Cyber Insurance Issues: My 2nd Insurance Book Project [Updated November 13, 2023]

Background

As some of you know and now those of you who read this post will know, I’m writing a 2nd book. I have a tentative title which I really like but won’t share until I begin drafting in 2Q24. I’m striving to provide value to the insurance industry with the focus being on cyber risk issues that P&C insurance companies do and will face whether conducting commerce with commercial or personal lines clients.

(The topics of insurance commerce and insurers’ use of technologies are central sources of interest to me. My first book is titled “From Stone Tablets to Satellites: The Continual Intimate but Awkward Relationship Between the Insurance Industry and Technology” and is available on Amazon in Kindle, Audible, Paperback, and Hardcover formats.)

Wells Media will again edit and publish my book. I continue to appreciate Patrick Wraight’s and his colleagues’ help at Wells Media Group to edit and otherwise move my book from ideation to being published for the insurance industry.

Cyber Age

The Cyber Age has a multiplicity of factors including, but certainly not limited to: cyber insurance; self-insurance; auditing, monitoring, remediation, incident response, and (active) preventative services; emerging technologies and their applications; government regulations; and human behaviors and actions. Cyber exposures will continue to grow (exponentially?) as they spread – at times, in a “how the hell did they do that?” fashion – through an ever-expanding multi-dimensional and multi-directional attack space impacting consumers, corporations, and governments.

As my reading progresses and is augmented by the comments of cyber professionals graciously accepting my LinkedIn invitations, I believe at this time (November 2023) that there are 15 macro facets of the cyber age which I will discuss in my book (see visual):

I plan to discuss each of the 15 macro facets – and how they are interdependent and/or shaping the cyber age – in detail in my book. Readers of my first book won’t be surprised that I will again have several visuals in the book. Text on its own is too bland (for me) to guide me on my writing journey.

This blog post encompasses my:

  1. High-level timeline plan
  2. Audience for the book
  3. Discussion objectives
  4. More detailed plans for the 2nd book
  5. Cyber insurance beliefs.

My high-level timeline plan

Here is my latest (as of November 13, 2023) high-level timeline plan:

  1. Conduct research throughout 2023 & 1Q24. This includes gathering source materials, analyzing them, synthesizing my analysis into (hopefully) cogent notes and ideas; getting briefings from:
    • cyber insurance / risk participants including (re)insurance carriers, brokers, and MGAs (I’m changing this to early 2024),
    • CISOs / CSOs (Update: sent the survey in 3rd Quarter 2023 and gave them until late February 2024)
    • Lawyers offering cyber advice and other services
    • cyber information brokers, modeling and predicting (cyber risks), and other cyber analytical participants (Update: in 2024)
  2. Still in 2023. Framing (and re-framing) the sections and chapters of the book. I’ll continue to write WordPress blog posts during 2023 as a way to test my ideas with my LI members and LI Cyber Groups and with myself.
  3. Draft the book beginning in 2Q 2024. I expect that I will do several rewrites throughout 2024 and 2Q25. Because I am visual in my thinking and subsequent writing, my writing process includes creating PowerPoint visuals. As my readers and Wells editors know from my first book, I need to create or find a diagram of various situations (e.g., the flow of insurance commerce) to understand where cyber risks do or could exist. I’ll work with my editor (Patrick Wraight) sending him both progress reports and my initial drafts for his feedback during 2024.
  4. Have the book published by Wells Media sometime in 2025 or early 2026: I plan to send my final draft to Wells Media sometime in 2025, collaborating with Patrick Wraight to work through his edits and suggestions (and rewrites where necessary) until he is satisfied the book is ready to be published, and turn over our collaborative result to him. At that point, the book will be in his court to do his final edits and for his team to perform their magic to publish the book.

I realize this timeline is aggressive given the interviews and briefings I’d like to complete. I have created, to this point, seven frameworks for the book to prevent me from overextending too much.

Audience

I’m from the business side of the insurance industry and I write for insurance business professionals.

Specifically, the audience for my book is insurance industry business professionals involved in cyber insurance commerce. That includes professionals working for (re)insurance carriers involved in pricing; product development; underwriting; claims; customer service; and marketing, distribution and sales.

But my audience also includes:

  • CISOs / CSOs creating a cyber security / resilience stack of capabilities;
  • Lawyers defending insurers from insured’s cyber lawsuits;
  • Professionals working in the expanding ecosystem of cyber advisory service firms providing monitoring, auditing, remediation, analysis / modeling, incident response, and prevention services.

Discussion Objectives

My background

I have always loved to research current and emerging technology since I began working in the insurance industry in the mid-1960s. As I mentioned, I’m from the business side of the insurance industry (other than 4 or so years focusing on computer security and privacy in the SAFARI department of Aetna Life & Casualty in the early 1970s – the irony, right?).

In 1997, I was given the opportunity to become an insurance industry technology analyst and since then, I launched and/or guided insurance strategic services at technology analyst firms in the US (The META Group, IDC Financial Insights) and the UK (Omdia but called Ovum when I worked there).

The theme running through all of these experiences has been to analyze how current and emerging technologies – and their associated applications – do or could impact insurance industry structure as well as insurance commerce and operations to get-and-keep customers. These experiences informed my first book and will inform the second book.

My cyber focus

I intend to discuss (some of) the expanding cyber risk attack space impacting personal and commercial lines insurance commerce. My discussion will include current and emerging insurance cyber business commerce models and the associated expanding ecosystem of providers of various cyber advisory services.

My discussion will also include cyber risks facing P&C insurance carriers themselves as participants in the insurance commerce processes. Cyber is definitely a situation where “what is good for the goose is good for the gander”.

For me, this includes discussion not only of the P&C insurance commerce models (e.g. ILS cyber cat bonds, fronting captives) but also the growing importance of:

  1. D&O insurance for corporations who are – or could be – impacted by cyber risks (whether they purchase cyber insurance or not)
  2. E&O insurance (inclusive of Media Liability) for the applicable corporations who are – or could be – impacted by cyber risks (whether they purchase cyber insurance or not)
  3. Technology E&O
  4. E&O insurance for P&C insurance channels (and carriers?) selling cyber insurance
  5. D&O and E&O insurance for firms providing cyber risk monitoring / auditing / remediation services.

This is one of several junctures where I will need assistance from Wells Media’s Insurance Academy discussing which P&C insurance lines of business do or could come into play (Professional Liability?) in my discussion of the (known and possible) risks associated with insurance commerce in the cyber age.

I’d like to include, if the data is available, a discussion of which (re)insurance companies are providing cyber insurance policies, the nature of the cyber insurance coverage, for what range of premium, with which terms, conditions, and restrictions, and history of cyber claims and combined ratios. Where possible, I want to discuss the 3 or 5 year trend of the cyber coverage and its concomitant premium range as well as terms, conditions, and restrictions.

More detailed plans for my 2nd book …

I plan to reach out to:

  1. Technology industry analyst firms. The cyber age, for me, rests on the changing digital infrastructure that is continually reshaping our markets and customer expectations. I discussed in my first book that we are now living in a mobile, digital, web-accessible, cloud-enabled marketplace: those terms taken collectively are how I define the “cyber age”. Trends and challenges of each of those five elements (the 4 technology elements plus the consumer / corporate behaviors of the marketplace) both define and introduce new cyber risks or change existing cyber risks;
  2. (Re)insurers offering cyber insurance coverage;
  3. MGAs and brokers selling cyber insurance coverage;
  4. Technology and Telco firms offering solutions to insurance companies, brokers, and MGAs to support their marketing, distribution, and sales and service of cyber insurance;
  5. Information firms with cyber risk data for various attack spaces;
  6. Cyber advisory service firms providing monitoring / auditing / analytical / modeling / remediation / preventative services;
  7. CISOs / CSOs to identify their challenges about the evolving cyber risk attack space and associated cyber attacks;
  8. Lawyers offering cyber advice and services;
  9. Other firms that I identify through my research and/or from suggestions from my LinkedIn members, my contacts at Wells Media, and other contacts.

Cyber Insurance Beliefs

What’s driving me to write this book?

For me, cyber risks feel like terrorism risks.

That drives my foundational beliefs:

  1. Within the next 5 – 7 years, insurance carriers will provide less and less cyber insurance capacity by:
    • ceasing to offer cyber insurance coverage entirely
    • lowering the limits of cyber coverage they offer
    • sponsoring ILS cyber cat bonds (to keep more of their financial capacity away from paying for cyber claims)
    • fronting cyber captives (to keep more of their financial capacity away from paying for cyber claims)
    • continually tightening the terms, conditions, and restrictions of their cyber insurance coverage (generally as well as to stay away from systemic cyber risks and wherever possible cyber acts of war)
    • increasing premiums to offset their cyber-related losses, expenses, and combined ratios.
  2. Cyber risks are on the path to become high frequency and high severity, if they’re not there yet.
  3. Catastrophic cyber risks, and systemic cyber risks, are uninsurable by insurance companies.
  4. The cyber “protection and remediation” market is one where insurance companies will have a diminishing role. Other actors will have to take on an increasingly important, larger role:
    • The Federal Government (and the EU and other national governments) will have to take the largest role to provide a financial backstop for companies;
    • The ecosystem of cyber advisory service providers will take on an ever-increasing important role working with consumers and corporations who have been, are, and will be targets in the attack space (e.g. every consumer and corporation);
    • Consumers and corporations will have to take on the basic, and continual, role of protecting their own cyber security (with the help of firms in the cyber service ecosystem and with the financial backstop of their federal / national government). Corporations, specifically, will need to increase their retention levels (both financial and self-protection [which, when skills, experience, and other resources required for protection are factored in, are essentially “financial” by another name and instantiation]).

My beliefs may change as I progress through my research and briefings. However, 40+ years of working (primarily on or with the business side) in the insurance industry has grounded me to the inconvenient fact that just because a risk exists doesn’t mean that the insurance industry should offer coverage for the risk.

Begun week of January 9, 2023

I began researching this 2nd book effort during the week of January 9, 2023.

Similar to my first book, I am using Scrivener to create the framework and then, in 2024, as the writing solution for my drafts.

I am continuing to identify and collect cyber source materials; reading comments from cyber professionals on LinkedIn; and crafting – and re-crafting – an initial framework for the book.

I would appreciate any comments and direction you want to offer me as I pursue this project. You can respond to this blog post or email me: barryrabkin99@icloud.com
