Cyber-Insurance: Where do the opportunities lie?

Cyber Insurance is not a new phenomenon, it has been around for ten years. However, only recently have we seen a steady rise in the number of startups in the space. Despite this few/no significant exits have been seen and “steady” remains a key word underpinning growth. Below I explore the emerging opportunities across cyber-insurance.

Overall Trends

There are three notable trends within the industry:

1. Cyber coverage is increasing strongly — $20bn by 2020
2. Cyber risk remains undefined — “It’s more likely that it’s probably not insurable.” SwissRe
3. Insurers remain cautious to offer cyber insurance.

My View

• Cyber-insurance will take the “Vitality” insurance model i.e. incentivising preventative behaviour in an attempt to reduce risk.
• Funding will start flooding into cyber-insurance startups as the cyber-security market coalesces into a few, big players.
• Cyber-insurance coverage will remain narrow. This is because insurers do not know all their potential points of exposure due to limited data and history, off which to base their policies. Only time will help increase the breadth of coverage.

Overview of market opportunities

The cyber-insurance market has only a few players. This likely reflects the fact that insurers have long sales cycles, are hesitant to offer products where risk is not necessarily quantifiable and because the trend to purchase cyber insurance (particularly among SMEs) is rather new.

Startup examples:

• Security risk ratings: SecurityScorecard, UpGuard, BitSight, Prevalent Networks
• Risk modelling: Cyence, Kovrr, Zeguro, Threatinformer
• Standalone cyber-insurance: Coalition, At-Bay
• Personal: Surance

General Opportunities

• There still lacks a set of industry benchmarks for cyber risk standardisation. [Note, standardisation is subjective and only valuable when cases are compared against each other. Hence, onto my next point….]
• Huge growth opportunities exist for startups attempting to quantify the financial impact of cyber deficiencies. [At-Bay recently launched a product attempting to do just this.]
• The market is not ready for startups offering personal cyber insurance as a standalone product. However, in the long term this area does provide significant opportunity.

Now I shall assess the opportunities broken down into two categories; personal and business.

Personal Cyber-insurance

The “Internet of Things” is making us progressively more vulnerable to cyber attacks. It is therefore only a matter of time until demand for personal cyber insurance grows significantly.

My View

• Personal cyber-insurance will remain most popular as an add-on to existing insurance policies in the near future. WHY? Most people will only take out insurance following a trigger event (eg they have been hacked). Secondly, quantifying personal loss is near impossible and so premium value is likely to remain high if sold independently.

Opportunities

• Growing amounts of historical data are creating opportunities for insurers to better quantify personal cyber risk and thus offer a better product.
• Hacks are gradually educating consumers on cyber risk, moving the needle on what a house or life insurance policy should contain. Opportunities for startups therefore exist in helping insurers react to this changing consensus.

Cyber Insurance for Business

When it comes to commercial cyber insurance the largest customer growth segment will be among SMEs. Currently only 15% of SMEs have cyber insurance and yet they are the ones least likely to survive the financial consequences of a cyber event.

Five key areas cyber attacks hit SMEs; Phishing, Ransomware, Denial-of-service attacks, Credential stuffing and Outdated software.

Opportunities

• The new EU data regulations (GDPR and NISD) provide sudden and urgent demand for solutions reducing the financial impact of data misuse.
• Again, huge growth opportunities exist for startups attempting to quantify the financial impact of cyber deficiencies.
• No one is yet able to accurately quantify the long-term cost of reputation damage and put a price on customers a business may have had.
• Cyber insurance policies will remain incredibly narrow in coverage. This is because insurers do not know all their potential points of exposure due to limited data and history off which to base their policy.
• Defining points such as “are state-sponsored attacks covered by cyber insurance policies” will be key to the effective functioning of the industry.

Conclusion

Cyber insurance remains a hugely underserved market in terms of startup proliferation. However, GDPR and NISD are forcing a huge growth in sector demand and subsequently leading to a growth in the number of startups. Whether this will lead to a number of significant exits is yet to be seen but I would suggest the biggest opportunity exists for startups attempting to quantify the financial impact of cyber deficiency.

I would love to hear your thoughts on the cyber-insurance market so please do not hesitate to get in touch with your comments and views on the space!