To stand out in a crowd, cyber insurance companies offer value-added services

Brokers partner with specialist suppliers to offer security consulting and training free or at a discount

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The most active play­ers in the fledg­ling but fast-grow­ing cyber insur­ance mar­ket are hus­tling to dif­fer­en­ti­ate themselves.

The ear­ly adopters and inno­va­tors are doing so by accel­er­at­ing the pro­mo­tion of val­ue-added services—tools and sys­tems that can help com­pa­nies improve their secu­ri­ty pos­tures and thus reduce the like­li­hood of ever fil­ing a cyber dam­ages claim.

As more busi­ness­es look to pur­chase cyber lia­bil­i­ty poli­cies, insur­ance sell­ers are striv­ing to dial up the right mix of such ser­vices, a blend that can help them prof­itably meet this pent-up demand with­out tak­ing on too much risk.

The incen­tive is com­pelling: con­sul­tan­cy Price­wa­ter­house­C­oop­ers esti­mates that the cyber insur­ance mar­ket will grow from about $2.5 bil­lion in 2014 to $7.5 bil­lion by 2020. Euro­pean finan­cial ser­vices giant Allianz goes a step fur­ther with its pre­dic­tion that cyber insur­ance sales will top $20 bil­lion by 2025.

This antic­i­pat­ed growth in demand for cyber lia­bil­i­ty coverage—coupled with the com­par­a­tive­ly low lev­el of loss claims—have com­bined to cre­ate strong com­pe­ti­tion in this nascent market.

The Insur­ance Infor­ma­tion Insti­tute esti­mat­ed last year that about 60 com­pa­nies offered stand­alone cyber lia­bil­i­ty poli­cies. In total, more than 500 insur­ers pro­vide some form of cyber risk cov­er­age, accord­ing to a recent analy­sis by the Nation­al Asso­ci­a­tion of Insur­ance Commissioners.

David Bradford, Advisen co-founder and chief strategy officer
David Brad­ford, Advisen co-founder and chief strat­e­gy officer

There are quite a few play­ers, so they are look­ing for ways to dif­fer­en­ti­ate them­selves and find com­pet­i­tive edges,” says David K. Brad­ford, co-founder and chief strat­e­gy offi­cer for Advisen, an insur­ance research and analy­sis company.

Insur­ance com­pa­nies make adjustments

Insur­ance car­ri­ers hot after a piece of this bur­geon­ing mar­ket are begin­ning to offer val­ue-added ser­vices to make their cyber offer­ings stand out.

Rather than grow­ing these ser­vices in-house, most are part­ner­ing with ven­dors and con­sul­tants that spe­cial­ize in aware­ness train­ing, net­work secu­ri­ty and data pro­tec­tion. Ser­vices that boost the val­ue of cyber poli­cies are being sup­plied for free, or offered at a dis­count.  Typ­i­cal cyber insur­ance val­ued-added ser­vices include:

• Phish­ing and cyber hygiene aware­ness training

• Inci­dence response planning

• Secu­ri­ty risk assessments

• Best prac­tices web por­tals and soft­ware-as-a-ser­vice tools

• Threat detec­tion services

• Employ­ee and cus­tomer iden­ti­ty theft coverage

• Breach response services

One mea­sure of val­ue-added ser­vices gain­ing trac­tion comes from the Bet­ter­ley Report, which recent­ly sur­veyed 31 car­ri­ers that offer cyber poli­cies. Bet­ter­ley found that about half offered “active avoid­ance ser­vices,” while near­ly all offered some sort of pre-breach plan­ning tools.

Rick Betterley_Betterley risk_400
Rick Bet­ter­ley, pres­i­dent of Bet­ter­ley Risk Consultants

Rick Bet­ter­ley, pres­i­dent of Bet­ter­ley Risk Con­sul­tants, which pub­lish­es the Bet­ter­ley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be bet­ter pro­tect­ed,” he says.

Bet­ter­ley is a big pro­po­nent of adding risk-man­age­ment ser­vices to cyber poli­cies. He calls it Cyber 3.0, adding that it’s akin to the notion of insur­ing a high­ly pro­tect­ed risk in a prop­er­ty insur­ance pol­i­cy. Cyber val­ue-added ser­vices, he says, are the equiv­a­lent of fire insur­ance com­pa­nies requir­ing sprinklers.

It’s not required that insur­ance com­pa­nies pro­vide the ser­vices, but it’s required that they help insureds iden­ti­fy what ser­vices are like­ly to gen­er­ate a reduc­tion in pre­mi­ums,” Bet­ter­ley says.

Sec­tor faces new challenges

That said, the cyber insur­ance sec­tor is still find­ing its way. With auto crash­es, fire or nat­ur­al dis­as­ters, loss­es are well defined and ful­ly under­stood. Cyber expo­sures, by con­trast, are hard to pin down. Net­work vul­ner­a­bil­i­ties are extreme­ly com­plex and con­tin­u­al­ly evolv­ing. And his­toric data on insur­ance claims relat­ed to data breach­es remains, at least for the moment, in short supply.

An added chal­lenge, Bet­ter­ley says, is that insur­ance com­pa­nies are unable to sat­is­fac­to­ri­ly mea­sure the effec­tive­ness of secu­ri­ty tech­nolo­gies and ser­vices in pre­vent­ing a data breach.

Advisen’s Brad­ford agrees. “It’s a rapid­ly evolv­ing area that changes day to day, and under­writ­ers are def­i­nite­ly wary of rec­om­mend­ing a par­tic­u­lar ven­dor or approach,” he says.

Even­tu­al­ly, the insur­ance indus­try will fig­ure out how to make mean­ing­ful cor­re­la­tions and sep­a­rate the wheat from the chaff.

In bring­ing in these val­ue-added ser­vices, we can help shore up some of those areas where we’re see­ing human error,” observes Dave Was­son, cyber lia­bil­i­ty prac­tice leader at Hays Cos., a com­mer­cial insur­ance bro­ker­age and risk man­age­ment con­sul­tan­cy. “We’ll be at a point where we’ll know what makes a dif­fer­ence and we can put our mon­ey, time and efforts into those solutions.”

Eric Hodge, direc­tor of con­sult­ing at IDT911 Con­sult­ing, part of IDT911, which under­writes, con­curs. One iron­ic result of the recent ongo­ing spike of ran­somware attacks aimed at busi­ness­es, Hodge notes, is that more hard data is get­ting gen­er­at­ed that is use­ful for cal­cu­lat­ing loss profiles.

Along the same lines, set­tle­ments of class-action law­suits relat­ed to breach­es of high-pro­file retail­ers, such as Tar­get and Sony, is help­ing amass data that will help the indus­try flesh out evolv­ing actu­ar­i­al tables.

Eric Hodge, director of consulting at IDT911 Consulting
Eric Hodge, direc­tor of con­sult­ing at IDT911 Consulting

Loss­es from cyber attacks and data breach­es are becom­ing eas­i­er to quan­ti­fy,” Hodge says. “And mar­ket forces are absolute­ly lin­ing up to reward the wider use of these activ­i­ties. It’s hard­er to ignore the fis­cal argu­ment for an insur­er to go the extra mile in help­ing the insured orga­ni­za­tions make sure that a cost­ly breach doesn’t occur.”

AIG blazes trail

One notable pro­po­nent lead­ing the way is multi­na­tion­al insur­ance giant AIG, which is nur­tur­ing part­ner­ships with about a half-dozen cyber­se­cu­ri­ty vendors.

AIG services—some of which are offered to pol­i­cy­hold­ers at no cost—range from threat intel­li­gence and cyber risk matu­ri­ty assess­ments to active detec­tion and vul­ner­a­bil­i­ties assessments.

Risk­An­a­lyt­ics, one of AIG’s part­ner ven­dors, pro­vides threat intel­li­gence ser­vices, includ­ing a ser­vice that detects and shuns black­list­ed IP address­es. Any AIG insured with a min­i­mum $5,000 pol­i­cy can par­tic­i­pate at no addi­tion­al cost to them.

The company’s part­ner­ship is exclu­sive to AIG, and appears to be very popular.

We’re bring­ing in mul­ti­year con­tracts and the aver­age sales price is on an impres­sive tra­jec­to­ry,” says Risk­An­a­lyt­ics Chief Oper­a­tive Offi­cer Kurt Lee. “It’s all born out of (cus­tomers) using that (intro­duc­to­ry) ser­vice through the policy.”

Rec­og­niz­ing the trend, more ven­dors are seiz­ing the oppor­tu­ni­ty to mar­ket their ser­vices to insur­ance carriers.

Ven­dors are will­ing to jump through the many hoops because a part­ner­ship with an insur­ance com­pa­ny is an oppor­tu­ni­ty to get a soft intro­duc­tion to a poten­tial client, says Mike Pat­ter­son, vice pres­i­dent of strat­e­gy at Rook Secu­ri­ty, a man­aged secu­ri­ty ser­vices provider (MSSP) that is proac­tive­ly reach­ing out to carriers.

Dis­man­tling roadblocks

As with any new approach, broad adop­tion of cyber insur­ance val­ue-added ser­vices isn’t with­out hur­dles. One major obsta­cle is the “’this-isn’t-how-we’ve-always-done-it’ way of think­ing,” observes IDT911’s Hodge. “It’s like try­ing to change our elec­tion processes—people resist alter­ing a sys­tem that has been in place for a cou­ple hun­dred years.”

Anoth­er bar­ri­er is cost. Insur­ance com­pa­nies tend to reserve free or dis­count­ed added ser­vices for heavy­weight clients that spend small for­tunes on annu­al pre­mi­ums, says John Far­ley, vice pres­i­dent and cyber risk prac­tice leader at insur­ance bro­ker­age HUB Inter­na­tion­al.

Car­ri­ers can’t give away a lot of resources, so the small­er pre­mi­um pay­ers are not get­ting a lot of these ser­vices,” Far­ley says. “But if they can stream­line and auto­mate resources and fig­ure out how to get cus­tomiz­able, usable infor­ma­tion to the insur­ance buy­er, that insur­ance car­ri­er will prob­a­bly stand out.”

Bri­an Bran­ner, Risk­An­a­lyt­ics’ exec­u­tive vice pres­i­dent, says that’s exact­ly one of the ben­e­fits that AIG derives from their partnership.

If we can get the insureds to use the ser­vices we pro­vide, we should low­er AIG’s loss ratio because they’ll be safer orga­ni­za­tions, and AIG should receive less claims,” he says.

Hid­den costs of a breach can impact a large enter­prise for years, and prove cat­a­stroph­ic to a small busi­ness. So insur­ance com­pa­nies in the van­guard are look­ing to find busi­ness clients that are tak­ing infor­ma­tion secu­ri­ty seriously.

As more com­pa­nies buy cyber poli­cies, and use any atten­dant ser­vices, the result could be a halo effect, says IDT911’s Hodge.

This is cer­tain­ly some­thing that the insur­ers are count­ing on,” Hodge says. “A more secure buy­er is a low­er actu­ar­i­al risk to the insurer.”

Mean­while, pol­i­cy­hold­ers should steadi­ly become bet­ter equipped to secure­ly do busi­ness in an Inter­net-cen­tric econ­o­my rid­dled with evolv­ing exposures.

Says Hodge: “In my expe­ri­ence, the buy­er is often pleas­ant­ly sur­prised by the improve­ment that can come about quick­ly in terms of know­ing their risk, being com­pli­ant with their indus­try stan­dards, and being able to indi­cate to the mar­ket­place that they are tak­ing good care of their customer’s information.”

More cyber insur­ance relat­ed stories:
As threats mul­ti­ply, cyber insur­ance and tech secu­ri­ty indus­tries start to merge
Cyber insur­ance ris­es to meet increas­ing secu­ri­ty challenges
Com­pa­nies tap into cyber insur­ance to man­age busi­ness risk

Posted in Featured Story