In our previous post, we examined some of the structural issues affecting today’s cyber insurance market, including poor cyber security hygiene, risk of aggregation and lack of capital. Before cyber insurance can truly become a mainstay of the digital economy – as a widely available, universally affordable product with consistent pricing – these problems need to be addressed. We have identified three main levers that the insurance companies have at their disposal:
- Reduce individual risks through improved cyber security
- Right-size exposure, especially for cyber disasters
- Increase access to capital for cyber guarantees
Pulling on these levers will not unlock billions of cybercrimes overnight. However, it will create a functional cyber market and one that can be scaled in a sustainable way – without the extreme volatility that the line currently sees. We will look at each of these levers in our upcoming posts, starting today with the first: how to reduce risks through improved cyber security.
Insurers must justify a new baseline for limiting cyber risks
It is a basic insurance law that bad risk results in higher premiums – and this is a factor that makes cyber insurance unaffordable for many companies, especially small and medium-sized enterprises (SMEs). However, reduce the risk and lower premiums tend to follow. Thankfully, when it comes to cyber, a baseline for good practice is relatively easy for companies to achieve.
Many cyber-attackers use low-tech or non-technical methods – such as social engineering – to gain unauthorized access to buildings, data and systems. Well-communicated cyber security policies and staff training will therefore sweep the simplest hacking opportunities off the table.
These “soft” measures have the disadvantage that their effects are difficult to quantify and reflect in policy prices. Regardless, it is almost certainly a net gain for insurers – or brokers – to make cybersecurity content and resources freely available to policyholders through a portal or the like.
It is obvious that hackers can go through the gears and develop high-tech tools for harder-to-crack targets. But even here, a little cyber defense can go a long way. There is a wide range of software tools for cyber security – from firewalls and antivirus packages to encryption and password managers – to increase basic security, all available on a mass market basis.
In the case of “hard” controls such as these, the effects on claims are more easily quantified. The packages are either active or not, and they mean pretty much the same thing from one implementation to another. Meaningful claims comparisons can therefore be made between different groups of insureds, which opens the door to more sophisticated pricing.
It is then no surprise to see a majority of players using risk scanning tools (either from first parties or through suppliers) for issue guarantees and giving themselves a reading of the companies’ defenses:
Source: Cyber Insurance – Market View; PartnerRe and Advisen, 2021
This type of diagnostic tool will help insurers identify and reward good practice, either in the form of premium rebates or rebates when purchasing security software; meanwhile, bad risks can be ruled out. All this stimulates risk reduction among insureds, which leads to better cyber security hygiene, lower losses and therefore lower premiums for the market as a whole – which goes a long way towards solving the line’s affordability problems.
Towards real-time cyber-risk technology with digital twins
Creating a new baseline for good cyber security is a clear net gain, but it’s not the end game – for hackers have even more tools. Because they can leverage a global network of illegal expertise and often examine the company’s perimeter for many months, static defenses – even best practices – do not permanently reduce the risk. A more active approach in real time is required.
As we saw in our graphic above, cyber risk scanning is well established by now. But of the players who scan risks at the time of subscription, only 37% also do so during the subsequent policy life cycle. Repeated or continuous monitoring helps to ensure that cyber defenses remain up to date and that new vulnerabilities are addressed as quickly as possible, so we expect this practice to gain wider acceptance in the coming years.
Ultimately, diagnostic scans will give way to predictive analytics that utilize digital twins.
Digital twinning is the creation of a replica network, which means that different “what if” scenarios can be tested while the real network remains untouched. This enables continuous stress tests and reveals potential vulnerabilities before they occur. And by combining digital twins with self-learning AI, security teams can simulate the open-ended nature of a cyberattack, with a smart program springing countless nasty surprises on the replica – but not the real – network.
This is actually a way to stay ahead of the hackers by becoming hackers yourself: get to the bottom of your own weaknesses first and prevent any exploitation of them. In concrete terms, this type of isolated scenario planning with digital twins provides a set of risks that are weighted according to probability and business impact, which gives security teams the opportunity to allocate resources efficiently – and, at least in theory, gives insurers the opportunity to dynamically price risks.
Source: Accenture Insurance Technology Vision 2021
So far, insurance companies have been slow to adopt digital twins, with efforts largely at the experimental stage. However, cybersecurity has proven to be an important driver for the adoption of digital twins more generally – so the cyber sector can be a good place for insurance companies to expand their efforts. And 68% of insurance executives expect their organizations’ broad investment in digital twins to increase over the next three years (Accenture Insurance Technology Vision 2021).
Combine cyber insurance and risk mitigation through ecosystem partnerships
Developing a superior pricing model for a specific security software – and then offering the superior price within the software’s footprint – unlocks previously priced-out demand and gives cyber insurance companies immediate positional advantages in a very unaffordable market. The fastest way to build these pricing models is through customer scale and broad exposure to different types of security software. And ecosystems offer a promising way forward.
In recent years, we have seen cyber insurance companies collaborate with cyber technology companies to offer risk management and risk transfer as a single package.
The efficiency of packaging also creates opportunities for other players in the distribution chain. Managing General Agents (MGAs) and brokers, with their customer proximity and sector specialization, may be better placed than carriers to take care of the risk management aspects, as well as all issues related to the sharing of very sensitive customer data.
Coverage could be brought even closer to customers, in the form of built-in insurance – with cyber technology companies selling white-labeled coverage through their software suites. And with the global spending on cybersecurity services as a whole reducing the GWP of cyber insurance, it may be more natural for buyers to get their coverage through cybersecurity providers than their cybersecurity through coverage providers.
The ultimate winners of this development may not be individual technology companies but rather providers of managed security services (MSSPs). These can prove to be an effective way to package several discrete cyber services and distribute them to SMEs.
Source: Valuates Reports (June 2021)
Managed security has gained momentum because SMEs usually do not have the resources for an internal cyber security function. They are also not well served by one-to-many relationships with many different technical suppliers, brokers and insurance companies. By comparison, a one-to-one relationship with an MSSP can bring SMEs up-to-date cybersecurity programs together with risk-adjusted insurance rates in a way that is both contractually uncomplicated and low-friction.
By increasing risk mitigation – whether through insurance-based financial incentives or the distribution of security services – cyber insurance companies can reduce the likelihood of loss on individual accounts. This will help lower the price of coverage and grow the cyber insurance market through a wider spread. And mitigation is just one lever to improve today’s model.
In our next post, we will consider two more levers that insurance companies can pull: right-sizing exposures and expanding access to insurance capital. Through measures at several levels, we believe that insurance companies can bring about a cascade of positive change in the cyber market – to the benefit of the overall digital economy. To learn more in the meantime, download our full cyber insurance report. And if you want to discuss any of the ideas in this series further, please contact us.