GVA © 2017

29 July, Fri
Can startups disrupt the $20 billion cyber insurance market?

Over the past few years, cyber insurancemarkets have been growing at between 25-50 percent CAGR each year. According to The Betterley Report 2015, annual policy premiums are approaching $2.75 billion. The ecosystem ofinsurance underwriters, intermediaries/brokers, analysts/management consultants and compilers of insurance market information is evolving rapidly, trying to make the most of this rising tide. As large insurance underwriters try to grapple with cyber insurance, newcomers aim todisrupt this ecosystem. And the battle has just begun.

Opportunities galore: Risk metrics / analytics

Enterprise risk management is a pressing issue at the C and board levels. Risks of business disruption rank the highest on charts. While natural catastrophes and political issues cancause disruption, these are relatively better understood than cyber risk. According to Allianz 2016 Risk Barometer, cyber incidents are considered the No. 1 emerging risk for the long-term future.

(Source: Allianz 2016 survey of top business perils; 800 risk managers from 40 countries).

With the growth of intruders and malicious actors, corporate risk managers are being pushed to adopt a better risk posture. Purchasing insurance often is the first step. When you have many eager buyers, a willing seller often emerges quickly to oblige such enthusiasm.

According to AIG, insurance underwriters collected $1.6 billion in premium income in 2015. Allianz projects premium income to grow to $20 billion by 2025. The average take-up rate for cyber insurance is 24 percent across U.S. businesses. (Source: Council of InsuranceAgents & Brokers  survey of 75 brokers, September 2015).

Only ~40 percent of Fortune 500 companies have procured insurance against cyberincidents, and those with insurance typically purchase limits that do not cover the full extent of their cyber exposure. There are more than 18,000 mid-market companies with revenues from $250 million upwards in professional services, retail and manufacturing verticals that will need insurance coverage.

It is evident that the forces of “market pull” are driving rapid growth in insurance markets, even when entrants are relatively unsophisticated. Some water-cooler conversations around cybersecurity insurance include statements like “nobody knows anything — but wow — it’s already a billion-dollar market” and “this is the best thing for our industry since fire.”

Enterprise customers are eager to buy coverage, but struggle with understanding their risk factors. According to a NetDiligence 2015 Cyber Claims Study, 48 percent confessed to a lack of understanding of complexity of risks, preventing them to be better prepared against such risks.

And as much as 46 percent did not have concrete assessment of costs of risks involved. The key questions enterprises struggle with are: (a) What is at risk for our enterprise — is it business continuity? Will we be DDOS’ed? Or experience intellectual property theft? Do we hold consumer/financial/patient data?; (b) What is the probability of an event occurring?; and (c) What are the estimated damages?

Like most nascent arenas, development of a common taxonomy and risk assessment framework is much needed. The U.S. government’s NIST framework is a starting point, but more needs to be done. Within such a framework, various tools, technologies and practicescan be optimized to measure and assess cyber risk. The first wave of innovation is to offer risk metrics and aspire to become the “FICO Score” provider. Startups that have leaped in to address risk metrics include Security ScorecardBitSight and Cyence. Governance Risk and Compliance (GRC) Vendors have pivoted into the space and offer vendor risk-management tools. The gold rush has just begun.

Opportunity: Insurance purchasing engine

Despite strong demand, the challenge for insurers is how to craft their offerings and how much to offer. Forecasting loss ratios and product profitability in such a nascent market is a challenge, not to mention allocating appropriate risk capital for long-tail cyber catastrophe events. Actuarial tables based on 100 years of historic data can be used to build premiums models, and predict earthquake and flood risk. But do the likes of AIG and Allianz have such data for cyber risk? Not quite.

Symantec has leaped into this space and aims to be a formidable player. “We track 800K security events every second” says Roxane Divol, SVP/GM, Trust Services Website Security, and Executive Sponsor for CyberInsurance, Symantec. The company has hired actuaries who are blending historical and real-time data and creating new products for the cyberinsurance community to address this specific challenge.

The timing, scale and nature of cyber risk is uncertain and dynamic. How will this impact premiums as risks fall or evolve over time? And in many cases, we don’t even know what’s going on — take a look at the patterns of incidences for 2016. “Miscellaneous Errors” and “Everything Else” are almost 30 percent of the incidents.  


(The dynamic nature of threats over time. Source: Verizon DBIR 2016)

At the macro level, how do insurance providers estimate their “probable maximum loss” (PML) in cyber incidents? And when several parties get impacted, how is first-party/third-party liability assessed? If I unknowingly forward a malicious file to another party, am I at risk? The timing of claims can also be a pain point for the insured. As one expert bemoaned, we know there is fire when we see smoke. What about cyber issues? Intrusions go can undetected for 300 days or more.

So how does an enterprise risk officer apply this logic to selecting the right coverage, negotiating premium amounts and exclusions? What claims can be denied? How does a nation-state attack (North Korea/Sony) come into play? According to a Hanover ResearchCyber Insurance Survey (November 2014), more than 50 percent of insurance underwriters do not have dedicated people for cyber insurance.

Even the intermediaries/brokers struggle. In a cyber insurance market watch survey, the Council of Insurance Agents & Brokers found that 71 percent of brokers believed there was little to no clarity about what is covered. Which means the brokers are more or less operating in the dark.

The Council further reports, “Much rests with the individual broker’s ability to grasp exposures and coverage nuances and be able to intelligently discuss these with individual clients whose interest levels vary greatly. The two major points of contention are lack of a standard terminology and difficulty in spotting exclusions.”

If we assume our CGL (Commercial General Liability) or D & O (Directors and Officers) policy coverage is sufficient, we may be in for a rude shock. When DSW, a shoe retailer, got hacked, AIG attempted to deny coverage and argued the loss was excluded. The court disagreed and DSW was entitled to coverage, but not without a legal battle.

In summary, enterprise America will soon need a simpler way to identify the nuances of: (a) what does my policy cover, its relevance to my business-risk and exclusions; (b) which underwriter is the most sophisticated; and (c) and how can I identify ways to reduce premium costs? Over time, an online insurance marketplace may evolve.

Opportunity: Emphasize the importance of tools and technologies

Underwriters do not put much value on usage of security products/tools. A Hanover CyberInsurance survey from November 2014 shows an interesting pattern — the most important information is risk management philosophy, closely followed by nature of data stored.

The “Updated Network Security/Firewall” seems somewhat laughable and, unfortunately, “Encryption” has very little importance. This needs to change.

As insurance companies become better informed about the importance of various security technologies, the criteria for underwriting could become more relevant. Silicon Valley cancreate not one but many disruptors in the cyber insurance space. Yet Silicon Valley should know that technology alone cannot solve all problems. People, practices and policies matter.

It may be a while before we realize that Utopian dream of security working silently, automagically to protect us despite our follies, foibles and idiosyncrasies. When that happens, we will not need cyber insurance. For now, this $20 billion market is waiting to be disrupted by some 19-year-old wunderkind.

17 March, Friday

There is one question that comes up every time I talk about the accelerator program we run at Microsoft. Once people realize we don’t take equity from the startups participating in the accelerator program (which basically means it’s free), they immediately raise the question “so what’s in it for you?”

01 February, Wednesday

Tessa Court, CEO of IntelligenceBank, shares the issues to address before taking your company global.

25 January, Wednesday

It seems the entire world of people and things are connecting to the internet, with projections of 6 billion active smartphones and 50 billion connected things in use by 2020.

27 December, Tuesday

Much as they are today, people were enthralled by artificial intelligence in 1973 — the year Michael Crichton released the film Westworld. The film became MGM’s biggest box office hit of the year, yet launched the same year as the first AI winter: a massive event of depleted AI resources, dashed expectations, and dwindling interest over the ensuing decades.

13 December, Tuesday

For us to make an investment, not every question has to be answered affirmatively. But every question has to be asked. This allows us to proactively identify the risks in a company, and be self-aware of the blind spots in our decision. Very purposefully, the checklist is not a litany of metrics that a company must achieve in order to raise a round, rather it is a tool to invite both imaginative and critical thinking.

09 December, Friday

Sometimes it makes sense to take a step back and ask big picture questions. For example, if you are a VC, could you provide better returns by investing in only enterprise or consumer companies, or a mix of both enterprise and consumer? How should investment and exit trends over the last five years influence your fund size and strategy?

30 November, Wednesday

Now, I admit to being kind of old school in European venture. I first became a VC analyst at Atlas almost a decade ago. My early venture education came from Fred Destin and Sonali de Rycker, now both at Accel Partners. Much of their teaching mirrored Mark’s advice: you want to invest in traction, ideally accelerating growth where you understand the underlying drivers, understand how the team works, understand the economics of the industry.

25 November, Friday

If you’re a fan of the "Black Mirror", you might think it’s an interesting glimpse into the future. But, some of the technology you see throughout the series already exists in nascent stages. The six products below will give you a taste of a future that’s already here.

13 October, Thursday

I live a pretty cosmopolitan futuristic life atop a glass skyscraper in New York City, but I’ve yet to get a pizza delivered by drone, order a taxi from Alexa or open a hotel door with my smartwatch. I’ve also not booked a hotel from a bot (because trying that drove me crazy) nor consumed news from one, because that’s a terrible way to do it.

03 October, Monday

Ransomware has already managed to carve itself a niche as one of the main cybersecurity threats of 2016. As individuals, organizations and government agencies, we’re taking precautionary steps to protect ourselves against malware that can encrypt files beyond our reach.

28 September, Wednesday

The numbers speak for themselves. With over 4,200 startups, India is the world’s third largest startup ecosystem. According to a Nasscom report, Indian startups have risen to the next level with 100% growth in the number of private equity, angel investors and venture capitalists. Moreover, a 125% growth in funding was also recorded over the last year. While this is a welcome news for startups, it also brings with it the responsibility of sharing equity with the stakeholders and determining how much equity you should allocate to the co-founders, investors, employees, and advisors.

16 September, Friday

The success of high-tech accelerators has ignited the creation of similar models around the country hoping to replicate their accomplishments. But their achievements have not come without criticism.

05 September, Monday

You can’t swing a lightly inebriated jaguar by its tail without hitting half a dozen crowdfunding campaigns these days. Looking at some campaigns, it seems like it could be the ultimate get rich quick scheme: you dream up a harebrained idea, create a pretty video and BOOM. Make it rain. Except running a successful Kickstarter or Indiegogo campaign is a lot more complicated than that. In this video, we take a closer look at some of the common pitfalls.

29 July, Friday

Over the past few years, cyber insurance markets have been growing at between 25-50 percent CAGR each year. According to The Betterley Report 2015, annual policy premiums are approaching $2.75 billion. The ecosystem of insurance underwriters, intermediaries/brokers, analysts/management consultants and compilers of insurance market information is evolving rapidly, trying to make the most of this rising tide. As large insurance underwriters try to grapple with cyber insurance, newcomers aim to disrupt this ecosystem. And the battle has just begun.

27 April, Wednesday

In early February 2016, a study of financing deals reported by The Wall Street Journal found that investors are increasingly protecting themselves from IPOs that don’t perform as expected. This fallout is a continuation of the demise of the so-called “unicorn,” a tech startup with a pre-IPO valuation of over one billion dollars.

18 March, Friday

The number of corporate accelerators is on the rise. More and more large corporations are investing, directly or indirectly, in the establishment of accelerator programs. Orange Fab, Microsoft Ventures, Hub: Raum and Wayra are just few examples of a wider trend that has been shaping the industry in the last years. 

25 January, Monday

Devin Wenig, president and CEO eBay, participated in the World Economic Forum’s Annual Meeting in Davos. The post is about how how interwoven technology and commerce have become. But what we’ve seen is only the beginning.

19 January, Tuesday

Silicon Valley's pursuit of diversity is skin-tone distracted and gender confused. Diversity is more than a ratio — it's urban and never suburban... Silicon Valley's leadership in sourcing innovative ideas is slipping and its feeble pursuit of diversity isn't helping. Original ideas come from original experiences — an environment that brims with a diversity of genders, skin colors, ages, economic backgrounds, national cultures, and artistic expression.

12 January, Tuesday

The Entrepreneur Insider network is an online community where the most thoughtful and influential people in America’s startup scene contribute answers to timely questions about entrepreneurship and careers. Today’s answer to the question “How do you know it’s time to drop your startup idea?” is written by Linda Darragh, professor of entrepreneurial practice at the Kellogg School of Management at Northwestern University.

12 January, Tuesday

One of my investors candidly asked me recently, “Shelly, if I have an opportunity to invest with people I’ve just met, how do I avoid getting screwed over?” This is a good question; for most investors interested in startups, co-investing is the de facto way to invest.