Risk mitigation for cyber insurance coverage: Digital tools, twins and ecosystems
In our last post, we examined some of the structural issues affecting today’s cyber insurance market, including poor cybersecurity hygiene, aggregation risk, and capital scarcity. Before cyber insurance can truly become a mainstay of the digital economy – as a widespread, widely affordable, stably priced product – these issues need to be addressed. We have identified three main levers available to insurers:
- Reduce individual risks through improved cybersecurity
- Rightsize exposure, especially in the event of cyber disasters
- Expand access to capital for cyber underwriters
Pulling these levers won’t unlock billions in cyber premiums overnight. However, a functioning and sustainably scalable cyber market will emerge – without the extreme volatility that the line is currently experiencing. We’ll look at each of these levers in our next posts, starting with the first one today: how to mitigate risk through improved cybersecurity.
Insurers need to incentivize a new baseline of cyber risk mitigation
It is a fundamental law of insurance that bad risks bring higher premiums – and this is a factor that makes cyber insurance unaffordable for many businesses, especially small and medium-sized businesses (SMBs). However, if you reduce the risk, lower premiums will tend to follow. Fortunately, in cyber, it’s relatively easy for businesses to establish a best-practice baseline.
Many cyber attackers use low-tech or no-tech approaches – such as social engineering – to gain unauthorized access to buildings, data and systems. Well-communicated cybersecurity guidelines and employee training will therefore take the simplest hacking opportunities off the table.
The disadvantage of these “soft” measures is that their effects are difficult to quantify and to reflect in policy prices. Regardless, it is almost certainly worthwhile for insurers – or brokers – to make cybersecurity content and resources freely available to insured parties via a portal or the like.
Hackers can of course escalate, bringing out high-tech tools for harder-to-crack targets. But here, too, a little cyber defense can go a long way. There are a variety of cybersecurity software tools – from firewalls and anti-virus packages to encryption and password managers – to enhance basic security, all of which are available on a mass-market basis.
With such “hard” loss controls, the effects on claims are easier to quantify. Packages are either active or not and, by and large, mean the same thing from one implementation to another. In this way, meaningful loss comparisons can be drawn between different groups of insureds, which opens the door to more differentiated pricing.
It is therefore no surprise that the majority of stakeholders use risk-scanning tools (either first-party or via a vendor) at some point during underwriting to get their own overview of companies’ defenses:
Source: Cyber Insurance – The Market View; PartnerRe and Advisen, 2021
These types of diagnostic tools will help insurers identify and reward best practices, either in the form of premium discounts or discounts on security software purchases; meanwhile, serious risks can be ruled out. All of this creates incentives for the insured to reduce risks, which leads to better cybersecurity hygiene, lower losses and thus lower premiums for the overall market – a contribution to solving the line’s affordability problem.
On the way to cyber risk engineering in real time with digital twins
Creating a new baseline for good cybersecurity is a clear net positive, but it’s not the endgame – because hackers have more in their arsenal. Since they can access a global network of illegal know-how and often probe company perimeters over many months, static defense measures – even best-practice ones – cannot permanently reduce the risk. A more active, real-time approach is needed.
As we saw in our graphic above, cyber risk scanning is now well established. Of those who scan risks at the time of underwriting, however, only 37% also do so over the subsequent life cycle of the policies. Repeated or continuous monitoring helps to keep cyber defenses up to date and to fix new vulnerabilities as quickly as possible. We therefore expect this practice to find wider acceptance in the years to come.
Ultimately, diagnostic scans will give way to predictive analysis that leverages digital twins.
Digital twinning is the creation of a replica of a network, so that various “what-if” scenarios can be tested while the real network remains untouched. This enables continuous stress tests that uncover potential vulnerabilities before they can be exploited. And by combining digital twins with self-learning AI, security teams can simulate the open-ended nature of a cyber attack, with an intelligent program triggering countless nasty surprises on the replica network – but not on the real one.
In effect, this is a way to stay one step ahead of the hackers by becoming a hacker yourself: getting to the bottom of your own weaknesses and preventing them from being exploited. Specifically, this type of scenario planning with digital twins yields a set of risks that are assessed according to likelihood of occurrence and business impact, allowing security teams to allocate resources efficiently – and, at least in theory, underwriters to assess risks dynamically.
Source: Accenture Insurance Technology Vision 2021
So far, insurers have been slow to introduce digital twins and are mostly in the experimental phase. However, cybersecurity is proving to be a major driver of the adoption of digital twins in general – so the cyber sector could be a good place for insurers to expand their efforts. In any case, 68% of insurance managers expect their company’s investments in digital twins to increase over the next three years (Accenture Insurance Technology Vision 2021).
Combining cyber insurance and loss control through ecosystem partnerships
Developing a superior pricing model for a particular security software – and then offering that superior price within the software’s footprint – unlocks previously priced-out demand and gives cyber insurers immediate positional advantages in a largely unaffordable market. The quickest way to create these pricing models is through customer scale and a wide presence across different types of security software. And ecosystems offer a promising way forward.
In the past few years we’ve seen cyber insurers work with cyber tech firms to offer risk management and risk transfer as a single package.
The efficiency of bundling also creates opportunities for other actors in the distribution chain. Due to their customer proximity and industry specialization, managing general agencies (MGAs) and brokers may be better positioned than carriers to take care of risk management and of all questions relating to the transfer of highly sensitive customer data.
Insurance coverage could be brought even closer to customers in the form of embedded insurance – with cyber tech companies selling white label coverage through their software suites. And with global cybersecurity services spending eclipsing the GWP of cyber insurance, it may be more natural for buyers to get their coverage through cybersecurity providers than their cybersecurity through coverage providers.
The ultimate winners of this development may not be individual technology companies, but managed security service providers (MSSPs). These could prove to be an efficient way of bundling several discrete cyber services and distributing them to small and medium-sized enterprises (SMEs).
Source: Rated Reports (June 2021)
Managed security has caught on because SMEs typically do not have the resources for an internal cybersecurity function. They are also not well served by one-to-many relationships with many different technology providers, brokers, and insurers. In comparison, a one-on-one relationship with an MSSP could bring SMEs up-to-date cybersecurity software along with risk-adjusted insurance pricing in a contractually straightforward and seamless manner.
Cyber insurance is now at a turning point and poised for rapid growth. Find out more in our latest report Cyber Insurance: A Profitable Path to Growth.
By strengthening loss mitigation – whether through actuarial financial incentives or the distribution of security services – cyber insurers can reduce the likelihood of losses on individual accounts. This will help lower the price of insurance and grow the cyber insurance market through wider adoption. And mitigation is just one lever for improving today’s model.
In our next post, we’ll look at two more levers that insurers can pull: adjusting exposures and expanding access to technical capital. We believe that by taking measures at several levels, insurers can bring about a cascade of positive changes in the cyber market – to the benefit of the entire digital economy. In the meantime, to find out more, download our full Cyber Insurance Report. And if you would like to discuss any other ideas in this series, please contact us.