In previous years, the questions around cyber risk insurance centred on ‘should we or shouldn’t we purchase?’. Many boards and risk managers, not entirely sure of the value a cyber risk insurance policy brought and relying on the justification ‘we’ve never needed it before’, viewed cyber risk insurance with a cautious and cynical eye. Perhaps the misconception of ‘we don’t handle high volumes of personal sensitive information’ was a convenient argument for boards to dismiss this new class of insurance out of hand. Another justification was a high reliance on the organization’s IT teams: ‘our IT teams have our cyber risk under control. There’s no way we could get hacked. We are completely secure.’
In 2020, when the world was upended by a global pandemic and work routines, operational structures and life in general as we knew it underwent complete upheaval, IT teams globally were thrust into the mission-critical roles of ensuring (i) availability of systems and (ii) security of environments in a remote working model. The pandemic coincided with unprecedented increases in reported cybercrime, namely ransomware¹. This stark rise in cyber threats manifesting in real loss events has had a profound impact on how organizations reframed cyber threats and cyber risks and the true cost of a cyber event to their business. It has in turn affected the cyber risk insurance industry, which has collectively reported significant losses due to surges in claims in its cyber portfolios across all geographies and industry segments. Significantly, for organizations across Asia, the need for cyber risk insurance was brought sharply into focus.
What has this growth in demand and shrinkage in supply done for the Cyber Insurance market?
Rather than citing various global statistics and figures, it may be more useful to draw from our own lived experience at WTW in Asia. Based on our Cyber portfolio in Asia, we have seen rate increases range from 50% to 200%. This is after several rounds of lengthy negotiations, thorough remarketing activities to different carriers and scrutiny of coverage changes we could implement to effect premium savings. One surprising finding has been that, when remarketing an account, the alternative pricing has often been quoted on terms more expensive than the incumbent insurer’s pricing. Another dimension of the remarketing process is that the alternative carrier will request a vast set of alternative underwriting information, with each carrier formulating its own cyber risk underwriting due diligence at chief underwriting level. These requirements are disseminated throughout the carrier’s regional and local offices with strict oversight and often little room for deviation. The result is that an insured seeking an alternative cyber insurance quotation is then subjected to an entirely new round of scrutiny and cybersecurity ‘audit’ from a fresh set of eyes. The ‘questions fatigue’ facing insureds’ IT teams and CISO offices may be inevitable and, unfortunately, unavoidable.
One may have thought these mounting hurdles in procuring cyber risk insurance, combined with increasing premium levels, would serve to dampen demand for cyber risk insurance. However, we have found the opposite to be the case. The growing realization of the extensive cost outlay of a cyber event is now sitting uncomfortably with boards, risk managers and finance departments. Costs scale quickly and across multiple workstreams, including digital forensics, PR, legal and business interruption. The response costs alone can accumulate to several million dollars for a single event. Organizations are now dealing with ‘active assailants’ in the cyber risk landscape, and thus the hallmarks of cyber claims are now both severity and frequency. Many of the cyber claims we have dealt with or are currently dealing with at WTW in Asia exceed the USD 1 million mark in losses. While premiums may be higher than several years ago, it seems that for the majority of organizations, the opportunity cost of not carrying cyber insurance is far costlier in the long run.
The increasing question facing organizations now therefore isn’t ‘should we or shouldn’t we purchase?’ but ‘can we get it?’. Organizations must be able to demonstrate adequate baseline cybersecurity controls before insurers will even offer a quotation. In the current market, many insurers will simply decline to provide a quotation where baseline requirements are not met.
So where should we invest? IT security or Cyber insurance?
This should not be an either/or question. CrowdStrike, a cybersecurity technology firm, notes aptly: “Cyber insurance is not a substitute for cybersecurity”². A well-thought-out cyber risk strategy involves the right balance between organizational investment in its people, discipline in its processes, and investment in and deployment of the right technologies to monitor threats and stop cyber-attacks from manifesting. Once these lines of defence are in place, insurance rounds out the picture as the final layer of defence. Cyber risk insurance is the financial backstop after reasonable investments have been implemented and best efforts deployed to mitigate against attack.
While no two organizations are identical in terms of their network setup and IT environment, insurers have adopted broad baseline security measures which they look for in an organization, before they deem the organization ‘insurable’. Just like how a property insurer would not insure a building without locks and sprinklers, cyber insurers would not insure companies that didn’t meet certain baseline IT security controls.
What are these baseline controls?
If you do not presently purchase cyber risk insurance and are interested in learning about your cyber risk ‘insurability’, please contact us.
1 https://www.wtwco.com/en-IN/Insights/2021/08/dealing-with-ransomware
2 https://go.crowdstrike.com/rs/281-OBQ-266/images/Whitepaper2021CyberRiskReadiness.pdf
3 CrowdStrike are a leading provider of Endpoint Detection technology. If you are interested in special rates available for CrowdStrike’s services as a WTW client, contact us with “WTW X Crowdstrike” in the subject line.
WTW is an insurance broker and gives its views on the meaning or interpretation of insurance policy wordings as brokers experienced in the insurance market. Insurers may take a different view on the meaning of policy wordings. Any interpretation or thoughts given are not legal advice, and they should not be interpreted or relied upon as such. Should a legal interpretation of an insurance contract be required, please seek your own advice from a suitably qualified lawyer in the relevant jurisdiction. While all reasonable skill and care has been taken in preparation of this document it should not be construed or relied upon as a substitute for specific advice on your insurance needs. No warranty or liability is accepted by WTW, their shareholders, directors, employees, other affiliated entities for any statement, error or omission.
For more information, please contact local entities of the WTW Group:
Willis Insurance Brokers Co. Ltd. | Willis Hong Kong Limited | Willis Towers Watson India Insurance Brokers Pvt. Ltd | PT Willis Towers Watson Insurance Broker Indonesia | Willis Japan Services K.K. | Willis (Malaysia) Sdn Bhd | Willis Towers Watson Insurance Brokers Philippines, Inc. | Willis Towers Watson Brokers (Singapore) Pte. Ltd. | Willis Towers Watson Insurance Korea Limited | Willis Towers Watson Taiwan Limited | Willis Towers Watson Vietnam Insurance Broker