At its best, traditional insurance helps businesses manage and mitigate the risks they worry about most, and helps make everyone safer along the way. The data insurers have on effective interventions — and the lever of pricing to guide policyholders’ actions — are a powerful combination. Over time, the insurance industry has helped make buildings, work sites, and transportation safer – the key uncertainties people cared about.
Having an understanding of the power and potential of insurance is exactly what makes it frustrating to see some players in the industry shy away from insuring cyber risks. Thanks in large part to insurance itself, risks involving buildings, auto fleets and workplace injuries are no longer chief concerns for business leaders. They are not gone, but are well managed. Instead, businesses are worried about cyber risk. Surveys consistently show cyberattacks and data breaches are the top concern for business leaders, and oftentimes their next-biggest concerns — things like business interruption and brand reputation damage — are direct outgrowths of cyber threats.
That’s why it’s not an exaggeration to say that getting cyber insurance “right” isn’t just a good business opportunity for insurers, reinsurers and brokers — it’s also a make-or-break moment for the industry. If we don’t help our customers navigate their biggest concerns, they will look elsewhere for solutions. We could find ourselves in a future where businesses trust their old-line insurer to protect their (likely reduced) office space, but when it comes to their most precious assets — the digital ones — their resources go elsewhere.
The demand for Cyber Insurance is evident. Why are insurers scared?
We shouldn’t be surprised by business leaders’ worries about cyber. It’s become a cliché at this point, but data truly is the new oil (or gold, or real estate): it is a crucial and valuable commodity. Likewise, digital operations and interconnectivity are now fundamental for business operations. So when a cyberattack hits, a business not only risks losing its most valuable assets, but also risks a simultaneous interruption from generating revenue. It can be devastating, and businesses’ concerns are justified.
So why would an insurance industry that so valiantly helped its customers with their most risky problems in the past shy away from cyber?
1. Cyber is new.
We don’t have decades of data on which to build actuarial models, making the risks seem practically unknowable if your only lens is traditional methods of underwriting. It means introducing new and unfamiliar types of information into a process that change has come to slowly.
2. Cyberattack vectors change constantly.
It’s one thing to model the potential impact of something we’ve known about since the beginning of time, like how much a fire will damage a certain type of building. It’s entirely another to have to update your models to capture the likelihood of a new kind of threat event every other month.
3. The pace of change also requires near-constant engagement with policyholders.
This upends the model where an insurer sits comfortably in the background for 364 days a year. While frequent customer engagement is entirely normal in some industries, it’s a new type of motion that insurers are not accustomed to.
This is an industry where a 30-year-old player can still be considered an “upstart.” Overcoming these roadblocks is not a trivial undertaking. But we in insurance must press on in order to stay relevant — and fortunately, we have a leg up.
Insurance has an advantage - and history behind us
An insurer’s unique position leads to natural advantages in helping businesses face down cyber attacks and threats.
Most importantly, we have unmatched access to data. The victims of cyberattacks naturally try to hide as much as possible from the public about incidents, posing a problem for any third party trying to form an accurate picture of the threat landscape. Even most cybersecurity software providers gather data only on discrete parts of a customer’s system, or serve only particular kinds of clients or technologies.
It’s insurers who can see the full view. What kinds of businesses fall victim to cyberattacks and what kinds of technologies and cybersecurity solutions were in place, how an attack unfolds and what it ultimately costs the victim: this is all visible across an insurer’s diverse book of business.
All of this data provides clear signals about which actions businesses can take to make themselves safer, and insurance pricing gives a strong incentive to carry those actions out. This is insurance at its best: helping policyholders understand their risk, alerting them to imminent threats before they become a victim, and, when necessary, pushing the adoption of proven technologies or processes that make them safer. It’s a modern and amplified version of how insurance drove change in past decades in fire, auto, and workplace risks.
Another distinct advantage comes from the insurer’s position as a partner. In the event of an incident, the insurer won’t be seen as an opportunist, generating questions about motivation or trust in the midst of a crisis. Within the insurer-policyholder partnership incentives are aligned, and teams are already in place to help policyholders coordinate and manage the complicated incident response process.
Cyber is the insurance industry's opportunity to lose
Overcoming the challenges of cyber and leveraging insurers' natural advantages will require new approaches, and new talent. In order to ingest new forms of data and make the data actionable for cyber underwriting and risk management, you need to have an agile and tech-led approach embedded in the DNA of your organization. To stay in constant contact with policyholders and deliver the insights they need to be safer, you need a different kind of service and communication mentality.
That means bringing together different pools of talent: insurance underwriters working alongside cybersecurity experts; actuaries working alongside data scientists and software engineers. It’s with these varied skill sets that we are uncovering the solutions that will form the future of cyber.
If that describes the right way to approach an opportunity like cyber, there’s also a wrong way. In the face of a difficult risk, some insurers are relying on heavy exclusions and low limits, offering the minimum risk solution possible and hoping for the best. That’s a reliable way to avoid the issue, but it’s not a reliable way to win over customers and gain trust.
We don’t know how the insurance industry will react to these challenges and opportunities over the long term. What we do know is that policyholders will continue to care a great deal about cyber risks and security breaches because they are not going away.
Since we can’t eliminate cyber risk, what we can do is give policyholders the best possible chance for continued safety and stability through cyber risk mitigation. We can act as a partner and help our customers manage their concerns, not only through sharing of financial risk but by helping them increase resilience. Or, insurers can become the farriers of the 21st century. It’s our choice.