|
Reading time: 4 minutes The Elephant in the (Server) Room - an unfiltered conversation about systemic cyber riskSo, here's what nobody in insurance is talking about: your biggest cyber risk isn't your own network. It's your portfolio. It's the risk you're getting paid for, not the one you're trying to prevent. It's as much of an underwriting philosophy issue as it is an IT issue. What follows is an unfiltered conversation I had recently with the CFO of a regional P&C insurer. (These are mostly my own opinions. But, I would argue, they need to get some sunlight!) He'd just come from a board meeting where they approved another seven-figure spend on his network security, but he was starting to realize that was the wrong focal point. He was focused on the "uncompensated" risk—protecting his own fortress—while completely missing the existential risk he was aggregating inside the walls. This isn't polished. It's not a white paper. It's just us discussing what might be the most overlooked catastrophic risk on P&C balance sheets today. The "Victim" vs. "The Aggregator"Every CFO is told to think of cyber risk like a "Victim." Your job is to build the highest, thickest walls to protect your systems. You spend millions on cybersecurity, compliance, and training. These are "uncompensated" risks—pure, sunk costs you spend to prevent a loss, a fine, or a reputational hit. Your board, your regulators, and AM Best all praise this. This is "best practice." And it's completely blinding you to the real threat. The real threat is the "Aggregator" mindset. You're not just a victim of cyber risk; you're an aggregator of it. That fast-growing cyber insurance line you've been writing? That's the "compensated" risk. And it's not a diversified book of business. Think about it: when you write 10,000 homeowner policies, you're diversified by geography. A fire in Ohio doesn't cause a fire in Texas. But when you write 10,000 cyber policies, they are all, effectively, in the same location: "the internet." They are all correlated. They are all exposed to the same single, systemic vulnerability in a core piece of software. You're not underwriting 10,000 separate risks. You're underwriting one risk, 10,000 times. The Tragedy: Copying the Wrong PlaybookThe industry is telling every carrier to focus on the Victim problem. "Be more sophisticated," "Adopt these cyber 'best practices'," "Harden your network." But that's the equivalent of telling a carrier in Florida to buy a really good fire extinguisher for their home office... while they're writing 90% of their property policies in a single zip code on the coast. The fire extinguisher is a good idea! But it's not the risk that's going to bankrupt you. Every carrier is focused on preventing the $50 million operational loss from their own breach. But they're completely ignoring the potential $500 million underwriting loss from their portfolio. When a "Cyber Hurricane"—a single exploit that hits all your policyholders at once—makes landfall, all that spending on your own fortress walls becomes irrelevant. The tragedy is that the entire industry is focused on not becoming a victim, while actively aggregating a catastrophe. Want to understand your real cyber exposure and benchmark your institution against your peers? Contact LION Specialty for a confidential review. The Bottom LineLook, we know this seems counterintuitive. All the consultants are telling you to spend more on your own operational defenses. But that's not the existential threat. The threat is the correlated risk you're getting paid for. In Part Two, next week we'll get back to our Boardroom Briefings style. But for now, just sit with these thoughts. Systemic cyber risk is lurking. Here’s the formal preview for next week: Part Two: The "Cyber Hurricane"—How a Systemic Exploit Breaks the Insurance Model in 24 Hours
Can't wait a week to read Part Two? We get it. This is the conversation every carrier needs to be having right now. Your portfolio isn't your new profit center. It's a single, correlated point of failure. Thank you for reading today's edition! Want to share this edition via text, email or social media? And if this briefing was forwarded to you, subscribe directly here. Stay Covered, Mark "FLIP" Co-Founder & Managing Partner LION Specialty |
Everything you need to know to navigate the financial institution insurance market in ≈ 5 minutes per week. Delivered on Fridays.
Reading time: 5 minutesListen time: 11 minutes Good morning. Two forces are reshaping litigation at once. Claims are getting more polished and more plentiful. The proof behind them is not keeping up. Generative AI can draft a flawless-looking brief in minutes. It cannot manufacture the evidence that brief needs. That gap is where this week's intelligence lives. Here's what's in front of you: Courts have now caught AI-invented citations in more than 1,700 filings (as of July 2026), and one...
Reading time: 5 minutesListening time: 6 minutes The Boardroom Brief — Quarter in Review America turns 250 this weekend. Nobody will mention insurance at the barbecue. But the industry you run is older than the country it's celebrating. Marine underwriters financed the Revolution when the colonies had no navy and no central bank. The receipts are real. So instead of a new Brief this week: ten editions from the past quarter that you told us mattered, measured in the ones you opened and the...
Negotiating D&O at Every Stage of the Build My first insurtech client was convinced he was going to be the Steve Jobs of insurance. Ten years ago he had everything investors wanted. A growth curve doubling every quarter. A proprietary pricing algorithm. And a claims and reserving operation so unglamorous it never made the deck. Guess which one kept him solvent. The growth curve drove the keynote. His algorithm set the valuation. The reserve discipline no one put in the deck is the only reason...