Specifics make the difference in cyber cover
If there ever was an insurance product where the devil is in the details, it’s cyber. How coverage is written has and will continue to determine whether a cyber claim is covered or denied. Important stuff indeed.
Rightfully so, if almost ad nauseam, cyber risk is at the forefront of every insurance buyer's mind. Most buyers are advised by educated specialists who counsel their clients to ensure the correct amount of coverage is purchased. Conversely, however, too many are instructed by uninformed brokers who are ignorant of what cyber insurance actually is and how to cover the risk. Often, clients of these brokers end up purchasing cyber products with inadequate coverage, restricted by exclusions and restrained by sublimits.
A cottage industry no more
The evolution of cyber insurance is an extraordinary story. Once a cottage industry, the product has changed dramatically since the first policies were issued some 20 years ago. I’m fortunate to have been involved from the onset. Initially, the task of underwriting cyber was given to the technology E&O underwriters for really no specific reason. Maybe cyber sounded like tech. Maybe because cyber was such an anomaly, insurance companies didn’t know what to do with it.
It’s been fascinating to witness how the advancements in technology have impacted risk, particularly cyber risk. In its infancy, cyber insurance was written to protect businesses from the perils of moving their operations online. Easy enough. But something went astray. The Internet kept growing and expanding. Applications were invented. Facebook, Twitter, Instagram and Snapchat revolutionized the way we communicate. All the while, unbeknownst to most, private information was being captured, stored and processed. Processing power took off. Storage became cheap. The Cloud was created. Mobile devices. IoT. You name it.
And the tech E&O underwriter was left to figure out how to underwrite it.
Needless to say, in the early days the trading of cyber insurance did not go as smoothly as anticipated. Uninformed clients, uneducated brokers and inexperienced underwriters knew a new exposure needed to be identified and assessed, and a product needed to be created, sold and serviced. We all tried hard, but the task was difficult and the pace of change breathtaking. Surely, mistakes were made along the way. Coverages were miswritten, exposures missed, limits undersold and exclusions misinterpreted.
Within the last few years, the market has really taken off and the process has improved dramatically. Recognizing the business opportunity, brokers have hired cyber specialists who excel at communicating risk to clients. Underwriters have gained much needed experience and have even looked to the tech industry to add talent. And more and more the market is relying on third parties, the real experts, for help.
Today it is not uncommon for cyber policies to have upwards of ten coverages with varying limits and retentions, riddled with technical terms. And to boot, all carriers’ forms and product offerings differ greatly in breadth, scale and scope, making decision-making for brokers and clients difficult.
In addition, there is no standardized underwriting process in cyber, as there is in other lines such as property insurance. For example, property underwriters routinely rely on a building’s construction, occupancy, protection and exposure, or COPE, which are well-defined and widely used engineering measures. Not so with cyber. At the moment there is no objective way to assess a business’s cyber security. The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, developed a cybersecurity framework for critical infrastructure in collaboration with private industry, releasing its first draft in 2014. NIST’s effort is a good start, but it’s voluntary. NIST continues to collect feedback and conduct workshops, making updates to the framework.
As risks have become technologically more complex, underwriting has become more difficult. One change I’ve seen in this underwriting evolution is that underwriters have learned that they must ask sophisticated and technical questions to properly assess security risk. Those technical questions often take time and multiple people across the organization to answer. For example: What remote access methods are allowed, and is multifactor authentication required? Is password vaulting technology in place for administrative service accounts? How are you assessing the laws and regulations that pertain to the sensitive information you collect, and where is that data physically housed? Are you actively scanning systems for known vulnerabilities, and is there a patch management process for remediation? Are you actively running Red/Blue team exercises to identify control gaps? The list goes on and on.
Often, those answers must be sought from the chief technology officer, chief information security officer, general counsel, privacy officer and others. It’s therefore important for risk managers to have good relationships organization-wide.
Taking the time needed to collect those details pays off. The better the quality of information that a business can provide, the better off it will be in obtaining broad coverage and desired limits at a reasonable price.
Years ago, I used to see applications that were incomplete or wildly inaccurate. That’s far less frequent now. Brokers and their clients are doing a much more thorough job of submitting accurate information. More and more the underwriting process includes meetings amongst the prospective markets and the client where a detailed presentation and insightful Q&A takes place.
It takes a village
Another challenge is that security technology can only go so far. Organizations can have great security and state-of-the-art technology in place, but reducing risk still comes down to the people who are using those tools. The human element continues to play a role in many cybersecurity incidents, both accidental and intentional ones. That is a key reason that malicious actors keep trying social engineering tactics such as spear-phishing, in which employees open e-mails that unwittingly allow access to their employer’s network. Cyber risk mitigation is as much about improving an organization’s technology as it is about ensuring everyone understands and follows good cybersecurity practices.
Knowledge is a tremendous advantage in assessing and insuring cyber risk. The complexity of technology systems and the ever-increasing sophistication of cyber attacks require specialized expertise. That is one reason XL Catlin hired, as an underwriter, an experienced information technology professional who is a certified ethical hacker.
As I said before, cyber insurance is a fast-paced product. Underwriters need to be flexible to create insurance coverages that will respond to a dynamic, evolving environment. We routinely hear of cyber claims where an underwriter says, “I never envisioned that.” That is one reason we not only apply as much specialized knowledge as we can to cyber risk, but also offer broad coverage. A new type of breach may emerge, and flexibility in offering coverage enhancements can make a big difference to the customer. After all, when you buy cyber insurance, you are paying for claims handling and post-breach services, so seek out the organization providing the best services with the most skilled handlers and vendor panel. It may make a world of difference to your organization.
John Coletti is the Chief Underwriting Officer of XL Catlin’s Cyber Insurance and Technology E&O Group. His extensive experience includes cyber insurance product development, underwriting, auditing and accounting. He is a frequent speaker and author on cyber risk topics.