Safety National: Building the Next Generation of Cyber Readiness
Uncertainty in the cybersecurity space, driven by the rise of remote work and digital trends following the COVID-19 pandemic, catalyzed a revolution in risk management for both enterprises and cyber insurance providers. With a 50% increase in ransomware attacks in 2020 and more than double the number of incidents in the following year, the cyber insurance market was disrupted by the frequency and severity of cyber claims, which left the broader market unprofitable. Insurers incentivized enterprises to adopt robust cybersecurity defenses and advanced security protocols, such as zero-trust architecture (ZTA), endpoint detection and response (EDR), and multi-factor authentication (MFA). Organizations had to prove their ability to recover from incidents. The risky environment led to increased premiums and decreased limits and coverages, but also to elevated security postures.
From the industry shifts, it is evident that cybersecurity can either pause or accelerate an enterprise’s digital transformation goals. In today’s AI-infused, intelligent automation and digital-led era, large enterprises face a significant risk of experiencing cybersecurity threats and data privacy non-compliance at both global and domestic levels. Safety National has been a leading specialty insurance and reinsurance provider for thousands of customers, including marquee global enterprises, since 1942. In 2017, the company introduced its cyber liability offerings. Its comprehensive cyber risk insurance solutions protect companies against diverse network security and data privacy risks, reimbursing damages and financial loss arising from accidental or malicious incidents to computer networks, software, and data.
Spencer Timmel, Head of Cyber and Technology Insurance of Safety National, shared his insights about the volatile cyber insurance market and how the company is poised to empower enterprises to become next-generation industry leaders. He is an industry veteran with nearly two decades of experience, bringing a rich background in risk identification and modeling, breach preparedness, coverage analysis, and claims advocacy.
Fleeting Stability, a Reflection of Threat Landscape
Spencer’s hands-on expertise, honed by years of observing industry shifts and the escalation of network security and data privacy vulnerabilities into serious threats, offers a unique perspective on the state of cybersecurity over the years.
Ransomware frequency declined in 2022 but increased again in 2023. Similar losses occurred in 2024, but the trend is now an increase in severity. This is a result of more effective backups allowing businesses to recover on their own, without the need to pay the ransom. Threat actors raised their demands on businesses that were unable to recover. “For those involved in cyber insurance buying, the market shifted to a much more buyer-friendly one,” says Spencer. The capacity has returned, coverage has expanded, and premiums are down. However, markets have seen a considerable increase in data privacy claims.
Spencer believes the trend is a result of improper disclosure, collection, or use of sensitive data. This is because class action lawsuits and regulatory actions take significantly longer to finalize. “These longer tail issues bring the word uncertainty back into the insurance discussion,” Spencer adds. Recently, there has been stability in the cyber insurance market, with some industry classes in the large account space taking small rate increases.
De-risking and In-house Approach to AI-enhanced Cyber Claims
Safety National’s cyber risk insurance and Excess Cyber Services powered by NetDiligence® are shaped by the profound industry expertise of their security teams, led by CISOs, that have already invested in the most significant and effective security tools. Instead of seeking out new security tools, the team is focused on helping customers optimize their existing tools and investments. By running external scans of Safety National’s insureds, they help identify blatant security vulnerabilities, like open ports, that cybercriminals could find and exploit. Additionally, Safety National works with several public entities, leveraging their client partnerships to provide relevant training and vendor contacts that can help support new technology.
Unlike typical insurers that use third-party administrators (TPAs) or external monitoring counsel, Safety National manages all cyber claims internally. To enhance the efficiency of their claims processing, the company has started using an AI tool as an enabler while ensuring that all underwriting or claim decisions are made by their employees, thereby balancing AI-driven automation with human insights.
Pioneered with a Practitioner’s Edge in Cyber Risk Insurance Solutions
Having led a variety of client and market-facing roles for leading brokerage firms as a cyber and technology risk practice leader, Spencer has been instrumental in leading Safety National’s cyber insurance product development. His leadership approach and best practices align with the company’s values of balance, integrity, relationships, teamwork, and stability.
Adding on to Safety National’s client engagement model, Spencer highlighted the influence of his experience in proactive risk identification, quantification, and transfer. This experience has been the driving force behind developing a tailored approach to policyholders and underwriting individual risks, as opposed to the standard industry norm where carriers treat industry groups uniformly.
By using a unique program structure, experts at Safety National believe in listening to the insureds. “In fact, we entered the cyber insurance market because some of our casualty clients mentioned that they were struggling with cyber exposures,” Spencer adds. These customers have prior engagement with the company on other lines of business and sought a relationship-based approach, as well as experience and claims handling expertise on the cyber side of their business.
In 2025 and Beyond: The Race Never Ends
Overall, the insurance industry has made incredible progress in the last few years in its efforts to influence more security investments. In large healthcare entities specifically, Safety National’s team wants to observe how the players are implementing their security tools and ensuring their use across the entire cyber environment.
Although this seems like a challenging pursuit, for large environments with more endpoints and complexities across environments and architectures that deal with sensitive patient data, there is a higher likelihood of missing something critical. This would serve as a tremendous opportunity for Safety National. Additionally, the company focuses on understanding how organizations are securing and categorizing data because the risk of a privacy breach or exposure of patient data can lead to non-compliance with HIPAA standards and numerous regulatory and class action lawsuits that are a result of forgotten or unstructured data.
“Large organizations understand they have international threats, but concerning data privacy laws, our most significant concern is domestic threats,” Spencer says. Just as threat actors scan organizations’ external environments looking for vulnerabilities, many plaintiff attorneys are doing the same. They are searching for pixel tracking technologies and other opportunities that could result in a suit. Regulations change, but it is essential to maintain data privacy fundamentals to ensure enterprises can adapt to a shifting regulatory environment.
Advice for an AI-first Mindset
AI is evolving, and organizations must maintain clear-cut policies on responsible AI usage. This includes how enterprises train their employees, the data they have access to, and restrictions on adding sensitive data to AI. Anyone handling sensitive patient data who is accessing an open AI model is significantly increasing the risks. Access to a closed model through an AI provider contract should ensure that the information inputted is not contributing to the public access version.
Spencer added that it also applies to IT employees who might be trying to optimize an organization’s environment and, in the process, are providing AI with information about security tools. While this may drive operational efficiency and innovation, it introduces new risks such as model bias, data privacy concerns, and vulnerabilities to manipulation or misuse. Embedding ethical frameworks into AI development and ensuring alignment with emerging regulatory standards is critical. These policies and procedures should be shared with underwriters. An organization that can articulate those risks is likely to have better terms.