Steven Schwartz, CEO Quest Managing Director, explores the cyber insurance paradigm at the intersection of InsurTech and RegTech, and why a lack of industry standards is holding back the potential of a much-needed cyber insurance sector.
Many mature organisations are becoming acutely aware that their historic industrial-era business models, which strive for control, efficiency and scale, were not designed for the speed, innovation and personalised customer experiences that consumers now demand. As such, corporate leaders find they have no option but to adopt cloud-based platforms as part of their ecosystem to gain operational efficiencies.
However, a greater diversity of networks, systems and third-party platforms brings vulnerabilities that previously did not exist. For enterprises, finding an appropriate balance between cyber security and privacy strategy on the one hand and room for innovation on the other is of fundamental importance. Investment in controls that align the internal corporate culture with existing and new business models, ensure data protection and maintain customer trust is vital if innovation is to thrive.
As virtually all businesses become "data companies" in a digital, networked world where numerous platform options exist, a big question emerges: how and when does the cyber insurance industry plan to adapt so that it can effectively underwrite and manage the most dynamic risk in the world?
The standardisation problem
It's clear that everyone wants a piece of the action. More than 70 US carriers and 30 UK carriers offer cyber insurance, and the supply side of the market is continuing to grow rapidly. There is, however, one fundamental flaw: there is absolutely no standardisation. When it comes to cyber risk aggregation, carriers do not consistently capture the same data points, and those data points do not conform to any industry data classification, so there is no gold standard even within the select group of insurers providing the coverage.
How can the industry appropriately underwrite, analyse and manage the most interconnected risk in the world when no two carriers capture the same data points in their underwriting applications and there is no common data classification to map them to?
Each insurer is analysing different data, and, perhaps a greater issue, the data is captured at a static point in time, typically via checkboxes on a paper application. It quickly becomes outdated, and unless a vulnerability assessment is mandated (as it is for some of the larger enterprises seeking coverage), there is no true validation of the prospect's security posture. Insurers are not capturing the contextual data needed to validate the insured's policies and controls, which are what actually represent the risk. Is it enough to ask "Do you educate or train users on information security and privacy?", or would it help to know that one insured runs a single annual lunchtime session while another holds quarterly training and schedules unannounced phishing simulations throughout the year? A single yes/no answer makes those two organisations look identical. It comes down to context and validity; the industry is deficient in both.
Then consider direct online-to-bind insurance, where some carriers require only four to six data points to underwrite the risk and present a quote in a matter of minutes. Are a company's industry, revenue, address, number of records and a question about previous claims really enough to understand the risk? While a seamless customer experience is needed so that new business isn't lost, at the moment it looks more like a reckless arms race to see who can capture the most SMB business, with little thought given to obtaining the data needed for informed underwriting. This is further highlighted by the fact that none of the insured's inputs are validated; every answer is self-attested.
Bridging the gap
To bridge the gap towards a more effective way to capture, understand, underwrite and manage the risk, while also delivering a seamless, individualised customer experience, let's first evaluate the hurdles facing both SMBs and large enterprises.
The biggest challenge for organisations is not technical, it's organisational. In shifting away from legacy enterprise structures, businesses have to re-evaluate their existing information security policies to ensure that their security controls are aligned with complete clarity about which data requires privacy protection. This often starts with a risk assessment similar to a cyber insurance application. That said, many SMBs have never had an adequate risk assessment unless contractually required to do so. Anyone who has painfully worked through risk and compliance assessments at the enterprise level will agree that the process needs to be streamlined with a centralised solution that collects and analyses information about the cyber programme, so that the organisation can react quickly to identified vulnerabilities and regulatory requirements. The traditional, siloed approach, in which a company completes each assessment in a confusing, overly detailed spreadsheet specific to one regulation, is outdated and ineffective. With this process, many organisations fall into the trap of focusing on completing each assessment rather than truly understanding their risk exposure across industry standards.
This unfortunately shifts the focus to a defensive posture of complying with regulations instead of deriving the actionable insights needed to enhance cyber maturity. Again, this manual process provides only a snapshot of the risk at a given point in time and can be extremely labour intensive. The burden grows further now that companies also need to assess their supply chain.
As we continue to shift to the digital era, a company’s cyber exposure or cyber maturity is not nearly the same on January 15, 2016 as it will be on January 15, 2017.
Continuous, standardised insight into a company's cyber risk is required to appropriately assess that risk at any given point in time. Insurers are spending thousands on isolated solutions, yet each gives them only a narrow view of cyber risk. In the continuous scramble to find new solutions and products, it's clear that there is a significant knowledge gap within the industry.
The secret at the intersection
What most insurers don't realise is that successful cyber insurance underwriting comes at the intersection of "InsurTech" and "RegTech." Insurers need to shift towards a digital platform that standardises data capture, makes the data immediately available for analysis, and continuously analyses an insured's risk throughout the policy period rather than only at application.
Both insurers and their customers need a standardised assessment that automates the manual processes of traditional risk assessments and lets companies streamline the IT and vendor audit process by answering once and mapping those answers to several security standards.
To take a stronger, recognised role in the cyber security process, insurers need to guide their clients towards appropriate solutions as early as possible and in a manner that is not too invasive. With standardisation and automation in place, you then create a brokerage force that finally understands cyber insurance, is more willing to sell the coverage and can act as an advisor to its clients.
This is how we effectively underwrite and manage cyber risk.