As the number of breaches resulting in multimillion dollar losses grows, the need for cyberinsurance is making itself evident – but many traditional insurers are still hesitant to enter the space. What does the future hold for this increasingly important market?
Earlier this year, Berkshire Hathaway CEO Warren Buffett commented:
“This is uncharted territory and it’s going to get worse, not better […] Frankly, I don’t think we or anybody else really knows what they’re doing when writing cyber. It’s just really, really early in the game. We don’t know what the interpretation of the policies will be. We don’t know the degree to which they’ll be correlated.”
He’s not the only one to express concerns. Travelers also commented on the lack of solid data available to insurance companies, saying: “there’s a lot about it we don’t know […] we will continue to be cautious in the way we approach it”.
“The more you talk to specialists the more you come to the conclusion that it’s more likely that it’s probably not insurable,” said the CEO of Swiss Re. “So far I haven’t heard of any solution, without government support, that’s convincing in my mind.”
“This is uncharted territory and it’s going to get worse, not better […] Frankly, I don’t think we or anybody else really knows what they’re doing when writing cyber.”
– Warren Buffett, CEO, Berkshire Hathaway
We recently discussed the “promising but problematic” cyberinsurance market, and the challenges traditional insurance firms are facing in the space. Some are becoming more confident in moving into this area, some relying on partnerships with security ratings firms (such as SecurityScorecard and Bitsight Technologies) to mitigate the problem of insufficient data.
But while many of them still remain cautious, a number of startups are slowly but surely appearing which are prepared to take on the task:
Coalition, which claims to be “the first technology-enabled cyber insurance solution”, raised $10 million in Series A funding early this year. Backed by Swiss Re Corporate Solutions and Argo Group, it provides companies with up to $10M of cyber and technology insurance coverage in all 50 states and the District of Columbia, and has been offering insurance and cybersecurity to SMBs since November 2017. According to San Francisco Business Times, it has more than 1,000 customers, and wrote over $1 million in insurance premiums during its first three months.
At-Bay, founded in 2016 and backed by Munich Re Group’s Hartford Steam Boiler, “provides cyber insurance for the digital age that empowers you to embrace technology fearlessly”. It emerged from stealth in 2017 with a $6 million seed funding round led by Lightspeed Venture Partners, and in May 2018 announced the completion of a $13 million Series A round. Like Coalition, it writes up to a $10 million aggregate limit.
Founded in 2017, Paladin Cyber says: “We make cyber protection easy, obtainable and affordable for small businesses. Simply put, we stop business from being hacked and keep them financially secure if they are.” As well as providing security tools and training, it offers up to $1 million in cyber liability coverage. This March, the company raised $4 million in seed funding from Lightbank and additional undisclosed investors.
In addition to cyberinsurance-specific startups, a number have sprung up which – like the ratings firms mentioned above – offer cyber risk analytics, modelling, and related services. A quick rundown on some of these players:
Founded in 2011, BitSight rates companies on their cybersecurity effectiveness, and says that it is both the first and most widely-used security ratings service. Total disclosed investment is at $91 million, with the most recent round (Series C, $40 million) having taken place in September 2016. In January, the company announced a record year in 2017 with over 90% worldwide sales growth and 75% customer growth.
Another security ratings service, SecurityScorecard claims to be “the most accurate rating of security risk for any organization worldwide”. The company, founded in 2013, has disclosed a total of $62.2 million in funding, with the most recent investment being $27.5 million in Series C, in October of last year.
Cyberwrite, a Gartner cool vendor for 2018 in the Insurance space, creates cyber risk profiles for SMBs to estimate the likelihood and impact of various types of cybersecurity incidents. Founded in 2016, it’s still in its early stages and so far has raised $1.6 million in seed funding.
Cyber resilience platform UpGuard (formerly known as ScriptRock) also offers security ratings, which they say “can even be used by corporate insurers in creating a cybersecurity insurance policy.” UpGuard has received $27 million in funding since being founded in 2012, with the most recent investment being $17 million Series B in 2016.
Prevalent Networks, founded in 2004, offers a third-party risk management and cyber threat intelligence platform. Its most recent disclosed investment came from a Series C round led by Insight Venture Partners in 2016 and raised $60 million, bringing total investment to $72 million.
Cyence, founded in 2014, brands itself as the “industry’s first economic cyber risk modeling platform quantifying cyber risk in probabilities and dollars”. After raising $40 million in a 2016 Series A round led by Dowling Capital Management, the company was snapped up by Guidewire Software in 2017 for approximately $275 million.
Backed by tech from cybersecurity company Symantec and investment from Trident Capital Ventures, CyberCube Analytics was established in 2015 and emerged from stealth in March this year. The company offers cyber risk analytics for insurance providers, and in May announced that Chubb had signed an agreement for the use of its analytics.
Founded late in 2016 and launched just a few months ago, Kovrr (formerly myDRO) uses AI tech to offer a “predictive cyber risk modeling platform empowering P&C insurers to manage the dynamic nature of cyber risk and to underwrite it efficiently”. The company already has offices in Tel Aviv and London, and recently showcased its solution at InsurTech event DIA Amsterdam. No funding has been disclosed.
Zeguro’s mission statement is “to simplify and streamline all tasks associated with managing cyber security and cyber insurance in a business”. Founded in 2016, the company completed a seed round in December 2017, but didn’t disclose the amount.
London-based ThreatInformer describes itself as having “a relentless focus on the cyber insurance industry”, and works to create client cyberinsurance profiles for brokers and underwriters. Founded in 2016, the company is a graduate of the Cyber London incubator, received $18,700 in accelerator funding, but has no other disclosed investment to date.
There are plenty more which offer similar services, and that’s without getting into security risk management and threat intelligence providers aimed at businesses rather than insurance companies. This selection demonstrates the success some of these have enjoyed so far – and the increasing number of startups which have been moving into this space over the past few years.
For many of these companies, SMBs (or insurance companies looking to provide them with cyber coverage) are a primary target, as they are considered the least able to recover from a breach.
At present, however, the majority do not have cyberinsurance – figures vary, but GlobalData’s UK Cyber Insurance 2017 report found that 13.7% of UK SMBs were covered. Though it doesn’t sound like an impressive number, that’s up from the company’s findings of 2% in 2014.
Allianz believes cyber insurance premiums will rise to $20 billion by 2025. At the beginning of 2018 they were at around $3 to 4 billion, so if Allianz is right that’s a big increase. But traditional insurance companies are beginning to offer coverage for cyber incidents, more and more startups are popping up, and adoption of cyberinsurance policies by businesses is likely to increase further as they become more readily available from big-name providers.
That’s particularly the case now that security has come under the spotlight – particularly with GDPR having come into effect, the cost of a breach is likely to increase yet again, with not just fines but also losses such as reputational damages likely to grow.
For businesses concerned about the potential impact of a cybersecurity incident, insurance may become an increasingly tempting prospect.