Cyber Risk Underwriters

Hack Yourself First: Trends in Cyber Insurance for Small to Medium Enterprise.

Tech-based cyber risk solutions combined with insurance coverage improvements help agents improve close ratios.

Almost six in 10 small and medium-size enterprises (SMEs) do not purchase any type of cyber insurance. Only 33% purchase stand-alone coverage. Less than 15% of SMEs are trust currently used cyber defenses to detect and respond to cyber-attacks with two-thirds of SMEs reporting a cyber attack during the last 12 months. Despite aggressive pricing and increasing risk, traditional cyber insurance solutions remain a tough pitch for agents. The good news for agents is new insurers are capitalizing on these market realities with technology driven, broker-friendly offerings and market coverage improvements to assist agents to close more deals.

Engineered Cyber Insurance Solutions

“Engineered” cyber risk solutions are gaining traction in the expanding market for small to medium-sized risks. These products go beyond traditional risk finance and claims services to include the use of security technology to assess risk as well as ongoing security services historically affordable only to large enterprises. We set up our specialty wholesale operation on the premise that insurance alone was an insufficient value proposition for agents to achieve acceptable close rates. Agents told us that peddling fear, uncertainty, and doubt (FUD) was of limited use, as most SMEs can’t relate to megabreaches such as Target, Anthem, and Home Depot. In hopes of providing more relatable metrics, we engaged ethical hackers to help us develop our proposals. Using hacker techniques, we are able to better frame the risk and provide agents an improved blueprint to close deals. One of our early successes involved a middle market technology company submitted by an agent frustrated with the insureds lack of interest in adding cyber coverage to its business insurance portfolio. We conducted a non-invasive security assessment that identified outstanding software updates and compromised email credentials. More importantly, we discovered a Chinese hyperlink parked on the insureds web portal. We assisted the insured to remediate the risks and the agent closed the sale that same day.

Limitations of Traditional Market Offerings: Underwriting and Service Platforms

The current market is a land grab characterized by pricing not supported with actuarially sound loss data. As a result, premiums are generally not reflective of the risk. According to Rand4, existing rate schedules among carriers vary greatly in the sophistication of formulation of premium rates. Most insurers use simple, base rate pricing with adjustments based on industry class, revenue, limits, and retention levels. Applications provide insight into levels of existing cyber security hygiene, but the weights assigned to different technologies are inconsistent among insurers. Further, the report suggests, “in some cases, the carrier would appear to guess. It was not unseen for carriers to examine their competitors in order to define rate. In only a few cases were carriers confident in their own experience to develop pricing models”. The three pillars of information security are prevention, detection, and reaction. Traditional market solutions are terrific vehicles to react to a reported cyber event. Coverage forms and vetted claims service providers offer solid value to SME risk. Unfortunately, the traditional cyber underwriting process does not truly get to the bottom of the risk and offer risk-specific recommendations to improve the insureds cyber risk profile. Additionally, most insurers do not offer practical tools to mitigate risk during the policy period. While all insurers provide access to risk prevention tools via risk portals, these tools most often are available only at an additional price or are of limited risk management value. It is not surprising that insurers report only single digit take-up rates for such services.

The New Underwriting Model: Hack Yourself First

New technology insurers entered the market in 2017. In lieu of the traditional underwriting applications and manual processing, these markets use the same techniques hackers employ to assess risk. These tools allow insurers to collect thousands of data points relevant to the risk and make underwriting decisions in seconds. The objective is to get to the bottom of the risk and provide assessment findings to the insured to assist in the prevention of cyber events.

Casing the Joint: Research and Reconnaissance

Contrary to popular media references, criminal hackers do not break into a computer with a few keystrokes. Not unlike burglars, hackers case the target using a set of routine procedures to establish a footprint assessment of vulnerabilities. Each additional step is designed to expand gaps in cyber defenses to implement the hack. Taking a note from criminal hackers, the new breed of underwriters use non-intrusive tools such as public research and port scanning, to collect data to evaluate the insureds current risk level. This snapshot offers a metric based estimate of the likelihood of a cyber event. Searching dark web resources, underwriters can determine if the insured or its employees were subject to past breaches. More likely than not, underwriters find employee email login credentials compromised by past data breaches such as Equifax or LinkedIn available for sale on the dark web marketplace. Compromised information can include addresses, employers, job titles, phone numbers, social media profiles and passwords making it easy for criminal hackers to gain entry into corporate accounts, personal email, as well as access to online banking applications. One technology tool underwriters now use to evaluate risk is port scanning. A port scanner is a simple software tool to identify ports of entry into a computer network. Many free versions are available on the web. Computer ports are the doors and windows of a computer that accept and transmit signals into the public domain. The port number identifies the type of data accepted and transmitted. For example, port 25 is used for email communications and port 80 is used for internet traffic. The scan sends signals to each port to determine where the network is strong or weak. Underwriting scans also detect the operating system and other applications used by “Insurance has a key role to play in managing cyber risk, which requires a shift from traditional snapshot underwriting to a yearround risk management partnership. Rotem Iram, CEO and Founder, AtBay. 4 the insured and search for known vulnerabilities and outstanding software updates (patches) available to close such security flaws.

Risk Assessment Deliverables

Lack of understanding of exposure is a primary obstacle to selling cyber insurance for agents. Risk assessments, included at no extra cost by tech-based insurers, are valuable tools to assist in closing this information gap. Similar to property insurance engineering reports, the insured is provided a risk report containing actionable information as well as recommendations to remediate heightened risks prior to binding coverage. Typical findings include unprotected ports of entry, outdated software and compromised employee credentials. Security engineers are available to assist the insured to remediate such vulnerabilities prior to binding coverage.

Ongoing Protection

Traditional cyber insurers are hesitant to include ongoing cyber security tools to supplement existing controls employed by the insured. Cyber security is complex and traditional insurers do not possess a level of in-house expertise to confidently package prevention and detection tools with a cyber insurance policy. Many insurers cite concern for creating a higher standard of care resulting in increased liability as well as the added underwriting expense. New tech-based insurers are led by information security engineers, including former government intelligence and leading security software providers and strive to offer end-to-end solutions. Tools such as 24/7 network threat monitoring that alert the insured in real time of breach activity are bundled into these offerings. At least one MGA is including a security dashboard for the insured that includes threat monitoring, anti-ransomware software, denial of service website protection, and credential monitoring. Direct access to security engineers is also included in some offerings. These tools are meant to supplement as opposed to replace existing security technology utilized by the insured and are provided at no additional cost to the insured.

Coverage Improvements

As cyber risk evolves, so too must coverage terms. It is difficult to keep up but the latest developments, new innovative coverage’s now available in the marketplace offer additional value to insureds.

Cyber Crime

Historically, cybercrime coverage was limited to fraudulent funds transfer and phishing exploits. Typical sub-limits for cybercrime coverage ranged from $100,000 to $250,000. Several insurers now offer increased fraudulent funds transfer limits as high as $2,500,000 for select risks. A phishing attack is a type of social engineering attack employed to steal user data, including login credentials and credit card numbers. Attackers masquerade as a trusted entity and dupe victims into opening an email, instant message, or text message. Many insurers now expand phishing coverage to include client phishing also known as invoice manipulation. Criminals create phony invoices in the name of the insured to trick its clients or vendors to make payment to a fraudulent account. This extension covers the insureds direct loss due to the transfer of payments to unintended parties that otherwise intended for the insured.

Computer Hardware (Bricking)

Cyber policies historically excluded coverage for damage computer hardware. Bricking refers to a loss of use or functionality of hardware (such as servers) as a result of a hacking event. While malicious software may be removed, hardware may be rendered untrustworthy and require replacement. This coverage provides for the cost to replace such affected hardware

Service Fraud (Cryptojacking)

Cryptocurrency mining, or cryptomining, is a process in which transactions for various forms of cryptocurrency are verified and added to the blockchain digital ledger. The process requires computers to solve complicated math puzzles to win currency and requires an inordinate amount of electricity. Cybercriminals have increasingly turned to cryptomining malware as a way to highjack the processing power of large numbers of computers, smartphones, and other electronic devices. Service fraud coverage reimburses the insured for direct financial loss resulting in being charged for fraudulent use of electricity and other business services.

Contingent Pollution

One insurer is now offering to include contingent pollution coverage. If a hacker gains access to an industrial control system and triggers a system failure that results in a release of pollutants, the policy will cover the costs to defend the insured from 3rd party liability. Summary At some point in the near future, cyber insurance will be a standard component in a business insurance portfolio for small to medium sized enterprises. While the financial consequences are severe, most SME’s have neither the expertise or budget to protect their networks and systems from increasingly sophisticated threats. Techdriven solutions combined with improved policy forms create an easier pitch and better close rates.

About the Author

Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed to insurance agents, cyber security providers and “InfoSec” investors. Prior to joining Cyber Risk Underwriters, Jeffrey enjoyed over 25 years of success providing complex P&C insurance and risk financing design, brokerage and relationship management expertise for complex risks including: technology, healthcare, private equity, and real estate. Cyber Risk Underwriters maintains offices in Atlanta Georgia, Park City Utah and Huntington Beach California.