Data Breaches Are Driving Increasing Demand For Cyber Insurance
With our recent investment in OutThink, I’ve been digging deeper into cybersecurity and the opportunities in the space. Unfortunately, one thing that can definitely be said is that, despite the massive investment in cybersecurity, breaches still happen, and in fact are happening at an increasing rate.
The increased number of breaches, and their associated damage, has spurred the growth of cyber insurance — insurance to cover the cost of cybersecurity breaches. GDPR regulations, which increased the fines that can be levied on breaches, further increased the cost of breaches for companies and the importance of cyber insurance.
The Opportunity
However, unlike more established insurance products, like property and casualty insurance, the risk of a cyber breach is poorly understood which makes underwriting a challenge. This challenge is compounded by the difficulty in predicting the costs of cyber breaches, which can be enormous with Equifax’s breach in 2017 estimated to have cost them $700m. Because of these challenges, half of insurers at Lloyds don’t insure cyber and where insurers do cover cyber, they tend to limit the amount of cover despite customer appetite for more cover, with the limited protection available not coming close to covering the cost of a truly damaging cyber attack.
Existing cyber insurers typically use simplistic exposure and factor-based methods, which underestimate the risk and only 25% of insurers use external tools. This gap opens the space for new, digitally native cyber insurers, that can use technology to better quantify and manage cyber risk. The need for new insurers will only increase with the amount of code being written, which gives more code to exploit, and the growing sophistication of hackers.
The global cyber insurance market is projected to reach USD 14 Billion by 2022 and the US market is growing by about 30% per year. Uptake amongst large companies is estimated at 30% but for SMEs the number is probably under 10%.
Providing cyber insurance for SMEs is challenging as carrying out the regular and detailed assessments of technology that are necessary to understand risk for enterprise clients is uneconomical. Instead insurers put a ceiling on losses through pricing cushions, cover limits and line size restrictions, which may mean that policies don’t adequately meet the needs of customers.
I think there is a real gap for a business that can provide fit for purpose cyber insurance to SMEs. In particular, I’m excited by the potential of businesses that can combine cyber insurance with tools for SMEs to reduce their cyber risk. Tools could initially focus on the five essentials of cybersecurity for SMEs: backing up data, protecting org from malware, keeping mobile devices safe, using passwords and avoiding phishing. This would enable a basic level of cyber protection and providing a win-win for client and insurer by reducing claims and prices. In the US, Coalition this week announced a $90m Series C on the back of 600% growth in customer numbers showing the demand for cybersecurity solutions from SMEs.
Because an insurer would combine data across a number of clients, they would be well-positioned to understand risk factors and how to mitigate them, allowing them to suggest the most effective interventions and driving down the risk of their portfolio. However, this would require a level of technical expertise that is lacking at existing insurers, opening up an opportunity for new entrants.
I’m very keen to see how companies provide cyber insurance over the next few year and if you are building a company in the space, please get in touch.
