Until recently, insurance companies were more than eager to meet the growing demand for cyber liability coverage. Competition among carriers drove down premiums. Insurance companies turned easy underwriting standards into a competitive advantage, according to the RPS U.S. Cyber Market Outlook.
Times have changed.
The past 18 months have been tough for the cyber liability market, both from an insured's and a retail agent's perspective. With coverage supply and demand out of sync, finding the right level of coverage at an affordable price can be a challenging task.
"Long-standing underwriting issues in the market as well as what had been a growing mismatch between exposures and underwriting, helped to create the current situation and the imbalance between coverage supply and demand," explained Steve Robinson, Risk Placement Services area president and national cyber practice leader.
Fortunately, with the right approach and a bit of extra effort, cyber coverage is still obtainable, especially for those organizations that are willing to step up to the plate and take their cyber security responsibilities seriously.
The need to keep pace with the constantly changing nature of technology, and the resulting exposures, make cyber a tough market for retail insurance agents to dabble in. Agents need to stay on top of cyber insurers' varying appetites, policy forms and language modifications.
While the technology jargon can be daunting, a good place for agents to begin their cyber education is by becoming familiar with application language around topics such as multi-factor authentication and remote desktop protocol, as well as proper back-up procedures and employee education programs. These are areas that can make or break a customer's ability to receive coverage.
They should also tap into available expertise, whether it's an agency colleague or a wholesale broker with significant experience in this sector.
Organizations can improve their attractiveness as a potential insured in a number of ways. The first step is to put a greater focus on network security. Smaller organizations, or those in industry sectors such as construction and manufacturing that aren't traditional targets, need to stop thinking that their business is immune from a cyber-attack, simply because they don't store thousands of customer credit card numbers or protected personal information.
Given the pressures on smaller information technology departments to keep pace, as well as their tendency to be more reactive than proactive, smaller companies and organizations should either consider outsourcing their network security to a third-party provider or at least augmenting their existing staff with outside expertise.
Employee education is another critical area for organizations to address. This needs to go beyond a yearly requirement for employees to watch a video and then pass a test. Organizations need to make training engaging and help employees feel that they are part of the solution. Tabletop exercises that require participants to work through different risk scenarios and potential cyber threats can be an effective way to accomplish that goal.