Ransomware, data breach, cloud outage: finding a path to profitable cyber underwriting through data and analytics

It’s an interesting time to be in the cyber insurance market. The opportunity is huge, with a current market size of $8 billion and growing to around $20 billion by 2025. At the same time, challenges are real and dynamic. Threat actors continue to develop tactics to automate and scale operations to achieve their goals, monetary or otherwise.

We live in such a highly interconnected world that when threat groups strike at a highly leveraged node in a supply chain, the ripple effects can affect thousands of businesses and result in millions of dollars in losses. Insurers need strategies to continue to grow profitably in this kind of environment.

Judy Chow, director of product management at CyberCube, will reveal the key risks that contribute to cyber insurance claims during her panel on June 30 at Intelligent Insurer’s Underwriting Innovation Europe event. Revealing how data-driven decision-making can improve profit margins, she will demonstrate how carriers can meet the challenge cyber poses today and in the future.

What are the most pressing risks insurers need to understand today?

A risk at the top of mind for insurers in recent months has been the rise of ransomware and double-extortion ransomware attacks. Ransomware has become a more frequent occurrence over the past 18 months and has taken a significant toll on profitability as victims cope with all aspects of post-incident response including ransomware payment demands, remediation, business interruption and reputational damage.

The effects of a cyber attack are magnified even more when they happen to companies that are single points of failure (SPoFs) in a business ecosystem. The ransomware attack on the US Colonial Pipeline in May is a prime example of the impact that an attack on a single company can have on many adjacent businesses and industries that rely on oil and gas to operate.

It’s essential for insurers to stay on top of the cyber threat landscape and continue to sharpen the ways they manage their portfolio risk.

What sort of insights can insurers hope to receive from data to help them make decisions around profitable business?

There is so much cyber data in the world that it’s almost overwhelming for an insurer to sift through the noise and find the gold nuggets that will positively impact its business. Ultimately, insurers need insights that will tell them which companies are at higher risk of an attack, how well those companies are protecting themselves, and what the magnitude of potential loss would be should an attack occur.

Are there any areas that remain unexplored that insurers should examine more closely?

Some people say that a cyber attack is not a matter of “if” but “when”. From this perspective, insurers should not only evaluate a company’s security posture to defend against an attack but also its ability to quickly recover from an attack.

For instance, if a company’s data is encrypted in a ransomware attack, can it recover the data using data recovery technologies? If a cloud service provider used by a company is compromised, does it have redundant services to keep the business going?

Understanding the dependencies in a digital supply chain is a second important area of focus. A cyber attack that impacts a key dependency can have a huge magnifying impact on losses across the ecosystem. Having a strong understanding of supply chain dependencies, especially SPoFs, is vital for insurers.

Can you explain what might constitute cyber vulnerabilities and how those impact risk selection?

There are many types of cyber vulnerabilities that are important for insurance underwriters to assess during the risk selection process. For example, our products provide insights on whether a company uses end-of-life technologies such as Windows 7, has misconfigured email servers, or shows indications that a cyber attacker has compromised its infrastructure.

Underwriters can use these insights to make more informed decisions on whether to underwrite that risk and if so, at what price point.

What are some of the considerations for an insurer considering underwriting cyber for the first time?

It's important to have a disciplined approach, guided by a strong hypothesis and deep cyber insights. Having a well-formed initial hypothesis to guide underwriting strategy setting is needed to avoid “shooting in the dark” A first-time cyber insurer has to be flexible enough to adopt this approach if the results of its initial investigation are not as expected.

Other aspects to consider include putting some boundary conditions around the strategy setting. For example, this could be certain sectors or geographies that it is not going to explore, or by limiting its target market by its existing broking relationships.

If the insurer is a new entrant into cyber, it should ensure it has access to deep cyber analytics to support decision-making, from both threat and loss potential perspectives.

We have developed a structured approach to supporting insurers through an initial underwriting (or re-underwriting) process. This involves developing synthetic portfolios of cyber policies to stress under a range of market conditions, assessing for inherent cyber threats and taking a view on expected insurance losses.

This supports the development of clear guidelines and pricing/rating models. The underwriting workflow and technology stack will then be constructed to aid the company’s strategy.

Finally, it is important to ensure that there is a clear risk appetite and underwriting governance guidelines to enable underwriters to stick to strategy and limits, while having defined points in time to review and (if required) adapt their approach.

What do you hope attendees will take away from this session, and is there anything you’d like to add?

Although the cyber insurance arena is complex, data and analytic insights will equip insurers to make sound decisions. I hope that attendees will walk away with greater confidence that they can be successful in this area in the long term, and I look forward to sharing more on this topic during my session.

Judy Chow will be speaking at Intelligent Insurer’s Underwriting Innovation Europe Virtual Event (June 28—30, 2021). The event is free to attend for insurers and brokers/agents, but you must register in advance. Sign up to access the content live and on demand here.