The cyber data conundrum part 3: fitting signals into the underwriting workflow

The cyber data conundrum part 3: fitting signals into the underwriting workflow

In the cyber data conundrum series, we’ve established the importance of using appropriate data in cyber underwriting, as well as the signals underwriters need. However, having access to informative signals is only the first step in utilizing them.

Part three of this series will explore how to fit signals to an underwriting workflow. This can be especially difficult in an industry with a spectrum of technical knowledge and understanding — as such, it’s essential to be aware of the complexity of a cyber underwriting workflow and how to effectively navigate this using appropriate signals.

The cyber underwriting workflow

Standalone cyber underwriting and cyber insurance, much like other lines in commercial insurance, revolve around an annual contract cycle. Cyber insurance policies are typically written as a 12-month term, whereby most of the underwriting assessment, critical exposure, and control review occurs 30-120 days before renewal or initial inception. Post inception, policies are relatively low touch, and most servicing revolves around non-technical billing, issuance, post bind policy wording, and various notices, provided there are no contingencies attached to the bound agreement.

Observations in a monthly view that are stable, smooth and normalized to a single time period can cut through the noise and save time in underwriting — while maintaining the rigor and depth of a higher resolution drip. Underwriters do not need to repeatedly return to assess an account’s profile, waiting for fluctuations and changes before proceeding or making the finalized underwriting decision. This leads to less friction between carrier and broker, and ultimately less friction with the insured.

The renewal period

Cyber risk signals can play a big role in the exposure and controls review period. Typically done roughly 120 days before renewal, underwriters begin their assessment of technical controls and exposure of a company. This process can vary between SME, Middle Market and Large business underwriting. However, most insurance carriers and underwriters still value efficiency in their renewal process, so as not to waste valuable time re-underwriting every single account.

The amount of time spent on renewals can fluctuate depending on hard vs. soft market cycles, and volatility of the threat landscape. Given the amount of fluctuation that can occur with a dynamic peril like cyber, carriers should be seeking stable, consistent views of risk that are easily comparable from one policy period review to another, and capture the most up-to-date cyber threat landscape.

The impact of signals

Signals can play a critical role in the renewal notice period. Underwriting a risk for critical vulnerabilities, deficiencies, and other red flags several months in advance is commonplace, especially in a hard market. Carriers should seek to get ahead of problem areas with their insureds to prevent customer attrition, and help foster an ecosystem of resiliency, rather than deal with the unpleasantries of making strict demands for remediation or threatening non-renewal.

As is the case with new business, applications can provide a simple two dimensional, often binary (yes/no) view of an insured’s behind the firewall risk posture via its people, process and technology. Cyber risk signals can serve as a source of truth, corroborating the details in the application, and providing other unique unreported (attacker’s perspective) observations, spanning from network scanning and user behavior to dark web chatter intel.

New business deals

For new business deals, gathering accurate, relevant data points before putting a deal on the books is paramount. As a carrier is locked in and ‘on risk’ for the duration of the contract for the first time (i.e. 12 months), the ultimate underwriting decision made, write or decline, holds a lot of weight for the profitability of the broader book of business.

Additionally, as is seen with renewal contracts, commercial relationships can be bruised if proper expectation setting and messaging, and risk mitigation and remediation plan partnerships are not well articulated. This is especially true for larger corporate relationships that span multiple insurance lines.

The impact of signals

Using signals during new business deals can help underwriters familiarize themselves with a risk for the first time. Underwriters can save time when investigating the risk by starting with signals, and identify quick tells about a company’s posture that might lead to a declination, or further investigation. Additionally, signals can be used to support and justify their decisions, demonstrate an informed understanding of the risk, while also ensuring that the deals made are in line with the insurer’s overarching goals. Making long-term profitable decisions requires clear analytics that can help convey risk efficiently and effectively.

The modern cyber underwriting assessment

The modern cyber underwriting assessment seeks to evaluate and assess a variety of control areas that demonstrate an account’s well-balanced and resilient cyber risk and cyber security posture.

Questionnaires are growing in length and address various aspects of a company’s people, process and technology, pinpointing specific control areas and procedures such as encryption, patching, backups as well as how an organization has addressed specific known vulnerabilities and entry vectors.

The impact of signals

The amount of time spent on an account seemingly increases by size and complexity. By using third party cyber risk signals and scores, the underwriting process can be more efficient, and underwriters can be better informed with a unique, streamlined view of risk. Signals and scores can be used as a first port of call, and provide an additional method and lens for risk triage, as well as exposure, controls, and vulnerability augmentation and corroboration.

Effortless underwriting integration

Harnessing the power of signals and integrating them into your current underwriting workflow is crucial to achieving profitability. Being adaptable to changing circumstances, including a dynamic market, will give cyber underwriters the edge they need to make informed decisions precisely and efficiently. Signals should be categorized in a manner that aligns with an underwriter’s thought process, and provide digestible recommendations and actionable insights that inform on what to do next.

Real time monitoring and insured feedback loops

Another aspect of signals within the underwriting workflow must also be addressed in today’s market. There has been a more recent emergence in the cyber insurance ecosystem of real time or instantaneous monitoring of an insured’s performance and posture.

We dive into this further in the final blog in the cyber data conundrum series where we examine effective and relevant ways that insurance companies and insureds can partner together to build resiliency and mutual profitability. Check it out here - Building relevant signals

CyberCube’s wide range of experts — from underwriters and risk managers, to cybersecurity professionals, data scientists — understand the problems cyber underwriters face every day. If you’d like to learn more about how our single-risk analytics solution utilizes signals, check out our report — Evaluating Cyber Risk Signals as Indicators of Future Incidents.

Evaluating Cyber Risk Signals as Indicators of Future Incidents