Cyber Policies: Do Insurance Companies Really Get It Right?

The cyber insurance market is going through a serious transition. The legacy or traditional insurance industry covered things like fire, damage, liability, and theft. Cyber insurance, however, is a more intangible coverage. It protects against risks in the technological landscape of a company.

For the past 100-plus years, insurance companies have based their underwriting, sales, and even claims adjustments on tangible losses—whether structural or financial. If your building is damaged or someone gets injured, the loss is straightforward. Cyber insurance, however, follows a different structure, and some companies are struggling with that transition. Just as the move from gasoline to electric vehicles is forcing the auto industry to shift, the insurance sector faces a similar struggle.

How is this transition affecting companies, brokers, and insured clients? From the insurance side, companies that specialize in cyber liability policies are well-equipped to handle claims. However, traditional insurers and adjusters who primarily deal with legacy coverages may not have the proper structure for underwriting cyber risks.

For example, underwriting a cyber insurance policy requires far more research about the insured than a traditional policy. A legacy policy is often based on the industry type, company size, and global loss rate for that sector. In contrast, cyber policies demand a more specialized analysis of each company’s internal security measures. Two seemingly identical companies—same industry, same number of employees, same revenue—can have vastly different cyber risk profiles based on their internal policies.

A monolithic rate structure may not be the best approach for cyber insurance. Even if insurers try to write policies for the lowest common denominator, licensing requirements and claims experience may result in greater-than-expected losses. Additionally, companies that fail to follow best cybersecurity practices may unknowingly take on excess risk.

For brokers, it may be wise to focus on markets that specialize in cyber policies. Writing standalone cyber coverage, rather than adding it as an endorsement to a standard policy, can be beneficial. While some legacy policies may include cyber coverage, they are often difficult to adjust and interpret.

In the 1970s, the term "future shock" described how rapid change creates both opportunities and problems. The same applies here—traditional carriers and adjusters handling "silent cyber" risks may struggle to prevent, detect, and mitigate losses effectively. That’s why, as a broker or a customer, purchasing a dedicated cyber policy from an insurer specializing in cyber risks may be advantageous.

Think of it like a houseboat—it’s not the best house and not the best boat. Similarly, mixing cyber and traditional policies may not provide the best coverage for either. Keeping them separate, at least until the industry fully adapts, might be the better approach.

Some new companies focus solely on cyber insurance, often offering lower premiums, better coverage, and a deeper understanding of the risks. However, when choosing an insurer, it’s important to compare options carefully. Don’t just rely on a company’s marketing; check their ratings, coverage details, and exclusions.

Cyber insurance policies often have strict exclusions related to best practices. Most insurers will require businesses to implement multi-factor authentication, install security patches, and maintain proper logging of all devices. The good news is that companies specializing in cyber insurance understand these requirements well and can provide valuable guidance.
