AXIS Global Head of Cyber: Cyber Insurance Market Facing 'Seatbelt' Moment
Insurers now know what the 'minimum' requirements are to make companies safer from cyber attacks, but still face systemic risks, said Dan Trueman, global head of cyber, AXIS Insurance. Trueman spoke with Insider Engage at the RIMS 2022 conference in San Francisco.
Can you tell us what you're hearing from clients? What are they asking you about cyber and technology?
That’s a great question, because particularly here in this conference, that's really why we're here — to take the temperature of the clients and understand what is keeping them awake at night. Not just about their risk but about their transfer of their risk, and the insurance element of that. What we're really hearing from them is the cyber market has gone through quite a significant correction in the last two years, particularly in the last 12 months on price in particular. And the clients are really asking, why is that change happening? What can we justify? Can we explain where the pricing is coming from? And then secondly, they're asking, when's it going to end, I suppose, and what can they expect? Which is a fair question as well.
Now that they're all swept up in the hardening market, is there a way to differentiate how a client is performing and what they're doing in regards to cyber?
Absolutely, that is one of the other questions that we're sort of seeing. We accept that there's a portfolio pricing method here, we accept that you've seen frequency and severity, we accept that you're reassessing systemic risk. But what about me as a client? What about all of these things I'm doing to make my risk better? And how can I affect that? Is there a delta for my pricing?
Absolutely. We as a market have really over the last couple of years in particular, we've gathered...enough data. The way I've described this is the cyber market is going through its seatbelt moment at this point. We've identified what good looks like. And we've identified well enough to understand that if you do a number of simple things — hygiene factors we call them — your risk actually is significantly better. At the very least we're saying to all clients they have to do these things. Then the type of clients we typically see in a room — that are larger, more sophisticated clients, we expected them to do a whole other level of things. That's what we're seeing a bit of. There's still a differentiation there between the bottom end. We just really expect people to have multi-factor authentication, sort of good offline, encrypted backups, security through their VPN. These are the sort of things we've been talking about. It's minimal hygiene standards. The next level, we're talking about their availability, their process, what do they do with the cloud, how sophisticated they are. So it's different levels. It's about assessing that risk. We're always obsessive about turning data to information, information to insight and insight into action for the clients. That's what we call the seatbelt moment. The reaction really now is you have to do this, it makes your risk better, it's better for us all. That's really important for insurance, because there's a social value for that. It's like we've learned enough now, to turn our data to do that. So that's quite exciting.
What do you see as the biggest cyber risk today?
It seems like insurance 101, not only transfer the risk, but understand what your aggregation is. If I say what is the biggest cyber risk at the moment, we'll call the Rumsfeld quadrants — what is the current known unknown that is keeping us awake at night? It is really systemic risk. It's understanding that and understanding, have we got the right scenarios for that systemic risk? Are we understanding it as a whole? Do we need to create deterministic models to understand the scenarios themselves, and then really affect what their likely return periods are and assess that properly. Because at the end of the day we have to understand our full risk properly. That's a really interesting element, are we doing that well enough on the systemic basis?