Canadian Underwriter

Will cyber become uninsurable?

February 10, 2022   by Alyssa DiSabatino


With some loss ratios peaking around 400% in recent years, underwriting cyber risk has become a challenge for the industry. 

Brokerage executives discussed whether cyber is becoming uninsurable, and agreed a lack of understanding about technology risk is creating undue exposures, in a Feb. 8 Canadian Underwriter webinar.  

“Cyber, like a lot of products, it struck me that it was just this race to get to market,” Erin Magilton, risk and broking leader, Canada, WTW, said.

“I think there was innocently a lack of understanding in terms of how to truly underwrite — a lack of understanding of systemic risk,” she said. “It’s also a risk that seems to fundamentally shift on a daily basis. It’s hard to wrap your arms around a moving target.” 

When it comes to whether it’s insurable or not, Magilton said it’s nuanced: “It might be uninsurable for some and I think there are some elements that might be uninsurable for all.” 

She added brokers, insurers and insureds need to have fulsome conversations to address which elements of cyber coverage are actually needed by the client. 

“Start crafting solutions and products that address those needs, rather than — as we do in a soft market — kind of throw everything at the wall to charge very little for it, and keep our fingers crossed that nothing goes sideways,” she said. 

“There are still industry verticals that are underpriced and cyber is one of those,” Doug Morrow, CEO and managing partner, Excel Insurance Group, said.

Another broker executive agreed cyber could become uninsurable.  

“It could be on the precipice of being uninsurable,” said Adam Mitchell, CEO, Mitchell & Whale Insurance Brokers.  

Even though cybercrime often victimizes companies through high-profile breaches and ransoms, Mitchell explained cybercriminals are also capable of stealth.  

“What about the people that are wandering around the servers, not saying anything? They go in, they go out, and you think you have all the doors locked. But these smart criminals have the ability to install new doors,” Mitchell analogized. “Or, we’re talking about the doors, and we didn’t realize the whole time the roof had holes in it.” 

“These new things keep getting discovered…it doesn’t feel like the majority of our industry understands, never mind the customers, and we’re all so damn exposed,” he added.  

Morrow concurred that insurers may lack understanding of the products they underwrite.  

He gave an example of a client that was expected to update their internal systems to meet the cybersecurity expectations of a carrier but wasn’t given adequate time.  

“A very large, complex client was given, I think, 90 days to introduce multi-factor authentication. It’s about an eight- or nine-month project,” he said. “And of course, in the middle of that eight or nine months, we have a [policy] renewal.” 

Morrow said this client interaction shed light on how pressing it is for the industry to work with incumbent clients in particular, “not to create undue stress, and not to create situations where people will find themselves without coverage.” 


Feature image by Shulgin