Cyber trends 2021: IT security in insurtech
The increasing number of cyber attacks against businesses and organisations is not only putting companies on high alert but also fuelling demand for cyber security cover.
The problem cannot be downplayed. According to a recent study by PricewaterhouseCoopers, 96% of business leaders have accelerated their digitisation as a result of COVID-19.
Greater digitisation means a larger cyber footprint to protect. The International Data Corporation (IDC) predicts global spending on cyber security will hit $174.7bn by 2024, and funding for non-US-based cybersecurity companies will rise by 20% in 2021.
Another study by Analysys Mason reveals that mobile device security will peak in terms of cyber attacks, with the security industry reaching $13bn by 2025 in that sector alone. Unsurprisingly, cyber insurance has become one of the fastest-growing sectors of insurance over the past two years as increased awareness in terms of potential losses has been laid bare.
In 2020, Gartner revealed an estimated $123.8bn was spent on preventing cyber security attacks worldwide. All this means that demand for the kind of cover that can provide compensation for companies in the wake of an attack has risen several-fold, while the impact of the past 12 months on the cyber risk landscape has been many-faceted.
Cyber protection and insurtech
Seth Rachlin, Global Insurance Industry Leader at Capgemini, believes insurtechs are partly responsible for the difficulties companies face when trying to protect themselves against harmful breaches.
He explains, “The cyber security market continues to grow driven by continued escalation in both the frequency and severity of cyber events. This is also resultant of the continued efforts on the part of insurance carriers to remove “silent cyber” cover from property and E&O policies, and force the purchase of standalone cyber insurance. More specifically, the dramatic increase in ransomware attacks is pushing more and more companies to see cyber insurance as an essential component of their broader insurance posture.”
But it’s not just about service and products not fitting the purpose. Advances in technology are happening as much for the criminal as they are for the corporations. “The single biggest challenge relating to cyber insurance is the rapidly changing nature of cyber-crime and the need for comprehensive cover that addresses all of the relevant attack vectors and associated types of loss,” Rachlin says.
“The pace of product change and the challenge of accurately pricing evolving risk creates a landscape where the contours of cyber cover and clarity as to the risks involved in providing it struggle to keep pace with the hackers.”
Jamie Akhtar, CEO and Co-Founder of CyberSmart, agrees. He says, “One of the biggest challenges is truly assessing cyber risk and providing support to manage it, not just transfer it. There is limited visibility, particularly in small and micro-sized organisations, and traditional backwards looking / outside-in models neglect the rapidly changing and diverse nature of both tech and SMEs.”
He continues, “Insurers will need to be more proactive in guiding the insured and seek comprehensive support in risk management.”
Making sure companies are adequately protected, and assessing those protections, is essential for the industry to move forward. Thom Langford, security advocate at SentinelOne, which announced a partnership with Travelers insurance in June 2020, explains, “The main challenge is ensuring that the client is actually using and implementing effectively all of the controls that they say they are in order to reduce insurance premiums.”
He continues, “A once a year assessment is not always going to cut it, when those companies are very often proficient at passing audits anyway. Compliance to a standard does not always mean that an organisation is actually secure and following their own procedures. Ascertaining their true security posture is more challenging, and will require strong partnership and a high degree of trust between the insurtech industry and their clients.”
But Dr Mike Lloyd, Chief Technology Officer at RedSeal, a cloud security company based in California, believes insurtech companies have a way to go before they find a satisfactory solution to cyber cover. This is due to both services constantly evolving and not communicating well enough. He explains, “Cyber coverage limits are still too small, forcing brokers and customers to assemble towers, which grow more unwieldy as they get taller. The trend needs to move in the other direction – smaller towers with higher coverage per policy – but the market cannot move in that direction until insurers clearly understand the risk each client’s IT practices represent, and the degree of correlation with others.”
Lloyd also points out that creating cover that works well is down to so many different variables, and that losses accrued by a cyber attack are not always clear when agreements are drawn up.
“Policies are hard to price,” he says, “and they fall short of the desired coverage, because corporate IT networks are opaque. External assessment services can look at the Internet façade of a business and offer some measurements, but this is akin to insuring a building against fire, based on a photograph taken from across the street – you can tell whether the building is in terrible repair, or already smoking, but you really can’t see whether the internals of the building are well maintained and prepared.”
Lack of transparency is the greatest hindrance for insurtechs offering cyber cover, says Lloyd. “IT operations suffer the same problem – underwriters need reliable measures of the IT quality inside, not outside, the insured network. Customers are not willing or able to give the insurer enough visibility, so what is needed is a means to measure and report digital resilience from inside a network, providing a reliable assessment to insurers, without compromising the security of the network itself.”
But the lack of transparency happens for a reason - and insurtech companies are often the target of cyber attacks because the data they store on certain customers is highly sensitive. Lloyd explains, “Insurtech organisations face comparable challenges to law firms – neither is primarily in the business of internal digital security, and yet both come to know critical information about their clients, making them very attractive targets for cyber spies.”
He continues, “Law firms have been targeted by attackers who know that law firms are frequently easier targets than their clients, because the law firms are not IT focused, and the attackers can get valuable data about many clients at once. Insurtech needs to learn from this, or they will be the next easy target as the market matures.”
Langford agrees. He says collaboration between customer and insurer will be the only way to improve cyber cover protection. “Insurers would do well to look to their own customer base to ascertain what are best/industry practices, and what do those companies do that takes them beyond that standard without ruining their business model.”
He continues, “Ultimately the security teams of the insurtech industry and the security teams of their clients should be working together anyway to ensure that strong, meaningful and realistic controls are put in place, no matter what industry they are in. If cybercriminals work together, then the security profession needs to as well.”
Cyber insurance trends
Rachlin predicts that cyber insurance will emerge as one of the leading trends in insurtech over the next few months. He says, “Cyber insurance is one of the hottest areas within Insurtech as a number of digital-first startups and early-stage companies seek to capture the untapped market for cyber coverage for SMEs. These startups leverage AI and third party data for more accurate risk assessment and pricing and offer a suite of cyber protection services which, when combined with insurance cover, offer a truly complete cyber assurance solution for customers.”
Lloyd points out that insurtechs must fortify their own systems against attacks before offering adequate cover to effectively protect their customers. “The first obligation for insurtech is to practice what they preach,” he says. “It’s unreasonable to demand clients follow cyber due diligence thoroughly if those making the demand cannot do the same. In today’s world, this means automation of the measurement of security posture – you cannot hope to measure the risk profile of your insureds if you cannot quantify your own digital resilience ahead of future attacks. Measurement of defensive quality of IT networks is a top priority.”
Altaz Valani, Director of Insights Research at Security Compass, a cybersecurity company that provides advisory services, training, and development through SD Elements, believes customer centricity will be central to the developments taking place. “The digital transformation trend continues to disrupt traditional insurance companies. With an emphasis on customer needs, trends related to insurtech include the need for better data collection, shorter reporting cycles, and easy access to defensible reports. This also reflects an ongoing trajectory of cyber insurance maturity as more data becomes available.
“There is, therefore, a need to monitor more precisely, more frequently, and more easily in order to provide customers with enhanced or new cyber insurance coverage options.”
Akhtar adds, “Insurtechs should be looking at recognised standards for information assurance in order to guide their security programs to an assured level. This means starting with the basics - achieving UK Cyber Essentials and working up to ISO 27001. In addition to data protection, this also helps demonstrate their commitment to security and to meet customer expectations.”
Insurance companies thrive on protecting others. But when everyone is threatened, as is the case with cyber crime, big questions tend to be raised. “Who insures the insurance? I hope the big insurance companies do insure one another as well, as this needs to be a closed loop,” says Joe Shenouda, cyber security architect of Cyber Consult.
He continues, “Essential damages are generally not covered like potential future lost profits, loss of value due to theft of your intellectual property, and the cost to improve internal technology systems, including any software or security upgrades after a cyber event. This is a surprise to most companies who think their cyber insurance DOES cover all this.”
Shenouda adds, “It's going to be a game of new standards emerging to cover all the latest hacking techniques, and if you are compliant you will be in a good spot, insurance-wise. If you are not certified or are still in the process of getting certified, it's time to hurry up. You will not get coverage if you don't comply with cybersecurity standards.”
Insurtech cyber investments
Where companies will be spending budgets on cyber security in 2021
- $1.74bn on infrastructure spending
- $64.2bn on security services
- $545m on cloud security
- $10.4bn on identity access management solutions
- $11.6bn on security network equipment
*via Feedzai Financial Crime Report Q1, 2021
Altaz Valani, Director of Insights Research at Security Compass, advises, “Data protection includes both security elements and privacy elements. The security side requires assessing the risk of a data breach across many different variables including network, systems, applications, endpoint devices, and users.
“Privacy elements include access controls, encryption. Both need to be addressed, so it is not surprising to see the industry evolving security frameworks beyond just the network perimeter. The challenge is integrating the creation and collection of information digitally without slowing down or hindering customers. This can be achieved by establishing policies that map to operational procedures without introducing risk.”
Cybercrime statistics in 2021
According to a study by Feedzai, cyber fraud attacks skyrocketed in 2020:
- 650% increase in Account Take Over scams from Q4 2020 as compared to Q1 2020
- 250% increase in online banking fraud attacks
- 178% fraud rate increase for digital media
- 70% of all fraud is driven by card not present (CNP) transactions
- 48% drop in card present (CP) fraud attacks, though transaction volume only drops 20%
SLK Software: Optimising performance in the digital economy
Established in 2000 in Bengaluru, India, SLK Software recognises that fast-paced digital transformation is creating an unprecedentedly fertile period of opportunity for global businesses.
As such, with a firm belief in the power of simplification and automation to yield new and exciting experiences, the company has been challenging the status quo for over 20 years through an approach that is:
- Relationship oriented
- Strategically focused on a desired outcome
- Reliant on automation tech
Believing in purposeful automation
SLK’s specialisation in automation tech is full spectrum: artificial intelligence (AI) and machine learning (ML), Computer Vision, Natural Language Processing (NLP), Robotic Process Automation (RPA), and more, are all part of its core competencies.
Citing 90% productivity improvements, 30% business growth through better customer experiences, and up to 20x faster go-to-market capabilities, the reasons for its focus are clear.
The company currently serves the banking, financial services, insurance, retirement services, M&A, manufacturing, and supply chain sectors. Solutions offered include:
- Intelligent Business Transformation
- Agile IT Automation
Accelerating workflow processes
The latter is a tool specifically calibrated to give business users an easy method for capturing document processes. This can occur across any application, with these individual tasks then seamlessly combined for both improved compliance and governance.
Carol Castelloni, VP of Transformation at CNA Insurance, highlighted this as providing critical support in helping the company meet its business objectives:
“SLK’s Avo Discover tool accelerates how we can document workflow processes, measure impacts on enhancements, and identifies future automation opportunities.” Liberated from having to focus on these process-driven aspects of business, CNA Insurance has been able to refocus its attention on creative problem-solving instead.
Ultimately, this is the most important benefit that SLK brings: it optimises the back end so that clients can channel their energy towards what matters the most, customers.
Read more about SLK Software and CNA Insurance in the June 2021 edition of FinTech Magazine.