Risky Business Part 2: is friction in the insurance value chain putting businesses at risk?
Welcome back everyone! If you caught our last piece in the Risky Business series, you’ll know all about how cyber risk is affecting businesses, and exactly how the threat of attacks has shifted from an “if” to a “when”. If you haven’t had the chance to read up yet, you can catch up here. In the meantime, these are the highlights:
- An increase in the rate of cyber attacks has meant that cyber insurance is now a must-have for businesses of all sizes.
- The increase in the need for cyber insurance and the threats faced means cyber insurance has become more difficult and expensive to obtain.
- The increase in claims and their severity has led insurers to change how they’re assessing potential customers.
- Insureds are now being asked to look at cyber risk and improve security by implementing MFA, safeguarding their emails with SPF and DMARC, updating their business continuity plan, backing up data and introducing cyber security awareness training.
The cyber risk market has changed - what does this mean for you?
We’ve already spoken about how the cyber insurance market has changed, but in this piece we’d like to go into a bit more detail about why securing cyber insurance might not be as easy as you think. First off, we’d just like to say it’s not all doom and gloom when it comes to obtaining cyber coverage – it’s just that the route to market is not quite as clear as it used to be. A lot of the difficulties that organisations face can be put down to a combination of the hardening market and the friction between insureds, underwriters and brokers.
To quickly recap, the “hardening market” can be attributed to growth in both the number of claims that insurers are receiving and the severity of these claims; this has been compounded by the rise in ransomware attacks. The upshot of all this is that organisations are finding it increasingly difficult to get cyber coverage, as insurers are becoming more selective when it comes to who they offer it to. The larger issue that many companies are facing, however, is a rise in friction between insureds, brokers and underwriters.
What does friction between insureds, brokers and underwriters look like?
We recently spoke at the Intelligent Insurer conference about this very issue. To put it plainly, each member of the insurance value chain (insured, broker and underwriter) has a unique position, and the changes to the threat landscape have made it more difficult for everyone to do their job.
Let’s start with underwriters. From the perspective of a broker or insured, it can look like they’re trying to withhold coverage – but this isn’t the case! What’s actually happening is that as risk has evolved, insurers need to find out more about what businesses are doing to alleviate common risk factors – this largely comes down to judging a potential insured’s cyber risk management. To help track this, they’re going to be asking a lot more questions at the time of application and renewal. On top of this, a more in-depth risk analysis is required to see where exactly potential customers sit. At the same time, this analysis serves to validate the customer’s conformity to processes and policies required by the insurer. This has come as a bit of a shock to businesses, especially if they’ve been insured before! The stringent nature of questioning, as well as the depth of analysis, means that many companies feel like they’ve been left in the dark.
Enter the broker. Traditionally the midpoint between insurers and businesses, brokers in the cyber insurance sector have seen their jobs get a lot more difficult. They’re now having to try and communicate these changing requirements directly to their customers and the shift has meant that brokers are now taking on more of an advisory role. If they can’t explain or help get businesses into a position of better cyber health, they may find themselves in the situation where they’re unable to get them a quote at a price they can afford, or even get them coverage at all. It's been the case that many brokers have found it increasingly difficult to get clients the cyber coverage they so desperately need, as the requirements of underwriters are evolving constantly.
Finally, insureds. Businesses around the globe are being asked to do more and more just to obtain coverage, not just at the point of application or renewal; insurers are now looking for evidence of good cyber risk posture throughout the entire lifespan of a policy. Not every business has the capacity and resources to dedicate to the necessary degree of cyber risk management. Even with the help of good brokers and engaging with underwriters, they’re still struggling to get to grips with the exact demands of insurers.
Organisations might be considered a “risky business” (despite having the best intentions), underwriters need a complete risk profile before they can think of offering coverage, and brokers are trying to figure out exactly where a client’s risk lies so they can ensure they’re in the best possible position to get a quote. Together, this presents a frustrating situation for everyone involved. The upshot is that everyone is having to become more engaged with risk.
How can insureds, brokers and underwriters work together?
From what you’ve read above, you might think that things are looking a little shaky, and that the rise in so-called “risky businesses” could mean no business at all for insurers and brokers. But, rest assured there is a solution, and it’s largely focussed around the insurance value chain working together. Things can’t go back to how they were! Instead, we need to look at shaking things up and improving the relationship. Reducing friction starts with simplifying the entire application and renewal process. By properly engaging with cyber risk throughout the entire lifespan of a policy and application, a renewal is no longer this big one-off event that’s fraught with worry – instead it’s just another part of the day-to-day management of the policy. This all sounds great in theory, but how can it actually be achieved?
How can risk management technology help alleviate friction?
The role of technology and solutions has become all the more important, given the rise in friction within the insurance value chain. At its heart, the most important options are now offering instant visibility of an insured’s cyber risk profile. On the face of it, this might seem like quite a small thing – the implications, however, are massive. No matter whether this risk posture is analysed by an insurer, broker or even the insured themselves, the improved visibility means that it is possible to immediately see where risk lies, which is the important first step in managing and reducing it.
It also allows for better collaboration. We’ve seen scenarios whereby using technology like ours, brokers have been able to explain to clients exactly where their gaps or vulnerabilities are before the point of submission. They can also be used by underwriters who can pass on the information directly to insureds or brokers, allowing them time to organise and put measures in place. The biggest advantage for insureds is that they’ll be able to experience a simpler renewal, while also benefiting from better terms throughout the lifespan of the renewals.
“Unfortunately, shiny front-end technology alone cannot solve the challenges of securing cyber insurance in 2022 and beyond. Behind every min control requirement is a person, a team; struggling with budgets, resources and engaged in difficult internal conversations regarding how much risk tolerance is acceptable. Technology is only one part – providing strategy, insight and guidance to actual ‘people’ enables and maintains the best chance of insurability” – Ben Duffy, Head Of Insurance at KYND
Continuous risk management - the future of mitigating risk
The evolution of cyber risk management technology goes even further than this though. There are plenty of options that work to provide a snapshot of risk – which is of course useful when approaching a submission or renewal. But, the prospect of continuous monitoring presents a far better outcome for all involved.
As we spoke about earlier, the best way to reduce friction is to stop treating cyber risk management as a tick box exercise that’s only focussed on once a year. By choosing continuous monitoring, insureds can keep themselves better protected around the clock, and it also supports a better cyber risk posture, which makes organisations a more attractive proposition for insurance. When brokers or underwriters use continuous monitoring, they can alert their customers as soon as a new vulnerability is flagged – this is a real value-add to the service these two parties can provide, while at the same time it better protects insureds in the ever-shifting landscape of cyber threats.
What’s KYND’s position?
We’ve made it our mission to help everyone see, understand, and manage cyber risk. There may be other options available, but our own has been built with simplicity in mind. You won’t need an IT degree to understand risk, and our system delivers non-intrusive analysis and prioritised reports that are available as and when you need them. When it comes to continuous monitoring, our scans test against over 250 known threats. We’re constantly updating our parameters to ensure that whenever a new threat emerges (these cyber criminals are a crafty lot) we are on hand to offer advice on what an insured needs to do to stay on top.
Speaking of advice, our commitment to better cyber risk management spreads to every member of the value chain. We’ve set up specialised services for insurers and brokers alike, all of which aim to help make risk manageable, with a combination of pioneering technology and support from our own team of experts that doesn’t rely on jargon. We’re committed to reducing this friction with the aim of making risk manageable for everyone. If you’d like to find out more or see a demo, get in touch!