CyberSecurity SEE

Cyber-Insurance Underwriting Remains Stagnant in Current Times

Insurance underwriters are facing significant challenges in the cyber-insurance market, as the fast-changing risk environment and lack of comprehensive data make it difficult to accurately assess risks and write policies. While traditional insurance markets, such as car or home insurance, rely on actuarial tables based on decades of data, cyber-insurance underwriting is more like a guessing game.

In recent years, the cyber-insurance market has experienced a turbulent ride, with insurers struggling to maintain profitability. Ransomware attacks and costly breaches have resulted in mounting loss ratios, forcing insurance companies to reevaluate their cyber-insurance portfolios. Premiums for cyber-insurance policies have skyrocketed, and policies now offer less coverage and include more exclusions and limitations.

However, offering expensive policies that exclude common risks like ransomware or nation-state attacks is not a sustainable approach. While these measures may temporarily improve profitability, they fail to address the root problem – the underwriting process for cyber-insurance policies is not sophisticated enough. Most underwriters lack the necessary tools and expertise to effectively measure the cyber-risk exposure of new or renewing customers.

A dirty little secret of the cyber-insurance market is that most policies are underwritten based on self-assessment questionnaires. These questionnaires often lack sufficient detail and verification, relying on the answers provided by applicants. Unfortunately, these answers are rarely checked until a claim is made, at which point the claims adjuster may be looking for reasons to deny coverage. Moreover, even if the questionnaire is completed thoroughly and honestly, it quickly becomes outdated, as cyber risks evolve rapidly.

The limitations of self-assessment in cyber-insurance underwriting mirror the challenges faced by vendor-management organizations when assessing risks posed by partners and suppliers. In response, the third-party risk management (TPRM) platform market emerged, providing continuous but simplistic views into the risk exposure of third parties’ Internet-facing infrastructure.

Cyber-insurance underwriters can learn from this market evolution and supplement questionnaires with continuous monitoring. Continuous controls monitoring (CCM), which creates a near-real-time measurement of an organization’s security controls, could be an effective approach for cyber-insurance underwriting. CCM is primarily used for tracking internal controls for governance, risk, and compliance (GRC) auditing but can also provide risk exposure measurements to insurance companies.

Insurers have the leverage and resources to implement CCM or other forms of monitoring in their customer base. However, the challenge lies in extending this approach to midmarket or smaller organizations. In some cases, insurers could partner with managed security service providers (MSSPs) or offer combined MSSP-cyber insurance bundles that include CCM.

Disruptive innovation is necessary in cyber-insurance underwriting to make policies attractive to both insurers and customers. Insurers need a method of risk measurement that can keep pace with evolving threats. This kind of innovation will contribute to the creation of a cyber-insurance market that is more effective and beneficial for all parties involved.
