Cyber Risk – The Landscape
Cyber risk and the feeling of cyber vulnerability is definitely in the air. Whether Equifax, Uber or the NHS, from incumbents to high-growth companies, no one seems to be immune to the cybercrime pandemic.
While over 143 million consumers saw sensitive personal information exposed through Equifax, Uber had to acknowledge the hack of around 600,000 drivers and 57 million users around the world and recover the data by settling a ransom, and the NHS attack was coined “the biggest ransomware offensive in history” as it infected more than 300,000 computers globally.
Cyber threats can come in many forms.
Newer forms of threats may consist of a network of hackers launching massive attacks on internet businesses or could take the simple form of fake news. Both hold the potential to either shut down services to millions of users or wreak havoc in volatile and unstable markets. An example of the latter type of hack is when anonymous chatbots are used to push endorsements through social media accounts, to create damage to specific brands or individuals. Interesting, eh? This example demonstrates the more detrimental side of Artificial Intelligence (AI).
In 2017, a fabricated news story was released targeting the co-creator of cryptocurrency, Ethereum—Vitalik Buterin. The news stated that Buterin had been killed in a car crash. This false story resulted in 20% of Ethereum’s $4 billion market value to disappear overnight. Buterin eventually posted a picture of himself to stop the rumors and reduce the impact of the news on Ethereum’s market valuation, but it wasn’t a small ordeal.
So why is the market for cybersecurity growing so quickly?
According to PwC, in 2015, the insurance industry’s global cyber risk exposure was in the region of $150 billion, while the estimate of the annual losses from cyberattacks were $400 billion. This puts the scale of the potential losses from cyberattacks on par with natural catastrophes, though cyber incidents are much more frequent.
As a result of high profile attacks, the market for cyber insurance has quickly begun to grow. Top executives of large companies rightly realize that hackers pose a serious concern to business, and many investors are looking at the cybersecurity market very closely.
The size of the cybersecurity market was USD $135 billion in 2017, and global spending on cybersecurity products and services is expected to exceed $1 trillion cumulatively from 2017 to 2021. Additionally, PwC estimates companies will be paying $7.5 billion for cyber insurance in 2020, up from $2.75 billion in 2015, and Gartner predicts it will reach $96 billion in 2018.
And this is where cybersecurity solutions come to the fore.
Chances are, everyone has heard about Guidewire’s well-publicized acquisition of Cyence for $275 million.
Why Cyence? Well, the company has developed one of the first economic cyber risk modelling platforms quantifying cyber risk in financial probabilistic terms. By combining data science and machine learning to the modelling needs of various departments within insurance companies, Cyence helps transform struggling actuarial approaches into digitally-aligned ones. Cyence will also augment Guidewire’s breadth of current offerings to its customers, particularly because core system implementation can no longer take years to deliver results.
BitSight Tech, that raised $90 million, gathers large volumes of data to deliver security insight from hundreds of internationally-located sensors. It classifies data into several risk categories, including botnets, spam, and malware, and then maps them to an organization’s known networks. Its algorithms analyze data sets for severity, frequency, duration, and confidence to create an overall rating for a company’s security health.
RedSeal, that raised $75 million, developed a cybersecurity analytics platform to help companies manage and prevent network breaches. It analyzes the network footprint of a business, and then creates analytical models to monitor the performance of the network, providing a digital resilience score that enables users to benchmark and set targets for network security, and suggests corrective actions for those at-risk assets that are identified.
While many of the solutions out there focus on data breaches, newer platforms look at the range of security breaches from newer means of communications, such as sensors.
The problem with sensors is Internet of Things (IoT) devices are not always designed with security in mind and often have little way of being patched when problems are detected. As we increasingly utilize the internet to connect to devices, this increases the risk for breaches, which is definitely a conclusion that came out of CES 2018.
You may have heard about the cyberattack on Dyn Inc. in 2016, an internet server farm located in the US and acquired by Oracle for $600 million. The attack was the work of a multi-national hacker group in which Mirai malware was used to turn networked devices into remotely controlled “bots” to create a botnet assault. Millions of internet-linked devices, such as printers, IP cameras, etc., operated in unison to disrupt the internet service of volumes of users. The attack was not limited to the US and included overseas traffic and also affected well-known brands, such as Twitter, Spotify, Netflix, and PayPal.
It is not hard to imagine a large-scale attack on a cloud service, causing billions in losses.
Insurers’ cybersecurity struggle
Insurers are still struggling to grasp the nature of cyber risk and understand how to structure their policies in ways that won’t leave them vulnerable to catastrophic losses. Executives are also wondering what level of risks they are comfortable absorbing. While the modern cyber threat is complex and rapidly evolving, as new cyber threats come to market, we do see this market expanding.
PwC posed the question in a report: “Insurers are relying on tight policy terms and conditions and conservative pricing strategies to limit their cyber risk exposures. But how sustainable is this approach as clients come to question the value of their policies and market bodies begin to express concerns about the level and concentration of cyber risk exposures?”
Insurers’ challenge—one that they’ve experienced since the 1990s—is trying to quantify cyber risk because they have very little experience with cyber risk. “It took 15 years to build the data sets that underlie the complex and detailed natural catastrophe models insurers rely on today”, says Tom Harvey, a product manager at Risk Management Solutions, which develops catastrophic risk models for insurers. While things are moving “a lot quicker” for cyber, he says, the data that companies collect is still quite inconsistent. That makes it difficult to aggregate information and study industry trends.
The insurance market, Lloyd’s of London, recently analyzed a hypothetical scenario in which a blackout in the North-eastern U.S. leaves 93 million people without power. It concluded that an event like that could cost insurers anywhere between $21 billion and $71 billion, illustrating how challenging it is to pinpoint the cost of such risks.
Today’s insurers are working to understand the economic scope of these devastating cyberattacks. Some large scale insurers, including AIG, Chubb, Hiscox and XL Catlin, have offered cyber policies for many years, and we estimate hundreds of companies sell a form of such products now—many of which are focused on data breaches.
James Tuplin, Head of Cyber & TMT, International at XL Catlin says:
“Cyber risk is an evolving area and one for which there is not yet masses of historical claims data. This means that as underwriters we need to be smart in our thinking and our use of modelling, data and analytics to get a handle on the potential exposures and to tailor coverage.
“Data science and modelling tools, for example the Guidewire Cyence Risk Analytics solution, can give organizations and their insurers an evaluation of their risks based on technical and behavioral data. These evaluations can then be used to create new insights into those risks using machine-learning techniques.
“This helps the organization to better understand its own risks, and helps insurers to underwrite and price those risks. This also helps insurers with their own risk management and helps us to understand potential losses and create new solutions and mitigation tools.”
Increased investment interest in cybersecurity
There are a number of sectors that could arguably become almost irrelevant to global economic conditions, and cybersecurity is one. Investment in cybersecurity startups broke records in 2017, totaling $7.63 billion across 550 deals—of which, 10 deals were mega-rounds of over $100 million.
Investors and large enterprises see cyber as an investment opportunity, as more investors are flocking to cybersecurity. 2017 saw investors show a growing interest in startups in growth stage rounds.
Which brings us to…
Our top InsurTech cybersecurity startups:
During our sourcing process, we met some amazing startups that we estimate to make up a third of the total cyber InsurTech market. We estimate there to be 50 interesting cybersecurity startups relevant for the insurance sector, and we will publish a follow-up article mentioning those top startups.
Small and medium sized businesses
Zeguro, which provides automated and tailored cyber risk mitigation and insurance services to small and medium sized businesses, has already finalized a global collaboration with our program partner Allianz and has amazing plans to transform the fate of small businesses around the globe through better risk insights and claim servicing. I cannot wait to see what they have in store. Sidd, who has an extensive background in cybersecurity explains in this short video why he decided to focus on the insurance market.
SecureHome is a smart home network system dedicated to preventing cybersecurity risks which combines enterprise grade intrusion detection system, behavior analytics, and machine learning. The idea came following a digital home intrusion where the intruders were directly interacting with young people. SecureHome’s customers get peace of mind that all their devices are not behaving in a way that invades their privacy, causes financial damage, or impacts their safety.
Corporate Cyber Threat Detection
Yaxa delivers threat protection by building behavioral models by learning the user’s own access patterns continuously, and, comparing the ongoing user sessions in real-time with the continuously updated models in order to detect deviations utilizing a dynamic behavioral fingerprinting process. It extracts, analyses, and builds behavioral profiles from live data packets and captures identity information with minimal IT intervention.