‘What you have to keep in mind about the cyber crime industry is that it is an industry, that it is hugely lucrative and is dependent upon skilled technicians to deliver the various stages of an attack with different skill sets,’ says CUO

Brokers are ultimately responsible for educating the market, and customers within it, on the necessity for cyber insurance. However, they “have been let down by insurers” on the provision of effective education materials.

That was according to Alex Jomaa, chief underwriting officer at cyber MGA Onda, who spoke to Insurance Times following the expansion of the firm into the mid-market via the launch of Onda X. 

Jomaa explains: “Brokers are responsible for carrying that education torch, but they have been let down by insurers in that they don’t really have anything concrete to show customers, other than some myth busting documents and a policy wording that gives some coverage details.

“That doesn’t really show customers anything terribly specific about their business, whereas we’re attempting to equip brokers with the means to go and have a toe-to-toe conversation with security or IT managers and bring them to the table.” 

Onda’s mid-market proposition, Onda X, was designed with the goal of providing brokers with these ”basic building blocks” that they need to effectively sell cyber insurance, while also eliminating the need for time-intensive form filling on the client side. 

Through the blending of an external scan, threat profiling and quantification and a “behind the firewall risk assessment” of customers to validate what controls they have in place, Jomaa says that Onda can generate all the information it needs for underwriting while also providing brokers with examples of security improvements that the client can make. 

He adds: “That holistic view across internal, external and threat takes away a tonne of guesswork from underwriters and alleviates the need for a broker to get a client to fill out a massive proposal form, often standing in for hundreds of questions.

“We’ve determined that all the information we need to make an educated underwriting decision is already housed within the client product suite or through external and threat signals.”

Claims efficiency

In promoting the penetration of cyber insurance into the mid-market, Jomaa says that this method of verified underwriting may also help to improve the reputation of insurance cover. 

Rather than claims being held up or refused because of technical specifics gathered from underwriting forms, brokers can ensure that underwriting criteria are correct from the off. 

He says: “Customers that buy cyber insurance through the traditional route of filling out an application form can often have a dispute post loss with their insurers because configurations weren’t exactly as they were specified.

“That doesn’t necessarily result in claims being declined, but it certainly results in delays or reductions in indemnity and so on. Candidly, that’s not a good look for the industry at large when we’re trying to sell the value proposition.” 

Jomaa says that this is particularly important for mid-market firms because, unlike larger companies, they are often still in rapid scaling journeys and can be underinformed about the risks cyber criminals pose.

Backed up by Onda’s threat analysis, Jomaa notes that there is “increasing activity by cyber criminals that is partly being driven due to the democratisation of tools”. 

He adds: “What you have to keep in mind about the cyber crime industry is that it is an industry, that it is hugely lucrative and is dependent upon skilled technicians to deliver the various stages of an attack with different skill sets.

“Believe it or not, a lot of the larger cyber crime groups operate like large regulated companies with departments and engineering teams.” 

This is a vital part of the education piece that brokers must bring to clients when arranging cyber insurance, because it drives home the point that this line of cover is not a traditional form of insurance. 

Jomaa finishes: “People forget that cyber attacks are an act of man sometimes, rather than traditional insurance perils that are acts of God, such as hurricanes and earthquakes. There are factors you cannot predict and we can’t identify what cyber attacks are going to look like 10 years into the future.”