Cyber insurance uptake is growing, but understanding the risk and impact of an attack requires data analytics on a rapidly changing threat landscape
Cyber-attacks can paralyse a business, forcing it to incur huge losses by taking away its ability to trade. Cyber insurance exists for this very reason, but as a fairly new line of cover developed to respond to a growing threat, there isn’t a whole lot of data to inform the underwriting of policies. As a result, a whole industry has grown out of the need to provide such data and analytics to help price coverage —and Peter Littlejohns takes a look at six companies doing just that.
As of the 2019 Regional Risks for Doing Business report, the World Economic Forum has branded cyber-attacks as the number one risk to companies doing business in Europe and the US — the second consecutive year it has taken top spot.
Cyber insurance penetration rates have been growing across both regions in recent years, but they still remain low compared to other types of cover.
Several insurance companies are trying to reach more businesses with cyber coverage, but doing so requires data and analytics, and with this type of insurance having been barely tested, these prerequisites are is hard to come by.
Zurich UK CEO Tulsi Naidu says: “While organisations are increasingly alert to the impact cyber-attacks can have, many do not yet fully appreciate the dangers, and must step up their efforts to combat the threat.
“As such, this is an area of insurance we expect to see grow.”
Necessary for this growth is risk data and the analytics capability to understand it.
This need has spawned a whole industry aiming to assist insurers in gaining insights into the level of risk a company has, and ultimately give them the means to underwrite policies.
Six companies providing data analytics needed to underwrite cyber insurance policies
Formed in 2016 by a mix of cyber insurance and security professionals — two of whom worked on cyber resilience for the US government — Arceo aims to give underwriters and brokers the ability to cover cyber risk more effectively.
To do this, the company provides both providers and brokers with a suite of tools they can use to not only price risk, but give their customers the knowledge to reduce it too.
Data analytics on internal cyber security systems within a business are compared with the latest information on the threat landscape to establish where the gaps in coverage are, allowing insurance customers to manage it better or insure it.
Recently receiving a $37m bump in investment-led venture capital companies Lightspeed Venture Partners and Founders Fund, Arceo is actively working to expand its customer base.
A recently announced member of European insurtech accelerator programme Plug and Play, Cytegic is on a similar path to Arceo.
Founded by Shay Zandani and Elon Kaplan in 2012, the insurtech’s product, called Automated Cyber Risk Officer, allows organisations to analyse their risk of a breach by scanning systems to find out where the gaps in their security are — based on the latest threats.
The technology is marketed to insurance companies, who can get a better understanding of who they’re covering and what sort of financial damage would result from an attack.
But it also gives insured businesses the advice required to invest in cyber security products or extend their coverage to transfer the risk.
Corax provides a platform insurers can use to model an attack scenario on a company, gaining insight into the impact a cyber-attack might have on the organisation.
Founded in 2013 by CEO Jonathan Pope and CTO Tom Beale, the software already has data from more than 10 million companies — delivering improved accuracy for underwriting and cyber risk analytics.
The company also allows insurance companies to input their own risk features into its model, giving them the chance to examine cyber risk on an individual basis as well as using the mass of data as a benchmark.
Founded in 1971 by Christian Kryder, who has since left the company, Verisk has been an active player in the data analytics space for decades, helping insurers to better assess risk as a key part of its business.
In June this year, it launched Cyber Underwriting Report — software embedded with AI-based modelling capabilities that draws on data from 12.4 million businesses and 100,000 cyber attacks.
The programme outputs a cyber-risk score based on the internal cyber security measures taken by a company and the current threat landscape, benchmarking it against industry peers with a separate score and revealing which interconnected companies could be affected by an attack.
Reports also give a score based on a business’s predicted resilience to business interruption, including how long it’s likely that trading would be suspended and the financial impact that could have.
Cyber security firm Symantec has been providing insight into the cyber threat landscape for years through its reports, but in 2015 it launched CyberCube to turn its data into insights for the insurance industry.
Founded by CEO Pascal Millaire, former Symantec vice president of cyber insurance, the company is now a separate entity that continues to integrate data from its parent to inform its cyber risk models.
Similar to other products in this list, CyberCube uses modelling software to gain insight into the risk of a cyber attack and its likely impact on a business.
But a key focus for the insurtech is giving insurers an overview of their aggregation risk — the financial hit they’d incur if a broad attack caused a spike in claims.
Insurance brokerage and advisory firm Aon recently partnered with CyberCube, giving it the ability to offer insurers a tool to understand and adjust their own appetite for cyber risk as the threat landscape changes by using analytics.
Guidewire produces software for the insurance industry that assists with day-to-day processes such as claims and billing, but it has since moved into cyber analytics through the acquisition of Cyence.
Its founder and CEO Arvind Parthasarathi started the company, like many others on this list, to address the shortfall in risk knowledge around cyber attacks.
Cyence collects its own risk information using a process it calls “data listening”, which in practice means using AI to draw data on things like the network structure of a business and which service providers it’s connected to, straight from the internet.
This approach differs from the internal scanning procedures of some of the others on this list, but the company claims it gives it enough to estimate the financial risk and probability of a cyber attack on a business.
Among Cyence’s clients are Lloyd’s of London, the world’s oldest insurance market, German giant Allianz and several ratings agencies.