A convergence between the cyber insurance and tech security sectors is fast gaining momentum.
If this trend accelerates, it could help commercial cyber liability policies create a fresh wellspring of insurance premiums, just as life insurance caught on in the 1800s and auto policies took off in the 1900s.
The drivers of change are substantive. As companies scramble to mitigate risks posed by steadily worsening cyber threats, insurers and underwriters are hustling to meet overheated demand for cyber liability coverage. The cyber insurance market expanded by roughly 60% from 2014 to 2015, topping about $3 billion last year. ABI Research sees no slowing of that breakneck growth rate and estimates the global cyber insurance market will top $10 billion by 2020.
However, for that projection to be realized, the insurance sector must somehow attain the capacity to build reliable actuarial tables that are fundamental to any type of insurance sales. Trouble is, gauging a company’s security posture has turned out to be a much more complex endeavor than anything the insurance industry has mastered before — such as assessing human life expectancy or calculating how much risk to assign a particular driver.
There is endless network traffic data, to be sure. But, at present, there is no efficient means to bring it to bear. And to complicate things, companies fear bad publicity and often vigorously resist sharing the type of valuable attack intelligence needed to calculate risk profiles.
“It’s the wild, wild West,” says Mike Patterson, vice president of strategy at Rook Security. “Everyone is jumping in the market chasing premiums, and they are doing it without a full understanding of the risk involvement, from an underwriting perspective.”
Enter the burgeoning tech security sector. Security vendors supply some $75 billion of security hardware, software and services annually. And with cyber threats continuing to intensify, tech security is on track to continue growing at an estimated 5% to 12% annual rate over the next few years.
As security vendors develop and deliver more sophisticated prevention and detection technologies, they are amassing larger, richer data sets about the resiliency of company networks. To some it already seems obvious: the convergence of insurance and security is accelerating, and it is inevitable.
“Underwriters are really trying to figure out how to quantify the risks of the policies they’re underwriting,” says Craig Hinkley, CEO of web application security vendor WhiteHat Security. “We’ve been researching our customers’ websites and web applications for 15 years, so we’re actually swimming in actuarial data right now.”
Models to watch
The questions of the moment: Who will be the early adopters, and which collaborations will emerge as enduring models? ThirdCertainty interviewed a handful of tech security vendors at the giant RSA cybersecurity conference in San Francisco in March that are testing the waters. Here is a rundown on three of them:
WhiteHat Security recently struck a partnership with Franchise Perils, an insurer of online retail websites. Franchise Perils will contribute toward the purchase of WhiteHat’s flagship service, Sentinel, for any online retailer purchasing a cyber policy. This amounts to a steep discount, enticing clients to use WhiteHat’s cutting-edge technology.
WhiteHat’s services include helping corporate clients test their digital defenses with a small army of ethical hackers who “attack” the company and expose weaknesses. If a company quickly fixes its vulnerabilities, WhiteHat gives it a higher score in its WhiteHat Security Index, which ranges from 0 to 800, much like a consumer credit rating.
“That translates into a safer, more secure website and web application, which reduces the probability of you being hacked,” Hinkley says. “And that’s exactly what underwriters need to know for cyber insurance policies.”
For businesses that fix their vulnerabilities, WhiteHat guarantees they will not get hacked. If such a company does get hacked, WhiteHat will pay as much as $500,000 in remediation costs for the data breach.
FourV, a start-up, has just introduced a threat intelligence monitoring and security posture scoring system aimed, for the moment, mainly at large enterprises in financial services, healthcare and government.
FourV’s goal is to enable a large retailer or bank to monitor the status of its network security day-to-day, or even hour-to-hour, much as a business routinely tracks daily sales, says Casey Corcoran, vice president of strategy at FourV.
“You could tell by noon whether the pattern that you’re seeing in your risk is shaping up properly for that day of the week,” says Corcoran, a former tech executive at Jos A. Bank Clothiers. “If it’s not, you can fix it.”
FourV CEO Derek Gabbard foresees a day in the not-too-distant future when a senior executive will wake up in the morning, glance at her Apple Watch and use a FourV app to check the company’s security risk index.
The idea is to create “risk discussions that are nontechnical, easy-to-understand and jargon-less for the leadership team,” Gabbard says, “so that they have confidence in the work that the chief information security officer and his teams are doing.”
Once FourV gets some traction and amasses large enough data sets, it expects to be able to see — and eventually to be able to predict — risk patterns in vertical industries. Such analysis should be very useful in building actuarial tables, Gabbard told ThirdCertainty. The company already has begun brainstorming how it might go about selling that data directly to the insurance industry, perhaps even by developing a dashboard customized for underwriters.
Rook Security supplies managed security services and conducts forensic investigations of network breaches. Rook investigators respond like a cyber SWAT team to all types of cyber threats, whether a minor data breach that is easily contained or a severe attack that requires teams of investigators to fly around the globe.
Communication surrounding cyber attacks can be messy and full of mistakes that worsen the damage, according to J.J. Thompson, Rook’s CEO. So Rook’s new War Room app provides a digital command center where tech and security teams can monitor attacks and respond swiftly.
Whether Rook arrives before or after a breach, it quickly gets an inside look at the state of network security. Mike Patterson, Rook’s vice president of strategy, told ThirdCertainty that the readiness of companies varies widely. Some companies boast strong security staffs, resources and planning, while others only have one or two full-time security people — or none at all.
“Not everyone is as prepared as they should be,” Patterson says. “But that’s changing, with much more awareness now on the importance of security and taking care of your data.”
Rook is seeking to be the default option, brought in by the insurer, for post-breach incident response and forensics. It is also looking to offer a service in which a company retains Rook to come in and improve its security posture so the client qualifies for cyber coverage or gets better pricing.
“It’s a really good opportunity to go shopping for cyber insurance because you’re going to get great rates, and everyone is going to be a little bit slack on the writing terms because they want that business,” Patterson says.
ThirdCertainty’s Edward Iwata contributed to this story.