Deploy the Latest Methods for Continually Evaluating and Monitoring Cyber Risk to Reduce Loss Ratios and Boost Underwriting Performance

As a result of the COVID-19 pandemic insurers, like many other companies, have had to adapt to compete and thrive. Cyber insurance innovation has been thrust to the fore as digital transformation, as well the more general need to constantly innovate to respond to a changing market and economy, has become a required factor in enabling competitiveness and reducing risks, and ultimately it can play a significant role in improving underwriting performance.

David Channing, Director of Insurance Solutions (EU) at SecurityScorecard, one of the  Cyber Insurance Innovation 2022 panellists at Intelligent Insurer’s webinar “ Deploy the Latest Methods for Continually Evaluating and Monitoring Cyber Risk to Reduce Loss Ratios and Boost Underwriting Performance” on April 21, 2022, offered his views ahead of the event.

What are the latest cyber risk threats and total global losses?

Remote working has changed the corporate working environment. Employees are working from home using networks which are less secure, for example, personal internet of things devices are attached to the network and could be used by hackers to target corporate networks and data. Third party exposure is a more pressing threat, with independent contractors more likely to be hired to complete work once handled by full-time employees.

External parties are being granted access to critical networks and systems, providing another way for hackers to exploit an access route to data in less well-protected networks.

It’s becoming more important for companies and insurers to understand supply chain exposures and manage the risk accordingly, which is leading to a rise in cyber insurance purchased to cover contractual exposure. The obvious risk to mention is ransomware, which is not a new threat. However, hackers have become significantly more sophisticated, and payments requested are higher in recent years. The market’s response has been to sub-limit or exclude ransomware coverage completely in some cases.

Social engineering and targeted “spear phishing” attacks are evolving, whereby hackers are targeting cryptocurrencies, which are becoming more widely accepted by society and not seen merely as the currency of cyber criminals. Hackers are impersonating digital wallets and other crypto-related apps to try to steal login credentials to steal Bitcoin and Ether, which have risen significantly in value over the last two years. I’m not aware of coverage available for such losses under a cyber policy, but as risk evolves the market will need to adapt and respond to ensure continued growth in cyber premiums.

Cyber hygiene is more important than ever. Avoiding unprotected networks, using a virtual private network (VPN), good patch management to ensure systems and applications are regularly updated, and good password management are all habits that need encouragement. Employee training should form part of everyone’s daily work life to encourage awareness.

I can’t comment on global losses, but an October 2021  report from the National Association of Insurance Commissioners (NAIC) suggested gross written premium in 2020 among the top 20 cyber insurers in the US was circa $2.3 billion vs losses of $1.5 billion.

To what extent have insurers been complacent about cyber risk?

A challenge we are seeing is that traditional risk evaluation processes that are more static or have hundreds of years of loss data don’t work for cyber, given the fast pace and always-evolving nature of the risk.

Insurers are always looking to reduce loss ratios and boost underwriting performance, but that’s not to say they aren’t constantly evaluating and monitoring risk. As new data streams and risk modelling and risk quantification tools improve, underwriters have more data on hand to make better underwriting decisions.

I would personally like to see more being done by insurers to turn a bad risk into a good one. In a hard market, it’s more difficult for companies to obtain coverage and premiums are increasing so underwriters have more choice over the companies to which they are willing to offer coverage. I would like to see underwriters offering proactive solutions to risk areas such as ransomware.

Questions need to be asked, such as:

How can the issue of scant historical data be tackled, strategies for analysing external real-time feeds be explored?

Newer market entrants, as well as more established players, utilise reinsurance to help spread risk. A number of new entrants to the risk quantification space are doing a good job of mapping exposure. The struggle is mapping data gathered back into a monetary value of exposure, which is something we are working to improve by working more closely with underwriters.

Although there is a good amount of historical claims data available, insurers need to embrace the fact that historical data can quickly lose relevance. Instead of placing all their bets on highly accurate underwriting, insurers need to place significant focus on being proactive about helping policyholders to avoid cyber incidents.

That means being hyper-aware all the vulnerabilities that can lead to losses, having the agility to respond when new risks emerge, and increasing engagement between brokers and policyholders to quickly remediate discovered issues.

What role can AI play to obtain a more complete view of cyber risk?

Artificial intelligence (AI) has some very interesting applications for insurance. The idea of utilising technology and known incident response playbooks, based on claims triggers, can help to automate the incident or breach response process for large and small companies. This would lead to a reduction in time-to-respond and cost-to-respond, resulting in lower premiums.

The use of telematics aboard cars, fitness trackers, and healthcare wearables has changed the automotive, life, and healthcare industries. Cyber insurance is still in its infancy. I would like to see more innovation in continuous underwriting based on a company’s continually evolving footprint, and utilising rules-based evaluations as well as risk engines to provide accurate underwriting based on the data we collect and analyse. There is a lot of data that underwriters are being asked to internalise and drive their decisions. AI can help them determine the data that matters and the actions that are needed.

Why is it vital to recognise the challenges associated with continuous shifts in risk exposures?

The viability of the cyber insurance business depends on it. We have just seen insurers dramatically increase rates, reduce coverage, and even exit markets—all of which caught policyholders by surprise. Given the speed and scale of cyber risk, it’s not outside the realm of possibilities that some new threat emerges that surprises insurers and causes a repeat of the overcorrection we just saw.

If these types of overcorrections continue to occur, policyholders could start to question the value of cyber insurance and decide that it’s more effective to reallocate insurance premiums to cybersecurity budgets.

How can underwriters exploit the latest cyber assessment tools to transform the profitability of their cyber book?

A technical risk requires more integration of technology in underwriting. Again, there are so many technical variables that must be considered when evaluating cyber risk and it’s clear that human experience and judgement by itself is not enough to properly make sense of all that information.

We grade a company by looking at different areas of risk including application security, network security, endpoint security, social engineering, hacker chat, DNS security, Cubit Score, IP reputation and any leaked information. Cubit Score is SecurityScorecard’s proprietary threat indicator that measures a collection of critical security and configuration issues related to exposed administrative portals.

We then crawl the internet for publicly available information such as IP addresses. We also use vulnerability fingerprinting, which is a passive scan to obtain information about malicious traffic such as malware. Our data science team then uses this information to build out a company’s digital footprint.

By combining our approach with traditional underwriting methods, we’re helping underwriters to dive deeper into a company’s risk profile and helping companies improve their security posture to lessen the likelihood and the potential impact of a cyber incident.

What are your tips for small businesses to overcome their unique challenges?

Understanding the constraints for small and medium sized enterprises (SMEs), such as financial limits, technical knowledge and ability, time or SME buyer behaviour towards cybersecurity and insurance, is the key in being able to help SMEs overcome their challenges.

Most SMEs have limited budgets to spend on cybersecurity and lack the in-house expertise of a larger company so they rely on a managed service provider (MSP) or outsourced IT provider to advise on their exposure.

What if an MSP is not very good? Insurance is often a compulsory purchase, with cyber insurance being a secondary consideration. Take-up of cyber cover is increasing, but many SMEs are struggling to obtain insurance in a hard market and coverage such as ransomware—which is probably what is fuelling interest from smaller companies—is being sublimited or removed.

Smaller SMEs might not necessarily purchase via a broker so we must do more to ensure that affordable coverage is available through other channels.

What takeaways would you like delegates to gain from the webinar?

Cyber risk is uniquely different from the risk within other lines of business. The answer to winning in the cyber market is not simply being able to better understand the risk, it’s also being able to transform the business of cyber insurance to meet the needs of all stakeholders—policyholders, brokers, and underwriters.

David Channing, Director of Insurance Solutions (EU) at SecurityScorecard, is a panellist at Intelligent Insurer’s webinar “ Deploy the Latest Methods for Continually Evaluating and Monitoring Cyber Risk to Reduce Loss Ratios and Boost Underwriting Performance” on April 21, 2022, part of  Cyber Insurance Innovation 2022.

To find out more about Security Scorecard visit  securityscorecard.com