Cyber insurance: state of the space, trends & the emergence of fully-integrated cyber solutions
I have worked in fintech and then in cybersecurity; cyber insurance falls at the intersection of the two.
I have worked in fintech and then in cybersecurity; cyber insurance falls at the intersection of the two. Naturally, it’s an area I am deeply interested in. In this article, I will be looking at the factors that make cyber insurance unique, the dynamics in today’s market, and the trends shaping the future of this product as well as the entire industry.
This article would not have been possible without the help of Eric Cho who was very generous with his time. Thanks Eric!
Key learnings:
Cyber losses are hard to underwrite or to diversify, in part because there is not enough data but also because it’s hard to correlate specific measurable factors with cyber breaches
Today’s cyber underwriting is heavily skewed towards qualitative assessments done by non-technical insurance professionals; it’s more of an art than it is a science
Both insurers and startups are actively working on tooling to better underwrite cyber risks
Fully-integrated cybersecurity and cyber insurance solutions are the newest innovation in the space and the one that may have a long-lasting effect on the future of security
What makes cyber insurance different from other insurance products
Cyber insurance is a unique product for many interconnected reasons; I would like to focus on the following four.
Cyber insurance is a new product
Cyber insurance is one of the newest insurance products: it is less than 30 years old. As a result, insurance companies do not and cannot have the same volume of loss data as they have for, say, life or auto insurance. This makes the work of actuaries and underwriters much harder, and the premiums companies charge rest largely on subjective judgment. While life, health and auto insurance rates are based on actuarial tables, the cyber insurance rates we see today are much less scientific.
Cyber losses are hard to underwrite
Even when loss data is available, cybersecurity losses are very hard to underwrite. Unlike physical assets (buildings, cars, etc.), which are easier to count and quantify, in cybersecurity everything can be a target — from the asset itself (hacking an HVAC system or a water supply and causing damage to the building) to any information a company or its employees possess (employee and customer data, trade secrets, personal emails and digital media, bank details, etc. — the list of possibilities is almost limitless).
Cyber losses are hard to diversify
Unlike with other types of insurance, losses due to cyber attacks are not easy to segregate. Diversification is at the core of the insurance model: no single company would insure all commercial buildings in a region that could suffer an earthquake. If the disaster were to occur, the insurer would suffer catastrophic losses and would be forced out of business. With fire insurance, it is very unlikely that a whole city would burn down at once. It is equally unlikely that 50% of the cars in a city would crash simultaneously.
Cyber insurance is a different beast: in a world where everything is connected, it is not at all unlikely that a large percentage of companies unconnected by industry or physical proximity can be targeted and suffer catastrophic losses all at once. You don’t need to imagine this — it has already happened with the WannaCry and SolarWinds attacks, to name two.
Many elements require third parties
Another factor that makes cyber insurance unique is that, unlike other insurance types, many elements rely on third parties — risk assessments, detection & response, digital forensics, breach coaches, public relations firms, incident response (IR) firms, law firms, and many more. It’s a big ecosystem with complex relationships between parties.
Cyber insurance of today: how it works, who is involved, and how the decisions are made
Cyber insurance is a complex ecosystem
Let’s now have a quick look at the elements of cyber insurance and how it works at a high level.
There are two components to cyber insurance:
First-party elements — costs that the insured takes on in case of an incident (data restoration, forensics, ransom payments, help coordinating ransom negotiations, coverage for network interruptions, etc.)
Third-party elements — liability coverage when a third party suffers a loss due to the breach (hacks resulting in class action suits, etc.)
At a high level, cyber insurance generally works as follows (note that this is an oversimplified explanation):
Companies will purchase security tools and services that fit their needs without any participation from insurance companies. Usually, insurance companies don’t tell their customers what vendors to use for protection (there are exceptions to this rule).
During the risk profile review, the insurance underwriter assesses both the technical controls the company has in place and the security governance of the business. When evaluating risk, underwriters take into consideration the company’s exposure and the controls it has implemented. During assessments, insurance companies also give some recommendations about the controls.
When a claim occurs, the business that has been breached will need to engage security professionals for remediation.
Some insurance companies have partnerships with cybersecurity companies (incident response (IR), legal, PR consultancies, etc.) that require the insured to use listed vendors exclusively. Security startups are out of luck — discussions about getting onto the “preferred vendor list” are generally long and complex, and insurance companies generally favor large, established security vendors.
Other insurance companies have no lock-ins and allow the company that suffered a cyber breach to work with any vendor. Based on my discussions with people in the industry, I am hearing that this freedom is slowly going away. The main driver for the change is the quality of services: if an unqualified IR firm is called to remediate the incident, it can make it worse, and the insurance company will have to pay more.
Underwriting teams do not have a technical background
While a small number of insurance companies have deals with security vendors that allow them to pull security data for underwriting directly from the company’s security tooling, the underwriters working on the deal generally do not have a technical background. For large companies and multi-million-dollar insurance contracts, the insurance company will bring in technical experts who work with CISOs (Chief Information Security Officers) and security teams to help quantify the risks; for smaller deals, this isn’t normally part of the underwriting process.
Today’s cyber underwriting is an art, not a science
Quantifying security efforts and measuring success in cybersecurity is hard. A company can do all the right things & get breached, or do nothing & just get lucky. Cyber insurance underwriting is, therefore, more of an art than it is a science.
Cyber underwriters look beyond the hard numbers. Several companies now offer external scans of a company’s web presence, vulnerability assessments, data about the number of exposed open ports, and similar signals, but when underwriters receive these reports they look at them only at a very high level. This is partly due to a lack of expertise, but also because of the inconsistent correlation between specific security controls and losses.
According to one of the underwriters I talked to, human errors account for over 50% of all claims — that would explain why underwriters are more concerned with the training programs companies put in place than with the version of their firewall.
New business models and what the future of cyber insurance could look like
The cyber insurance market has been growing in large part due to the high number and severity of ransomware losses. Forced to cover these losses, insurance companies keep raising the bar, either increasing premiums or refusing to renew existing policies in order to reduce their exposure.
These, however, are not the only changes. I see four trends that I think are going to define the future of cyber insurance.
Cyber insurance companies are building tools to better underwrite cyber risks
Insurance companies are not just sitting passively and watching the industry change. Many are actively investing in their technology, building the tools and infrastructure to power their cyber underwriting. Some large insurance and reinsurance corporations are spinning up tech startups in their corporate innovation labs with the goal of providing technical tools for risk assessment and underwriting.
One trend that will likely become more widespread in the coming years is so-called “adaptive cyber insurance”, which pairs continuous monitoring and risk assessment with continuous underwriting.
Startups building tools that help insurers better underwrite cyber risks
Insurance companies are not the only ones who see the opportunity to better underwrite cyber risks. Many entrepreneurs have been attempting to reinvent the way cyber insurance is sold and underwritten, and the way insurance claims are processed.
Examples include:
CyberCube offers end-to-end solutions for the cyber insurance sector, including an analytics platform with an unrivaled ecosystem of data, signals, and models to power cyber risk quantification.
BitSight which, as their LinkedIn page explains, “applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help manage third party risk, underwrite cyber insurance policies, benchmark performance, conduct M&A due diligence and assess aggregate risk.”
Paladin Cyber is building tools for sustainable cyber underwriting.
Cyber insurance products are bundled with security services
NYC-based Cysurance is a licensed insurance agent designed to allow managed service providers to bind a broad cyber policy on behalf of their customers right at the point of sale. Cysurance’s cyber policy is underwritten by Chubb.
With platforms such as Cysurance, companies selling cyber insurance coverage no longer need to be licensed or even to understand insurance. Managed service providers get an extra product they can offer to customers; here is an example of this arrangement in action.
In December 2020, Cysurance announced a partnership with a security vendor, CrowdStrike, and earlier that year — with Kaseya, a provider of IT infrastructure management solutions for managed service providers (MSPs) and internal IT organizations. Cysurance is also available on the AWS marketplace.
Cysurance isn’t the only player in this space; Cowbell Cyber is another similar example of this model.
This bundle is new but the business model isn’t innovative at its core: an insurance product sold through an established distribution channel of IT & security service providers.
Fully-integrated cybersecurity and cyber insurance solutions
The most revolutionary of the four trends listed here, in my opinion, is the emergence of a new offering — fully-integrated cybersecurity and cyber insurance solutions. It is a big shift: the same company offers both security services (managed firewalls, monitoring, reporting, incident response, and others) and cyber insurance.
There are two prominent companies in this space worth featuring here: Coalition & BOXX.
With the online platform offered by Coalition, licensed insurance brokers can generate an insurance quote in minutes. Access to the proprietary cybersecurity tools and services designed to detect, mitigate, and contain threats is provided to customers at no extra charge. In this model, a customer gets both protection and remediation from one vendor for the cost of the cyber insurance policy.
Coalition started as a US company and in 2020 expanded its product and service offerings to Canada.
BOXX Insurance is a Canadian fully-integrated cybersecurity and cyber insurance solution for small and medium-sized companies. BOXX Insurance works through local insurance brokers to bring their tailored product solutions to businesses. In other words, it’s a Canadian equivalent of Coalition.
This innovative business model fully aligns the incentives of the cybersecurity (prevention) and cyber insurance (remediation) arms of the business: by lowering the risk of a breach through its prevention component, the company reduces the claims it has to pay out of the premiums it collects.
The future of cyber insurance will be different
As Peter Drucker said, “the only thing we know about the future is that it will be different”. In an industry as dynamic as cyber insurance, the future is indeed going to be very different.
Which of the four trends above is going to prevail? I think all four will, to different degrees.
As the cybersecurity industry matures and insurance companies accumulate more data, cyber insurance companies will have to become tech companies — more agile, and open to experimentation and new approaches. I think we will see more and more integrated cybersecurity and cyber insurance solutions that incentivize businesses to better control their security posture. We are also likely to see new business models emerge in a space that is poised to grow and ripe for disruption.