Insurers, businesses learning to measure cyber risk in dollars, cents
As digital threats multiply, market for coverage opens up, draws more players
By Byron Acohido and Rebecca Theim, ThirdCertainty
Serial entrepreneur and cybersecurity expert M. Ariel Evans is positioning her latest start-up to revolutionize the way insurance companies assess and price policies against cyber threats and how businesses protect themselves against cyber breaches.
An Israeli-American residing in Tel Aviv, Evans is now chief executive officer of InnoSec, a company that analyzes and manages risk from a cyber perspective. InnoSec’s cyber-risk management application, branded STORM, generates data to help companies manage cybersecurity risks and to allow insurance companies to measure prospective policyholders’ risk and price policies appropriately.
“There’s a huge need to be able to understand the relationship between cyber risk, cyber insurance and risk tolerance, and to quantify it in a way that organizations can understand, and allow them to have this very insightful information,” Evans says.
In the event of a major breach—such as the massive 2013 attack that cost retailer Target more than $200 million, or the recent worldwide WannaCry ransomware cryptoworm—cybersecurity insurance enables organizations to collect claims that help recover costs and remediate damage.
Huge growth potential
Although a tiny share of the $505.8 billion U.S. insurance market, the cybersecurity insurance sector is poised to go from negligible to nascent. Globally, the segment generates about $3 billion to $4 billion in premiums annually, according to global insurance company Allianz, an amount the company projects will grow to $20 billion by 2025, which would make it among the industry’s fastest-growing sectors.
As for the sector’s growth potential, in its third biannual survey of the market, the Council of Insurance Agents & Brokers found that:
• Only 29 percent of respondents’ clients had purchased any form of cyber coverage.
• But of those, 22 percent had purchased cyber insurance for the first time in the past six months.
• 40 percent had increased their coverage in the past six months.
• 70 percent had standalone policies.
While the promise is great, the sector’s obstacles are equally formidable. “Part of the challenge is that cyber risk isn’t like any other risk insurers and reinsurers have ever had to underwrite,” a 2015 report by professional services consultancy PwC asserted. “There is limited publicly available data on the scale and financial impact of attacks. The difficulties created by minimal data are heightened by the speed with which threats are evolving and proliferating. While underwriters can estimate the likely cost of systems remediation with reasonable certainty, there simply isn’t enough historical data to gauge further losses.”
STORM zeroes in on company assets responsible for the largest share of its profits, detects vulnerabilities linked to those assets, and then quantifies the potential financial consequences if those assets are compromised. For example, if an internet retailer’s order management system is interrupted by a denial of service, what will it cost the company?
“The insurance industry has struggled for the past several years to figure out how to price [cybersecurity] policies based on risk, because there’s no historical data,” Evans says. “If you look across the history of the insurance business—whether it’s life, casualty, auto or whatever—it’s all based on risk, it’s all based on metrics that show you how the risk to the prospect influences the policy’s price. This is where we’re getting [insurance companies] back to; we’re getting them back to basics. We understand how to do it” in the cyber risk arena.
After relocating to Israel a few years ago, Evans began working with several of the country’s start-ups, including InnoSec. The company early on drew upon the expertise of an executive who had been with the Israel Defense Forces’ Intelligence Corps, which has responsibility for information security within the country. “And so, they came up with this idea of how to manage risk and how to look at it from the cyber perspective, which is obviously very different than from an operational, legal or a financial perspective,” she says.
Evans spent 18 months helping InnoSec refine its products for enterprise-wide application before being named CEO.
STORM crunches data from companies’ change management databases, vulnerability scanners and security information and event management systems, and then integrates the information with InnoSec’s proprietary risk engine to answer such questions as:
• How well are an organization’s key business assets protected against a cyber attack?
• Is a company’s cyber budget adequate to mitigate the risk of a successful attack?
• What is being done about the cyber incidents a company witnesses?
• How much cyber risk exposure does a company have in actual dollars?
• How much should an insurance company charge a prospective policyholder based on its individual cyber risk profile?
• How can an insurance company monitor a policyholder’s compliance and “accumulated risk”?
InnoSec developed its first iteration of STORM about two years ago. Customers included the Bank of Jerusalem and Harel Insurance Investments and Financial Services, Israel’s third-largest insurance group. InnoSec’s first major U.S. customer was Amdocs, a multinational that specializes in software and services for communications, media and financial services providers and digital enterprises.
SMBs can’t afford breaches
As the cyber threat to companies and organizations increases, the next major growth opportunity will be servicing small- and medium-size businesses, which often have a lower risk tolerance for cyber attacks than larger companies, Evans says.
The market is “completely noncompetitive,” she says. “Once regulation catches up, cyber insurance is going to be required. This is around the corner, and so, how do you, as an insurance company, position yourself to be in the right place at the right time, to provide the right policy to this greenfield market, which is going to be champing at the bit to get this kind of insurance?”
An estimated 60 companies write cyber insurance policies today. As more insurers look to enter the business, “we fit into a very interesting area” because insurers need a granular level of data and analysis that “reflects the risks of small- and medium-size businesses,” Evans says. Insurance companies capable of performing sophisticated assessments no matter the size of a prospect will be positioned to differentiate their products and more intelligently and competitively offer coverage to anyone wanting it.
“The market’s a virgin territory, so why wouldn’t you take the next step?” she asks.