Tag Archives: notpetya

Cyber: Black Hole or Huge Opportunity?

You own a house. It burns down. Your insurer only pays out 15% of the loss.

That’s a serious case of under-insurance. You’d wonder why you bothered with insurance in the first place. In reality, massive under-insurance is very rare for conventional property fire losses. But what about cyber insurance? In 2017, the total global economic loss from cyber attacks was $1.5 trillion, according to Cambridge University Centre for Risk Studies. But only 15% of that was insured.

I chaired a panel on cyber at the Insurtech Rising conference in September. Sarah Stephens from JLT and Eelco Ouwerkerk from Aon represented the brokers. Andrew Martin from Dyanrisk and Sidd Gavirneni from Zeguro, the two cyber startups. I asked them why we are seeing such a shortfall. Are companies not interested in buying or is the insurance market failing to deliver the necessary protection for cyber today? And is this an opportunity for insurtech start-ups to step in?

High demand, but not the highest priority

We’ll hit $4 billion in cyber insurance premium by the end of this year. Allianz has predicted $20 billion by 2025. And most industry commentators believe 30% to 40% annual growth will continue for the next few years.

A line of business growing at more than 30% per year, with combined ratios around 60%, at a time when insurers are struggling to find new sources of income is not to be sniffed at.

But the risks are getting bigger. My panelists had no problem in rattling off new threats to be concerned with as we look ahead to 2019. Crypto currency hacks, increasing use of cloud, ransomware, GDPR, greater connectivity through sensors, driverless cars, even blockchain itself could be vulnerable. Each technical innovation represents a new threat vector. Cyber insurance is growing, but so is the gap between the economic and insured loss.

The demand is there, but there are a lot of competing priorities. Today’s premiums represent less than 0.1% of the $4.8 trillion global property/casualty market. Let’s try to put that in context. If the ratio of premium between cyber and all other insurance was the same as the ratio of time spent thinking about cyber and other types of risk, how long would a risk manager allocate to cyber risk? Even someone thinking about insurance all day, every day for a full working year would spend less than seven minutes a month on cyber.

It’s not because we are unaware of the risks. Cyber is one of the few classes of insurance that can affect everyone. The NotPetya virus attack, launched in June 2017, caused $2.7 billion of insured loss by May 2018, according to PCS, and losses continues to rise. That makes it the sixth largest catastrophe loss in 2017, a year with major hurricanes and wildfires. Yet the NotPetya event is rarely mentioned as an insurance catastrophe and appears to have had no impact on availability of cover or terms. Rates are even reported to be declining significantly this year.

See also: How Insurtech Boosts Cyber Risk  

Large corporates are motivated buyers. They have an appetite for far greater coverage than limits that cap out at $500 million. Less than 40% of SMEs in the U.S. and U.K. had cyber insurance at the end of 2017, but that is far greater penetration than five years ago. The insurance market has an excess of capital to deploy. As the tools evolve, insurance limits will increase. Greater limits mean more premium, which in turn create more revenue to justify higher fees for licensing new cyber tools. Everyone wins.

Maybe.

Growing cyber insurance coverage is core to the strategy of many of the largest insurers.

Cyber risk has been available since at least 2004. Some of the major insurers have had an appetite for providing cyber cover for a decade or more. AIG is the largest writer, with more than 20% of the market. Chubb, Axis, XL Catlin and Lloyd’s insurer Beazley entered the market early and continue to increase their exposure to cyber insurance. Munich Re has declared that it wants to write 10% of the cyber insurance market by 2020 (when it estimates premium will be $8 billion to $10 billion). All of these companies are partnering with established experts in cyber risk, and start-ups, buying third party analytics and data. Some, such as Munich Re, also offer underwriting capacity to MGAs specializing in cyber.

The major brokers are building up their own skills, too. Aon acquired Stroz Friedberg in 2016. Both Guy Carpenter and JLT announced relationships earlier this year with cyber modeling company and Symantec spin off CyberCube. Not every major insurer is a cyber enthusiast. Swiss Re CEO Christian Mumenthaler declared that the company would stay underweight in its cyber coverage. But most insurers are realizing they need to be active in this market. According to Fitch, 75 insurers wrote more than $1 million each of annual cyber premiums last year.

But are the analytics keeping up?

Despite the existence of cyber analytic tools, part of the problem is that demand for insurance is constrained by the extent to which even the most credible tools can measure and manage the risk. Insurers are rightly cautious, and some skeptical, as to the extent to which data and analytics can be used to price cyber insurance. The inherent uncertainties of any model are compounded by a risk that is rapidly evolving, driven by motivated “threat actors” continually probing for weaknesses.

The biggest barrier to growth is the ability to confidently diversify cyber insurance exposures. Most insurers, and all reinsurers, can offer conventional insurance at scale because they expect losses to come from only a small part of their portfolio. Notwithstanding the occasional wildfire, fire risks tend to be spread out in time and geography, and losses are largely predicable year to year. Natural catastrophes such as hurricanes or floods can create unpredictable and large local concentrations of loss but are limited to well-known regions. Major losses can be offset with reinsurance.

Cyber crosses all boundaries. In today’s highly connected world, corporate and country boundaries offer few barriers to a determined and malicious assailant. The largest cyber writers understand the risk for potential contagion across their books. They are among the biggest supporters of the new tools and analytics that help understand and manage their cyber risk accumulation.

What about insurtech?

Insurer, investor or startup – everyone today is looking for the products that have the potential to achieve breakout growth. Established insurers want new solutions to new problems; investment funds are under pressure to deploy their capital. A handful of new companies are emerging, either to offer insurers cyber analytics or to sell cyber insurance themselves. Some want to do both. But is this sufficient?

The SME sector is becoming fertile ground for MGAs and brokers starting up or refocusing their offerings. But with such a huge, untapped market (85% of loss not insured), why aren’t cyber startups dominating the insurtech scene by now? The number of insurtech companies offering credible analytics for cyber seems disproportionately small relative to the opportunity and growth potential. Do we really need another startup offering insurance for flight cancellation, bicycle insurance or mobile phone damage?

While the opportunity for insurtech startups is clear, this is a tough area to succeed in. Building an industrial-strength cyber model is hard. Convincing an insurer to make multimillion-dollar bets on the basis of what the model says is even more difficult. Not everyone is going to be a winner. Some of the companies emerging in this space are already struggling to make sustainable commercial progress. Cyber risk modeler Cyence roared out from stealth mode fueled by $40 million of VC funding in September 2016 and was acquired by Guidewire a year later for $265 million. Today, the company appears to be struggling to deliver on its early promises, with rumors of clients returning the product and changes in key personnel.

The silent threat

The market for cyber is not just growing vertically. There is the potential for major horizontal growth, too. Cyber risks affect the mainstream insurance markets, and this gives another source of threat, but also opportunity.

Most of the focus on cyber insurance has been on the affirmative cover – situations where cyber is explicitly written, often as a result of being excluded from conventional contracts. Losses can also come from ” silent cyber,” the damage to physical assets triggered by an attack that would be covered under a conventional policy where cyber exclusions are not explicit. Silent cyber losses could be massive. In 2015, the Cambridge Risk Centre worked with Lloyd’s to model a power shutdown of the U.S. Northeast caused by an attack on power generators. The center estimated a minimum of $243 billion economic loss and $24 billion in insured loss.

In the current market conditions, cyber can be difficult to exclude from more traditional coverage such as property fire policies, or may just be overlooked. So far, there have been only a handful of small reported losses attributed to silent cyber. But now regulators are starting to ask companies to account for how they manage their silent cyber exposures. It’s on the future list of product features for some of the existing models. Helping companies address regulatory demands is an area worth exploring for startups in any industry.

See also: Breaking Down Silos on Cyber Risk  

Ultimately, we don’t yet care enough

We all know cyber risk exists. Intuitively, we understand an attack on our technology could be bad for us. Yet, despite the level of reported losses, few of us have personally, or professionally, experienced a disabling attack. The well-publicized attacks on large, familiar corporations, including, most recently, British Airways, have mostly affected only single companies. Data breach has been by far the most common type of loss. No one company has yet been completely locked out of its computer systems. WannaCry and NotPetya were unusual in targeting multiple organizations, with far more aggressive attacks that disabled systems, but on a very localized basis.

So, most of us underestimate both the risk (how likely), and the severity (how bad) of a cyber attack in our own lives. We are not as diligent as we should be in managing our passwords or implementing basic cyber hygiene. We, too, spend less than seven minutes a month thinking about our cyber risk.

This lack of deep fear about the cyber threat (some may call it complacency) goes further than increasing our own vulnerabilities. It also the reason we have more startups offering new ways to underwrite bicycles than we do companies with credible analytics for cyber.

Rationally, we know the risk exists and could be debilitating. Emotionally, our lack of personal experience means that cyber remains “interesting” but not “compelling” either as an investment or startup choice.

Getting involved

So, let’s not beat up the incumbents again. Insurance has a slow pulse rate. Change is geared around an annual cycle of renewals. It evolves, but slowly. Insurers want to write more cyber risk, but not blindly. The growth of the market relies on the tools to measure and manage the risk. The emergence of a new breed of technology companies, such as CyberCube, that combine deep domain knowledge in cyber analytics with an understanding of insurance and catastrophe modeling, is setting the standard for new entrants.

Managing cyber risk will become an increasingly important part of our lives. It’s not easy, and there are few shortcuts, but there are still plenty of opportunities to get involved helping to manage, measure and insure the risk. When (not if) a true cyber mega-catastrophe does happen, attitudes will change rapidly. Those already in the market, whether as investors, startups or forward thinking insurers, will be best-positioned to meet the urgent need for increased risk mitigation and insurance.

Reinsurance: Dying… or in a Golden Age?

Much has been said about the challenges facing the reinsurance industry, to the point where the industry and a few of its major players have been characterized as being in a potentially terminal decline. However, to focus on recent results is to overlook fundamental changes in the nature of risk in the 21st century that could benefit the world’s major reinsurers, with opportunities unlike any seen before in the modern history of reinsurance.

A difficult financial backdrop for reinsurance in 2017

Financial results for major reinsurers in 2017 saw substantial contractions from prior years, driven by large catastrophe losses from hurricanes and California wildfires. These results have been followed by cost reduction in the reinsurance industry, which has elicited surprise in two conflicting ways. For some, the surprise was that the cost-reduction efforts could affect reinsurance, given that such exercises were more common for their cedent primary carrier clients. For others, the surprise was that it had taken so long for a focus on cost to come to the reinsurance market.

Concerns about the future financial performance of the reinsurance industry are held at the very highest levels of leadership among major reinsurers. In response to questions about the company’s 2017 performance, Swiss Re CEO Christian Mumenthaler commented on the state of the property catastrophe market that “we need to get used to a world where margins are much lower.” Given that property catastrophe profits have been one of the best-performing segments, not just in reinsurance,but in the entire insurance industry, according to McKinsey, this is an unwelcome development for the medium-term profitability of reinsurance firms.

Bearish commentators do not blame recent poor results on an unfortunate confluence of large-scale U.S. property losses, excess capital in the reinsurance industry or a temporary soft market. Rather, global advisory firm EY points to “clear signs that reinsurers face a long-term structural phenomenon rather than a short-term fluctuation of the insurance cycle.” EY goes on to warn in a report on the reinsurance industry that there is “compelling evidence that reinsurers are inexorably moving toward a ‘dead end’ with their legacy business models.”

The potential for reinsurance, with a longer-term lens

Such pronouncements about the potential for the reinsurance industry to perish are, however, overblown. Far from the rapidly changing risk environment undercutting the role of reinsurance, changes in the nature of risk have the potential to unlock a golden age of reinsurance where reinsurance institutions could play an even more important role in the future of the global economy than ever before. Two megatrends affecting society in the 21st century could bode very well for the reinsurance industry.

The shift from physical to non-physical assets on balance sheets

First, the emergence of non-physical assets fundamentally alters the nature of risk, which will require major changes in the P&C insurance industry.

According to Ocean Tomo, in 1975, more than 80% of the market capitalization of the S&P 500 was derived from physical assets and infrastructure. Property insurers, therefore, had a key role in insuring the most valuable assets of the business community. However, by 2015, property assets made up a relatively small share of the value of businesses, with 87% of that value being tied to intangible assets. For centuries, the P&C insurance industry was focused on the protection of property, but in the space of a generation the relative importance of physical property has declined precipitously. Risk to assets hasn’t gone away; there has just been a shift from physical to non-physical assets.

See also: The Dawn of Digital Reinsurance  

The shift toward digital risks as a driver of risk to a company’s income statement

Second, the emergence of digital risk is fundamentally changing the potential causes of loss for businesses. When you move beyond a balance sheet perspective, where physical property has declined in importance, and look at the income statements of contemporary businesses, you also see an increasing reliance on digital technologies with substantial potential for business interruption when these technologies are disrupted. These losses are already being witnessed today with the recent NotPetya attack illustrating that many major businesses can lose hundreds of millions of dollars from a single cyber event. It is, therefore, no surprise that cyber risk has skyrocketed in importance from the #15 item on the minds of risk managers in 2013 to the #2 item on the minds of risk managers in 2018, according to a report from Allianz.

What is remarkable is not just the meteoric rise in importance of cyber risk over the past five years but the fact that we are just scratching the surface of a megatrend that promises to have an even greater impact in the years to come. Changes in technology are fundamentally changing the nature of risk due to the digitization of the economy, the automation of entire industries and the explosion of Internet of the Things (IoT) devices. As the economy shifts from having 10 billion Internet of Things (IoT) devices to more than 200 billion IoT devices, sources of digital risk are set to skyrocket, along with the potential for cyber losses.

The foundation for any financial risk transfer product – where is the financial loss?

Estimating the financial impact of cyber risk is a difficult endeavor. A recent piece of research conducted by RAND, supported by the CyberCube unit of Symantec and the Hewlett Foundation, estimated that cybercrime today costs the global economy at least $275 billion to as much as several trillion dollars. When you layer on the emergence and deployment of new technologies, this number will only increase over time.

Not only will these losses due to cyber events rise, but cyber catastrophe modeling research undertaken by CyberCube suggests that there will be a shift from attritional day-to-day losses affecting individual to firms to more and more large-scale losses affecting multiple companies simultaneously from global aggregation events. Such events were once deemed somewhat theoretical, but the last 18 months have revealed a series of cyber aggregation events that have shown that cyber events have the potential to lead to simultaneous losses from many companies, and we are just at the beginning of a major technological change.

In many cases, the absolute level of risk for the global economy will decline. For example, with the emergence of new safety features in automated cars, the incidence of property and casualty losses from automobiles will decline.

However, new sources of catastrophic risk emerge as the potential arises for mass losses from the simultaneous failure of the technology affecting thousands of companies simultaneously. CyberCube has identified more than 1,000 technology “single points of failure” that could pose sources of aggregation risk to insurers, and this number will only grow as the years go by and new cloud-connected technologies are rolled out. To draw an analogy to the property insurance market, you can expect far fewer one-off damages from one-off fires burning down a single home and far more wildfires destroying entire towns.

Implications for reinsurers

So what are the implications for reinsurers?

1. The foundation for any financial risk transfer product – where is the financial loss?

Changes in the nature of company assets, technology and the emergence of connected digital risk are reducing absolute levels of risk to the society overall but concentrating the potential for financial losses in a smaller number of catastrophic events. This is precisely the type of risk and financial transfer that the reinsurance industry can provide.

2. Emerging cyber risk is so complex that the largest and most sophisticated reinsurers stand to gain the most from this shift in the risk landscape

Given that cyber risk is not geographically constrained, the ability of smaller and less sophisticated reinsurers to participate in a large number of geographically diversified natural catastrophe treaties is diminished. The nature of cyber risk is so complex and dynamic that only reinsurers with a critical mass of expertise in connected digital risk will be able to effectively understand, monitor and model cyber risk. There will be more differentiated insight in cyber risk than in natural catastrophe risk.

3. Investment from reinsurers is needed to understand cyber risk today, in advance of catastrophe events that could create tremendous financial opportunities for reinsurers in the future

It is a cliché to say that it is just a matter of “if not when” for cyber attacks on individual companies. What is becoming increasingly apparent is that the same can be said for catastrophic cyber aggregation events that cause material damage to many companies simultaneously. When this happens, insurance history suggests that demand for coverage will increase, capital will flee the market and prices will harden. The reinsurance market for cyber as a peril might be small today, but reinsurers that have taken the time to invest in their own capabilities ahead of these events, with informed capital to deploy when market demand spikes, will benefit tremendously.

See also: Mamas, Tell Your Kids to Sell Reinsurance  

Conclusion: Terminal decline or golden age?

The nature of risk is fundamentally changing, which means the nature of financial risk transfer also must change. 2017 may have been a bad year for the financial performance of the reinsurance industry, but this is a market where time horizons need to be considered over many decades and certainly not over the results from one financial year alone.

Far from the reinsurance industry being in a potentially terminal decline, changes in the nature of risk in the 21st century, stand to benefit the most sophisticated players in the reinsurance industry if they can take advantage of digital trends and understand new risk concentrations.

Reinsurers that invest in understanding the nature of cyber risk, and the sources of catastrophic losses, not only stand to benefit in outsized ways relative to other insurers, but they also stand to help society reap the tremendous rewards of new technology by mutualizing financial risk when technology inevitably goes wrong.

The reinsurance industry as a whole is neither in terminal decline nor at the beginning of a new golden age. It is the action of individual reinsurance companies, and their efforts to understand, quantify and model digital risk that forms the basis of whether they will thrive or falter in this emerging digital age.

Breaking Down Silos on Cyber Risk

The cyber attacks in the past year spread with startling frequency and intensity and demonstrated that cyber risk is not only a concern for organizations holding sensitive or regulated data, but also a material threat to businesses across all industries. The WannaCry and NotPetya attacks, for example, resulted in large-scale interruptions to global commerce, with companies reporting significant losses in sales caused by business disruption. Far-reaching regulations such as the EU’s General Data Protection Regulation (GDPR) open up businesses to large potential fines and consumer class action suits. The cost of cyber crime keeps rising, with data breaches predicted to cost businesses a total of $8 trillion over the next four years, exceeding worldwide IT security spending, which is expected to be upward of $120 billion by 2021. In this climate, executive teams must urgently stop thinking about cyber risk as an IT issue and lead a shift to managing its impact across the entire organization.

Companies’ cyber exposure has dramatically increased beyond the risks to their data and intellectual property (IP), exacerbated by the convergence of the physical and digital worlds. To drive efficiencies, organizations are bringing processes and infrastructure online, for example, through connected grid systems, supervisory control and data acquisition (SCADA) and industrial control systems (ICS). At the same time, the need to innovate and compete drives businesses to introduce an ever-increasing number of endpoints, significantly expanding the cyber attack surface – whether through a retail bank’s mobile app, a manufacturer of connected cars or even office equipment like printers or employee devices. Every change in a company, be it an M&A transaction, working with a contractor, introducing new software or moving data to the cloud, affects a company’s cyber risk posture. Securing this shifting target requires a holistic view of how all the activities of all departments affect the company’s exposure.

See also: How to Manage Claims Across Silos

One of the core business challenges hampering executives’ ability to look at the impact of cyber risk beyond individual silos is that members of the C-suite are not collaborating effectively over this issue. Every executive has a different lens on how to view, assess and manage cyber risk: The general counsel, for example, will be focused on compliance with information security regulations and disclosure requirements; the chief information security officer (CISO) and chief information officer (CIO) implement technical controls and remediation efforts; the chief risk officer (CRO) and chief financial officer (CFO) will be quantifying the financial exposure to cyber risk and mitigating it through insurance; product developers may view security as a roadblock to meeting product launch deadlines; and human resources (HR) will institute internal training for employees. Multiple parallel work streams like these exist in silos, rarely with any common framework for taking an integrated view.

The fragmented cybersecurity market reinforces these challenges, as organizations work with multiple providers for different elements of their security needs. For example, a company may contract with an incident response provider for post-breach services, separate external experts on assessments or penetration testing exercises and a separate insurance broker to assess the implications of cyber risk from a balance sheet perspective. Multiple providers such as these are working with different internal stakeholders, who aren’t effectively communicating with each other, exacerbating the ineffectiveness of the approach.

As companies wake up to the impact that cyber risk can have on their business, C-suites in mature companies will break down organizational silos to create a holistic view of their risk exposure. CROs and CISOs will work collaboratively with others across the C-suite, including IT, legal teams, HR and finance, to understand how technical vulnerability affects financial exposures and potential risk scenarios. This will happen in sectors beyond the early adopters in financial services, healthcare and retail. As an example, a shipping firm will assess how cyber risk affects physical operations and revenue-generating activities, such as tankers being remotely diverted by hacked GPS systems, or look at the potential benefits of smart contracts and blockchain technologies with regard to tracking goods and inventory and verifying manifests.

To support more coordination and informed decisions within organizations around their cyber risk management, they need a technology platform such as the one Aon Cyber Solutions is building to provide a single point of visibility into all aspects of an enterprise’s cyber risk profile, across all C-suite functions. The platform will enable companies to conduct cyber risk assessments, dynamically quantify risk across multiple dimensions, optimize efforts to remediate risk and reduce the organization’s overall risk posture. Executives can leverage quantitative information in real time to model security plans and budgets, as well as receive recommendations as the threat landscape evolves and requires new insurance options. Bringing together all the elements that affect cyber maturity across the organization through a centralized portal view enables anyone in the C-suite – whether it’s the chief executive looking for a high-level view, or the CFO or CRO prioritizing investment decisions, or the CISO examining the remediation activity – to have a more holistic understanding of how the activity within their function affects the company’s cyber exposure as a whole.

See also: How to Link Risk and Strategy  

The industry needs to collaborate to drive this holistic approach. For our part, Aon has teamed up with Apple, Cisco and Allianz. This combined solution helps protect a wider range of companies from cyber breaches associated with ransomware and other malware-related threats. Customers who deploy Apple devices and software and Cisco cybersecurity products, such as Cisco Ransomware Defense, and conduct Aon’s Cyber Resilience Evaluation, will be eligible to apply for more enhanced cyber insurance coverage than are available in existing cyber insurance products through Allianz. In addition, companies can take advantage of access to Cisco’s or Aon’s industry-leading incident response teams, should an incident occur.

Through these and other innovative solutions, Aon Cyber Solutions is focused on helping companies eliminate the silos that typically hamper effective cyber risk management. This is an urgently needed shift in thinking throughout a currently fragmented industry, so that clients can manage their evolving cyber risk exposure in a digital, connected and regulated world.

What if You Had a Cyber Risk Score?

There have been three major global cyberattacks in the last six months. These attacks have caused extensive system damage and monetary loss. Some companies affected remain crippled weeks or months after the attack. Will this rate of “one every other month” continue? Nobody knows, of course. But, as a recent Wall Street Journal op-ed suggests, ransomware will remain the dominant attack method of choice, and the problem “isn’t going anywhere.” The article claims that “cybercriminals launch hundreds of millions of attacks daily across the globe, and recent studies have found that as many as 60% involve ransomware.” Why? Because they are easy, and they work.

Without a robustly secured network, it is impossible for most entities to withstand a targeted or random cyberattack. So most companies, big or small, generally enlist the help of third-party vendors, which traffic a multitude of software products, modules or platforms to keep cybercriminals from exploiting vulnerabilities. But, because nothing is fail-safe, companies must still consider buying insurance to protect against the staggering potential of loss that a global cyberattack can cause.

See also: Why Buy Cyber and Privacy Liability. . .  

Cyber is no different from other risks that an organization could be exposed to (e.g., fire, burglary, flooding, power failure, strikes and liability issues). Businesses have to consider insurance against cyber-attacks and the relating financial consequences. This kind of insurance policy is known as Cyber Liability Insurance Coverage, or CLIC. With the estimated annual costs to the global economy from cybercrime estimated between $375 billion and $575 billion in 2014 alone and the average cost of a corporate data breach at more than $3 million per incident, it is understandable why cyber insurance is catching on.

Still, there seems to leave a lot of room for error, rounding or otherwise, in a market where U.S. insurers wrote approximately $1.3 billion in cyber coverage last year. This is expected to reach $14 billion by 2022. There is industry data that shows insurance premiums could range from $800 to $1,200 for SMEs/SMBs with revenues of $100,000 to $500,000 (on the low end) to more than $100,000 for SMEs/SMBs with revenues in the millions. Allianz SE, the largest insurer in the world, expects these premiums to skyrocket by 2025. Furthermore, the Insurance Information Institute estimates that the third-largest risk for companies worldwide is cybercrime, not in the least due to cyber attacks such as WannaCry and Petya/NotPetya.

As it stands right now, insurance companies have limited resources to address the growing number of CLIC applicants. There are the obvious factors that come into play when calculating an insurance premium: the nature of the business, the vulnerability (attractiveness for cyber crooks) of the data, the size of the company and the amount of revenues, etc. But pinpointing the exact risk is still evolving. Currently, insurers mostly rely on questionnaires or third-party onsite assessments to estimate the cybersecurity posture of applicants, which is time-consuming and expensive. Because this branch of insurance is not mature enough, there is a lack of specialized and qualified personnel that have the experience and expertise to perform cyber risk assessments. In many cases, the onsite assessments are conducted by junior staff members of the insurer and junior security consultants using non-standardized methods.

My guess is that insurance companies still don’t know exactly what they are insuring and what to charge, because there are still inefficiencies in the market. There are conflicting definitions of what exactly makes a system “secure” and what constitutes a threatening vulnerability that must be decided upon. Knowledge still has to be gained to determine how to manage risk. Most insurance companies are large enough to have a staff of security officers and to use third-party vendors to protect themselves from cyber vulnerabilities. But what to do about assessing insurance candidates?

The good news is that there is progress being made where advanced simulation can help assess the various attack vectors that are being used today. The value of such a CLIC assessment would derive from being able to put an aggregate “risk score” on an insurance candidate. The score would be based on known and acceptable risk calculating methods such as NIST, CVSS3 and DREAD. It would be provided to each applicant based on the results from a simulated assessment done on its network, testing all its security controls.

See also: How Data Breaches Affect More Than Cyberliability  

The value from such technology comes from insurers being able to know within a few hours if they should provide coverage to an applicant based on demonstrated risk, how much coverage to provide the applicant without putting the insurers at risk and how much in premiums to charge based on an accepted risk score provided after the assessment. Providing a uniform score for cyber insurance applicants reduces the exposure level for insurers, possibly saving millions of dollars and could even lead to revenue growth by raising premium prices to match the risk level.