Capacity with a Different View
Resilience Insurance is a newly launched cyber program manager targeting middle-market companies with revenues of $100 million to $5 billion.
Resilience is underwriting on the paper of Intact Insurance Specialty Solutions (rated A+ by A.M. Best). It’s not just an insurance model that simply issues a policy, says Vitale. By bringing together security, insurance and recovery, Resilience goes beyond risk transfer and helps clients become cyber resilient. Here is our Q&A with Vitale, pictured left.
It’s definitely a hard cyber market. In the third quarter, Marsh published a report showing that 70% of cyber renewals are experiencing some kind of price increase, with the majority of those increases being over 20%. As increases continue, some carriers are withdrawing completely from writing cyber. All the while, deductibles are going up while limits are going down. All of this means that a lot of brokers are working twice as hard to fill out layers of coverage with shrinking capacity.
Cyber may be even harder than other lines of business, and I know there are several under extreme pressure right now. Because the losses [in cyber] are so high and carriers are reporting unfavorable results and cases of ransomware are getting so sophisticated, a lot of claims departments are telling us they don’t know how to handle everything. There’s a lot of confusion and a lack of ease that the insurance market has historically been able to provide.
Risk engineering is understanding not only what predators are out there in the very dangerous cyber world but also understanding the appropriate protections a certain company needs in the confusing world of cyber security. What’s the risk, and what are you doing about it? What new kinds of automation are they undertaking? What new types of products are they issuing? What new types of software do they employ? What are their practices on backing up their data, detecting a breach, protecting the integrity of their email?
There’s no simple, blanket, risk-engineering solution. No two protection programs are the same. It differs depending on what kind of business they are, what they may be doing, and where they may be going.
Part of our value proposition is true risk engineering but not in a general way—not downloading some kind of software program. It’s understanding a company’s risk by talking to their CISO or talking to their IT department about what it is they have and where they are going and how we can protect them from tomorrow’s attacks.
Most of the MGAs we talked about are focused on the small commercial risk. They use technology—self-service if you will—to help protect those risks and educate their clients. There are companies that are trying to be everything to everybody in that small space. And the truth is, you really can’t make everybody happy.
We launched Resilience with a different approach in mind for a few reasons. First and foremost, we are only dealing with companies that have complex cyber risks and need thoughtful solutions to address their cyber security. Often what these companies will spend—or should spend—on cyber security is more than what they’ll spend on insurance. I think that’s a good thing. The two greatest risks that are facing corporations today are insurance needs—one is directors and officers for obvious reasons, and the other is cyber. Cyber crime goes to the core of harming a business—business interruption, reputation risk, and ransomware (where your data is encrypted and you can’t do business). Our view of delivering value means providing cyber security, technology, data science, as well as risk transfer into a superior cyber insurance product.
Our second approach hits on education. We have to stop and ask ourselves: “What can you do today to protect against tomorrow’s threats?” Answering this question is more complex compared to a transactional insurance product for small businesses. Resilience believes that educating and nurturing a relationship with brokers is critical to ensure true cyber resilience. Resilience’s cyber-security experts are monitoring what the hackers are testing right now. We will provide education seminars and access to our experts so brokers and their client base will learn about complex risks as well as the broader risk landscape. That way, we can move the culture beyond just compliance and take the necessary steps to protect against a constantly evolving threat.
Part of this is science, and part of this is art. It’s not just an actuarial science—it’s using underwriters and underwriting expertise and cyber-security expertise to understand the kind of attacks that are out there, how bad they’ll be, and how much effect they could have on business interruption, reputational damage, and other related risks.
This is the beauty of having cyber and insurance experts team up. We want to go beyond just pricing a risk. We have a sophisticated cyber database on specific risk characteristics as well cyber-security utilization. Our methodology will help everyone understand the risk more intelligently and how to properly insure and secure against the cyber complexities. Overlay that with our unique insurance and coverage experience, and we will be taking this science/art value proposition to a whole new level.
Part of why it has been hard to predict the amount of cyber losses is because coverage has been expanding. A lot of underwriters have been, if you will, very generous in the coverages they’ve been granting. And because of expanding coverage grants, there’s an expanding loss space too. So part of it is understanding how much of those losses are related to coverage and how much is related to the fact that the hackers are getting more sophisticated. Putting our protection levels into place, we need to determine what the proper amount of risk transfer is in terms of coverage, as well as how much to charge for that. Knowing that, when there is a breach, we will be there to prevent it from becoming a bigger problem, that’s a significant component of what we bring, and all that goes into our rating model and pricing.
It certainly is a changing landscape. The number of attacks continues to rise. We recently heard that October 2020 was the worst month ever, and I suspect it’s going to get worse. Most of these are outside attacks coming from sophisticated hackers. We know pretty much who they are working with and how they’re sponsored, whether it’s Russia, North Korea, Iran, or others. As a result, it becomes very difficult to catch these criminals, but it does call for government and private enterprise working together to make sure cyber criminals are not protected and bad actors are shut down.
The current trend is that hackers are getting more sophisticated and, due to the pandemic, many more individuals are working from home, leading to a higher proportion of devices being exposed. A company with 100,000 employees, for example, working out of 10 offices now has 100,000 employees working from home. That means there are now 100,000 points of exposure that could be used by those hackers to get into their home service who eventually get into their corporate service and work their way up.
The technology used by hackers also continues to improve. We’ve seen a lot more use of automation with robots and artificial intelligence. It still takes an individual to drive those machines, but the technology is moving fast. Bad actors are using more sophisticated tools to initiate those attacks and get into the servers. We’re also seeing a trend where hackers feel they have an opportunity to make money by teaching amateur hackers. Bad actors are actually teaching classes where amateurs pay money and learn how to mature their tactics and techniques as another way to make money. That’s the nature of what we’re dealing with.
A little more than a year ago, the targeted industries were municipalities. We saw so many of them attacked, so many of them locked down. They were vulnerable. In 2020, there was a lot of focus on healthcare. Almost every day, I read another healthcare system has been breached. It’ll probably be something else in 2021, and it’s our job to monitor these trends to stay ahead of the curve.
I don’t see it slowing down, especially with the increasing use of robots and artificial intelligence at the hand of these hackers to accelerate the breaches. I see it continuing to evolve, continuing to change. It might move around industry groups, it might move around countries, but we have quite a bit to go before we see this leveling off.
The extent of that question takes you to the next level. How big is the cyber market going to become? A lot of people underestimated the impact on free enterprise. We’re talking about a $50 billion gross premium market at a minimum over the next five to 10 years, which means it’s going to grow by at least five times where we are now. Losses will continue, and where losses continue, risk transfer will grow. And while that might be something that very much is going to be troubling to all of us, it is potentially ruinous only to those that don’t address it as a real threat and don’t do something about it.
I’d say to the CEO of that company, don’t be foolish. You will be the focus of a cyber attack, and you will be breached. It’s just a matter of time and luck. How prepared are you? What preventive measures did you have in place? Once you figure out what happened, how do you want to explain it to your board, your shareholders, and your employees?
The most overused phrase in the whole notion of cyber is: “It’s not a question of if; it’s when.” If your company matches anything close to the profile of companies that have been breached or if you keep PII [personal identifiable information] or if you have something of value, you’re going to get breached.