Observations on cyber from Canadian Lloyd’s coverholder

Your commercial clients may be able to get cyber insurance with fewer underwriting questions than in the past, but you should still pay close attention to those clients’ risk management practices, the head of a Toronto managing general agent suggests.

The list of questions cyber insurers are asking during the underwriting phase has “probably gotten shorter as we have seen more market entrants come in,” said Greg Markell, president and CEO of Ridge Canada Cyber Solutions Inc., in a recent interview. Toronto-based Ridge is a managing general agent and coverholder in the Lloyd’s market.

The cyber market is getting softer, with broader coverage, suggested Markell. “The new market entrants are not necessarily requiring the breadth and depth of a lot of the previous applications that we saw, which were far more technical,” he told Canadian Underwriter.

In the Lloyd’s market, Ridge places commercial cyber insurance, including privacy liability and the cost of a business being interrupted as a result of a breach.

Ridge tends to ask clients seeking cyber coverage a lot of questions about the processes and controls they have in place to manage cyber risk, said Markell.

“We can still give pricing indications on very limited information, and we tend to stick to them. But then, as you peel back the layers of the onion with clients and with brokers, we encourage people to treat the cyber procurement process as more of an introspective consulting exercise. So if you are answering “No” to every question on a short-form application, are you necessarily ready to buy cyber?”

And what happens if your client answers “No” to every question?

“The reality is that the market is so soft, someone is probably going to write the risk,” said Markell. “Someone is probably going to [quote a price to] the client. But if we are looking at things pragmatically, and saying, ‘We are trying to be in this for a long, sustainable time,’ I think it is more worthwhile to have the risk management discussion.”

Ridge encourages brokers to talk to clients about how they can improve their risk and improve their processes.

For example, you could ask the client how, exactly, they educate their employees on basic precautions such as how to choose good passwords and to avoid clicking on links or opening attachments if they seem suspicious.

“It truly does start with the culture of the client,” said Markell. “When we have those discussions, you get a different perspective around the underwriting. You are not just looking at an application and seeing “Yesses” and “Nos” checked off at that point. You are truly getting your hands dirty with the client, finding out what sort of receptiveness they have, whether they are taking (information security risk) seriously and frankly you can make a judgement on governance at that point.”