Wednesday, January 25

Risk mitigation for cyber insurance: Digital tools, twins and ecosystems | Insurance Blog


In our previous article, we explored some of the structural issues affecting the cyber insurance market today, including poor cyber hygiene, pooling risks and a scarcity of capital. Before cyber insurance can truly become a mainstay of the digital economy – as a widely available, widely affordable and stable product – these issues must be addressed. We have identified three main levers at the disposal of insurance companies:

  1. Mitigating individual risks by enhancing cybersecurity
  2. Right-sizing exposures, especially for cyber catastrophes
  3. Expanding access to capital for cyber underwriters

Pulling these levers will not unlock billions in cyber premiums overnight. However, it will create a functional cyber insurance market that can be scaled sustainably – without the extreme volatility the line is currently experiencing. We’ll look at each of these levers in our upcoming posts, starting with the first: how to mitigate risk by strengthening cybersecurity.

Insurers must stimulate a new baseline in mitigating cyber risks

It’s an insurance truism that bad risks attract higher premiums – and that’s one factor that makes cyber insurance unaffordable for many businesses, especially small and medium-sized businesses (SMBs). Mitigate the risks, however, and lower premiums will tend to follow. Fortunately, in the case of cyber, it is relatively easy to achieve a good-practice baseline for businesses.

Many cyber attackers use low-tech or non-technical methods – such as social engineering – to gain unauthorized access to buildings, data, and systems. Hence, well-communicated cybersecurity policies and employee education will take the easiest hacking opportunities off the table.

These “soft” mitigation measures have the disadvantage that their impact is difficult to measure and to reflect in policy prices. Regardless, it is almost certainly a net gain for insurers – or intermediaries – to make cybersecurity content and resources freely available to insureds through a web portal or similar.

Of course, hackers can move up through the gears and bring out high-tech tools for harder-to-crack targets. But even here, a little cyber defense can go a long way. A variety of cybersecurity software tools exist – from firewalls and antivirus packages to encryption tools and password managers – to enhance basic security, all of which are available on a mass-market basis.

In the case of “hard” mitigations like these, the impact on claims is more quantifiable. Packages are either active or inactive, and broadly mean the same thing from one application to another. So meaningful loss comparisons can be made between different groups of insureds, opening the door to more sophisticated pricing.

It is not surprising, then, to see the majority of players using risk screening tools (both first-party and cross-seller) to underwrite, giving themselves an accurate reading of the companies’ defenses:

Source: Electronic Insurance – Market View; PartnerRe and Advise, 2021

These types of diagnostic tools will help insurance companies identify and reward good practices, either in the form of premium discounts or rebates on security software purchases; meanwhile, bad risks can be screened out. All this incentivizes risk mitigation among insureds, which leads to better cyber hygiene, reduced losses and therefore lower premiums for the market as a whole – going some way towards solving the affordability issue in the line.

Towards real-time cyber risk engineering using digital twins

Instilling a new baseline of good cybersecurity is a clear net gain, but it’s not the end of the game – hackers still have more gears. Because they can tap into a global network of illicit expertise and often probe a company’s perimeter over a period of several months, static defenses, even ones that follow best practices, do not permanently reduce risk. A more active, real-time approach is required.

As seen in the graphic above, cyber risk screening is now well established. However, of those players who screen risk at the point of underwriting, only 37% do so during the subsequent policy life cycle. Frequent or continuous monitoring helps ensure that cyber defenses remain up to date and that new vulnerabilities are addressed as quickly as possible, so we expect this practice to gain wider acceptance in the coming years.

Ultimately, diagnostic scans will give way to predictive analytics that take advantage of digital twins.

Digital twinning is the creation of a replica of the network, which means that different “what if” scenarios can be tested while the real network remains untouched. This allows continuous stress testing, detecting potential weaknesses before they arise. By combining digital twins with self-learning AI, security teams can simulate the open-ended nature of a cyberattack, in which an intelligent program unleashes untold nasty surprises on the replica (but not real!) network.

Effectively, this is a way to stay ahead of hackers by becoming a hacker yourself: getting to know your weaknesses first and heading off any exploitation of them. In concrete terms, this kind of blank-slate scenario planning with digital twins results in a pool of risks that are scored by likelihood and business impact, enabling security teams to allocate resources efficiently and, in theory at least, insurers to price risk dynamically.

Source: Accenture Insurance Technology Vision 2021

So far, insurance companies have been slow to adopt digital twins, and are largely still in beta. However, cybersecurity is proving to be a major driver of digital twin adoption on a larger scale – so the cyber line may be a good place for insurance companies to build out their efforts. Either way, 68% of insurance executives expect to increase their organizations’ broad investment in digital twins over the next three years (Accenture Insurance Technology Vision 2021).

Combine cyber insurance and mitigation through ecosystem partnerships

Developing a superior pricing model for a specific piece of security software, and then offering that superior price within that program’s footprint, opens up previously priced-out demand and gives cyber insurers an immediate positional advantage in a broadly unaffordable market. The fastest way to build these pricing models is through customer scale and broad exposure to different types of security software. Ecosystems offer a promising way forward.

In recent years, we’ve seen cyber insurers team up with cyber technology companies to offer risk management and risk transfer as one package.

This bundling activity creates opportunities for other players in the distribution chain as well. Managing general agents and intermediaries, with their closeness to clients and their sector specialization, may be in a better position than carriers to take care of aspects of risk management, as well as any issues with sharing highly sensitive client data.

Coverage can still be rolled out to customers in the form of embedded insurance, with cyber technology companies selling white-label cover through their software suites. And with global spending on cybersecurity services as a whole dwarfing gross written premium (GWP) for cyber insurance, it may be more natural for buyers to get their coverage through cybersecurity providers than their cybersecurity through coverage providers.

The ultimate victors in this development may not be individual technology companies, but rather managed security service providers (MSSPs). MSSPs can be an effective way to package and distribute many confidential cyber services to SMBs.

Source: Evaluation Reports (June 2021)

Managed security has taken off because SMBs typically don’t have the resources for an internal cybersecurity function. Nor are they well served by separate relationships with many different technology vendors, brokers, and insurance companies. In comparison, a one-to-one relationship with an MSSP can bring an SMB the latest cybersecurity software along with risk-adjusted insurance rates in a contractually straightforward, low-friction manner.

By promoting mitigation, whether through actuarially based financial incentives or the distribution of security services, cyber insurers can reduce the potential for loss on individual accounts. This will help reduce the price of coverage and grow the cyber insurance market through wider uptake. And mitigation is just one lever to improve today’s model.

In our next article, we consider two additional levers that insurance companies can pull: right-sizing exposures and expanding access to underwriting capital. By working at multiple levels, we believe insurers can bring about a chain of positive change in the cyber market – for the benefit of the overall digital economy. To find out more in the meantime, download our full cyber insurance report. And if you would like to discuss any of the ideas in this series further, please contact us.


Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consulting with our professional advisors.

