Cyber insurance is having growing pains. Insurance provider Munich Re
Providers must deal with pricing pressures, spotty growth and volatile cycles. The cyber insurance market is full of potential, since many businesses, especially small and mid-size businesses, have not yet insured against cybersecurity risk. Lack of effort or intent is not to blame for market stagnation; systemic constraints are. To overcome them, insurers need more reliable, bottom-up data and more strategic technology partnerships.
Frustrating conditions for insurers
Frustration for cyber insurers shows up in four main ways:
1. Underwriters dealing with old data and attestation-based applications – They are operating on best guesses instead of actuarial-grade inputs. Getting funding or reinsurance means having a clear, organized process and consistent data that proves you have the right protections in place to handle claims properly.
2. Slow revenue growth: There's a risk that prices could drop faster than the number of new customers increases. That said, the cyber insurance market is still wide open, since most companies are either underinsured or not insured at all.
3. Unstable, inconsistent market cycles – Volatile pricing makes planning and portfolio management difficult. Currently, cyber insurance doesn't act like property/casualty; its swings are more dramatic. Its pricing is mainly affected by the loss experience of specific industry sectors. If a sector has a lot of claims or severe ones, premiums can jump as much as 400% higher.
4. The cyber broker cycle is broken – Clients are always wanting better terms and conditions, which makes brokers' jobs harder and reduces their commissions. Prices are down at present, so brokers don't have the time, margin and other resources for solutions and services that would make them more efficient. Until this cycle is broken, innovation isn't possible.
Barriers to innovation
Vendors promise insurers automation, visibility and improved cyber risk evaluation. Not all of these tools produce high-value outputs, though, and the vetting process can be exhausting. And vendors have to contend with long, inconsistent insurance sales processes. This joint frustration hampers adoption and innovation.
In addition, cyber insurance isn't part of daily cybersecurity reality– yet. How cybersecurity teams operate and/or document controls doesn't square with inconsistent, ambiguous insurance application questions. For instance, an insurance application may ask if multifactor authentication (MFA) is enabled, but that question could apply to dozens of systems – maybe more. Which systems use MFA, and which don't?
The timing of on-the-ground cybersecurity and underwriting doesn't match, either. Annual renewals don't make sense when businesses deal with constantly changing cybersecurity risks. Cybersecurity's role is to shepherd and instruct a company about risk mitigation; insurance is just one of the tools in the cybersecurity toolbox.
Capital expenditure for cybersecurity ideally helps lower your risk profile, but if that's not an option or a desire, you can "buy down" your risk by transferring some of it to a third party. Enterprises probably don't mind annual insurance contracts, since they can afford to buy a large amount of insurance. However, small and medium-sized businesses (SMBs) come up against risk exposure changes, some of which call for more coverage than initially purchased. This is a scenario where monthly contracts could be a better option.
What's also challenging is enterprise data that's fragmented and can't be verified. Companies typically use
Property engineering, such as physical inspections and building codes, has detailed, standardized data that insurers go by; this is not the case for cybersecurity. Consequently, underwriters know they are imprecise but don't have the data they need to course-correct.
Better data is everyone's gain
Insurers don't need bigger questionnaires or more random figures; they need standardized, reliable data. Ongoing, provable data makes these factors stronger:
- Adjudication of claims;
- Capital efficiency and reinsurance negotiations;
- Portfolio analytics and actuarial modeling; and
- More accurate underwriting and reduced accumulation risk.
When insurers have better data, they can lower uncertainty, reach new buyers and expand coverage. Fragmented data gets unified via partnerships with data providers and cybersecurity vendors.
Kickstarting innovation
The cyber insurance industry is fighting on multiple fronts: lower prices, long market cycles and limited capacity for innovation. Brokers don't have the funds to reinvest in growth, underwriters are handicapped by legacy data models and insurers suffer vendor fatigue as they navigate the ocean of tech tools they are relying on to demonstrate ROI.
What's more, cybersecurity and tech vendors aren't happy, either. They're used to a fast pace that insurance companies can't match. Improved field-level data structures, along with smarter partnerships, will prove to be the winning combination for unlocking capital efficiency and restoring innovation and momentum to a market that is currently stagnant.
