As threats multiply, cyber insurance and tech security industries start to merge
Gauging a company’s risk difficult as underwriters hunt for reliable data to build actuarial tables
By Byron Acohido, ThirdCertainty
A convergence between the cyber insurance and tech security sectors is fast gaining momentum.
If this trend accelerates, it could help commercial cyber liability policies arise as a fresh wellspring of insurance premiums just as life insurance caught on in the 1800s and auto policies took off in the 1900s.
The drivers are substantive. As companies scramble to mitigate risks posed by steadily worsening cyber threats, insurers and underwriters are hustling to meet overheated demand for cyber liability coverage. The cyber insurance market expanded by roughly 60 percent from 2014 to 2015 topping about $3 billion last year. ABI Research sees no slowing of that breakneck growth rate, and estimates the global cyber insurance market will top $10 billion by 2020.
Complimentary webinar: How identity theft protection has become a must-have employee benefit
However, for that projection to be realized, the insurance sector must somehow attain the capacity to build reliable actuarial tables fundamental to any type of insurance sales. Trouble is, gauging a company’s security posture has turned out to be a much more complex endeavor than anything the insurance industry has mastered before, such as assessing human life expectancy or calculating how much risk to assign a particular driver.
There is endless network traffic data, to be sure. But at present, there is no efficient means to bring it to bear. And to complicate things, companies fear bad publicity and often vigorously resist sharing the type of valuable attack intelligence needed to calculate risk profiles.
“It’s the wild, wild West,” says Mike Patterson, vice president of strategy at Rook Security. “Everyone is jumping in the market chasing premiums, and they are doing it without a full understanding of the risk involvement, from an underwriting perspective.”
Enter the burgeoning tech security sector. Security vendors supply some $75 billion worth of security hardware, software and services annually. And with cyber threats continuing to intensify, tech security is on track to continue growing at an estimated 5 percent to 12 percent annual rate for the next few years.
As security vendors develop and deliver ever more sophisticated prevention and detection technologies, they are amassing larger, richer data sets about the resiliency of company networks. It seems obvious to some that the accelerating convergence of insurance and security is inevitable.
“Underwriters are really trying to figure out how to quantify the risks of the policies they’re underwriting,” says Craig Hinkley, CEO of web application security vendor WhiteHat Security. “We’ve been researching our customers’ websites and web applications for 15 years, so we’re actually swimming in actuarial data right now.”
Models to watch
The questions of the moment: Who will be the early adopters? Which collaborations will emerge as enduring models? ThirdCertainty interviewed a handful of tech security vendors at the giant RSA cybersecurity conference in San Francisco in March who are testing the waters. Here’s a rundown:
WhiteHat recently struck a partnership with Franchise Perils, an insurer of online retail websites, by which Franchise Perils will contribute toward the purchase of WhiteHat’s flagship service, Sentinel, for any online retailer purchasing a cyber policy. This amounts to a steep discount, enticing clients to use WhiteHat’s cutting-edge technology.
Part of WhiteHat’s services include helping corporate clients test their digital defenses with a small army of ethical hackers who “attack” the company and expose weaknesses. If a company quickly fixes its vulnerabilities, WhiteHat will give it a higher score in its WhiteHat Security Index, ranging from 0 to 800—similar to a credit rating for consumers.
“That translates into a safer, more secure website and web application, which reduces the probably of you being hacked,” Hinkley says. “And that’s exactly what underwriters need to know for cyber insurance policies.”
For businesses that fix their vulnerabilities, WhiteHat guarantees that the companies will not get hacked. If they do get hacked, WhiteHat will pay up to $500,000 in remediation costs for the data breach.
This startup has just introduced an innovative threat intelligence monitoring and security posture scoring system aimed, for the moment, mainly at large enterprises in financial services, health care and government.
FourV’s goal is to enable a large retailer or bank to monitor the status of its network security day-to-day, or even hour-to-hour, much as a business routinely tracks daily sales, says Casey Corcoran, vice president of strategy at Four V.
“You could tell by noon whether the pattern that you’re seeing in your risk is shaping up properly for that day of the week,” says Corcoran, a former tech executive at Jos A. Bank Clothiers. “If it’s not, you can fix it.”
FourV CEO Derek Gabbard foresees a day in the not-too-distant future when a senior executive will wake up in the morning, glance at his or her Apple watch, and use a FourV app to check the company’s security risk index.
The idea is to create “risk discussions that are nontechnical, easy to understand, and jargon-less for the leadership team,” Gabbard says, “so that they have confidence in the work that the chief information security officer and his teams are doing.”
Once FourV gets some traction, and amasses large enough data sets, it expects to be able to see—and eventually to be able to predict— risk patterns in vertical industries. Such analysis should be very useful in building actuarial tables, Gabbard told ThirdCertainty. The company already has begun brainstorming how it might go about selling that data directly to the insurance industry, perhaps even developing a dashboard customized for underwriters.
This tech security vendor supplies managed security services and does forensics investigations of network breaches. Rook investigators respond like a cyber SWAT team to all types of cyber threats. It may be a minor data breach that is easily fixed, or a deadly cyber attack that requires teams of cyber investigators to jet around the globe.
Listen to a podcast: Drivers behind the rise of cyber insurance
Communication surrounding cyber attacks can be messy and full of mistakes that worsen the damage, according to J.J. Thompson, Rook’s CEO. So Rook’s new War Room app sets up a digital command center for tech and security teams to monitor attacks and to respond swiftly, Thompson says.
Whether Rook arrives before or after a breach, it quickly gets an inside look at the state of network security. The readiness of companies varies widely, Mike Patterson, Rook’s vice president of strategy, told ThirdCertainty. Some companies boast strong security staffs, resources and planning, while others only have one or two full-time security people—or none at all, .
“Not everyone is as prepared as they should be,” Patterson says. “But that’s changing, with much more awareness now on the importance of security and taking care of your data.”
Rook is proactively seeking to be the default option—brought in by the insurer—for post-breach incident response and forensics. It also is looking to provide a service by which Rook would be retained by a company to come in and improve security postures so that the client qualifies for cyber coverage and/or gets better pricing.
“It’s a really good opportunity to go shopping for cyber insurance because you’re going to get great rates and everyone is going to be a little bit slack on the writing terms because they want that business,” Patterson says.
ThirdCertainty’s Edward Iwata contributed to this story.
More stories related to cyber insurance:
Challenges and opportunities ahead for cyber insurance industry
Cyber insurance industry could face turf war, report warns
New exposures for SMBs spurs new need for cyber liability insurance