Here’s an interesting contradiction- the insurance industry is heavily focusing on innovation, but letting others take the lead in cyber issues. And those ‘others’ are not always the good guys.
TLDR: This column typically focuses on insurance innovation/InsurTech, and all the whiz-bang artificial intelligence, algorithms, pain points, data analysis, blockchain, and innovation integration points that accompany that pursuit. Of course those of you who have read much of what this author has written over the past year realize that there is a clear contention carried forth: insurance and InsurTech are made up of many parts, all of which together form the Insurance Elephant- serving the insurance customer.
What does that have to do with the point of the opening paragraph? A thought that while the industry chases disruption of legacy/incumbent methods, there are many who are truly disrupting business (including insurance businesses) through cyber gambits, and that the risk posed by cyber disruptors makes the potential outcome of ‘traditional’ InsurTech efforts (can innovation be traditional?) tiny in comparison. $2 trillion is the estimated 2019 global cost of cybercrime per Juniper Research (see bullet point 7 of 14 Most Alarming Cyber Security Statistics in 2019). Let’s see, global insurance business is just over $5 trillion, so $2 trillion in a relatively new risk is- a lot! That amount makes the valuation of all the InsurTech unicorns seem like a relatively small school of InsurTech seahorses in a vast cyber ocean.
What brings the focus to cyber cover and cyber crime is a recent occurrence of cyber crime suffered by an upstate NY manufacturer. A good company, 50+ hard working employees, steady business growth, well run and, until a few weeks ago, not concerned with cybercrime. Then came the digital wolf at the door- a ransomware gambit that maliciously encrypted the firm’s entire set of digital books and operations, leaving the firm virtually blind, deaf, and dumb. The management of the company was simply unaware of what the next steps should be, who to contact, how to act, and unknowing of the immediate or long-term effects the attack would pose to the firm. And no real insurance coverage was in place for the event or ensuing damage- typical CGL coverage hardly touches on the risk other than to mostly exclude the effects from coverage. First party property coverage doesn’t apply unless there is some ensuing physical damage caused by loss of computer operating capability.
Huh, I thought. How is this not an insurance and InsurTech opportunity that is front burner stuff? There are tens of millions of SMEs (small or medium enterprises) in North America alone, millions in Europe, more millions spread across the globe. Talk about pain points! But then, relative to many other business concerns few talk about it.
The cyber cover issue can be seen from multiple perspectives, but I considered three points:
- Sales/agency knowledge
- Customer awareness/preparation
- Protection and response
My colleague and all around great agent, Michael Porpora, was one of the cyber insurance gang with whom I discussed the sales end of cyber risk (thanks also to Brett Fulmer, Ben Guttman, and Joe Hollier). Michael summarized the SME cyber insurance market in this fashion:
- There is limited technical acuity (read as cyber product knowledge) within agencies that serve SMEs
- The risk is poorly understood
- The language of the risk is not understandable by customers or agents
- The product is as well known as something at the bottom of the vast depths of the ocean.
Well that’s comforting for a $2 trillion problem.
As we continued the discussion it was clear that typical policies afford little or no cyber cover, and the number of options for specialty coverage are not great. However, the opportunities for agents to educate their clients are many. As Michael said, “I use cyber insurance as a wedge,” or an entrée into a client’s office. Right now it’s an each time, every time offering for his clients. Seems an easy offering to businesspersons if the product knowledge is there- so why isn’t it? Seemingly an easy product to underwrite as the coverage limits are currently finite, so why isn’t the cover more commonly discussed? Is the risk the virtual asbestos of our era?
I considered that there may be an underground problem that simply hasn’t hit the mainstream press, i.e., there are many cyber occurrences that are resolved through payment of ransom, or are simply an added expense to the firms that experience the events. No one wants the public to know of an attack because there may be cascading liability concerns. Of course not acknowledging the problem doesn’t make it disappear. In the instance of the NY manufacturing firm, the approach was to address the issue in house, with the in-house IT staff wrestling the demon. Until the attack went from inconvenient to disastrous, and the perpetrators went from hackers to extortionists. It was coincidence alone that caused the firm to realize their CPA firm had resources to help the company deal with the layers of issues. Have they contacted the FBI? Not yet. Wonder how many ‘not yet’s exist, such that the authorities remain unaware of the specific extent of the attacks. These instances are not all ‘Wannacrys’, so cyber issues remain akin to a thousand virtual paper cuts.
Customer awareness and response
What can companies do to identify exposures? Few SMEs can afford large IT staff, and the attack environment is continuously changing. Is there an InsurTech ‘wing’ that is focusing on the unique challenges of a business that is comprised of information/data and money? Not so much, but there are information security specialists whose primary business is to anticipate and identify cyber problems, to the point where they conduct ‘ethical hacking’ of client firms to detect digital weakness.
John Strand of Black Hills Information Security (BHIS) was kind enough to spend some time with me explaining how many Fortune 500 firms engage companies like BHIS to conduct (among other services) penetration tests in order to confirm the relative security of an organization’s tech superstructure. He mentioned that many cyber policies require ‘pen’ tests as part of the underwriting and renewal process, not unlike a building needing a risk assessment before cover can be bound. But even with a good cyber policy in place, ongoing diligence is needed because risks are changing and financial exposures are increasing. John mentioned this reality- most insureds that suffer an attack have more challenges at the initial stage, because there is a need for immediate resources and assistance that an indemnity-only policy may not afford. Consider companies operating in GDPR environments- sure, the fines can be extensive, but the need for immediate action requires resources. There are some parametric programs available that have identified GDPR violations as triggers, and as such a need for immediate operational changes to prevent ongoing problems. Other concerns John mentioned- not many carriers have specialized cyber claims departments, and there are systems and compliance regimes that are commonly used or are becoming ubiquitous, e.g., payment programs, HIPAA, PCI, ISO, etc., that may be exposed to attack but are not considered by users that way (their use is becoming a focus of required pen testing). An optimistic note- the ethical hacking community is mutually cooperative because at this time there is plenty of business for all. John compared the business with the child’s game ‘Hungry Hungry Hippos’- plenty of marbles on the playing surface, one simply reaches out and grabs.
Protection and response
Sales and customer knowledge are concerns, and so is the need for technical expertise to identify issues up front. Is there a reasonable blending of the two? Seems there is, if the discussion I had with Andrea Holmes of Boxx Insurance is an indicator.
While not in a lot of jurisdictions- yet- Boxx Insurance is introducing a hybrid cyber product, one that not only provides cyber cover through brokers, but also educates customers, focuses on preparation for cyber issues, and provides a monitoring service for clients. The four ‘legs’ of the firm’s approach could easily be an industry mantra- Predict, Prevent, Respond, Recover. The service is focused on SMEs, and the full suite of membership services places the participating firms somewhat on par with the bad guys who work at cyber 24/7, even affording cover for ‘rogue’ employees’ actions, or infections that may have been in place prior to signing on with Boxx. One might even consider services such as that provided by Boxx as being the virtual model of insurance IoT- the service potentially senses issues prior to damage occurring and advises the client to take action. Kind of like the water heater sensor that shuts off the main valve when a failure is imminent. How about that IoT, Matteo Carbone? Customers in Ontario, Canada are enjoying the service, and it’s soon to be available in Chile and Singapore (and perhaps Quebec). The firm has some solid leadership (thanks for the intro, Hilario Intriago), solid tech, government certifications, and proprietary processes, but it seems the approach is solid enough to encourage other InsurTech entrants.
Cyber risk cover- it has uses for every level of customer, because the effects never stay within the bounds of the customer that has the direct exposure. It is a risk that is a virtual Insurance Elephant, many unique parts but in the end it’s the whole beast. A $2 trillion beast that should be attracting a variety of entrepreneurs in any place on the globe. I wonder what a $1 trillion valuation company is referred to as? Unicorn’s unicorn?
Patrick Kelahan is a CX, engineering & insurance professional, working with Insurers, Attorneys & Owners. He also serves the insurance and Fintech world as the ‘Insurance Elephant’.
I have no positions or commercial relationships with the companies or people mentioned. I am not receiving compensation for this post.