April 17, 2019 by Greg Meckbach
Cyber insurance is a good tool to help clients understand their vulnerabilities, but carriers need to do a better job of pricing according to risk, speakers suggested at a recent conference.
“There seems to be a lot of spit-balling on the pricing in the marketplace today and I think for buyers, that’s always problematic,” said Doug Howard, vice president of global service and IT Innovation at RSA Security LLC, a unit of Dell Technologies Inc. “I have had insurance quotes…where one quote might come in in the millions of dollars and for the same exact [coverage] see something for $200,000. And then when you go back and challenge the other company, mysteriously, the gap will close pretty rapidly for no particular reason.”
Howard was moderating a panel discussion Tuesday at the International Cyber Risk Management Conference, produced by MSA Research and held at the Metro Toronto Convention Centre.
Howard suggested that for some clients, buying commercial cyber insurance is like going into a car dealership and being told a car is going to cost $28,000, then going to a different dealer and being told the same car is going to cost $22,000. In the car-shopping analogy, the consumer goes back to the dealer who initially quoted $28,000 and is told they will match the $22,000 quote.
Tuesday’s ICRMC panel was asked by an audience member what they think is valuable about cyber insurance and how the industry could be doing better.
“It feels a bit like the insurance industry is playing catch-up in understanding the cyber space and what the risks are, but I think it’s getting there,” said Nick Steele, a former deputy global chief information security officer for Sony Group who is now deputy chief security officer at Dell.
“If I buy an alarm for my house and I put extra locks in it, depending on where I live, that tends to affect [the price of] my home insurance policy,” said Steele. “But I don’t know that we are necessarily there yet in the cyber space and I am hoping that’s where we will end up.”
Also on the panel was Vivek Khindria, vice president of cyber security and technology risk for Loblaw Companies Ltd., which has more than 500 retail stores across Canada, including Shoppers Drug Mart, No Frills, Provigo, Superstore and Zehrs.
The cyber insurance providers are doing a good job of bundling incident response services from third-party technology vendors with the cyber policies, suggested Khindria.
“The Number 1 benefit for me and my program is, I know that my suppliers are going to be beholden to a list of incident responders that are qualified, capable and independent,” said Khindria.
“The worst thing [that can happen] when you are working with a supplier handling your data is for them to say, ‘Oh by the way, last Friday we may have had a breach. We are checking it out.’ Who is checking it out? ‘Well, Fred’s got a cousin and he’s helping us out.’ Who’s the cousin? ‘He knows about computers.’ That’s not good enough.”
Another advantage of having cyber insurance is that the carrier or broker will sometimes call the client and ask questions to gauge their risk mitigation methods.
“I have participated in some of those calls, I find it’s good,” said Khindria. “It doesn’t seem to sway the price up or down, no matter what is said in those conversations. But it does put the team on the spot, makes them think and prepares them. There is a couple of hours of pressure for that company to think, ‘Hey, are we actually doing enough?’”