Not Your Typical 2023 Cyber Insurance Market Update

It’s going to be a bit different this year.?

When I sat down to write my annual state of the market article, I began with the same old routine: a crisp sheet of paper, a pen, and then the same old topics - capacity, pricing, supply & demand, and followed by changes to underwriting requirements and some trends in the pure cyber sphere. It did not take long for me to change my pen’s course - after all, industry knowledge is now relatively well distributed these days versus the pre-COVID “Dark Age”.?

So what could I add to the discussion? After giving it some thought, apparently quite a lot.

The Cyber Insurance Academy enjoys a uniquely privileged market position. It allows us to remain objective whilst keeping a finger on the fast beating pulse driving the sector. On top of that, we have the benefit of meeting with clients on a daily basis and speaking to them about their challenges, gaps and areas of focus. We hear their needs and requests and make it our goal to translate them into tangible products.?

But before I dive in, allow me to be somewhat self-contradictory and get it out of my system: prices are stabilizing, demand for the products is still increasing, the market is still maintaining its high growth rate, there is still a capacity crunch (although it is improving), and systemic/catastrophic risk is still a major concern for the market. Phew, that’s off my chest, so let’s get going.?

The Market Is Becoming Increasingly Technical

If three years ago, we thought that education in the cyber insurance sector would center around cyber terminology, it is now becoming increasingly clear that we are heading toward a very technical path. It was our original belief that getting comfortable with the “cyber language” would form a sufficiently sturdy and robust springboard for insurance professionals to convey the product messaging and interact in a professional manner with technical leaders.?

In actual fact, underwriters and brokers are now required to go into greater technical depth and to know much more than just “the basics”. Insurance professionals are now required to understand mechanisms, implementations requirements, identify potential gaps, and understand the alternatives/corresponding solutions. And they need to be able to do so in a timely manner in accordance to the ever-shortening deadlines set.

The buying process has transformed significantly over the last couple of years too, with the proposal form, policy, coverages and endorsements requiring a much greater technical understanding. And as a result, the nature of the role of a cyber insurance professional has changed to become more of a consultative one, with proactive approaches to cyber security featuring at its forefront.??

Education Is The First Step, But Must Be Closely Followed By Tech

Technology has a presence in this industry not only in words, questionnaires and oral discussions. Indeed, the technologies which provide crucial support to the entire policy sales-cycle are evolving as well - from pre-breach services and tools, on-going monitoring and response all the way to incident response and claims handling. It should go without saying: an education that evolves alongside the technology it concerns is imperative if insurance professionals are to properly harness those tools, maximize their value with the right data, and understand their “whats” and their “hows”.?

It starts with the minimum requirements, which have become an industry standard as insurers have learned to cherry-pick the best cyber risks to insure. This means that, before brokers even approach the insurer they must address and consider a variety of different technologies and tools such as non-intrusive assessments, backups, threat intelligence, stress tests, table top exercises and configurations. Of course they must also provide consultative services to support their clients by providing the right security tools, awareness training, phishing simulations, and ransomware workshops… and much more.

But, in the cyber world, an insurer’s risk assessment cannot simply end at the signing of the policy’s dotted line. Many carriers in the industry have now woken up to the enormous advantage of leveraging technology to ensure the safety of both their insureds and their capital reserves. After all, it is in everyone’s interests to reduce losses by stopping attackers in their tracks as early as possible. We’ve seen different “names” crop up over the past year to describe this new way of insuring cyber risk - “Active” Insurance, “On-Demand” Insurance, “Proactive” Insurance, and “Insurance-as-a-Service” - but from my personal, overarching perspective, the same approach of continuous monitoring and response applies to each. Of course, the technologies, tools and methodologies leveraged may differ from product to product.? But the industry in general has quickly cottoned on to the proactive approach to cyber insurance and with it, the demand for technical knowledge has skyrocketed.

Technology has, of course, also become an inseparable part of the Incident Response and claims handling process, including customer notification, forensic investigation, and even ransom negotiation and payment. This is obviusly on top of the inerated role that technology anyway has in the cyber incident response process.

The Cyber Policy Is Just The Beginning Of A Bigger Technological Disruption?

By that, I am not referring to the highly anticipated insurtech disruption. I am not referring to digitization and connectivity, nor to improved user experience.?

What I actually mean to say is that the buzzwords of today will become the insurance products of tomorrow. Glimpses are beginning to emerge of insurance products that deal with technological developments at their core - with cryptocurrency and blockchain technologies, the Metaverse, digital assets and social media policies to name a few. All of this serves to magnify the pressing need for the insurance sector to savvy up with tech if it is to stay relevant and provide clients with a meaningful service?

Moreover, given the prevalence of technology in our everyday lives, this investment cannot fall on the cyber and tech divisions alone, but, rather, throughout the entire insurance industry. Even the traditional insurance products such as property and liability now require a deeper understanding of technology and innovation. For example, AI, Big Data and cloud migration will not only play an instrumental role in cyber policies, but will also be increasingly adopted in traditional lines of business, providing better insights across the entire policy supply chain. To sum up: if the insurance industry wishes to stay relevant and to provide the best service possible to its clients, it needs to start building a stronger technological foundation that will last for decades.

The Cyber Policy Supply Chain Has Many Communication Gaps, But A New Ecosystem Is On The Horizon

Given our firm focus on education, the Cyber Insurance Academy finds itself uniquely rooted in the industry despite not operating like a typical insurance organization. We therefore have clear visibility over the various stakeholders that make up the cyber insurance supply chain, and can, accordingly, identify gaps - and there are plenty of them.?

I’ve spent this period reflecting on the conversations I’ve had over the past year and feel that the problem ultimately boils down to the different perspectives from which each of these stakeholders - the insurers/MGAs, brokers and end clients (the insureds) - view the same industry. This is very much a case of “two sides of the same coin”, with everyone having their own insights, needs and motivations. To create transparency and consistency, there needs to be a holistic, non subjective, unbiased body that improves communication and tackles these gaps.

From the carrier side of things, I’ve seen insurers apply their own claims data to identify and analyze emerging cyber trends, vulnerabilities and potential exposures and to protect their capital by constantly adjusting their requirements.

The impact? is, arguably, most keenly felt by the brokers, who are struggling to keep up with the changes, get the message to their insureds, and do so in good time. Not all of these changes are easy to implement and assessing a client’s policy readiness is no longer the simple case of box-ticking that it once used to be. It’s no longer enough to ask a client “Do you have MFA?” and to take their answer as gospel. Rather, they’ll need to produce copious amounts of information including lists of their remotely accessible assets, details on their PAM software, the levels of access and privileges given to those assets, their authentication methods and the MFA solution they employ.?

For the insureds, renewals become challenging if not sometimes impossible. They often need to implement new solutions, processes and procedures, and to do so properly.

But there is another interesting impact of developing trends on the cyber insurance supply chain: to counter the identified risks, insurers have also often taken various actions to protect themselves (such as co-insurance, new coverages and exclusions).?

And that is not all. Beside the pure insurance industry we are seeing increased involvement from cyber security vendors, risk quantification and analytics providers, law firms, technical incident response teams, PR companies, startups, and many other stakeholders. There is a new ecosystem in the making, one that requires much more cohesion and cooperation if the industry is to reach the stability it craves and to maintain its growth rate.?

The Market is Experiencing a Severe Talent Shortage?

The insurance workforce is aging, with many employees expected to retire in the next few years. To add fuel to the fire, it is no secret that insurance is not the most appealing industry to pursue as a youngster, especially those coming from a technical background. The payrolls and the benefits that the tech industry has to offer are somewhat more attractive. So what can and should we do as an industry to tackle this issue??

A good starting point would be to train people internally, and convert them to become tech experts. However, I acknowledge that this is more of a band aid rather than a real, long-term solution and will take some time to implement fully.?

So perhaps a more radical change is needed. MGAs and tech companies already operating in the insurance space have had relatively high success with sparking excitement in young talent and attracting them to the field. Efforts must be made to retain this workforce as they grow their careers, which will include facing some harsh truths: conditions and benefits need improvement and salaries need raising. But we also need to think outside of the box, join forces and come up with new initiatives.?

A great example of such an initiative is the LIIBA’s (London & International Insurance Brokers’ Association) STEM week, in which I had the opportunity to participate in last year. During this week in London, a class of British teenagers participate in seminars, tours and a variety of activities that culminate in a Board War Room simulation at the end of the week. The goal of the event is to expose youngsters, ages 13 – 17, to the wealth of the insurance sector (this time it was all about cyber insurance), and to inspire them to pursue a career in the field.?

How Should We Move Forward?

Although we are on the verge of a global recession, I am seeing budgets for cyber insurance buyers increase, together with budgets to invest in cyber within insurance organizations. This growing investment in talent, expertise, and initiatives are indications of the good health of the cyber insurance market and of its potential future growth.?

And here, the Cyber Insurance Academy will continue to do its best to facilitate this growth by plunging our everything into producing world-class Continuing Education, building a thriving Community, and making sure that the most important topics of cyber knowledge reach our members. We keep our eyes peeled for new trends and respond as quickly as possible with training collateral - with the benefits felt by both the insurance professional and their end client. The market’s rapid pace of change has challenged us to adapt our traditional products and vision and to consider new methods of content delivery: micro-lessons, a vendor-centric TechHub, and live events are just a few examples of the way we plan to help the cyber insurance sector burgeon.?

There’s excitement in the air at the Cyber Insurance Academy HQ as to what 2023 will bring. Let’s hope it’s our best year yet!

Written by Guy Simkin, CEO and Co-Founder of the Cyber Insurance Academy

The Cyber Insurance Academy?is a 24/7 online academy designed for insurance professionals. The academy is operating in more than 40 countries around the globe, and it is building the world's biggest community of technical insurance professionals.

Feel free to contact me at:[email protected]