Cyber Insurance Underwriters Overemphasize Speed

Written by Kyle Ferguson, Vice President of Business Development

July 8, 2016

Every time I search Google for the latest news related to cyber insurance, I find announcements about the latest insurance company to enter the cyber insurance market that touts its quick and easy cyber insurance quote generator. In as quick as 5 minutes, small and midsize companies now have the ability to purchase cyber insurance.

At first glance this seems like a great thing for companies because they have quick and easy access to necessary insurance coverage in the face of growing cyber threats. For insurance companies, they are able to drive premium growth via new product offerings that have so far enjoyed healthy margins. The fundamental problem with this quick and easy quote process is that underwriters are unable to determine the risk profile of a customer in 5 minutes.

The ability to underwrite cyber risks quickly provides carriers with a competitive advantage for winning new customers but it leaves the carriers with a portfolio of policies of unknown risks. The benefits of the law of large volume averages, commonly relied upon by insurance companies to normalize adverse risks, do not apply to cyber risks due to the lack of policy standardization and the lack of historical data required to rely upon actuarial tables for risk pricing.

Underwriters, aware of their lack of insight into the risk profiles of their policyholders, are left struggling to gain insight into the aggregate risk level across their entire cyber risk portfolio. Without assessing the cyber risk of each individual customer with enough specificity, insurance companies will never truly be able to know the true aggregate risk level of their cyber risk business.

Slowing down the underwriting process for new risks is not an option due to the competitive nature of the cyber insurance marketplace that requires speed in order to win customers.

Given the business need to underwrite new policies quickly in order to compete with the underwriting efficiency of competitors, and the need to understand the risk posture of each insured, insurance companies should consider performing risk assessment activities for each insured during the renewal process instead of during the underwriting of new policies. That way, insight into the majority of the aggregate cyber risk of their portfolios of risks may be achieved without disturbing new business generation.

Risk assessment at renewal requires an efficient and effective assessment method that produces powerful insight about a customer’s cyber risk profile. SSIC introduced X-Analytics to achieve just that. At the point of renewal, X-Analytics can calculate the residual cyber risk of a client by considering relevant threats, direct business impact of its risks, and the effectiveness of its cyber security controls. Underwriters are unlikely to slow down the underwriting process themselves, but by implementing X-Analytics during the renewal process, they may finally gain critical insight into the risk profile of their cyber insurance portfolio.