Cyber is an expanding net-new growth area with opportunity to deliver a compelling insurance offering especially in the mid-market. Yet, the path to becoming a market-leading and profitable cyber insurer is fraught with challenges. In this article, we outline the essential strategies to develop a top-tier cyber offering, culminating in a guide to the 7 strategic cyber steps for the Chief Underwriting Officer. 

Why cyber in the mid-market has unique challenges to mitigate

The cyber risk landscape is evolving so rapidly that insurers need a robust framework to for example enable continuous data-led learning from previous claims, deliver a seamless quote and bind process, and to mitigate unintended risk aggregation. 

While the SME market will typically purchase standard cyber coverage direct and online, the mid-market consists of companies that are serviced by brokers and agents. These companies require insurers to possess both foundational and advanced capabilities to effectively address the unique challenges of cyber risk in the mid-market. The key challenges that are unique to cyber in the mid-market are as follows: 

Transparency and clarity for brokers and agents: As the mid-market is predominantly serviced by brokers and agents, it’s crucial that the insurer’s risk appetite and underwriting approach are transparent. Whether the insurer offers a dedicated cyber broker portal or utilizes existing portals for multiple lines of business, the key is to have a transparent risk appetite and to make it seamless for brokers to compare quotes and to place business. Additionally, it is imperative to turn around accurate quotes on a same-day basis. 

Need for both standard and bespoke policies: The mid-market consists of companies that purchase both standard and bespoke policies. Insurers therefore need to be able to quickly turn around changes to policy terms, changes to exclusions, or a different mix of higher deductibles or sub-limits. Some mid-market companies have sophisticated requirements on risk mitigation, prevention and incident response planning. For large mid-market customers there can be a need for in-depth exposure analysis to design the right insurance coverage.  

Significant amounts of data: Whilst no more than four data points are required from an SME customer for a standard cyber policy (name, industry, revenue, and the customer’s website), far more data points are required by mid-market customers. Some data points can be obtained through open APIs and structured data intake from brokers, but the higher complexity of the risk, the higher the likelihood is for the relevant data points to arrive in unstructured documents. 

Establishing a robust digital infrastructure for cyber insurance

Cyber insurers need foundational capabilities across distribution, quote, and bind to ensure a seamless business process. The operating model begins and ends with being focused on the customer and broker experience. Whether insurers choose to organise themselves according to the customer segment (e.g. a mid-market Center of Excellence servicing all lines of business) or according to the lines of business (e.g. a specialized one-stop-shop cyber team cutting across distribution, underwriting, and claims), it is important that this is a conscious choice made at the C-level. 

All customers, irrespective of whether they purchase cyber insurance, should quantify their cyber risk and define their key cyber risk scenarios as part of their incident response planning. If they do not, they are running an unknown and potentially significant risk through the balance sheet. Some insurers may choose to invest in risk scenario capabilities, whereas others will rely on brokers or outsource to cybersecurity experts. The capabilities required for an in-depth exposure analysis is similar to what some insurers offer in a cyber saferoom that provides a secure space for pre-incident advice and training, cyber stress-testing, cybersecurity readiness verification tools, detection and response solutions, incident response planning, notification services and embedded claims services. 

A key foundational capability for cyber is a strong digital core and master data management that is fit-for-purpose. Insurers require strategic tools like a robust digital core and fit-for-purpose master data management to perform detailed exposure analysis at the quote stage. These tools facilitate granular risk accumulation and establish a framework for measuring and understanding aggregated cyber risk exposure based on various parameters, including industry sector, underlying hardware and software, cybersecurity maturity, supply chains, jurisdiction, and company size. A detailed exposure management framework is crucial for effectively mitigating the risk of unintended risk aggregation. 

Building advanced market leading cyber capabilities

A critical component to becoming a market-leading cyber insurer is that the technology and data capabilities must be architected to work at scale and in real-time. Cyber insurance is among the most challenging sectors due to the potentially catastrophic and boundary-less nature of breaches. Cyber incidents can be continuously evolving and unpredictable, akin to oil spillages, and can critically impact businesses, societies, and essential infrastructure like hospitals, water and sewage systems, and airports. Today, the potential for insurers to face unintended risk aggregation is a clear and present threat. 

As mentioned above, significantly more data points need to be captured and modelled at the quote and bind stage for mid-market cyber policies. Additionally, at first notice of loss, there can be hundreds of relevant data points, which is far more than for example with a motor claim, where insurers typically capture 20-30 data points that are motor specific (vehicle details, purpose of use, witness details, IoT data etc.). For a cyber claim there are more than 100 data points that can be relevant for the continuous learning and refinement that feeds into exposure management, the actuarial tables, and the risk controls in the underwriting system. This in turn is what enables a market-leading insurer to remain profitable through a robust framework around risk appetite and pricing.  

As previously covered, there is a scarcity of cyber talent with deep proficiency in cybersecurity protocols and a deep understanding of the constantly evolving regulations and legislation across IT, AI, GDPR, and consumer privacy. Whilst investing in talent and continuously upskilling underwriters and claims adjusters, there are high-impact use cases in cyber insurance for AI and Gen AI solutions. We have seen AI and Gen AI save underwriters tens of hours a month and empower them to only spend their time on niche and hazardous risk areas that require deep human expertise.  

Insurers with a strong digital core can move quickly on accelerating profitable growth in cyber, but most insurers are coming to the realization of the investments needed to implement AI and Gen AI at scale. Per Accenture’s Pulse of Change research, 46% of insurance C-suite leaders say it will take more than 6 months to scale up Gen AI technologies and take advantage of the potential benefits. If applications and data are not on the cloud, and if there is not a strong security layer, then benefiting from Gen AI at scale is virtually impossible. 

The 7 strategic cyber steps for the Chief Underwriting Officer

In today’s rapidly evolving technology landscape, Chief Underwriting Officers face the critical task of steering their organizations through the complexities of cyber insurance. The following strategic steps are a roadmap for insurers to not only survive, but thrive in this challenging environment: 

  1. Define your identity in cyber insurance: Decide whether you want to be a conservative insurer, a fast follower, or a market leader. This choice will guide your investments and emphasize cyber as a core part of your business. 
  2. Establish your cyber brand: Determine your signature offering in cyber insurance, whether it’s leading-edge risk consulting, competitive pricing, AI-powered and streamlined processes, or a strong reputation in claims service. 
  3. Opt for specialization: Choose between establishing a dedicated mid-market Center of Excellence (CoE), a cyber-specific CoE, or a hybrid operation model. 
  4. Enhance responsiveness: Transform or deploy new capabilities to deliver accurate quotes within a few hours. 
  5. Refine underwriting practices: Decide on the optimal number of underwriting variables for technical pricing. Reverse-engineer your processes to capture essential data at the broker submission and claim notification stages. 
  6. Assess cyber exposure management: Engage external experts to evaluate your cyber exposure management helping to avoid unintended risk aggregation. 
  7. Invest in talent: Focus on a talent strategy that enhances skills and integrates advanced technologies like AI and Gen AI to keep pace with the evolving cyber risk landscape. 

Measuring the path to being a cyber market leader

Designing and executing a leading framework for cyber insurance presents significant challenges. A crucial aspect involves defining success, establishing metrics for measurement, and determining the necessary actions to achieve these goals. Continuously monitoring financial and operational metrics is essential for timely adjustments, ensuring the capture of profitable growth in the cyber mid-market. For further discussion, please contact Carmina Lees and Matthew Madsen