Cyber crime is changing insurers’ approach to risk management
The thing about cyber insurance is that it’s a new and totally unpredictable risk. And it’s a risk that can’t be ignored and isn’t going away. The Internet has been great for convenience and connectivity but it has come at a price (which is why there is so much faith in blockchain as the enabler of trust).
In 2015, the CEO of Lloyd’s of London estimated the cost of cyber crime to business at $400 billion a year (which means it’s a big market opportunity for insurers). A recent Swiss Re/IBM survey found that 40% of firms had reported a cyber incident and this is expected to rise (which means nobody is immune).
Accenture reported at Rendez-vous in Monte Carlo in September that for every $ spent on information security, only 4 cents is being spent on cyber insurance (which means there’s an under-insured gap). And CBInsights reported that standalone cyber insurance premiums grew by 7% in 2017 with Swiss Re/Sigma reporting the cyber market could grow at 15% pa over the next 5-10 years (which means cyber insurance is a growth line).
But (and there is a but). Whilst cyber insurance offers many opportunities for insurers, it also brings with it many challenges. Compare it to, say, weather, where we have decades of detailed data to model patterns of climate behaviour. With weather, we also know in advance when adverse weather conditions are heading our way, albeit with just a matter of days or weeks’ notice.
But with cyber it’s a different story. There are no advance warnings. There are no detailed and complex models of behaviour to plan against. It’s like knowing that a hurricane is probably going to hit you at any time, but you won’t know when until after the event. And worse than that. You won’t know that you’ve been hit by the cyber hurricane, with all the resultant losses that come with it, for months maybe even years afterwards.
Cyber crime isn’t following patterns in the same way as other risks do. Cyber throws up new risks and threats that nobody has seen before. One minute everyone is looking out for the next ransomware attack and next thing you know the threat has shifted to crypto-jacking and your IT resources are being used by someone else!
With cyber, nobody knows the boundaries. Which is why the insurance industry is going to have to rethink its approach to risk management when it comes to cyber insurance.
InsurTech is leading the shift to Service Led Risk Management
Prevention is better than cure is the InsurTech mantra when it comes to IoT in the home insurance market. In the world of cyber insurance, it is even more relevant. The traditional approach to risk management of (simply) transferring the risk of financial exposure to an insurance company isn’t going to cut it for a business if it wants to continue business as normal after a cyber breach.
This is partly because assessing the full impact of a cyberattack is difficult. It’s not like assessing the cost and repair of an escape of water in the home, or even the cost of rebuilding a million homes after Katrina. With data increasingly being a firm’s key asset, protecting it and maintaining its integrity is a strategic imperative. According to IBM, the average cost of a data breach is $1m.
This is especially relevant if that firm is a small to medium-sized enterprise, because they are unlikely to have much in the way of information security or the resources required to prevent, manage and recover from a cyber attack. (According to a 2016 IBISWorld report, 72% of cyberattacks in the US occur in SMEs.)
The good news is that this creates a massive opportunity for the insurance industry, because it signals a shift to a services-led and preventative approach to insurance, especially cyber insurance. It’s a trend I’ve been talking about for a couple of years now and it’s showing no signs of going away.
It’s both an opportunity and a threat for insurers because if the insurance industry doesn’t do it, then another one will. Imagine a motor manufacturer saying they will accept liability for their self-driving cars. Where does that leave insurance? The winners in either case will be the reinsurers as they are the best at managing risk capital.
However, the shift to services-led (rather than indemnity-led) insurance doesn’t mean that we are going to see incumbent insurers trying to develop new core competencies. Given the complexity and technological demands of cyber risks, it is unlikely that we will see insurers investing in their own cyber security capabilities.
Instead, the incumbent insurers will partner with specialist cyber security firms to offer a holistic cyber insurance service that covers both financial and non-financial remediation such as cyber prevention, resolution and recovery.
So, what are the InsurTech startups doing about it?
The InsurTech Hybrid approach to cyber insurance
Some InsurTech startups are approaching cyber and cyber insurance differently to the incumbent insurers. This is a complex and fast-moving line of business, which means that relying on the traditional approach of checklists and out-of-touch actuarial models isn’t going to cut it when it comes to modelling cyber risk.
This new generation of hybrid cyber insurance startups come with a security and cyber background. This is the InsurTech trend where entrepreneurs who are tech first, insurance second are creating technology platforms for the sole purpose of enabling a lower cost, automated, digital insurance offering. It’s no different to the way that Uber, eBay and Airbnb are tech platforms that own no cars, merchandise or hotels.
This current generation of cyber insurance InsurTech firms are only a couple of years old but have already built cyber security monitoring and protection platforms and added insurance on top. Or to be correct, they’ve added reinsurance to the service offering (which is why you see Munich Re and Swiss Re all over this space).
As with all InsurTech firms, the cyber insurance startups have built highly automated and technology-enabled platforms. They’re assessing risk and tailoring the insurance service and coverage to meet the SME’s specific requirements without a massive human input. As Coalition put it, they “underwrite without underwriters”.
The ones to watch in the cyber insurance hybrid model
Here are four of the leading InsurTech hybrid startups when it comes to providing cyber security and insurance in a combined cyber insurance service for SMEs.
Based out of San Francisco, Coalition provides cyber insurance to SMEs across the USA. What makes them different is that they are also a cyber security business. Customers who buy their Swiss Re/Argo underwritten insurance coverage get a bunch of free cyber security tools and monitoring services.
Less than two years old, Coalition has already raised $10m through a Series A round. Their distribution model is through retail brokers, which is no surprise given the brokerage background of their CEO. But make no mistake, this is a technology platform that provides a fully automated service rather than a standard checklist approach when it comes to pricing cover “within 4 minutes”, start to finish.
At-Bay are a cyber insurance hybrid InsurTech that are only a couple of years old and have already raised $19m to fund the development of a cyber monitoring platform. SME clients buy cyber insurance coverage that is underwritten by Munich Re’s Hartford Steam Boiler and what they get are cyber risk and security monitoring services provided free of charge.
The essence of the At-Bay cyber insurance offering is that they provide active risk management for the business. This is no longer the world of shoving the insurance policy in the digital filing cabinet. Cyber insurance provides continuous, round the clock monitoring and protection with an emphasis on prevention.
Paladin Cyber is the brainchild of Han Wang, who comes from a military cyber security background. With co-founder Daniel Bilbao, they took Paladin Cyber through Y-Combinator in 2017 and now provide cyber insurance for SMEs. Like Coalition and At-Bay, Paladin Cyber are a hybrid cyber security firm and insurance provider.
As they say on the website, “We prevent the problem, resolve it if it happens and make sure it doesn’t break the bank”. Similar to Coalition and At-Bay, Paladin Cyber have built a cyber security platform that simplifies the task of cyber management for SMEs. Their insurance coverage is tailored to the specific needs of the SME.
Where Paladin Cyber differ is that they use InsurTech platform development agency Boost Insurance for its insurance administration.
Formed in 2016 in San Francisco, Zeguro have built a full stack platform that combines cyber risk management and insurance for SMEs. Their hybrid cyber insurance offering provides a cyber security management solution that covers continuous monitoring, tools for employee compliance and a maturity score with a tailored cyber insurance policy.
The Zeguro brand is built around the Virtual Cybersecurity Officer for the SME. Using automated monitoring and cyber tools, Zeguro both proactively protects the SME and provides cyber insurance cover from Munich Re’s Hartford Steam Boiler.
The Digital Insurer webinar; Cyber security – implications for the insurance industry
Later this year in December, The Digital Insurer will be discussing this topic of cyber insurance in detail with a panel of experts. Registration is open now for this free to attend webinar that will undoubtedly get to the heart of this matter.
The author Rick Huckstep is Chairman of The Digital Insurer and a keynote speaker, strategic advisor and investor in technology start-ups