As hacks mushroom, all signs point to boom in cybersecurity insurance

Industry in better position to set policy pricing, help companies understand and model risk


In a full-throated, clear-as-day affirmation that the nascent cyber insurance market is truly poised to blossom, insurance giant Aon last week announced that it will swallow up cyber forensics stalwart Stroz Friedberg for an undisclosed sum.

The acquisition puts the London-based carrier in a prime position to help bring to fruition PriceWaterhouseCoopers’ prediction that companies will spend $7.5 billion on cyber liability policies by 2020, up from $2.5 billion in 2014. European financial services giant Allianz goes a step further predicting that cyber insurance sales will top $20 billion by 2025.


Keep in mind there has been one looming showstopper to cyber insurance rapidly jelling as a major business sector. Insurance underwriters continue to have a devil of a time truly understanding cyber exposures, and therefore they have been unable to put policy pricing on any kind of rational footing.

Unlike the damages caused by a natural disaster or, say, a customer breaking a leg on the corporate campus, the repercussions of a network breach are extremely complex, continually evolving and notoriously difficult to pin down.


However, with this acquisition, Aon brings in-house Stroz Friedberg’s cybersecurity governance and advisory services platforms. This includes Stroz’s penetration testing, incident response, digital forensics, eDiscovery and due diligence capabilities. It is going to be fascinating to watch Aon’s attempt to bring Stroz’s cutting-edge security technologies directly to bear on deriving much-needed cyber actuarial tables.

ThirdCertainty asked Stroz Friedberg CEO Michael Patsalos-Fox, who will become CEO and co-chair of Aon’s Cyber Solutions Group, how he sees this merger playing out. Text edited for clarity and length.

3C: How might this deal help advance the insurance industry’s understanding of cyber exposures?

Patsalos-Fox: This acquisition is part of our mission to help clients understand and mitigate these new and evolving risks in a rapidly changing world. Currently, for a huge majority of organizations, cyber risk is one of their least understood risks. Only a few years ago, cyber was considered the responsibility of select functional groups within an organization, primarily IT. It is now a larger, more distributed challenge that touches every part of an organization.

C-suite executives are increasingly aware of the risk to their companies’ data, reputation and bottom line, but they do not have an adequate understanding of if and how they should respond, or whether conventional recommendations on how to respond are sufficient.

Aon and Stroz Friedberg are creating a Cyber Risk Management Advisory Group with the very focus of advancing understanding around our clients’ cyber exposures and, based on that information, helping to protect them with comprehensive cybersecurity services.

3C: What go-forward ramifications do you anticipate?

Michael Patsalos-Fox, Stroz Friedberg CEO

Patsalos-Fox: The combination of Aon and Stroz Friedberg makes sense from the perspective of building better products to bring better coverage to clients, but it also brings revenues to insurance companies at a lower level of risk.

Aon currently is an intermediary (broker) on behalf of companies, providing them with insurance and risk transfer products that give them balance sheet protection and mitigate the risk of an attack. As the frequency and severity of cyber risks increase, the related insurance products need to be developed to reflect that.

A company cannot expect to pass on its growing risk exposure to other people’s balance sheets with no change in their approach, without incurring increased costs. The products must therefore change to include practices to help insurance companies and clients better understand the severity of potential incidents and reduce their impact when they do occur.

With a better understanding of companies’ exposure to cyber risk, insurers can expand, create and design new cyber offerings to address their needs. It also enables insurers to be able to price products well and decrease the risks they are taking on in insuring against cyber risk.

3C: What is combining your products and services going to look like?

Patsalos-Fox: When an organization comes to Aon for cyber insurance, together we are in a position to offer them a security assessment, in order to identify any weak points in their security infrastructure and then remediate them, including through any penetration testing or other necessary proactive security measures. By doing this we have better information on which to base a policy, and also we can make the client more resilient, enabling us to offer them insurance at a better price and level of coverage.

Premium cyber coverage already helps organizations with access to capital when they do have a breach, for example, covering losses associated with not responding well. Stroz Friedberg’s incident response services—for example, having a retainer in place—help to ensure that an expert team is at the ready to minimize damage, both from technical and legal reporting perspectives. Instead of having to go to an outside provider for the retainer, clients can now come to Aon.

3C: Do you anticipate copycats; other insurers and infosec vendors looking to similarly partner up?

Patsalos-Fox: While there are existing partnerships between cyber insurers and information security vendors, nobody else is doing this at the deep level of integration that we are. Stroz Friedberg’s risk management capabilities are core to the value Aon wants to create for clients.

Given the growing market of tech-enabled businesses across all industries—whether that is automotive, financial services, pharmaceuticals—companies’ exposure to cyber risks is only going to increase. Both Aon and Stroz Friedberg consider this acquisition core to improving the services we can jointly offer our clients.

Through this acquisition, we are creating a new form of value and future demand. As this model becomes more proven, we expect others will want to replicate it.

3C: Could there be a halo effect as this all plays out; companies becoming more security mature, as the cyber insurance market jells?

Patsalos-Fox: With insurance companies requiring more from companies before they can offer them the best coverage at the best rates, it could force companies to adopt a more proactive mind-set toward addressing and fixing their security issues.

When insurance companies equip themselves with the full suite of capabilities and expertise to provide clients with the tools to become more resilient, it may ease the complexity companies face now when responding to calls for more mature security.

In my experience dealing with boards on the issue of cyber risk, they recognize their huge responsibility, both personal and fiduciary, to build substantial and effective cyber programs. They also recognize that they can’t achieve everything they need to protect an organization in one year, but view it as a continuing cycle of improvement toward making their organization less vulnerable. When you combine the ability and tools to do that with insurance, it really is a winning combination for boardrooms.
