Understanding Cyber Insurance: Interview with Michelle Chia of AXA XL

With cyber intrusions on the rise and costly ransomware incidents making headlines, more companies are seeking to manage risks by purchasing cyber insurance coverage.

According to the National Association of Insurance Commissioners, the U.S. cybersecurity insurance market grew 47.6% in 2022 to about $9.7 billion in direct written premiums. But many businesses are still thinking about whether to add cyber insurance coverage, or don’t know enough about this relatively new type of policy to decide.

To learn more, we spoke with Michelle Chia, chief underwriting officer for cyber in the Americas at AXA XL, the specialty risk division of global insurer AXA. This interview has been edited. 

A: Fast forward to about 2017. That’s when we started seeing ransomware in a meaningful way. Year after year, from 2017 to 2022, we saw maybe 50%, 100%, more than 300% increases in events related to ransomware. That also coincided with the pandemic because there were so many more individuals working from home, and there were more entry points into networks. So many claims were being paid, not just the number of claims but also the scale of payouts increased substantially, and therefore that created another capital crunch. There was a limited supply of insurance capital, and the demand was high at the time.

A: It’s definitely more of a buyer’s market right now. Rates are more favorable in comparison to the past two or three years, primarily because of an increase in carriers who have entered the space, creating a greater access to capital. Also, carriers that were in the space haven’t been paying as many losses as in prior years and so they are able to expand as well. 

A: Somewhere between 30% and 50% of organizations actually buy cyber insurance, and they are only insured to about 30% to 50% of their exposure. So they are underinsured, and the vast majority of businesses haven’t purchased it yet. 

A: In comparison to other insurance products, cyber insurance is not required. If I’m a $10 million or even $100 million revenue organization, what are my other spending priorities? These are business decisions organizations have to make. I also think there is a lack of awareness and understanding of what to do. This is an emerging risk. If we look at auto insurance, every kid knows you’re supposed to wear your seatbelt. Kids in elementary school practice fire drills. We’ve been made aware of those risks as a society for decades. Cyber risk has only taken prominence since the dotcom boom. 

A: There’s an application process. Some carriers scan the external network of an organization to get a sense from the outside of cybersecurity controls. Many times there is a questionnaire, much like applying for health insurance. Basic questions are asked to understand what type of risk you are and how well you are managing exposures within your control. If there are basic controls, then the discussion becomes, “How do we structure a program that makes sense for how large you are and for your exposure?” 

A: It depends on what their cybersecurity posture looks like: Do they have absolutely nothing in place? An organization should always do what it can that’s under its control. Build your resilience first. If they don’t know where to start they should definitely go to a cybersecurity consultant. It’s important to figure out what your exposure is relative to your organization’s size. Then, from an insurance procurement perspective, go to a broker that helps with other commercial insurance lines to figure out what else you need to do in order for an insurance carrier to be interested in you as a client.

A: It depends on the insurance company. Many times when an organization experiences an event, it’s either Friday night or over the weekend or over some federal holiday. The majority of events occur during those time periods. So at AXA XL, we have a 24-hour, seven-day-a-week hotline so that people can call and say, “I’ve experienced an event, I need help.” There are many organizations that need to be called immediately to stop the bleeding. You need to know who to call. If you have an incident response plan, great. Follow that plan. Some organizations don’t have one. We have the 24/7 hotline where we always have someone on call to help our insured through the event.

For more on the latest in cybersecurity news and tools, visit the MxD Cyber Resource Hub.