'Cyber is a company risk; not just risk management's responsibility'

‘Cyber is a company risk; not just risk management’s responsibility’ | Insurance Business America

Cyber

‘Cyber is a company risk; not just risk management’s responsibility’

SVP of brokerage giant on the rise of cloud providers in cyber space

The cyber insurance industry has been experiencing robust growth – S&P’s research reveals that the market hit about $12 billion in 2022 and was projected to increase 25% to 30% per year to reach about $23 billion by 2025.

But what exactly is driving this accelerated growth? Speaking to IB, Samantha Billy (pictured), senior vice president and US broking growth leader at Aon, says there are a number of factors, but one is a cloud-based shift and insureds’ increased reliance on technology.

“We are seeing a lot of companies, specifically in the FI space, switch over to cloud providers versus in-house technology,” she explained.

Impact of AI on cyber insurance

Artificial intelligence (AI) is another significant element propelling cyber insurance growth. Companies use AI to enhance operations and strengthen cybersecurity controls. However, the technology also presents new challenges.

“There are bad actors that are looking to utilize AI to write emails that are much better disguised social engineering attacks,” Billy explained. “That said, companies are looking to counteract that, using AI in order to help protect them from some of those bad actors and new vectors. Generative AI is something that’s emerging – and so there’s a lot of people just trying to talk to one another to understand best how to utilize it.”

And this talk has even reached the echelons of UK’s Parliament, with the AI regulations continuing to be discussed and debated – much like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This, in turn, has impacted the cyber insurance market, forcing it to evolve and adapt to not only new rules but also client needs.

“Clients are looking to buy more limits because they see that there’s much more severity exposure compared to where it was in the past,” said Billy.

Cyber insurance underwriting changes

Underwriting in the cyber insurance sector has adapted to the inevitability of cybersecurity breaches.

“Part of the underwriting process is not just the proactive controls to help prevent the breach or event, but the reactive controls that companies have,” explained Billy. “What are their disaster recovery plans? Are there back-up systems in place? Who are their vendors that they are going to use if something were to happen? What protocols do they have? How do they prevent and minimize the damage?”

Ransomware attacks, in particular, have skyrocketed, dramatically altering the risk landscape for companies.

“Ransomware events compare to five years ago have increased over 1,000%,” Billy shared. This surge underscores the urgency for businesses to address this threat. Aon’s approach to advising clients involves a comprehensive view of cyber risk, integrating both proactive, quantification, risk transfer and reactive measures.

“We believe that all cyber risk factors should work together,” added Billy. And, in this challenging environment, clear communication and robust partnerships with clients are essential. Billy emphasized the importance of coordination within companies to manage cyber risk effectively.

“Cyber is a company risk; it is not just a risk management or information security office responsibility. Everybody in the company needs to work together,” explained Billy. “It’s a competitive cyber insurance marketplace now versus where it was two to three years ago. Clients are looking to buy more limits, because they see that there is more frequency and severity exposure compared to where it was in the past.”