Cyber Ground
by Jay Cuthrell
This week we take a look at the past, present, and future of cyber insurance and cyber risk marketplaces.
This week’s musical inspiration in title and lyrics:
Insurance is simply a tool that attempts to protect against risks. In these modern times, the friction and time to acquire productized coverage forms of insurance have drastically reduced as technologies from e-commerce to real-time risk ratings become part of end user consumer experiences on the web, via APIs, and increasingly on mobile platforms — truly, there is an app for that. 📲
By prepending the word cyber to insurance, we have a relatively recent modern tool (or at least as old as the web) that is meant to protect against the growing risks to our increasingly data intensive online IT infrastructure. Further, the quantification of risks to increasingly sensitive online data passing through online IT infrastructure must evolve as well to account for the "when, not if" scenarios of related losses during the data lifecycle — including considerations for companies and their customers as well as third parties.
Now it’s time for reading 📖, watching 📺, and listening 🎧 suggestions:
- 📖 What makes gambling wrong but insurance right? in which Tim Harford takes an undercover economist inspection of the elephant in the room that provides context for why even mature forms of insurance can be confusing — let alone cyber insurance.
- 📖 Cyber Insurance and the Ransomware Challenge from Royal United Services Institute (RUSI) in which Jamie MacColl, James Sullivan, Dr Jason R. C. Nurse, Gareth Mott, Sarah Turner, Edward Cartwright, and Anna Cartwright spend 25,000 words(!) going into the notion of incentives that can range from evolving to improving to perverse to misaligned depending on your perspective — and this lightweight summary does not begin to do the full paper justice — truly a must read.
- 📖 IBM’s Cost of a Data Breach Report 2023 in which IBM partners with Ponemon Institute to bring methodology, findings, and recommendations into an open conversation around the costs and frequency of the common attacks as well as timelines with containment strategies to understand impact of prioritized investments for improvements.
- 🎧 Navigating the Global Cyber Insurance Landscape in which Anthony Hess interviews Luke Johnson on the dynamics of response choices from a legal perspective.
- 🎧 The Evolving Cyber Insurance Industry Monday in which Emma Kami interviews Ali Plucinski on recent court rulings on cyber insurance related cases and policy payouts from global fallout associated with cyber warfare that is part of geographical kinetic warfare.
- 📺 The Calculus of Cyber Insurance in which Rafal Los interviews Nate Smolenski on the ins and outs of cyber insurance for everyone that isn’t a massive multi-national corporation.
- 📺 The Whitehouse National Cybersecurity Strategy in which Wes Spencer, Matt Lee, and John Hammond go into a wide ranging conversation — deep linking at the 29 minute mark — on the lessons that cyber insurance marketplaces still need to learn.
If you’ve recently bought an expensive smart phone or even commercial airfare, you know that adding insurance is just a checkbox away — including monthly amortization or a lump sum payment option. Humans can now drop their phones after travel woes and feel economically protected no matter what breaks first — the device or their will — or both. 😩
All that modernity aside, the insurance industry is very, very old. Insurance has existed at least as far back as when the first boats began carrying things of value from shore to shore… and the losing of those things or the sinking of said boats.
Perhaps you’ve shopped for a common insurance policy for your home, rental, or vehicle. You might have noticed the checkbox options that could result in a policy rate reduction for simple things like a fire extinguisher, smoke alarm, or theft deterrence device or security monitoring service.
The question to ask might be as simple as wondering when (not if) a startup or large cloud service provider will make cyber insurance policy rate reduction and the underlying risk quantification a drastically simpler process. In fact, if you follow Forrester, that cyber insurer M&A driven future is already here and Jeff Pollard believes there is more M&A coming to a cyber insurance firm near you.
Within the range of my 50-something lifetime, The Insurance Services Office (aka _the_ _other_ ISO) was created to provide actuarial support, ratings, and more. Today, ISO is part of Verisk and serves to enable fast-track for mergers and acquisitions (M&A).
As such, the insurance marketplace has some level of maturity to quantify the risks and to influence if not codify much of the language you might have read in your own insurance policy documents over the years. However, cyber insurance and assessment of cyber risk can still cause confusion.
Just consider this… the writers over at Dark Reading have been covering cyber insurance from 2006 to the present. If that year sounds familiar, perhaps it is because it is the same year that AWS S3 and EC2 became publicly available.
So, if an answer to better balancing cyber risk and policy rates is to get the proper stack built (or brought / bought) into these cyber insurance companies, where is the deal flow taking place? Or, where is the likely consolidation via M&A as innovative firms spring forth to make dents in the cyber insurance universe?
Today, if you look for funding of startups in the cyber insurance and risk marketplace you’ll find several examples. Some recent VC funding for cyber insurance and risk startups from the past 12 months include:
As for my $0.02 on this topic… I believe that there is going to be a time when ONLY machine learning and artificial intelligence real-time risk ratings are trusted to shift the cyber insurance market over time into niche pockets of bundled policies. For example, being able to a la carte the specific coverages will be a maturity not unlike what we see in vehicle coverage today where the app on your phone or an OBD-II device is real-time rating a driver’s driving habits — with some painfully learned lessons along the way.
Or, as I shared in a recent Fudge Sunday issue… in a future world, HAL may not be pleased with your infrastructure as code choices…
So, what will be the next big thing in the cyber insurance and cyber risk marketplaces?
Until then… Place your bets!
I am linking to my disclosure.