New cybersecurity risks require commercial cyber liability to evolve


For companies and insurance carriers alike, tamping down the latest cyber threat can feel akin to a game of Whack-A-Mole; just as one threat is neutralized, another rears its ugly head. Vulnerabilities – both known and unknown – are ever-present, and they pose serious threats to ongoing operations and financial health across nearly all industries.

Commercial cyber liability coverage is an integral pillar of robust cybersecurity governance, but these cyber policies are an imperfect solution in their current incarnation. Notably, for insurers that cover hundreds, if not thousands of clients, these policies transfer a significant amount of financial risk onto their balance sheets – and with an inherently incomplete representation of the rapidly changing cyber risk landscape.

Further complicating matters, the structure of most cyber liability policies isn't as nimble as the dynamic nature of the threats these policies are meant to cover. Cybercriminals are organized and innovative, actively adapting attacks in real time, while cyber liability risk is calculated on a point-in-time basis, most often lacking relative threat intelligence insights or associated risk adjustments. Adding to the disconnect, the basis for assessing and underwriting these risks can be generalized, based on broad, non-company-specific category assumptions, providing an ineffectual view of an entity's actual cybersecurity posture over time.

These facts raise several questions: How can carriers evolve their offerings to play a more proactive role in cybersecurity governance? Moreover, are there better ways to leverage data and AI to combat increasingly savvy cyberattacks?

The regulation complication
The answers are far more complex than they may seem. A variety of factors have conspired to make nailing down a cyber liability strategy a moving target for both companies and insurers. Most notably, a highly impactful recent regulatory push has cast this issue into the front-page spotlight. The U.S. Securities and Exchange Commission's new cyber transparency and governance rules, among other reporting requirements, require all publicly traded companies to disclose a material cyber incident within four days. These new reporting requirements make it clear that cybersecurity is a leading concern for investors and the public alike.

Complying with that mandate requires companies to have speedier filing of cybersecurity incident disclosures, more detailed explanations of cyber governance, and the processes and personnel to monitor, manage and report these risks to the board of directors. Interestingly, the new rules also focus heavily on both management's and the board's capability to effectively assess and manage material risks from cybersecurity threats.

So, in light of these new regulatory burdens, how will corporate boards ensure that competent, unbiased, and intelligible cybersecurity position information is sufficiently available for them to enact appropriate oversight? Will a new independent third layer of defense, somewhat similar to financial disclosure compliance frameworks, be required? And who will step into this new market demand for cyber governance assurance?

From carriers to governance partners
As these new disclosure rules reinvigorate interest in cybersecurity governance and liability protections from commercial insurers, cyber liability carriers are in a prime position to take on a larger role in the rapidly growing market for third-party cybersecurity oversight. Not only are carriers familiar with the risks, but they can often connect assessment, predictive modeling and threat communications directly with their clients. The added level of regulatory scrutiny may well drive organizations to look for partners who can provide not only point-in-time liability pricing but also an ongoing, dynamic relationship with risk assessment and associated coverage. Cyber governance intelligence reporting, for example, may soon become an industry standard for companies looking for outside-in guidance on cybersecurity performance.

New technologies will help evolve these relationships. Sidd Gavirneni, global product owner for digital risk management at HSB, explained: "Five years ago, insurers did not have substantial data to be able to connect cyber breaches with potential causes. But now they do, and this is helping them create proactive risk mitigation services for their insureds. It's a move in the right direction, but the insurance industry as a whole is not there yet."

Cutting-edge analytics allow for ongoing monitoring and assessment without the need for additional, time-consuming status submissions. More regular cyber position and resilience assessment also provides valuable objective documentation, bolstering investor confidence for SEC registrants.

How carriers can incorporate these elements into their business model is open to strategic interpretation. New product designs building in elements of real-time cyber risk monitoring, for example, would allow carriers to be more aggressive in delivering innovation for clients that require it. The cyber market remains relatively new from an insurance perspective – and carriers are in prime position to gain market share via novel service and coverage offerings. A more proactive cycle of cyber vulnerability alerts, transparent cyber governance scoring and reporting, and frequent "check-ins" to monitor remediation efforts can drive down indemnity exposures and reinsurance costs – making this a lucrative rationale for insurers to innovate. These additional efforts may not prevent every claim, but lowering loss ratios while earning coveted goodwill from clients should prove a powerful motivator for change.

It should not be understated how important the associated stream of independent, ongoing third-party cyber vulnerability reporting may become for executive management seeking to demonstrate appropriate cyber governance oversight. Given evolving regulatory requirements, having another trusted source of documented governance procedures serves as welcome insight to executive management and board members looking for validation of proper cybersecurity posture.

At a minimum, data-enabled cyber risk intelligence innovation provides cyber liability carriers with enhanced risk management, improved acquisition and retention, and far better customer engagement. Further integration of these capabilities, over time, may open even more interesting potential across actuarial, marketing, new business and product development as well. 

The next step
The evolution of cyber liability carriers from risk-transfer vehicles to trusted cyber governance partners serves as at least part of the answer to how companies will manage cyber transparency requirements going forward. Still, it won't be easy. Highly dynamic cyberthreats must be met with equally innovative approaches to managing these risks, and those strategies may take on different forms. Carriers will have to be agile in how they monitor and act to address new vulnerabilities. The good news is that those that are quick to act and take advantage of growing demand for these types of integrated services should enjoy market share growth, improved margins, and more loyal, satisfied clients in the process.
