OWIT Banner
Follow Us



The Two Sides of Cybersecurity

Insurers have been hiring chief information security officers (CISO) for the better part of this century and in today’s world it’s uncommon to find an insurance carrier without someone manning that position. But on the product side, where insurers have been busy developing new cyber products, insurers have a skills gap, according to Adam Thomas, advisory principal in Deloitte's cyber risk services practice.

“Somebody who has been dealing with property insurance or business interruption insurance doesn't necessarily understand cyber issues,” he says. “Insurers have hired information security specialists, but it may be a lower-level individual (than a CISO). They need to get more robust and have deeper knowledge about cybersecurity on the product side of the business.”

When Deloitte surveyed insurers for their report, “Demystifying Cyber Insurance Coverage” the information showed there remains a silo between an insurer's own CISO and the product group dealing with cybersecurity coverage, according to Sam Friedman, insurance research leader, Deloitte Center for Financial Services and co-author of the report.

If an insurer is underwriting cybersecurity as a product, they don't necessarily collaborate with those on the CISO team. Insurers are looking for the latest news on the threat actors and the vectors they are taking, so the question becomes is that information being shared with the underwriting side of the house or is it in a silo.

“One question we raised is whether there a better way to operate for insurers, who are not just purveyors of cyber risk but also victims of attacks,” says Friedman. “Is there a better way to share knowledge to protect themselves and help loss control and risk assessment if they are writing cyber insurance?”

Cloud Security

One obstacle insurers deal with is a fear of aggregation risk—the idea they are taking on more risk than they can swallow, according to Friedman. Cloud vendors that offer web hosting services are storing data offsite and if there is a breach of the cloud the question is could this be like a cascading loss where it hits thousands or even hundreds of thousands of accounts on that cloud and trigger coverage through a whole series of policies rather than the work of an individual hacker coming after an individual player.

The cloud provider or any shared-service provider should have coverage of their own, but without knowledge of how big a risk the provider assumes itself, how good is their coverage, asks Friedman. “You can't assume that because a third-party has its own policy you can hit them up for compensation,” he says.

Another complication, according to Thomas, is more often than not the security of the environment is actually the customer's responsibility. Cloud providers provide capability for customers to configure the security—the firewalls and the control lists around which cloud services can talk to other cloud services—so if an event happens in a cloud environment who is at fault.

“Many of these cloud environments have exposed configuration capability to their own customer,” says Thomas. “They provide the tools to do that for the customer.”

Explaining Exposures

From the buyer's side, many companies don't have cyber insurance and one reason for this is the buyers don't understand or appreciate the breadth or depth of their exposure, according to Friedman.

“They certainly don't understand the insurance options available to them,” he says. “Cyber risk is spread out over a number of policies. Some bigger policies are comprehensive, but there also is cyber risk exposure in product liability and business interruption.”

It's not only hard for the buyers to get their heads around the subject, but Friedman points out that while large brokers may have enormous resources and expertise, independent agents likely don’t have a total grip on the issue themselves.

“It's hard for them to create an educated buyer,” he says. “It's an evolving risk that is changing every day.”

Thomas points out there is a significant shortage of talent in the cybersecurity space, particularly among insurers focused on mid-sized companies or brokers. When you look at the opportunity in front of the cybersecurity professionals, they may feel there is a more exciting way to go than working with a broker or a smaller insurance company.

How Much Coverage

Thomas believes companies need to start with a risk assessment to understand where the risk exposure lies within their company relative to cybersecurity. A merchant's primary risk exposure, for example, may be customer information around who their customers are and the payment mechanisms they use for goods and services.

“If you are a pharmaceutical manufacturer, you likely don't have a lot of credit card information, but what you do have is clinical trial information—who's trying the drugs, what their experience is, profiles of the individual lifestyle,” says Thomas. “Or you may be concerned about the industrial control factors with the companies that produce the drugs. It all starts with a comprehensive risk assessment to understand where the exposure is and then a conversation about the mix of controls and the type of insurance needed to deal with the controls.”


When Deloitte speaks with its clients about cyber risk management, Thomas explains the conversation generally focuses on three areas:

  • The things you do to secure your environment. Implementing firewalls and intrusion detection that will alert people when an anomalies are happening
  • Things that involve vigilance. This is a changing environment on a minute-by-minute basis—the attacker changes, the models change. What is considered good security today might not be considered good security tomorrow. Good vigilance is about understanding where changes are occurring.
  • Resilience—having the right capabilities in place to deal with a cyber event to minimize brand reputation and financial loss. Practice in advance of an event happening. It has to be muscle memory to respond to it.

Security Expense

There are two sides to the question of expense when it comes to cybersecurity, points out Friedman. If you are talking about bigger insureds they may buy stand-alone coverage. From the small business side, one concern Deloitte is hearing from rating agencies is insurers in a soft market are frequently adding cyber coverage to small business coverage without adding any premium. The concern is whether those insurers have properly assessed the risk and are they reserving for it properly. In that case it's very inexpensive.

When discussing the dearth of data and people not having a good handle on how big this risk is, Friedman points out that goes for the buyer as well as the seller. Several questions arise, including: Is the premium reasonable for what they are offering? How much out-of-pocket expense will the buyer get stuck with? What is the deductible?

“We are really feeling our way through the equation,” says Friedman.

Reputational Risk

If a cyber event happens and it hits the press there is not a lot you can do other than try to control the message, according to Thomas. Insurance isn't necessarily going to help with reputational risk, but part of the risk assessment means understanding the exposure and where cyber insurance fits.

Friedman points out that directors of big public companies are making sure the management team is on top of this issue. “It’s so hard to underwrite given the dearth of data and it's so unpredictable because entry points are expanding with the growth of IoT,” he says. “You have more potential entry points for hackers. So you can't underwrite because the predictive model is based on a critical amount of data that doesn't exist yet.”

Historical data doesn’t always help because it doesn't take into effect new threats and new vectors. If you provide a holistic service—not just risk transfer—and help the policyholder as their risk manager directly or in partnership, that might give an insurer the edge because it eliminates the possibility of loss, it helps the insured to have a more risk-resistant policyholder in place, and it cements the relationship to help take care of the risk. If the worst does happen, insurers may help their policyholder to recover quickly so the incident doesn't become a serious loss.

“Don't just peddle a policy,” says Thomas. “Peddle a solution.” 


Featured articles

MT 160x600



The Email Chat is a regular feature of the ITA Pro magazine and website. We send a series of questions to an insurance IT leader in search of thought-provoking responses on important issues facing the insurance industry.


April 5th – 7th, 2020
The Diplomat Resort
Hollywood, FL
Become a member today to receive updates – www.itapro.org/MR


only online

Only Online Archive

ITA Pro Buyers' Guide

Vendor Views

Partner News