Resilience Insurance is a newly launched cyber program manager targeting middle-market companies with revenues of $100 million to $5 billion.
Resilience is underwriting on the paper of Intact Insurance Specialty Solutions (rated A+ by A.M. Best). It’s not just an insurance model that simply issues a policy, says Vitale. By bringing together security, insurance and recovery, Resilience goes beyond risk transfer and helps clients become cyber resilient. Here is our Q&A with Vitale, pictured left.
It’s definitely a hard cyber market. In the third quarter, Marsh published a report showing that 70% of cyber renewals are experiencing some kind of price increase, with the majority of those increases being over 20%. As increases continue, some carriers are withdrawing completely from writing cyber. All the while, deductibles are going up while limits are going down. All of this means that a lot of brokers are working twice as hard to fill out layers of coverage with shrinking capacity.
Cyber may be even harder than other lines of business, and I know there are several under extreme pressure right now. Because the losses [in cyber] are so high and carriers are reporting unfavorable results and cases of ransomware are getting so sophisticated, a lot of claims departments are telling us they don’t know how to handle everything. There’s a lot of confusion and a lack of ease that the insurance market has historically been able to provide.
Risk engineering is understanding not only what predators are out there in the very dangerous cyber world but also understanding the appropriate protections a certain company needs in the confusing world of cyber security. What’s the risk, and what are you doing about it? What new kinds of automation are they undertaking? What new types of products are they issuing? What new types of software do they employ? What are their practices on backing up their data, detecting a breach, protecting the integrity of their email?
There’s no simple, blanket, risk-engineering solution. No two protection programs are the same. It differs depending on what kind of business they are, what they may be doing, and where they may be going.
Part of our value proposition is true risk engineering but not in a general way—not downloading some kind of software program. It’s understanding a company’s risk by talking to their CISO or talking to their IT department about what it is they have and where they are going and how we can protect them from tomorrow’s attacks.
Most of the MGAs we talked about are focused on the small commercial risk. They use technology—self-service if you will—to help protect those risks and educate their clients. There are companies that are trying to be everything to everybody in that small space. And the truth is, you really can’t make everybody happy.
We launched Resilience with a different approach in mind for a few reasons. First and foremost, we are only dealing with companies that have complex cyber risks and need thoughtful solutions to address their cyber security. Often what these companies will spend—or should spend—on cyber security is more than what they’ll spend on insurance. I think that’s a good thing. The two greatest risks that are facing corporations today are insurance needs—one is directors and officers for obvious reasons, and the other is cyber. Cyber crime goes to the core of harming a business—business interruption, reputation risk, and ransomware (where your data is encrypted and you can’t do business). Our view of delivering value means providing cyber security, technology, data science, as well as risk transfer into a superior cyber insurance product.
Our second approach hits on education. We have to stop and ask ourselves: “What can you do today to protect against tomorrow’s threats?” Answering this question is more complex compared to a transactional insurance product for small businesses. Resilience believes that educating and nurturing a relationship with brokers is critical to ensure true cyber resilience. Resilience’s cyber-security experts are monitoring what the hackers are testing right now. We will provide education seminars and access to our experts so brokers and their client base will learn about complex risks as well as the broader risk landscape. That way, we can move the culture beyond just compliance and take the necessary steps to protect against a constantly evolving threat.
Part of this is science, and part of this is art. It’s not just an actuarial science—it’s using underwriters and underwriting expertise and cyber-security expertise to understand the kind of attacks that are out there, how bad they’ll be, and how much effect they could have on business interruption, reputational damage, and other related risks.
This is the beauty of having cyber and insurance experts team up. We want to go beyond just pricing a risk. We have a sophisticated cyber database on specific risk characteristics as well as cyber-security utilization. Our methodology will help everyone understand the risk more intelligently and how to properly insure and secure against the cyber complexities. Overlay that with our unique insurance and coverage experience, and we will be taking this science/art value proposition to a whole new level.
Part of why it has been hard to predict the amount of cyber losses is because coverage has been expanding. A lot of underwriters have been, if you will, very generous in the coverages they’ve been granting. And because of expanding coverage grants, there’s an expanding loss space too. So part of it is understanding how much of those losses are related to coverage and how much is related to the fact that the hackers are getting more sophisticated. Putting our protection levels into place, we need to determine what the proper amount of risk transfer is in terms of coverage, as well as how much to charge for that. Knowing that, when there is a breach, we will be there to prevent it from becoming a bigger problem, that’s a significant component of what we bring, and all that goes into our rating model and pricing.
It certainly is a changing landscape. The number of attacks continues to rise. We recently heard that October 2020 was the worst month ever, and I suspect it’s going to get worse. Most of these are outside attacks coming from sophisticated hackers. We know pretty much who they are working with and how they’re sponsored, whether it’s Russia, North Korea, Iran, or others. As a result, it becomes very difficult to catch these criminals, but it does call for government and private enterprise working together to make sure cyber criminals are not protected and bad actors are shut down.
The current trend is that hackers are getting more sophisticated and, due to the pandemic, many more individuals are working from home, leading to a higher proportion of devices being exposed. A company with 100,000 employees, for example, working out of 10 offices now has 100,000 employees working from home. That means there are now 100,000 points of exposure that could be used by those hackers to get into their home service and eventually get into their corporate service and work their way up.
The technology used by hackers also continues to improve. We’ve seen a lot more use of automation with robots and artificial intelligence. It still takes an individual to drive those machines, but the technology is moving fast. Bad actors are using more sophisticated tools to initiate those attacks and get into the servers. We’re also seeing a trend where hackers feel they have an opportunity to make money by teaching amateur hackers. Bad actors are actually teaching classes where amateurs pay money and learn how to mature their tactics and techniques as another way to make money. That’s the nature of what we’re dealing with.
A little more than a year ago, the targeted industries were municipalities. We saw so many of them attacked, so many of them locked down. They were vulnerable. In 2020, there was a lot of focus on healthcare. Almost every day, I read another healthcare system has been breached. It’ll probably be something else in 2021, and it’s our job to monitor these trends to stay ahead of the curve.
I don’t see it slowing down, especially with the increasing use of robots and artificial intelligence at the hand of these hackers to accelerate the breaches. I see it continuing to evolve, continuing to change. It might move around industry groups, it might move around countries, but we have quite a bit to go before we see this leveling off.
The extent of that question takes you to the next level. How big is the cyber market going to become? A lot of people underestimated the impact on free enterprise. We’re talking about a $50 billion gross premium market at a minimum over the next five to 10 years, which means it’s going to grow by at least five times where we are now. Losses will continue, and where losses continue, risk transfer will grow. And while that might be something that very much is going to be troubling to all of us, it is potentially ruinous only to those that don’t address it as a real threat and don’t do something about it.
I’d say to the CEO of that company, don’t be foolish. You will be the focus of a cyber attack, and you will be breached. It’s just a matter of time and luck. How prepared are you? What preventive measures did you have in place? Once you figure out what happened, how do you want to explain it to your board, your shareholders, and your employees?
The most overused phrase in the whole notion of cyber is: “It’s not a question of if; it’s when.” If your company matches anything close to the profile of companies that have been breached or if you keep PII [personally identifiable information] or if you have something of value, you’re going to get breached.