I’m writing this on a plane from JFK to Austin after a week in New York that included attending Advisen’s Cyber Risk Insights Conference. Before the conference, we met successfully with potential partners of various types, but the conference drove the trip. Here’s what we learned.
Since the initial release of our SaaS platform earlier this year, we’ve been “heads down,” adding to our customer base and enhancing the product. Cyber Risk Insights, a conference focused on the cyber insurance market, marked our first adventure in co-sponsoring an industry event.
All our main objectives were met:
- Increase visibility for our brand,
- Grow our network, and
- Identify hot topics.
We had arranged to underwrite (pun intended) the lanyards for the show. The Advisen team was very supportive, working with us on the design and doing the heavy lifting of dealing with the vendor and the production process. We were pleased to see how well the Cybernance lanyards turned out (see above), and we enjoyed seeing them around the necks of all the attendees! They proved to be a good icebreaker in those awkward moments of approaching an attendee we’d never met.
The networking at the show was even better than expected. All the major players in cyber insurance were represented – buyers, brokers, insurers, vendors – and with fewer than 1000 attendees, approaching them was easy. I had conversations with three interesting contacts even before the program started. As the day continued, we met others at breaks and at lunch, and casual conversations ended up with a number of commitments to drill deeper during subsequent online meetings in the next week or so.
The following topics and tidbits represent a collection of things I heard while attending. They are offered in no particular order, and in no way characterize the breadth of topics covered by the conference, but hopefully you will gain a flavor of discussions there.
- “FICO-like scores are inadequate. We need to go deeper for cyber insurance.”
When a panelist said this, it grabbed my attention because we’ve said it before ourselves. A company’s cybersecurity status is too complicated to comprehend in a single score. The idea is that a FICO score is based upon external data, and having an internal assessment of defensive measures deployed is more illuminating than external measurements of cyber risk.
- “The NIST framework is impacting how insurers and insureds view risk.”
The impact of the 2014 release of the NIST Cyber Security Framework (CSF) continues to grow. Several comments during “The Buyer’s Perspective” panel indicated that NIST usage is having a significant effect on how companies view risk. One speaker opined that insurance underwriting is moving beyond “check the box” general questionnaires toward a more detailed view of risk as defined by NIST CSF.
- “Exposure from cyber breaches is spilling over from cyber insurance into broader P&C lines of insurance.”
Panelists indicated that the industry is seeing far more claims of liability and responsibility against lines other than cyber for remediating breaches occurring at SaaS services and cloud hosting providers. While this is growing, the consensus is that, at the end of the day, the user is just as responsible for using the facilities correctly, and responsibility for breaches can’t all be attributed to vendors.
- “Business interruption is a hot topic and a key area of cyber coverage evolution.”
A growing concern for insureds is the threat of business disruption. The recent DDoS mega-attack against Dyn highlighted this threat in headlines around the world. Speakers confirmed that they are seeing more attention paid to mitigation of third-party risk because of business disruption fears.
- “Hybrid solutions that involve combining insurance with technology are emerging.”
One example comes from CyberPolicy, which offers insurance from Chubb bundled with cyber protection from Norton. Ari Vared of CyberPolicy suggested that, while it is still in the experimental stage, they’re getting a very good reception from small businesses. Aon’s recent acquisition of Stroz Friedberg is an analogous combination of insurance with technology consulting aimed at large businesses. [Disclosure: we offer a NIST-based assessment and monitoring tool that warrants board members against liability.]
- “Risk managers are overwhelmed by the process of managing and mitigating cyber risk because they have too many tools to choose from.”
Even as they tackle the problem, it’s very difficult to figure out how much residual risk there is, and the policies are inconsistent and full of holes. Buyers want brokers and underwriters to provide better guidance on how to manage, mitigate, and buy coverage for residual risk.
- “IoT is introducing a huge number of devices that represent new sources of entry into networks and thus new potential lines of coverage and premium adjustments.”
The role of the Internet of Things in insurance has not been fully comprehended, but it is introducing new liabilities and new opportunities.
- “We have to deal with the emergence of property damage, bodily injury, and product liability consequences from cyber incidents.”
It’s not yet clear whether the marketplace will try to underwrite and price these incremental sources of liability under existing products or, over time, will seek to exclude them in favor of addressing them under a separate “all cyber risks” product.
Thanks to Advisen for putting on a valuable conference. A special thanks to Ben Beeson of Lockton for introductions to key industry people. If you have an interest in the effect of cyber risk on insurance and want to get up to speed, you can do no better than an immersive learning experience through attending an upcoming Advisen conference.