Cyber insurance is quickly becoming a must-have amid cybercrime, ransomware, and daily threats. The problem is that wading through insurers is a bit daunting. With that in mind, I went shopping.
For large enterprises, cyber policies are increasing the cost of doing business. Large firms such as Equifax, Marriott, and SolarWinds all had coverage to cushion the hit from high-profile data breaches. Smaller enterprises may not have the coverage.
I have a few working theories about the cyber insurance market.
- This year — 2021 — will be the year that cyber insurance evolves significantly. It’s possible that cyber insurance will be required for businesses much like home and auto.
- The market is dominated by massive insurers targeting large enterprises, but there will be segments of the marketing targeting mid-sized and smaller businesses.
- Cyber insurance could be part of a cloud services stack. For instance, Google Cloud’s partnership with Munich Re and Allianz is a start, but cyber insurance could be resold by cloud providers, web hosting, and other parts of the business technology stack.
- While cyber insurance may become part of a tech bundle or at least easier to acquire, there will be multiple players gunning for policies in a fragmented market. Reportlinker projects that cyber insurance will be a $70.6 billion global market in 2030, up $5.6 billion in 2019.
In any case, cyber insurance scouting needs to commence for businesses. According to the National Association of Insurance Commissioners (NAIC), the top 20 cyber insurance providers accounted for 92% of the market in the US.
Features risk mitigation tools
According to NAIC, AXA is the cyber insurance market share leader based on standalone policies. AXA’s cyber insurance covers North America and writes policies for data breach response and crisis management, privacy and security liability, business interruption, data recovery, cyber extortion and ransomware, and PCI among others.
AXA also provides risk mitigation resources via partners and an online service called CyberRiskConnect. Here’s a sample policy.
Three flavors of cyber insurance
AIG’s cyber insurance can be standalone or added to an existing policy as an endorsement. AIG also offers three cyber insurance products.
- CyberEdge, which covers the financial costs due to a breach as well as first-party costs.
- CyberEdge Plus to cover physical world losses caused by a cyber event including business interruption and property damages.
- CyberEdge PC, which can be added to traditional property and casualty policies.
AIG also offers threat scoring and analytics as well as tools to prevent attacks. AIG has a network of vendors to restore and recover, too.
Next-gen cyber insurance provider
Cowbell Cyber aims to automate data collection with its cloud platform, provide observability and monitoring, and then combine it with risk scoring, actuarial science, and underwriting. The company recently raised $20 million in venture funding.
The company’s portfolio includes cybersecurity awareness training, continuous risk assessment, and pre- and post-breach risk improvement services. Cowbell Cyber also has a free risk assessment service called Cowbell Factors, which adds a freemium element to selling cyber policies.
AI and data science can simplify cyber insurance
Corvus has a host of business insurance products but has a bevy of first-party cyber insurance offerings for business interruption, system failure, cyber extortion and ransomware, and breach response and remediation to name a few.
The company, which recently raised $100 million in venture funding, uses a broker-focused approach to use AI to analyze data to predict and prevent loss. The data Corvus brings together helps policyholders, underwriters, brokers, and reinsurers address market requirements. Phil Edmundson, CEO of Corvus, said that artificial intelligence and data science can simplify the cyber insurance workflow. “If you try to read a cyber policy even knowledgeable people would find it challenging,” he said.
Options for SMBs too
Travelers takes a broader approach to cyber insurance, with plans designed to mitigate risks for companies of all sizes. The insurer has cyber insurance plans for technology companies, public entities, and SMBs.
The company bundles pre- and post-breach services provided by Symantec and a hub to evaluate risks.
Travelers policies fall into these categories:
- CyberRisk, a broad policy for companies of all sizes that can be standalone or part of another liability policy.
- CyberRisk Tech for Technology Companies, designed for tech firms.
- CyberRisk for Public Entities, a policy aimed at municipalities, counties, utilities, and transit authorities.
- CyberFirst Essentials, a policy for small businesses that can be standalone or part of a broader business owner policy.
Big in cyber insurance
Compared to the big insurers, Beazley isn’t a household name, but NAIC rates the firm No. 4 with 11.2% market share just behind Travelers.
Beazley’s headliner is Beazley Breach Response, which is a customized policy based on a company’s situation. Beazley claims to be the “world’s best designed cyber insurance solution.” Beazley also covers breach response services for up to five million people.
For companies in specific industries, Beazley looks like an option. Beazley counts healthcare, higher education, hospitality, financial services, and retail as target industries.
Targeting the mid-market companies
While the big-name insurers are going after the large enterprises, midmarket companies may gravitate toward a specialist. Midmarket companies often have their own tech providers since they are often ignored by large enterprise vendors.
Cyber insurance companies may also shortchange the midmarket. Resilience offers cyber insurance with a few interesting perks. First, it combines insurance and expertise like the large players. And, second, Resilience includes a program where customers can earn credit to put toward security services and products.
Specializes in small businesses
Hiscox specializes in cyber insurance for small businesses. The firm is also spending heavily on marketing but is worth a look. The company offers a training academy to shore up small business defenses, or what it calls the “human firewall.”
According to Hiscox, its cyber insurance covers lost business revenue and data recovery costs, money lost to phishing, defense against fines and privacy lawsuits, and breach response. The Hiscox policies also include digital media upgrades. It doesn’t cover criminal action, fund transfer, infrastructure interruption, and prior acts of knowledge.
More notable providers
There is a bevy of other providers — and many insurers offer cyber insurance as part of a broader package of business offerings. Among those that looked interesting:
- Berkshire Hathaway Group’s Three small business insurance portfolio
- Liberty Mutual