A look at how brokers in the United States look at the cyber insurance markets versus those in the United Kingdom.

Recently I was reviewing a number of reports made available by Forbes, Advisen, Deloitte and a variety of others. In the course of this review, I stumbled on an interesting video where two insurance experts gave differing opinions of the sustainability of the cyber insurance marketplace. Given the fact this video was from 2015, I thought it might be of interest to jot down some of the key points and then see how some of these topics and predictions fared over the last two years.

I had the privilege of speaking with one of the two panelists, Sarah Stephens with JLT Specialty Limited. Sarah has been in this space specializing in cyber coverage since 2006 and is highly respected in both insurance and cyber arenas. I asked her about her thoughts on the industry and what, if anything, has changed her opinion on her positions back in 2015. Her responses were very enlightening.

First off, it was great to speak with an industry practitioner that firmly believes you cannot properly assess an applicant's cyber risk profile by merely looking at it through a "technical lens." Ms. Stephens made it a point to discern that a client's "culture" in how it addresses cyber risk is more telling than what type of security technologies it has in its arsenal. We touched upon technologies like BitSight, Security Scorecard and others. She said the problem that exists when you rely too heavily on these solutions is that you do not evaluate the intersection of process risk with technical risk.

Our interview also touched upon traditional issues that have been highlighted in previous blogs here on the Cyber Insurance Forum. Specifically, how the questions most brokers and carriers use are technical questions that are designed to be very "reactive in nature."
This is a very important issue to be sure because until the industry adopts methods of looking at the culture, to include: people, process, technology and acquisition, there is a likelihood that current questions will not properly assign correct evaluation criteria. "This will result in premiums being generally overpriced," she added.

Later in our interview, we touched upon a very clear need for brokers to have a responsible conversation with clients and to properly illustrate what may not be covered. This dovetailed into a question I posed on the potential impacts of the General Data Protection Regulation (GDPR). Ms. Stephens believes that the markets will inevitably mature and be able to adapt to the growing changes as they apply to being able to cover fines associated with violating GDPR, as many of the take up rates are closely tied to applicants wanting to have the post-event services at their insurance provider's disposal. Having said that, she does not believe that policies will be designed in a manner to cover the maximum penalty thresholds of roughly $20 million or 4 percent of annual turnover. This ties back to her point on having a "responsible conversation" with the applicants.

From the other side of the pond, here in the United States, I spoke with David Schaefer of AH&T Insurance. Mr. Schaefer is the leader for AH&T's Technology and Government Contractor insurance practice groups. On the topic of uptake in the market, he first noted that cyber spans more than one type of policy unless you have a dedicated cyber policy, independent of other lines of coverage. He referenced the Council of Insurance Agents and Brokers (CIAB) annual report on the cyber markets that comes out each fall. While 2017 has not come out yet, the 2016 report had a penetration rate of about 27 percent. Mr. Schaefer advised this is "a dismal take up rate when measured against the business risk, which is higher now than in past years."
He went on to illustrate a variety of reasons he feels this is the case. In many instances, applicants are advising they do not have it in their budget to expand coverages to include cyber lines of coverage. From a business perspective, there may be a point here, but a counterpoint is: do you have incident response and crisis management costs built into your budget? Of course not.

Another challenge is that many Chief Information Officers are telling their Chief Executive Officer or Chief Financial Officer that, "We are good. We don't need to worry about a breach." This is incredibly naive. Speaking for myself, I cannot think of one major breach that occurred where the CIO or CEO believed they were susceptible.

Even if we are able to bypass these two challenges, you still have to contend with businesses that take the position of "we are not there yet in terms of controls," Mr. Schaefer added. This conveys that buyers believe they will face higher premiums, lower coverages, or both if they do not have cyber risk mitigation controls in place. AH&T provides a Cyber Exposure Education Program that illustrates the value of both pre-event and post-event challenges and services, but oddly enough, very few clients take advantage of this free service.

When asked about recent developments for the State of New York's cybersecurity rule that went live just a couple of weeks ago, he believes this is "a wake up call for any business that touches financial services but we will have to wait and see how enforcement actions affect the market." This also is likely true of recent developments of GDPR.

What I was not aware of up until this interview is that some endorsements for some conforming coverages are now available in relationship to the New York state law. Having said that, these coverages cannot be considered a get out of jail free card. The applicant must be responsive to these requirements.
So to recap, both see challenges with uptakes, but I found it great to see different perspectives on future enforcement actions and how these punitive fines and sanctions will be addressed by insurance.