InSights Blog

What is cyber insurance underwriting, how has it evolved, and what you can expect when you apply for cyber insurance.

It’s not hard to justify why you need property insurance when you’re surrounded by your physical goods that you don’t want to be lost or damaged in your home or business. So why isn’t cybersecurity the same?

The SolarWinds breach is already one of the most significant cybersecurity incidents ever. And as with any unprecedented cyber event, this will have long-term effects on the way businesses and government consider their security programs. While many questions remain unanswered, the SolarWinds impact on the insurance sector has become clearer after an analysis we’ve completed with one of our partners. So, what should we expect the financial impact of SolarWinds on cyber insurers? And how can cyber insurers quantify a breach of this scale in the future? 

The SolarWinds breach is already one of the most significant cybersecurity incidents ever. And as with any unprecedented cyber event, this will have long-term effects on the way businesses and government consider their security programs. While many questions remain unanswered, the SolarWinds impact on the insurance sector has become clearer after an analysis we’ve completed with one of our partners. So, what should we expect the financial impact of SolarWinds on cyber insurers? And how can cyber insurers quantify a breach of this scale in the future? 

This post was originally published July 18, 2016 and has been updated for accuracy and comprehensiveness.

Hardly a day goes by without the emergence of a disturbing new trend in cyber crime or headline-grabbing hack. Hackers are getting smarter and threat vectors are constantly evolving. The escalating threat is forcing businesses to file more cyber insurance claims than ever. But are they taking the proactive steps necessary to boost their security postures and become a better underwriting risk?

In the months since BitSight’s inaugural EXCHANGE forum inaugural EXCHANGE forum, we have been digesting and processing the incredible sessions and discussions that came about from this forum. It was a great event that brought together security executives from all over to discuss the challenges they face in their roles every day.

Companies typically buy several lines of insurance—from property, to general liability, to professional liability. When something goes wrong, it’s common for a company to run to its insurance provider and claim that it has coverage. But many times, companies like this assume that their insurance will cover them—but this may not always be the case.

Policy pricing is something every insurance company and underwriter struggles with at some point. The primary issue is differentiating between the risk an applicant presents and the information you’re given. Let’s take a closer look at how policy pricing is examined in cybersecurity today.

Determining whether you should quote or decline a cyber insurance applicant is an extensive and critical process. Typically, the decision is made after gaining an understanding of what the company does, identifying critical application information, and considering your organization’s risk appetite. But are you able to verify whether the decisions you’ve made are valid? 

If I were to ask you whether your cyber risk underwriting strategy is mature, your first question would likely be: “How do you define mature?” It’s a great question! Here’s the answer: A mature cyber risk underwriting strategy considers all relevant underwriting issues when assessing an applicant's or insured’s risk profile.

Most insurers find that the cyber insurance renewal process is fairly efficient from a time perspective—but it’s not very effective. In other words, they are able to quickly re-underwrite a company in their portfolio, but don’t have any better understanding about the insured’s security posture to see whether the risk has changed and is still suitable to keep on the books.

In many lines of insurance, claim activity is part of the norm—and it’s expected that you’ll have to underwrite to losses consistently. For example, in casualty lines, it’s common to have workers file for worker’s compensation because of an injury they experienced on a job.

A loss trend can be defined as a projected loss expectation based on historical data. If you find that past losses might be indicative of potential future losses, you can then use this information to price your services accordingly. 

As an underwriter who’s constantly trying to balance being both quick and careful, the worst thing you can do is treat every single applicant the same. Doing so can ultimately be setting you up to take on more risk than you’d expect. Of course, the more experience you have, the better you’re able to quickly assess a company’s risk posture.