A problem with the policy preamble
A typical preamble in a cyber insurance policy will include something like this: “Any actual or alleged act, error, or omission that causes a privacy wrongful act, or a security wrongful act, or a media wrongful act…” will trigger the policy.
Why is that preamble important? Suhs explained that even if an insured has the best risk management procedures in place – they use multi-factor authentication (MFA), endpoint detection and response technology (EDR), and they have call-backs with their bank for wire transfers – all it takes is one employee error, act, or omission (for example, someone might accidentally turn off MFA) and the policy will be triggered.
“You could be representing an application doing all the right things [in risk management and cybersecurity], but if the insured does something wrong, the policy can still be triggered,” said Suhs. “While I’m a big advocate for strong risk management, and doing more in terms of cybersecurity, in the end, that doesn’t really matter from an insurance standpoint.”
The moral hazard
Suhs has also identified a moral hazard in the current cyber insurance approach. Cyber policies often include regulatory defense and penalties coverage, meaning they will cover the costs of dealing with state and federal regulatory agencies in the event of a data breach.
As explained by the IRMI: “This insuring agreement covers … the costs of hiring attorneys to consult with regulators during investigations and the payment of regulatory fines and penalties that are levied against the insured (as a result of the breach).”
This is problematic from a moral hazard standpoint, according to Suhs, because it gives policyholders the option to say: “Well, I’m not going to encrypt my data, because I can buy a policy that will defend and pay the regulatory fine.” This is counterintuitive to the laser focus on risk mitigation in the marketplace at the moment.
Adverse risk selection
Another potential problem Suhs has identified revolves around how underwriters select risks. Some companies use cybersecurity scoring systems, where prospective insureds are assessed and given a letter or number that indicates the strength of their security program.
“I believe that’s irrelevant, because it will basically move underwriters towards adverse risk selection. They’re going to write the accounts with better scores,” said Suhs. In particular, Suhs said there are challenges in scoring small businesses in this way, as many are outsourcing their IT. If companies don’t have their own servers, and they hold all data in a cloud, then “what are they really scanning or monitoring,” he asked.
Many of the companies offering this real-time security scanning and threat monitoring are cyber-focused insurtechs, who are looking to penetrate the very under-served small business marketplace.
“The challenge … if you’re monitoring just by website – that’s not even where the majority of our [small business] computing power resides,” said Suhs. “If you were to scan our website, conciergecyber.com, we’re probably in a multi-tenant server, who knows where, but you won’t see any of the financial data, the customer relationship, our shared Dropbox, or anything like that. It’s all in the cloud.”
“All about incident response in the end”
Understanding the above deficiencies, Suhs launched Concierge Cyber in 2019 – a membership platform that provides small businesses and private clients (with or without cyber insurance policies) access to relevant information and tools for before and after a cyber incident occurs. Members are guaranteed emergency response to a cyberattack or data breach through a team of high-quality providers, on a pay-as-you-go basis and at substantially discounted rates.
Suhs explained the premise behind the platform – which he described as being “like roadside assistance, but for cyber” – saying: “In the end, it all comes down to having a response plan. Companies with a tested and active response plan are going to remediate a lot quicker and minimize the dollar amount [of a cyber event]. Granted, proactiveness is good, but when you have state-sponsored actors and sophisticated attackers getting into any account they want to get into, that’s where you have to remember that any company can be compromised, so it’s all about incident response in the end.”