The cyber insurance industry is taking baby steps away from a long and messy infancy. For the hundreds of companies that offer policies, toddlerhood is here, and it means exerting more influence over how clients protect their networks and information.
For years, headlines have fixated on how big firms like AIG and Zurich have been locked in legal disputes over specific claims, but insurers are now trying to be more proactive with customers. The smartest approach for everyone, they say, is to prevent breaches from happening in the first place. Key to that, and saving money, is trying to identify the products that are most effective.
Marsh, the global insurance broker and risk adviser, last month published its first list of Cyber Catalyst-designated products, a tag given to 17 services that a group of insurance firms say its clients should consider, including offerings like FireEye’s Endpoint tool and CrowdStrike penetration testing service. Insurers for years have assessed security products, and partnered with vendors, but the breadth of the Cyber Catalyst program proves the industry thinks it has enough data about prior security incidents to help clients avoid breaches in the future.
It’s a shift that could result in insurance companies, rather than chief information security officers, dictating which products Fortune 500 clients rely on to secure their data, said BitDiscovery CEO Jeremiah Grossman, who has studied the market trends for years.
“It’s just like when you buy fire insurance, the insurer will say ‘You need to have a fire extinguisher,’” he said. “Imagine going to Geico and you get an auto insurance quote but neither you nor Geico knows even know what kind of car you drive. That’s what’s happening now, because companies don’t even know what they have online.”
The Cyber Catalyst program works like this: Security vendors submit their products to cyber insurers including Beazley, XL, Allianz, Zurich and AXA for their review. Those firms base the decision on whether to include a product in the Catalyst program based on the technical capabilities, vendors’ track record and the ease with which customers can configure the tool. Then, they send the assessments to Marsh.
Marsh declined to say how insurers conduct the assessments on each product. For now, though, it seems like most of the products on the list were at fault in fewer breaches than their competitors (Marsh says adding a security vendor to the Cyber Catalyst program doesn’t count as an endorsement.)
“The carriers are paying ransomware claims every day,” said Thomas Reagan, a cyber practice leader at Marsh. “They read the forensic reports around ransomware claims, and they read them around system outages. They’re looking at the things that are going wrong every day, so this is about which products are most important in tackling real risk.”
More than 150 vendors submitted their product for consideration this year, Marsh says, and the firm is aiming for another round of applications in the spring.
For insurance clients considering whether to switch their email security or penetration testing tool to become part of the Cyber Catalyst program, the immediate benefit remains unclear. It’s up to each carrier to decide how to incentivize customers, if at all. Cyber insurance premiums already are relatively cheap (policies typically cost 2% of a liability limit, Grossman said) so carriers could dangle higher limits in front of their clients (offering $100,000 worth of coverage, up from $50,000, for the same price, for instance).
It’s not clear if any companies actually are making the switch to cash in in such a way.
The strategy is poised to give insurers more control over corporate spending decisions at a time when overall insurance growth is slated to continue by just 2.6% in North America, according to EY. At the same time, cyber insurance is set to more than triple to $17.3 billion by 2023, up from $4.5 billion in 2017.
With this, insurers’ access to the kind of client data they need for their own offerings will also grow exponentially. Forrester analysts Heidi Shey and Paul McKay described the Cyber Catalyst program as a “promotional campaign for cyberinsurers and security vendors to get their products into the doors of more businesses.” They went on to recommend that businesses not make their purchasing decisions based on the Cyber Catalyst products, but based on their own specific needs regardless of the incentive.
And while that may be sage advice, it won’t stop the insurance industry’s ultimate goal of offering cyber insurance packaged with a suite of specific products to fill anti-virus or email security needs, Grossman said.
“It’s about the bottom line,” he added.