Few cyber insurance policyholders have a security program in place. That’s an opportunity for insurers and brokers.
For large businesses, cyber risk is a fact of life. After the spate of privacy breaches and ransomware attacks experienced by companies with household-name brands, including the WannaCry and NotPetya attacks of 2017, cyber risk shot up to the top of lists of business risks. A recent survey of large businesses from Willis Towers Watson suggested that 85% of US employers and 72% of UK employers consider cybersecurity to be a top priority.
In general, these companies have the resources to take on cyber risk head-on, with well-developed IT policies and programs throughout the enterprise. But if you’re not a Fortune 500 company (or even a Fortune 1000 company), are the headline-making events of the last few years enough to coax you to take action?
Most would answer yes, with some caveats. One way to gauge this is to look at the market for cyber insurance. The steady growth not just in the enterprise segment, but also in middle and small business segments, speaks for itself. Within the SMB segment, first-time buyers of cyber insurance policies grew an average of over 30% each quarter for the year leading up to Q3 2018. That is substantial growth.
Yet awareness of the issue and the penetration of cyber insurance don’t provide a complete picture of risk, or of what companies can do about it.
A recent survey from the Council of Insurance Agents and Brokers (CIAB) found that just 37% of commercial brokers’ clients have a security program in place to prevent or mitigate the effects of cyber attacks. These clients run the gamut from SMBs to the largest enterprises. The number is surprising given that this is a sample of companies that we already know have cyber insurance – so they are certainly aware of the risk, and willing to take steps to mitigate their financial exposure. Yet few have put procedures and programs in place to prevent the events they are insured for.
This points to a major opportunity for the insurance industry.
Companies of all sizes are clearly looking to insurers for help in protecting against cyber risk. While the world’s biggest companies are already backing up their cyber insurance policies with standardized security procedures deployed across many thousands of employees and applications, companies in the vast middle market, including many large businesses, are not. The insurance industry serving this market can surely underwrite the risk and provide policies, but we can also provide the knowledge companies need to move toward safer practices and policies for cyber.
The key, as with much innovation in today’s business world, is data.
As cutting-edge cyber insurers develop new means of identifying and pricing cyber risk, the next frontier should be deploying that knowledge in ways other than simply fueling a premium and coverage decision. The opportunity is there for insurers to arm brokers with data about their clients’ vulnerabilities. In turn, brokers have the opportunity to relay that information to clients, ensuring they understand it. The challenge for everyone throughout the insurance value chain is presenting data clearly, making it actionable for the policyholders.
The CIAB survey noted that 85% of brokers have a “strategic approach to marketing and educating clients about cyber risks.” It’s time for insurers and brokers alike to take it a step further. If clients can get their hands on actionable information about cyber security — armed with knowledge of what it means, and what to do about it — it could mean fewer claims, lower premiums, and a safer web environment for everyone.