In our previous publication, Cybersecurity Risk Management in a Post-Pandemic Era, we discussed the implications of increasing cyber-attacks on insurers and enterprises in a post-pandemic world. While insurers are actively taking measures to improve cyber risk underwriting to contain overall claims losses, enterprises are strengthening their cybersecurity capabilities by investing in the right set of technologies and talent levers.
The increasing severity of cyber-attacks, accelerated adoption of digital technologies, rise in digital touchpoints, consumerization of IT, and convergence of Information Technology and Operational Technology environments have made the traditional security services models obsolete, according to Everest Group PEAK Matrix reports.
Enterprises are seeking security strategies based on their specific business context, business maturity, geography, and other parameters. One way they are doing so is by partnering with third-party providers to align enterprise security initiatives with broader goals. They are also conducting risk assessments of critical functions and laying out cybersecurity improvement and investment plans for their organizations.
Increasing enterprise investments in cybersecurity
Enterprises are actively investing in endpoint protection, network security, cloud application security, secure web gateways, internet security, identity and access management tools, and other avenues to adequately shield businesses from cyberattacks. The endpoint threat detection and response market alone has been growing by more than 20% each year, primarily driven by the increasing number of devices attached to networks owing to the current remote working landscape. Additionally, the rise in the demand for mobile security solutions has further propelled the growth of endpoint threat detection systems. Cloud application security is another area that has recently observed traction from enterprises, as many move to cloud solutions to ensure business continuity in remote/work-from-home environments. In 2020, the cloud security market was estimated to have reached US$35 billion owing to this rising adoption of cloud computing services.
The response from insurers
Insurers are investing in two key areas:
- Strengthening underwriting capabilities to accurately assess cyber risk and, in turn, to control claims losses
- Partnering with cybersecurity providers to offer value-added services to customers while also effectively managing risk
Insurers are heavily investing in Artificial Intelligence/Machine Learning (AI/ML) and scanning tools to automate their cyber risk underwriting, resulting in dynamic policy rate scenarios. Many insurers have invested in cyber scanning tools that can be tweaked based on potential cyber vulnerabilities of the client. This has resulted in a market where there is limited consistency in pricing. Additionally, insurers are moving towards API integration to facilitate instant updates to pricing, coverage limits, and policy terms based on the insurer’s underwriting and claims experience. This has resulted in the imposition of sub-limits for certain coverage options such as social engineering or ransomware attacks.
Insurers are partnering with cyber risk analytics firms to improve underwriting capabilities and better understand portfolio risk exposure. For instance, leading insurers such as Chubb, Munich Re, and Hiscox have partnered with risk analytics firms to better understand the systemic risks in their cyber portfolios. Insurers also are using these cyber risk analytics platforms to analyze client cyber exposure, thus providing for detailed underwriting of cyber risks.
The cyber insurance industry also is garnering attention from regulatory authorities. Regulatory authorities are calling on insurers to strengthen underwriting processes, as cyber-attacks pose significant levels of aggregate risk for the industry. Most recently, the New York Department of Financial Services has asked insurers to take stringent measures in underwriting cyber risks.
Apart from implementing underwriting discipline, the broader insurance market is headed towards product innovation. Insurers are bundling standalone insurance offerings with risk management services as they reposition from an insurer to a risk guardian, Everest Group analysis has found. They are increasingly offering tailored risk solutions and value-added services that enable customers to reduce risk exposure. Insurers are partnering with cybersecurity providers to offer business protection services to customers to bolster their cybersecurity. For example, Swiss-based Zurich Insurance Group has partnered with Israeli cyber firm CYE to offer Zurich cybersecurity services along with its standalone cyber policy. The new product addresses cyber risks by helping businesses define and implement effective cyber risk management programs.
Effective management of cyber insurance claims losses is critical for both insurers and enterprises. Without it, the market is expected to witness decreasing margins and a decline in risk capacity. Going forward:
- Enterprises must implement firmwide cybersecurity policies that are engrained in governance to ensure a robust defensive strategy
- Insurers must work with third-party data providers and develop a solid ecosystem that includes internal and external experts to bring forward the best solutions
In our upcoming third and final edition of this article series, “The Future of Cybersecurity and Cyber Insurance,” we will explore what the future holds for cyber insurance for enterprises and insurers; emerging ways of underwriting cyber risk; and the role insurers and enterprises will play in battling the cybersecurity challenges over the coming few years.
If you’d like to share your observations or questions on the evolving cybersecurity and cyber insurance landscape, please reach out to Barbara Beller, Supratim Nandi, or Mehul Khera.