Last updated on April 9, 2020.
The global cyber insurance market is booming. Fuelled by a demand for standalone cyber insurance policies, the industry is expected to grow to around $24 billion by 2024, at a compound annual growth rate (CAGR) of 27% between 2018 and 2024.
Clearly, there is a need for highly customized and dynamic cyber insurance products for each consumer. Small and medium businesses and even individuals are joining larger enterprises in demanding comprehensive cyber insurance to mitigate risk. Each of these business types have their own cyber risk exposure, and the industry these segments thrive in play an important role in underwriting cyber insurance. Factors like physical location, local regulations, and data privacy laws play an important part in determining which product meets the needs of consumers and remains profitable for the insurer.
These five questions can help insurers craft policies and products
1. How do I know I have the right product for my customers?
A well-designed comprehensive cyber product should be able to:
- Meet the specific needs of the target segments
- Meet requirements imposed by the regulatory authorities across all geographies
- Meet the risk requirement across target industries
- Identify risks associated with a particular client in a transparent way
- Manage risk accumulation at a granular level with respect to policy coverages
- Allow easy digital capture of information digitally from customers
- Provide continuous risk monitoring on a periodic basis to facilitate dynamic pricing
- Assist insured customers in the event of a breach
- Be open and flexible in adapting to changes in cyber security environment as new risks emerge
2. How do I design a bestselling cyber insurance product?
A well-designed cyber insurance product should be comprehensive enough to stand the test of time, and should be able to address the risk exposures of all different industries and geographies in which they are located. The product should have innovative loss prevention tools to educate and potentially prevent a breach; and in the event of breach there should be a dedicated breach resolution team so that insureds receive responsive guidance at every step.
Cyber threats are a highly complex, technical, and dynamic issue. Any response must be sophisticated, technically advanced, and constantly evolving. The ‘Digital First’ approach to designing a cyber insurance product line uses design thinking methodologies to help digitally transform the business and address the unique challenges of the cyber insurance market. This process should be led by an experienced, multidisciplinary team of strategists, designers, cyber security technologists, and cyber underwriters who work with the insurer’s product development, marketing, underwriting, and service teams, as well as insureds to (re)design an entirely new experience.
A good cyber insurance product must be highly contextualized to the needs of consumers and offer varying degrees of cyber protection. It should be offered as a bundle with flexible pricing options to make it attractive, affordable and reliable.
While cyber insurance can reimburse the costs an affected consumer pays to respond to a cyber-incident (including litigation fees and damages, and reimbursing revenues lost or expenses incurred due to a disruption related to cyber incident), the key lies in preventing that scenario in the first place.
Often, a cyber-protection bundle offering a continuous threat surface and vulnerability assessment, targeted threat intelligence from dark and deep web, cognitive detection and on-demand consultative remediation support and advisory services serves as a solid add-on. An automated cognitive technology-enabled solution that respects the privacy of the insured, along with an option of a comforting human touchpoint makes a cyber insurance product holistic and attractive to consumers.
3. What are the key success factors of cyber insurance?
- Cyber risk is highly technical, dynamic, and has many unknowns. The traditional approach of underwriting is not applicable. Underwriters should be provided with a smart solution that can perform both intrusive and non-intrusive risk assessment and recommend a near-real-time decision.
- Getting locked into a single cyber risk assessment product is not recommended. There are numerous cyber elements – routers, switches, servers, laptops, phones, POS devices, cloud computing, dark web, emails, IoT, drones, and others. No one product can claim to cover all risks. Instead, adopt an adaptive, assimilative approach, capable of ingesting information from a variety of sources and synthesize it into a quantitative self-learning model. Cyber risk assessment should be as-a-service. The cyber technology players should innovate and bring a transparent, flexible risk-assessment model. The payment should be for the service, not for the license lock-in.
- Policy wordings should be broad enough to adopt and respond to the dynamic nature of cyber risks.
- There should be a facility for continuous monitoring of the cyber risks of insured accounts. Monitoring should be upgraded regularly to address emerging risks and threats.
- The coverages provided under the policy wordings should address all the risks of the target segments.
- Keeping a close watch on cyber risk accumulation is essential.
- Tapping into the dynamic, innovative Insurtech ecosystem is important, but start with only a curated list. There are too many players who are in various stages of maturity.
- It is essential to build a digital experience for customers, underwriters and agents/brokers. Along with digital sales and services, it is also important to invest in creating cybersecurity awareness in agents, brokers and consumers. This will reduce churn, increase customer satisfaction and drive growth.
- Partnering with an expert with geographical reach, capacity and capability to provide technical support to consumers when they need, wherever they need, is pivotal.
4. How do I augment my underwriting expertise?
Cyber Bots can be leveraged to perform non-intrusive assessments, and can gravitate to intrusive assessment depending upon the size of the risk to be covered.
AI/ML techniques to proactively assess and predict cyber risk using data from both structured and unstructured sources is crucial. Not only must the technical data be analyzed and assessed, data from security governance reports, annual reports, and vendor contracts can be used to construct a model to uncover hidden risks associated in processes and controls, even assess third/fourth party risks.
If you use an industry product or a solution to construct your risk model and scoring, it's vital to consider whether it is fully transparent to the underwriter. Every insurer has its own business strategy, risk appetite, procedures, and controls to be considered while using the risk model and scoring. If the commercially provided model is not fully transparent and hides the parameters into recommending a decision, it would be better to assign a lower weightage, and should allow configuration of the model parameters to suit your company’s risk appetite.
5. How can I be continuously vigilant and profitable?
The innate nature of cyber risk continuously evolves. The risk posture of a cyber insurance-covered entity can adversely change any time after the policy has been issued. This puts both the insurer and insured at a significant disadvantage and can have serious repercussions on their business and profitability. A good cyber insurance policy should offer post-contract risk monitoring, assessment, and on-demand remediation should the scores fall below a certain threshold. This will encourage responsible behaviour from both the insurer and insured. If the risk posture increases, the insurer can increase the premium to cover the additional risk and make the insured aware so that he/she can take mitigatory measures. If the risk posture decreases, the insurer can offer discounted premiums and earn customer loyalty.
1 - https://insurancenewsnet.com/oarticle/cyber-insurance-market-growing-at-a-cagr-of-around-27-between-2018-and-2024