Advisen Panel: No Commonality in Cyber Underwriting Process Any Time Soon

Cyber insurance experts say they don't see uniformity coming to the underwriting process any time soon, but underwriting continues to become more sophisticated as cyber threats evolve.

Source: Alex Zank, Advisen | Published on February 24, 2022

Those are two of the key takeaways from a recent panel discussion on cyber underwriting, as part of Advisen’s recent virtual Cyber Risk Insights Conference.

Underwriting questions vary from carrier to carrier, particularly when it comes to ransomware supplemental applications. This “can make for a tough process on the broking side with clients to have to fill out a bunch of different questionnaires,” said Keeley Sidow, cyber practice director with Woodruff Sawyer.

Shawn Ram, head of insurance at Coalition, said he does not see uniformity forthcoming unless there’s parity around data, a massive regulatory change, or if adversaries themselves shift tactics.

“I don’t see this happening any time soon,” Ram said. “The reason is, I don’t attribute it as much to carriers, it’s just the accelerated nature of adversarial tactics. At the end of the day, carriers are looking for data to help them manage claims. However, the threat vectors associated with claims are just evolving, and they’re accelerating at a rate that is very different than any other area of risk.”

It may cause some frustration for brokers and insureds, but the industry is still far from streamlining, noted Nyreese Arzu, a U.S. cyber and technology underwriter with Beazley. Cyber applications may reach more commonality as underwriting evolves, but insurers will likely always take a proprietary view of risks based on their individual books, she said.

Prashant Pai, senior vice president and general manager of strategic initiatives with SecurityScorecard, said he sees some alignment among applications, as well as more carrier-specific questions. Each carrier will have its own “special sauce,” based on observations from their own portfolios.

“What we’re seeing is the cyber insurance industry stepping up its game,” he said. “We’re seeing across the board a rise in the maturity cycle, and we’re seeing where carriers and brokers are approaching the risk, approaching their clients, with a lot more maturity than they did three years ago … we are forced as an industry to better understand the risk, to better evaluate it.”

The increase in underwriting sophistication is largely in response to the rise in ransomware. Just three years ago, multifactor authentication “wasn’t even a consideration,” according to Beazley’s Arzu. Now, underwriters view it as essential, she said.

“The technicality of underwriting for cyber insurance has increased significantly because of the ransomware environment that we’re in, and the increased knowledge and awareness from C-suites down to people in our normal lives that understand these terms and see the impact on our lives,” Arzu said.

A recent advisory from international cybersecurity authorities reported that ransomware attacks on critical infrastructure increased in 2021, hitting 14 of 16 critical infrastructure sectors in the U.S. Cybercriminals shifted their attention to ransomware attacks because they are more profitable, Ram said.

Marsh recently reported cyber insurance pricing skyrocketed an average of 130% in the fourth quarter, with high prices and tough underwriting a sign of a hard insurance market. Ram said the hard market is “indicative of an inefficient marketplace in cyber” where a market correction was needed due to a spike in claims and evolving threats. Data from those claims will lead to a more efficient market, he added.

“Now, that doesn’t mean that pricing will change dramatically to where it was before … there’s lots of things that need to happen in order for that to occur,” said Ram. “But I do believe the accuracy around pricing cyber-related risks will continue to improve.”

Some insurers are no longer in the cyber marketplace because of the unexpected losses from evolving threats, Arzu commented.

“It’s a hard market now because we weren’t charging for the risk. We didn’t know ransomware,” she said, adding that without an infusion of more capital, the hard market should continue through the end of the year.