After spending the last 2 years at most every InsurTech Conference across the US and EU, as well as security conferences such as RSA, I’m convinced that most of the insurance industry spells cyber with an “I” --- and I don’t blame them!
We all know the incredible growth opportunity that the cyber insurance market represents. With more than 170 US Carriers now offering cyber insurance, it’s easy to see that market participation is accelerating at an alarming pace. What’s concerning, however, is that the market’s understanding of cyber risk and its financial impact has struggled to keep up with premium growth.
In the arms race for cyber insurance market share, we’re seeing carriers offer more coverage while reducing premiums and the amount of data collected from their insureds
While a large systemic risk (think “Cyber 9/11”) has not yet materialized, it certainly does not mean the risk does not exist. We’re all waiting for the bubble to burst. Further, the limited history and lack of quantified, verified and contextual data about this emerging exposure is constraining the industry’s ability to grow. If we can’t effectively measure the financial impact of our insureds’ cyber risk and thus insurer capital requirements, how can we expect to cede more capacity to reinsurers and ultimately the capital markets through ILS in an ecosystem operating without transparency. Therefore, how do we arm the industry with the necessary tools and expertise to finally quantify their cyber financial risk and grow their portfolio profitably.
Given the dynamic nature of the most complex risk in the world, the challenge remains in how we leverage technology of tomorrow with the business models and infrastructure of today such that it translates to the culture of yesterday and can be understood. If we can accurately and rapidly quantify the potential financial impact an organization, we can finally talk about cyber risk in terms of dollars and ROI; we can talk about cyber risk in the language that CEO’s and Board Members understand and are able take action on - These are the solutions that will accelerate the sale “smart” cyber insurance.
But that’s only one part of the equation. Why? Cyber risk is not a technology risk; it’s a business risk. – In many cases brokers are the distribution force selling cyber insurance. Thus, the brokers and their clients must understand why they need cyber insurance or better yet, how they can optimize their security spend between risk mitigation and risk transfer by understanding their risk in dollars. To achieve this highly complex task, this requires a low-friction sales process with real-time intelligence such that any SMB and broker can easily digest the information and manage their sales pipeline as if it were Salesforce.
Secondarily, we need to provide prospects and insureds automated added value and insights into which critical security controls should be prioritized to reduce risk in a truly engaged process of trust that companies like Cytegic are bringing to the market. Cytegic’s groundbreaking platform immediately provides the insureds with actionable insights into their financial risk exposure, the risk to each organizational asset, and the critical controls the insureds can remediate to lower their financial impact. The comprehensiveness of the platform is surpassed only by its simplicity in elevating the role of the broker from a transactional agent to a trusted strategic advisor, all while accelerating sales.
Today, most managers rely on qualitative guidance from “heat maps” that describe their vulnerability as “low” or “high” based on vague estimates that lump together frequent small losses and rare large losses, but this approach doesn’t help managers understand if they have a $1 million problem or a $10 million one. At an executive level, how can you evaluate whether to invest in a new firewall and employee training vs. how much risk you want to insure if you’re unable to comprehend what the risk means to your business. As a result, companies continue to misjudge which cybersecurity capabilities they should prioritize and often obtain insufficient insurance protection as they fail to comprehend all the possible repercussions, causing a fundamental misunderstanding of how investments in security controls will decrease the probability of a successful attack. This in turn leads to an ineffective evaluation of how much risk the insured wishes to retain, mitigate and transfer.
The reality is that very few companies are able to quantify just how great their cyber risk and financial exposure truly is, preventing them from effectively protecting themselves.
It’s only natural to now ask -- how do you accomplish the highly challenging task of quantifying cyber risk at any degree of scalability from the smallest SMB to Fortune 500 Enterprises.
After evaluating most market solutions, I was fascinated with Cytegic’s patented, end-to-end platform global insurers are utilizing to solve the complex challenges in obtaining quantified and validated data, third party ecosystem risk and security posture optimization. When the industry has solutions that automatically identify an organization’s business assets, cyber risk and financial impact at any degree of granularity, the data “dust” that has been collected in the past will emerge as a flame. A flame without smoke is awareness. This awareness is fire and solutions like Cytegic’s are the gasoline.
Next we’ll talk about Managing The Cyber Insurance Revenue Engine