With cyberattacks and hacks splashing front pages across the country, 80% of commercial insurers see cyber insurance as a "major growth area" for the sector this year, according to Insurance Information Institute polling. And, many have a secret weapon in the race to identify where corporations face vulnerabilities and how to patch them: Their own internal IT staff and information security teams.
Thomas Dunbar, chief information risk officer at XL Group, said he shared his experience to help support underwriters when the company first started to sell cyber insurance. Beginning with the U.S. underwriters, and later with their European counterparts, Dunbar’s team applied its understanding of breaches and security programs within XL to create more in-depth underwriting questionnaires for customers.
“They knew they needed someone with more background in technical side of things,” Dunbar said. ”That goes a long way in making sure they enhance their products.”
Over the past few years, XL has expanded its capabilities by hiring more technically trained underwriters with extensive cyber security backgrounds. And Dunbar’s security staff now includes a certified ethical hacker that frequently acts as a liaison between the two groups.
[See also: Dunbar on the NAIC's Cybersecurity Task Force]
Mitchell Wein, VP of research and consulting at Novarica, an insurance strategy research firm, says IT is definitely working with product development to shape and support insurance products. In his former role as chief architect and CTO for AXA, he acted as advisor to many of the new products development and marketing teams were bringing to market. Sometimes those teams created a product description and asked him to look to see it if was complete, and if it covers everything it should cover. “They’ll come over to tech and say, We’re thinking of creating a new offering in this space, what do you think should be in it?” he said.
Beginning last year, XL began formal, regularly collaborations between IT and the business to understand the latest in cyber risk and how the company should respond. The company’s Cyber Working Group meets quartery, bringing teams from the risk management side, including underwriters, actuaries, claims, and risk, and the company’s security team together to see what the cyber position should be for XL.
“As an insurance company we need to look at cyber exposure for any of our lines of business. That’s one area my security team gets involved and gives feedback,” explains Dunbar. This includes comments on current risks, emerging risks, what cyber exposure different lines of business could have and how they might be addressed.
Other big commercial writers have a similar strategy. David Hallstrom, director of information risk insurance at CNA, and Robert Allen, VP, chief security officer at CNA, say they traditionally have enjoyed and facilitated a strong in-house relationship between information technology, underwriting and risk control teams.
“At first it started as a quarterly meeting, however, we’ve added monthly sessions," says Hallstrom. But eventually, they expanded their meetings to an even larger group of 20 or more people, focused on knowledge share of cyber exposures and how they’re being minimized, both internally and externally. Topics are taken from whitepapers, conferences and events that have happened to insureds. In these meetings teams dissect them to understand how each can apply the information to their work.
[See also: More on CNA's information security practices]
Cyber security professionals are still in very high demand, and Allen and Hallstrom say these meetings support efforts to move security and technical expertise to the business side, and to develop business skills for IT professionals.
CNA says the internal collaboration have expanded to a point where insurers can share this expertise externally. In a series of meetings they call SORCE -- School of Risk Control Excellence -- the staff have educated agents and customers, helping them to better understand emerging risks in their industry and how to apply appropriate security techniques in their own business.
“CNA is focusing on helping customers understand IT security as a business concern,” Allen says. “We consider it part of the business equation now, focusing on a larger shift around data retention.”
Previously, a business leader saying I need to obtain that data’ pushed conversations. Now, the conversations happening need to shift around how long a business must hold on to sensitive data and if it will be necessary later.
“These conversations minimize sensitive data footprints and are the result of a lot more peer sharing, inside and outside our industry. This helps us put the right thought leaders and business processes in place internally, as well as how to advise our customers,” Allen explains.
Taking IT-Business Alignment to the Next Level
Cyber insurance is not the only product to benefit from internal collaborations. Many insurance companies are innovating in the digital space to enhance their ability to underwrite, but as the digital product lines grow, so do the opportunity for cyber attacks, intrusions, and risks. Security teams are therefore being increasingly being called upon in the to consult on the development of products.
Drones, for example, are hot new tools for claim adjusters after a disaster. The drones need to be developed for the purpose, protected against malware, and the tools themselves need to be insured. Likewise, in the wearable device category insurers are looking at what they can do in terms of leveraging data from fitness bands for health and life insurance underwriting. Insurers will take into account HIPPA laws that require these tools to have appropriate data breach procedures.
“A lot of these digital products have a double side to it, technical underwriting and product development,” says Wein. “Conversation around IT, marketing, and product development go into creating that product. You’re gong to see more of that kind of thinking going forward.”
Register or login for access to this item and much more
All Digital Insurance content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access