In our last post, we explored some of the structural problems affecting today’s cyber insurance market, including poor cybersecurity hygiene, aggregation risk and capital scarcity. Before cyber insurance can truly become a mainstay of the digital economy – as a widely available, widely affordable, consistently priced product – these problems need addressing. We have identified three principal levers that insurers have at their disposal:
- Mitigate individual risks through enhanced cybersecurity
- Rightsize exposure, especially for cyber catastrophes
- Expand access to capital for cyber underwriters
Pulling these levers will not unlock billions of cyber premiums overnight. However, it will create a functional cyber market and one that can be scaled sustainably – without the extreme volatility the line is seeing at present. We will look at each of these levers in our coming posts, starting today with the first: how to mitigate risks through enhanced cybersecurity.
Insurers must incentivise a new baseline in cyber risk mitigation
It is a fundamental law of insurance that bad risk brings higher premiums – and this is one factor making cyber insurance unaffordable for many firms, especially small and medium-sized businesses (SMBs). However, mitigate the risk and lower premiums will tend to follow. Thankfully, in the case of cyber, a baseline of good practice is relatively easy for firms to achieve.
Many cyber-attackers use low-tech or no-tech approaches – like social engineering – to gain unauthorised access to buildings, data and systems. Well-communicated cybersecurity policies and staff education will therefore sweep the easiest hacking opportunities off the table.
These “soft” mitigations come with the disadvantage of impacts being difficult to quantify and reflect in policy prices. Regardless, it is almost certainly a net win for insurers – or brokers – to make cybersecurity content and resources freely available to insureds via a portal or similar.
Clearly, hackers can move through the gears and bring out higher-tech tools for harder-to-crack targets. But even here, a little bit of cyber defence can go a long way. A wide variety of cybersecurity software tools exist – from firewalls and antivirus packages to encryptors and password managers – to boost baseline security, all available on a mass-market basis.
In the case of “hard” mitigations such as these, the impact on claims is more easily quantifiable. Packages are either active or they are not, and they mean broadly the same thing from one implementation to another. Significant loss comparisons can therefore be drawn between different groups of insureds, opening the door to more sophisticated pricing.
It’s no surprise then to see a majority of players using risk-scanning tools (either first-party or via vendors) for underwriting, giving themselves a point-in-time reading of firms’ defences:
Source: Cyber Insurance – The Market’s View; PartnerRe and Advisen, 2021
These sorts of diagnostic tools will help insurers identify and reward good practice, either in the form of premium discounts or rebates on the purchase of security software; meanwhile, bad risks can be excluded. This all incentivises risk mitigation among insureds, which leads to better cybersecurity hygiene, lower losses and therefore lower premiums for the market as a whole – going some way towards solving the line’s affordability problem.
Towards real-time cyber risk-engineering with digital twins
Instilling a new baseline for good cybersecurity is a clear net win, but it isn’t the endgame – for hackers have more gears still. Because they can tap a global network of illicit expertise and will often probe company perimeters over many months, static defences – even constituting best practice – do not lastingly reduce risk. A more active, real-time approach is called for.
As we saw in our graphic above, cyber risk-scanning is by now well established. However, of those players scanning risks at the point of underwriting, only 37% are also doing so across the subsequent policy lifecycle. Repeat or continuous monitoring helps ensure that cyber defences remain up to date and that new vulnerabilities are addressed as fast as possible, so we expect this practice to gain broader acceptance in the years ahead.
Ultimately, diagnostic scans will give way to predictive analytics leveraging digital twins.
Digital twinning is the creation of a replica network, meaning different “what if” scenarios can be tested whilst the real network remains untouched. This allows for continuous stress-testing, uncovering potential vulnerabilities before they arise. And by combining digital twins with self-learning AI, security teams can simulate the open-ended nature of a cyberattack, whereby a smart programme springs untold nasty surprises on the replica – but not real! – network.
Effectively, this is a way to stay ahead of the hackers by becoming a hacker yourself, getting to the bottom of your own weaknesses first and pre-empting any exploitation of them. In concrete terms, this kind of blank-slate scenario-planning with digital twins yields a set of risks scored by likelihood and business impact, empowering security teams to allocate resources efficiently – and, in theory at least, underwriters to dynamically price risk.
Source: Accenture Insurance Technology Vision 2021
So far, insurers have been slow to adopt digital twins, largely sitting at the experimentation stage. However, cybersecurity is proving to be a major driver for digital-twin adoption more broadly – so the cyber sector may be a good place for insurers to build out their efforts. Either way, 68% of insurance executives expect their organisations’ broad investment into digital twins to increase over the next three years (Accenture Insurance Technology Vision 2021).
Combining cyber insurance and mitigation through ecosystem partnerships
Developing a superior pricing model for a specific piece of security software – and then offering that superior price within the software’s footprint – unlocks previously priced-out demand and brings cyber insurers instant positional advantage in a widely unaffordable market. The quickest way to build these pricing models is through customer scale and broad exposure to different types of security software. And ecosystems offer a promising path forward.
In recent years, we have seen cyber insurers partner with cyber tech firms to offer risk management and risk transfer as a single bundle.
The efficacy of bundling is creating opportunities for other players in the distribution chain also. Managing General Agencies (MGAs) and brokers, with their customer proximity and sector specialisation, may be better placed than carriers to take care of the risk-management aspects, as well as any issues around the sharing of highly sensitive customer data.
Cover could be brought even closer to customers still, in the form of embedded insurance – with cyber tech firms selling white-labeled cover through their software suites. And with global spending on cybersecurity services as a whole dwarfing cyber insurance GWP, it may be more natural for buyers to get their cover via cybersecurity providers than their cybersecurity via cover providers.
The ultimate victors of this development may not be individual tech firms but rather managed security service providers (MSSPs). These could prove an efficient way to package multiple discrete cyber services and distribute them to small and medium-sized businesses (SMBs).
Source: Valuates Reports (June 2021)
Managed security has taken off because, typically, SMBs don’t have the resources for an in-house cybersecurity function. Nor are they well served by one-to-many relationships with lots of different tech vendors, brokers and insurers. By comparison, a one-to-one relationship with an MSSP could bring SMBs up-to-date cybersecurity software together with risk-adjusted insurance prices in a manner that’s both contractually straightforward and low on friction.
By boosting mitigation – be it through actuarially grounded financial incentives or distribution of security services – cyber insurers can reduce the likelihood of loss on individual accounts. This will help bring down the price of cover and grow the cyber insurance market through wider uptake. And mitigation is just one lever for improving today’s model.
In our next post, we consider two further levers insurers can pull: rightsizing exposures and expanding access to underwriting capital. Through action at multiple levels, we believe insurers can bring about a cascade of positive change in the cyber market – to the benefit of the overall digital economy.