How to write profitable cyber business in a hard market
Nailing jelly to the wall, herding cats: pick your cliché, but it seems to be an accepted fact in the insurance industry that cyber risk moves and evolves so fast that underwriters struggle to keep up. As a result, pricing is rising exponentially as insurers try to limit their own exposure, without necessarily having a solid rationale and impacting competitiveness.
Similarly, clients are struggling to make sure they maintain enough cyber hygiene to satisfy insurer demands, again resulting either in dramatic premium hikes from one year to another or worse, falling out of insurability altogether.
This needn’t be the case however. It’s true that there is sparse historical data from which to recognise loss patterns, but recent advances in the use of artificial intelligence (AI) and machine learning (ML) allow for a more accurate view of today’s cyber risk.
On June 15 at 1.00pm BST, Peter Hawley, director of insurance solutions at SecurityScorecard, will be part of a panel of experts to discuss how to gain a more accurate picture of cyber risk, work with clients to build a more robust cyber hygiene strategy and create a more standardised approach to providing coverage that both underwriters, brokers and customers can trust.
In this interview ahead of the event, Hawley reveals what attendees at this exclusive panel can expect to learn and why it’s so important to engage fully with the latest innovations in cyber coverage.
Why is writing profitable cyber business proving to be such a challenge?
Speaking as someone who has spent the first part of my career in claims, the scary part is the sheer lack of data. People would typically be asking a maximum of five or six questions before rating the risk on the basis of industry and revenue. Then, when claims arise you’re trying to fight your way out of the other side.
Now, we can not only show people the data and the signals we can pick up from looking at insurance customers’ digital footprint as well that of their IT and non-IT vendors, but also then explain where that may end up in terms of losses, allowing consideration of what would be appropriate in terms of attachment and fair pricing, and then ultimately calm the whole cycle down.
It allows people to realise whether their current risk posture is an impairment to them and help them gain access to risk improvement services and resources.
Pricing is definitely the point where conversations around risk quality equating to cost need to happen. It’s getting to the point that customers are giving thought to whether there is greater value in spending the insurance premium elsewhere by not buying the product at all — which is bad all -round for the market.
Data we need to make sure new capacity and new capital can come to the market by virtue of underwriters saying: “‘Yes, I can tell you what I’m looking at, I can tell you what I think of it and where it will go and on that basis, I can underwrite this risk. Therefore, capital providers should back us”. The more capital we get the bigger and more sustainable the market will be, aside from the current rollercoaster.
How can insurers make sure they make the right decisions quickly, so they remain competitive in terms of speed to quote and pricing?
The big problem has been that there is a tonne of data. Some have 60 data points, some 80. At Security Scorecard we have more than 100 data points that we’re pulling in on every client that we look at. That’s potentially a lot of noise.
If you’re going to have to fight your way through that and then it’s presented in a 70-page PDF, there’s too much data to take in. Even worse, you potentially have a loss that could have been prevented or predicted by information buried somewhere in those 70 pages. Just because you didn’t find it, doesn’t mean an auditor won’t.
It comes down to AI and ML to delve into that data and align the information with probability. How important is that data point compared to the probability of a loss hitting the underwriter’s portfolio? It could be down to appetite, or attachment point, perhaps depending on the type of client company or whether they’re based in the UK or the US market. Over time, that’s absolutely where AI and ML will build out.
There will come a point where AI can allow notifications to get to underwriters quickly to flag up what to do if companies from certain industries come looking for quotes, if the AI has picked up that those industries have been exposed to specific cyber risk. Being able to ingest that sort of data quickly and with clarity will be a major boost, reducing turnaround times for responses to quote requests and improving the customer experience.
Cyber hygiene is still a concern. How can insurers deploy tools to help their clients work to mitigate their own risk?
Risk management methodologies and tools have been given to cyber insurance clients from day one but, only about 3 percent ever take advantage of these free services. That’s the problem we have here because it causes problems. At SecurityScorecard we’re giving customers access to various tools and applications that include risk management.
Our scoring of a customer is directly impacted by the remediation actions undertaken, with validation typically visible within three to five days— - not weeks or months. Our transparent methodologies and processes allow everyone in the cyber-exposed value chain to understand their needs and obligations.
We can advise clients on threats they are exposed to as they appear, provide notifications and remediation services, and reduce the likelihood of any surprises when insureds speak to their broker in the run-up to renewal with the capability of demonstrating their risk maturity - —greatly assisting in those discussions and maintaining insurability.
What do you hope attendees will take away from this panel?
As an industry, we tend to like the idea of the “‘dark arts”’, or at least the myth. Data is requested by insurers and brokers and when they don’t get the narrative they want, they tend to shy away from it. I want people to be not frightened of the data.
Seek out the information that’s going to be of most use to you, whether you’re a broker, an underwriter, or a claims adjuster. I can guarantee that in the next two years, your chief financial officer is going to want to know what you can do with that data, because we are moving to a world where cyber ratings are also part of financial ratings.
This isn’t just a fad, a piece of software for underwriters and brokers to play with. These conversations are going to management and board level.
On June 15 at 1.00pm BST, Peter Hawley, director of insurance solutions at SecurityScorecard, will be part of a panel of experts to discuss how to gain a more accurate picture of cyber risk, work with clients to build a more robust cyber hygiene strategy and create a more standardised approach to providing coverage that both underwriters, brokers and customers can trust.
Register for the event here
