Is cyber insurance underwriting headed in the right direction?

New exclusions and strict requirements to obtain cyber insurance have dramatically improved the sophistication of underwriting processes, but one large consulting and advisory firm is questioning whether this is the right approach for the market to take.

“[Chief information security officers] are now in the room speaking to underwriters to help them understand their risk,” Jack Bottomley, senior consultant for cybersecurity with KPMG in Canada, said during KPMG’s 2022 Insurance Conference in mid-November. “Gone are the five-question applications. The insurance market has also reacted to exclude certain industries — by and large, healthcare and public sector. Any clients with large operational technology are finding it very, very difficult to get cyber insurance.”

Things like systemic loss exclusions and war exclusions are starting to come into play, as are condition precedent wordings. For example, “if you don’t patch a vulnerability that’s been released within a month, your coverage is going to decrease,” Bottomley said. Another example is co-insurance on ransomware, meaning the client can be on the hook for, say, 50% of the cost of a ransomware incident.

“The question I ask is, ‘Is that the right approach by the market? Can we do better?’ Bottomley asked during the Opportunities and risks in cyber session.

Part of the solution is “developing additional value, not just presenting a problem of, ‘You need to meet these controls in order to get insurance,’” Bottomley said. For example, many Canadian cyber insurance companies are now requiring businesses to offer multi-factor authentication and have cybercrime/data breach response plans in place before qualifying for coverage.

Jack Bottomley, senior consultant for cybersecurity with KPMG in Canada, speaking during KPMG’s 2022 Insurance Conference.

Looking forward, a value-add could include rewarding good client behaviour and avoiding blanket exclusions for certain industries, Bottomley suggested.

“Understanding the risk, it doesn’t make sense to just exclude a good client in a bad industry, whatever that looks like,” he said. “Sure, maybe there were some claims in the past. But… those claims were probably because of some poor underwriting practices, which have now been changed.

“So going forward, I don’t think it’s good enough to say, ‘I’m not writing that because it’s an educational client.’ Look at the controls, understand the risk and give the client a fair exposure.”

Of course, that doesn’t mean all clients will be good risks. “Walking away from clients might be painful in the short-term, but in the long term, it’s going to drive better behaviour, help the client have better conversations internally about prioritizing cyber risk, and serve the sustainability of the cyber insurance market as well.”

Bottomley said the majority of clients cannot avoid cyber risk and essentially have only two options: mitigation and transfer. The cyber market is “doing a great job of driving the conversation of mitigation” across its client base, which means that need for transfer (to bring the risk down to an acceptable level for clients) is reduced.

“With the hard market, with premiums going up and continuing to go up — even now we’re still seeing 25, 50% increases even after the big corrections that we saw last year — more and more clients are starting to consider self-insurance,” Bottomley reported. “Is there a way that we can do that without these big premium increases, maybe even spend more money on the mitigation that’s actually going to help prevent, detect and respond to a cyber incident?”

Feature image by iStock.com/wutwhanfoto