Cyber insurance is a newer industry that has experienced unprecedented growth and changes over the last five years. As we all strive to stay secure while navigating a hybrid work model, we are witnessing the landscape shift from data breaches and credit card theft making headlines to growing threats like ransomware. After working in insurance in varying capacities for over ten years, holding roles in claims, sales, and underwriting, I joined Coalition's Canadian underwriting team as a Production Underwriter in February 2021.
I feel like one year in cyber should be measured in one decade given how fast things change and evolve.
Much like the cyber insurance industry itself, as a production underwriter, you often have to pivot multiple times throughout the year to keep up with the ever-changing environment. As an underwriter, it is essential to keep your finger on the pulse of the marketplace. One of my favorite aspects of this job is seeing how applicable it is in day-to-day life. My fiancé pokes fun when I ask how my information will be used when I sign documents, give my credit card info to a company, or read privacy policies associated with various software updates.
While this level of mindfulness may seem excessive, evaluating and mitigating digital risks is critical, especially as companies and individuals rely on technology now more than ever to create a sustainable, efficient, and connected future.
At the beginning of my journey in cyber insurance, the industry saw an uptick in clients taking out policies for their cyber liability exposure. Back then, companies were primarily concerned with privacy liability exposure, resulting in class action lawsuits and potential fines from the Privacy Commissioner of Canada. These lawsuits were the result of breaches of personal information — personally identifiable information (PII), personal health information (PHI), and payment card information (PCI).
At this time, cyber criminals were more focused on breaching smaller companies with sensitive records to sell on the dark web or make fraudulent health insurance claims for a profit. As a result, clients were very conservative when purchasing coverage because they didn’t think they had significant exposure to cyber risk. They often bought lower limits and were very price sensitive.
A year later, there was a clear shift in the industry. Attackers pivoted toward DDoS attacks and business interruption to cripple businesses and their revenue generation. Business interruption losses skyrocketed as a result, and with that, the appetite in the insurance industry shifted. Changes soon came by way of social engineering and phishing attacks to gain user credentials. Business email compromises (BEC) soon followed. And yet, clients still believed, “it won't happen to me.” The rapid shift in tactics and the resulting attacks did plant a seed in the mind of the CFOs and CISOs that cyber insurance was a critical business expense.
Email phishing was the initial vector of attack for 48% of reported claims where this data was available. – Coalition Claims Report
At this time, the industry standard was still an outdated method of analyzing risks by confirming that basic controls were in place, i.e., antivirus, multi-factor authentication (MFA), and firewalls. However, relying on only these checks was proving insufficient in the wake of rising cyber claims. Eventually, the mindset would shift toward a defense in depth model: utilizing layers of security tools and technologies to protect critical information.
The importance of having cyber insurance grew due to companies implementing contractual obligations, which included stipulations that companies would need their own cyber liability policy with specific limits in order to participate in acquisition processes. At the same time, there was a boom in ransomware that crippled companies. These factors motivated companies, large and small, to collectively spring into action and obtain quotes for cyber insurance. At this time, this industry was still catching up on how to underwrite cyber accounts efficiently.
Eventually, carriers and insureds alike were forced into a more uniform process for cyber underwriting due to COVID-19, which forced companies into a virtual world with no preparation. Companies undertook the added exposure of employees using their personal Wi-Fi and IoT devices to access company assets. Paired with overworked and overstretched IT staff, this was a perfect storm for attackers to exploit. By now, the importance of Endpoint Detection and Response (EDR), backups, encryption, and MFA was top of mind for both insureds and insurance companies alike. But was that enough to prevent cyber incidents?
I remember reading an article about how car insurance companies helped reduce the amount of accidents seen in the rural United States; I laughed it off as marketing. The article explained how insurance companies incentivized customers to lower their premiums by rewarding them for having newer cars, less mileage, no points on their license, and no previous at fault claims. As a result, newer models replaced older cars, people used seat belts more and drove safer, causing accidents to dip significantly.
Cyber insurance has taken a very similar role. Cyber insurance acts as a risk management solution pre-breach and a panic button post-breach, offering a turn-key solution to your cyber exposure.
The role of the insurer has changed significantly in the span of five years as clients gain access to a vast array of tools designed to prevent an attack, making them more insurable and less likely to sustain a breach.
Insurance companies react to the ebbs and flow of the marketplace, and their requirements change frequently based on the claims trends they see. During my time in cyber, the underwriting process has changed drastically due to the ever-changing nature of the marketplace. Previously, we would ask clients to fill out a check-box application that could be anything from 10 to 18 pages in length. Then, we would underwrite the account on this information alone. The most heavily relied upon information would be revenue, industry class, and whether or not the client met the minimum security standards (MFA, firewalls, and backups).
This outdated mentality of putting pen to paper contradicts the pace of attackers that insurance companies are hoping to outpace. At Coalition, we need your domain names and a ransomware supplemental that is a mere two pages. We evaluate the rest of a potential insured’s risk using our robust scanning and underwriting processes.
Coalition has held strong as the cyber landscape has evolved. We adapted our underwriting process, pivoting from primarily mitigating privacy and social engineering losses. This underwriting method was easier, but claims became more complex as many businesses transitioned to remote work, providing attackers with new technologies to exploit. Because Coalition emphasized security heavily before it was standard in the marketplace, we were well-positioned to adjust as attackers shifted tactics, remaining inside networks longer and deploying deadly new ransomware variants. Today, we determine the risk exposure of potential policyholders by scanning their public-facing networks and assessing their security controls entirely from the outside, just like an attacker. We work with our policyholders end-to-end on their cybersecurity journey, providing pre-breach services, employee training, incident response planning, compliance assistance, and IT services.
Our underwriting and risk engineering capabilities are unique among cyber insurance providers, and our claims frequency reflects this. Coalition policyholders experience less than one-third the frequency of claims when compared to other carriers in the market. – Coalition Claims Report
The cyber market undoubtedly has more changes ahead. As cybercrimes continue to escalate in severity, addressing cyber risk has become a critical task. The 2021 Coalition Cybersecurity Guide provides simple, straightforward steps to protect your organization from malicious actors. Our H1 2021 Cyber Insurance Claims report analyzes the cyber incidents that precipitated claims, including the attack vector and root cause. In addition, policyholders can take advantage of Coalition Control, our integrated platform that lets organizations review and manage their cyber risk.