AXIS lead on the evolution of the cyber threat landscape

Looking back to when he first joined the cyber insurance market in 2010, AXIS’ Andrew Maher (pictured) said that it has been incredible to see how the online threat landscape has changed as back then, it was privacy that the cyber insurance and security industries were selling. And the rapid evolution of cyber risk is unlikely to slow down any time soon, he said, not while the value of most organisations’ intangible assets continues to so dramatically outstrip that of their tangible assets.

Maher, who was promoted to head of cyber and technology, London at AXIS in September 2022, noted that he stepped into his new role at a fascinating juncture, with corrective market conditions starting to gently ease. It’s a fantastic time to be part of the London team, he said, because of how it fits into the strength of AXIS’ global cyber offering and because of the opportunity present in the market to “get out there and grow”.

Key cyber insurance milestones

Addressing some of the milestones he has seen mark the progression of cyber insurance in recent years, he noted the increased identification, implementation and maintenance of key minimum standards to which insureds are now expected to adhere. There is an increased understanding across the market that just putting a hard protective shell around businesses is not sufficient.

“So, it’s not just about having those different controls and securities in place, it’s having the understanding of them and how they’re working together within the network to the benefit not the detriment of the company,” he said. “The market all came together and pushed on certain minimum standards, on some harder than others, but those baseline controls such as multi-factor authentication for remote access, backup controls and security have been key.

“They’ve really become your cyber sprinkler system or seatbelt. They should be seen as bog standard and must be implemented which is why you’re now seeing insureds buying cyber insurance for the right reason – for true risk transfer as opposed to using insurance as their whole cybersecurity and incident response plan. Because insurance is not there to be the first line of defence, it’s there to be the safety net in the event of an incident.”

The changing nature of cyber ownership within businesses

Another trend which has been interesting to see develop in recent years is the changing nature of cyber ownership within businesses. While 90% of the time, he and his team will of course deal mainly with chief information security officers (CISOs), chief privacy officers and risk managers, cyber conversations have evolved to include a much greater variety of stakeholders.

Much of the focus within those meetings is around governance, he said, and it’s a very rare occasion now that he doesn’t hear that cyber risk findings are being presented to the board every quarter because it has become such a board-level issue. As a result, it’s a red flag to hear that any board isn’t discussing a company’s exposure to cyber risk because the risk has evolved so significantly.

“And it’s a D&O risk as well now,” he said. “We all know about cyber now so if the board isn’t requesting that training be provided or that cybersecurity controls be implemented then that could lead to some rather large D&O risks. It goes further than just your cyber insurance policy so it’s definitely a red flag if there’s no board-level involvement.

“It also comes down to where and who the CISO reports into because there have been studies to show that the verity of a cyber insurance claim is dependent on where the CISO reports into. It tends to be that if they’re reporting into the board, the less severe the claim is going to be compared to if they’re reporting to say the CFO. So, as an underwriter, if you hear they’re not reporting into the board regularly, it does set off alarm bells.”

Increasing understanding of the cyber risk among businesses

There is a generally increased level of awareness around cyber risk among businesses and Maher noted that this is being driven by a combination of increased education from the insurance market and the high-profile nature of the risk. Most days bring new headlines on a ransomware demand or a data breach, he said, so it invites substantial attention – while reports also consistently rank cyber as one of the top risks facing businesses today.

“In the wild, we still hear that ‘my third party handles my security’,” he said, “but if their balance sheet can’t support your loss, that’s what insurance is there for. There’s so much that comes into play and even for those who might not have so much of a network, we cover privacy.

“And privacy is making a big comeback. The litigation landscape for privacy at the moment is a bit of the Wild West with old legislation being looked at to try and shoehorn modern-day risks. There’s a lot more attention [on privacy] now, especially with biometric information being collected, and how cookies and website data are been collected too.”

Cyber insurance – demonstrably worth the paper it’s written on

Addressing whether the corrective market conditions of recent years might have put off businesses from purchasing cyber insurance, Maher highlighted that cyber insurance has proven conclusively that it’s worth the paper it’s written on. That’s not just from a claims payout perspective, he said, but also given the increased emphasis on cyber insurance as a service as well as a product.

From SMEs to multinationals, insurance companies have shown themselves to be willing and able to help insureds navigate their way through an incident. The work that cyber teams do to support insureds in the event of a claim should never be underestimated, he said, as the expertise and experience they bring to the table make all the difference for insureds during their time of crisis.

“We did see some clients walk away from the market over the last couple of years with the pricing correction that was going on, and some of those have looked to come back now,” he said. “There is always going to be a tipping point for certain sized companies, as to whether they take it on their balance sheet or do some risk transfer.”

This decision-making should be underscored by a deep-impact risk assessment so businesses can have a better understanding of what their true exposure is and the limits that they should be buying. This is where the broker really steps in, Maher said, as their communication is the key to ensuring that insurers can put together the right products that match the requirements of the business in question.

“We’re never going to sit still from that perspective,” he said. “We have our AXIS Cyber Insurance  product – ACI – which is aimed at over £2 billion and our AXIS Cyber Technology and Media – ACTM – which is sub-£2 billion. There are nuances and differences between them because of where we’re aiming them and the partners that we’re working with. We’re always trying to ensure that our products are forward-facing and address the issues that are actually affecting our clients. There’s never going to be a one-size-fits-all product because you just can’t treat every risk as the same risk.”

The role of the broker in cyber insurance solutions

The role of the broker in helping to create a sustainable and secure cyber insurance market where the coverage matches the insureds’ risks is critical. AXIS works closely with its strategic partners to bolster their understanding of and confidence around cyber, he said, including through holding full-day accredited cybersecurity courses that offer extensive training to partners’ new joiners and graduate employees.

“We want to ensure that everyone is educated and knows which threats our clients are facing, and what we’re seeing from our claims experiences,” he said. “That knowledge is being transferred to the brokers because this is something we’ve all got to address together. Brokers, underwriters and vendors all need to address the issues we’re seeing today – whether those are on the regulatory side, the litigation side or the threat actor side. Everyone working together is how we ensure that we can stay relevant and continue to deliver products that are actually meaningful to our clients.”