MGAs: the driving force behind a mature cyber insurance market

Cyber insurance, as an emerging line of insurance within property/casualty insurance, started as a relatively straightforward product by traditional insurers, focusing first on third-party liability resulting from a data breach. There was an obvious need to expand as cyber incidents evolved beyond data breaches, and this has resulted in the complexity we face today.

The driving force for growth in the cyber insurance market came as organizations digitized their operations. Turning information into digital form allowed large amounts of data to be taken without permission. Digitization of sales (e-commerce) disrupted traditional sales but also led to an increased reliance on technology. This was compounded by the proliferation of attacks and the types of incidents, while technological innovations such as cloud and mobile computing multiplied the scenarios to be handled. In order to respond to the resulting increase in cyber risk, businesses had to build their cyber resilience.

However, the uncertainty around the risk meant that cyber insurance policies were limited in coverage. The mid-2010s saw the emergence of start-ups focused on producing cyber risk models in the same way start-ups provided insight into natural catastrophe risk three decades earlier - what we call model vendors. These companies built initial models for cyber risk. These models highlighted key risk drivers for adverse and catastrophic outcomes, enabling some cyber insurers to capitalize on the first wave of cyber insurance adoption. The first wave was primarily focused on serving the large enterprise market. Soon afterward, additional challenges emerged such as “silent cyber” and the hardening of the market as cyber incidents morphed from being primarily data breaches and became ransomware attacks and other damaging attacks on a variety of industries.

Why risk modeling vendors were unable to fully solve insurers’ concerns

Modeling vendors’ analyses certainly helped increase the understanding of risk frequency and severity. However, as cyber risk continued to proliferate, the impact of cyber events on an insurer only increased. At the same time, many insurers did not upskill or reskill for cyber at a pace that could keep up with the evolution and growth of the exposure. Being nimble and agile to rapidly adapt to a constantly evolving risk and policyholders' needs, was (and still is) a must-have characteristic for any insurance business attempting to succeed in the cyber insurance market.

The newer managing general agencies that write cyber business are, by their nature, incentivized to find new ways to better understand and write risk. The value of these entities is based upon their ability to grow which is, in return, limited by their ability to produce profitable business. Those that produce uncontrolled growth that results in the loss of profitable results will find they eventually have less capacity.

The winners in this MGA space will be those with core DNA made of both cybersecurity and insurance, but also agile enough to adapt to changing circumstances, opportunities and new types of cyber risk. Opportunities abound in the small and medium enterprise markets as well as the large enterprise markets. In addition, succeeding in the SME market requires building for scale and large volumes of transactions. Let’s explore the main drivers of success:

• Being built with cyber at their core.
• Being unconstrained by legacy systems.
• Willingness to embrace digital distribution.
• Better control over cyber catastrophe risk; the need to grow, but profitably.

MGAs started with a focus on cybersecurity 

Successful cyber MGAs have focused on the cyber protection offerings they bundled with cyber policies. This has then been blended with the requirements for insurance capacity to produce an acceptable cyber insurance product.

The advantage of this has been building tools that create a frequently updated view of an insured's risk. This enables risk monitoring with the goal of keeping the ever-changing cyber risk profile of insureds aligned with the policy coverage.

The data accessibility for MGAs enables excellence at data analytics

Information is power - building new systems has enabled smart use of collected data and risk signals in multiple ways.

• External and internal cybersecurity signals can be collected to compile just-in-time information about organizations applying for cyber insurance and their cyber risk profile prior to bind.
• Insureds can be actively monitored and guided to improve their risk profile based on collected risk signals.
• Claims data can also be analyzed to strengthen the cyber risk profile of the impacted insureds, as well as inform the entire book about the likelihood of cyber incidents in specific sectors.

Ability to identify, assess and manage cyber risk exposure

MGAs have focused on building the tools that enable them to identify exposure to the digital faultlines that could cause a cyber loss impacting a large population of insureds. This information is also available to the wider insurance industry from data and model vendors.

Understanding the exposure to, and impact of, cyber catastrophe is key so that:

• The exposure to any one cause of the loss event can be held to acceptable levels.
• The potential for significant loss events can be priced in.

MGAs have an advantage in both these areas resulting because of how recently they have been set up. The systems they use leverage modern technologies (data science, artificial intelligence) to their fullest. They tend to be more flexible and more adaptable to the different types of information that might need to be stored and interrogated to measure and manage the exposure to cyber aggregation. Given the evolving nature of cyber, that adaptability is key; it enables MGAs to dynamically adjust pricing to reward policies that diversify their portfolio exposures to risk aggregation. It also enables the capture of new forms of data that are key to aggregation exposure, increasing the completeness of data used to price catastrophe exposure.

Further still, the technology initiatives pursued by MGAs to reduce the risk of their policyholders having a cyber event can be quantified and thus rewarded within their own pricing and catastrophe modelling, creating a positive feedback cycle for policyholders and MGAs and even reinsurers.

It makes sense for insurers to consider whether they wish to emulate the flexibility and expertise of MGAs or whether they wish to reduce the execution risk by forming relationships with them and consolidating backing behind those they consider to be best-in-class in respect of their areas of relative advantage.

Insurers should move with caution but be mindful that cyber-ILS as an asset class will unleash a torrent of capital once the objective cyber model vendors become accepted as a risk currency. This tap will be turned as cyber model vendors produce results better tuned to the actual levels of risk rather than those produced at present which are considered overly cautious by the market, or scary by those who are less sure about how the actual risk will manifest.

The cyber MGA mission requires both growth and profitability

Cyber MGAs have many stakeholders inside and outside the insurance ecosystem. Each stakeholder provides a different perspective. Stakeholders’ need to grow profitably requires MGAs to actively listen to intelligence and guidance coming from each.

This triangulation of intelligence, combined with being hands-on with the risk, results in an overall superior position to distill and implement optimum solutions. An example of this is the greater focus on aggregation and catastrophe modeling within MGAs as they are able to obtain and process the data and then discuss this with appropriate stakeholders.

This will result in MGAs producing the optimal risk structures to spread the risk across the appropriate quantitative levels of risk appetite as well as types of risks within market participants’ appetite.

The ultimate winners will be those MGAs that use their advantages best. Warren Buffett famously said, “You only find out who is swimming naked when the tide goes out.” The tide going out and exposing the efficacy of the efforts of all market participants will be a significant adverse or catastrophic event. What can be more meritocratic?

Visesh Gosrani is director of catastrophe modeling at Cowbell. Contact him at [email protected].

© Entire contents copyright 2023 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.