The rapidly evolving cyber landscape has resulted in a complex web of vulnerabilities for businesses across industries.
The financial services industry, by its very nature, is under near-constant risk of data breaches and cyberattacks. Take for instance the 2024 CrowdOut. While the insurance losses emerging from this event were much lower than initially feared, the incident has shone a stark light on the risks of interconnected IT systems. High-profile incidents such as ransomware attacks exploiting third-party software or data breaches originating from vendors are also increasing the urgency of understanding and addressing these challenges.
Concerns over systemic cyber risk and the looming specter of a cyber catastrophe continue to plague the insurance market.
Yet, it largely remains a buyer’s market, with competitive pricing, abundant capacity, and broadening policy coverage, including non-IT dependent business interruption (DBI).
As a result, insurers are stuck in a balancing act. Despite the increasing frequency and sophistication of cyber events, the soft market is hampering accurate and detailed cyber risk assessment, particularly when it comes to the opaque risks inherent in supply chains.
Insurers are not in a position to ask detailed questions or undertake thorough risk assessments. End-customers can simply select another carrier to avoid the burden of answering a detailed set of difficult questions that they may not have the answers to.
Even for larger accounts, while insurers may ask if companies conduct due diligence on their third-party suppliers, deep dives into supply chain vulnerabilities are rare. The time and resources required to carry out such assessments are prohibitive. Business impact analyses (BIAs) are typically limited to top-tier suppliers, leaving a significant portion of the risk landscape unexplored.
Yet the obstacles to cyber risk assessment can’t solely be attributed to the soft market. There are other hurdles, including:
Despite these challenges, ignoring digital supply chain risks is no longer an option.
While the market has yet to experience its first major cyber catastrophe, it is a matter of when and not if the event will occur.
The onus of assessing the risk of a major event should not solely be on the insurance industry. Companies must understand their digital supply chains and the risks they are exposed to. But it’s a complicated and difficult exercise.
Brokers and insurers are ideally placed to help businesses understand and mitigate exposure to hidden threats in their supply chains. Aside from the pricing benefits, in a competitive market, those that innovate have the opportunity to differentiate themselves while driving better outcomes for their clients. But ultimately, by proactively addressing these risks, all stakeholders can reduce the likelihood of catastrophic losses and foster greater resilience across the digital ecosystem.
The first step to advancing cyber risk assessment is improving the information environment.
During our recent breakfast discussion – a bespoke event that had industry analysts, business leaders, and technology partners come together to deliberate on ‘Cyber catastrophe: How can technologists help?’ – two key priorities emerged:
External scanning tools offer some insights, but in isolation they have limitations. Market participants feel they only provide a surface-level view of IT suppliers and risk missing critical vulnerabilities. For instance, they often do not help with understanding the level of reliance a company may have on suppliers. In addition, market conditions mean that insurers can feel unable to translate results into actionable underwriting or pricing decisions.
Some forward-thinking insurers, managing general agents (MGAs), and insurtechs are experimenting with more integrated approaches. They offer continuous monitoring, flag vulnerabilities, and tie remediation to pricing and policy renewals. These represent a step toward more dynamic and responsive underwriting.
Scanning tools are also continuing to evolve – combining the power of predictive analytics, real-time data, and artificial intelligence (AI) and machine learning (ML) to monitor risks dynamically and increase information coverage. Given the difficulties involved in getting information from end-customers and suppliers, developing such increasingly sophisticated external data tools will be vital to understanding and calculating digital supply chain risks better.
The concept of developing standardised supplier evaluation frameworks – akin to credit ratings – is an interesting one. Although a company’s internal infrastructure will still vary, it would still be a step in the right direction. Equally, tools that aggregate anonymised supplier data could help to build a more comprehensive picture of risks by sector, although there are still the challenges of participation and data sharing to overcome.
While ‘outside in’ approaches such as these are easier to implement than detailed client disclosures and assessments, they don’t provide the full picture. On the flip side, ‘inside out’ insights are more expensive and difficult to manage. Hybrid approaches that combine external scans with internal insights are therefore a promising avenue that must be explored.
Insurers are faced with many questions. How can technology improve the speed, efficiency, and accuracy of detailed assessments by risk engineers? Are there ways in which outside in discoveries and external scanning tools can be used as a launch point for building a more detailed inside out understanding of third-party risks? Is there an appetite for insurers, brokers, or technologists to offer digital supply chain BIA services to larger clients?
Insurers, brokers, and technologists must continue to make progress in these challenging areas. The first major cyber catastrophe will not only reshape the market but also force a reckoning on how risks are assessed and managed. The question is whether the industry will be ready—or caught unprepared.