Cyber liability is one of the most challenging business coverages to accurately and profitably underwrite. This relatively young market lacks decades of actuarial data to help guide underwriting decisions. The fast-moving nature of technology itself means cyber exposures emerge and evolve at a pace that's difficult for even the most dedicated insurance professional to keep up with.

Until recently, competition among insurance companies created another underwriting issue. Eager to grow their market share, insurance companies turned easy underwriting standards into a competitive advantage. That approach abruptly stopped in 2020 as insurance companies experienced the impact that soaring claim frequency and severity had on their bottom line, according to the RPS U.S. Cyber Market Outlook.

Clearly Underwriting Standards and Strategy Needed to Change

Insurance companies began asking detailed questions about a company's information security safeguards and practices through supplemental application forms for ransomware and business interruption (BI).

Network security questions now go beyond antivirus software and requests for the latest version of the company's data privacy policies to include topics such as:

  • Data backup, segregation, testing and recovery
  • Storage of biometric information
  • IT vendor vetting process and management controls
  • Employee cyber security training
  • Remote desktop protocol (RDP) configurations
  • Endpoint detection and response (EDR)
  • Email security
  • Log-in security and user authentication.

Multi-factor authentication (MFA) in particular has become a must-have to qualify for cyber coverage, as it's one of the most effective ways to prevent a cyber extortion event.

MFA, also known as two-factor authentication, requires the user to provide at least two different verification methods to gain remote access to applications, servers or networks. For example, MFA requires users to present both a password and a unique corresponding device (such as a cell phone) to log into a network.

With MFA, if bad actors obtain an employee's usernames and passwords from the Dark Web, they won't be able to access the network without that secondary factor. Nearly all cyber insurance providers added MFA as an underwriting requirement in 2021 as they focus on addressing deteriorating loss ratios.

While many insurance companies simply won't underwrite, or even renew, a cyber policy for a company without MFA in place, others will instead apply sublimits or even exclusions on cyber extortion and BI resulting from ransomware events to control their loss ratios.

Insurance companies are also starting to incorporate the same scanning technology used by hackers into their own underwriting process. This allows them to assess an organization's perimeter security and also develop a metric-based assessment for a potential cyber-attack.

These scanning tools can be used to identify unused, vulnerable open ports that could provide a bad actor with a network entry point.

However, even with the right controls in place, insurance agents are finding it challenging to find their clients affordable cyber coverage, and at the limits they desire. In these situations, agents may find a solution by working with a wholesale broker with significant expertise in this sector.
