A problem with the policy preamble
A typical preamble to a cyber insurance policy reads something like: “An actual or alleged act, error, or omission that constitutes a privacy tort, or a security tort, or a media tort…”
Why does that wording matter? Suhs explained that even if the insured has strong risk management practices in place, using multi-factor authentication (MFA) and endpoint detection and response (EDR) technology and calling back their bank to verify wire transfers, a single employee error, act or omission (for example, someone accidentally disabling MFA) is enough to trigger the policy.
“You can represent an application that does all the right things [in risk management and cybersecurity], but if the insured does something wrong, the policy can still be triggered,” said Suhs. “While I’m a big advocate for strong risk management, doing more in terms of cybersecurity, ultimately, it doesn’t really matter from an insurance standpoint.”
Suhs also identified a moral hazard in the current cyber insurance approach. Cyber policies often include regulatory protection and fines coverage, meaning they cover the costs of dealing with state and federal regulatory agencies in the event of a data breach.
As explained by IRMI: “This insurance contract covers … the costs of hiring lawyers to consult with regulators during investigations and regulatory fines and penalties imposed against the insured (as a result of the violation).”
This is problematic from a moral hazard standpoint because it gives policyholders the option to say: “Well, I’m not going to encrypt my data because I can buy a policy and pay the regulatory penalty.” That runs counter to the market’s current laser focus on risk reduction.
Adverse risk selection
Another potential problem identified by Suhs revolves around how underwriters select risks. Some companies use cybersecurity scoring systems, where prospective policyholders are rated and given a letter or number grade indicating the strength of their security program.
“I believe that’s inappropriate because it basically moves respondents toward an adverse risk selection. They’re going to write accounts with better scores,” Suhs said. He added that there are challenges in scoring small businesses this way, especially as many outsource their IT. If they don’t have their own servers and keep all their data in the cloud, “what are they actually scanning or monitoring?” he asked.
Many of the companies that offer this real-time security scanning and threat monitoring are cyber-focused insurtechs that tend to be more intrusive and are focused on the low-volume small business market.
“The challenge … if you track through the website — and that’s not the majority of us [small business] computing power,” Suhs said. “If you scan our website, conciergecyber.com, we’re on a multi-tenant server, they know where, but you can’t see financial data, customer relationships, our shared Dropbox or anything like that. Everything is in the cloud.”
“Ultimately all about incident response”
Recognizing the above shortcomings, Suhs launched Concierge Cyber in 2019, a membership platform that gives small businesses and private clients (with or without a cyber insurance policy) access to relevant information and tools before and after a cyber incident occurs. Members are guaranteed emergency response to a cyber-attack or data breach on a pay-as-you-go basis, at significantly discounted rates, through a panel of top-quality providers.
Suhs explained the premise behind the platform, which he described as “like roadside assistance, but for cyber”: “Ultimately, it’s all about having a response plan. Companies that have a tested and active response plan are much quicker to fix and lower the dollar amount [of a cyber event]. It is good to be efficient.”