CFC’s Lindsey Nelson Explains Her Role and Sheds Light on Cyber Risk Trends

July 19, 2024

Risk & Insurance® recently sat down with Lindsey Nelson, head of cyber development at CFC, to discuss the latest developments in the cyber space, from the rise of AI to trends in the perception of cyber risk — including the fact that until cyber policies became commonplace, insurers had very little cybercrime data to work with.

Below is a transcript of our conversation, edited for length and clarity.

Risk & Insurance: What’s your current area of focus as the person in charge of cyber development initiatives at CFC?

Lindsey Nelson: My primary responsibility as the head of cyber development at CFC is to grow the global cyber market. That’s accomplished by ensuring we continue to innovate with a cyber product our clients are asking for, educating our broker base to turn generalist brokers into cyber specialists, and ensuring CFC remains the insurer of choice for brokers around the world.

Second to that — and crucially as we continue to grow as a global business — there is growing responsibility in ensuring that our team of more than 80 underwriters around the world is seen as thought leaders and continuing to provide best-in-class service and sales initiatives for our key partners.

R&I: What changes are you witnessing in the threat landscape and cyber risks people are facing?

LN: Contrary to what most people believe, the threat landscape remains almost entirely unchanged over the last 20-plus years. However, with the benefit of the increasing amount of data insurers are able to access as a result of market growth and claims activity, we as an industry understand a lot more than we ever did when it comes to threat vectors, who they affect, how they affect them in terms of quantum of loss and — importantly — what the cause-effect relationship looks like between security controls and cyberattacks.

What has changed as a result of that is businesses’ awareness that anybody using a computer or hiring an employee has a cyber exposure in a digitally reliant world. Consequently, cyber insurance policies have also brought awareness through product innovation by highlighting coverages that were created based on previous attacks that they had witnessed.

An excellent example of that was back in 2018, with the introduction of digital theft of funds coverage included within cyber policies, which then tremendously fueled the growth of the market on the small business side.

There is a strong argument that cybercrime has been around for a lot longer than businesses have been aware of it, and insurers are now enabled to have better insight to educate the market on the importance of risk transfer.

R&I: What emerging techniques are hackers taking up as technology changes?

LN: The development of AI is a very topical point at the moment, because although the majority of the narratives surrounding it are “what-ifs,” AI can be used for both good and bad. We may see an impact in the way ransomware attacks are carried out through the use of AI. However, 75% of our cyber claims are still caused by human error.

Crucially, when it comes to cyberattacks, it likely won’t impact the frequency or severity of them, but it provides a new method of conducting an attack that has the same result on a business, and inevitably causes a distraction from more traditional methods of attack that will perhaps be overlooked by the business in lieu of new technology.

Regardless of the type of cybercriminal or threat actor, their success relies on an employee clicking a malicious link, falling victim to a theft-of-funds scam or opening an attachment they weren’t meant to. This really brings home the importance of cyber insurance for businesses, particularly small ones, where it’s often an either-or purchase with IT security.

We advocate for businesses to choose cyber insurance if they have to make a choice. With a cyber insurance policy, businesses get the combination of insurance and access to enterprise-grade security teams through our team of over 150 people at CFC. This provides incredible value for money, especially for businesses that don’t even have one IT person employed.

R&I: How has the perception of cybersecurity changed, particularly regarding the effectiveness of firewalls versus the importance of social engineering in cyberattacks?

LN: The perception of cybersecurity has evolved tremendously from the perspective of both organizations and insurance companies. From a high-level perspective, we’ve witnessed numerous cyberattacks that bypassed security measures that clients thought would protect them. In the past, clients relied heavily on firewalls, believing they were sufficient protection. However, firewalls are ineffective if their permissions are not set correctly.

A couple of years ago, multi-factor authentication (MFA) was being touted as a solution, but we’ve seen threat actors bypass MFA on several occasions. It’s not a perfect solution to preventing cyberattacks. Today, insurance companies have either partnered with or built in-house cybersecurity divisions to complement the insurance piece, knowing they work complementary to one another.

Interestingly, our proactive cyber team is dedicated to identifying and stopping threats against our policyholders before they affect the client. While this approach has been successful in stopping more cyberattacks than we’ve had to respond to, it’s not foolproof. Threat actors can still bypass security measures.

It’s analogous to property insurance, where having a sprinkler system in place doesn’t eliminate the risk of fire. The same principle applies to digital risk in the modern age.

R&I: As that perception changes, is the perception of who needs to buy cyber insurance changing as well? My sense is that, at one time, it was seen as something for Fortune 500 companies — is that still the perception?

LN: Every business that uses a computer or has employees needs cyber insurance. While most examples in the media and those shared by our broker partners involve Fortune 500 companies, our data shows that 90% of the cyberattacks we see are against businesses with under $50 million in revenue.

Smaller businesses are often targeted as criminals have the perception that they have little to no budget to spend on robust security measures. Equally, smaller businesses often get caught in the crosshairs of larger-scale attacks where they weren’t the intended target at all.

A common objection from small business clients is that they can’t afford the coverage, viewing it as a “nice to have” rather than a necessity. But when you compare the cost of a cyberattack to the cost of an insurance policy, it becomes evident that the coverage offers incredible value for money.

At CFC, our cyber policy offers unlimited reinstatements, allowing clients to have multiple cyberattacks throughout the policy period. We are the only market globally to provide this feature. Our confidence in offering this stems from our enhanced and rapidly scaled security team, which works with clients after an attack to prevent future incidents.

R&I: What should clients look for in a cyber insurer, and how can brokers effectively communicate the value of cyber insurance to their clients?

LN: Clients should look beyond the coverage offered in a cyber insurance policy and consider the additional services that come with it. Every cyber policyholder with our company gains access to our instant response app and proactive, preventative services that identify and alert them to potential threats to their business. This helps them avoid falling victim to attacks and suffering reputational harm or feelings of intrusiveness.

Additionally, our policyholders benefit from the expertise of an enterprise-grade security team. If clients were to hire this level of expertise in-house, it would cost multiples of what the insurance policy does. We encourage clients to think about these value-added services when considering cyber insurance.

For brokers, it’s crucial to present cyber insurance as a necessity rather than a luxury, and what brokers need is easy accessibility and a product that responds to claims for their clients. We aim to make cyber quotes accessible by leveraging technology to do the heavy lifting work, eliminating the need for lengthy applications.

Brokers should also be acutely aware that a good cyber policy today doesn’t impose any warranties or conditions around security controls. At CFC, this allows us to focus on what matters, which is getting their clients back in business.

David Agnew is an associate editor at Risk & Insurance®.
