Cyber insurance is a relatively young and immature market. The first products were brought out in the 1990s, largely as an extension of professional liability insurance. As the use of technology has become pervasive, key to running almost any business today, risks related to technology infrastructure and activities have expanded.
Cyber risks are generally excluded from more general-purpose insurance designed to protect business operations and operators. To counter this, a new type of insurance was introduced that focused specifically on cyber risks, covering costs such as those related to business disruption, extortion, theft, data loss and incident response activities.
Cyber incidents can have far-reaching impacts in terms of lost revenues and damage to the brand and reputation of those organisations impacted. Cyber insurance is increasingly being seen as essential in achieving the resilience required to weather the fallout from incidents.
But cyber insurance is still a new and relatively untrusted product. Coverage varies widely and fails to meet the needs of many clients. According to insurer Mactavish, 35% of organisations have not purchased cyber insurance because they see it as unfit for purpose. PwC estimates that the market for cyber insurance will grow from $2.5 billion in 2018 to reach $7.5 billion by the end of the decade. But changes must happen to make that a reality.
The Cyber Catalyst programme
A new initiative from insurance broker Marsh aims to effect that change. Called the Cyber Catalyst programme, the aim is for cyber insurance providers to identify those cybersecurity technologies and services that they consider to be effective in adequately reducing cyber risk. With Microsoft as the technical adviser, eight cyber insurance providers evaluated more than 150 cybersecurity solutions that spanned data, network, infrastructure, endpoint, application and messaging security, IoT controls, identity and access management offerings, and risk and compliance tools.
The criteria used in the evaluation were:
- Demonstrated ability to reduce cyber risk in organisations.
- The ability to quantitatively measure and report on how the tool will reduce the frequency or severity of cyber incidents.
- Evidence of successful implementation by customers.
- Increased efficiency for users of the product or service in their efforts to reduce cyber risk.
- Broad applicability of the product or service among a range of industries and organisational types.
- Distinguishing features and characteristics that differentiate a product with regard to similar offerings.
At the end of the evaluation process, 17 cybersecurity products and services from 15 vendors were selected as approved Cyber Catalyst solutions. Organisations that adopt these solutions as part of their cyber risk reduction programmes may be considered for enhanced terms and conditions when negotiating insurance policies with those insurance providers participating in the initiative. It is anticipated that a second round of evaluations will be held in 2020, adding to the roster of technology products and solutions that will help organisations to ensure that they are not denied a payout after an incident because they are deemed not to have taken sufficient steps to secure their operations.
Greg Funaro, VP Global Communications at Digital Guardian, which is one of the technology providers chosen under the Cyber Catalyst programme for its Data Protection Platform, states that this is a really great idea that will make it easier for organisations to determine which products and services will help them adequately address cyber risks. He likens it to the market for car insurance, whereby car insurance brokers help those wishing to purchase insurance to sort through the wide variety of offerings to find which is best suited to their needs and their risk profile. When purchasing car insurance, few would opt for the first provider they encounter, preferring instead to look for options that are tried and tested.
Providing those in charge of procuring security tools with the ammunition that they need to gain the attention of the C-suite in organisations, who will have the final say in budget decisions that impact the enterprise as a whole, is never an easy task. Security products have long been seen by many as a grudge purchase, whereby money is spent on preventing things that may or may not happen. Unfortunately, security incidents and breaches are now seen as more or less inevitable. Whilst that may be so, anything that can be done to reduce the number of incidents, and to limit or contain the damage caused by those that do occur, will gain the attention of the board and will ease the burden of gaining budget dollars.
As Funaro states, the evaluation process undergone by those who submitted their solutions for evaluation was long and arduous. By championing a product or service selected for the Cyber Catalyst programme, those in charge of procuring such products will be in a better position to argue their case and to prove that, when disaster does strike, their insurance cover will actually be fit for purpose.
In time, it is likely that purchasing cyber insurance will become as commonplace as insuring a car. It may, as with car insurance, even become a binding obligation, imposed perhaps not by regulators, but certainly by stakeholders in the business. If there is one thing that is for sure, it is that cyber insurance will have a key part to play in negotiating the journey towards achieving greater cyber resilience in the face of adversity.