The increasing number of cyber attacks against businesses and organisations is not only putting companies on high alert, but it is fueling demand for cyber security cover.
The problem cannot be downplayed. According to a recent study by PricewaterhouseCoopers, 96% of business leaders have accelerated their digitisation as a result of COVID-19.
Greater digitisation means a larger cyber footprint to protect. The International Data Corporation (IDC) predicts global spending on cyber security will hit $174.7bn by 2024, and funding for non-US-based cybersecurity companies will rise by 20% in 2021.
Another study by Analysys Mason reveals that mobile device security will peak in terms of cyber attacks, with the security industry reaching $13bn by 2025 in that sector alone. Unsurprisingly, cyber insurance has become one of the fastest-growing sectors of insurance over the past two years as increased awareness in terms of potential losses has been laid bare.
In 2020, Gartner revealed an estimated $123.8bn was spent on preventing cyber security attacks worldwide. All this means that demand for the kind of cover that can provide compensation for companies in the wake of an attack has risen several-fold, while the impact of the past 12 months on the cyber risk landscape has been many-faceted.
Cyber protection and insurtech
Seth Rachlin, Global Insurance Industry Leader at Capgemini, believes insurtechs are partly responsible for the difficulties companies face when trying to protect themselves against harmful breaches.
He explains, “The cyber security market continues to grow driven by continued escalation in both the frequency and severity of cyber events. This is also resultant of the continued efforts on the part of insurance carriers to remove ‘silent cyber’ cover from property and E&O policies, and force the purchase of standalone cyber insurance. More specifically, the dramatic increase in ransomware attacks is pushing more and more companies to see cyber insurance as an essential component of their broader insurance posture.”
But it’s not just about service and products not fitting the purpose. Advances in technology are happening as much for the criminal as they are for the corporations. “The single biggest challenge relating to cyber insurance is the rapidly changing nature of cyber-crime and the need for comprehensive cover that addresses all of the relevant attack vectors and associated types of loss,” Rachlin says.
“The pace of product change and the challenge of accurately pricing evolving risk creates a landscape where the contours of cyber cover and clarity as to the risks involved in providing it struggle to keep pace with the hackers.”
Jamie Akhtar, CEO and Co-Founder of CyberSmart, agrees. He says, “One of the biggest challenges is truly assessing cyber risk and providing support to manage it, not just transfer it. There is limited visibility, particularly in small and micro-sized organisations, and traditional backwards looking / outside-in models neglect the rapidly changing and diverse nature of both tech and SMEs.”
He continues, “Insurers will need to be more proactive in guiding the insured and seek comprehensive support in risk management.”
Making sure companies are adequately protected, and assessing those protections, is essential for the industry to move forward. Thom Langford, security advocate at SentinelOne, which announced a partnership with Travelers insurance in June 2020, explains, “The main challenge is ensuring that the client is actually using and implementing effectively all of the controls that they say they are in order to reduce insurance premiums.”
He continues, “A once a year assessment is not always going to cut it, when those companies are very often proficient at passing audits anyway. Compliance to a standard does not always mean that an organisation is actually secure and following their own procedures. Ascertaining their true security posture is more challenging, and will require strong partnership and a high degree of trust between the insurtech industry and their clients.”
But Dr Mike Lloyd, Chief Technology Officer at RedSeal, a cloud security company based in California, believes insurtech companies have a way to go before they find a satisfactory solution to cyber cover. This is due to both services constantly evolving and not communicating well enough. He explains, “Cyber coverage limits are still too small, forcing brokers and customers to assemble towers, which grow more unwieldy as they get taller. The trend needs to move in the other direction – smaller towers with higher coverage per policy – but the market cannot move in that direction until insurers clearly understand the risk each client’s IT practices represent, and the degree of correlation with others.”
Lloyd also points out that creating cover that works well is down to so many different variables, and that losses accrued by a cyber attack are not always clear when agreements are drawn up.
“Policies are hard to price,” he says, “and they fall short of the desired coverage, because corporate IT networks are opaque. External assessment services can look at the Internet façade of a business and offer some measurements, but this is akin to insuring a building against fire, based on a photograph taken from across the street – you can tell whether the building is in terrible repair, or already smoking, but you really can’t see whether the internals of the building are well maintained and prepared.”
Lack of transparency is the greatest hindrance for insurtechs offering cyber cover, says Lloyd. “IT operations suffer the same problem – underwriters need reliable measures of the IT quality inside, not outside, the insured network. Customers are not willing or able to give the insurer enough visibility, so what is needed is a means to measure and report digital resilience from inside a network, providing a reliable assessment to insurers, without compromising the security of the network itself.”
But the lack of transparency happens for a reason, and insurtech companies are often the target of cyber attacks because the data they store on certain customers is highly sensitive. Lloyd explains, “Insurtech organisations face comparable challenges to law firms – neither is primarily in the business of internal digital security, and yet both come to know critical information about their clients, making them very attractive targets for cyber spies.”
He continues, “Law firms have been targeted by attackers who know that law firms are frequently easier targets than their clients, because the law firms are not IT focused, and the attackers can get valuable data about many clients at once. Insurtech needs to learn from this, or they will be the next easy target as the market matures.”
Langford agrees. He says collaboration between customer and insurer will be the only way to improve cyber cover protection. “Insurers would do well to look to their own customer base to ascertain what are best/industry practices, and what do those companies do that takes them beyond that standard without ruining their business model.”
He continues, “Ultimately the security teams of the insurtech industry and the security teams of their clients should be working together anyway to ensure that strong, meaningful and realistic controls are put in place, no matter what industry they are in. If cybercriminals work together, then the security profession needs to as well.”
Cyber insurance trends
Rachlin predicts that cyber insurance will emerge as one of the leading trends in insurtech over the next few months. He says, “Cyber insurance is one of the hottest areas within Insurtech as a number of digital-first startups and early-stage companies seek to capture the untapped market for cyber coverage for SMEs. These startups leverage AI and third party data for more accurate risk assessment and pricing and offer a suite of cyber protection services which, when combined with insurance cover, offer a truly complete cyber assurance solution for customers.”
Lloyd points out that insurtechs must fortify their own systems against attacks before offering adequate cover to effectively protect their customers. “The first obligation for insurtech is to practice what they preach,” he says. “It’s unreasonable to demand clients follow cyber due diligence thoroughly if those making the demand cannot do the same. In today’s world, this means automation of the measurement of security posture – you cannot hope to measure the risk profile of your insureds if you cannot quantify your own digital resilience ahead of future attacks. Measurement of defensive quality of IT networks is a top priority.”
Altaz Valani, Director of Insights Research at Security Compass, a cybersecurity company that provides advisory services, training, and development through SD Elements, believes customer centricity will be central to the developments taking place. “The digital transformation trend continues to disrupt traditional insurance companies. With an emphasis on customer needs, trends related to insurtech include the need for better data collection, shorter reporting cycles, and easy access to defensible reports. This also reflects an ongoing trajectory of cyber insurance maturity as more data becomes available.
“There is, therefore, a need to monitor more precisely, more frequently, and more easily in order to provide customers with enhanced or new cyber insurance coverage options.”
Akhtar adds, “Insurtechs should be looking at recognised standards for information assurance in order to guide their security programs to an assured level. This means starting with the basics - achieving UK Cyber Essentials and working up to ISO 27001. In addition to data protection, this also helps demonstrate their commitment to security and to meet customer expectations.”
Insurance companies thrive on protecting others. But when everyone is threatened, as is the case with cyber crime, big questions tend to be raised. “Who insures the insurance? I hope the big insurance companies do insure one another as well, as this needs to be a closed loop,” says Joe Shenouda, cyber security architect of Cyber Consult.
He continues, “Essential damages are generally not covered like potential future lost profits, loss of value due to theft of your intellectual property, and the cost to improve internal technology systems, including any software or security upgrades after a cyber event. This is a surprise to most companies who think their cyber insurance DOES cover all this.”
Shenouda adds, “It's going to be a game of new standards emerging to cover all the latest hacking techniques, and if you are compliant you will be in a good spot, insurance-wise. If you are not certified or are still in the process of getting certified, it's time to hurry up. You will not get coverage if you don't comply with cybersecurity standards.”
Insurtech cyber investments
Where companies will be spending budgets on cyber security in 2021
- $1.74bn on infrastructure spending
- $64.2bn on security services
- $545m on cloud security
- $10.4bn on identity access management solutions
- $11.6bn on security network equipment
*via Feedzai Financial Crime Report Q1, 2021
Altaz Valani, Director of Insights Research at Security Compass, advises, “Data protection includes both security elements and privacy elements. The security side requires assessing the risk of a data breach across many different variables including network, systems, applications, endpoint devices, and users.
“Privacy elements include access controls, encryption. Both need to be addressed, so it is not surprising to see the industry evolving security frameworks beyond just the network perimeter. The challenge is integrating the creation and collection of information digitally without slowing down or hindering customers. This can be achieved by establishing policies that map to operational procedures without introducing risk.”
Cybercrime statistics in 2021
According to a study by Feedzai, cyber fraud attacks skyrocketed in 2020:
- 650% increase in Account Take Over scams from Q4 2020 as compared to Q1 2020
- 250% increase in online banking fraud attacks
- 178% fraud rate increase for digital media
- 70% of all fraud is driven by card not present (CNP) transactions
- 48% drop in card present (CP) fraud attacks, though transaction volume only drops 20%