Shostack + Friends Blog Archive


"Cyber" Insurance and an Opportunity

There’s a fascinating article on PropertyCasualty360, “As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to highlight some excerpts that caught my attention:

Parisi observes that pricing has also become more consistent over the past 12 months. “The delta of the pricing on an individual risk has gotten smaller. We used to see pricing differences that would range anywhere from 50-100 percent among competing carriers in prior years,” he says.

I’m not quite sure how that pricing claim lines up with this:

“The guys that have been in the business the longest—for example, Ace, Beazley, Hiscox and AIG—their books are now so large that they handle several claims a week,” says Mark Greisiger, president of NetDiligence. Their claims-handling history presumably means these veteran players can now apply a lot of data intelligence to their risk selection and pricing.

but the claim that there are several breaches a week impacting individual insurers gives us a way to put a lower bound on the number of breaches that are occurring. It’s somewhat dependent on what you mean by several, but generally, I put “several” above “a couple”, which means 3 breaches per week, or 150 per insurer per year, which is 600 between Ace, Beazley, Hiscox and AIG.

Then there’s this:

Despite a competitive market and significant capacity, underwriting appetite for high-risk classes varies widely. For instance, schools have significant PII exposure and are frequent targets of attacks, such as the October 2012 “ProjectWestWind” action by “hacktivist” group Anonymous to release personal records from more than 100 top universities.

So schools can be hard risks to place. While some U.S. carriers—such as Ace, Chartis and CNA—report being a market for this business class, Kiln currently has no appetite for educational institutions, with Randles citing factors such as schools’ lack of technology controls across multiple campuses, lack of IT budgets and extensive population of users who regularly access data.

Lastly, I’ll add that an insurance company that wants to market itself could easily leap to the front of mind for their prospective customers the way Verizon did. Think back 5 years, to when Verizon launched their DBIR. Then, I wrote:

Sharing data gets your voice out there. Verizon has just catapulted themselves into position as a player who can shape security.

That’s because of their willingness to provide data. I was going to say give away, but they’re really not giving the data away. They’re trading it for respect and credibility. (“Can You Hear Me Now?”)

I look forward to seeing which of the big insurance companies, the folks who are handling “several claims a week”, is first to market with good analysis.

One comment on ""Cyber" Insurance and an Opportunity"

  • Chris Hayes says:

    “The study found that personal identification information (PII) was the most typically exposed data type, followed by private health information (PHI). The average claim per breach was $3.7 million; however, large claims of up to $76 million skewed the average. The typical loss cost insurers about $200,000. Third-party damages represented the single largest component of claims.”

    There are details to business / cyber insurance policies that are not listed in this article. For example:

    – Most companies will retain loss amounts up to a certain amount before they leverage risk transfer options. What this implies is that the numbers listed above make up more of the “unexpected loss” portion of an aggregate loss curve and are not reflective of the cost of most operational risk incidents / loss events that occur in organizations.

    – Specialized liability / business insurance products are just one of many risk management tools in an integrated, controlled master risk transfer / management program.
