Customised cyber insurance pricing: a white space in the market
The cyber insurance market is undergoing a massive shift as cyber-attacks and losses have increased together with demand. While premiums are being recalibrated, PolicyDock CEO Roger Ying believes insurers should go a step further by creating a suite of cyber products that consider a business’s cyber preparedness and cyber exposure.
Cyber insurance loss ratios have gained a lot of attention recently because of the substantial increase. Was insurer pricing inaccurate to begin with?
This is also a legacy problem that larger carriers have. You know, with those newer kind of insurtechs, they've built in a lot of technology to handle risk quantification, portfolio management, as well as pre-read cyber readiness and monitoring for the clients. But from the traditional insurance standpoint, they are still stuck on legacy systems that have created siloed data across the value chain, which they can’t access in real time to help them make critical underwriting decisions.
And a lot of, for example, applications for cyber insurance is still done via these long-winded PDFs. Very often, clients do not actually even know how to answer questions like “how many, how much biometric information do you store?” So many questions have been answered falsely. From the insurers point of view when a claim comes in, to protect their brand, they should pay the claims just to satisfy the client.
To price the product accurately, insurers need good quality data which comes from a variety of sources. Do you think other businesses like cybersecurity firms are ready to share such information with insurers?
This is the discrepancy in the value chain is:
Cybersecurity firms want to cross sell insurance to their clients because they have the most information on the clients. They've done a lot of preparation like penetration testing, testing if the company is SOC-2 compliant, if the company practices multi-factor authentication. So logically, this is where cybersecurity firms and insurers should be working together, but because of legacy systems, it’s been hard.
At the same time, clients are thinking: I've spent so much money on cybersecurity firms making sure I'm protected. If I've covered all these loopholes, my percentage chance of being hacked is very low so why am I still paying the same price of a company that does not have all these loopholes covered?
There could be more synergy between cybersecurity firms and insurance companies which still has not happened.
Are small and medium enterprises less likely to buy cyber security insurance because they find it too expensive?
That's exactly the point. When I tried to get cyber insurance recently, I was quoted something like an exorbitant amount whereby we have and are undergoing many security audits and have put more than average preventative measures in place. At the end of the day, what I'm paying for is a lack of expertise, per se, amongst the insurer to quantify my cyber risk. It's almost like, you try to get a loan from a bank, and they don't know who you are.
What's your opinion on the education level of cyber risks among SMEs, insurers, brokers - basically everyone along the value chain?
I think it's generally low. As people are using more SaaS services and things like that, the cyber risk conversation should be kind of part of the daily conversation.
Why do you still believe in the business opportunity within cyber risk insurance even though it seems to be in a state of flux?
When there's a big problem, there's a big opportunity. Are cyber risks going away? No. Yes, loss ratios are high but that’s because of a mismatch in the market.
It's almost like applying for credit or a loan back in the days, where a community bank may make a loan based on trust, but in this day and age where every company has a cyber and trackable digital footprint, you can leverage big data which helps you understand who your clients are. There are ways to better optimise and underwrite that risk and manage your portfolio.
For more info, please contact us here.
Related content: