Small and medium-sized enterprises (SMEs) and state and local governments looking for cyber insurance protection could be helped by allowing bundling, according to a
In cyber insurance, bundling is when insurers offer rebates to policyholders using cyber security services, or a reduced rate on those services. Half of all U.S. states allow the practice, and the other half do not. NAIC, the association of state insurance commissioners, revised its guidelines about five years ago to allow the practice.

"Larger enterprises have a whole dedicated team of cybersecurity professionals. They have access to a full range of products and services, and they also may be better able to manage loss if an incident happens," said Sophia Mauro, director of strategic communications at IST. Mauro and Taylor Grossman, director for digital security at IST, co-authored the report titled, "Enhancing Cyber Insurance through Resilience: Revisiting Anti-Bundling Regulation."
Among the cyber security services offered through bundling are managed detection and response (MDR) and a small amount of cyber risk investigation services, such as one or two hours' worth. About 80% of large corporations have cyber insurance, while about 20% of SMEs have it, according to Mauro.

"There's a lot of potential here for insurance to play a more proactive role in helping insureds, not just manage incidents, but actually get to a better place where, if an incident were to occur, it would have a lower impact," said Grossman.
Cyber insurers use co-marking to assess their position in underwriting, which spreads risk among multiple firms. The insurers look at the policyholder's risks and the products they use that could affect their cybersecurity, Mauro explained. Bundling can simplify and shorten the process of applying for cyber insurance coverage for SMEs that do not have time to complete a more complex application, she added.
Bundling in cyber insurance also adds value, according to Mauro. "There is potential for the combination of value added products or services to be adopted by the insured over the course of the policy, not just at the time of underwriting, where they could continuously monitor their level of risk, or try to mitigate losses," she said. "A bundled service could help them detect vulnerabilities quicker and patch them. That is a better pathway for them to achieve better cybersecurity."
In cyber insurance underwriting, ideally the policyholder gets an actuarially approved price for the risk, Grossman explained. "But often some insurers are using a heuristic MFA, or a blanket way of seeing the general risk profile of a potential insured, or they're raising the premium to account for risk rate," she said. "That's all happening at the time of the policy issuance and potentially renewal, but not throughout the course of the policy. That's where bundling can be a really helpful tool."
Mauro and Grossman's report recommends that regulators and government policymakers encourage cyber insurers to provide more pre-breach risk mitigation tools, that researchers analyze bundling as a model, and that researchers compare how cyber breaches affect targets in states that allow bundling and states that do not.