A look back at major happenings across the cyber insurance landscape in 2017 followed by a Q&A with Coalition CEO Joshua Motta.
While cyber direct premiums written hit just $1.34B in 2016, it’s estimated that cyber coverage could increase to between $7.5B and as much as $20B by 2020. The spike in potential growth has resulted both in insurers jockeying for position and in the formation of a host of new startups.
What insurers are saying about cyber insurance
How are insurers approaching the potential future growth of the market? One of the most notable announcements in 2017 was by AIG, the largest writer by direct premiums of standalone cyber insurance in 2016, which announced that it would add cyber coverage to its commercial casualty insurance in 2018. In other words, AIG would shift away from issuing policies that do not specify whether cyber losses are covered.
As AIG Global Head of Cyber Risk Insurance Tracie Grella said in October, “When you buy affirmative cyber coverage, you should be paying for it.”
This is a notable move that has others in the industry watching with interest.
Others are largely proceeding with caution when it comes to cyber. Here are some recent public comments from other chief executives on the potential growth area:
“Most of our – most of the in-force policies that we have are for small businesses, and I suspect that will continue in the near term. And I say that because I don’t think that cyber is adequately priced for larger risks. And I think that as we’ve seen a number of events happen over the course of the year, I think that the market will continue to get a bit more level set. We’re looking at both first party and third party coverage, and I think that we’ll continue evolving our product just as we do others over the course of the year. But it is one of many products that we offer. It is not the leading product that we’re focusing on at the moment. So I would say that’s probably a better discussion a year from now than right now.”
“There’s an increasing awareness and consciousness in the mind of the risk manager (of cyber risk) and whether that’s a job description for somebody in a big company or proprietor in a small business. I think there’s a greater sense of the need for the product and we think that’s a healthy thing and we think to a degree that we’ll be there to help solve that problem.
Having said that, we are extraordinarily mindful that it’s an emerging risk and there’s a lot about it we know and there’s a lot about it we don’t know and that gets factored into the way we think about the industries we want to write in, the individual risks we want to write, the lines we put out, the reinsurance programs that we have. And so we do think that it will continue to be a growing opportunity and we will continue to be cautious in the way we approach it.”
“The more you talk to specialists the more you come to the conclusion that it’s more likely that it’s probably not insurable. I think it’s clear the risk is accumulating. But the more intelligence we gather from the different countries, and the more places we go, the more clear it is that very significant damage can be created by some parties to other countries.
It is a big risk so insurance should play a role so in these situations the only solution I can imagine, is if the states knows that there’s this whole series of risks which ultimately reinsurance cannot carry – so far I haven’t heard of any solution, without government support, that’s convincing in my mind. We need to be aware of developments, but we remain underweight, that’s our goal.”
Where are startups focusing?
When it comes to where startups are playing in the growing cyber market, we continue to see growth in investment in startups providing security risk ratings for cyber insurance, including investment by insurers.
In 2017, Security Scorecard raised a $27.5M Series C round from investors including AXA Strategic Ventures. Insurance Australia Group previously invested in cybersecurity threat rating startup UpGuard. Meanwhile, cybersecurity rating startup BitSight partnered with AXIS Pro in October 2016 to provide certain AXIS policyholders with BitSight security ratings for no additional premium and the option to request trial access to BitSight’s platform.
In September 2017, third-party cyber risk management platform CyberGRX partnered with BitSight to embed BitSight ratings within the CyberGRX Exchange. Earlier, FICO acquired Quadmetrics in June 2016 to wade deeper into the online security market and offer enterprise security scores for organizations.
However, these startups aren’t exclusively cyber insurance-focused and also provide solutions for other industries including financial services and retail. A breakdown of the four by funding and investors is below:
Guidewire acquires Cyence
One of the biggest deals in 2017 that put a spotlight on cyber insurance from a startup perspective was Guidewire’s purchase of cyber risk modeling startup Cyence for $275M.
Cyence provides a data listening and risk analytics solution, which combines collection of external data with risk modeling tools to support actuarial, product management, underwriting, and enterprise risk functions. For Guidewire, one theme that stands out from the transaction is how Cyence differs in its approach to selling into insurers, from both a personnel and a budget standpoint. Today, Guidewire has over 300 P&C insurance customers, but bringing on new customers typically involves a lengthy sales cycle that draws in the entire organization, including IT support. Cyence CEO Arvind Parthasarathi said the primary sponsor within insurers for its solution is typically the chief risk or chief underwriting officer.
As Guidewire CEO Marcus Ryu said on an analyst call, “(In our diligence process, most Cyence customers) described it having very modest or no IT involvement involved in the selection and contracting process, but that the business case development followed a somewhat different channel than what has been Guidewire’s experience historically. We see that as an intriguing go-to-market motion that could complement our general need to build institutional consensus including IT before a company moves forward with us.”
In October, Guidewire paid somewhere between 25 and 30X Cyence’s forward-looking annual revenue for 2018, just over a year after Cyence launched out of stealth with $40M from NEA, IVP, and Dowling Capital Partners. Cyence had around 30 customers at the time of acquisition.
Tech startups look to underwrite cyber
Today, startups are continuing to crop up in cyber insurance with new technologies and value propositions. One of the newer venture-backed startups in cyber insurance is San Francisco-based Coalition, a managing general agent for Swiss Re and Argo Group. Coalition distributes its policies to small- and medium-sized businesses through an online portal for retail brokers. Founded by former co-founders or executives at Lookout and CloudFlare, Coalition also builds and provides free cybersecurity tools, including anti-ransomware software, to the businesses it works with. Coalition is licensed in all 50 states and D.C.
The opportunity to sell cyber insurance to small businesses is a big one, not only because small businesses wouldn’t be able to sustain the financial consequences of a cyber event, but also because of the increased attacks on small businesses over time. But it’s also clear that many small businesses are still not prioritizing the purchase of cyber insurance. A recent study by the Better Business Bureau estimates that 15% of small businesses have cyber insurance.
Earlier this month, we caught up with Coalition CEO Joshua Motta to discuss key factors in insuring SMBs from a cyber risk perspective, working with retail brokers, and the broader cyber insurance market.
A condensed version of the Q&A is below:
On creating flywheel effects between data and coverage
When you look at SMBs, there are five things that really hit them from a cyber risk perspective. It’s not nation-state hackers, it’s phishing, it’s denial-of-service attacks, it’s ransomware, it’s credential stuffing, and it’s using old software with known vulnerabilities in which a hacker targets them with an exploit.
There are a lot of hackers that target JPMorgan because they are JPMorgan. A hacker doesn’t typically target a particular SMB because of their business, they target them because they’re using a machine that has an exploit that they have…We look at the same things they are and are trying to determine the likelihood that someone is going to be hacked or not and, based on that, we establish price or determine whether we’ll provide coverage.
We tell this to the insured and we link the risk to the price. If you take actions to reduce your risk, we lower your price or give you better coverage. Take DDoS. We give away CloudFlare. If you turn on CloudFlare or a solution we’ve approved, we will lower the business interruption waiting period from 8 hours or 12 hours to 1 hour. We also factor that into our underwriting process. We can detect if you’re using an anti-DDoS solution. If you are, not only do we give you a better coverage, we may give you a better price. And that’s where we can create a flywheel to where the better your security, the lower your price.
We also create a flywheel in other parts of our business. We have a front row seat on what losses are happening because we pay them out. So we see which controls are working and which aren’t. We can use that data to feed it back in our underwriting process or build better security apps to help protect our clients.
On creating a relationship with brokers
The way this works today, the broker has to give their client an application form, they have to get the insured to fill this out, get it signed, scan it, and send it back to the broker. The broker then forwards it to different insurance underwriters and the underwriters have to open up this PDF scan, look at the data, and make a determination as to how they’re going to price it. A week later, they send back their quote. If the client wants to make a change, underwriters have to re-run the process and send another quote. It’s all friction.
We’ve taken a product that’s very complicated and distilled it. We will try and preconfigure the coverages that we think make sense but they have full control. They can be in their client’s office and do it.
On the risk management side, we are giving brokers data on their quote-to-bind ratio, average limits and how successful they are to help them understand what coverage to give. But let’s say there’s a Dyn outage again, we’ll also tell the broker which clients use Dyn and that they should probably reach out to them. If a client has a critical vulnerability that comes up, we’ll share that with the broker and the policyholder as well. We’re enlisting them (the brokers) as a risk management partner to us.
On getting past the lack of small businesses with cyber insurance today
The awareness is growing very quickly. Between the ransomware events and phishing, cyber risk is touching everyone. I think the real issue is there is an enormous portion of the market that is not served by brokers today. It’s unserved because brokers can’t make money. If you look at the market, most cyber policies start at $1M in coverage. When you factor in their commission, they can’t spend a ton of time on the risk or else they won’t make any money. As a result, there is a hesitancy to lower the limits. We allow brokers to do that by making it simple.
On the interplay between cybersecurity and insurance
We’re vendor agnostic. At the end of the day, all we care about are effective solutions that lower risk. Very rarely will you see us recommending one particular company. What we fundamentally care about is which ones work. Some of the apps we build are our own. Others don’t make sense, we’re not going to re-create CloudFlare. We want to have some apps we own and bring in some third-parties that can complement them. We want all these apps to be the flywheel of how you improve your security and tie that into an effective insurance program.
On cybersecurity companies offering threat protection warranties
One of the reasons cybersecurity is broken is because there is a fundamental misalignment of incentives. When you buy a technology vendor’s product, you are presumably buying it to prevent a bad thing happening to you. When said bad thing happens and you call up that vendor, you can guess the response you’re going to get, which is “oh that’s too bad, if only you had bought this other thing I sell.” In the best case, a vendor has weak incentives to help you and in the worst case, they are malaligned.
On market forces in the broader cyber insurance industry
On the regulatory front, I think there will be some tailwinds. Increasingly, the regulators of certain industries are imposing standards of care for cybersecurity including increasingly recommending or requiring insurance. I think that will continue to broaden and, as a result of the pressure on those industries, all of the companies in other industries that work with them will have the pressure to get cyber insurance policies.
One of the more underreported trends in cyber is how business models in cyber crime have evolved. The biggest evolution we’ve seen in the last 12 to 24 months is ransomware. That’s an entirely new business model that used existing risks and threats that we all knew existed, but for different purposes. It’s anyone’s guess what the next thing will be. As the market matures for cyber crime, the division of labor is growing and cyber criminals are becoming more organized. The fact that that is accelerating is enabling more criminal activity and driving down the cost of cyber crime. What that means for companies is that it’s going to get much worse before it gets better.
On working with Swiss Re
You wouldn’t have thought they would be our first choice after their CEO came out and questioned whether cyber is an insurable risk. But interestingly enough, I think that’s what made them a great partner because they’re skeptical. And they’re skeptical because they’re highly technical. They have a great deal of experience and a huge quantum of data in working through diverse risks all around the world. And I think this was one that was difficult for them to crack in which they were being very cautious. That made them a perfect match for us. Swiss Re doesn’t typically work with MGAs; we are the only cyber MGA that Swiss Re works with.