Businesses are often in the dark when it comes to applying for a cyber insurance policy. What documentation is necessary? What should they expect? What security controls are underwriters actually looking for? I spoke to John Hennessy, RVP of underwriting at Cowbell, for an insider’s perspective on the underwriting process.
Q: What should people know about cyber insurance underwriters?
Q: What does the typical underwriting engagement look like?
Q: What are some of the non-security factors underwriters look at?
Q: Why does annual revenue matter to an underwriter?
Q: What are the key security controls underwriters want to see in a business?
Q: What changes in the cyber insurance market have occurred over the last decade?
Q: What will the cyber insurance market look like?
Q: Why is an InsurTech company like Cowbell better poised to price and assess cyber risk than traditional insurance brokers?
Q: What would you say to businesses without cyber insurance?
Hennessy summarizes underwriting as “somewhat subjective and somewhat objective”, which is why computers haven’t taken over the role. While a machine is capable of efficiently rejecting applicants who applied with unchecked security control boxes, humans are still needed to comprehend the nuances of each question. For example, where a computer will see the applicant doesn’t encrypt personal identifiable information (PII) stored on their network, underwriters will consider that they use extended detection and response (XDR) as a supplemental security control.
“It’s really about analyzing the big picture and understanding every one of those controls and how they function,” says Hennessy.
Underwriting picks up the process downstream. It starts with the client and the broker to submit documents that outline the nature of the business’s risk, the exposures, and the security controls around each operation. From there, the underwriting process begins. It’s a mixture of pricing, analyzing, and evaluating the exposure, and then offering and binding terms.
Hennessy noted that the factors depend on each operation, but they generally look at the business’ operations, industry, annual revenue, and how many privacy records they control.
Annual revenue is indicative of what carriers are covering from a first-party perspective, explained Hennessy. It establishes what a company will lose daily if their network goes offline. Furthermore, rates are based off their third-party exposure that the cyber insurance policy is intending to cover. This is typically the insured’s third-party record count – all the private information from third parties that the business is handling that could potentially be compromised within a network breach. He also noted that businesses that tend to have a higher annual revenue have more third-party records.
Hennessy commented that multifactor authentication (MFA) is “the talk of the town”. However, underwriters want to see MFA in a few places beyond company email accounts, such as apps with remote network access and on admin accounts – which are very privileged accounts that control a company’s network.
Underwriters also check that in the event your modern applications are compromised by a threat actor, you have regularly tested backups in place that can get your network back online after a breach.
Lastly, endpoint detection and response (EDR) – or, taking it a step farther, XDR – is critical, especially for organizations with a lot of privacy records. If someone gets into their network, cyber insurance carriers will be on the hook for costs associated with privacy notification, recovery, and any fines. This increases the risk for the carrier, which can lead to a higher cyber insurance policy quote for the customer.
Hennessy said he started noticing rumbles of change in 2017 when large organizations were hit with ransomware attacks, leaving carriers were on the hook to cover massive damages and recovery costs. While carriers were worried about the impact of ransomware attacks, he didn’t notice any regular news coverage until early 2019. It was at this point companies started realizing this was a serious risk and the cyber insurance market began to harden as there was more demand for bigger policies.
As the threat landscape continues to evolve, Hennessy said the “easy answer” is that threats are not going away, which will maintain the demand and need for cyber insurance. However, he also believes organizations are going to continue to become more secure – a trend he’s been noticing since ransomware became more prevalent in 2017.
Cowbell’s differentiator compared to a traditional insurance market is their scanning capabilities and technology, explains Hennessy. Underwriters use the same platform that provides the quote, processes the documentation, and assesses an organization’s risk and exposure. This platform produces valuable data from an outside-in perspective.
Hennessy compared it to a loss control property visit where an underwriter would walk through a warehouse to “kick the tires on forklifts and check your sprinkler heads.” Instead, Cowbell’s platform will investigate the network, open ports information on the dark web, and a myriad of other critical factors to establish a quote.
“First party exposure is unavoidable,” explained Hennessy. “So, if you’re not covered by a cyber insurance policy and something happens in terms of a breach or network outage, you could be on the hook for a lot of money.”
To learn more about cyber insurance and risk management, check out the following resources: