eSentire: Managing risk through cybersecurity and insurance
InsurTech Digital speaks to eSentire’s Chief Channel Officer, Bob Layton, about a growing shift in risk management to protect against cyber attacks.
With 25 years of experience in the technology industry, Layton has spent the last decade driving transformation and international expansion through channel-leveraged strategies. He has successfully created new strategy and execution models that have led to MRR growth and new routes to market in security, services, and SaaS platforms.
What is the big issue facing companies around risk management? How do they turn to cyber insurance and cybersecurity companies for help?
In general, with risk management, you want to identify risk exposures, quantify and rank those potential problems, and then respond to them. For most companies, the biggest issue they have is they don’t know how to respond effectively and in a timely way. Most teams are often small, and resources are very tight, leaving them to either accept more risks than they really want or just avoid or ignore certain risks altogether.
Certainly, the better risk management model is to look at risk reduction and risk transfer services, which is where cybersecurity and cyber insurance companies come into play. Cybersecurity companies help mitigate risks, reducing the likelihood of an incident through loss control programmes. It’s about building cyber resilience - how well you anticipate, withstand and recover from cyber attacks, to prevent your business from being disrupted.
Cyber insurance companies provide risk transfer, moving the ownership of the risk off of the company and onto the insurer. Cybersecurity implementations help companies protect their systems as much as possible, while cyber insurance policies cover costs if something goes wrong. The balance between cyber insurance and cybersecurity protection is organisations able to demonstrate strong cyber programmes are typically rewarded with lower premiums and stronger insurance policies.
Insurance and security companies are both concerned about managing risk for their customers, but are they able to speak the same language around these areas?
Insurers must speak the same language as security companies about risk management. Without ‘risk reduction’ through security companies, ‘risk transfer’ doesn’t exist. Insurers aren’t going to provide coverage to customers that don't have ‘risk reduction’ controls in place.
What does this mean in practice? Insurers have to understand what processes have been implemented and what security is in place, as well as how those implementations compare to other companies in the same sector or size of the company. This helps insurers understand potential risk levels and what ‘good’ looks like.
To build on this, insurers want to understand risk profiles, what kinds of attacks take place, and the typical impact of those attacks. For many companies, it is hard to compare ‘like with like’ when it comes to incident response times and financial impact, as this data is harder to get. But this is something that we have worked on to share that data in the right format for insurers to use in their models, so they can see the impact that attacks might have and the impact that strong security models can have in reducing risk as well.
With this, insurers are adding more technical resources – underwriters with more technical backgrounds, risk engineering teams, security engineering teams, etc. – to speak to both ‘risk reduction’ and ‘risk transfer’.
As a good partner, we are doing our part to educate our insurance partners, both in terms of threats we are seeing and controls to help mitigate those threats. In terms of new threats, we are sharing security advisories and publications from our Threat Response Unit (TRU) team regularly.
TRU’s insights provide our insurance partners with a look at what’s happening in the wild in terms of threats. And when it comes to educating our insurance partners on what controls can help mitigate common risks, we certainly will spend time with individual teams (or even individual producers), but we also work with insurers overall to provide other thought leadership content (webinars, podcasts, blogs, etc.) to educate their teams further.
Cyber insurance and cybersecurity companies should work together, but how can they make this happen in practice?
Enablement is the key. We partner with several insurers today - they lean on us to help customers with deficiencies, often during underwriting. The practical way to make this happen is to educate the insurers’ teams on which controls we can help with and then provide them with avenues to reach out, should they need help.
Insurers sometimes connect us directly to a customer or broker so that we can jointly help a customer with an overall approach to reducing risk. This helps them win business with customers that they would otherwise have to turn away as the level of risk and the policy costs would be too high.
Occasionally, we sit on marketplaces with insurers, and customers find us that way. In other cases, we provide thought leadership (webinars, blogs, live events, etc.) with our insurance partners, which drives interest that way.
Insurance companies need more data on cybersecurity to price risk and make policies available to customers, so how can they find this data and make the right fit for their actuarial models?
In general, insurers need to work with security vendors (like eSentire) that can provide useful data for modelling - this is useful both at an aggregate level and when looking at pricing individual risks.
At an aggregate level, we can provide significant data about what we are seeing. This includes overall threat intelligence such as what threats are out there and how to stop them. This helps insurers build better insurability models and requirements to bind but also helps them understand what types of customers are being targeted, how they are targeted, and where they can make improvements.
We pride ourselves on the level of asset and vulnerability data we can share to help predict which customer assets are most likely to be breached, to prioritise their remediation. This makes cyber insurance a more strategic risk management tool for customers, which improves the offer to the customer.
For individual risks, insurers have no ‘inside’ view of what’s happening in a customer’s environment. Instead, they rely on other forms of data like an application, low-level external scans on prospective customers to see their current status, and industry/claims data to underwrite and bind.
At eSentire, we have a significant amount of data about our customers in aggregate that is helpful for insurers to determine the level of risk that exists in the market and that can help both customers and insurance providers improve their security posture.
What does the future hold around cyber insurance? Will it continue to be a growth market in its own right, or will it be subsumed into the overall risk management market?
We see the cyber insurance market continuing to hold strong for the foreseeable future. Most insurers are getting better at understanding cyber threats, how likely those potential attacks are to succeed, and then underwriting risk more accurately. We saw premiums jump previously, but now they are leveling off or going down in many cases. This is a sign that insurers are getting better at pricing risk and that the market has somewhat settled.
Last year we saw a dip in ransomware attacks, and this year it’s back up - it will be interesting to see how that affects premiums later this year and into the next twelve months.
To ensure success, insurance companies must continue working hand-in-hand with security vendors to complete the overall risk management cycle. eSentire works with several insurers today to help them de-risk their portfolio and help create insurability for their insureds.