Deloitte-Zurich form partnership to offer cyber risk services
As insurance, security vendors merge, lack of actuarial data makes pricing of policies difficult
By Melanie Grano, ThirdCertainty
Tech consultancy Deloitte and insurance giant Zurich have joined forces to make a bold attempt at smoothing obstacles preventing the emerging market for cyber liability policies from reaching full fruition.
In February, Deloitte’s cybersecurity practice group inked an agreement with Zurich North America to deliver cybersecurity consulting services to Zurich’s customers.
Businesses carrying Zurich’s Security & Privacy insurance coverage can now directly access pre-breach cyber risk assessment and management services supplied by Deloitte. The nonexclusive partnership is between the firms’ operations in the United States and Canada, though this is expected to expand to global markets over time.
Related podcast: Why tech security is converging with cyber insurance
The partnership is meant to address the current disparity between what organizations are seeking, in attempts to address rising cyber exposures, as compared to what the insurance industry is actually currently offering.
“From a buyer’s perspective, there is a misunderstanding about what cyber insurance policies cover, with many buying insurance because a board member or a regulator had asked a question, instead of thinking about what they need from the insurance,” says Adam Thomas, a principal in Deloitte’s Risk and Financial Advisory Cyber Risk Services.
One good example, Thomas says, is that a cyber policy is not likely to cover losses associated with reputational damage. Meanwhile, insurers have yet to demonstrate that they know how to effectively quantify complex cyber exposures. The result is a lack of clarity on both sides. “Buyers don’t know what they want; and the insurer says I can only offer coverages that I can quantify,” Thomas says.
Difficult to assess risks
Unlike damage from a natural disaster or an injury suffered by an employee, damage caused by a network breach is complex, constantly evolving and incredibly difficult to pin down.
The partnering of Deloitte and Zurich is the latest proof point that the way forward may lie in cybersecurity tech vendors and policy consultants joining forces with underwriters and insurers hungry to tap into pent up demand from companies desiring to mitigate rising cyber risks.
Tech security vendors already are amassing large, rich data sets on security threats and the resilience of enterprise networks. These will only get bigger as they develop more sophisticated prevention and detection technologies. Currently, these vendors supply some $75 billion worth of security hardware, software and services annually.
Big growth potential
With attacks continuing to intensify, tech security is on track to grow 5 to 12 percent annually for the next few years. Other major players in the insurance sector have acquired security firms or created partnerships of their own.
Last October, British insurance company Aon announced that it would swallow cybersecurity stalwart Stroz Friedberg for an undisclosed sum. In 2015, American International Group (AIG) formed partnerships with a number of cybersecurity experts including K2 Intelligence, BitSight Technologies, RSA, and Axio Global. The partnerships were made to bolster AIG’s CyberEdge risk management and insurance product.
Related Q&A: Stroz Friedberg CEO explains merger
Meanwhile, as threats increase in frequency and severity, the cyber insurance market will grow rapidly. Professional services firm PriceWaterhouse Coopers (PwC) has projected that companies will spend $7.5 billion on cyber liability policies by 2020, up from $2.5 billion in 2014. Allianz goes even further, predicting that cyber insurance sales will top $20 billion by 2025.
However, for these predictions to be realized, the insurance sector must gain the capacity to build the kind of reliable actuarial tables that are fundamental to sales insurance. As a result, many industry analysts see partnerships, or mergers, between insurers and security vendors as inevitable.
As malicious attacks continue, there’s going to be continued demand for cyber insurance, among other things. This will be driven, in part, by new connected devices. As Thomas says, “It wasn’t until recent years that people had to worry about a cyber attack on their washers. As we see evolution in the tech side … where there are nontraditional tech deliveries, we’re going to continue to see a lot of movement and interest around cyber insurance.”
A little education needed
However, part of the challenge with cyber insurance is that the buyer is generally the same person who buys all of the other types of insurance products the company has. Because cyber insurance is relatively new, many risk managers don’t understand it. On the other hand, the chief security officer understands the risks of cyber attacks but doesn’t understand insurance.
Therefore, education is still needed as less than a third of U.S. businesses have a cyber insurance policy in place.
Thomas sums it up this way, “You can’t buy insurance if you don’t know you need it. Areas like personally identifiable information and business interruption are well-understood problems, which is why insurers and the insured have gravitated there. Once it sinks in that there’s a lot more exposure to your enterprise because of enlarged attack surface, we’re going to see an uptake. There’s still a way to go, though, before we see a full appreciation of how cyber attacks and threats can impact an organization.”
More stories related to cyber insurance:
Challenges and opportunities ahead for cyber insurance industry
Cyber insurance industry could face turf war, report warns
New exposures for SMBs spurs new need for cyber liability insurance