There is plenty of talk about the everchanging cyber risk environment, but what about the insurance industry that underwrites these risks?

As some contemplate a need for more stability in cyber underwriting, others say the key to a more mature market is embracing its constant pace of change.

“The risk is evolving. It is continuous,” said Prashant Pai, senior vice president and general manager of strategic initiatives at information security company SecurityScorecard. “And hence, underwriting needs to be continuous as well.”

Pai was speaking alongside two other panelists at the Advisen Cyber Risk Insights Conference, held last week in San Francisco and streamed virtually. The panelists discussed the evolution of cyber underwriting amid obstacles like the proliferation of ransomware and the ongoing hard cyber insurance marketplace.

“I think the hard market is indicative of an inefficient marketplace in cyber.”

Shawn Ram, Coalition

“I think the hard market is indicative of an inefficient marketplace in cyber,” said Shawn Ram, head of insurance at cyber insurance company Coalition. “When you have companies and technology driving economic growth, particularly in the middle of a pandemic, when you have the threat vectors of cyber, of adversaries, changing at an accelerated rate, and when you couple that with just the general nascence of cyber compared to other risk areas, it just leads to this inefficient marketplace.”

Ram said that although the cyber insurance industry has historically been very profitable, spikes in ransomware over the past couple of years point to the need for a market correction.

“How does this inefficient market, or this correction, kind of plateau and how does it resolve itself?” he asked.

He believes the answer is data, something Nyreese Arzu, an underwriter for US Cyber & Tech at Beazley Insurance Services, said the industry is already gaining a better handle on. “Over the last 12 to 18 months, in which we’ve seen a tremendous round of ransomware losses and more scrutiny worldwide on cybersecurity, there’s been more awareness,” she said. “Even my grandmother understands what cybersecurity is and has a better grasp on what I do day to day.”

She said as the industry reckons with ransomware, traditional insurers are gathering more data, and insurance technology companies are emerging to push the industry forward and help quantify the risks for small and medium enterprises as well as larger insureds.

Pai agreed, adding that as ransomware has evolved over the past couple of years to become more widespread and attritional, cyber insurers have been stepping up to the challenge. “We are seeing across the board a rise in the maturity cycle, and we are seeing where carriers, where brokers, are approaching the risk, approaching their clients, with a lot more maturity than they did three years ago,” he said.

“Part of it is that we are forced, right? We are forced as an industry to better understand the risk to better evaluate it.”

Ram said that as underwriters work to evaluate risk, the questions they ask of insureds are becoming more specific, which indicates a much more mature cyber market than what has existed in the past.

Underwriters are saying, “‘Hey, we have seen a firewall on your system, but we don’t see it covering your entire infrastructure. Tell us more about that,'” he said. “So the questions are becoming a whole lot more specific and detailed, and it tells you that we are on that maturity journey with underwriting.”

When assessing a potential insured’s cybersecurity awareness and sophistication, Arzu said insurers need to be examining whether the insured understands not only the global cybersecurity landscape, but their specific exposures based on their industry.

“”There really isn’t like a perfect set of questions where you can say yes or no, and based on that, you can automatically make an underwriting decision, which means we need skilled underwriters.”

Prashant Pai, SecurityScorecard

“Then, it’s what investment have they made? What actions have they taken?” she said. “We understand from the underwriting side that you don’t have an unlimited budget, you don’t have unlimited tools—especially with regards to the talent wars for cybersecurity professionals—you may not have all of the pieces in place. But you have a roadmap.”

Pai said another key to evaluating potential insureds is looking at their cyber culture.

“If you think about the culture, it is people, processes, technology,” he said. “I mean, if they don’t have people on their staff, are they contracting with someone? Do they have expertise? I think those are the insights that we all need to look for. Are they looking across the spectrum, and are they holistic in their approach?”

“We understand from the underwriting side that you don’t have an unlimited budget, you don’t have unlimited tools—especially with regards to the talent wars for cybersecurity professionals—you may not have all of the pieces in place. But you have a roadmap.”

Nyreese Azru, Beazley Insurance Services

However, Pai added that underwriting needs to be continuously tailored to fit the current threat landscape, which means rather than a one-size-fits-all, standardized approach, the industry simply needs proficient underwriters who can adjust with the market.

“There isn’t really a silver bullet,” he said. “There really isn’t like a perfect set of questions where you can say yes or no, and based on that, you can automatically make an underwriting decision, which means we need skilled underwriters.”

To achieve this, Ram said education is the first step.

“I mean … the technical acumen required in order to understand cybersecurity is something that I think this industry has not invested in, in a tremendous way, going back years,” he said, adding that the proliferation of ransomware and the subsequent move toward more sophisticated underwriting has dramatically increased this need. “I think there’s a tremendous opportunity for education to increase around cyber tech and security acumen.”

Although Arzu said she believes the industry is still looking at a hard market through at least the end of the year, Pai said to achieve more stability, it all comes back to continuous evolution.

“I think we need to stay on top of the risk on an ongoing basis,” he said. “I think that’s where we get parity, because the risk is continuously evolving. We need to be continuously evolving with it.”