Cyber Risk & Insurance: A Game Plan

By Jenny Soubra, U.S. Head of Cyber, Allianz Global Corporate & Specialty

Clients often ask me for a playbook: Cyber Risk Mitigation for Dummies, as it were. In large part, I understand the request. Humans love certainty. Risk managers love check boxes… If I do this, then I’m compliant. If I do that, my company won’t have a network breach. If I do this other thing, the network breach we suffer won’t be so bad I’ll get fired after it. They want the risk management version of a perfectly executable program.

As a cyber insurer, we get a very critical piece of the risk puzzle: data on real-time network events and new threat vectors. We see this over a great number of companies.  We also see companies that do not suffer losses. That does not, however, mean that there are obvious causalities between doing X and suffering Y.

Some things are obvious: encrypt, segregate, protect. But insurance companies really only get one piece of the picture. We get an insurance application, which at best just gives me a snapshot of a client’s network posture at the precise minute that they filled out the application. Assuming that the person that filled out the application understood all the questions and gave valid responses, the application may be irrelevant next week, let alone in a few months when the client has the budget to bind the policy I quoted. I need a way to trust and verify, as well as to give my clients suggestions on how they can further improve.

I Get By With A Little Help from My Friends

As I mentioned, Insurers have one important piece of the puzzle: data. We know what’s happening and when it happens, because our clients want us to write checks to deal with it. But my business model isn’t one of dissecting new data – it’s one of interpreting data that has been built over years. My actuaries can tell me that I (as a married woman with children, living in urban California, driving a certain kind of car) have a likelihood of X of getting into an accident, and that if I do, it is also likely to cost Y. There simply isn’t enough data in any insurance company’s claims system to give us similar insight on cyber losses. But the losses won’t stop just because I can’t predict them by traditional means.

Enter: Partnerships – specifically partnerships with firms that have more insight into and dedicated resources for applying Big Data and network defense trends to the problem of how we help our clients manage and improve their cyber risk. We especially look for partnerships that can help us not only anticipate claims trends that we have not yet seen or that have not yet begun, but that can also tell us which of our existing clients or applicants are likely impacted by those emerging trends.

We have been very lucky to partner with two Valley-based firms, Cyence and Zeguro, both of whom provide us different insight into these issues. One (Cyence) helps us make better decisions, allowing us to pick better risks and better understand the likelihood of threat vectors on individual companies. The other (Zeguro) helps our clients choose better solutions, enabling them to further improve their network security.

The partnership model for addressing cyber risks is not new. For over 10 years, the industry has leaned on expert law firms and vendors to help clients navigate the murky process of responding to data breaches, whether caused by network security failures or otherwise. There are and will be other fantastic partners whose skill set we can bring to bear for the benefit of our clients; like any good team, we will play to each other’s strengths. However, the game is so new that we’re still identifying which positions are required to play. As such, I anticipate and look forward to partnerships that will help us move the ball forward.

About the Author

Jenny Soubra is the U.S. Head of Cyber, Tech E&O, Media, Specialty PI at Allianz Global Corporate & Specialty (AGCS), in addition to her role as a Global Cyber Practice Leader at the firm.  In this capacity, Jenny is responsible for setting strategy for and leading a team of U.S. underwriters focused on Cyber and Specialty Errors and Omissions risks.  Additionally, Jenny leads AGCS’s cyber breach response vendor engagement process on a global basis.

Since joining AGCS in 2015, Jenny has helped to build the insurance policies and enterprise strategy for Cyber, Tech E&O, Media, MPL and A&E products, and is working to build strategic partnerships supporting these products both for the US and globally.  She is also a frequent speaker for NetDiligence, PLUS and other affinity groups on topics of technology and cyber risk.

Jenny is a seasoned Insurance professional, with nearly 20 years of experience across financial lines at some of the largest carriers globally.   Throughout her experience, Jenny has been charged with principal underwriting responsibilities for some of the largest U.S. Cyber carriers, where she has managed Fortune 1000 books nationally, including primary placements for many of the largest retail, healthcare, and cloud providers in the world.  Further, Jenny managed regional and national management liability and professional liability teams, coordinated actuarial and claims review of complex risks in the Crime and EPL space, and managed national distribution networks for several carriers in the financial lines space.

Jenny received her BA in Mass Communications from Cal State University at Hayward, and is a licensed CA Fire and Casualty Broker.  Jenny co-founded the Northern California chapter of Emerging Insurance Professionals (EIP), for which she most recently served as VP of Communications. Jenny participated in strategy setting for the PLUS Diversity Committee and completed two terms as National Committee Chair for Future PLUS.