Cyber-Insurance Underwriting Is Still Stuck in the Dark Ages
Innovations in continuous controls monitoring may be the only way underwriters can offer cyber-insurance policies that make sense in the market.
Insurance underwriters are storied for their analytical and extremely methodical use of data to measure risk and write policies accordingly. This works well in insurance markets such as car or home insurance, for which actuarial tables exist based on risk data that goes back for decades or longer.
But when an insurance company seeks to cover a fast-changing risk environment for which very little long-standing data exists, a lot of that actuarial science becomes more like a guessing game.
Guessing Game
This is where we're at with cyber-insurance underwriting today.
As a result, the last couple of years have been a wild ride for the cyber-insurance market as insurers have grappled with a very real profitability gap. After a decade of steering headlong into a lucrative cyber market that seemed to be minting money for insurance companies, insurers and their policyholders have crashed into a wall of ransomware and costly breaches.
Now a reckoning has come. Facing mounting loss ratios, insurance companies are scrambling to rationalize their cyber-insurance portfolios. They started a couple of years ago with huge spikes in cyber-insurance premiums. They've stabilized those increases somewhat in 2023, but now the more expensive policies are offering less coverage and including a whole lot more exclusions and limitations.
Offering expensive policies that exclude common risks such as ransomware or nation-state attacks is simply not a sustainable approach. This has helped insurers become more profitable for now, but these are only short-term fixes to the real problem at hand: the underwriting process for cyber-insurance policies is still not that sophisticated. Most underwriters are poorly equipped to effectively measure the cyber-risk exposure of new or renewing customers.
Cyber-Insurance Underwriters' Dirty Little Secret
The secret of the cyber-insurance market is that most policies today are underwritten based on self-assessment questionnaires.
Sometimes these questionnaires are quite simplistic, with very little verification of the answers given. The pressure of accumulating losses has had some insurers beef up the technical details requested of applicants. But at the end of the day, self-assessment still reigns as the primary means of judging the insurability of an organization.
This poses problems on several fronts. Some of the questionnaires fail to examine enough material risks to scientifically measure the cyber exposure of applicants. The answers are rarely checked until it comes time to make a claim and the claims adjuster is looking for a way out of the contract. And most critically, even if a questionnaire is answered completely honestly, thoroughly, and accurately, it is almost immediately out of date the second an insurer gets it.
The limitations of self-assessment in cyber-insurance underwriting mirror the same issues faced by vendor-management organizations in judging risk posed by partners and suppliers. This was what spurred on the entire third-party risk management (TPRM) platform market over the last decade. TPRM monitoring platforms were created to get continuous but simplistic views into the risk exposure of a third party's Internet-facing infrastructure, even if those third parties would tell the first party to pound sand if they asked for any oversight into their internal systems.
Cyber-insurance underwriters could potentially learn a lot from this market evolution.
Cyber-Insurance Underwriting Is Ripe for Disruption
Cyber-insurance underwriters would do well to take a page from vendor management by supplementing questionnaires with continuous monitoring. But instead of the somewhat crude metrics offered by TPRM, the right approach for cyber-insurance underwriting may be better served by continuous controls monitoring (CCM).
Lauded by the likes of Google Cloud's CISO Phil Venables as a way to create a near-real-time ongoing measurement of the maturity of an organization's security controls, CCM is primarily used for helping organizations track their internal controls for governance, risk, and compliance (GRC) auditing. But it could just as effectively be tuned to provide risk exposure measurements to cyber-insurance companies.
Insurers probably have enough leverage through policy terms and bundled security products to attain this kind of inside-out monitoring approach in their customer base. CCM is still mostly aspirational for midmarket or smaller organizations, so cyber insurance companies would have to be creative in how they gained visibility in these segments. In some cases, the approach could be to partner with managed security service providers (MSSPs) or even directly offer a combined MSSP-cyber insurance bundle that includes CCM in the mix.
Whether it comes from CCM or some other form of monitoring, this is the kind of disruptive innovation in cyber insurance underwriting that insurers are going to have to seek out to make their policies attractive not only to their bottom line, but also to the customers they cover. Cyber insurers need a method of risk measurement that moves as quickly as the threats do. It's the only way to create a cyber-insurance market that makes sense for everyone.