Tag Archives: cyber

Educating Owners on New Risks

COVID-19 changed everything, including insurance. New risks emerged with each lockdown, including increased cyber threats among a dispersed workforce. With risk evolving at such a rapid rate, one can’t help but wonder: Does the average founder of a small to medium-sized enterprise (SME) understand their risks and business insurance? Do SME clients understand the importance of risk transference should a data breach occur?

My team at Embroker conducted a survey of 500 SME owners, CEOs and tech startup founders and found a discrepancy between what founders know about risk and the actions they have taken to mitigate that risk. Embroker found that only 22% of owners and founders say they have read and understood all of their policies. 

The good news is half of the owners and founders rely on a broker to sign up for coverage, which may improve their understanding. Embroker research also shows that SME owners lack an understanding of insurance industry standards regarding risk mitigation and often look to brokers for better education. 

Trusting Brokers 

The report shows that 25% of owners and founders rely on the broker to fully research and price out their options. One in five admitted to not knowing how their insurance purchases are handled.

Almost one in three (29%) SME owners allow their insurance to auto-renew without making changes, while 74% of tech founders either engage with a broker or have someone internal to assess their needs and options upon renewal.


Cyber Risk

As business threats intensify and concern grows, both owners (46%) and tech founders (57%) fear they don’t have sufficient coverage in the event of a ransomware attack. Yet the perceived likelihood of this risk remains low: 63% of SME owners believe they are unlikely to face a data breach or ransomware attack.

Tech founders, on the other hand, are more aware of cyber risks than other industry business owners. 58% of tech founders believe they are likely to face a data breach or ransomware attack. However, tech founders are still not securing coverage, with only 34% having cyber policies. Why is this? 

It’s likely tech founders don’t understand how transferring their risk in the event of a cyber attack can dramatically help their business, or they accept the popular assumption that obtaining cyber insurance puts you at greater risk of an attack. This is simply not true. Here’s the reality: It’s not if a company will face a cyber attack, but when.

We now know that the COVID-19 pandemic created a dispersed workforce and thereby created more opportunities for hackers to spot weaknesses. Ransomware-as-a-service is becoming an increasingly common tool. According to ABC News, cybercrime is up 600% as a result of the COVID-19 pandemic.

To learn more about the business insurance approach for SME owners, CEOs and tech founders, download the full report here.

How to Counter Ransomware Surge

During the COVID-19 crisis, another outbreak has happened in cyber space: a digital pandemic driven by ransomware. Malware attacks that encrypt company data and systems and demand a ransom payment for release are surging globally. 

The increasing frequency and severity of ransomware incidents is driven by several factors: the growing number of different attack patterns; a criminal business model around “ransomware as a service” and cryptocurrencies; the recent skyrocketing of ransom demands; and the rise of supply chain attacks. In a new report, cyber insurer Allianz Global Corporate & Specialty (AGCS) analyzes the latest risk developments around ransomware and outlines how companies can strengthen their defenses with good cyber hygiene and IT security practices.  

Cyber intrusion activity globally jumped 125% in the first half of 2021 compared with the previous year, according to Accenture, with ransomware and extortion operations one of the major contributors. According to the FBI, there was a 62% increase in ransomware incidents in the U.S. in the same period, which followed an increase of 20% for all of 2020. These cyber risk trends are mirrored in AGCS’ own claims experience. AGCS was involved in over a thousand cyber claims overall in 2020, up from around 80 in 2016; the number of ransomware claims (90) rose by 50% compared with 2019. In general, losses resulting from external cyber incidents such as ransomware or distributed denial of service (DDoS) attacks account for most of the value of all cyber claims analyzed by AGCS over the past six years.

Increasing reliance on digitalization, the surge in remote working during COVID-19 and IT budget constraints are just some of the reasons why IT vulnerabilities have intensified, by offering countless access points for criminals to exploit. The wider adoption of cryptocurrencies, such as Bitcoin, which enable anonymous payments, is another key factor.

Five areas of focus

In the report, AGCS identifies five trends in the ransomware space, although these are constantly evolving and can quickly change in the cat-and-mouse game between cyber criminals and companies: 

  • The development of ransomware as a service has made it easier for criminals to carry out attacks. Run like a commercial business, hacker groups such as REvil and Darkside sell or rent their hacking tools to others. They also provide a range of support services. As a result, many more malicious threat actors are operating.
  • From single to double to triple extortion: “Double extortion” tactics are on the rise. Criminals combine the initial encryption of data or systems, or increasingly even their back-ups, with a secondary form of extortion, such as the threat to release sensitive or personal data. In such a scenario, affected companies have to manage the possibility of both a major business interruption and a data breach event, which can significantly increase the final cost of the incident. “Triple extortion” incidents can combine DDoS attacks, file encryption and data theft – and don’t just target one company, but potentially also its customers and business partners. A notable case was a psychotherapy clinic in Finland. A ransom was demanded from the hospital. At the same time, smaller sums were also demanded from patients in return for not disclosing their personal information. 
  • Supply chain attacks: There are two main types – those that target software/IT services providers and use them to spread the malware (for example, the Kaseya or SolarWinds attacks), and those that target physical supply chains or critical infrastructure, such as the one that hit Colonial Pipeline. Service providers are likely to become prime targets as they often supply hundreds or thousands of businesses with software solutions and therefore offer criminals the chance of a higher payout. 
  • Ransom dynamics: Ransom demands have rocketed over the past 18 months. According to Palo Alto Networks, the average extortion demand in the U.S. was $5.3 million in the first half of 2021, a 518% increase on the 2020 average; the highest demand was $50 million, up from $30 million the previous year. The average amount paid to hackers is around a tenth of the average demand, but this general upward trend is alarming. 
  • To pay or not to pay: Ransom payment is a controversial topic. Law enforcement agencies typically advise against paying extortion demands to avoid encouraging attacks. Even when a company decides to pay a ransom, the damage may have already been done. Restoring systems and enabling the recovery of the business is a huge undertaking, even when a company has the decryption key. 


Business interruption and recovery costs

Business interruption and restoration costs are the biggest drivers behind cyber losses such as ransomware attacks, according to AGCS claims analysis. They account for over 50% of the value of close to 3,000 insurance industry cyber claims worth around €750 million ($885 million) it has been involved in over six years.

The average total cost of recovery and downtime (on average, 23 days) from a ransomware attack more than doubled over the past year, increasing from $761,106 to $1.85 million in 2021.

The surge in ransomware attacks in recent years has triggered a major shift in the cyber insurance market. Cyber insurance rates have been rising, according to broker Marsh, while capacity has tightened. Underwriters are placing increasing scrutiny on the cyber security controls employed by companies. 

Checklist with IT security best practices

AGCS has published a checklist with recommendations for effective cyber risk management. 

In the event of an attack, cyber insurance coverage has evolved to provide emergency incident response services that typically include access to a professional crisis manager, IT forensic support and legal advisory. Further offerings include IT security training for employees and assistance with the development of a cyber crisis management plan.

For additional information, please visit Allianz: Ransomware Trends – Risks and Resilience.

Why Nonprofits Can’t Ignore Cyber Risk

Cyber breaches are more common than ever. Almost half of all global organizations will experience a data breach. The repercussions go beyond financial, as organizations suffering breaches can suffer reputational damage in the eyes of clients, donors, business partners and the general public.

For nonprofits, such repercussions can cause irreparable harm. Nonprofits tend to underestimate the cybercrime threat, believing they’re less attractive targets than major for-profit enterprises or external service providers performing IT-related functions.

Yet critical aspects of nonprofit business operations expose them to cyber risk, while nonprofits often lack the technology resources, infrastructure or staffing to manage it.

Consider the following:

  • Since the onset of the COVID-19 pandemic, many employees are working remotely on home networks, creating greater risk because these networks may be unsecured.
  • Nonprofits have embraced cloud computing, software-as-a-service (SaaS) and data warehousing.
  • Criminals routinely hijack online payment systems like those used for nonprofit donations.
  • Third-party software used to manage and store donor CRM information can be hacked.

The stakes have risen on PII

Nonprofit organizations solicit donations throughout the year, with the heaviest activity generally in the fourth quarter. They may store donor data containing personally identifiable information (PII), which is a tempting target for criminal elements. Even if an external party handles the data, the nonprofit is considered the owner and is liable for its safekeeping.

As many as 80% of all data breaches compromise personally identifiable information (PII), with the average cost of a breach at $150 per record. These costs include civil liability, defense costs, regulatory fines and penalties and the cost of business interruption. A breach also raises immediate expenses, including the costs of investigation, consumer notification, credit monitoring and public relations.

Be a responsible, prudent steward in three steps

Nonprofit leaders are responsible for organizational assets entrusted to their care and are expected to exercise diligence and informed decision making. The following three steps will help a nonprofit organization start improving cybersecurity and reduce risk.

Step one: Assess exposure. Determine the approximate number of records the organization owns that contain protected information, and identify vulnerabilities in technology infrastructure, people and processes. Defenses include firewalls, antivirus protection, encryption and multifactor authentication, background screening, access restrictions, regular equipment inventories and physical security.

Step two: Build a team. Create a comprehensive information risk program, designating an employee or committee to champion cyber security. This team will help train employees and find ways to recognize, report and resolve vulnerabilities.

Step three: Determine insurance options. Explore the availability and cost of commercial risk transfer. Specialty insurance products have proliferated, offering coverage to address multiple risk exposures, from traditional information risk to media liability. Carriers will reward organizations with superior data risk management with better-than-average cyber insurance rates.


Transferring risk to cyber insurance

Traditional forms of insurance such as property, general liability, management liability and crime policies only provide fragmented protection against data breaches. In fact, mainstream underwriters are continually introducing new exclusions to shift the burden away from their policies and into specialty cyber solutions.

Cyber insurance is not one-size-fits-all: Each policy must be tailored to the buyer’s needs, based on its unique risks and exposures. A robust cyber policy should cover the following:

  • The services of a privacy attorney to help navigate legal responsibilities after a breach
  • A forensic investigation to pinpoint the cause of a data breach
  • Coverage of the cost to notify potentially affected parties and provide credit monitoring services, as well as the cost of hiring a public relations firm to minimize reputational damage
  • Liability defense costs, claim settlements, judgments, regulatory fines and penalties
  • Damage to the policyholder’s own IT network and digital assets, including ensuing business interruption

Cyber risk management starts with quantifying an organization’s risk and the costs to address it and continues through adopting a thoughtful, holistic strategy that includes transferring risk to insurance coverage when possible. It’s a process that will pay major dividends — even if a nonprofit may not seem like much of a target for cybercriminals.

Growing Number of Uninsurable Risks

A few weeks ago, I saw a LinkedIn post from Dr. Robert Hartwig that discussed his testimony to one of the U.S. Senate’s subcommittees about the uninsurability of business income from the COVID-19 pandemic. Seeing that LinkedIn post, and reading his testimony, triggered my continuing belief that uninsurability of certain risks has been happening more frequently over the decades.

More specifically, I believe that as we, as a society, become increasingly dependent on web-connected devices, uninsurability will become more of an issue for both the insurance market and for corporations (and individuals, as well).

I want to thank Dr. Hartwig for giving me permission to use some of his content from his July 21, 2021 testimony to the U.S. Senate subcommittee.

His testimony is titled: “Examining Frameworks to Address Future Pandemic Risk,” and he presented it to the U.S. Senate Committee on Banking, Housing and Urban Affairs, Subcommittee on Securities, Insurance and Investment.

My three key messages

My three key messages for the readers of this blog post:

  1. There has been, and continues to be, an inexorable shift to (potentially uninsurable) severity from a small but expanding number of risks.
  2. Not all of the risks that fall into the uninsurable severity category are technology-related or technology-driven. Terrorism and global pandemics fall into the uninsurable severity category (in my opinion), as do, or will, certain ramifications of climate change. None of those three are technology-related or -driven. However, technology, specifically in the form of web-enabled devices, will push more risks – cyber risks – into the uninsurable category.
  3. Regardless of the insurability or uninsurability of a risk, the risk itself doesn’t disappear from a corporation’s (or individual’s) need to manage the impact of the risk in some manner. (Neither denial nor hope is a risk management strategy.)

Frequency and severity

Almost all, if not all, P&C insurance professionals would tell any person who asked that the two connected concepts of frequency and severity are critical to analyzing and pricing each risk that happens in their target markets or throughout society more generally. (Frequency and severity are also needed to perform claims analysis – before, during and after a claim event – as well as needed for target marketing, product development, setting reserves and surplus and a host of other operational and financial functions.)

These two concepts were at the forefront of my mind when I decided to write this blog post.

The “frequency of severity” is increasing

However, the continual expansion of technology applications is leading society and the insurance industry into more instances of uninsurable severity. Specifically, I believe that what I call the “frequency of severity” of risks is increasing as our society becomes more digitally dependent on the web throughout its operations, home life, transportation, entertainment, shopping, communication and collaboration, and within other personal and corporate activities.

Simultaneously, as web-connected digital capabilities become the lifeblood of society, insurance firms will find fewer opportunities to generate profitable premium because the risk costs will become too large to profitably underwrite.

From a societal and insurance industry viewpoint, we have lived in a situation of “uninsurable severity” before, following the terrorist acts of war of 9/11. Now, society and the insurance industry are living with another situation of “uninsurable severity” risk: the impact of COVID-19 on business income/interruption.

I identify both of these risk situations (terrorism and global pandemics) as sign posts on the path to a “shift to (uninsurable) severity”: a shift that effectively shrinks the market segments that are insurable.

Before discussing why I believe that cyber is yet another instance of a shift to uninsurable severity risk, I want to take a few steps back to consider the P&C insurance industry. The people who have read my blog posts or have read my analyst reports through the years know that I like to discuss context before delving into the heart of an issue. So, …

A macro insurance industry overview of risk

The societal value-added of the insurance industry is to profitably manage or mitigate risk for people, corporations, non-profit organizations and actually businesses of every flavor. One of the critically important words in this first sentence is: “profitably.” Insurance firms strive to operate profitably through their ever-changing risk appetite.

Risks emerge on their own (e.g., lightning strikes) through interaction with nature, through interaction with the actions and behaviors of members of society (alone or among members of society), through the applications of technology or through some hybrid combination of any of these elements. (See visual below.)

Insurance professionals, including risk managers, think of a risk landscape. I’ve written reports about the risk landscape (or landscape of risk) through my decades as an insurance industry analyst. But the term “land” has outlived its usefulness for many years.

True, we can, and do, think of risks beyond those occurring on a terrestrial terrain to include risks happening in (or under) the oceans or in air or space. However, with the advent of the web and web-enabled applications and their concomitant risks, “land” is too mentally limiting. The web is a bridge from our historical world of analogue risks to a hybrid world encompassing an ever-changing mixture of analogue and digital risks. The bridge is a host of cyber risks that will affect both the digital applications as well as the analogue applications infused with or connected to the web-connected digital applications.

I propose using “risk radar” instead of “risk landscape” to encompass all past, current and emerging risks regardless of where they exist or appear, including in the application of web technologies. I’ll try to use it in this and forthcoming blog posts. However, I know that I used “risk landscape” in my book, which is going through an initial edit by Wells Media. We’re targeting 2Q22 or 3Q22 for the book to be published as an ebook, audio book and paperback. (I had to put in a plug for my own book, didn’t I?)


Shift of impact of risk to an uninsurable level of severity

I am not stating that every risk that society has experienced, is experiencing or will experience will have an uninsurable level of severity. I am stating that a growing number of risks, particularly those associated with web-connected digital artifacts (or analogue artifacts infused with or connected to web-connected digital artifacts), will have uninsurable levels of severity.

The table below shows a 2 X 2, but we all know there is actually a gradient from low to high frequency as well as a gradient from low to high severity. Pandemics, terrorism and, in my opinion, cyber attacks sit in the “high severity” row (or end of the severity gradient).

Most of us trust the companies we conduct commerce with, but there will be more questions like these:

  • “How did thieves break into my digitally locked car?”
  • “What do you mean I can’t get into my house because the ‘key’ has been hacked and I have to pay ransomware to get into my own home?”
  • “How could some person hack into our web-connected devices that we use in our homes to know we were gone and rob us?”
  • “Why are all of our corporate systems shut down?”
  • “What do you mean that my company’s servers have been used for a distributed denial of service attack and my company is liable for the damages done to other companies and their clients?”
  • “Why is my EV car stopping in the middle of the highway?”
  • “Why has our company stopped providing petroleum products throughout the U.S. East Coast?”

In reality, the trust – between each of us and the web-connected devices we use in our homes, vehicles or corporations – should have been completely vaporized as soon as the first device (home appliance, corporate appliance, personal vehicle, company fleet vehicle,…) was connected to the web.

Web-connected devices carry an impact and a level of losses that are no longer local or regional: The impact of the risk is global. To repeat what is in the red outlined box in the visual above for better readability:

I hypothesize that as society – governments, businesses, people – uses increasingly more digital technologies (of which increasingly more will be connected to the web), the scope of cyber attacks will reach a financial scale, and thus a level of severity, for which the insurance industry is not financially able to provide sufficient coverage.

Pogo is definitely at play here: “We have met the enemy, and he is us.”

Revisiting the CPC broker commerce conversation

My remarks in this section are based on the areas of focus in the visual of the last section: low frequency and high severity as well as high frequency and high severity of risks.

The first visual I show below illustrates what I call the “conversation and acceptance” of commercial P&C insurance commerce. I have a question mark next to “acceptance” to indicate the changing risk appetite of carriers.

(In case there is any doubt about my use of “changing risk appetite,” I am from the insurance carrier business side of the insurance industry. I absolutely believe that carriers have the right – and responsibility – to change their risk appetites whenever they think it is best to do so for their companies.)

I’m using the curved arrows to reflect that large/jumbo CPC clients will have a hybrid stack of self-insurance, use of primary insurance and use of reinsurance. There will not necessarily be a stacked column of the three elements one after the other. Moreover, I’m showing some of the elements of the CPC carrier that “greet” the broker and the client as they look for cover for the specific risk. Please don’t overlook the “small” potential role of the federal government (depending on the risk being considered for coverage).

I want to repeat what I wrote in the green box under the CPC client for emphasis: Regardless of the market solution the broker identifies to mitigate the client’s risk(s), the legal onus is on the client to manage the risk in some manner. This always holds (for every risk) and will hold in dramatic fashion for cyber risks. And for the cyber risks in the areas of focus, I believe the role of the federal government will have to explode in a similar dramatic fashion.

Actually, I could foresee when (and it should be when and not if) the federal government plays a major role “covering” cyber risks that are uninsurable. At that time, the federal government will take a very large stick (perhaps through laws, regulations and executive orders) to hammer corporations to better secure their cyber operations to protect their company, their clients and prospects, their subcontractors and others (people and companies) they conduct commerce with.

This will expand the market for technology firms that create and sell cyber security and privacy solutions. It will also expand the market of people with “white hat” cyber hacking skills to work for companies (or technology firms or consulting firms). The technology firms offering cyber security and privacy solutions should also find themselves under the harsh glare of the government cyber laws and regulations.

I want to make another point clear: Brokers involved in the cyber commerce conversations will have to have some minimal level of knowledge of the (changing) nature and implications of cyber security and privacy as well as the cyber solutions available to mitigate their damage to the broker’s clients (and their clients).

I believe there will be a role for CPC insurers to generate non-risk-based fees from the provision of cyber services (e.g., auditing, monitoring, remediation). The CPC insurers participating in the cyber services market would obviously have to determine the resources needed to offer the cyber services.

Not every risk is insurable

The crux of this post is the point that there are some risks (and I believe a growing number of risks) that are (and will be) uninsurable.


Criteria for insurability

This raises the question: How can an insurance/risk management professional identify risks that are insurable? Here I introduce some of Dr. Hartwig’s July 2021 testimony. I’ll let the table below speak for itself, but I will repeat his point that “The inability of a risk to meet one or more of these criteria reduces or eliminates its insurability.”

Consideration of a pandemic through the lens of the six criteria

Here – in the table below – is how Dr. Hartwig viewed the current pandemic through the six criteria: You can see there is a relentless parade of “no,” with his logic given for each criterion not being met.

Cyber risk will increasingly become uninsurable

Turning now to cyber risk (which encompasses various risk segments), I use the same six points of insurability (or uninsurability, depending on your point of view) to conclude that cyber risk is uninsurable.

Remember, the risk is not insurable if only one of the six criteria is not met.

By my analysis, I come up with: two criteria of insurability met, two criteria not met and two criteria assigned a “quasi” rating, meaning maybe yes or maybe no. I answer no to the criteria: 3) determinable and measurable loss and 5) calculable chance of loss.

I suggest you select a specific cyber risk and do your own analysis. I may be too skeptical. I may be looking at the cyber risks too harshly. However, whoever does the analysis should lose whatever levels of trust they have about any of their web-connected devices being safe, secure and private.

Remember, there are only two types of web-connected devices: those that have been hacked … and those that have been hacked but you don’t realize it.

Boosting Cyber Hygiene With Insurtech

Thanks to large-scale ransomware attacks on technology providers like Kaseya, everyone involved — from cybersecurity practitioners to the business leaders who hire them, and from local policymakers to the White House — is thinking about how to reduce risk across the board. As cyber attacks grow in quantity and complexity, hurting downstream customers and interrupting business continuity, organizations need to take the right steps to implement proper security controls. 

Previously, in-house security teams at organizations were scarcely involved with cyber insurers (if the organization had a cyber insurance policy at all). But in the face of an intensifying threat landscape, policyholders, brokers and insurers are working together to find solutions that benefit everyone involved. This newfound collaboration is enabled by technologies and solutions developed by insurtechs, taking the form of data-driven approaches to underwriting and more efficient implementation of best practices, thanks to up-to-the-moment data on security postures gathered by insurers and shared with brokers and policyholders.

Let’s look at a few of the ways that insurers, brokers and policyholders are working together to improve security. 

Giving Policyholders Incentives to Adopt Better Controls

Policyholders should be encouraged to implement better cyber defense. Today, cyber insurers are looking for a new baseline of controls, which commonly includes multi-factor authentication (MFA), endpoint detection and response (EDR) and acceptable backup planning and strategy.

  1. MFA is an authentication method that requires the user to provide two or more credentials to gain access to an account. Rather than just asking for a username and password, MFA requires one or more additional verification factors unique to the individual, which decreases the likelihood of a successful cyber attack. Insurers want to see MFA for access to email, remote access to the network and administrator-level access, as it will help thwart or at least slow down an attacker. While a determined threat actor may find a way around MFA, a company without MFA in use is low-hanging fruit.
  2. Assuming a skilled threat actor does find a way in, EDR tools can provide an extra layer of threat identification and protection. They have all the benefits of regular antivirus software but go beyond just looking for known indicators of compromise. EDR tools can also identify anomalous user behavior on the endpoint and flag it as suspicious. And if implemented properly, the tools can potentially prevent ransomware from deploying fully. These tools may also have important activity data that forensics investigators can use to determine what the threat actor did in the system and data recovery functions that help a company get back up and running faster. Insurers are increasingly asking about EDR as a control, given it can at least lessen the impact of ransomware incidents. 
  3. In connection with efficient data recovery, a solid backup strategy and documentation of a disaster recovery or business continuity plan will help provide peace of mind to policyholders that they are prepared for the worst-case scenario. Security protocols that include immutable backups (a backup that is read-only and cannot be altered or deleted by anyone, including an administrator at the company) are often supported by top-tier cloud backup solutions, marking another important consideration for policyholder investments. Gone are the days when backing up to a separate server is sufficient. Many organizations are moving their backup solutions to the cloud or adopting a hybrid model for this very reason — but it’s how you protect those cloud backups that is key. Organizations need to invest in a solution that will prevent internal members from making changes to backups, because a threat actor that steals their credentials will attempt to access and delete backups as a way to force an organization’s hand at paying.

To fully harness the power of these protective tools, there are two main ways to encourage policyholder usage: fair pricing and education. The cost of cloud backup solutions and EDR tools has come down significantly in recent years, meaning these tools are no longer cost-prohibitive for most companies. For insurers, providing additional discounts on top of already reasonable pricing can be what pushes an organization over to compliance. The greater challenge is in prioritizing what controls to implement and identifying the right vendor (there’s a lot of noise out there!). This is where education can be key and where cyber insurers and brokers can step in to recommend solid partners and solutions.


Enable Underwriters With Tech for Increased Visibility 

Cyber underwriters have traditionally relied on application questions, emails and, for larger accounts, underwriting calls to obtain the cybersecurity information needed to underwrite an account. Insurtech in cyber insurance empowers underwriters with additional data points about a risk’s posture so they can take a data-driven approach to underwriting.

The ability to scan for threats and identify risk levels based on existing data enables underwriters to identify vulnerabilities and build a more meaningful analysis. While there’s no tech-enabled replacement for an experienced underwriter, being able to gain insight into an organization’s IT infrastructure to discover common risk factors (some they may not even be aware of) can streamline the process. The applicant is able to mitigate risk and improve cyber hygiene, which gives the underwriter the additional confidence to move forward.

In the end, thanks to tech-enabled underwriting, the result is an insured organization. Given the current risk environment and hard market for cyber insurance, we can confidently say that, without the ability to pinpoint risk factors at an individual account level, far more insurers and their underwriters would have further clamped down on cyber limits, increased rates and perhaps exited the market entirely — meaning insurance would be inaccessible for most, if available at all.

Standardize a Threat Response

Cyber insurers and brokers can work with existing policyholders to identify new, active threats during the policy term and support them in their response. 

Once a policyholder is identified as at-risk, tech-enabled cyber insurance providers can consistently monitor the situation and communicate clearly, concisely and quickly about what’s happening. As more information becomes available, it is critical not only to alert the right people but to provide extra context around the vulnerability, the risk if they don’t patch it and the steps needed to resolve it. This should be done in a way that all types of team members (not just IT professionals) can understand the criticality and communicate it to the right stakeholders for resolution.


Another method to support policyholders is to weave in prioritized cybersecurity recommendations. At Corvus, our “vCISO,” or virtual CISO, guidance is one way we help policyholders take a stance against threats. This starts with a short security assessment; the responses are then paired with scan findings to provide the policyholder with a prioritized list of cybersecurity recommendations and resources to help them implement controls or remediate vulnerabilities. This type of consistent, close collaboration is core to the cybersecurity approach that modern insurtech providers are taking to make an enduring impact on risk, rather than checking off a few boxes at the point of underwriting and renewal.

To boost digital resilience and strengthen cyber hygiene against outside threats, policyholders need both the context for why certain security controls are so crucial and the ability to implement them adequately within their organization. Insurers and brokers play a pivotal role in guiding policyholders to make the best decisions to limit their risk, and solutions developed by insurtechs help get the process off the ground with data-backed guidance. As cyber attacks evolve, so will protection strategies — and the sooner companies adopt supporting technologies, the easier it will be to get on the same playing field as cybercriminals.