In an exclusive interview with Actualidad Aseguradora (Inese) for FERMA Forum 2024, Jose Carlos Jiménez Fernandez and Rafael Ortiz Losada, Senior Cyber Underwriters for Arch Insurance (EU) dac, discuss Arch’s first 12 months of writing cyber insurance in continental Europe and the team’s appetite for further growth. They also highlight some of the main challenges facing risk managers in the cyber space and the prevention and mitigation strategies businesses can employ to navigate the evolving risk landscape.
This interview was first published by Actualidad Aseguradora (Inese).
How has Arch’s experience been during its first year of operations in the European cyber insurance market?
Jose: We’ve had a really positive 12 months since setting up our new operations in Madrid and Paris to grow our European cyber insurance portfolio. By establishing teams of highly experienced underwriters with a wealth of European cyber market knowledge, we have been able to develop strong relationships with brokers and clients in a short space of time.
We launched in Madrid in September 2023, with Rafael and I initially focusing on the key European markets. In parallel, we opened a second office in Paris with the appointments of Sergio Pierro and Roxanne Deslandes. We believe the European cyber market has significant growth potential across all business segments, and by establishing these two offices, we have a strong platform from which to develop a diversified portfolio of cyber business across Europe.
We have developed a tailor-made cyber insurance product in partnership with leading local service providers to provide not only financial protection but also strengthen clients’ cyber risk management strategies by providing risk mitigation and incident response solutions.
How would you describe your company’s risk appetite when it comes to cyber risks?
Jose: Cyber is a core line of business across the Group and following strong growth over the past five years, Arch is now one of the leading global providers of cyber insurance in an increasingly competitive marketplace. The continued investment in the cyber sector, in particular within Europe, demonstrates our clear commitment to strengthening that global leadership position.
Our appetite for growth within Europe is strong. We provide primary and excess coverage for local and multinational organisations across multiple sectors in Europe, including energy, healthcare, leisure, retail, financial institutions, and manufacturing, focusing on areas such as cyber and tech E&O.
Our aim is to develop a well-diversified portfolio with a broad Europe-wide risk appetite. Our approach is based on detailed analysis of each risk and an in-depth understanding of each client’s business activities, including its level of maturity and the cyber risk controls in place to both protect and maintain operations. That enables us to provide the high levels of service expected from our brokers and clients as well as develop informed solutions that meet their specific cyber needs.
Have you identified any specific sectors where cyber risk is particularly high and requires special attention?
Rafael: Cyber is a global risk exposure that impacts all industry sectors and business activities. However, it is important to recognise that each organisation has its own particular risk profile and differing exposure to cyber risk.
The main cyber exposures facing organisations typically fall into two key categories:
Firstly, data protection. Companies are increasingly reliant upon larger volumes of data and/or sensitive information. As a result, such organisations are exposed to a heightened threat of data breach, and associated claims, as well as sanctions due to more stringent data protection regulations.
The second category focuses on business continuity. This is particularly the case for those companies that are highly dependent on Information Technology (IT) or Operational Technology (OT) that are potentially vulnerable to cyber-attack. In such an environment, cyber incidents have a much greater potential to disrupt business operations if systems are impacted.
At Arch, how do you help companies prevent cyber risks before they turn into claims?
Jose: Our cyber insurance policy includes a range of prevention and mitigation services provided in partnership with leading risk-solution providers in the sector to help policyholders minimise their cyber risk. Our risk mitigation solutions extend from vulnerability scans, privileged user management, and identity security technology, to anti-malware capabilities, cyber training and awareness, and breach containment.
What is the main challenge for risk managers in this field? Are these professionals (and companies in general) sufficiently prepared to face cyber threats?
Rafael: Insurance is becoming an increasingly relevant part of an organisation’s cyber security posture. The rise in cyber-related incidents and resulting claims in recent years has heightened levels of cyber awareness, particularly amongst the C-Suite of organisations, which has subsequently increased investment in areas such as risk transfer as part of an overall resilience strategy.
In this context of continuous evolution, one of the main challenges for risk managers is how to adapt to new threat paradigms and emerging risks, seeking insurance solutions that adapt to their risk, both in terms of coverage and contracted limits. That is why cyber insurance products now go beyond the basic promise to pay in the event of a loss, to provide more service-led solutions that extend across all aspects of the cyber ecosystem, helping companies keep pace with this rapidly shifting threat environment.
What future trends do you observe in claims related to cyber insurance?
Rafael: New and emerging technologies, such as artificial intelligence (AI) and generative AI in particular, have the potential to create new risk scenarios that could significantly impact the cyber insurance market. While AI promises to revolutionise process automation across many sectors, it also has implications for data collection, storage and use, particularly in relation to data privacy and security.
In an ever more interconnected world, supply chain risks are a rapidly growing concern for businesses. Increasing dependence on third parties in the digital supply chain creates clear cyber risk, as a failure in one link can directly and rapidly impact the rest. Greater transparency and understanding of an organisation’s digital supply chain is crucial to managing the associated risks.
Also, while investment by companies in cyber security is increasing year-on-year, people remain the weakest link in any cyber security system. Several studies suggest that 90-95% of cyber breaches are due to human error, highlighting the growing importance of continuous training and awareness for employees.
Although the number of ransomware claims has not increased, the severity of cases remains high. What measures should companies take to manage such a complex risk?
Jose: There are several measures that we consider as key to helping mitigate risk within organisations.
As mentioned, improved awareness and continuous employee training are key to helping reduce the ‘human error’ element of a company’s cyber exposures.
Multi-factor authentication (MFA) to protect against password or identity theft is also fundamental to improving cyber security, but there is still a significant proportion of organisations which have not implemented enterprise-wide MFA protocols. Similarly, consistent security patch management is crucial to mitigate exposure to new vulnerabilities.
We would also recommend offline backup to enable companies to recover information in the event of ransomware encryption or loss of data. In addition, deploying an endpoint detection and response security solution will enable companies to automatically search for and respond to cyber threats.
Arch provides customers with a cyber risk analysis questionnaire containing key controls to assess cyber maturity and in turn help identify potential improvements.
How are you assessing the risks associated with artificial intelligence in relation to cyber insurance? Could the use of AI in companies present new types of cyber risks?
Rafael: This falls into three main areas in our view.
Firstly, AI is still at an early stage of adoption for many organisations, and, like any new technology, it entails novel risks that need to be recognised, evaluated and mitigated. At Arch, we evaluate the use cases that each insured has found for AI in their business, as well as the controls they have applied.
Secondly, we have observed that cybercriminals are already applying AI to develop more sophisticated and increasingly automated cyber-attacks.
Thirdly, from a regulatory perspective, the EU AI Act introduces the first comprehensive regulatory framework for this technology. With this Act, there is a clear set of requirements and obligations on the part of both developers and users of the technology with respect to the safety and rights of EU citizens. Companies that make use of AI tools therefore need to be aware of their compliance requirements under the legislation and potential sanctions.
AI is evolving rapidly and continuously, posing new security challenges for companies. It is therefore vital that we not only understand AI’s potential but also the potential short, medium and long-term risks it may create.