Cyber Insurance is among my InsurTech trends predictions for 2018. The attention Cyber insurance receives has increased in the past year in the wake of media coverage of cyber attacks and Trump administration. Business owners may not have noticed that Cyber attacks and (black hat) hackers have been around for many years and neither have cyber insurance policies. However, until recently, cyber insurance standalone products were tailored mainly for large corporate and were not adapted to the needs of small and medium-size businesses.
According to an Inc.com article, a research conducted by the National Cyber Security Alliance found that almost 50 percent of small businesses have experienced a cyber attack and that more than 70 percent of attacks target small businesses. As much as 60 percent of hacked small and medium-sized businesses go out of business after six months. The high percentage number is the reason that cyber insurance is critical for companies of all size.
To better understand the opportunity in the Cyber insurance products I would like to share with you an interview with Nir Perry, the CEO and founder of CyberWrite, a company dedicated for the development of cyber insurance technologies.
[G] Let’s start with your background. Can you share your journey to cyber and cyber insurance?[N] I have been working in Cyber risk management since 2001. I started my career in the Israeli Air Force information security unit. I worked for PwC and Accenture in Italy and consulted on risk management and security strategy to clients like Deutsche Bank, UniCredit, Allianz and similar high profile companies. In 2015I started noticing a spike cyber insurance purchasing by enterprises and anticipated the need by SMB’s which do not have the financial resources to deal with cyber threats. Due to the spike in cyber attacks in recent years with victims like Sony and Target, an increasing number of insurers stated offering cyber insurance policies for both enterprises SMB’s (Small-medium Businesses).
I gained a lot of experience and knowledge and decided to translate that into technology for cyber insurance underwriting and to build a tool that will enable customers to select a policy that fits their business' cyber risk.
I was always eager to be a part of the innovation eco-system. Insurance for me is especially interesting since my father and brother work in the field, so I founded CyberWrite to solve some of the existing gaps in the market.
[G] Where was the turning point for this market?
[N] I think that the Target breach in 2013 was a turning point for the cyber insurance industry. The hack to Sony and the nearly devastating result motivated the market to demand more coverage and the insurance companies to offer cyber insurance policies with better coverage, and related services such as PR, Incident response, credit monitoring and disaster recovery teams to join the eco-system as well.
[G] What’s the challenge insurance companies are facing which you are solving?
[N] To underwrite an enterprise client that is looking for a $50mm to $500mm coverage, the underwriter needs to send a team to audit and to evaluate the client. It is expensive to send a team to a client’s site, but that expense is worthwhile because of the high premium that reaches hundreds of thousands of USD. On the other hand, SMB policy premium will be anywhere from $100 to $50,000, and it doesn’t make economic sense for the insurance company to send a team of cyber experts since it would kill the profitability of the whole product. There was a need for a scalable platform to serve the SMBs.
The platform can do two things. The first is to profile and provide underwriting recommendations based on a specific client based on data and limited breach historical data. The second is to enable an agent to sell a cyber policy. The agent can provide his customer with an "easy to read" report that estimates monetary damage in case of an attack or a breach. The overall goal is to enable small and medium businesses to purchase the right coverage for them. Without such tool, the insurance company does not feel comfortable providing the policy and the agent lacks the means to service the customer.
This type of insurance product wasn’t common 2-3 years ago. Today, there are new products. Insurers are making a great effort to offer new exciting products to customers to win this great opportunity. Cyberwrite is here to provide technologies to enable them to gain this market.
[G] Tell me a little bit about the leadership of CyberWrite?
[N] Besides me, the company is led by Mr. Rami Parient who brings extensive knowledge and experience as a P&C chief actuary and Chief Risk Officer with over 20 years of experience in the market. We are a great match as I bring cyber risk management experience and Rami brings decades of experience in the insurance industry. Our combined knowledge and expertise are fundamental to the success of the company because CyberWrite delivers a platform that collects relevant data in real time and translates it from cyber data to insurance coverage score dedicated to the policy of our customers. We are proud to have a team of amazing engineers in Israel and Europe, and we have an active advisory board including insurance and cyber security executives from Silicon Valley and Israel.
[G] What is your advantage and uniqueness?
[N] Our platform collects the much-needed data on the fly, analyzes it using machine-learning techniques, and provides a benchmark of the insured to over 50,000 other similar companies and a financial impact assessment in several minutes. One of our unique characteristics is that our platform conducts risk profiling and scoring for each coverage of the insurance policy! Not one score. Both insurers and broker love our concept and product for our scoring capabilities.
Also, we offer a dedicated, tailored algorithm to each insurance company implemented into our system. We developed a unique methodology and workshop to assess a cyber insurance policy of a company, and then we develop the analytics needed to adapt our system to that specific policy. No two insurance companies will get the same report.
Eventually, our capability to provide analytics in minutes enables insurers to sell more while keeping the risk under control.
“If you have customer data, or your business depends on internet services, you should consider buying cyber insurance.”
[G] What do you think about Cyence acquisition by Guidewire for $300mm after just two years of activity in the cyber insurance market?
[N] It is a validation for us that the market needs cyber technologies. It is a great motivator for us because we recognize the acquisition as a very positive signal of the need for the technology that we provide.
[G] How complicated is your product to use?
[N] Using the platform is straightforward and the best part is -- you do not need to be a cyber expert to use it. The insurance agent enters the company’s name, website, and a couple of other inputs and within several minutes, the platform presents the report.
Our report has three parts. The first section of the report displays the insurer’s policy coverages, and it breaks them down to the coverage level, and a calculated cyber risk score. We add a graph to visualize the comparison between the customer and the average. It is easy to identify for which coverage the customer is riskier than the market and vice-versa.
The second section provides a more detailed risk domains analysis. For example, social exposure and security patching or regulatory risks level. In essence, our product is a benchmark platform. The third section is financial impact estimator. In this section, the agent can help the customer to digest the risk report and apply the coverage that she is looking for based on her business goals. Furthermore, the agent can present market insights and recommend coverage to meet the customer’s business risk and objectives.
All of the data we collect is public data. We do not have access to internal networks. However, because of the nature of security level in SMB’s which lacks the budget to implement an effective cybersecurity defense, this data is sufficient for us to assume the risk levels of the reviewed customers.
[G] Who is your target audience? Who is going to use CyberWrite?
[N] It varies. Our potential clients are with carriers, MGA’s, agents and even re-insurance companies.
[G] Can you talk about your current customers?
[N] We made a soft launch two months ago (December 2017), and we are working with several large carriers. We founded the company in January 2017 and are very satisfied to see this adoption of our solutions
[G] How businesses purchase cyber insurance?
[N] There are different types of Cyber insurance customers. The enterprises would use one channel which the SMB’s would probably use another. The small business owners usually approach an insurance agent who sold them their business owner insurance for example. The problem is knowledge and data. Most agents want to provide excellent service to their clients but don’t know cyber risk and cybersecurity. We recognized this issue and made sure that our report is readable and understandable by everyone, agent and customer alike. Both can use the report as a base for discussion. As I mentioned earlier, our technological advantage is that we can “translate” cyber data into insurance coverages and map it to a policy.
[G] What does it mean?
[N] We developed algorithms that analyze which cyber data impacts which coverages and in what way based on machine learning and actuarial science. We collect cyber data and translate it into insurance policy meaningful insights that the agent, their customers, and the underwriters can use. It is a capability that currently doesn’t exist in the market. It is important to understand however that we benchmark the risk. We don’t know who will get breached; no one can provide that.
[G] There is very little information or historical actuarial tables for cyber insurance. What type of other cyber insurance products did the insurance companies use?
[N] So far, the focus in the Insurtech innovation was on large companies. Several firms provide a cyber score report such as Security Scorecard, BitSight, and Guidewire. These firms generate a very detailed report on a large company with detailed cyber data. We created something agile, on-demand which does not require you to be an expert to use. We did this based on interviews with potential clients and mapping their needs.
Regarding the historical data, the more we collect data, the more we can bridge this gap.
[G] At what stage, do you think, a business should buy cyber insurance?
[N] I believe that every business that stores his customers’ data, or any company that relies on the internet to sell or makes transactions, needs to hedge the risk and buy a cyber risk coverage. Even a coffee shop that has a website needs one. It can be for coverage of $100,000 that will cost them $500 a year and if it is a chain of coffee shops that need coverage of $3mm what will cost about $3,000 a year. The bottom line is that every company that has customer data and do business on the internet should buy cyber insurance.
It is the only solution that would pay back damages – your anti-virus and firewall are important, but will not pay you back in case of a breach.
[G] National Institute of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC) released guidelines and tools Cybersecurity Assessment Tool (CAT) do companies use them?
[N] Enterprise most certainly do, and they use compliance and consulting services from big4 and other consulting companies to implement such frameworks into their operations. For small businesses, well… if they use anti-virus and a firewall and have a backup that’s great. But nothing near the NIST framework to the best of my knowledge. They can use the guidelines in the limitations of their budget and actual needs.
[G] What do you think about the risks that mobile devices and IoT introduce?
[N] Mobile is not a new issue. There are many cybersecurity solutions available to deal with mobile related threats for about ten years now. Companies such as Good and other Mobile Device Management (MDM) and Mobile Application Management (MAM) tools cover most of the risks and enable, for example, BYOD programs for enterprises. I rarely see this with SMB’s.
IoT is a different story. It is still an iceberg. I don’t think that we know the depth of the risk that the “IoT” is going to present. Think about a smart house that contains a smart refrigerator, a smart A/C, and a smart dog.
Our dependency as humans on these devices increases year by year. The ability of attackers, whether those who want to gain economic value or state-sponsored attackers with a goal is to cause harm to another country, to use IoT as an attack vector, increases with direct correlation to our dependency. There is still many places for improvement regarding standards business owners should be concerned about how this might impact their businesses.
I assume we will see in the next couple of years additional security solutions to deal with IoT and Personal Cyber Insurance policies to cover the risk to the household and smart-home.
[G] Thank you very much for your time, Nir.
[N] Thank you.