It’s that time of the year when the information security professionals of the world descend upon San Francisco for the annual RSA conference. Unfortunately, it’s also the time of the year when the cyber insurance industry can become something of a punching bag for some.
At RSA, hundreds of cyber security companies will be vying for billions of dollars of new cyber security business from thousands of information security professionals who come to San Francisco to understand the latest trends, cutting edge thinking and forward-looking innovations in cyber at sales booths, at presentations and at cocktail receptions. The competition for mindshare is intense, meaning increasingly if you aren’t offering a single malt your security cocktail reception simply won’t make the cut.
The tagline for the conference is “where the world talks security” and one of the topics that is increasingly talked about is cyber insurance. Unfortunately, all too often the dialogue from security professionals about cyber insurance isn’t at the cutting edge of where cyber risk management is going but includes outdated tropes about the cyber insurance industry.
Here are three statements that attendees of this year’s RSA conference may have heard:
- Underwriters: Insurers don’t know what they are doing when they are underwriting cyber insurance policies
- Claims: Cyber insurance policies don’t pay out on claims anyway, so they are a waste of time
- Insurance spend: Cyber insurance is a marginal purchase and enterprises are better off spending more money on cyber security
Unfortunately, such statements are at best outdated and at worst simply misleading.
1. Underwriters: Cyber insurers have been providing policies at scale for almost two decades, far longer than almost all attending security firms at RSA have been in existence. Not only has the industry sustained year-over-year topline growth of between 25-50% per annum, but underwriters have also been successfully and profitably making risk decisions on policies with loss ratios that have hovered around 30-40%. That’s not to say that the industry doesn’t have a long way to go in terms of improving pricing models and underwriting tools but the performance of the industry to date has been of underwriters, on the whole, making the right risk decisions at the right price.
2. Claims: If you look at the biggest cyber events of the previous 5 years, enterprises have received payouts that are regularly in the double and triple digit million dollars from cyber insurance policies (not to mention the support enterprises get from their insurers and the partners of their insurers in the event of a claim). All too often, the issue isn’t that enterprises aren’t receiving payouts on their cyber insurance policies, the issue is that enterprises aren’t purchasing enough coverage to meet the high cost of a cyber-attack. Information security professionals counter by pointing to high profile cases of insurers not paying out after a cyber event but the important point to note is usually these examples are from companies that did not purchase a robust standalone cyber insurance policy and instead sought to make claims on other policies, such as a property policy, which simply was not designed to respond to a cyber event. The insurance industry has a long way to go in terms of clarifying and communicating what is covered by different policies, which is why having a knowledgeable broker who specializes in cyber insurance policies is so critical, but the standalone affirmative cyber insurance market is working and paying claims as expected.
3. Insurance spend: In a matter of years the cyber insurance market has exploded from having ~50 providers of cyber insurance to ~200 and in the years to come its hard to imagine any 21st Century P&C insurer not participating in a risk that has become the number one item on insurance buyers’ minds, according to Allianz. There is now over $5B in standalone cyber insurance premium, and at current course and speed within 3-5 years, cyber insurance will be a larger spend item than any vertical within cyber security, including endpoint protection. Not only does this become an important spend item for enterprises, if over a century of history has taught us something about insurance, but it is also that when they enter a market they fundamentally change risk management. One only needs to look at automotive, building standards, electric appliance standards, and workers compensation to see the impact of the insurance industry when it becomes a risk management tool.
In fairness, the dialogue at RSA and within the information security community has moved on substantially. Many security professionals have moved from seeing cyber insurance as an oddity to a purchase to be considered, to a must-have item demanded by stakeholders, including the Board of Directors. The most forward-looking individuals and institutions are increasingly seeing cyber insurance as part of a risk management discussion that views cyber risk in holistic terms according to what risk should be accepted, avoided, mitigated or transferred through insurance. Although some outdated misconceptions pervade, increasingly when the “world talks security”, the world talks about risk transfer and mitigation in the same conversation.
Forward-looking cyber security professionals would be best to understand how cyber insurance is reshaping cyber risk management before sharing their views of insurers over that single malt.