Risk managers urged to take advantage of softer cyber market

LONG BEACH, California — Public entity risk managers should take advantage of the relatively stable cyber insurance market to bolster their security measures, so they are better prepared to work with underwriters when rates start to rise again, says an expert.

“You all heard the horror stories in ’22 about 150% increases in premium,” said Bryan Hurd, Seattle-based vice president of Aon cyber solutions. He spoke during a session Wednesday at the Public Risk Management Association’s annual conference.

“Now, the market has actually softened,” he said, with some policyholders seeing renewals at the same rates. But claims are increasing, he said, noting there is about a 12- to 18-month lag between claims and rates.

“If claims continue to grow, you can believe the underwriting is going to be even more stringent 12 to 18 months from now,” he said. “You can be 12 to 18 months ahead of that equation.”

Temo Garcia, Chicago-based assistant vice president, Aon cyber solutions, said the first step is “understanding your vulnerabilities, really figuring out where you currently stand.”

Mr. Hurd discussed what he has dubbed the “dirty dozen,” the top 12 controls that could have stopped the spread of ransomware and other scams. Topping the list is multifactor authentication. 

MFA “is like Frank’s RedHot sauce — pour it on everything,” Mr. Hurd said.  If you do not, “the response of the underwriters will be ‘Leave your message after the click,’ and they will hang up.”

Mr. Garcia said access control remains the top factor underwriters look for, followed by endpoint security. Business continuity testing and tabletop exercises are also increasingly being required by insurers, he said.

“How long is it going to take you to get back up and running” after an incident? he asked, adding that the claims costs associated with business interruption increase every year.

Endpoint detection, which monitors end-user devices to detect and respond to cyber threats, is also a significant factor, Mr. Garcia said.

“More and more underwriters” want to see 100% of policyholders’ networks covered by endpoint detection tools.