Cyber risks are evolving beyond the confines of traditional underwriting techniques, and the industry must embrace a new approach that involves proactive, ongoing risk assessment.
“When cyber [risk] started to grow 10 years ago, it was underwritten like a traditional specialty insurance coverage application,” said Brian Alva, SVP of cyber underwriting at Corvus Insurance, a Boston-based commercial insurance platform with footprints in the UK, Canada, Australia, and the Middle East.
“At the time, that was probably sufficient, but as exposure started to grow and we saw an explosion of ransomware and additional cybercrime techniques, people realized that ‘snapshot-in-time’ approach doesn't work for cyber.”
The old application-based practices of commercial insurance, where companies tick off “yes” or “no” boxes in answer to questions, are no longer an adequate way to get a holistic view of a company’s cybersecurity posture, Alva argued.
“In theory, that's great. But in practice those questions shouldn't always have a yes or no answer. But there's always going to be a lot of gray areas,” he told Insurance Business.
“You’re answering questions that might be true today but might not be true tomorrow as you as your network and change security controls.”
Data, artificial intelligence, and machine learning have had a profound impact on cyber underwriting in recent years, according to Alva.
“As we've been able to collect and analyze various forms of data, using different AI and machine learning models helps us start to build profiles of clients as well to predict the probability of claims,” he said.
“Using new forms of data using these new models, we're able to get a much better picture of a company's exposure profile than we were a couple of years ago.”
The most significant change that data has brought is to enable underwriters to quickly adapt as an insured’s cyber exposure shifts within a policy period. Data can deliver ongoing insights so that at renewal time, carriers don’t need to ask as many questions as they did in the policy year before.
Claims data are also becoming less relevant to the cyber underwriting approach. While such data can help inform future decision-making, the biggest threats last year or a few months ago may not be the same today, Alva emphasized.
“One of the interesting things about cyber is that it has evolved so quickly that the trends we see today are different from the trends we saw five or six years ago,” the SVP said.
“While the additional claims data is certainly helpful and something that we build into our modeling, we have to be careful not to let past claims bias determine too much of what we're looking at in the future.”
For example, eight years ago, the most significant concern in cyber insurance was data breaches around credit cards. But this threat has ebbed with the adoption of better chip technology and encrypted payment information in the retail space.
“The tide instead turned to ransomware and cybercrime,” Alva said. “While we do pay attention to past claims data, we also want to be mindful that the exposures of tomorrow are not necessarily going to be the exposure as yesterday.”
Finally, underwriters are working more closely with cyber experts to look at and price risk from the inside-out.
“At Corvus, we have a handful of staff who are threat intel specialists who can monitor the dark web to spot emerging trends. We then use that information to inform our underwriting,” said Alva.
The past few years saw the cyber insurance market harden significantly amid rising ransomware and cyberattacks on organizations. While rates have stabilized in recent months, Alva said the market has diverged in some aspects.
“I think [the cyber market] is a bit chaotic, if I'm being honest,” Alva told Insurance Business. “We’re seeing a lot of divergence among insurers. Some are moving to soft market tendencies, while others are trying to get more rate. There seems to be a different view of exposure within the market itself.”
The lack of consensus also reflects other threats in the market, such as evolving exposures in the regulatory landscape and several class-action lawsuits around data privacy, according to Alva.
“I think we'll continue to see different reactions from various markets on these newer trends,” he said.