InsurTech is growing up, and cyber crime is too

TLDR   Don’t look now but the self-declared insurance disruptive force called InsurTech is maturing.  There, I’ve said it. And cyber crime issues need to become mainstream discussions.  There, I’ve said that, too.   Here are some compelling InsurTech maturity indicators seen in the media this week: Publication of articles discussing more mainstream concerns for […]

The post InsurTech is growing up, and cyber crime is too appeared first on Daily Fintech.

The local insurance agent- insurance ecosystem re-defined

You don’t have to look very far to find an active insurance ecosystem- just visit the neighborhood insurance agent or contact a commercial broker.  They have been fostering the ecosystem method of serving customers since before the term was moved into the front row at the innovation and InsurTech get-together.

TLDR.  Read any of the volume of current discussion regarding insurance ecosystems and you’ll find references to smart device apps, on-demand, shopping or ride sharing companies that are adding insurance options (Paytm and LIC, Amazon and Acko, Flipkart and Digit) but these are not surprisingly in insurance markets that are developing through a ‘digital native’ business culture.  Ecosystems per se have been a difficult ground up start in more developed insurance markets, e.g., U.S., Canada, and Europe.  But what of the US and Europe- forget being part of an ecosystem?

A quick look at defining an insurance ecosystem finds:

Ecosystem- “An ecosystem is a new business paradigm in which firms use digital tools to leap over traditional industry boundaries or forge partnerships.”  (WHY ECOSYSTEMS ARE THE FUTURE OF INSURANCE, Accenture).

Huh.  Leap over traditional industry boundaries or forge partnerships.

Or this-

“we suggest that middle-market insurers may want to consider expanding their horizon well beyond the standard product and service options they typically offer policyholders (see figure 2). This would involve creating or joining a much broader ecosystem offering a wider range of business support solutions, as well as facilitating educational and networking opportunities for customers.”  (Building new ecosystems in middle-market insurance, Deloitte)

Hmmm.  Offering a wider range of business support solutions, as well as facilitating educational and networking opportunities for customers.

I suggest if we look past the urge to see ecosystems as a new paradigm in developed insurance markets you will find- the agency model.  Not just the independent or captive agents who are churn and burn lead chasers, but the agents who have a holistic approach to building relationships (old school suggestion of recognizing inter-connectivity of business- nascent ecosystems.)

Digital ecosystems such as are noted above typically didn’t begin as systems; they were applications.  WeChat was launched in 2011 as a mobile chat app by China digital giant, Tencent.  Within four years it had developed by the popular demand of users and affiliate companies into being a 200 million users per month- wait for it- ecosystem of users and providers.  The application was adding value to what was originally a form of communication.  It was accessible, easy to use, had features that were meaningful in daily life.  It’s said that WeChat was the impetus behind the explosive growth in use of QR codes in China.

How does that tie into insurance, or insurance ecosystems?

There are tens of thousands of insurance agents in the U.S. alone, each of whom is working to build business, retain customers, increase the actual or perceived value customers find in the agent’s service, in other words- working to sell a reason for the customers to interact with the agency more often than once per year.

Smart agents have figured ways to do this for years before digitization- sponsor little league, be active in the chamber of commerce, bring a dish to pass at the service organization luncheon, donate bicycles to good readers at school (Chris Paradiso!), names on bowling shirts, filling sandbags, holding a customer’s hand when a claim occurs, referring the accountant next door, keeping a bank account in the local 1st National, keeping abreast of business and tech changes, and so on.  Building the value he/she could bring to customers, being a resource.

How is it that agents can be the insurance ecosystems of today?  If in China- have your QR code on WeChat, of course.  Piggyback on the platform Tencent has constructed.  But in mature markets where the insurance industry has tenure, the model has its own reference- ‘legacy’- and the availability of carriers is a fractured confusion to customers?

Active agents have the basis- relationships with collaborative businesses/organizations, and a pool of mostly content customers.  How might the agent leverage these resources?

  • What does an agent’s website say when it’s opened? Chances are it says, “I want to sell you something.”  So, people visit the site when they need to buy insurance.  Why not have a splash page that showcases the value/connections/resources that the agent has built over time?  A site that is a resource pool for clients that also serves as a selling tool when needed. (not like that of the Life Insurance Corporation of India– love their resources but the splash page is crazy busy).
  • Collaborate with business partners- what’s wrong with having synchronization of messages within the respective websites? If the agent resides in a smaller community then resources are common, success of one results in success of another, and there’s that synergy thing to take benefit from.
  • Be an active part of social media that makes sense for business. Not just a ‘like’ clicker, but a question asker, expertise sharer (Billy Van Jura).
  • Don’t try to re-create the wheel- link to existing resources customers are familiar with. Have an FAQ link on your site?  Did you know that Pinterest has an insurance info page? The details aren’t too tough to get a link onto your page, and cross-clicks builds your digital presence.
  • Be an easy source of information/links for emergency, weather, and government contacts. Be the source customers want to keep as a favorite.
  • Build a smart device application that makes sense- not a selling tool but a resource for the user that can also serve as a selling tool.
  • Leverage the digital resources your stable of carriers has- they know that being a digital resource is important; some are better at it than others.
  • There’s a lot more that the reader can think of- convert your analog ecosystem into a digital version.

There are agents who are working to perfect targeted ecosystem plays, e.g., cyber insurance (Brett Fulmer, Joe Hollier, Ben Guttman in the US), or in unique SME plans (Michael Porpora), or in facilitating service tools for high net worth customers (Kurt Thoennessen).  A very good example of building an ecosystem/resource platform is Pat West, whose firm Hedgequote’s primary function is to be a resource for those needing information on insurance and potential firms from which to purchase.

I regret I do not know many agents working outside of the US, but some good examples who are building services beyond the basic sales model include Muhammad Ayodeji working in Lagos, Nigeria (who in addition to representing insurance well posts traffic and accident updates through Twitter), or Mark Callanan in Sydney, Aus, who investigates crop and parametric options for the farmers and farm landowners in the country.  And one never knows- the transition that German insurer DFV-AG has forged from being a more traditional carrier to digital expert may lead the firm into digital ecosystem land.

The point is that ecosystems can be insurance businesses that truly offer a wider range of business support solutions, as well as facilitating educational and networking opportunities for customers.  Perhaps a clever player will build an ecosystem of business connections that is a digital repository of business links.  Ecosystem is still being defined- agents can evolve beyond the world of sales quotas and discussions about premiums.

“Alexa, who does my insurance agent recommend for plumbing repairs?”

 

Patrick Kelahan is a CX, engineering & insurance professional, working with Insurers, Attorneys & Owners. He also serves the insurance and Fintech world as the ‘Insurance Elephant’.

I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.

Subscribe by email to join the other Fintech leaders who read our research daily to stay ahead of the curve. Check out our advisory services (how we pay for this free original research).

 

Cyber insurance- questions without many answers

TLDR When we last met it was agreed that cyber risk and cyber insurance are under-emphasized concepts in the SME insurance and InsurTech worlds, and discussion was had on the ‘underground’ nature of cyber attacks and associated non-publicity of cyber events.

It’s Ok to raise awareness and prompt discussion (and there was much of that after the article was posted), but does that move the issue forward in a practical way? 

If a penetration test identifies vulnerabilities, what then?  If the owner of an SME wants to protect her firm from potential actions of a rogue employee, the next step after installing solid tech is…?  And when you call your broker and ask for the most comprehensive cyber cover, what will his answer be and how can you know if it’s the correct answer?

After the 6/14 Daily Fintech article posted I received an inquiry from Jay Weintraub of InsureTech Connect through the fine folks at Caliber Corporate Advisers (thanks, Meg MacDougal!) and he posed two pretty good points/questions:

  • The big question regarding insurance and cyber is not, “are we focused enough around this space”, but is, “what happens if insurance gets it wrong?”
    • “A cyber security disaster could be the next major ‘hurricane’, but unlike a hurricane which you can somewhat see coming to a single geography, a cyber breach is the equivalent of 1000 earthquakes happening simultaneously in places that don’t have fault lines- it’s a beast you can’t see coming, with unknown reach, so it’s imperative that we identify ways to mitigate the effects of that risk.”
  • A role of insurance is to help businesses when there is risk- that includes cyber security.
    • “Insuretechs and incumbents are well-positioned to help, but in the rush to protect businesses, they have to make sure they are not setting themselves up for catastrophic failure in the future. Cyber is simply too new and in some respects the factors that contribute to the losses are so varied that the legitimate question is, “have they modeled this correctly?” As of now the answer is that we don’t yet know.”

It could be said cyber insurance carriers don’t know enough to ask what we don’t know- the risks are new, evolving daily, and the direct and indirect costs of cyber events are being defined as you read this article.  Predicting the costs of risk hinges on adequate pools of data- experiential, financial, valuation, etc.; however, what is really known of cyber risk data?  The biggest consumers of cyber risk data seemingly are the companies whose primary role is protecting consumers/businesses from risk- virus protection companies like Symantec, McAfee, Webroot, or Kaspersky (among other peer companies), but are those companies proxies for cyber insurance?  Not so much- read the user license agreement and see what lengths those firms go to (or don’t) to provide post-cyber occurrence indemnification.  Symantec has taken some steps towards insurance through partnering directly with the data analytics firm CyberCube that serves as a SaaS platform for insurers and underwriters, but not as insurer.

If the risk detection/protection firms haven’t branched into cyber cover, why not?  Yes, it’s a different sort of distribution needed, and more breadth of coverage, but if demand is there from customers, does the InsurTech world not see opportunity in cyber?  AM Best reports that U.S. cyber insurance premiums have grown aggressively in the past few years- $2 billion in 2018 from a level of $996 million in 2015.  50% growth and billions in premiums.  The rating firm also notes that the number of claims grew to 10 million in 2018.  That’s a lot of customer needs.  Money and customers- opportunity, for InsurTech and unfortunately for the bad guys.

The answers aren’t clear but some of the points to consider are:

  • Cyber cover includes preparation (know the risk), prevention (antivirus, penetration tests, training), response, and repairs
  • Availability- there are larger carriers who have products for those who are interested, e.g., Chubb, AXA and AIG. Are these carriers accessible to SMEs?
  • There are many SMEs who see the typical business owner’s policy as sufficient, or choose to consider minimal liability cover as being adequate.
  • There’s not much public awareness of cyber occurrences- many who experience an event keep the trouble quiet. There needs to be more focus on the issue such as in Australia, where reporting an occurrence is mandatory.
  • The pool of available data is shallow, inhibiting the effectiveness of risk rating, suggesting premiums will be set higher to manage the carrier’s incomplete knowledge of the risk.
  • Large cyber occurrences are analogous to more traditional catastrophes- except they will cross far more regulated jurisdictions.
  • Cyber risk crosses the line of data security, and will have collateral effects with laws/regs like GDPR and HIPAA.
  • Cyber cover can accommodate products from parametric, indemnity, and reinsurance covers- response, repair, and cat.
  • Is cyber an opportunity area for virtual IoT-based insurance? Cyber monitoring as severity managers?

Those are just some of the thoughts that came to mind- much smarter persons have already considered these and others, which makes it surprising that cyber insurance is not more mainstream.

A parting thought for an article that raised way more questions than it answered- what of a person’s or company’s reputation, or brand in the wake of a cyber event?  Is that a recoverable risk?

I reached out to Ben Baker, a personal brand expert, marketing consultant, and radio host for cyber crime/risk perspective.

“Let’s not kid ourselves,” replied Ben, “cyber-crime, whether it is extortion or malicious attack, is a brand problem. Not only is the reputation of the attacked company at stake, but there is added potential harm if it affects the vendors and clients of the business attacked.

The gut reaction by vendors or clients is probably not, “how horrible is it that you were attacked” but rather, “how could you as a brand be so careless with my information?”  Cybercrime, when disclosed, can lead to huge trust issues in the attacked brand mishandled, and unfortunately, most companies do mishandle communicating through a crisis.”

Ben’s words suggest the cyber insurance discussion comes full circle: not only does a lack of urgency/information inhibit acquisition of cyber cover, but it ultimately can affect parts of an SME’s business that may be unrecoverable- reputation.

Patrick Kelahan is a CX, engineering & insurance professional, working with Insurers, Attorneys & Owners. He also serves the insurance and Fintech world as the ‘Insurance Elephant’.

I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.


Is InsurTech missing a $2 trillion opportunity?

Here’s an interesting contradiction- the insurance industry is heavily focusing on innovation, but letting others take the lead in cyber issues.  And those ‘others’ are not always the good guys.

TLDR   This column typically focuses on insurance innovation/InsurTech, and all the whiz-bang artificial intelligence, algorithms, pain points, data analysis, blockchain, and innovation integration points that accompany that pursuit.  Of course those of you who have read much of what this author has written over the past year realize that there is a clear contention carried forth, that insurance and InsurTech is comprised of many parts, all of which comprise the Insurance Elephant- serving the insurance customer.

What does that have to do with the point of the opening paragraph?  A thought that while the industry chases disruption of legacy/incumbent methods there are many who are truly disrupting business (including insurance businesses) through cyber gambits, and that the risk posed by cyber disruptors makes the potential outcome of ‘traditional’ InsurTech efforts (can innovation be traditional?) tiny in comparison.  $2 trillion is the estimated 2019 global cost of cybercrime per Juniper Research (see bullet point 7 of 14 Most Alarming Cyber Security Statistics in 2019.)   Let’s see, global insurance business is just over $5 trillion, so $2 trillion in a relatively new risk is- a lot!  That amount makes the valuation of all the InsurTech unicorns seem like a relatively small school of InsurTech seahorses in a vast cyber ocean.

What brings the focus to cyber cover and cyber crime is a recent occurrence of cyber crime suffered by an upstate NY manufacturer.  A good company, 50+ hard working employees, steady business growth, well run and until a few weeks ago, not concerned with cybercrime.  Then came the digital wolf at the door- a ransomware gambit that adversely encrypted the firm’s entire set of digital books and operations, making the firm virtually blind, deaf, and dumb.  The management of the company was simply unaware of what the next steps should be, who to contact, how to act, and unknowing of the immediate or long-term effects the attack would pose to the firm.  And no real insurance coverage in place for the event or ensuing damage- typical CGL coverage hardly touches on the risk other than to mostly exclude the effects from coverage.  First party property coverage doesn’t apply unless there is some ensuing physical damage caused by loss of computer operating capability.

Huh, I thought.  How is this not an insurance and InsurTech opportunity that is front burner stuff?  There are tens of millions of SMEs (small or medium enterprises) in North America alone, millions in Europe, more millions spread across the globe.  Talk about pain points!  But then, relative to many other business concerns few talk about it.

The cyber cover issue can be seen from multiple perspectives, but I considered three points:

  • Sales/agency knowledge
  • Customer awareness/preparation
  • Protection and response

 

Sales/agency knowledge

My colleague and all around great agent, Michael Porpora, was one of the cyber insurance gang with whom I discussed the sales end of cyber risk (thanks also to Brett Fulmer, Ben Guttman, and Joe Hollier).  Michael summarized the SME cyber insurance market in this fashion:

  • There is limited technical acuity (read as cyber product knowledge) within agencies that serve SMEs
  • The risk is poorly understood
  • The language of the risk is not understandable by customers or agents
  • The product is as well known as something at the bottom of the vast depths of the ocean.

 

Well that’s comforting for a $2 trillion problem.

As we continued the discussion it was clear that typical policies afford little or no cyber cover, and the number of options for specialty coverage are not great.  However, the opportunities for agents to educate their clients are many.  As Michael said, “I use cyber insurance as a wedge,” or an entrée into a client’s office.  Right now it’s an each time, every time offering for his clients.  Seems an easy offering to businesspersons if the product knowledge is there- so why isn’t it?  Seemingly an easy product to underwrite as the coverage limits are currently finite, so why isn’t the cover more commonly discussed?  Is the risk the virtual asbestos of our era?

I considered that there may be an underground problem that simply hasn’t hit the mainstream press, i.e., there are many cyber occurrences that are resolved through payment of ransom, or are simply an added expense to the firms that experience the events.  No one wants the public to know of an attack because there may be cascading liability concerns.  Of course not acknowledging the problem doesn’t make it disappear.  In the instance of the NY manufacturing firm, the approach was to address the issue in house, with the in-house IT staff wrestling the demon.  Until the attack went from inconvenient to disastrous, and the perpetrators went from hackers to extortionists.  It was coincidence alone that caused the firm to realize their CPA firm had resources to help the company deal with the layers of issues.  Have they contacted the FBI?  Not yet.  Wonder how many ‘not yet’s exist such that the authorities remain unaware of the specific extent of the attacks.  These instances are not all ‘Wannacrys’ so cyber issues remain akin to a thousand virtual paper cuts.

 

Customer awareness and response

What can companies do to identify exposures?  Few SMEs can afford large IT staff, and the attack environment is continuously changing.  Is there an InsurTech ‘wing’ that is focusing on the unique challenges of a business that is comprised of information/data and money?  Not so much, but there are information security specialists whose primary business is to anticipate and identify cyber problems, to the point where they conduct ‘ethical hacking’ of client firms to detect digital weakness.

John Strand of Black Hills Information Security (BHIS) was kind enough to spend some time with me explaining how many Fortune 500 firms engage companies like BHIS to conduct (among other services) penetration tests in order to confirm the relative security of an organization’s tech superstructure.  He mentioned that many cyber policies require ‘pen’ tests as part of the underwriting and renewal process, not unlike a building needing a risk assessment before cover can be bound.  But even with a good cyber policy in place, ongoing diligence is needed because risks are changing and financial exposures are increasing.  John mentioned this reality- most insureds that suffer an attack have more challenges at the initial stage- because there is a need for immediate resources and assistance that an indemnity only policy may not afford.  Consider companies operating in GDPR environments- sure the fines can be extensive, but the need for immediate action requires resources.  There are some parametric programs available that have as triggers identified GDPR violations, and as such a need for immediate operational changes to prevent ongoing problems.  Other concerns John mentioned- not many carriers have specialized cyber claims departments, or tech programs that are commonly used or are becoming ubiquitous, e.g., payment programs, HIPAA, PCI, ISO, etc., that may be exposed to attack but not considered by users that way (their use is becoming a focus of required pen testing.)  An optimistic note- the ethical hacking community is mutually cooperative because at this time there is plenty of business for all.  John compared the business with the child’s game ‘Hungry Hungry Hippos’- plenty of marbles on the playing surface, one simply reaches out and grabs.

 

Protection and response

Sales and customer knowledge concerns and needing technical expertise to identify issues up front.  Is there a reasonable blending of the two?  Seems there is, if the discussion I had with Andrea Holmes of Boxx Insurance is an indicator.

While not in a lot of jurisdictions- yet- Boxx Insurance is introducing a hybrid cyber product, one that not only provides cyber cover through brokers, but also educates customers, focuses on preparation for cyber issues, and provides monitoring service for clients.  The four ‘legs’ of the firm’s approach could easily be an industry mantra- Predict, Prevent, Respond, Recover.  The service is focused on SMEs, and the full suite of membership services places the participating firms somewhat on par with the bad guys who work at cyber 24/7, even affording cover for ‘rogue’ employees’ actions, or infections that may have been in place prior to signing on with Boxx.  One might even consider services such as that provided by Boxx as being the virtual model of insurance IoT- the service potentially senses issues prior to damage occurring and advises the client to take action.  Kind of like the water heater sensor that shuts off the main valve when a failure is imminent.  How about that IoT, Matteo Carbone?  Customers in Ontario, Canada are enjoying the service, and it’s soon to be available in Chile and Singapore (and perhaps Quebec).  The firm has some solid leadership (thanks for the intro, Hilario Intriago), solid tech, government certifications, and proprietary processes, but it seems the approach is solid enough to encourage other InsurTech entrants.

Cyber risk cover- it has uses for every level of customer, because the effects never stay within the bounds of the customer that has the direct exposure.  It is a risk that is a virtual Insurance Elephant, many unique parts but in the end it’s the whole beast.  A $2 trillion beast that should be attracting a variety of entrepreneurs in any place on the globe.  I wonder what a $ trillion valuation company is referred to as?  Unicorn’s unicorn?

 

Patrick Kelahan is a CX, engineering & insurance professional, working with Insurers, Attorneys & Owners. He also serves the insurance and Fintech world as the ‘Insurance Elephant’.

I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.

Cyber Risk Insurance translates Nerd-Speak to Boardroom-Speak

 

Reposted, as it is Chinese New Year for Zarc Gin, our regular Insurtech Expert based in China.

Why do Banks exist? That is not some deep, philosophical question about the role of money in society. Banks exist to protect your assets from thieves. Because they do a good job of this, they can make a lot of money lending some multiple of what they store in the vaults. The only difference now is that the modern version of Butch Cassidy and the Sundance Kid are getting monitor tans as they cyber-attack the vaults from their computers.

Money is one asset to protect. Data is another. So is data about assets. In the digital age, it is all about data. And data is easy to steal.

All the good things that we write about on Daily Fintech – all that agility/productivity enabled by data and connectivity – also benefit Butch Cassidy and the Sundance Kid.

Cyber Risk is one nerdy subject that gets Board level attention because the risk is so high. Global 2000 companies can lose $ billions from a single hack. The problem is that cyber security is also an intensely complex subject technically.

One reason that so many influential leaders subscribe to Daily Fintech is that we are good at translating Fin to Tech and Tech to Fin. So we are attracted to the challenge of translating Cyber Security Nerd-Speak to Boardroom-Speak. It is one of the toughest translation jobs around. Even with a lot of technical experience, Cyber Security can be daunting. Even with a lot of business experience, understanding how a Global 2000 Board thinks can be daunting. Both are tough on their own. Translating between the two is even tougher, because they could not be further apart.

That translation, though hard, is ultra-critical. The Board has to really understand Cyber Security and they are currently failing at this task. This article on LeadingBoards describes the problem very well.

Cyber Security technology = big budgets & bigger risk

The global cybersecurity market reached $75 billion in 2015 and is expected to hit $170 billion in 2020 (source, Forbes).

This is one market where the “you never get fired for buying (insert Big Tech vendor)” mantra breaks down. In most other enterprise technology markets, the big vendors tend to win because the Boardroom does not really care who is picked. So the senior IT managers making the decision go for the vendor that is competent enough to do the job and big enough that if it all goes wrong they can say “but all our well-respected peers made the same decision”.

That defence breaks down in Cyber Security because the risk is so high. Nor can a Board simply say “the CISO who made the decision has already been fired”. The Board has to take direct responsibility. Which means the Board has to understand Cyber Security.

How is the Board supposed to understand something as nerdy as Cyber Security?

We take a lot of briefings on cyber security technology, because we know how important it is. Listening to all these super-smart tech guys explaining the latest cyber security teaches us that a) it is hugely complex and b) there is no silver bullet.

We use a simple mental map that translates Cyber Security to the analog world:

  • Perimeter Security is where most money is spent. Think fences, guards, dogs. The fundamental problem is that somebody will always get through. The bad guys also benefit from Moore’s Law and can use SMAC (Social Mobile Analytics Cloud) to collaborate and share (what has been dubbed Crime As A Service). You can be the biggest bank or the biggest government and you still get hacked.
  • Digital ID. Think body part scanners (finger, eye, voice etc) that determine who can get into the building. We have written a lot about Digital ID technology and it is improving at a remarkable pace. The problem is collusion with a trusted inside-person who is part of the crime gang; the person with perfect Digital ID is a criminal.
  • Protect from the inside. This assumes that both Perimeter Security and Digital ID are imperfect. One way to protect from the inside is process controls (for example needing more than one person to send a wire). This also suffers from the collusion problem, but it is better as it is harder for criminals to corrupt the two individuals in a process. Another way is to write code that is secure. The problem is that both better process and better code hit the agility/efficiency problem. Banks have to move fast and efficiently to beat competition AND be secure. One alone is not enough. For example, Banks want to use high level languages and tools that enable rapid time to market even if that means the developers are not thinking much about security.
  • Protect when data leaves the vault. This assumes that all three methods above will fail. The analogy here is marked banknotes used in a kidnap ransom. Again, the bad guys have very sophisticated technology to get rid of these markings, so this is yet another arms race.

If you cannot measure it, you cannot manage it

That is one of the oldest truisms of business. If you listen to the pitches of any Cyber Security vendor, you will hear that they have the solution. The problem – as any reasonably attentive business person can observe – is that even companies with all this smart technology still get hacked. The empirical evidence is that there is no silver bullet.

Insurance has historically worked on statistical models. This works fine – until it no longer works. When something fundamental changes, the models become deeply flawed. We have tracked this as it relates to catastrophes created by climate. The use of data and connectivity by cyber-criminals is analogous. The risk went up in unpredictable ways. It is no longer good enough to rely on historical models. Cyber Risk is like Climate Risk – the historical models do not predict the future accurately enough.

What companies want is something as simple as a cyber security safety rating. Insurance Companies have the right motivation to give an honest rating (unlike credit rating agencies that are paid by the seller). Insurance Companies won’t award a AAA cyber security safety rating to a BBB company, because they will pay in claims for getting it wrong.

That means Insurance Companies need to turn into cyber security experts. A tech vendor may say “we have the secret sauce” to change your rating from BBB to AAA and thus lower your premiums. The Board will say “sure, if you can convince our Insurance Company that this will lower our premiums, we have a deal.”

Startups in this risk metrics space include Cyence, BitSight and Security Scorecard.

Cyber Risk Insurance is a data game and that is a problem

Cyber Risk is one of the fastest growing parts of the Insurance market, accounting for over $3 billion in premiums.

Banks are in better shape than others. Protecting against thieves has been a core competency for longer.

Cyber Risk Insurance people differentiate between Micro and Macro. The latter is the news-worthy hacking between governments (cue image of the nerdy young Q in recent James Bond movies). Our concern is the more boring Micro Cyber Risk Insurance – exciting enough as this is about whether huge companies can lose $ billions from a single hack. The Micro could become the Macro if a number of Micro hacks led to a crisis of confidence in the financial system akin to September 2008.

Talking to experts in this relatively new field it is hard to get a lot of on the record quotes. That indicates a market that is nascent enough that the solutions are not obvious. To entrepreneurs that signals opportunity.

Bernard Lunn is a Fintech deal-maker, investor, entrepreneur and advisor. He is the author of The Blockchain Economy and CEO of Daily Fintech.
