DUAL underwriting perspectives: Enhancing cyber readiness for unpredictable risks

By Scott Davies, Senior Cyber Underwriter, DUAL UK

Scott has been in the insurance industry for over 22 years, as a broker at both Marsh and Aon and now as a Senior Underwriter at DUAL. He has experience in commercial PI, construction SPPI, and D&O, and has been either broking or underwriting Tech PI and Cyber for the past 17 years or so. Scott has worked in London, Boston, and the Middle East.

As a Senior Cyber Underwriter at DUAL UK, with over 22 years of industry experience, I’ve witnessed first-hand how critical it is for organisations to prepare for ever-changing cyber risks. My career has taken me from Norwich to London, a stint in Boston, and Dubai, providing me with a diverse perspective on global cyber threats. In this article, I will share my insights on how businesses can enhance their preparedness and help mitigate risks.

Underwriting Approach

We all know that we are operating in a field that is constantly evolving. Cyber insurance is relatively new, and the threats we face are unknown and can be volatile. Traditional security measures—like multi-factor authentication and regular backups—should now be the baseline, but businesses need to go further to protect themselves, as hackers will continue to look for new vulnerabilities.

One of the most significant vulnerabilities I see is human error. Even with the best IT systems in place, individuals can inadvertently expose their organisations, for example through phishing attacks. For instance, it is hard to spot if an ‘I’ (capital i) has been replaced with an ‘|’ (line symbol), which would reveal a fake email address. It is easy to assume it is the correct email address and click on the malicious link! Many companies assume they are protected by having basic security measures in place, but it is the combination of these measures with comprehensive awareness training and ongoing education that is key.

At DUAL, we carry out various outside-in scans, as well as expanding on the questions in our proposal forms. Open-ended questions help us to better understand each business’s unique risks, going deeper than yes/no questions. I aim to capture the nuances of each organisation’s security posture; taking a tailored approach allows me to provide more relevant guidance and support to my clients.

Tips for staying prepared against cyber threats

Here is my take on steps a business can take to enhance their preparedness:

1. Continuous learning commitment: Businesses should try to stay updated on potential vulnerabilities and emerging threats. Educate employees about the risks associated with cyber threats. Regular training can help reduce the likelihood of human error leading to data and security breaches.

2. Brokers should ask questions: As we enter a softening market, brokers typically push for fewer questions, and insurers give in as we seek to retain renewal business and chase new. But this isn’t what we should be doing to make sure our insureds are best prepared for an incident. Questions aren’t there to hinder the purchase (or at least that isn’t the intent), but to help guide brokers and insureds on the problems we see.

3. Regularly review cybersecurity measures: I urge businesses to assess and strengthen their security posture regularly. Complacency after implementing basic measures can be dangerous. Continuous evaluation is essential.

4. Develop and test incident response plans: Have robust incident response and business continuity plans, which should clearly outline roles and responsibilities before, during and after a cyber incident, and be tested regularly. The better prepared you are, the more effectively you can respond.

Common misconceptions and red flags

Despite the growing awareness of cyber risks, I’ve found that many businesses still hold misconceptions about Cyber insurance. Some companies view insurance as a safety net, believing it absolves them from implementing robust security measures. I firmly believe that insurance should complement security efforts, not replace them.

Another common issue arises among small and medium-sized enterprises (SMEs), which often underestimate the importance of cybersecurity investments. The low cost of insurance might tempt them to skip critical security measures, but the potential losses from a cyber incident far outweigh these costs.

In my experience, a major red flag that suggests a company may be unprepared for a cyber incident is the absence of basic security measures. If a company isn’t taking cybersecurity seriously, they are leaving that door unlocked. This is why we shouldn’t be looking to reduce the questions asked in proposal forms, but should make sure they are perhaps more appropriate to a new buyer versus a renewal.

A proactive approach to cyber resilience

In conclusion, my experience underlines the importance of a proactive and informed cybersecurity approach. The cyber threat landscape is continually shifting and that isn’t going to stop; businesses must be prepared to adapt. By promoting a culture of continuous learning, regularly assessing security measures, and prioritising employee education, organisations can enhance their resilience against cyber threats.
