By Archie Whitehead, Tech, Media and Cyber Broker at New Dawn Risk
Network scanning has become a powerful tool for assessing cyber risk: an external scan can produce a report on a company's internet-facing IT estate and flag key vulnerabilities at the press of a button. Though these scans are highly useful for gathering information, some cyber markets are starting to treat them as gospel when evaluating the risk of potential clients. Cyber carriers should be wary of basing their full underwriting rationale on network scans, because the method simply cannot account for all the exposures an insured carries, and a carrier takes on, while the policy is on-risk.
For example, one major blind spot for network scans is that they do not pick up on a company's Operational Technology (OT) environment. An external scan sees only assets reachable from the internet, and OT networks are typically segregated from them, so the controllers and industrial systems on the factory floor never appear in the report. While this may not be of concern for certain industries, OT does account for a significant portion of cyber exposure in many others (manufacturing, for example). When OT exposures are not accounted for, the accompanying risk will not be priced accordingly. While this may seem like a great result for the policyholder, who receives comprehensive cover at a cheaper cost, the insurer is putting both itself and the insured in a precarious position should a claim arise.
Additionally, network scanning does not take into account a policyholder's governance, whether that be security culture, employee security training, phishing simulations, or any other measures that raise a prospective client's cyber hygiene beyond the realm of the IT systems themselves. None of these is visible from outside the network, yet each bears on how likely an incident is and how well it is handled. Once again, subsequent pricing will not accurately reflect the risk at hand when these factors are overlooked.
As prior experience has shown, when loss ratios rise for these carriers, the questions of what went wrong and what needs to change quickly follow. Dependence on scans as an underwriting process poses a hard question: have we learned anything from the last market cycle? Will the same happen again, with insurance companies unexpectedly non-renewing accounts or unjustly increasing premiums even though the insured has done nothing to warrant such an increase?
If the cyber claims environment deteriorates once more in frequency and/or severity, there is concern that carriers that have gained a large market share by justifying cheap rates on the strength of their scan reports will pull back and leave a huge gap in the market, potentially leaving clients without a solution. By extension, this creates anxiety around having to move policies to alternative carriers and essentially leaves both insureds and brokers hung out to dry. Brokers may be held liable and will have to explain to clients that their cyber policy was placed with a carrier that did not account for all potential exposures.
Ultimately, network scans themselves are not the concern; using them as a substitute for traditional risk assessment could become a major issue. Scan reports should be used alongside the other underwriting tools in a cyber insurer's arsenal; the danger lies in thinking they can replace human rationale and insight. Those in the cyber market should brace themselves for the day this scanning bubble eventually bursts.