Cyber competition must not weaken underwriting discipline

Cyber insurance is hugely competitive, especially at the SME end. There’s no debating that. 

Brokers have a wealth of insurance markets eager to provide the best fit for their clients’ complexity of risk, scale and threat exposure. 

Meanwhile, specialist providers like ourselves continue to evolve and enhance cover features to keep pace with emerging vulnerabilities, ever-shifting criminal stratagem and the challenging reality of dealing with disruptive system downtime.

On the surface, such keen competition is wholly good news for insurance buyers. Plenty of choice, downward price pressure and broader cover.

Baseline security risk mitigation requirements once deemed essential pre-requisites among insureds by cyber underwriters – such as multi-factor authentication – are no longer being stipulated in some quarters.

Ian Summerfield, Pen Underwriting

But that depends on what we believe cyber insurance is really selling, and how sustainable we want the market to be long-term.

Risk relaxing

Over the last two years, after rate-adequacy price rises began to tail off, market conditions turn and competition hot up, we have observed not only competition on price but a relaxing of risk management requirements and underwriting controls in certain parts of the market.

That concerns us. Why? Because the underlying risk landscape hasn’t improved, or even stabilised. Quite the reverse. Firms of all sizes are arguably more likely than ever to be negatively impacted by a cyber-attack.

Our own research found that firms in the UK and Ireland are five times more likely to be the target of a cyber-attack than suffer flood damage, a common peril which they all insure against. 

Despite that, market data suggests only around 20% of SMEs currently buy cyber insurance. 

Similarly, although 80% of surveyed firms said they could not afford to be offline for a week or less, one in four of those that had suffered commercial disruption from a cyber-attack confirmed the impact lasted for at least a week or longer.

Why is this important amidst the current ‘heat’ of cyber cover competition?

Because with cyber insurance, we’re not simply selling the promise of financial loss reimbursement. 

A vital part of dedicated cyber cover is the loss-prevention risk mitigation services and expert-led breach response. 

Consequently, we should all want to help firms do their best to prevent a successful attack in the first place and minimise the paralysing disruption that data loss or systems compromise inevitably produce.

And yet brokers have commented to us that some cyber markets almost seem to have ceased evaluating and underwriting risk in their keenness to win business.

For example, baseline security risk mitigation requirements once deemed essential pre-requisites among insureds by cyber underwriters – such as multi-factor authentication – are no longer being stipulated in some quarters. 

Not only that, but some brokers tell us that question sets by some cyber insurers are not just being refined but stripped right back to the point of undermining the relevance of risk information presented.

Instead of paring back requirements we should be actively encouraging our clients to use all the tools, training and techniques at their disposal to bolster their cyber resilience and block attempts to infiltrate their systems. 

From an underwriting perspective, this should also benefit loss experience, sustainable portfolio performance and help minimise any need for significant future rate corrections.

Unified message

If we send out conflicting messages to customers on risk control requirements, we risk undermining trust and belief in our expertise. 

Worse still, some of these competitive behaviours – less actual underwriting, heavily reduced rates and removal of baseline risk management measures – could ultimately result in a return to the corrective action needed in 2019/20, that’s to say, rate hikes, cover restrictions and reduced capacity to provide the cover that’s needed. No one wants that.

No matter how competitive the market, it’s important we keep cyber resilience centre stage and do what we can to help customers reduce their vulnerability to attack.

Competition can, and is, driving many positive behaviours among cyber insurance specialists. 

For example, smarter rather than simply stripped-back question sets to ensure they correlate to current threat landscape and claims experience; implementing reductions in excess levels for the smaller, less complex end of the SME market to make an investment in protection more appealing and reduce barriers to buying; and introducing a greater range of insured sub-sets to more precisely tailor cover to their size and complexity.

But there’s a big difference between flexibility of approach and reduced underwriting discipline.