Improving the underwriting process for cyber insurance requires a ‘holistic view’ ahead of the ‘next big shift’, says Aviva’s head of cyber

Dynamic internet protocol (IP) addresses pose a “big challenge” for underwriters using cyber risk rating reports to decipher the true cyber risks faced by SMEs, according to Stephen Ridley, head of cyber at Aviva.

According to domain name resolution service OpenDNS, a dynamic IP address is when the number used by a computer to identify a location of a network changes from time to time. A static IP address, in comparison, stays the same.

Cyber risk rating reports, meanwhile, are used by underwriters in a variety of ways – including to inform risk acceptance or improve a firm’s technological resilience based on its specific, individual risk characteristics.

Cyber security rating platform BitSight described a cyber risk rating as an objective, data-driven measurement of an organisation’s security performance against key risk vectors.

Michela Moro, cyber underwriting manager, regional unit, London at Allianz Global Corporate and Specialty (AGCS), said: “Cyber risk ratings provide a level of detail that traditional insurance questionnaires are not able to provide.

“This supports us and our insureds in getting a better understanding of controls and, potentially, of areas that require remediation.

“In a proactive manner, underwriters are also able to share the insights with [insureds], to support remediation and further [enhancements] to the cyber security posture.”

For Ridley, however, the use of cyber risk ratings can cause difficulty for underwriters because they can lead to a “frequency of false positives”.

Ridley stated this is because static addresses are “rare” among SMEs – particularly those that use the cloud for their business services.

“A company may use a particular IP address for some time before it is reused by another company”, he explained. This could then lead to “services being associated with the wrong firm”, Ridley added.

Lost confidence

The biggest risk arising from cyber risk rating reports is to “reputation and credibility”, Ridley continued.

He explained: “I’ve seen instances where a report has been provided to a customer highlighting a number of issues that would need remediating before cover could be purchased, only for it to turn out that much of the information was either inaccurate or couldn’t be fixed as suggested – for instance, closing a port essential for business operations.

“The end result is that the client loses confidence in the broker, the underwriter and even the cyber insurance industry at large.

“There is also a risk around taking a good risk score and directly equating that to a good risk. There still needs to be an amount of underwriter assessment and judgement applied.”

Echoing Ridley’s sentiments, Moro added: “Direct validation with an insured is always advisable, particularly following changes in company structure as the reports might include assessments of IP addresses that no longer belong to the company.”

Moro noted that changes in company structure can be a result of M&A activity.

But how can the underwriting process for cyber insurance be improved?

‘Next big shift’

Ridley highlighted that there is “currently too great a focus on yesterday’s problems” in cyber underwriting.

To improve underwriting cyber insurance, therefore, ”a more holistic view” is needed ”to ensure that we as an industry, and businesses at large, are prepared for the next big shift”, Ridley said.

He continued: “Building in cyber risk ratings or external scanning as part of the process can definitely help with that process, but aiming to fully automate underwriting using just these tools is not a viable solution at the moment.”

Moro added: “The underwriting process can be improved by making clients more aware of cyber risk rating resources, so they can leverage them on an ongoing basis as part of their cyber risk management practices.

“This would allow insureds to proactively monitor their external IT footprint and reduce the time required at renewal stage to review and validate results.”