Asia’s cyber underwriters will need to draw on data beyond traditional loss history to build a profitable book, considering the region’s relatively low cyber insurance penetration, executives speaking at ITC Asia said.
“The data pools in the US and Europe are very full. There’s a lot of data there,” said Alexander Liu, Vice President for Cyber & Financial Lines APAC at MSIG Asia. “It’s been a market that has been around for a while, but the data pool in Asia is relatively shallow.”
With cyber penetration rates significantly lower in Asia, the region has a smaller data pool than those of more mature markets in the US and Europe.
Furthermore, the soft market has weakened incentives for disciplined underwriting, according to Nawaz Imam, CFO at cyber incident response firm and MGA Blackpanda. “The incentive to calibrate on that basis is a bit less compared to hard markets, but we’ll get through that,” Imam said.
Incident data collection and security posture
But the lack of data does not mean underwriters have no idea of the risk, said Bo Yu, head of claims at Markel.
“The fact that there’s no data doesn’t mean that it’s currently not insured by anybody, or [that] most people just simply do not understand or know how to underwrite it,” Bo said.
Imam argued that underwriters should rely on both internal datasets, such as incident-response caseloads, and external indicators, including a client’s security posture.
“We have paid a lot of attention to the way we create a taxonomy around the cases we work on, so we can use that from a general cyber underwriting perspective,” said Imam.
Underwriters need to have a clear understanding of a client’s security posture, noting that controls such as multi-factor authentication (MFA) and endpoint detection and response (EDR) can reduce the likelihood of cyber attacks and breaches by more than 50%, said Imam.
These data frameworks are consistent from one region to the next, Imam pointed out. The same is true of how risk accumulates and the types of exposures insurers take on across their books.
“Historically, when I was looking back at our own data, the most prevalent forms of breaches were things like business email compromise, but now vendor compromises have gone right to the top,” he said. “If your book also has concentration risk across these factors, you’ve got to watch out.”
Real-time claims information can also be used to shape the underwriting process, especially in speciality markets where risks move quickly, like digital asset insurance. It’s therefore important that underwriters don’t work in a silo, separate from claims professionals, said Marie-Francine Richard, COO at specialty digital asset insurer Cryp-Sure.
Cryp-Sure, which provides embedded insurance to crypto exchanges, combines its underwriting and claims systems, so both sides have access to the same information in real time.
“What’s really important is having access to information in real time and then being able to effectively process that and analyse it quickly, in order to then go back into making sure what type of risk it is, and how [to] price it,” Richard added.
“Trust less, verify more”
As AI transforms the insurance industry, insurers are also likely to become more exposed to cyber threats, panellists argued.
AI integration is likely to expose insurers to a range of risks, from model poisoning to unverified AI-generated code to misdirected claims payouts, said Allen Juang, CTO at Tokio Marine Asia. “It’s a whole spectrum of risks that we’re currently exposed to,” Juang said. “How do we trust less, or trust more slowly and verify more, and how do we develop that culture [within] our business?”
As social engineering fraud rises and AI-powered phishing risks spike, technology is making it far easier for fraudsters to increase their speed and frequency, said François Burtin, Global Head of E-Commerce at Allianz Trade.
Insurers can use AI to build fraud-detection models that catch data that’s “too good to be true,” essentially fighting fire with fire, Burtin said.
“We’ve built technologies to assess the identity of the company [and] the individual verifying the bank account, so that we can cross-reference all that and get more comfortable entering into a relationship with the debtor,” Burtin said.
“That’s the kind of thing we are working on. It’s probably an endless race, but it’s an exciting one.”