With cyberattacks and hacks splashing front pages across the country, 80% of commercial insurers see cyber insurance as a "major growth area" for the sector this year, according to Insurance Information Institute polling. And, many have a secret weapon in the race to identify where corporations face vulnerabilities and how to patch them: Their own internal IT staff and information security teams.
“They knew they needed someone with more background in technical side of things,” Dunbar said. ”That goes a long way in making sure they enhance their products.”
Over the past few years, XL has expanded its capabilities by hiring more technically trained underwriters with extensive cyber security backgrounds. And Dunbar’s security staff now includes a certified ethical hacker that frequently acts as a liaison between the two groups.
[See also:
Formal Collaborations
Beginning last year, XL began formal, regularly collaborations between IT and the business to understand the latest in cyber risk and how the company should respond. The company’s Cyber Working Group meets quartery, bringing teams from the risk management side, including underwriters, actuaries, claims, and risk, and the company’s security team together to see what the cyber position should be for XL.
“As an insurance company we need to look at cyber exposure for any of our lines of business. That’s one area my security team gets involved and gives feedback,” explains Dunbar. This includes comments on current risks, emerging risks, what cyber exposure different lines of business could have and how they might be addressed.
Other big commercial writers have a similar strategy. David Hallstrom, director of information risk insurance at CNA, and Robert Allen, VP, chief security officer at CNA, say they traditionally have enjoyed and facilitated a strong in-house relationship between information technology, underwriting and risk control teams.
“At first it started as a quarterly meeting, however, we’ve added monthly sessions," says Hallstrom. But eventually, they expanded their meetings to an even larger group of 20 or more people, focused on knowledge share of cyber exposures and how they’re being minimized, both internally and externally. Topics are taken from whitepapers, conferences and events that have happened to insureds. In these meetings teams dissect them to understand how each can apply the information to their work.
[See also:
Cyber security professionals are still in very high demand, and Allen and Hallstrom say these meetings support efforts to move security and technical expertise to the business side, and to develop business skills for IT professionals.
“CNA is focusing on helping customers understand IT security as a business concern,” Allen says. “We consider it part of the business equation now, focusing on a larger shift around data retention.”
Previously, a business leader saying I need to obtain that data’ pushed conversations. Now, the conversations happening need to shift around how long a business must hold on to sensitive data and if it will be necessary later.
“These conversations minimize sensitive data footprints and are the result of a lot more peer sharing, inside and outside our industry. This helps us put the right thought leaders and business processes in place internally, as well as how to advise our customers,” Allen explains.
Taking IT-Business Alignment to the Next Level
Cyber insurance is not the only product to benefit from internal collaborations. Many insurance companies are innovating in the digital space to enhance their ability to underwrite, but as the digital product lines grow, so do the opportunity for cyber attacks, intrusions, and risks. Security teams are therefore being increasingly being called upon in the to consult on the development of products.
Drones, for example, are hot new tools for claim adjusters after a disaster. The drones need to be developed for the purpose, protected against malware, and the tools themselves need to be insured. Likewise, in the wearable device category insurers are looking at what they can do in terms of leveraging data from fitness bands for health and life insurance underwriting. Insurers will take into account HIPPA laws that require these tools to have appropriate data breach procedures.
“A lot of these digital products have a double side to it, technical underwriting and product development,” says Wein. “Conversation around IT, marketing, and product development go into creating that product. You’re gong to see more of that kind of thinking going forward.”
[Wein: