What next in cyber analytics for insurers?

You can’t touch, feel or see it but one thing that is certain is cyber risk for insurers is increasing in scale and complexity. It’s also one of the few areas offering premium growth, and potentially high returns so it was no surprise that there were a lot more suits in the audience at the Cyber Analytics Instech London meetup recently.

In a hard hitting letter sent in November last year the PRA (Prudential Regulatory Authority of the Bank of England) wrapped the knuckles of UK insurers (and Lloyd’s of London) for a number of deficiencies it saw in the understanding and managing of cyber risk. Shortcomings included a significant and poorly understood exposure to silent cyber, a lack of clear strategies and risk appetites for managing cyber risk and insufficient investment in cyber expertise. Furthermore, the PRA felt that “effective tools for managing cyber are years away and the market has much work to do before it can capture and manage cyber exposures effectively”.

Helping established companies in the financial markets satisfy the demands of regulators has proved to be lucrative for both start-ups and mature companies in the past.  Although there are hundreds of emerging companies building products to help businesses manage their own cyber risk, very few are focussed on delivering analytics to insurers to enable them to systematically select and manage this fast growing opportunity. Startup Cyence’s success in selling its products to major reinsurers, and $40m funding raising last year is one of the few examples of new companies to emerge with viable commercial products so far. But things could be about to change.

We found nine companies based in London, or with a significant presence here, that are building applications for insurers. These ranged from start-ups still fresh from incubators (such as Cylon) through to well-established global organisations turning their attention to the cyber insurance market. With another full capacity event at the Steelyard, the companies represented ranged across the full cycle of risk selection and management. We were also delighted to welcome our first sponsor for 2017, TigerRisk Partners. TigerRisk is one of the more innovative reinsurance brokers, building its own analytical tools and showing leadership across many major risk areas including cyber reinsurance.

Advisen: learning from the industry’s loss data

Whilst the past is not always a guide to the future, understanding claims is an important starting point for any risk assessment product.  Alyosius Tan, product manager for Advisen led off the event describing the company’s growing loss database, now with 38,000 records across multiple lines. Advisen has one of the largest databases of cyber claims. It’s building out it’s meta data,  increasing granularity with details of up to 50 different attributes for each claims record. Advisen has two main sources for its information: aggregating data sourced from its clients claims records and subscription to services such as tort and litigation databases and governmental and regulatory indices. The company carries out its own research using webcrawlers and tracking reported events as they progress.

Insurers are using the data to help get more robust about defining events, understand clash potential and create loss benchmarks. The Advisen database is also widely used by other vendors to validate their own tools and models. The company is now working on a more interactive means of assessing the data to investigate themes across the different attributes it scores. Advisen is also widely known for its cyber conferences in New York and London, with their next event in London on 7th March and we are grateful to Advisen for sponsoring the videos for this event.

Sciemus: underwriting that combines analytics and experience

Rick Welsh is at the sharp end of the cyber insurance opportunity, as CEO of London MGA Sciemus. He believes gaining an understanding of cyber risk is more than just accessing more data, and as an insurance class it’s been around for a while. Insurers first identified an opportunity for insurance for e-commerce back in 1999. Rick believes that insurers in the UK have a lot to teach the world about Cyber.  The UK Government has for some time been working on a standards-based identity verification and authentication programme which involves UK industry, a notable global charity and other governments. Sciemus has been asked to help with the liability and indemnity model, given its knowledge of cybersecurity, cyber insurance and links within the cybersecurity community.

According to Welsh, the majority of losses from cyber to date have been from data breach and it’s mostly the service industries that have been affected, but there is a lot of physical damage potential from cyber. Industries such as nuclear, which may think they have sufficient safeguards in place to make them immune to cyber attacks can be more vulnerable than they realise.

4iQ: protecting national insurance agencies

4iQ powers cyber risk intelligence centres for defence departments, law enforcement agencies, physical security service providers, managed security service providers and critical infrastructure companies. Richard Kirk has been with 4iQ for only two weeks, but has a longstanding association with Instech London. “Has anyone here had their credentials stolen?” Richard asked the audience. Only five people raised their hand. Statistically, from this audience of 200 people, another 95 have probably had some of their personal details stolen.  In the last year 1bn personal records have been stolen through a series of breaches. 4iQ has found a way to collect the data that we are losing - legally Richard assured us - our user ids, passwords, copies of documents, confidential letters from banks. Understanding who is losing key information is potentially very valuable to the insurance industry but such information is not yet commonly used today. Most insurers are focusing on building stronger security, but once a thief has got hold of someone’s id and password the security becomes irrelevant. The theft of personal ids - or “credential stuffing” as it’s known - is growing. For the industry to protect itself it must, according to Kirk, start to think like a criminal.

Cynation: creating an enterprise wide culture and processes to build cyber resilience

Shadi Razak, the co-founder and CTO of Cynation is concerned by what he sees as a lack of true appreciation for cyber risk across businesses. Companies are buying insurance as a replacement for protection rather than tackling the fundamental issues. And it’s not just about how a company understands it’s own risk, but also quantifying the risk from third parties. Many companies are outsourcing key services today, potentially increasing exposure to attacks via a third party with lower security standards. A traditional “cyber risk audit” can be expensive and may not always be comprehensive. Cynation believes it has identified the 10 key factors that determine a company’s cyber risk and is creating assessment tools around these factors. Above all though, Razak noted, there needs to be full collaboration between companies and insurers; it’s hard to clap with one hand.  

Dynarisk: Protecting your digital life

Andrew Martin from DynaRisk was the first former hacker up on stage - or at least the first to admit it. Realising that he would get caught at some point, Martin has shifted his attention to building a platform that measures the vulnerability of a cyber attack on individuals. Similar to a finance credit rating, he is creating a personal cyber score. The system simulates attacks on participants and measures individual’s resilience. Whilst many companies are now introducing mandatory “best practice” training, it’s very hard to get people to change behaviours in a meaningful way unless they are actively engaged in the learning process. Dynarisk’s scores can be used to track people’s improvements over time, and identify those that are practicing good behaviours vs those that are not. This is one of the first examples of gamification for cyber risk and Martin is hoping that our competitive nature and desire for measurement will encourage us to make real changes to our behaviour, frequently checking in on our Dynarisk scores to see how well we have improved.

Foregenix: your digital canary

Foregenix  was founded 9 years ago. Richard Jones, responsible for business development, is a veteran of the cyber security industry having been involved since 2000. One of the biggest problems for data theft is that it can be a long time before it’s discovered: the mean time to detection is 6 months. To identify attacks more quickly Foregenix has developed its canary,  a device that sends out an alert at the first signs of an attack . It’s simple in concept and aims to do just one thing: attract a hit from a hacker.  When it is attacked it sends out a signal identifying the id and the device from where the attack came from.

Hook: finding your weakest links

Oliver Rees co-founded Hook last year to help solve the really big problem in cyber - what he called the squidgy bits - the people that do things they are not supposed to do. According to Olly, 90% of breaches are from someone clicking on a malicious email. Hook provides the tools to enable companies to test themselves to see how susceptible they are to such email attacks. A company CSO can use Hook to send out fake phishing emails (i.e. fake fake emails) to staff and record who opens them. The number of people that click on the email is a good indication of the cyber resilience of a company’s staff. Achieving a score of 10% or less of emails opened suggests a well behaved company. There have been cases were over 60% of staff have opened the phishing emails - definitely a sign of a need for more training. There isn’t an explicit insurance solution yet. “And yhy stop at cyber?” asked one of the industry veterans in the audience. “Maybe Lloyd’s could send out fake phishing emails to see which employees would take up an offer of a drink at lunchtime”.

Telstra

Mike O’Keefe spoke on behalf of Telstra - the large Australian technology company. It’s amongst the top 10 globally in telecoms with 40,000 people and so pays a lot of attention to cybersecurity - its own and its clients. The cost of the average data breach increased to $4m in 2016, up from $3.7m the year before. Typical costs are around $158 per record which increases to $355 per record for healthcare and insurance. These have the potential to increase massively in Europe with the introduction of GDPR, and its related fines, next year. The hardest cyber attacks to prevent are the unknown unknowns. A catastrophic cyber attach is definitely possible, but it’s not clear what it will be and where it will come from. When history is no guide to the future a different approach is required, and Telstra is shifting towards behavioural analytics in an attempt to identify the emerging threats. By creating a profile of everyone that touches a company’s network there is an increased probability of identifying rogue actors doing bad things:  state sponsored espionage, mobile phones pushing out customer records or third party vendors with compromised systems.

Threatinformer: matching risks to policy coverage

Threatinformer is another recent graduate of the London Cyber incubator Cylon, part of the fourth cohort. (Other alumni from the evening included DynaRisk and Hook). The company was born out of the frustrations of the underwriters that CEO Ryan Jones had seen in his time working with KPMG.  Industry consultants gave a good service, but could be inconsistent and expensive. The automated tools available were not targeted at insurers and so tended to provide too much unstructured information, or reduce the issue down to single cyber risk scores, so broad as not to be useful. Threatinformer is developing an automated cyber risk platform specifically for all three main players in insurance: brokers, insurers and reinsurers. Jones described three key challenges for brokers looking to place cyber risk that can be helped by Threatinformer. The first task is to understand what type of cover is required, the second is to identify risk management opportunities and reduce risk.  The major brokers are looking for opportunities to grow revenue, not just by placing risk but through providing services to actively manage it. Each of the major reinsurance brokers has been developing relationships with cyber analytics providers in recent years, and the acquisition of cyber risk management company Stroz Freidberg by Aon last year is probably not the last strategic acquisition we’ll see in this space.  The third, and more fundamental challenge for brokers according to Jones, is for brokers to convince all of their clients of the need to buy comprehensive cyber cover at all. It’s not mandatory, can be expensive and limits are rarely given above $500m. Threatinformer will be providing tools to identify risks across a range of areas, suggest coverage explicit to individual companies, assist with risk management and provide evidence based examples of where insurance can be used to complement risk reduction activities.

AIR and RMS: Scenario modelling for unnatural perils

AIR is better known for its natural peril catastrophe models. Mark Banks explained that the biggest challenge they have seen is insurers understanding the specific risks related to each of their insureds. Aggregation of risks, based on industry averages is too uncertain to be meaningful. AIR has been working on a probabilistic model for a couple of years, but has shifted its short-term focus to scenario-based events, consistent with the Lloyd’s Realistic Disaster Scenarios.

RMS and AIR collaborated last year in a project led by Cambridge University to develop standard industry schemas, leading to the publication of an excellent primer on Cyber risk. Tom Harvey from RMS was the final speaker for the evening. RMS is providing its cyber tools to 20 insurers today and is about to release it’s second version of its “Cyber Accumulation Management Systems”. The RMS approach, explained Harvey, is focussed on helping insurers understand the major catastrophic loss that could be a balance sheet event for an insurer or reinsurer, potentially occurring from a combination of multiple events across multiple lines of business.

In conclusion

Whilst some may argue the PRA’s observations about the state of the cyber insurance market are too harsh, there is no doubt that cyber analytics for insurers will remain a fertile spot for innovation and opportunity for many years to come. Despite the increasing number of losses from data breach, denial-of-service or ransom ware, we have yet to experience a truly catastrophic cyber loss, or even a significant physical loss triggered by a cyber attack.  Yet we are increasingly more connected and our reliance on intangible networks is becoming as great as our reliance on tangible physical assets.  Competitive pressures mean embracing the latest technological innovations, offering fresh opportunities for malicious attacks. We will definitely see more active risk management for cyber. Will this be supported by more comprehensive insurance for cyber, offering large lines and broader coverage, or will the industry seek to exclude a risk it can’t quantify by pushing it back on its clients? Either way, regulatory pressure and commercial drivers will create a large appetite amongst insurers for the best measuring, monitoring and management tools. Definitely a space to watch.

The next Instech London event is on 20 March, with 9 Angel Investors presenting.