Insurance against cyber-attacks, AKA cyber insurance, is surely the most exciting domain in insurance today. Companies globally are purchasing cyber insurance for different reasons, including skyrocketing cyber security costs, banks demanding that suppliers have such a policy in place, and board members worried about liability under newly emerging regulation such as GDPR next year. Ultimately, cyber insurance is the only “cyber” solution that will support an organization post-breach and refund costs.
But many different parts still need to come together to deliver on its promise. While the estimated $5B US cyber insurance market is still in its early days and is a small part of the approximately $1.2T+ in net annual premiums written, it is certainly the fastest-growing segment, with around 30% CAGR expected for the coming years.
However, this market is still small relative to the size of the cyber risk pool, with the cost of cybercrime estimated to reach $2T in the US alone in 2019.
And so, a range of issues and concerns must be addressed for cyber insurance to realize its full potential:
- Customer Segments: Clearly an immediate need for cyber insurance is in B2B. Companies need cyber insurance to protect against both first- and third-party risk, including smaller companies supplying to third parties. But consumers should also be able to insure themselves against cyber risk.
- Data: Insurance companies depend mainly on questionnaires, which are not only outdated the day they are filled in, but also contain information that is often inaccurate and requires specific expertise to gather. In many cases, the cost of this collection process is higher than the cost of the premium itself. In a world where everything, and certainly IT resources, provides detailed data, and where attack surfaces expand and attack vectors develop, using real-time data to assess cyber insurance risk is a must.
- Customer Experience: Signing up for cyber insurance today means filling out long questionnaires regarding infrastructure, data, policies, people, etc. Complex info, hard to collect, introducing significant friction in the process. Hardly a process that scales, and a data-driven world allows for much of the user experience to be almost frictionless.
- Distribution: As a company, will I buy cyber insurance separately, or as part of other types of insurance? Is there a reason to buy it from an insurance company? Why would I not buy insurance for my customer data with AWS, and DDoS downtime insurance from Cloudflare? I get security updates with Windows – why not a basic insurance against the OS being hacked if I run their endpoint security that’s built in?
- Risk Modelling: From the outside-in or the opposite, one can automate data collection relevant for the process of underwriting a company, including risk domains such as digital, HR, regulatory and other types of data that can support predicting claims. Breach data is somewhat available in public repositories; however, much of the interesting data is collected by ongoing OSINT and dark web intelligence (e.g. breached servers, account credentials, etc.), and in some cases even the company itself is not yet aware of the breach. This data can be used in risk modeling to predict cyber claims and the impact of attacks. Aggregate and systemic risks are a main concern for insurance companies when discussing cyber. When the goal is enlarging market share, aggregated risks are sometimes invisible until a catastrophe hits.
So yeah, it is complicated.
But it is clear that insurance carriers need real-time, data-driven technology solutions that can accurately assess cyber risk, to help deliver products across multiple segments and multiple distribution channels and with a great user experience.
Cyberwrite is building the technology to facilitate rapid growth of the cyber insurance industry and we could not be more excited to support Nir and Rotem in achieving that goal, and doing so now!