As hacks mushroom, all signs point to boom in cybersecurity insurance
Industry in better position to set policy pricing, help companies understand and model risk
By Byron Acohido, ThirdCertainty
In a full-throated, clear-as-day affirmation that the nascent cyber insurance market is truly poised to blossom, insurance giant Aon last week announced that it will swallow up cyber forensics stalwart Stroz Friedberg for an undisclosed sum.
The acquisition puts the London-based carrier in a prime position to help bring to fruition PricewaterhouseCoopers’ prediction that companies will spend $7.5 billion on cyber liability policies by 2020, up from $2.5 billion in 2014. European financial services giant Allianz goes a step further, predicting that cyber insurance sales will top $20 billion by 2025.
Keep in mind there has been one looming showstopper to cyber insurance rapidly jelling as a major business sector. Insurance underwriters continue to have a devil of a time truly understanding cyber exposures, and therefore they have been unable to put policy pricing on any kind of rational footing.
Unlike the damages caused by a natural disaster or, say, a customer breaking a leg on the corporate campus, the repercussions of a network breach are extremely complex, continually evolving and notoriously difficult to pin down.
However, with this acquisition, Aon brings in-house Stroz Friedberg’s cybersecurity governance and advisory services platforms. This includes Stroz’s penetration testing, incident response, digital forensics, eDiscovery and due diligence capabilities. It is going to be fascinating to watch Aon’s attempt to bring Stroz’s cutting-edge security technologies directly to bear on deriving much-needed cyber actuarial tables.
ThirdCertainty asked Stroz Friedberg CEO Michael Patsalos-Fox, who will become CEO and co-chair of Aon’s Cyber Solutions Group, how he sees this merger playing out. Text edited for clarity and length.
3C: How might this deal help advance the insurance industry’s understanding of cyber exposures?
Patsalos-Fox: This acquisition is part of our mission to help clients understand and mitigate these new and evolving risks in a rapidly changing world. Currently, for a huge majority of organizations, cyber risk is one of their least understood risks. Only a few years ago, cyber was considered the responsibility of select functional groups within an organization, primarily IT. It is now a larger, more distributed challenge that touches every part of an organization.
C-suite executives are increasingly aware of the risk to their companies’ data, reputation and bottom line, but they do not have an adequate understanding of if and how they should respond, or whether conventional recommendations on how to respond are sufficient.
Aon and Stroz Friedberg are creating a Cyber Risk Management Advisory Group with the very focus of advancing understanding around our clients’ cyber exposures and, based on that information, helping to protect them with comprehensive cybersecurity services.
3C: What go-forward ramifications do you anticipate?
Patsalos-Fox: The combination of Aon and Stroz Friedberg makes sense from the perspective of building better products to bring better coverage to clients, but it also brings revenues to insurance companies at a lower level of risk.
Aon currently is an intermediary (broker) on behalf of companies, providing them with insurance and risk transfer products that give them balance sheet protection and mitigate the risk of an attack. As the frequency and severity of cyber risks increase, the related insurance products need to be developed to reflect that.
A company cannot expect to pass on its growing risk exposure to other people’s balance sheets with no change in their approach, without incurring increased costs. The products must therefore change to include practices to help insurance companies and clients better understand the severity of potential incidents and reduce their impact when they do occur.
With a better understanding of companies’ exposure to cyber risk, insurers can expand, create and design new cyber offerings to address their needs. It also enables insurers to be able to price products well and decrease the risks they are taking on in insuring against cyber risk.
3C: What is combining your products and services going to look like?
Patsalos-Fox: When an organization comes to Aon for cyber insurance, together we are in a position to offer them a security assessment, in order to identify any weak points in their security infrastructure and then remediate them, including through any penetration testing or other necessary proactive security measures. By doing this we have better information on which to base a policy, and also we can make the client more resilient, enabling us to offer them insurance at a better price and level of coverage.
Premium cyber coverage already helps organizations with access to capital when they do have a breach, for example, covering losses associated with not responding well. Stroz Friedberg’s incident response services—for example, having a retainer in place—help to ensure that an expert team is at the ready to minimize damage, both from technical and legal reporting perspectives. Instead of having to go to an outside provider for the retainer, clients can now come to Aon.
3C: Do you anticipate copycats, with other insurers and infosec vendors looking to similarly partner up?
Patsalos-Fox: While there are existing partnerships between cyber insurers and information security vendors, nobody else is doing this at the deep level of integration that we are. Stroz Friedberg’s risk management capabilities are core to the value Aon wants to create for clients.
Given the growing market of tech-enabled businesses across all industries—whether that is automotive, financial services, pharmaceuticals—companies’ exposure to cyber risks is only going to increase. Both Aon and Stroz Friedberg consider this acquisition core to improving the services we can jointly offer our clients.
Through this acquisition, we are creating a new form of value and future demand. As this model becomes more proven, we expect others will want to replicate it.
3C: Could there be a halo effect as this all plays out, with companies becoming more security mature as the cyber insurance market jells?
Patsalos-Fox: With insurance companies requiring more from companies before they can offer them the best coverage at the best rates, it could force companies to adopt a more proactive mind-set toward addressing and fixing their security issues.
When insurance companies equip themselves with the full suite of capabilities and expertise to provide clients with the tools to become more resilient, it may ease the complexity companies face now when responding to calls for more mature security.
In my experience dealing with boards on the issue of cyber risk, they recognize their huge responsibility, both personal and fiduciary, to build substantial and effective cyber programs. They also recognize that they can’t achieve everything they need to protect an organization in one year, but view it as a continuing cycle of improvement toward making their organization less vulnerable. When you combine the ability and tools to do that with insurance, it really is a winning combination for boardrooms.