The most active players in the fledgling but fast-growing cyber insurance market are hustling to differentiate themselves.
The early adopters and innovators are doing so by accelerating the promotion of value-added services—tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.
As more businesses look to purchase cyber liability policies, insurance sellers are striving to dial up the right mix of such services, a blend that can help them profitably meet this pent-up demand without taking on too much risk.
The incentive is compelling: consultancy PricewaterhouseCoopers estimates that the cyber insurance market will grow from about $2.5 billion in 2014 to $7.5 billion by 2020. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.
This anticipated growth in demand for cyber liability coverage, coupled with the comparatively low level of loss claims, has created strong competition in this nascent market.
The Insurance Information Institute estimated last year that about 60 companies offered standalone cyber liability policies. In total, more than 500 insurers provide some form of cyber risk coverage, according to a recent analysis by the National Association of Insurance Commissioners.
“There are quite a few players, so they are looking for ways to differentiate themselves and find competitive edges,” says David K. Bradford, co-founder and chief strategy officer for Advisen, an insurance research and analysis company.
Insurance companies make adjustments
Insurance carriers hot after a piece of this burgeoning market are beginning to offer value-added services to make their cyber offerings stand out.
Rather than growing these services in-house, most are partnering with vendors and consultants that specialize in awareness training, network security and data protection. Services that boost the value of cyber policies are being supplied for free, or offered at a discount.
Typical cyber insurance value-added services include:
• Phishing and cyber hygiene awareness training
• Incident response planning
• Security risk assessments
• Best practices web portals and software-as-a-service tools
• Threat detection services
• Employee and customer identity theft coverage
• Breach response services
One measure of value-added services gaining traction comes from the Betterley Report, which recently surveyed 31 carriers that offer cyber policies. Betterley found that about half offered “active avoidance services,” while nearly all offered some sort of pre-breach planning tools.
Rick Betterley, president of Betterley Risk Consultants, which publishes the Betterley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be better protected,” he says.
Betterley is a big proponent of adding risk-management services to cyber policies. He calls it Cyber 3.0, adding that it’s akin to the notion of insuring a highly protected risk in a property insurance policy. Cyber value-added services, he says, are the equivalent of fire insurance companies requiring sprinklers.
“It’s not required that insurance companies provide the services, but it’s required that they help insureds identify what services are likely to generate a reduction in premiums,” Betterley says.
Sector faces new challenges
That said, the cyber insurance sector is still finding its way. With auto crashes, fire or natural disasters, losses are well defined and fully understood. Cyber exposures, by contrast, are hard to pin down. Network vulnerabilities are extremely complex and continually evolving. And historic data on insurance claims related to data breaches remains, at least for the moment, in short supply.
An added challenge, Betterley says, is that insurance companies are unable to satisfactorily measure the effectiveness of security technologies and services in preventing a data breach.
Advisen’s Bradford agrees. “It’s a rapidly evolving area that changes day to day, and underwriters are definitely wary of recommending a particular vendor or approach,” he says.
Eventually, the insurance industry will figure out how to make meaningful correlations and separate the wheat from the chaff.
“In bringing in these value-added services, we can help shore up some of those areas where we’re seeing human error,” observes Dave Wasson, cyber liability practice leader at Hays Cos., a commercial insurance brokerage and risk management consultancy. “We’ll be at a point where we’ll know what makes a difference and we can put our money, time and efforts into those solutions.”
Eric Hodge, director of consulting at CyberScout Solutions, part of CyberScout, which underwrites ThirdCertainty.com, concurs. One ironic result of the recent ongoing spike of ransomware attacks aimed at businesses, Hodge notes, is that more hard data is getting generated that is useful for calculating loss profiles.
Along the same lines, settlements of class-action lawsuits related to breaches of high-profile retailers, such as Target and Sony, are helping amass data that will help the industry flesh out evolving actuarial tables.
“Losses from cyber attacks and data breaches are becoming easier to quantify,” Hodge says. “And market forces are absolutely lining up to reward the wider use of these activities. It’s harder to ignore the fiscal argument for an insurer to go the extra mile in helping the insured organizations make sure that a costly breach doesn’t occur.”
AIG blazes trail
One notable proponent leading the way is multinational insurance giant AIG, which is nurturing partnerships with about a half-dozen cybersecurity vendors.
AIG services—some of which are offered to policyholders at no cost—range from threat intelligence and cyber risk maturity assessments to active detection and vulnerabilities assessments.
RiskAnalytics, one of AIG’s partner vendors, provides threat intelligence services, including a service that detects and shuns blacklisted IP addresses. Any AIG insured with a minimum $5,000 policy can participate at no additional cost to them.
The company’s partnership is exclusive to AIG, and appears to be very popular.
“We’re bringing in multiyear contracts and the average sales price is on an impressive trajectory,” says RiskAnalytics Chief Operative Officer Kurt Lee. “It’s all born out of (customers) using that (introductory) service through the policy.”
Recognizing the trend, more vendors are seizing the opportunity to market their services to insurance carriers.
Vendors are willing to jump through the many hoops because a partnership with an insurance company is an opportunity to get a soft introduction to a potential client, says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider (MSSP) that is proactively reaching out to carriers.
As with any new approach, broad adoption of cyber insurance value-added services isn’t without hurdles. One major obstacle is the “‘this-isn’t-how-we’ve-always-done-it’ way of thinking,” observes CyberScout’s Hodge. “It’s like trying to change our election processes—people resist altering a system that has been in place for a couple hundred years.”
Another barrier is cost. Insurance companies tend to reserve free or discounted added services for heavyweight clients that spend small fortunes on annual premiums, says John Farley, vice president and cyber risk practice leader at insurance brokerage HUB International.
“Carriers can’t give away a lot of resources, so the smaller premium payers are not getting a lot of these services,” Farley says. “But if they can streamline and automate resources and figure out how to get customizable, usable information to the insurance buyer, that insurance carrier will probably stand out.”
Brian Branner, RiskAnalytics’ executive vice president, says that’s exactly one of the benefits that AIG derives from their partnership.
“If we can get the insureds to use the services we provide, we should lower AIG’s loss ratio because they’ll be safer organizations, and AIG should receive less claims,” he says.
Hidden costs of a breach can impact a large enterprise for years, and prove catastrophic to a small business. So insurance companies in the vanguard are looking to find business clients that are taking information security seriously.
As more companies buy cyber policies, and use any attendant services, the result could be a halo effect, says CyberScout’s Hodge.
“This is certainly something that the insurers are counting on,” Hodge says. “A more secure buyer is a lower actuarial risk to the insurer.”
Meanwhile, policyholders should steadily become better equipped to securely do business in an Internet-centric economy riddled with evolving exposures.
Says Hodge: “In my experience, the buyer is often pleasantly surprised by the improvement that can come about quickly in terms of knowing their risk, being compliant with their industry standards, and being able to indicate to the marketplace that they are taking good care of their customer’s information.”