Deloitte-Zurich form partnership to offer cyber risk services

As insurance, security vendors merge, lack of actuarial data makes pricing of policies difficult


Tech consultancy Deloitte and insurance giant Zurich have joined forces to make a bold attempt at smoothing obstacles preventing the emerging market for cyber liability policies from reaching full fruition.

In February, Deloitte’s cybersecurity practice group inked an agreement with Zurich North America to deliver cybersecurity consulting services to Zurich’s customers.

Businesses carrying Zurich’s Security & Privacy insurance coverage can now directly access pre-breach cyber risk assessment and management services supplied by Deloitte. The nonexclusive partnership is between the firms’ operations in the United States and Canada, though this is expected to expand to global markets over time.


The partnership is meant to address the current disparity between what organizations are seeking as they try to address rising cyber exposures and what the insurance industry is currently offering.


“From a buyer’s perspective, there is a misunderstanding about what cyber insurance policies cover, with many buying insurance because a board member or a regulator had asked a question, instead of thinking about what they need from the insurance,” says Adam Thomas, a principal in Deloitte’s Risk and Financial Advisory Cyber Risk Services.

One good example, Thomas says, is that a cyber policy is not likely to cover losses associated with reputational damage. Meanwhile, insurers have yet to demonstrate that they know how to effectively quantify complex cyber exposures. The result is a lack of clarity on both sides. “Buyers don’t know what they want; and the insurer says I can only offer coverages that I can quantify,” Thomas says.

Difficult to assess risks

Unlike damage from a natural disaster or an injury suffered by an employee, damage caused by a network breach is complex, constantly evolving and incredibly difficult to pin down.

The partnering of Deloitte and Zurich is the latest proof point that the way forward may lie in cybersecurity tech vendors and policy consultants joining forces with underwriters and insurers hungry to tap into pent-up demand from companies desiring to mitigate rising cyber risks.

Tech security vendors already are amassing large, rich data sets on security threats and the resilience of enterprise networks. These will only get bigger as they develop more sophisticated prevention and detection technologies. Currently, these vendors supply some $75 billion worth of security hardware, software and services annually.

Big growth potential

With attacks continuing to intensify, tech security is on track to grow 5 to 12 percent annually for the next few years. Other major players in the insurance sector have acquired security firms or created partnerships of their own.

Last October, British insurance company Aon announced that it would swallow cybersecurity stalwart Stroz Friedberg for an undisclosed sum. In 2015, American International Group (AIG) formed partnerships with a number of cybersecurity experts including K2 Intelligence, BitSight Technologies, RSA, and Axio Global. The partnerships were made to bolster AIG’s CyberEdge risk management and insurance product.


Meanwhile, as threats increase in frequency and severity, the cyber insurance market will grow rapidly. Professional services firm PricewaterhouseCoopers (PwC) has projected that companies will spend $7.5 billion on cyber liability policies by 2020, up from $2.5 billion in 2014. Allianz goes even further, predicting that cyber insurance sales will top $20 billion by 2025.

However, for these predictions to be realized, the insurance sector must gain the capacity to build the kind of reliable actuarial tables that are fundamental to selling insurance. As a result, many industry analysts see partnerships, or mergers, between insurers and security vendors as inevitable.

As malicious attacks continue, there’s going to be continued demand for cyber insurance, among other things. This will be driven, in part, by new connected devices. As Thomas says, “It wasn’t until recent years that people had to worry about a cyber attack on their washers. As we see evolution in the tech side … where there are nontraditional tech deliveries, we’re going to continue to see a lot of movement and interest around cyber insurance.”

A little education needed

However, part of the challenge with cyber insurance is that the buyer is generally the same person who buys all of the other types of insurance products the company has. Because cyber insurance is relatively new, many risk managers don’t understand it. On the other hand, the chief security officer understands the risks of cyber attacks but doesn’t understand insurance.

Therefore, education is still needed, as fewer than a third of U.S. businesses have a cyber insurance policy in place.

Thomas sums it up this way: “You can’t buy insurance if you don’t know you need it. Areas like personally identifiable information and business interruption are well-understood problems, which is why insurers and the insured have gravitated there. Once it sinks in that there’s a lot more exposure to your enterprise because of enlarged attack surface, we’re going to see an uptake. There’s still a way to go, though, before we see a full appreciation of how cyber attacks and threats can impact an organization.”
