Yaffa Cohen-Ifrah explores how cyber insurance challenges can be overcome
As rapid digitisation and data collection come to define the modern economy, the issue of cybersecurity has come to the fore, with a new breed of innovative software companies marketing their security solutions to enterprises, small and medium businesses and ordinary citizens keen on protecting their assets.
However, the cybersecurity industry took root in a very different world to the one we live in now. The magnitude of our cyber vulnerabilities has soared in tandem with the sheer volume of data and assets that now exist in cyberspace. This has given rise to an entirely new market - one designed to better gauge risks and utilise cyber best practices.
Despite the preparation, organisations must be ready for doomsday scenarios. By next year, the global cyber insurance market will reach up to $9bn, compared to less than $4bn in 2017, according to projections from Munich Re. The market's exponential growth underscores the surging demand for solutions that not only help spur stronger cyber protection, but also minimise the impact of attacks. The market's maturation, and strengthening of clients' cyber readiness, will require insurers to address early challenges that make modelling risk more difficult than in other insurance verticals. Fortunately, these challenges are far from insurmountable.
Growth of cyber insurance
The 2013 Target data breach offers a case study on how cyber insurance can significantly limit the damage done to a business's bottom line. While the retail giant reported $61m in costs stemming from the breach, the company's insurance policy covered $44m of those losses - a loss reduction of 72%. The hefty payout highlighted the benefits of cyber coverage for clients. However, as more businesses purchase coverage, how can insurers formulate cyber policies that reflect the unique risks and vulnerabilities faced by each potential client?
A look at the trajectory of cyber insurance premiums shows the volatility of risk pricing. Cyber premiums are increasing three times faster than general property and casualty insurance premiums. On the one hand, this is hardly surprising given the mounting vulnerabilities of the digital age. There's another major factor driving high premiums, though: insufficient and inadequate data.
The relative dearth of historical data, and the difficulty of assessing clients' true cyber vulnerability - in part because organisations aren't always legally obligated to disclose cyber incidents if they don't affect consumers - can make pricing cyber risk feel like guesswork. But it doesn't have to be.
Insurers should start by leveraging accumulated data, which can provide illuminating insights into the scope and variety of threats. In 2017, Symantec revealed that there were a staggering 357m malware variants based on an examination of 225m devices across 157 countries. Using such accumulated data, insurers can better understand cyber risk and then model the impacts of different attack scenarios.
Additionally, rather than relying on clients to self-report information via lengthy questionnaires, insurers can gain better visibility into organisations' risk exposure by working alongside clients to conduct comprehensive inventories of their networks and digital assets - recommending products and processes for mitigating risk, and developing action plans to guide the client's response in the event of a breach. What holds true of cybersecurity generally also applies to cyber insurance: true protection for insurers is only possible with maximum visibility and continuous monitoring of threats.
Amid digital transformation and breakneck innovation, today's companies are looking for one thing above all when it comes to cybersecurity: assurance that their IT infrastructures are well-fortified and that their organisations have plans in place to contain the fallout, should bad actors strike. While each organisation must remain vigilant in the face of cyber threats, cyber insurers can bring unparalleled technical expertise and risk analysis to bear, ensuring that clients aren't flying blind in the often-stormy skies of cyberspace.
Ultimately, the cyber insurance market's legitimacy will be established by concrete results - not only in terms of attacks prevented, but also in payouts that reduce businesses' net losses following a breach. Crucially, because cyber insurers have a vested interest in keeping cyber incidents to a minimum, they will be key drivers of organisational change and improved cyber practices. Harmonising financial incentives with clients' security will be a true win-win.
Yaffa Cohen-Ifrah is CMO and head of corporate communications at Sapiens