Insurers, businesses learning to measure cyber risk in dollars, cents

As digital threats multiply, market for coverage opens up, draws more players

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Ser­i­al entre­pre­neur and cyber­se­cu­ri­ty expert M. Ariel Evans is posi­tion­ing her lat­est start-up to rev­o­lu­tion­ize the way insur­ance com­pa­nies assess and price poli­cies against cyber threats and how busi­ness­es pro­tect them­selves against cyber breaches.

An Israeli-Amer­i­can resid­ing in Tel Aviv, Evans is now chief exec­u­tive offi­cer of InnoSec, a com­pa­ny that ana­lyzes and man­ages risk from a cyber per­spec­tive. InnoSec’s cyber-risk man­age­ment appli­ca­tion, brand­ed STORM, gen­er­ates data to help com­pa­nies man­age cyber­se­cu­ri­ty risks and to allow insur­ance com­pa­nies to mea­sure prospec­tive pol­i­cy­hold­ers’ risk and price poli­cies appropriately.

Relat­ed video: Cyber insur­ance mar­ket bridges gap between tan­gi­ble, intan­gi­ble assets

Ariel Evans, InnoSec CEO

There’s a huge need to be able to under­stand the rela­tion­ship between cyber risk, cyber insur­ance and risk tol­er­ance, and to quan­ti­fy it in a way that orga­ni­za­tions can under­stand, and allow them to have this very insight­ful infor­ma­tion,” Evans says.

In the event of a major breach—such as the mas­sive 2013 attack that cost retail­er Tar­get more than $200 mil­lion, or the recent world­wide Wan­naCry ran­somware cryptoworm—cybersecurity insur­ance enables orga­ni­za­tions to col­lect claims that help recov­er costs and reme­di­ate damage.

Huge growth potential

Although a tiny share of the $505.8 bil­lion U.S. insur­ance mar­ket, the cyber­se­cu­ri­ty insur­ance sec­tor is poised to go from neg­li­gi­ble to nascent. Glob­al­ly, the seg­ment gen­er­ates about $3 bil­lion to $4 bil­lion in pre­mi­ums annu­al­ly, accord­ing to glob­al insur­ance com­pa­ny Allianz, an amount the com­pa­ny projects will grow to $20 bil­lion by 2025, which would make it among the industry’s fastest-grow­ing sectors.

As for the sector’s growth poten­tial, in its third bian­nu­al sur­vey of the mar­ket, the Coun­cil of Insur­ance Agents & Bro­kers found that:

• Only 29 per­cent of respon­dents’ clients had pur­chased any form of cyber coverage.
• But of those, 22 per­cent had pur­chased cyber insur­ance for the first time in the past six months.
• 40 per­cent had increased their cov­er­age in the past six months.
• 70 per­cent had stand­alone policies.

While the promise is great, the sector’s obsta­cles are equal­ly for­mi­da­ble. “Part of the chal­lenge is that cyber risk isn’t like any oth­er risk insur­ers and rein­sur­ers have ever had to under­write,” a 2015 report by pro­fes­sion­al ser­vices con­sul­tan­cy PwC assert­ed. “There is lim­it­ed pub­licly avail­able data on the scale and finan­cial impact of attacks. The dif­fi­cul­ties cre­at­ed by min­i­mal data are height­ened by the speed with which threats are evolv­ing and pro­lif­er­at­ing. While under­writ­ers can esti­mate the like­ly cost of sys­tems reme­di­a­tion with rea­son­able cer­tain­ty, there sim­ply isn’t enough his­tor­i­cal data to gauge fur­ther losses.”

Enter InnoSec

STORM zeroes in on com­pa­ny assets respon­si­ble for the largest share of its prof­its, detects vul­ner­a­bil­i­ties linked to those assets, and then quan­ti­fies the poten­tial finan­cial con­se­quences if those assets are com­pro­mised. For exam­ple, if an inter­net retailer’s order man­age­ment sys­tem is inter­rupt­ed by a denial of ser­vice, what will it cost the company?

The insur­ance indus­try has strug­gled for the past sev­er­al years to fig­ure out how to price [cyber­se­cu­ri­ty] poli­cies based on risk, because there’s no his­tor­i­cal data,” Evans says. “If you look across the his­to­ry of the insur­ance business—whether it’s life, casu­al­ty, auto or whatever—it’s all based on risk, it’s all based on met­rics that show you how the risk to the prospect influ­ences the policy’s price. This is where we’re get­ting [insur­ance com­pa­nies] back to; we’re get­ting them back to basics. We under­stand how to do it” in the cyber risk arena.

After relo­cat­ing to Israel a few years ago, Evans began work­ing with sev­er­al of the country’s start-ups, includ­ing InnoSec. The com­pa­ny ear­ly on drew upon the exper­tise of an exec­u­tive who had been with the Israel Defense Forces’ Intel­li­gence Corp, which has respon­si­bil­i­ty for infor­ma­tion secu­ri­ty with­in the coun­try. “And so, they came up with this idea of how to man­age risk and how to look at it from the cyber per­spec­tive, which is obvi­ous­ly very dif­fer­ent than from an oper­a­tional, legal or a finan­cial per­spec­tive,” she says.

Evans spent 18 months help­ing InnoSec refine its prod­ucts for enter­prise-wide appli­ca­tion before being named CEO.

Quan­ti­fy­ing risk

STORM crunch­es data from com­pa­nies’ change man­age­ment data­bas­es, vul­ner­a­bil­i­ty scan­ners and secu­ri­ty inci­dent event man­age­ment sys­tems, and then inte­grates the infor­ma­tion with InnoSec’s pro­pri­etary risk engine to answer such ques­tions as:

• How well is an organization’s key busi­ness assets pro­tect­ed against a cyber attack?
• Is a company’s cyber bud­get ade­quate to mit­i­gate the risk of a suc­cess­ful attack?
• What is being done relat­ed to cyber inci­dents a com­pa­ny witnesses?
• How much cyber risk expo­sure does a com­pa­ny have in actu­al dollars?
• How much should an insur­ance com­pa­ny charge a prospec­tive pol­i­cy­hold­er based on its indi­vid­ual cyber risk profile?
• How can an insur­ance com­pa­ny mon­i­tor a policyholder’s com­pli­ance and “accu­mu­lat­ed risk?”

InnoSec devel­oped its first iter­a­tion of STORM about two years ago. Cus­tomers includ­ed the Bank of Jerusalem and Harel Insur­ance Invest­ments and Finan­cial Ser­vices, Israel’s third-largest insur­ance group. InnoSec’s first major U.S. cus­tomer was Amdocs, a multi­na­tion­al that spe­cial­izes in soft­ware and ser­vices for com­mu­ni­ca­tions, media and finan­cial ser­vices providers and dig­i­tal enterprises.

SMBs can’t afford breaches

As the cyber threat to com­pa­nies and orga­ni­za­tions increas­es, the next major growth oppor­tu­ni­ty will be ser­vic­ing small- and medi­um-size busi­ness­es, which often have a low­er risk tol­er­ance for cyber attacks than larg­er com­pa­nies, Evans says.

The mar­ket is “com­plete­ly non­com­pet­i­tive,” she says. “Once reg­u­la­tion catch­es up, cyber insur­ance is going to be required. This is around the cor­ner, and so, how do you, as an insur­ance com­pa­ny, posi­tion your­self to be in the right place at the right time, to pro­vide the right pol­i­cy to this green­field mar­ket, which is going to be champ­ing at the bit to get this kind of insurance?”

An esti­mat­ed 60 com­pa­nies write cyber insur­ance poli­cies today. As more insur­ers look to enter the busi­ness, “we fit into a very inter­est­ing area” because insur­ers need a gran­u­lar lev­el of data and analy­sis that “reflects the risks of small- and medi­um-size busi­ness­es,” Evans says. Insur­ance com­pa­nies capa­ble of per­form­ing sophis­ti­cat­ed assess­ments no mat­ter the size of a prospect will be posi­tioned to dif­fer­en­ti­ate their prod­ucts and more intel­li­gent­ly and com­pet­i­tive­ly offer cov­er­age to any­one want­i­ng it.

The market’s a vir­gin ter­ri­to­ry, so why wouldn’t you take the next step?” she asks.

More sto­ries relat­ed to the cyber insur­ance market:
Chal­lenges and oppor­tu­ni­ties ahead for cyber insur­ance industry
Under­writ­ers, InfoS­ec offi­cers must close gap on risk management
Cyber insur­ance is a great invest­ment, but can’t solve all secu­ri­ty needs




Posted in Cyber insurance, Featured Story