Tag Archives: gdpr

Myth Busting on GDPR Insurance Policies

As we approach the one year anniversary of GDPR implementation, we have seen that many companies still don’t understand how the privacy regulation works or how to properly mitigate the risk. Earlier this year, Google, one of the largest technology companies in the world, was fined $57 million for a GDPR breach in France.

If companies with as many resources as Google are facing fines, how can far smaller businesses address this risk? One effective solution is to mitigate the risk through cyber insurance policies. Insurance helps businesses self-regulate their actions and acts as the last line of defense in the event of a major fine. But, not all policies are created equal, and it can be difficult to navigate the oftentimes confusing language in various insurance policies.

I’ve spent time evaluating numerous policies and examining GDPR-specific risks—even more so since my company, Coalition, developed a policy tailored to address GDPR. From this review, some myths and truths from GDPR became clear. Here are a few:

Myth: Only big companies and big fines matter

It is important to recognize that big businesses are not the only target of GDPR. While it is true that any business can be penalized, it’s safe to say that the largest fines are for the largest companies and the most egregious violations. However, this doesn’t mean that smaller fines and smaller offences aren’t being monitored.

In fact, smaller fines are levied on a regular basis. For example, one GDPR fine of $5,400 was issued for a retail establishment’s CCTV camera system that partially surveyed a public sidewalk. Even though it didn’t involve an egregious failure, nor an enormous company, action was taken and a fine levied. This points out two elements of GDPR that are myths: that only large companies and large fines matter. To a smaller company, any fine and attorney’s fees is enough to be deadly, and countries are monitoring activity for all companies.

See also: What GDPR Means for Insurtech  

Myth: Only European businesses need to comply with GPDR

Last year, the number of companies offering cyber insurance in the Lloyd’s of London commercial insurance market jumped more than 20%. According to Lloyd’s chief executive, gross written premiums for European cyber insurance could reach more than $2 billion annually by 2020, partly as a result of GDPR.

While this growth supports the fact that E.U. businesses need to mitigate the risk of compliance with GDPR, it fails to acknowledge that U.S. companies are also subject to GDPR. This is because GDPR has a much wider scope than just European companies. It protects personal data even across the Atlantic. Accordingly, a U.S. company can just as easily violate GDPR when collecting, using or maintaining data regarding E.U. citizens. Come time for fines, if a business only collects a third of its revenue from European customers, it will still be fined on its revenue from all markets. Therefore, businesses outside of Europe need to evaluate GDPR compliance and insurance, as well.

Myth: A vendor’s breach does not affect my company

Your business is liable if your trusted vendor lost your data. Therefore, you may consider requiring that your vendors procure GDPR insurance policies, naming your company as an additional insured. If your company was entrusted with data, you are liable even if one of your vendors loses the information.

Truth: Risk mitigation can help

A 2018 study of privacy professionals found that 56% of respondents were at companies that were not yet compliant with GDPR, and 19% said that their companies would never be fully compliant. This is clearly an unsustainable approach to GDPR.

Mitigation techniques are a crucial aspect of a good policy. Leading insurance companies help businesses comply with regulations by educating them and evaluating their privacy practices. The use of these techniques, in turn, help protect businesses against allegations.

Truth: The right cyber insurance policy could save your business.

From the day GDPR went into effect, May 25 of last year, to the end of this past January, there have been 91 GDPR fines issued. That is more than two fines per week. To purchase an insurance policy that will allow your business to survive a fine, it is paramount to review what specifically is covered. It is important to protect your company with a policy that covers you not only in the event of security failures and data breaches but also when often-forgotten repercussions arise regardless of whether data was compromised.

GDPR is unique in that it codifies privacy regulations. Not only are companies fined if they expose customer data as a result of a cyber breach, but companies are also receiving penalties for failure to follow their own privacy policies.

See also: Europe’s New Data Breach Requirements

Not following your own privacy policies is called “failure to comply” and can result in fines from GDPR. For example, if your company says in its privacy policy that it will delete certain information, which is also known as “the right to be forgotten,” it must hold up its promise. Failure to comply with that very privacy policy could result in fines and penalties. To mitigate this risk, companies should review their privacy policies regularly and also ensure that failure to comply is included in their chosen GDPR insurance policy.

Truth: Take action now

GDPR has been in effect for almost a year, so, if you haven’t yet taken measures to prepare your company for the event of a fine, do so now. Whether your company is big or small, it’s important you consider a GDPR insurance policy, and when you look be sure to find a policy that both covers fines resulting from a cyber breach and from failure to comply. Additionally, look to see if the insurance provider offers risk mitigation techniques and evaluate the provider’s payout limit. It can also be important to review the vendors critical to your business and encourage them to procure coverage as well to avoid a business disruption or third-party liability. With these considerations in mind, your business will be ready to purchase a policy that will prevent you from going under in the event of a fine.

Blockchain, Privacy and Regulation

The past several months have seen increased activity and focus on the promising technology of blockchain and its potential in the insurance industry. Blockchain has also reemerged as an important issue in the European Union (EU) following the go-live date of the General Data Protection Regulation (GDPR) on May 25 of this year.

As a side note to U.S. policymakers, including the California legislature, the GDPR was adopted two years before its effective date. There was a reason for that. There will be a considerable amount of scrambling in Sacramento this year as efforts are made to clarify the scope and limit the unintended consequences of the hastily enacted California Consumer Protection Act 0f 2018 (CCPA). Virtually everyone in the insurance environment – including startup and established insurtechs – need to keep a very close eye on what emerges during this effort in 2019.

Regardless, it is important for all those dealing with technology to understand how the E.U. is dealing with issues such as blockchain. Businesses in California should be paying particularly close attention to how the E.U. is attempting to reconcile GDPR and emerging technologies while the CCPA is moving inexorably to its effective date of Jan. 1, 2020. Multinational companies are already dealing with GDPR compliance given its long extraterritorial reach. Inevitably, how the E.U. is dealing with privacy will serve as at least a partial template for how privacy issues will be dealt with in the U.S.

E.U. commissioners are currently attempting to sort out the interaction between GDPR and blockchain technology. It is not a nice fit. To foster a dialogue on this issue, the E.U. Blockchain Observatory and Forum was created as a European Parliament pilot project. Per its website, the observatory’s mission is to monitor blockchain initiatives in Europe, produce a comprehensive source of blockchain knowledge, create an attractive and transparent forum for sharing information and opinion and make recommendations on the role the E.U. could play in blockchain.

On Oct. 16 of this year, the E.U. Blockchain Observatory and Forum published a thematic report, “Blockchain and the GDPR.” As noted in the report regarding blockchain and GDPR compliance:

“The issue of compliance of blockchain with GDPR is an important one. By specifying how personal data is to be protected, the GDPR will play a fundamental role in shaping digital markets in the Union. Considering its strong support of this nascent technology, the European Union clearly believes that blockchain technology has an equally important role in these markets, too, offering new paradigms for the ways we transact and interact with each other.” (Report, p.8)

See also: Blockchain’s Future in Insurance  

What is not clear at this point in time is how blockchain can flourish while remaining compliant with GDPR. There are those who think the fundamental structure of blockchain is irreconcilable with GDPR. That opinion is not prevailing at this time. As noted repeatedly in the report, GDPR compliance is not about the technology, it is about how the technology is used. There are clearly issues, even with private consortium blockchains, that need to be fully understood. The issue isn’t just where the data are housed, the issues also include who controls the data and, as the report repeatedly emphasizes, how that data are used.

The E.U. is ahead of the U.S. in efforts to balance the rights of natural persons regarding their own personal information and the improvements that can come from technological innovation. While various sectors of the economy, including insurance, seem to be gushing about the possibilities of blockchain, there is a singular silence about how this environment will comply with the host of state and federal requirements placed on all the participants in this distributed ledger technology. This isn’t just about privacy in general and the CCPA in particular, although the CCPA could disrupt blockchain even in the commercial context if there is no further clarification during the 2019 California legislative session.

The observatory’s report, however, serves as a reminder that the GDPR deals with personally identifiable information belonging to natural persons and not information that is shared with other business forms provided to businesses. That is an important distinction but not entirely dispositive. In the world of commercial insurance, there are sole proprietors who must have not only liability coverage but also workers’ compensation insurance. These are “natural persons” who under GDPR and currently under the CCPA could ask their personal data to be removed from a database. This is not consistent with the blockchain’s promise of immutable records. (See: Civil Code Sec. 1798.105)

Earlier this year, industry giants Marsh and IBM, working with Acord, teamed up to develop a commercial blockchain for proof of insurance. Acord is the Association for Cooperative Operations Research and Development, an industry-supported organization that, among many other functions, makes many of the forms used in the property and casualty insurance industry for the transaction of insurance (applications, certificates, etc.). The pilot participant for this is ISN, a global contractor and supplier information management business. Per Marsh’s announcement earlier this year, “A distributed ledger technology, blockchain is ideally suited to large networks of partners. It establishes a shared, immutable record of all the transactions that take place within a network and then enables permissioned parties access to trusted data in real-time.”

IBM and Marsh also recently announced that they are working on making the proof of coverage blockchain accessible to Marsh clients through Salesforce.

Recently, The Institutes, best known for its professional designation programs in the insurance industry, has launched its RiskBlock Alliance. Per its Sept. 23, 2018 announcement, “…a blockchain consortium representing 31 risk management and insurance companies, has launched Canopy, the industry’s first end-to-end reusable blockchain framework, using the Corda blockchain platform.” One of the use cases currently being developed for Canopy is proof of insurance.

In remarks on the National Association of Insurance Commissioners (NAIC) Innovation and Technology (EX) Task Force Oct. 15, 2018, conference call, Christopher McDaniel, president of RiskBlock Alliance, said, in response to an inquiry from Oregon Division of Financial Regulation Deputy Administrator TK Keen: “…if regulators have their own node on the blockchain, they could push a button and create a report, as long as the appropriate agreements were in place to share the information.” [NAIC Innovation and Technology (EX) Task Force conference call Oct. 15, 2018, draft minutes dated Oct. 26, 2018]

In a July 12, 2018, blog titled “Ultimate Guide to Blockchain in Insurance” from management consulting firm Accenture, it was noted that blockchain would facilitate “using shared loss histories to obtain data-driven insights on prospective customers for more sophisticated pricing.” I suspect that state insurance regulators would have a keen interest in how that would be accomplished. Workers’ compensation rating organizations such as the National Council on Compensation Insurance, Inc. (NCCI) or the Workers’ Compensation Insurance Rating Bureau of California (WCIRB), operating under license from state insurance regulators and serving as a critical part of the active regulation of insurance required under the McCarran-Ferguson Act, would most likely have a few questions as well.

In other words, while there has been much discussion about the promise of blockchain, that discussion needs to be fully integrated into the discussion of how all that data are going to be secured, shared, and stored within the context of existing and anticipated regulatory compliance requirements. This goes beyond insurance regulation and, as is the case with the EU, directly implicates the emerging and complex privacy environment as evidenced by the CCPA.

Take, for example, the issue of proof of coverage and the issuance of certificates of coverage within the workers’ compensation environment. These are two separate issues that require separate solutions. States maintain coverage verification portals for any person to verify workers’ compensation coverage. These are managed by rating organizations pursuant to statutory mandate and generally by self-insurance regulatory authorities. In some instances, such as with California’s Contractors State Licensing Board (CSLB), there are separate coverage disclosure requirements that are also accessible by the general public. This is not a testament to the accuracy of these systems, but rather only to their accessibility.

For blockchain to be effective in the workers’ compensation environment, therefore, it needs to have some degree of integration with public databases. That isn’t as easy as it may seem. For example, Labor Code Sec. 3715 states, “The nonexistence of a record of the employer’s insurance with the Workers’ Compensation Insurance Rating Bureau shall constitute in itself sufficient evidence for a prima facie case that the employer failed to secure the payment of compensation.” Does this mean that rating organizations should have a node on the proof of coverage blockchain, as should the Division of Labor Standards Enforcement (DLSE) and the Department of Insurance (CDI)?

If that is the case, then what does that mean for purposes of public records laws and whether the blocks in the blockchain are public records? In other words, if the blockchain is to serve a public purpose then it must take into account access issues that may not be present when the ledger is entirely for private transactions.

See also: How Insurance and Blockchain Fit  

A certificate of insurance is issued, arguably, by either an agent or broker or an insurance company. For most transactions, this is currently done through a writable .pdf document or done manually. This process is an open invitation for fraud. The work Acord is doing with Marsh and The Institutes underscores a technology solution may help make the certification of insurance coverage – both as to existence and to limits (for liability lines of insurance) more reliable and transparent. This is not an inconsequential matter, especially in California and considering the particular issue of whether some staffing companies are very much part of the problem.

The latter issue regarding staffing firms is a critical one for California. Given the Golden State’s broad regulation of employment relationships, it is at best vexatiously ironic that when it comes to staffing agencies, with some very limited exceptions, there is virtually no regulatory framework to verify the legitimacy of staffing firms and the way they do business. This is a problem – and a problem that needs to be resolved before applying a technology solution to the issue of bogus certificates of insurance.

And that finally leads us back to what the observatory noted in its thematic report: “… start with the big picture: how is user value created, how is data used and do you really need blockchain?”

How SMBs Drive Innovation in Cyber

Large organizations have long understood the intrinsic value of customer data. Using it to formulate and execute on key business decisions, enterprises can better meet customer demand, anticipate a buyer’s propensity to purchase and stay ahead of savvy competitors. Because of the substantial amounts of resources required to successfully leverage customer data, and considering its highly confidential nature, large companies have also traditionally led the pack in implementing cyber insurance to protect this crucial business asset.

Despite having fewer human and monetary resources, small and medium-sized businesses (SMBs) have started joining in on the data-driven movement, leveraging their existing customer data to deliver superior customer experiences and, in some cases, successfully compete with large organizations. Protecting that invaluable intelligence, however, has historically been overlooked. Many SMBs assume they aren’t as much of a target as large companies are, or they simply aren’t aware that cybersecurity tools are available to them. Plus, complex buying processes and exorbitant pricing often prohibit even the most knowledgeable SMBs from adequately protecting their assets.

New and Improved SMB Habits

Thankfully, times are changing. As SMBs continue to take advantage of the business benefits that leveraging customer data can provide, they’ve caught on to the merits of defending their customer data with cybersecurity measures such as cyber insurance. In fact, it’s fair to say SMBs will drive the next wave of cyber insurance adoption.

See also: Cyber: Black Hole or Huge Opportunity?  

According to recent research conducted by my company, demand for cyber insurance has skyrocketed among the SMB market as of late, with the highest quarterly growth being 150% and averaging approximately 69% per quarter. In Q2 of 2018 alone, 30% of our commercial insurance shoppers purchased cyber coverage, up from 12% a year ago. First-time cyber insurance shoppers are also on the rise among SMBs, having experienced a quarterly growth of 34% over the last year.

Key Factors Contributing to Cyber Insurance Growth

There are a variety of reasons for SMBs’ increasing enthusiasm for cyber insurance, such as a rise in SMB-targeted cyberattacks and widespread, difficult-to-detect network vulnerabilities. However, after analyzing our digital proprietary data collected from Q1 2017 to Q3 2018, we found the following three factors equally critical in driving SMB cyber insurance adoption:

1. Compliance Requirements

Compliance requirements such as HIPAA, PCI and DCI have contributed significantly to the growth of the SMB cyber insurance marketplace. Recent data privacy regulation rulings such as GDPR and the California Consumer Privacy Act may also be pushing adoption, as the percentage of our shoppers who stated compliance requirements as a motivating factor increased 39% quarter-over-quarter.

2. Contractual Components

In the past, mandating cyber insurance for SMBs was difficult, due to the lack of affordability and accessibility. Today, digital-first insurance providers have drastically reduced distribution costs, allowing organizations to enforce cyber insurance as an essential component of third-party vendor contracts. According to our data, nearly half (46%) of SMBs buying cyber insurance are purchasing due to contractual requirements.

3. Affordable Policies

The price of SMB cyber insurance has declined substantially over the past year, primarily due to carriers’ ability to provide tailored policies designed to meet SMB-specific needs. In April 2017, our data shows the average monthly premium cost for a $1 million cyber insurance policy was $270. By June 2018, however, the average monthly premium cost for a $1 million cyber insurance policy dropped to just $77.

The Future of Cyber Insurance Adoption

Compounding factors will continue to drive the SMB cyber insurance market. From a business perspective, state and federal regulations will likely make cyber insurance a mainstream business priority, and enterprise-level contractual requirements will make cyber insurance a must-have for third-party vendors. On the consumer side, customers will continue to take an increasingly active role in their personal cybersecurity, demanding SMBs effectively secure their personal data through security solutions, including cyber insurance.

See also: How to Create Resilient Cybersecurity Model  

Though our data is still maturing, the steady increase in SMB shopper awareness and overall market readiness indicate that 2018 serves as an inflection point for the mainstream adoption of cyber insurance. Furthermore, with the SMB population in the U.S. expected to exceed 34 million by 2025, cyber insurance will be an essential factor in securing our collective digital world, and we can expect any business with assets to secure, and long-term viability to protect, to make cyber insurance a critical element of their comprehensive cybersecurity plan.

Future of Insurance to Address Cyber Perils

Standalone cyber insurance can successfully address a subset of privacy and security costs related to personally identifiable information, personal health information, payment card industry losses and increasingly some business interruption. However, outside of four industries (retail, hospitality, healthcare and financial institutions) generally no single insurance policy adequately covers cyber perils that result in funds transfers/crypto losses, bodily injury or tangible property damage-type losses. Organizations of all sizes, geographies and industries increasing rely on data analytics and technology, such as cloud computing, Internet of Things and artificial intelligence. These advancements add new and unique cyber exposures. Modeling of worst-case cyber scenarios compared with a review of the scope and exclusions of the base forms of multiple lines of insurance reveals potential material gaps in cyber coverage.

The number of cyber incidents with losses greater than $1 million (through early September 2018)

Recognize Financial Statement Impact

According to the Risk and Insurance Management Society, organizations’ total cost of risk declined for the fourth year in a row in 2017, but cyber costs moved in the opposite direction, rising 33%. Most boards of directors and management now include cyber perils and solutions in corporate governance discussions as they learn more regarding the potential financial statement impact of high-profile cyber incidents. Yet, organizations only insure a relatively small portion of their intangible assets compared with insurance coverage for legacy tangible assets.

Prudent organizations will spend the appropriate amount of time and resources on the risk management areas that are likely to have the greatest return on investment. For example, a disproportionate amount of attention is focused on cryptocurrency exposures, which affects a relatively small proportion of the corporate insurance buying population and related monetary losses. These are generally excluded from standalone cyber insurance policies.

See also: The New Cyber Insurance Paradigm  

Almost every large organization and most middle-size organizations will have some reliance on distributed ledger technology within the next few years – either directly or via one of their third-party suppliers, distributors, vendors, partners or customers. It is important for organizations to educate and prepare themselves:

1. Understand the intended scope of standalone cyber and professional liability insurance policies

Typical standalone cyber insurance policies specifically exclude funds transfers, crypto transfers and other cash and securities monetary losses. Crime policies are intended to address fund losses under specified circumstances. Similarly, payment diversion fraud coverage for “spoofing,” “phishing” and other social engineering incidents is generally excluded under cyber policies but possibly covered under crime policies.

However, two federal appellate courts recently ruled that policyholders are entitled to crime insurance coverage for losses arising from social engineering schemes.

  • July 2018: Facebook investors filed two different securities lawsuits: (1) the first based on the Cambridge Analytica user data incident; and (2) the second following Facebook’s lower-than-expected quarterly earnings release due to lower growth rate caused in part by allegedly unanticipated expenses and difficulties in complying with the European Union General Data Protection Regulation (“GDPR”).
  • Aug. 8, 2018: Securities class action litigation against a publicly reporting media performance ratings company disclosed in its quarterly earnings release that GDPR-related changes affected the company’s growth rate, pressured the company’s partners and clients and disrupted the company’s advertising “ecosystem.”

Typical professional liability and cyber policies also specifically exclude shareholder derivative securities and similar fiduciary liability litigation. A well-crafted directors and officers insurance policy is recommended to provide certain defense and indemnity coverage for such claims.

Absent extensive policy wording customization, the typical cyber insurance policy specifically excludes all bodily injuries and tangible property damage – both first-party tangible property damage (the insured’s own property) and third-party tangible property damage (property owned by someone other than the insured).

2. Silent and affirmative cyber coverage under other lines of insurance

When cyber exposure losses first emerged, insurers had not priced cyber risks into their broadly worded legacy policies, such as property and general liability. However, absent specific cyber exclusions, such as the CL 380 Cyber Exclusion, it is possible that legacy property, general liability, environmental, product recall, marine and aviation could inadvertently cover unintended cyber perils, thus the so-called silent cyber insurance coverage.

After making the first unintended cyber claims payment, some insurers, but not yet all, either exclude or sub-limit cyber risk from new standard policies and renewals. Granting affirmative full cyber limits coverage for an additional premium in such legacy policies is rare and slow to develop. Silent cyber coverage remains. In fact, according to multiple large insurance companies, the 2017 total amount of cyber-related business interruption claims payments were greater under property insurance policies than under standalone cyber policies.

Furthermore, aggregated/correlated/systemic cyber exposures have the potential to cause damages that are multiples of any loss seen to date (i.e. 10,000 customers of a cloud provider or energy/power/utilities). Catastrophe modeling for aggregated/correlated/systemic cyber risk is in its infancy. Innovative approaches for assisting insurers concerned about aggregated, clash incidents – or two different policies covering the same cyber peril – and silent cyber exposures are starting to emerge.

See also: Cyber: Black Hole or Huge Opportunity?  

To achieve cyber resiliency, consider cyber as a peril rather than as a standalone insurance policy. Assess, test, improve, quantify, transfer and respond to the larger cyber risk management issues based on a cost-benefit analysis of resource allocation. Insurance is complementary to a robust cyber resiliency risk management approach. Each organization should identify and protect its critical intangible assets and balance sheet by aligning the cyber enterprise risk management strategy with corporate culture and risk tolerance.

All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy. If you have any questions about your specific coverage or are interested in obtaining coverage, please contact your Aon broker. For general questions about cyber insurance, contact: Stephanie Snyder at stephanie.snyder@aon.com.

Cyber: Black Hole or Huge Opportunity?

You own a house. It burns down. Your insurer only pays out 15% of the loss.

That’s a serious case of under-insurance. You’d wonder why you bothered with insurance in the first place. In reality, massive under-insurance is very rare for conventional property fire losses. But what about cyber insurance? In 2017, the total global economic loss from cyber attacks was $1.5 trillion, according to Cambridge University Centre for Risk Studies. But only 15% of that was insured.

I chaired a panel on cyber at the Insurtech Rising conference in September. Sarah Stephens from JLT and Eelco Ouwerkerk from Aon represented the brokers. Andrew Martin from Dyanrisk and Sidd Gavirneni from Zeguro, the two cyber startups. I asked them why we are seeing such a shortfall. Are companies not interested in buying or is the insurance market failing to deliver the necessary protection for cyber today? And is this an opportunity for insurtech start-ups to step in?

High demand, but not the highest priority

We’ll hit $4 billion in cyber insurance premium by the end of this year. Allianz has predicted $20 billion by 2025. And most industry commentators believe 30% to 40% annual growth will continue for the next few years.

A line of business growing at more than 30% per year, with combined ratios around 60%, at a time when insurers are struggling to find new sources of income is not to be sniffed at.

But the risks are getting bigger. My panelists had no problem in rattling off new threats to be concerned with as we look ahead to 2019. Crypto currency hacks, increasing use of cloud, ransomware, GDPR, greater connectivity through sensors, driverless cars, even blockchain itself could be vulnerable. Each technical innovation represents a new threat vector. Cyber insurance is growing, but so is the gap between the economic and insured loss.

The demand is there, but there are a lot of competing priorities. Today’s premiums represent less than 0.1% of the $4.8 trillion global property/casualty market. Let’s try to put that in context. If the ratio of premium between cyber and all other insurance was the same as the ratio of time spent thinking about cyber and other types of risk, how long would a risk manager allocate to cyber risk? Even someone thinking about insurance all day, every day for a full working year would spend less than seven minutes a month on cyber.

It’s not because we are unaware of the risks. Cyber is one of the few classes of insurance that can affect everyone. The NotPetya virus attack, launched in June 2017, caused $2.7 billion of insured loss by May 2018, according to PCS, and losses continues to rise. That makes it the sixth largest catastrophe loss in 2017, a year with major hurricanes and wildfires. Yet the NotPetya event is rarely mentioned as an insurance catastrophe and appears to have had no impact on availability of cover or terms. Rates are even reported to be declining significantly this year.

See also: How Insurtech Boosts Cyber Risk  

Large corporates are motivated buyers. They have an appetite for far greater coverage than limits that cap out at $500 million. Less than 40% of SMEs in the U.S. and U.K. had cyber insurance at the end of 2017, but that is far greater penetration than five years ago. The insurance market has an excess of capital to deploy. As the tools evolve, insurance limits will increase. Greater limits mean more premium, which in turn create more revenue to justify higher fees for licensing new cyber tools. Everyone wins.

Maybe.

Growing cyber insurance coverage is core to the strategy of many of the largest insurers.

Cyber risk has been available since at least 2004. Some of the major insurers have had an appetite for providing cyber cover for a decade or more. AIG is the largest writer, with more than 20% of the market. Chubb, Axis, XL Catlin and Lloyd’s insurer Beazley entered the market early and continue to increase their exposure to cyber insurance. Munich Re has declared that it wants to write 10% of the cyber insurance market by 2020 (when it estimates premium will be $8 billion to $10 billion). All of these companies are partnering with established experts in cyber risk, and start-ups, buying third party analytics and data. Some, such as Munich Re, also offer underwriting capacity to MGAs specializing in cyber.

The major brokers are building up their own skills, too. Aon acquired Stroz Friedberg in 2016. Both Guy Carpenter and JLT announced relationships earlier this year with cyber modeling company and Symantec spin off CyberCube. Not every major insurer is a cyber enthusiast. Swiss Re CEO Christian Mumenthaler declared that the company would stay underweight in its cyber coverage. But most insurers are realizing they need to be active in this market. According to Fitch, 75 insurers wrote more than $1 million each of annual cyber premiums last year.

But are the analytics keeping up?

Despite the existence of cyber analytic tools, part of the problem is that demand for insurance is constrained by the extent to which even the most credible tools can measure and manage the risk. Insurers are rightly cautious, and some skeptical, as to the extent to which data and analytics can be used to price cyber insurance. The inherent uncertainties of any model are compounded by a risk that is rapidly evolving, driven by motivated “threat actors” continually probing for weaknesses.

The biggest barrier to growth is the ability to confidently diversify cyber insurance exposures. Most insurers, and all reinsurers, can offer conventional insurance at scale because they expect losses to come from only a small part of their portfolio. Notwithstanding the occasional wildfire, fire risks tend to be spread out in time and geography, and losses are largely predicable year to year. Natural catastrophes such as hurricanes or floods can create unpredictable and large local concentrations of loss but are limited to well-known regions. Major losses can be offset with reinsurance.

Cyber crosses all boundaries. In today’s highly connected world, corporate and country boundaries offer few barriers to a determined and malicious assailant. The largest cyber writers understand the risk for potential contagion across their books. They are among the biggest supporters of the new tools and analytics that help understand and manage their cyber risk accumulation.

What about insurtech?

Insurer, investor or startup – everyone today is looking for the products that have the potential to achieve breakout growth. Established insurers want new solutions to new problems; investment funds are under pressure to deploy their capital. A handful of new companies are emerging, either to offer insurers cyber analytics or to sell cyber insurance themselves. Some want to do both. But is this sufficient?

The SME sector is becoming fertile ground for MGAs and brokers starting up or refocusing their offerings. But with such a huge, untapped market (85% of loss not insured), why aren’t cyber startups dominating the insurtech scene by now? The number of insurtech companies offering credible analytics for cyber seems disproportionately small relative to the opportunity and growth potential. Do we really need another startup offering insurance for flight cancellation, bicycle insurance or mobile phone damage?

While the opportunity for insurtech startups is clear, this is a tough area to succeed in. Building an industrial-strength cyber model is hard. Convincing an insurer to make multimillion-dollar bets on the basis of what the model says is even more difficult. Not everyone is going to be a winner. Some of the companies emerging in this space are already struggling to make sustainable commercial progress. Cyber risk modeler Cyence roared out from stealth mode fueled by $40 million of VC funding in September 2016 and was acquired by Guidewire a year later for $265 million. Today, the company appears to be struggling to deliver on its early promises, with rumors of clients returning the product and changes in key personnel.

The silent threat

The market for cyber is not just growing vertically. There is the potential for major horizontal growth, too. Cyber risks affect the mainstream insurance markets, and this gives another source of threat, but also opportunity.

Most of the focus on cyber insurance has been on the affirmative cover – situations where cyber is explicitly written, often as a result of being excluded from conventional contracts. Losses can also come from ” silent cyber,” the damage to physical assets triggered by an attack that would be covered under a conventional policy where cyber exclusions are not explicit. Silent cyber losses could be massive. In 2015, the Cambridge Risk Centre worked with Lloyd’s to model a power shutdown of the U.S. Northeast caused by an attack on power generators. The center estimated a minimum of $243 billion economic loss and $24 billion in insured loss.

In the current market conditions, cyber can be difficult to exclude from more traditional coverage such as property fire policies, or may just be overlooked. So far, there have been only a handful of small reported losses attributed to silent cyber. But now regulators are starting to ask companies to account for how they manage their silent cyber exposures. It’s on the future list of product features for some of the existing models. Helping companies address regulatory demands is an area worth exploring for startups in any industry.

See also: Breaking Down Silos on Cyber Risk  

Ultimately, we don’t yet care enough

We all know cyber risk exists. Intuitively, we understand an attack on our technology could be bad for us. Yet, despite the level of reported losses, few of us have personally, or professionally, experienced a disabling attack. The well-publicized attacks on large, familiar corporations, including, most recently, British Airways, have mostly affected only single companies. Data breach has been by far the most common type of loss. No one company has yet been completely locked out of its computer systems. WannaCry and NotPetya were unusual in targeting multiple organizations, with far more aggressive attacks that disabled systems, but on a very localized basis.

So, most of us underestimate both the risk (how likely), and the severity (how bad) of a cyber attack in our own lives. We are not as diligent as we should be in managing our passwords or implementing basic cyber hygiene. We, too, spend less than seven minutes a month thinking about our cyber risk.

This lack of deep fear about the cyber threat (some may call it complacency) goes further than increasing our own vulnerabilities. It also the reason we have more startups offering new ways to underwrite bicycles than we do companies with credible analytics for cyber.

Rationally, we know the risk exists and could be debilitating. Emotionally, our lack of personal experience means that cyber remains “interesting” but not “compelling” either as an investment or startup choice.

Getting involved

So, let’s not beat up the incumbents again. Insurance has a slow pulse rate. Change is geared around an annual cycle of renewals. It evolves, but slowly. Insurers want to write more cyber risk, but not blindly. The growth of the market relies on the tools to measure and manage the risk. The emergence of a new breed of technology companies, such as CyberCube, that combine deep domain knowledge in cyber analytics with an understanding of insurance and catastrophe modeling, is setting the standard for new entrants.

Managing cyber risk will become an increasingly important part of our lives. It’s not easy, and there are few shortcuts, but there are still plenty of opportunities to get involved helping to manage, measure and insure the risk. When (not if) a true cyber mega-catastrophe does happen, attitudes will change rapidly. Those already in the market, whether as investors, startups or forward thinking insurers, will be best-positioned to meet the urgent need for increased risk mitigation and insurance.