As an underwriter who’s constantly trying to balance being both quick and careful, the worst thing you can do is treat every single applicant the same. Doing so can ultimately be setting you up to take on more risk than you’d expect. Of course, the more experience you have, the better you’re able to quickly assess a company’s risk posture.
But you should never compromise on either speed or quality when it comes to determining what a company does, it’s risk posture, and what sets that company apart from others in your book of business. Take a look at the following three things that can help you with this tightrope walk.
First, get a handle on what the company does.
The biggest challenge, risk, and opportunity for any underwriter—both new and experienced—is understanding quickly and completely what an applicant’s company does. This process can be time-consuming and difficult to understand, but its importance cannot be understated. If you are underwriting a new company, it’s far more critical to understand what the company does than it is to review all the responses on their application. As an insurance company, you essentially underwrite an applicant’s business operations, the services they provide, and how they make money. Certain responses on their application form may help you better understand the coverage they’re seeking and the limits you want to provide them—but without a good understanding of how the applicant’s business operates, you’re in the dark.
Second, identify which information on the application is critical based on the company description.
Next, you need to quickly understand whether the information the applicant provided you with is critical or not. For example, if you’ve done your homework on a company and know they have strong retail exposure, it would be good to know if they didn’t provide you with their PCI compliance data or records. But if your applicant was a manufacturer, PCI information and records may not be that critical. At this stage, you can begin seeing how speed and thoroughness are not at odds—they complement each other in this process.
Finally, use technology to help you gain objective insight for timely analysis.
There are certain vulnerabilities that companies are more susceptible to depending on their industry type and certain risk vectors that may align more closely to a particular applicant once you better understand the nature of the company’s operations. For example, if your applicant heavily relies on a single hosting provider and that provider isn’t available for a period of time, that could affect the applicant’s ability to deliver to their customers. Significant botnet activity associated with a company’s network over a period of time indicates a higher likelihood of compromised systems to data breach, business continuity loss, and ransomware.
BitSight Security Ratings help you uncover any vulnerabilities on your applicant’s network, and BitSight Discover allows you to instantly see which third parties your insureds are using. Using a combination of BitSight technologies, risk vectors that reflect endpoint vulnerabilities that the applicant might have, and your applicant’s critical service providers, you can hit the ground running quickly. Armed with this information, you’ll be able to determine if it’s a good idea to continue the underwriting process or whether the applicant presents more risk than you’re willing to take on.
Your goal should be to underwrite to the applicant while keeping in mind all the related risks around them. In simpler terms, don’t just consider what’s right in front of you—research the context, surrounding relationships, and implications. When you follow the advice above, you’ll accomplish both speed and thoroughness in your cybersecurity underwriting practices.