One company got help doing stress tests to report to senior management what cyber coverage it needed and why.
Corporations scrambling to cope with the rising threat of data breaches and ransomware attacks face the additional, unpleasant reality of soaring premiums (see chart) and shrinking capacity in the cyber insurance market. That’s putting more pressure on finance teams to weigh the potential risks of forgoing or reducing coverage against the high price of having protection.
- At a recent meeting of NeuGroup for Large-Cap Treasurers, a risk manager at one member company explained in detail how her team responded to a request by the CFO to justify coverage when it came time to renew the firm’s cybersecurity insurance.
- “You have to allow your team to do a fair amount of diligence,” the member said. In her case, that involved bringing in insurance broker Marsh to do intensive stress testing.
Start by asking the right questions. The member began the cyber insurance assessment process with a basic framework. “First, we decided we needed to dig into what the program gives us, why it’s important and what can we do with it going forward that allows us to grow it in a way that’s responsible and disciplined and still allows us to make our budget.” She devised three critical questions that a stress test at the center of the project must answer:
- What are the potential losses that drive the company’s cyber coverage and technology errors and omissions (E&O) insurance program?
- How will the company’s risk profile evolve over the next five years?
- How much insurance is optimal for the company to purchase, at the most price-efficient structure, given current market conditions?
Prepare for interviews and Monte Carlo. The member worked with Marsh to do a “very detailed” analysis of the company’s preparedness for cyberthreats. The process required interviewing company leaders and “going through risk scenarios to show you the potential cost of that scenario. They can show you what the cost of an event would be under certain variables.”
- The member described a time-consuming process to get the company’s legal department comfortable with the discoverable nature of what would be discussed with an external group, as Marsh’s analysis required comprehensive access.
- “We then started the stress test last fall and made 15 leaders available to discuss materiality, risk profiles, long-tail risk events and mitigants,” she said.
- “Interviews were conducted for eight weeks, and Marsh went ahead with modeling and Monte Carlo simulations; they had a pretty impressive team doing the work. They definitely helped improve the comprehension on our team.”
The bottom line. The study recommended that the company ultimately double its cyber insurance limits to provide better balance sheet protection. But current cyber insurance market conditions and capacity constraints prevented the company from doing that in one annual renewal cycle.
- Instead, it will increase its limits by 20% and hope to reach the 100% level in the next three to five years. The cost increase for its total program (primary and excess) this year was 55%. The company also increased its retention by 50%.
- The member’s presentation indicated that the company had “no significant pullbacks or narrowing of coverage,” but that its business interruption waiting period increased from eight hours to 12 hours.
- Looking ahead, the member said that “depending on market appetite feedback, we may even consider stripping out tech E&O in the high excess of the cyber program to enable more market appetite.”
- The company will also seek to raise capacity by looking at carriers in other markets. “We are looking to add more of our global markets from a coverage standpoint once we’re able to travel more easily,” the member said.
Peer feedback. One member responded that his company has struggled to invest in cybersecurity insurance due to the amount of due diligence required. “But you could drive a truck through our current coverage,” he said, adding that it would likely be worth the effort.
- The presenting member responded that it likely would be, adding that her company’s program is still “relatively inadequate—it’s helpful but still not sufficient.”
- Another treasurer responded that the presentation was eye-opening. “We don’t have cyber, but after this presentation I probably will,” he said, adding, “We’ll probably only add catastrophic coverage going forward.”