In its early years, the cyber market felt like the Space Race: navigating uncharted territory with a wide range of unpredictable risks. It was difficult to underwrite and overlooked by most enterprises, which left cyber risk as a product many insurance carriers didn’t feel a need to prioritize — some even argued it was uninsurable.
In subsequent years, as the market has matured, those challenges have become ever more evident. The rapidly changing risk environment means that traditional underwriting practices have struggled to keep up with the cyber landscape and the threats that accompany it. Fire insurance has long been able to determine the leading risks for significant damage to a building, but the rapid evolution of technology, and the profit-driven ingenuity of threat actors, has left some insurers questioning their commitment to solving cyber.
Enter the Cyber MGAs — In a market that demands a deeper understanding of individual customers, a solid grasp of systemic exposure, and the agility to harness the best of combined technology and insurance expertise, these small-sized insurers are able to offer a more comprehensive solution for threats such as phishing, ransomware, and cyber extortion. Now established as an option for organizations of all sizes looking for cyber insurance, tech-forward Cyber MGAs are setting their sights across the pond.
Cyber MGAs, many of which fall under the Insurtech category, have a reputation for being tech companies first, insurance second. For program partners and incumbents, that isn’t seen as a positive. The tech offerings help — quantifying security risk, insights provided by novel data, and other investments in automation — but they can’t deliver on the promises for smarter underwriting without the collaboration of insurance industry veterans.
This perception isn’t necessarily accurate. The most successful Cyber MGAs have learned how to handle the balancing act of being tech-forward — an absolute necessity for surviving the cyber market — while working hand-in-hand with insurance experts to guide the process. You cannot make powerful technology meant for cyber risk reduction and buying commercial insurance without knowing what all of our customers, be they cyber brokers, policyholders, or risk capital providers, actually need.
Once this combination of tech and insurance gets working, its strength can be seen through real-world tests on a regular basis. For example, not long ago there was no consensus about the systemic component of cyber. But as ransomware has taken center stage, the downstream risk of third-party outages is abundantly clear. In the past year alone, Log4j, Kaseya, and Microsoft Exchange vulnerabilities have shown that a business can incur risk entirely outside of its own control if its software vendors experience an attack. The message is clear: We need to measure the systemic component of the cyber world and get a handle on it before a true catastrophic event. Here, Cyber MGAs lead the way, adapting underwriting standards on the fly and coming up with new assessment technologies to aid in identifying if current or prospective policyholders meet those standards. This is the marriage of technology and insurance expertise in a nutshell.
Smart and nimble cyber underwriting is one approach towards a more optimistic future. As mentioned earlier, the behavior of threat actors isn’t as straightforward or predictable as the origin of a house fire. Underwriters working in cyber need to react quickly to signs of negative trends — like a web hosting provider with a vulnerability being exploited by threat actors — through analysis of aggregated data.
For example, at Corvus, we’re able to capture millions of data points across our portfolio. With every submission, we use a non-invasive scan to gather detailed insight on every organization that applies for cyber coverage. This gives us unprecedented real-time visibility into an applicant’s cyber hygiene and trends within different industries. In the event that a certain vulnerability is being exploited (like in the web hosting provider scenario) we can react in real time by imposing new underwriting rules that will limit our appetite tied to those users. Once the vulnerability has been addressed, we can modify our approach.
Tech-forward MGAs are enabled to be proactive by nature. On top of the more modern, digital approach to underwriting that allows for quick lever pulls without friction, there’s a lot more direct work with policyholders. Ensuring that they’ve done everything in their power to boost their security measures is one of the most straightforward approaches to cyber risk mitigation.
Going back to the exploited vulnerability impacting users of a specific web hosting provider: along with changes to an underwriting approach, we are able to alert all policyholders who use that provider and offer guidance on how they can protect themselves to help prevent a cyber claim. Here at Corvus, we have a Risk + Response team that can work hands-on with policyholders to help them in instances like this.
By making cyber insurance accessible to small- and medium-sized businesses — a sector historically overlooked and inadequately protected from cyber risk — some MGAs have taken this knowledge and are able to apply it to protecting organizations of all sizes. Why does that matter? Acknowledging that there’s a systemic component of cyber means that significant outages of cloud software or technology companies can hurt hundreds to thousands of customers or more. That’s a significant chunk of companies that will feel significant financial burdens (alongside reputational damage) from the loss. Carriers actively working to make SMBs safer are helping to reduce the downstream risk for their insureds and other larger organizations that rely on these companies as well.
Even with a volatile market, cyber insurance has proven that it’s going to be around for the long haul. The growing concerns over threats created by cybercriminals worldwide make regular headlines, and the U.S. is prioritizing defensive cybersecurity spending with a proposed 11% increase for 2023. As high-profile attacks attract media attention, companies have responded by adding cyber insurance as a regular component of their risk management programs. According to the Government Accountability Office, policies increased by 60% between 2016 and 2019.
In 2020 alone, the industry experienced 33.5% growth. While the US is leading the charge, other countries are moving towards closing the gap — albeit not as quickly. As of 2020, cyber insurance written in the UK for UK-based businesses is estimated as 5-10% of global cyber insurance coverage. But the risk is still present: a small business in the UK is successfully hacked every 19 seconds.
As the market has matured, so has cyber risk advisory. When Russia invaded Ukraine in March, it was preceded by several cyber attacks in an attempt to distract from attacks on land. And while it could have been significantly worse, it proved that cyber risk is a present and worldwide threat. Insurers rushed to prepare for the potential impact — and they continue to do so — all while fearing the impact that a true cyber CAT would cause them.
While there’s no obvious answer to when or where that will be, the marriage of insurance experts and technology (in the right order) is a good step forward. The US market has led the charge in the growth of cyber insurance, mainly driven by regulation and the propensity of attacks, but the rest of the world is beginning to follow suit. The global market is forecast to grow by over 250% over the next four years, cementing the need for a thoughtful approach to cyber that can be applied across continents. A safe pair of hands for risk partners is key, which in turn will help companies purchase insurance and leverage the expertise that cyber MGAs can bring.
This blog post is intended for general guidance and information purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.