More than 20 years ago, Steven Haase wrote the first cyber insurance policy. Haase told Insurance Journal the story of how that first policy came about in the first part of this report, What Agent Who Wrote First Cyber Policy Thinks of Cyber Insurance Today.
In this second and final installment of the interview, Haase reviews the current cyber insurance market, analyzes how carriers and brokers are approaching it, stresses the need for education in the field, and shares his view son where he the market and coverage are headed.
Insurance Journal: Now, there are a lot of cyber insurance markets today, compared to 20 years ago. I heard somebody today say anywhere from 80 to 100-and-something. Are they the same?
Haase: That’s a great question. How did we get here? We had a 9/11 incident. About $40 billion was extracted from insurance companies. We had a long-term downturn in the economy. Insurance companies are saying, “How are we going to grow? There’s nothing to grow. Our rates keep going down. The economy’s not going good.”
Somebody says, “You needed to be doing cyber, it’s just too attractive.” They’re all out there grabbing market share, and there’s new players. They’re really not tailoring the underwriting process to individual risks, or drilling down that deep. They’re trying to spread a risk and that makes sense. Get market share, spread a risk, and then you can backfill with the history. Because it’s so appealing, all the carriers are in it.
They’re driving coverages way beyond what I would have expected, frankly. The pricing and getting quotes has gotten easier, but still somebody’s got to read the policies, compare them.
Clients want to know, what are other similar companies buying? They surely want metrics. They want to know what my risks are, how bad is my risk, what limits to buy, that sort of thing. They are very different, yeah.
Insurance Journal: Do you think carriers are being cautious enough about how they’re underwriting it? I have heard that applications can be three pages to 27 pages. There’s a huge disparity in what they’re seeking in terms of information to accurately underwrite the risk.
Haase: Yeah, every carrier’s acting differently. Some of the more well-established carriers are a little bit more conservative on certain classes. There’s always some classes that they’re somewhat tight on, like healthcare or credit card processors, but we’re generally seeing enough capacity where they’re not meeting their goals without being aggressive.
For our viewpoint, you need different strategies for different types of accounts. Any account that needs to be sold, or is complex and requires a deep dive, then you’re going to have to take your time with it. You’re going to have to go through a checklist. You’re going to have to identify their exposures, meet with them, get them to help you identify their exposures.
[You’re] probably going to have to offer metrics. Probably going to have to do some indication of limits and risk, in terms of number of records and what that can lead to. They need a deep dive, and you need hand-holding in a tailored policy.
Now, anybody ready to buy, or in particular, small companies which are flocking to the market because the prices are so low, you could literally get four to seven quotes within 24 hours that are state-of-the-art and a full comparison. If they’re ready to buy, you need to move quickly, and you can get multiple quotes.
We have seen agents and even wholesalers have a single product strategy, or maybe just going to the admitted markets. You really need to do a broad marketing approach if you’re an independent agent, which you’re supposed to do anyway. To get to the market and get the best deal, you really need to do that.
What’s Ahead in Cyber
Insurance Journal: [W]hat do you expect for the future of cyber? I’ve heard there’s a lot of difficulty in determining sometimes where coverage fits. If it’s really in a cyber policy or in a crime policy, can you find it under your CGL? What do you expect in the future?
Haase: That’s a really great question. We think there’s a big aggregation risk out there. With traditional aggregation, you have geographical issues like hurricanes on the coast, floods, volcanic eruptions, that sort of thing. With Internet, the aggregation is the common use of certain technologies.
Amazon has a huge cloud; hundreds of thousands of companies get on that cloud. What if a hacker got in and infected all of those companies? Virtually every carrier has admitted that’s a problem and they don’t have a solution. They could absolutely get hit very hard, and it could drive a very tight market.
Amazon actually went down for, I think, a two-hour period, or maybe it was a four-hour period, this year. If they’d gone down over 10 hours, it would have tightened the market up.
We’re seeing the aggregation exposure. It’s cloud, software of service, hosting, managed security, all kinds of those sorts of aggregators of information, if you will.
Secondly, yes, there is computer fraud cover under the crime. We believe many of the ransomware and spear phishing-type attacks would have been covered under traditional crime, but the standard carriers have come out and limited that to a certain limit. Sometimes, they have certain authentication processes you have to go through. The coverage is very challenged in the crime policy.
Cyber carriers are saying we shouldn’t dump every exposure into the cyber policy. Well, we say, if it takes specialized underwriting, and the underwriting is the cyber-type underwriting, then it needs to go there. Because this is computer hacking, we think it should go there.
You can get coverage both places. They need to be coordinated. There’s all kinds of issues around doing that. It’s very tricky, and often, carriers are providing low limits but that’s definitely coverage needed. You need to make sure it’s somewhere.
Insurance Journal: I want to go back to the knowledge gap that you talked about. There’s a gap in knowledge happening throughout the industry in terms of people leaving. The industry is going to lose knowledge as more people retire. Is there a need in the cyber insurance community for more professionals to specialize, to really understand and share that knowledge with?
Haase: I think you have to. I think you have to specialize. It’s just a huge, very broad risk. You have to take deep dives. As I said, things are changing all the time, policy forms. One of the problems in the industry is we’ll grow 35, 40, 50 percent every year. Where do you get the people? There’s a huge shortage of people in that market.
Our own take on it is, we hire four or five people right out of college every year that have risk management degrees, for the most part, or some security background. We have our own training program. It takes about nine months to really be effective, frankly, so we try and mix that with senior people and train some.
That’s going to be a continuing problem. Fortunately for us, we’re in a state that has two risk management schools, so we can draw from them.
Insurance Journal: Lastly, being a specialist with as many years as you have in the cyber industry, is there something that you worry about? Maybe an exposure or something of the future that keeps you worried about how the coverage will respond?
Haase: We have found the coverages, if you get a state-of-the-art policy, very, very broad. Most agents and underwriters — I’m sorry, insureds — don’t fully understand how broad they are. We get a number of claims reported late and declined because, “Oh, I hadn’t thought it would cover my content on the website.” That’s an issue.
I think, more importantly, the cyber insurance actually really needs to be dovetailed with loss control. People are not thinking this through. We, in many cases, are able to get a client’s own security IT people approved to be the first responder on a claim, as opposed to a new person showing up who’s never looked at the network, doesn’t have a network diagram, doesn’t know where the devices are, has no familiarity with how it works, and has to start from scratch, often on an adversarial basis with the internal people.
Dovetailing it with loss control, most agents don’t really understand security loss control, but they understand other forms of loss control. They differentiate in workers’ comp, with on-the-job injuries, EPLI claims. We actually try and teach agents how to dovetail the security, and we offer the various security solutions so that you can tie those together.
Insurance Journal: I heard someone say something I hadn’t heard before, that the demand for cyber is slowing. It’s been one of the fastest growing segments of P&C for awhile. Are you seeing any slowdown in the demand?
Haase: That’s an interesting question. Obviously, I’d be worried and have my resume updated if we saw that, but no, we’re not seeing that. We don’t see it on the horizon. I say that because what we are seeing is carriers are not growing 120 percent. They’ve gotten so big, they’re growing 30 or 40 percent. We feel there’s a huge untapped market still.
We do go through periods where claims aren’t as big as they were but that tends to come around in cycles. Now, we definitely see some tightening in certain areas of the marketplace, so we think there’s a three to five window. We’re definitely not going to see a slowdown. This is the time to be doing cyber.
Was this article valuable?
Here are more articles you may enjoy.