



A cybersecurity insurance broker’s tale of two cities: Washington and London

Sep 11, 2017 | 6 min read
Risk Management, Security

A look at how brokers in the United States look at the cyber insurance markets versus those in the United Kingdom.


Recently I was reviewing a number of reports made available by Forbes, Advisen, Deloitte and a variety of others. In the course of this review, I stumbled on an interesting video in which two insurance experts gave differing opinions on the sustainability of the cyber insurance marketplace. Given that this video was from 2015, I thought it might be of interest to jot down some of the key points and then see how some of these topics and predictions fared over the last two years.

I had the privilege of speaking with one of the two panelists, Sarah Stephens with JLT Specialty Limited. Sarah has been in this space specializing in cyber coverage since 2006 and is highly respected in both insurance and cyber arenas. I asked her about her thoughts on the industry and what, if anything, has changed her opinion on her positions back in 2015. Her responses were very enlightening.

First off, it was great to speak with an industry practitioner who firmly believes you cannot properly assess an applicant's cyber risk profile by merely looking at it through a "technical lens." Ms. Stephens made it a point to stress that a client's "culture" in how it addresses cyber risk is more telling than what type of security technologies it has in its arsenal. We touched upon technologies like BitSight, Security Scorecard and others. She said the problem with relying too heavily on these solutions is that you do not evaluate the intersection of process risk with technical risk.

Our interview also touched upon traditional issues that have been highlighted in previous blogs here on the Cyber Insurance Forum. Specifically, the questions most brokers and carriers use are technical questions that are designed to be very "reactive in nature." This is a very important issue, because until the industry adopts methods of looking at the culture, including people, process, technology and acquisition, there is a likelihood that current questions will not properly assign correct evaluation criteria. "This will result in premiums being generally overpriced," she added.

Later in our interview, we touched upon a very clear need for brokers to have a responsible conversation with clients and to properly illustrate what may not be covered. This dovetailed into a question I posed on the potential impacts of the General Data Protection Regulation (GDPR). Ms. Stephens believes that the markets will inevitably mature and be able to adapt to the growing changes as they apply to covering fines associated with violating GDPR, as many of the take-up rates are closely tied to applicants wanting to have post-event services at their insurance provider's disposal.

Having said that, she does not believe that policies will be designed in a manner to cover the maximum penalty thresholds of roughly $20 million or 4 percent of annual turnover. This ties back to her point on having a "responsible conversation" with the applicants.

From the other side of the pond, here in the United States, I spoke with David Schaefer of AH&T Insurance. Mr. Schaefer is the leader for AH&T's Technology and Government Contractor insurance practice groups. On the topic of uptake in the market, he first noted that cyber spans more than one type of policy unless you have a dedicated cyber policy, independent of other lines of coverage. He referenced the Council of Insurance Agents and Brokers (CIAB) annual report on the cyber markets that comes out each fall. While 2017 has not come out yet, the 2016 report had a penetration rate of about 27 percent. Mr. Schaefer advised this is "a dismal take up rate when measured against the business risk, which is higher now than in past years."

He went on to illustrate a variety of reasons he feels this is the case. In many instances, applicants are advising they do not have it in their budget to expand coverages to include cyber lines of coverage. From a business perspective, there may be a point here, but a counterpoint is: do you have incident response and crisis management costs built into your budget? Of course not.

Another challenge is that many Chief Information Officers are telling their Chief Executive Officer or Chief Financial Officer that, "We are good. We don't need to worry about a breach." This is incredibly naive. Speaking for myself, I cannot think of one major breach that occurred where the CIO or CEO believed they were susceptible.

Even if we are able to bypass these two challenges, you still have to contend with businesses that take the position of "we are not there yet in terms of controls," Mr. Schaefer added. This describes buyers who believe they will face higher premiums, lower coverages, or both if they do not have cyber risk mitigation controls in place.

AH&T provides a Cyber Exposure Education Program that illustrates the value of both pre-event and post-event challenges and services, but oddly enough, very few clients take advantage of this free service.

When asked about recent developments for the State of New York's cybersecurity rule that went live just a couple of weeks ago, he believes this is "a wake-up call for any business that touches financial services but we will have to wait and see how enforcement actions affect the market." This is also likely true of recent developments around GDPR. What I was not aware of until this interview is that some endorsements for conforming coverages are now available in relation to the New York state law. Having said that, these coverages cannot be considered a get-out-of-jail-free card. The applicant must be responsive to these requirements.

So to recap, both see challenges with uptake, but I found it great to see different perspectives on future enforcement actions and how these punitive fines and sanctions will be addressed by insurance.


Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information system security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets to better define how to evaluate a risk profile and defining criteria for brokers and carriers to utilize in their determination on coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training for brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioners' Cyber Task Force.

Mr. Schoenberg's expertise has been featured at many events, and his background and knowledge in the Latin American markets, specifically in Panama, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis enabling system owners to make mission and cost justified decisions on cyber risk. Starting his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. His expertise is profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.