Over the past few years, the compound annual growth rate of the cyber risk insurance market has been 25-50%. According to the Betterley Report of 2015, annual insurance premiums total almost 2.75 billion US dollars. An entire ecosystem of insurers, brokers, analysts / consultants, and collectors of insurance market information is growing, and everyone is trying to get the most out of the current favorable environment. While large insurance corporations are trying to solve the problems of cyber-risk insurance, newcomers to the market are trying to disrupt this whole ecosystem. And the battle has just begun.
Lots of opportunities: risk measurement and analysis tools
Managing company risk is the most important task of top managers. First among the risks is the threat of the business being destroyed. A business can be undermined by natural disasters and political turmoil, threats that are better understood than cyber risks. According to the Allianz 2016 risk barometer, cyber risks are the most likely causes of problems in the long run.
The most likely risks in the long term (10 years or more)
- Cyber attacks: 33%
- Interruption of activities (including due to supply failure): 11%
- Terrorism: 9%
Cyber attacks are the most serious threat to business in the long run. The impact of new and digital technologies is also among the top ten risks identified. (Source: Allianz Global Corporate & Specialty. Figures are the percentage of responses from 824 respondents; each respondent named the three most serious threats. Source 2: the study of the most serious long-term risks conducted by Allianz in 2016, in which 800 risk management specialists from 40 countries participated.)
With the growing number of aggressor states and rogue states, corporate risk managers have to change their attitude towards risk. Risk insurance is usually the first step. When there are many eager buyers, many equally eager suppliers appear.
According to AIG, insurers received $1.6 billion in insurance premiums for 2015. According to Allianz, this amount will reach 20 billion by 2025. On average, 24% of US enterprises need cyber-protection (Source: Council of Insurance Agents and Brokers, 75 brokers, September 2015).
Only about 40% of Fortune 500 companies have insured themselves against cyber risks, and even they have not acquired a full protection package against all possible threats. There are more than 18,000 medium-sized companies with total revenues of US $250 million, engaged in professional services, retail sales and various industries, that require cyber-risk insurance.
It is obvious that market demand is driving the rapid growth of the insurance market, even if new players do not have sufficient experience. Informal conversations at cyber-defense offices come down to statements like: “No one understands this, but this is a billion-dollar market” and “this is the best thing that has been invented since the invention of fire.”
Corporate clients are ready to buy insurance, but they do not quite understand what risks they are protected from. According to a survey of insurance payments conducted by NetDiligence in 2015, 48% of respondents admitted that they are poorly versed in cyber risks, and therefore they cannot adequately protect against them.
And 46% of companies do not have data on the price of such risks at all. The main questions that corporations are looking for answers to are: (a) What exactly is at risk - the sustainability of the business? Will we get a DDoS attack? Or are we threatened with the theft of intellectual property? Do we keep customers' financial, medical, personal information? (b) What is the likelihood of the realization of such threats? and (c) What are the possible losses?
As is the case with most developing areas, some systematization and a risk assessment scheme are urgently needed. The scheme developed by the US National Institute of Standards and Technology (NIST) is just a starting point; much more needs to be done. Within the framework of such a scheme, it is possible to optimize various tools, technologies and practices for assessing cyber risks. Among the first innovations should be a proposed risk assessment matrix and an attempt to become the equivalent of FICO, the company that developed the credit rating for potential borrowers in the US. Among the startups that have taken up the development of a risk matrix are Security Scorecard, BitSight and Cyence. Companies that specialize in risk management and regulatory compliance have entered the market and offer risk management tools. The gold rush begins.
Opportunity: insurance trading engine
Despite the huge demand, insurers have to maneuver to frame their offering competently and to determine how much to charge for it. In such a young market, it is difficult to predict the loss rate and product profitability, not to mention determining the amount needed to protect against future cyber catastrophes. Based on the table of insurance payments for the last hundred years, you can determine the size of insurance premiums and predict earthquakes and floods. But where do companies like AIG and Allianz get such analytics for cyber risks? Almost nowhere.
Symantec has entered the market and seeks to become a major player. According to Roxana Divol (CEO / First Vice President, Head of Web Security, and Curator of Cyber Risk Insurance at Symantec), they detect 800,000 information security events every second. The company employs statisticians who collect data both for past periods and in real time, so as to create new products that meet the specific needs of consumers.
It is very difficult to predict in what form, on what scale, and when a cyber threat will appear. How will these threats affect insurance payments, and how will these risks evolve? Often we don't even know what is happening: take, for example, the incidents for 2016. “Other mistakes” and “Other incidents” make up almost 30% of all incidents.

How do insurance companies assess their “maximum probable damage” from cyber risks at the macro level? And when several parties are affected, how is first-party and third-party responsibility determined? If I forward a malicious file to another party without realizing the threat, do I put myself at risk? The time period for filing a claim for damages may also matter to the insured. One expert complained that we know a fire has broken out when we see smoke. What about cyber attacks? We may not be aware that an attack is taking place for more than 300 days.
How, then, can a risk management specialist apply this logic when choosing the optimal amount of insurance protection and determining the insurance premium and the exclusions from coverage? Which insurance claims can be rejected? What will be the consequences of a nation-state-level attack (North Korea / Sony)? According to the cyber risk insurance study by the Hanover Research Center (November 2014), half of insurance companies do not have cyber risk specialists.

Even brokers have a hard time. After researching the cyber risk insurance market, the Council of Insurance Agents and Brokers concluded that 71% of brokers do not understand what exactly is being insured. So brokers act in the dark.
The Council also reports: “Much depends on the broker’s personal ability to assess the pitfalls and subtleties of insurance and competently provide information to different clients whose interests vary greatly. The main problems are the lack of standardized terminology and the difficulty of defining insurance exemptions.”
If we decide that commercial general liability (CGL) insurance or directors and officers (D&O) liability insurance is enough, we may be in for a nasty surprise. When DSW, which sells shoes, was subjected to a hacker attack, the insurance company AIG tried to reject the claim, attributing the loss to exclusions in the policy. However, after litigation, the court ordered the insurer to pay DSW the insured amount.
Simply put, in the near future corporations will need simpler tools to answer the following questions: a) what does their insurance cover, how does it relate to business risks, and what are the exclusions; b) which insurers are the most experienced in this field; and c) how can the insurance premium be reduced? Over time, an online insurance market may appear.
Opportunity: The Importance of Tools and Technologies
Insurers do not attach much importance to the use of security tools and features. The Hanover Research Center data from November 2014 show an interesting trend: information about the company's risk management philosophy ranks first in importance, and the nature of the stored information ranks second.
When insuring cyber risks, what information ranks first in importance? (N = 73)
- The company's philosophy in risk management: 25%
- Nature of stored information / historical data: 23%
- Safety tests and audit information: 16%
- Network / firewall data protection updates: 15%
- Own / third-party IT services: 5%
- The volume of stored information / historical data: 4%
- Compliance and PCI Security Compliance: 4%
- Data encryption: 3%
- Other: 4%
The weight given to information on network data protection / firewall updates is ridiculous, and, unfortunately, very little weight is given to data encryption. This should change. As insurance companies pay more attention to the importance of various information security technologies, the criteria for cyber risk insurance may change. Silicon Valley should understand that technology does not solve all problems. People, practices and policies matter.
It may take a long time until we understand how utopian the dream is of security systems that work invisibly and magically protect us from all misfortunes, regardless of our miscalculations, weaknesses and peculiarities. When this happens, we will not need cyber risk insurance. In the meantime, the 19-year-old child prodigy is going to disrupt the $20 billion market.