As cyber attacks evolve and increase, smaller companies are finding themselves just as much at risk as large corporations.
This is increasing demand for cyber insurance and making it vital for insurers to ensure they have deep enough expertise to keep pace with and project this rapidly changing risk.
This is according to Dan Carr, chief innovation officer and cyber lead for London-based Occam Underwriting.
“Every year individuals, businesses and society are becoming more reliant on technology, even more so during the COVID-19 pandemic,” Carr said.
“Cyber is becoming a bigger and bigger exposure, with threats no longer solely relating to the disclosure of sensitive data, but increasingly to the disruption to business operations due to a lack of availability of technology systems.
“In the last couple of years, the loss experience has flipped: while there are still large data breach events and exposures, the more frequent and costly issues relate to ransomware.
“This threat has grown significantly, and is impacting all segments of the economy. It’s not specifically focused on or concentrated to larger businesses—it is heavily impacting smaller businesses too.”
The change has accelerated demand for cover from small and medium-sized enterprises that previously might have been overlooked by attackers as they focused on the bigger corporations.
“This is because in the last few years ransomware has changed: attacks are no longer carefully crafted and targeted exercises against specific companies,” Carr explained.
“Attackers are increasingly basing their attacks on exploiting broad and generic vulnerabilities present in systems that are widely used, for example Windows.
“This provides the potential to infect a much larger number of victims from their initial investment, but is far less selective.
“More recently, such attacks are impacting large companies and small ones alike to equal degrees of pain. The frequency of attacks continues to rise and this is set to continue, with mitigation becoming more of a challenge.”
Established in 2003 and relaunched as Occam in 2018, the company is focused on three lines of insurance: cyber, energy and space. Of these, cyber is the largest line.
Occam continues to grow and is currently looking to add further lines of business requiring deep technical expertise. In the realm of cyber risk, Carr believes the company is set apart by the level of its team’s understanding of the risk and technology.
“In terms of how we underwrite, we are slightly different from our peers largely because our background is engineering led,” he said.
“As an expertise-led business, we focus heavily on risk selection and a client’s cybersecurity posture, because we have the experience and expertise to understand an insured’s business and the relative maturity of its security programme for its size and industry.”
He added that for cyber, it is important to understand not only the type of controls companies have in place, but also how the cyber risk environment might evolve.
“For example, it was quite evident to us how ransomware was going to develop so in our underwriting decisions we took that into account well before the rise in activity currently impacting the market,” Carr said.
He emphasises that this type of responsive, forward-looking approach is essential for addressing cyber risk—to mitigate loss and to best advise and assist clients before they encounter an incident.
“You might have a great understanding of attackers and what they are doing at a point in time, but tomorrow they could turn 180 degrees and go for a different industry or use a very different approach to achieve the same aims,” he said.
“You have to remain proactive, and that lends you to an expertise-led approach.
“It is vital that you have access to individuals who understand the risk environment and have detailed knowledge of the industry to better inform underwriting strategy, decisions and client advice.”