Fixing the broken Cyber Insurance market

It’s hard to align insurance with positive change

In theory insurance can act as a driver of change and in many markets achieves that goal. For example, most people have internalised that better locks and doors reduce the cost of insurance and even if it’s not a huge driver of purchase decisions is just enough to nudge behaviour in the right direction. 

However, in other more complex and fast changing areas, from climate related risks to cyber security and even healthcare, these relationships are much harder to quantify and would take far longer than a 1 year policy to bear out the cost of investment. The result of which is that at the moment insurance has little effect on driving effective risk mitigation in these areas. That’s sub-optimal for the client, the insurer and society.

This difficulty in quantification is because most insurance is priced on previous losses. For example, the number of car accidents or house fires is pretty consistent each year so it’s relatively easy to build a model of likelihood of accidents from the car type, miles driven, etc.

In contrast, other risks like cyber security change substantially, even by the week. This means that we simply don’t have enough data to build a model on past events. For example, in 2021 one of the major security software providers which was used in organisations as serious as the Pentagon was found to be hacked; that’s a whole new scenario. Moreover there are many complex combinations of holes that together might allow attackers access but in isolation may be ok. Compounding this, service providers such as the incident response teams and lawyers have relished in the confusion and charged exorbitant amounts for their services, often over £1000 an hour, which further compounds the cost of events.

Traditional insurance analysis methods make quantifying risk in fast changing domains hard, often simply defaulting to asking the company very high level questions (sometimes even on paper!), with typical questions like “how many data records do you have”, “how large is your organisation” and “which industry are you in”. This simply doesn’t provide an accurate or up-to-date picture of the risk profile of a business within the wider environment. 

There are more advanced analysis tools available, e.g. in cyber security Security Scorecard or BlackKite, and in climate risks many advanced modelling tools, but most insurers are traditionalists and prefer to lead on the experience of the previous year, rather than the analysis from a tool. More importantly even if one insurer is willing to build a new approach they must work with others to re-insure so any benefit is averaged out.

A quick look at how extreme these losses have become in cyber security

The collective costs of cybercrime are hard to fathom: By 2025, cybercrime is expected to be wiping off an estimated $10.5 trillion per year - roughly half the GDP of the USA, the world’s largest economy. Meanwhile, the average cost of a data breach currently stands at $4.35m

For many mid-sized companies, a threat of that scale can be existential. But larger scale companies are by no means sheltered from systemic cybersecurity risks; consider the recent breaches occurring at organisations like the Pentagon, NHS and nuclear research facilities. No matter the budget or size of the team, attacks are unavoidable, and despite the best efforts of companies, IT systems seem inherently vulnerable and impossible to fully secure. 

At any rate, even optimising the code and patching any vulnerabilities in legacy systems does not solve the problem, given that 95% of all breaches are the result of human error, often identity theft or phishing.  

While risk is inherent within an organisation, it is often reduced and managed through insurance. Unfortunately many insurers have made significant losses on cyber insurance in the past few years. Whereas a typical loss ratio (the percentage of premiums paid out) is around 40%, in cyber it has regularly been more than 100%. This has led to insurance firms backing out of the market, either covering very little (low limits), charging 4x the price of last year, or withdrawing cover completely. This has led to many firms being underinsured or not insured at all, opening them up to catastrophe.

With insurance stepping back we need an approach that actively invests in mitigating risk

The solution needs a long term approach where funds can be used to mitigate risk, and one that is able to take its own view on assessing risk whilst being back-stopped by some sort of catastrophe insurance that doesn’t need to engage in the day to day claims. 

This is where Captives, Mutuals or self-insurance come in. It is common practice amongst very large companies to essentially put the premiums aside (technically into a subsidiary company), drawing on some of it as it grows, to drive down the risk. It’s barely heard of in any mid-sized company (hundreds of millions of revenue) and never in smaller companies (10s of millions of revenue). 

The reason that they are only used only by very large companies is that they are complicated and expensive to set up, especially where it’s difficult to quantify the risk, this locks out the majority of the market. This doesn’t need to be the case, the mechanisms behind this are simple and can even be used for something as low-cost as bike insurance (as are doing). 

If we can make this as simple as taking out insurance in other areas, this captive or mutual structure enables alignment between the client and the provider more broadly. Rather than having to rely on outdated analysis methods, a company or even individual could instead truly understand the potential sources of risk and critically re-investing some of the premium to solve those issues, driving down that risk.

What is particularly exciting is that this creates a mechanism to line up insurers and clients in many other complex areas that are traditionally misaligned at a far more effective level than surface level efforts such as Prudential’s Vitality (discounts on shoes if you walk more). Imagine if we could truly quantify the complexity of healthcare, cyber and climate risks and effectively take proactive action to nudge them towards a much lower risk profile. We are already well on the way to setting this up in the cyber security domain and can see routes forward in climate risks. 
If this is an area of interest to you, please either reach out to Mark Hammond, David Channing or apply here.