As threats multiply, cyber insurance and tech security industries start to merge

Gauging a company’s risk difficult as underwriters hunt for reliable data to build actuarial tables


A convergence between the cyber insurance and tech security sectors is fast gaining momentum.

If this trend accelerates, it could help commercial cyber liability policies arise as a fresh wellspring of insurance premiums just as life insurance caught on in the 1800s and auto policies took off in the 1900s.

The drivers are substantive. As companies scramble to mitigate risks posed by steadily worsening cyber threats, insurers and underwriters are hustling to meet overheated demand for cyber liability coverage. The cyber insurance market expanded by roughly 60 percent from 2014 to 2015, topping about $3 billion last year. ABI Research sees no slowing of that breakneck growth rate, and estimates the global cyber insurance market will top $10 billion by 2020.

However, for that projection to be realized, the insurance sector must somehow attain the capacity to build reliable actuarial tables fundamental to any type of insurance sales. Trouble is, gauging a company’s security posture has turned out to be a much more complex endeavor than anything the insurance industry has mastered before, such as assessing human life expectancy or calculating how much risk to assign a particular driver.

There is endless network traffic data, to be sure. But at present, there is no efficient means to bring it to bear. And to complicate things, companies fear bad publicity and often vigorously resist sharing the type of valuable attack intelligence needed to calculate risk profiles.

“It’s the wild, wild West,” says Mike Patterson, vice president of strategy at Rook Security. “Everyone is jumping in the market chasing premiums, and they are doing it without a full understanding of the risk involvement, from an underwriting perspective.”

Enter the burgeoning tech security sector. Security vendors supply some $75 billion worth of security hardware, software and services annually. And with cyber threats continuing to intensify, tech security is on track to continue growing at an estimated 5 percent to 12 percent annual rate for the next few years.

As security vendors develop and deliver ever more sophisticated prevention and detection technologies, they are amassing larger, richer data sets about the resiliency of company networks. It seems obvious to some that the accelerating convergence of insurance and security is inevitable.

“Underwriters are really trying to figure out how to quantify the risks of the policies they’re underwriting,” says Craig Hinkley, CEO of web application security vendor WhiteHat Security. “We’ve been researching our customers’ websites and web applications for 15 years, so we’re actually swimming in actuarial data right now.”

Models to watch

The questions of the moment: Who will be the early adopters? Which collaborations will emerge as enduring models? ThirdCertainty interviewed a handful of tech security vendors at the giant RSA cybersecurity conference in San Francisco in March who are testing the waters. Here’s a rundown:

WhiteHat Security

WhiteHat recently struck a partnership with Franchise Perils, an insurer of online retail websites, by which Franchise Perils will contribute toward the purchase of WhiteHat’s flagship service, Sentinel, for any online retailer purchasing a cyber policy. This amounts to a steep discount, enticing clients to use WhiteHat’s cutting-edge technology.

WhiteHat’s services include helping corporate clients test their digital defenses with a small army of ethical hackers who “attack” the company and expose weaknesses. If a company quickly fixes its vulnerabilities, WhiteHat will give it a higher score in its WhiteHat Security Index, ranging from 0 to 800—similar to a credit rating for consumers.

“That translates into a safer, more secure website and web application, which reduces the probability of you being hacked,” Hinkley says. “And that’s exactly what underwriters need to know for cyber insurance policies.”

For businesses that fix their vulnerabilities, WhiteHat guarantees that the companies will not get hacked. If they do get hacked, WhiteHat will pay up to $500,000 in remediation costs for the data breach.

FourV Systems

This startup has just introduced an innovative threat intelligence monitoring and security posture scoring system aimed, for the moment, mainly at large enterprises in financial services, health care and government.

FourV’s goal is to enable a large retailer or bank to monitor the status of its network security day-to-day, or even hour-to-hour, much as a business routinely tracks daily sales, says Casey Corcoran, vice president of strategy at FourV.

“You could tell by noon whether the pattern that you’re seeing in your risk is shaping up properly for that day of the week,” says Corcoran, a former tech executive at Jos A. Bank Clothiers. “If it’s not, you can fix it.”

FourV CEO Derek Gabbard foresees a day in the not-too-distant future when a senior executive will wake up in the morning, glance at his or her Apple Watch, and use a FourV app to check the company’s security risk index.

The idea is to create “risk discussions that are nontechnical, easy to understand, and jargon-less for the leadership team,” Gabbard says, “so that they have confidence in the work that the chief information security officer and his teams are doing.”

Once FourV gets some traction, and amasses large enough data sets, it expects to be able to see—and eventually to be able to predict—risk patterns in vertical industries. Such analysis should be very useful in building actuarial tables, Gabbard told ThirdCertainty. The company already has begun brainstorming how it might go about selling that data directly to the insurance industry, perhaps even developing a dashboard customized for underwriters.

Rook Security

This tech security vendor supplies managed security services and does forensics investigations of network breaches. Rook investigators respond like a cyber SWAT team to all types of cyber threats. It may be a minor data breach that is easily fixed, or a deadly cyber attack that requires teams of cyber investigators to jet around the globe.

Communication surrounding cyber attacks can be messy and full of mistakes that worsen the damage, according to J.J. Thompson, Rook’s CEO. So Rook’s new War Room app sets up a digital command center for tech and security teams to monitor attacks and to respond swiftly, Thompson says.

Whether Rook arrives before or after a breach, it quickly gets an inside look at the state of network security. The readiness of companies varies widely, Mike Patterson, Rook’s vice president of strategy, told ThirdCertainty. Some companies boast strong security staffs, resources and planning, while others only have one or two full-time security people—or none at all.

“Not everyone is as prepared as they should be,” Patterson says. “But that’s changing, with much more awareness now on the importance of security and taking care of your data.”

Rook is proactively seeking to be the default option—brought in by the insurer—for post-breach incident response and forensics. It also is looking to provide a service by which Rook would be retained by a company to come in and improve security postures so that the client qualifies for cyber coverage and/or gets better pricing.

“It’s a really good opportunity to go shopping for cyber insurance because you’re going to get great rates and everyone is going to be a little bit slack on the writing terms because they want that business,” Patterson says.

ThirdCertainty’s Edward Iwata contributed to this story.
