Capacity is still readily available to cover cyber risks, but more insurers are approaching the coverage cautiously, a speaker said Friday at NetDiligence’s Cyber Risk Summit in Toronto.
In terms of procedure, clients’ applications for cyber coverage must clear more hurdles now than they did before, noted Sophia Kudlyk, cyber practice leader with insurance advisory and brokerage firm Purves Redmond Limited. “It’s not necessarily just the application, quick, done, easy,” she said. “Additional questions are being asked. I think the onus is on the brokers to be able to explain [to clients] why these questions are being asked, why it’s important to the underwriting process, [and] what losses you have seen that lead to these questions being important to know from an underwriting perspective.”
Kudlyk was responding to a question from moderator Lindsey Nelson, U.K. and international cyber team leader with CFC Underwriting, about how easy it is to get terms in the market from a broking perspective. Kudlyk was part of a panel called Underwriting Small Risks at the 6th annual Cyber Risk Summit in downtown Toronto.
Generally speaking, coverage is very broad, Kudlyk said. “It’s as broad as it can be. The onus has shifted onto the broker to really differentiate between the policies that are in front of them. If they don’t understand the nuances within the policy wordings, there is not going to be that traction.”
In addition, pricing in the cyber market has started to normalize a bit more, Kudlyk reported. “You’re starting to see that narrow a bit, which is helping with the credibility of the coverage.”
From left: Moderator Lindsey Nelson of CFC Underwriting, James Lindsay-Carlin of Hiscox, Dave Chatfield of NetDiligence and Sophia Kudlyk of Purves Redmond Limited at the NetDiligence Cyber Risk Summit Feb. 21.
Another part of the panel discussion revolved around the underwriting process for SMEs (small- and medium-sized enterprises). Nelson said that a couple of years ago at CFC, the specialist insurer stopped asking control-based questions and began underwriting from an exposure perspective and the data it already has. “Streamlining that on systems where you only need one piece of information to get quotations is now starting to become the norm on that type of business,” she said.
Nelson then asked: “How easy should we make it as a market for these clients to get business, and what information should we actually be asking them, if anything at all?”
Panellist James Lindsay-Carlin, a cyber underwriter at Lloyd’s syndicate Hiscox London Market, said that about three to five years ago, it was pretty common to give an SME a five-, six- or seven-page application form. But now, the underwriting questions being asked are very, very restricted and come in short question sets.
“But I think the pertinent information is being asked,” Lindsay-Carlin said. “We’re in a stage now where the market has matured enough where we do have claims experience to base some of this on. So we do have claims databases, we know the key questions which we’re asking.
“Personally, I can’t see how we can make it any easier.”
As an example, Lindsay-Carlin said, a common underwriting question or common part of a warranty statement might have to do with a company’s back-up business processes and strategy. “We found at Hiscox, across the U.S., Europe, Canada, Australia and the U.K., for [the instances when] insureds answered negatively to our back-up questions, the cost of a ransomware claim to us is 20 times [more than] when they answer positively to it,” he said. “When we look at what questions are actually material, I say that is obviously a material question in there.”
On the flip side, asking a company with $2 million in revenue if they have a dedicated chief information security officer is likely unnecessary. They probably don’t, Lindsay-Carlin said. “Do you really need to ask that question that isn’t going to impact your underwriting decisions?”