Cyber Insurance: How Technology Could Help Create a Huge Market

This is the second article of a series of six that aim to detail how technology is reshaping the insurance industry alongside six main areas (for the first article, click here)

Let’s go through what could be the most promising insurance vertical in the coming years: cyber insurance . The Cyber Security market is expected to grow from $138B in 2017 to $232B in 2022 according to MarketsandMarkets, as threats are increasingly growing with 1.091 data breaches in 2016 (+40% yoy) and 1.579 in 2017 (+45% yoy) according the Identity Theft Resource Center. This should keep growing as the number of Internet users will grow from 3.8B in 2017 to 6B+ by 2022 according to Cyber Security Ventures. Assuming there is no way to perfectly avoid the cyber threat, we are watching the Cyber Insurance industry through 3 main areas: secure data, monitor security breaches, price Cyber risks.

Secure data as much as possible

Following the thousands of data breaches that occurred over the past years, more than 700M data were stolen in 2016 & 2017 according to Wikipedia, and still counting this year… There, we have been focusing for years on basic means to make it more complex to access data, by leveraging firewalls for instance. To go further on Data Loss Prevention, you need to identify sensitive data among organizations and set-up processes and rules to reduce the risk of data loss or data breach. The main difference between the two is that data loss comes from inside the company mainly due to employee’s misbehaviors, whereas data breach comes from outside where hackers are stealing data on purpose.

With the development of cloud storage that companies are now using, several startups positioned themselves on secured cloud storage that strengthen the level of security for data they host. In France, Lena Cloud, for instance, is providing this kind of service with several levels of security: from encryption, to leak monitoring or live threat monitoring. In Switzerland, SecureSafe is addressing the same market need starting with a secured system of authentication to access their service (‘Zero Knowledge’). Of course, Amazon Web Services offers several options to secure storage: from data encryption with different levels of keys management, to their service ‘Macie’ that leverages Machine Learning to identify sensitive data and monitor how they are accessed to identify potential threats. On the infrastructure side as well, Seclab has developed a patented technology to secure network interconnections with many use cases in the IoT, SmartCity or Autonomous Cars spaces.

On data protection, though, the main trend we are looking at is encryption and how to make it more complex to read data. It makes sense to strengthen the ultimate protection when considering data breaches will happen anyway. In Europe, we’ve seen many startups focusing on that part of the Cyber Security industry. BoxCryptor, in Germany, or AxCrypt, in Sweden, have developed solutions to encrypt files and data directly on your computer or wherever you store them. The main challenge here is to manage encryption and security in a world of exchanges and flows: it’s not only encrypting a file, then sharing it. Encryption should be done on any kind of data a service is using and in live. Many applications rely on sharing data or leveraging data flows: teleconsultation, cloud storage, IoT data collection, messaging, API, etc. In the UK, Psyphr offers to integrate its security solution directly into customers’ environment with dedicated tools to monitor risks as well. In Spain, Hush has developed its encryption solution around workflows and file sharing. In France, Tanker has developed an end-to-end encryption SDK approved by ‘ANSSI’, the French authority for Cyber Security. You can easily integrate this solution into any application to make it safer.

In an insurance standpoint, enhancing the protection surrounding data will increasingly become a requirement. The first example we have in that space is the partnership between Aon, Allianz, Cisco and Apple to offer a dedicated Cyber Security / Cyber Insurance solution. There, Aon is proving its expertise in Cyber risk assessment, Cisco and Apple hardware solutions have been selected as particularly safer, and on top of that Allianz is covering risks with its insurance policies.

Monitor security breaches

According to PwC France, 76% of French SMEs have already faced a cyber-attack. Then comes the necessity to be acknowledged when a hacker has managed to enter your network and even more when a data breach has occurred. For years, antivirus software was the only way to track threats based on signature analysis (identifying patterns they already knew, which required a regular update to make sure it covered the last virus). In a constantly changing threat landscape, Intrusion Detection Systems should help identify abnormal activities on networks or data sets. Here, information is key and it matters to be aware of a security breach (before, during or after it has occurred), as it is the first step to strengthen your Cyber protection. Being aware of data leaks will be even more important when the GDPR (General Data Protection Regulation) will be live on May 25^th, 2018, as companies managing personal data will have to report any breach to the regulator, maximum 72h after it occurred.

Several startups are addressing that market need by combining service and technology. In France, CyRating is offering a service to rate level of Cyber risk for organizations and compare it to the market. Then companies can more easily take decision to strengthen security. In the UK, DynaRisk is focusing on B2C to provide customers with a security score leveraging 50+ risk factors. Both startups are leveraging data collected among customers on their behavior, IT infrastructure, habits, etc. They leverage then their own algorithm to assess the level of risk.

To go further, startups leverage technology to live monitor threats. In France, Alsid has developed ‘Directory Security Compliance’, a solution to monitor threats directly on infrastructures. That’s a way to both anticipate the risk by identifying weaknesses or breaches that could be fixed, and to get informed in case of attack. In the Netherlands, CyberSprint has developed ‘Digital Risk Monitoring’, a platform to get real-time insights on the level of risk surrounding an organization by monitoring networks.

Looking for data leaks is another way to monitor breaches, after they have occurred. In France, CybelAngel leverages Artificial Intelligence to crawl the Web (and dark Web) and look for potential sensitive data that might have been stolen. LeakWatch is offering a SaaS solution to easily identify data that would have been compromised and exposed online.

In the insurance industry, AXA has been active on that topic through its investment arm that took positions, in the US, in Security Scorecard that live-track vulnerabilities and deliver rating on 10 risk factors to secure the ecosystem surrounding any organization. It also invested in Contrast Security that allows to integrate threat monitoring and fixing directly into software. Big tech players are also considering that growing market and Google recently announced Chronicle, a subsidiary dedicated to Cyber Security to help companies monitor online threats.

Price the risk

The cost of data breaches is said to cumulate at $8Tr between 2017 and 2022 according to Juniper Research, as cyber risks are mixed: from sensitive or patented data stolen from an industrial company, to customers’ data stolen from a web platform. Last year, ‘WannaCry’ a ransomware – a new kind of virus – hacked several industries including a car manufacturer that had to stop several of its production factories. In that specific case, the associated cost is huge and quite easy to price by assessing how many cars were not produced due to that production break. On the other hand, data breaches of customers’ data often occur among big tech firms. But in those cases, it is more difficult to size the price of such a loss. Customers can obviously report that incident as they have been exposed or their personal data compromised (starting with payment details), but it remains tough to assess the real cost of those hacks for the companies themselves: is the damage more on the final customer or on the web platform itself? Are the data stolen critical for customers (name, address, contact, payment details, …)? Is there any impact for the platform beyond trust and reputation?

From an insurance standpoint, assessing the risk and pricing the cost of cyber damages is key to develop relevant cyber insurance policies. According to the OECD the cyber insurance was a $3.5B market in terms of total premiums in 2016 with a CAGR of 30% over the 5 years before. Few startups are focusing on that part of the cyber market. In Switzerland, CyQuant is focusing on risk assessment and pricing, combining technology and risk modeling skills. Their tool is dedicated to (re)insurance players that will increasingly need technology to help them price the risk. Indeed, the core business of insurers is currently to rely on historical data that actuaries leverage to price a specific risk. In the cyber industry, threats are new and ever-changing. On different use cases, Data Scientists have already shown their ability to accurately size risks based on huge amounts of behavioral data.

As the cyber insurance market grows, technology will be key to deal with huge amounts of live data. That’s why we see more startups leveraging Artificial Intelligence (and more specifically Machine Learning) to generate value from behavioral data. In the UK, Darktrace or Cybereason and Versive in the US, have long been leveraging this kind of technology to identify unknown threats.

Cyber threats will also increase as IoT keeps growing: Juniper Research expect 46B connected devices by 2022. And IoT need to have the same features for upgrade as software have: every time developers identify breaches or even threats, they fix it and offer users to upgrade their software. It is a huge challenge for IoT developers to build a by-design capacity to upgrade software embedded on connected devices. Recall hacks of connected cars…

Data is massively piling at an increasing pace, IDC expect the world to create 265 trillion gigabytes of data in 2025 (compared to 16 trillion gigabytes in 2017) out of which 60% will be created or managed by businesses. In Europe, the GDPR will be live in several days and define do’s & don’ts for companies using personal data. As companies have to ensure this data isn’t compromised, cyber insurance will increasingly be a challenge and a requirement for these businesses. And we start seeing startups offering companies a service to better comply with regulation by leveraging technology. In Ireland, ShhSystems offers to drive companies through the process of being GDPR-compliant and more generally to put security at the heart of any business managing data. In France, TwinPeek is focusing on data privacy for both customers that could get back control on their data, and companies that could develop privacy-by-design features directly into their products, applications or services.

//Florian Graillot is a Partner at astorya.vc.