In an interview with Reinsurance News, Kyle Bryant, Chief Underwriting Officer at cyber risk solutions firm, Resilience, suggested that 2022’s reprieve from ransomware attacks is only temporary.
The first question we posed to Bryant was what are the most important lessons of 2022 regarding cybersecurity, to which he answered, “2022 was a really good year, and I think most of the industry would tell you they’re going to end up turning a profit as we saw some of the most frequent impacts from ransomware quieten somewhat.”
“That’s because there was a distraction for a lot of the cyber criminals that are located in some of those countries that may be at war. You also had government defences on the offensive, and that distraction I believe will lead to better performance in 2022 for most insurance carriers.
“I think what we learned from that, though, particularly in Q4, where we saw some of that activity return, is that the temporary reprieve is just that, temporary.”
Bryant continued, “I think we will be reminded – and you may have seen this from some of the claims reports already – that when ransomware may not be the most frequent, some of the older severe claims scenarios start to rear their head.”
He gave examples such as email compromise and fraudulent wire transfers, adding that, “Ransomware is more of a symptom of the external threat environment rather than indicative of the actual risk overall.”
Further, Bryant suggested that 90-95% of all claims are derived from poor cyber hygiene, noting that this can be distilled down to five or six items that are driving most of the losses.
He said, “The companies that are well prepared are either able to protect against the incidents or when an incident happens, they’re able to defend against it and limit damages.
“I think that is holding true and there’s been some coalescence around what those cyber hygiene elements are. You can look at every carrier and broker that released an advisory and you’ll find similarities in the approach. That’s going to prove out the insurance market’s role in improving cybersecurity.”
We then asked Bryant what to anticipate from Resilience over the next 2-3 years, to which he said, “A lot of the market has looked at us as a bit of a proof of concept. We hire security talent to accompany our policyholder’s experience with insurance.
“You’re going to see us taking the lessons learned from all of those engagements and making them approachable for any insured, wherever they are on their cyber journey, to recognise an ROI on the technology and risk transfer spend that they’re making.”
Bryant noted that some of the earliest feedback Resilience gets from clients is how happy they are to have a real security consultant, not an insurance risk engineer, to speak to.
He added, “They have someone they can reach out to either through our platform or via telephone about some of the issues they may be facing. They love to have a second set of eyes, and sometimes they need more, but that real person in the loop that we add to that equation is not a technological innovation, rather, it is bringing expertise to an area that is starved for expertise.
“One of the things we’ve benefited from at Resilience as a young company is building from zero. The broader insurance market is addressing a similar problem to us, but with existing portfolios.
“We have the benefit of creating an intimate relationship from day one, and making sure that we’re putting the insured on a path to maintain a resilient security posture no matter what happens.”
Bryant continued, “The next phase for us, is to begin taking that relationship and making it something that no matter the size of your company, no matter how complex or simple you are, you can find value through a digitally native approach.”
When questioned about the trends he expects in the cybersecurity market in 2023, Bryant said, “From a reinsurance perspective, I do believe that the news of the first cyber cat bond is really good for us as a market, I’m happy to say that it will create new opportunities for competition in how reinsurance is placed for cyber insurance.
“I think it’s going to bring some resiliency to the cyber reinsurance space, it’s not going to be immediate, but it’s a great start. This is something that’s been around for a long time, and there’s no reason it can’t work for cyber insurance.”
Bryant concluded, “We’re going to see that better data, and those that know how to use the data coming from insurance are going to be able to produce a better response. They’re going to be able to choose and maintain value, rather than using policy tooling to manage risk.
“This will play through the entire lifecycle of insurance, and I’m quite confident that we’ll begin to see that coming particularly into the 2024 reinsurance renewals, where you’ll see that data begin to prove out more and more value.”
