Cyber Insurance: A risk-led approach

Last updated: May 31, 2023

The unprecedented rate of change in the cyber threat landscape has caused significant upheaval in the insurance market (as we discussed here). This has left large or complex clients in a challenging position, unable to access risk transfer due to often confusing and onerous insurer requirements. 

Over the last two years, we have worked on over 50 cyber risk assessments in support of obtaining insurance coverage for large clients with over USD500m in revenues. These clients have come from a range of sectors, from manufacturing to telecommunications, pharmaceuticals to professional sports.

Working closely with our broking colleagues, we’ve learnt a lot of lessons in a relatively short period of time, with our approach tending to differ significantly when working with large organisations in comparison to those in the small- and mid-market space.

Below, we outline five key priorities that we put into practice when engaging with our clients on cyber security, to simplify their approach to the insurance market. We feel this drives better outcomes both internally, in terms of improved risk management, and as part of the insurance transaction.

Priority 1: Contextualising the role of risk transfer

This comes down to answering one question before even beginning an insurance placement process: why do we want to transfer some of our cyber risk into the insurance market?

Organisations should be capable of clearly identifying their tolerance and appetite for cyber risk, and preferably should have educated the Board and senior leaders on the role of cyber insurance in the first place.

For instance, cyber insurance should be a mechanism for transferring residual financial risk off of the balance sheet (particularly in catastrophic scenarios) only once solid risk mitigation measures are deployed, as well as providing skill sets and response options which may be more difficult to engage individually (particularly network forensics, incident response, and legal ‘breach coaching’).

Everyone in the organisation, including Information Security, Risk, Insurance, the C-Suite and Board, should be on the same page about what cyber insurance is there to do and should be clear that it is only the final step in a process which should be rooted in Enterprise Risk Management (ERM) and risk assessment.

Making efforts to calculate potential losses from an adverse cyber event is also important here, as this would form the quantifiable basis of how much risk should be transferred to external markets in terms of limits and coverages. This alone has a number of considerations:

Consideration 1: What financial losses might be involved in a data loss or data exfiltration incident? Are these direct or indirect financial losses?

Consideration 2: What financial losses might be involved in a business interruption incident? Are these direct or indirect financial losses?

Consideration 3: How strong is our balance sheet to withstand that level of loss? Does it make financial sense to hold this risk on the balance sheet given tax, financial risk, operational risk, debt, and other liabilities and exposures?

Consideration 4: What might be the long-tail exposures of a badly-managed cyber incident based on previous case studies? What will the share price impacts be over the longer term for a publicly-traded company?

Consideration 5: What are other similar companies purchasing for the purposes of their cyber insurance limits, and why might that be relevant or irrelevant for us?

Consideration 6: Is there some way of quantifying the effectiveness of our cybersecurity control environment, and if so, what is the residual financial risk that would be left?

Priority 2: Establishing and bedding-in a cross-functional team

The biggest issue we tend to see in large organisations when advising them on their cyber risk is a siloed approach, particularly between Information Security, Information Technology, Insurance, Business Continuity, Legal and Finance.

All of these stakeholders will have a role to play during the risk assessment and risk transfer process, for example:

  • Information Technology provides information on how systems are architected, how networks and services are configured, and will usually be the first line of defence (‘1LOD’ in industry parlance) for implementing technical cyber measures such as patching;
  • Information Security leads the charge on designing cyber security measures as part of a wider risk management strategy, and tracks and communicates progress on these initiatives to senior leadership;
  • Insurance tends to take responsibility for managing brokers and advisers, questions the involvement of particular insurance markets, assesses the adequacy of insurance limits and coverages, and facilitates the interaction with Alternative Risk Transfer (ART) solutions such as captive insurers which are wholly owned by the organisation;
  • Business Continuity teams provide information around the criticality of processes, how these interact with individual business models within the organisation, assess Critical Digital Assets (CDAs), and identify Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for individual systems and teams;
  • Legal continuously manage the organisation’s liability exposures with clients and suppliers through contractual clauses, and develop and implement procedures and policies to respond to regulatory requirements (such as GDPR in Europe or HIPAA in the United States);
  • Finance possess key data around how particular systems and processes drive revenue and profit, and therefore hold the key to understanding what the financial impacts of an adverse cyber event might be.

Putting this team together ‘in one room’ well ahead of engaging with insurers is critical, particularly if the organisation is conducting risk assessments to inform what residual risk will be transferred into markets. Personal relationships between these teams, and knowledge of each other’s ‘ways of working’ when discussing cyber risk, can make all the difference in making an organisation fighting fit when preparing to talk about risk with external parties. This cross-functional team can also already exist in other guises, such as Cyber Security Working Groups or Information Security Executive Committees.

Priority 3: Understanding the business model/loss connection

Controls are important, but they’re not everything. An organisation’s business model (the way that it generates revenue and profit), and how it interacts with and depends on systems and processes at risk of a cyber event, play a critical role in how impactful an adverse cyber event might be. We can describe a set of ‘layers’ which help to explain how this works:

Revenue generation relies on provision of products and services, which rely on processes, which rely on applications and tools, which rely on data and data transfer, which relies on infrastructure and architecture.

First, understanding these dependencies enables an organisation to map out what it needs to protect, allowing it to prioritise resources and activities in a way which supports its most critical processes that generate income.

Second, as the nature of every organisation’s business model is different, some companies can be inherently more resilient to cyber events than others, regardless of how mature their control environment is.

Let’s take a worked example of this through the lens of two fictional companies:

Organisation A with USD400m in revenues has terrible controls from a cybersecurity perspective. Access management is rudimentary, security monitoring is non-existent, and architectural principles for setting up networking are not clearly defined. The organisation generates its revenues from the manufacture of premium, hand-made cigars predominantly in Central and South America which it mainly provides to wholesalers in large markets such as the United States, Europe, and Asia.

Although the controls in this case are terrible, the nature of Organisation A’s business model (a handmade, premium product) means that there is little or no involvement of operational technology in the physical manufacture of their cigars: equally, their reliance on wholesalers rather than shipping to individual customers minimises the data that they hold. It also simplifies business continuity: if shipping systems go down, cigars can still be sent to wholesalers manually by making 40 phone calls instead of 600,000.

Organisation B with USD200m in revenues has impeccable controls including single sign-on across the enterprise which is supported by multi-factor authentication, a dedicated Information Security team, and rapidly maturing business continuity and disaster recovery plans which clearly identify the role of immutable backups. This organisation generates all of its revenues from the provision of a piece of Software-as-a-Service technology directly to large customers which sit under individually-negotiated contracts, as well as through an Application Programming Interface (API).

This technology sits in a single ‘stack’ of interconnected systems, meaning that if one component or service fails the stack has a high risk of collapsing and preventing the provision of the product to customers. The technology stack itself also relies on external suppliers to function, such as cloud service providers, performance monitoring services, and integrations with other SaaS platforms. A major adverse cyber event, which will never have a zero likelihood of occurring regardless of how mature the control environment is, could generate huge losses both from data loss and business interruption.

Although this is just a thought experiment, it demonstrates that the nature of the business model has a significant effect on the exposure to a cyber event: the Potential Maximum Loss (PML) scenario for Organisation B will be much higher than for Organisation A, despite the fact that Organisation B’s revenue is half that of Organisation A. This relationship between the business model, underlying systems, and the cybersecurity control environment drives much of the conversation with insurers. It’s critical that large clients understand how this might differ across their organisation by business unit.

Priority 4: Developing ‘transparent underwriting information’

The concept of ‘transparent underwriting information’ is difficult to define, but is also the foundation for any long-term risk transfer strategy for a large organisation. Importantly, it’s analogous to ‘transparent risk information’ within an organisation.

Military and law enforcement regularly utilise the term ‘Common Recognised Information Picture’, which is, in essence, that all stakeholders are orienting themselves and taking decisions based on the same set of information which is as detailed as possible at any particular point in time. This ‘picture’ is what we aim to generate in collaboration with clients to share with insurance markets to connect risk management to risk transfer.

The two supporting pillars of this objective are ‘what the information is’ and ‘how the information is presented’. Both are as important as each other.

The former generally relies on how comprehensive the information provided is relating to revenues, data, systems, and how these are protected across the organisation (see Priority 3), and then how granular this information is. Information which covers all business units in an organisation is comprehensive, and information which includes detail on individual lower-level systems is granular. Information provided to insurers for large organisations should be both, and it’s the role of the broker to advise on how this should work.

These two are also not mutually exclusive. An information picture could be both comprehensive and granular, but equally may only be comprehensive (but not granular) or granular (but not comprehensive). If the information being discussed by the client, brokers, and underwriters meets both of these criteria then confidence and trust across all parties is significantly increased, which should improve the outcomes of the process.

Although it sounds superficial, ‘how the information is presented’ is equally important for a range of reasons, not least that underwriters are human and when dealing with a large number of potential client risks at any given time, will likely prioritise those in which the information presented is easy to absorb and digest.

An organisation could provide reams of information which can be considered to be both comprehensive and granular, but if it isn’t accessible it becomes worthless. Returning to the military and law enforcement example: in organisations where the management of intelligence (read: information) is critical, huge investments have been made since 9/11 not just in the collection of data but also in how it’s presented to humans for analysis.

Palantir, a Silicon Valley software giant, has been so successful partly based on its ability to make large amounts of information meaningful. It now has a market capitalisation of USD16 billion.

Client risk management and insurance teams, alongside the partner broker and advisers, have the greatest success when executing a strategy which develops a Common Recognised Information Picture which is comprehensive, granular, accessible and digestible. This ‘transparent underwriting information’ then serves to increase the trust and confidence of insurers, particularly when it’s fully contextualised. It also serves to reinforce that disclosure requirements were fully met at placement when negotiating over any subsequent claim. As many underwriters have quietly explained, “we don’t trust anything now which looks perfect”.

Priority 5: Setting expectations on timeframes

The last common source of frustration that we’ve found is the time now associated with the renewal of a cyber policy for a large organisation.

In part, this is likely the result of an extremely rapid transition from a state of play where a policy would take a Risk Manager hours to procure to the current state, where the process takes months (and probably tens of person-hours of time, or more). This frustration will likely dissipate as heightened information collection requirements become the new normal, but in the interim, convincing disparate teams across an organisation to become involved in the information discovery and renewal process can be difficult.

There are a few ways to deal with this. We tend to find that the best way to set expectations is to characterise the process as part of governance and enterprise risk management, generating an outcome which is relevant and actionable to the organisation independently of insurance.

The financial transfer of this risk into the market is just a by-product of the process rather than its aim. Once stakeholders understand that this forms part of enterprise risk management, rather than teams ‘doing a favour’ for the Insurance team, the dynamic changes and additional time and resources tend to be allocated. A consulting-led approach here can underline this very clearly.

For more on the key strategic priorities clients should consider when engaging with insurers on cyber, as well as detail on what we are seeing 'on the ground' with our clients (both good and bad) as they approach the cyber insurance market, download our Cyber Arms Race report.
