Monthly Archives: March 2018

Cyberwrite won the UK TexChange Award for Cyber Innovation

  • imgSat, 24 Mar 2018
  • imgCyberwrite

Cyberwrite is among few Israeli companies selected to join an exclusive delegation to London, for an immersive delegation to the UK including vast networking, business and investment opportunities and access to top industry leaders in London.

According to the UK embassy in Israel: “…only the top 12 startups who applied were selected to join our exclusive delegation to London this September and enjoy an immersive three-day programme including vast networking, business and investment opportunities and access to top industry leaders in the UK from companies and organizations including the National Cyber Security Center, Aviva Insurance, BT, K&L Gates, Taylor Wessing, Goldman Sachs, RBS and Visa.

Nir Perry and Inbar Raz on Cyber Insurance Challenges and Solutions

  • imgFri, 23 Mar 2018
  • imgCyberwrite

Cyber Insurance for SME’s – Challenges and Solutions

By: Nir Perry, CEO of CyberWrite, Cyber Insurance Technologies, and Inbar Raz, Advisor to Cyberwrite.

Inbar is a leader in cyber intelligence research, worked in cyber intelligence for Israeli Defence Forces for over 15 years and lead CheckPoint’s (Nasdaq: CHKP) cyber research division.

Inbar Raz – Advisor to Cyberwrite

The impact of Cyber-attacks on small and medium businesses and enterprises.


Small and Medium Enterprises are the backbone of our economy, yet they are mostly unprepared to face modern cyber threats. Tailor-made Cyber insurance could help this huge market to mitigate some of the inherent risks in doing business in the digital world, but only if certain challenges are resolved.

Looking at the latest cyber-related headlines, one might mistakenly think that cyber-attacks only target enterprises such as Equifax ,Yahoo, and recently Alteryx, a marketing analytics firm, whose breach exposed sensitive information on over 120 million U.S. households. But in reality, smaller businesses are being targeted in increasing numbers, and with growing impact. They are not big or famous enough to make the headlines, but they sure do end up in the statistics.

In recent years 43% of all Cyber attacks targeted small businesses. 51% of small businesses had sensitive information exposed or stolen according to Symantec and 60% of small companies that suffer a cyber-attack are out of business within six months. SMBs are targeted as much as bigger enterprises but are less prepared to deal with this menacing threat. Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as “highly effective”.It is therefore not surprising that SMEs have become the focus of cyber criminals, since these businesses are less prepared for preventing attacks and responding to them. 

During the last year, we’ve witnessed a new global phenomenon: Ransomware,  a malware that encrypts data on infected devices and promises to release it in exchange for ransom – usually in Bitcoin. These attacks have been hurtful for SMEs, with more than one-third of businesses suffering a ransomware attack in the last year, and more than one in five (22%) of these impacted businesses had to cease operations immediately, according to Malwarebytes.


The reasons for SMEs high exposure


SMEs are a preferred target by cyber criminals as they are less secured by nature. Various surveys show that cybersecurity maturity among SMEs is still fairly low compared to that of larger enterprises – although this situation is slowly improving. Even when  SMEs acknowledge cyber risks, they still face serious challenges which set them apart from enterprises and impairs their ability to properly mitigate cyber risks:

  1. Costly Investment: Enterprise-grade cybersecurity solutions involve costly licensing, substantial setup investment and high maintenance costs, that are usually outside the reach of SMEs.
  2. Lack of skilled manpower and Technical Expertise: Sophisticated security systems require skilled and experienced IT experts, who are difficult to recruit and place a heavy burden on payroll expenses.
  3. Minimal protection capabilities offered to SMEs: Security solutions tailored for SMEs (some of the free version of security tools) simply do not offer the same level of protection as High-end solutions.
  4. Lack of guidance and standards: In some areas, clear standard are available (such PCI-DSS compliance), but hardly any industry-wide standards are available, at least not such that SMEs can interpret by themselves.


With ever-growing sophistication of cyber criminals and businesses adopting new technologies, the small and medium companies will continue to be an easy target for the foreseeable future.


How can cyber insurance help SMEs mitigate the risk


According to a recent article, Cyber Insurance is one of the fastest growing coverage for U.S. companies. In fact, according to Fitch Ratings, one of the world’s largest credit rating agencies, the market for cyber insurance grew thirty-five percent. The cost of a potential breach and the need for insurance coverage are some of the factors impacting purchasing decision as illustrated by Hiscox, a large insurance provider:

And yet, adoption of Cyber insurance among SMEs is low, with some estimates of a penetration rate as low as 5 percent or less. Below are some of the reasons for current low adoption rate:


According to a recent survey by Hiscox – trust in cyber insurance policies and underwriters is currently low with almost a third of responders say they are not sure they will be paid in the event of a cyber breach. Some industry statistics do show discrepancies between the direct costs and insurance payouts.  Another factor hampering trust is that insurance policies are perceived as too complicated for the customers. More than one in six (17%) of those who have no plans to take out cyber insurance stated this as the main reason. Many cyber insurance policies include multiple exclusions that reduce the value of the policy and deter potential clients from purchasing these policies, as these reduce the trust that underwriters will actually pay when a breach occurs.


Cyber insurance policies are complex and include many exclusions. They are hard to understand for non-technical readers and even worse – the agents who sell them lack, in most cases, the know-how on how to sell the product to customers. In addition – different types of customers have different coverage needs. Current policies are usually a “one size fits all” and are not tailored to each business, with standard sub-limits offered to all customers. This is a problem since for some customers, for instance, confidentiality is more important than availability due to possible business impact. This is not currently addressed well.

Lack of regulation

Cyber insurance is not mandatory. Many business owners who don’t see the value will rather invest elsewhere until required to by law or regulation. In addition, cyber insurance is a fairly new product in its current version, and is not fully understood by many business owners. Following the same mentality as other non-mandatory insurance policies, many will only purchase it after the first breach or incident they suffer.

Perceived risk vs. Cost of insurance

Perhaps one of the bigger hurdles on the way to mass adoption of such policies is the fact that ordinary people know very little about cybersecurity, and cannot estimate the actual risk (or exposure) they face from cyber activities. When the risk is not fully understood or is not tangible enough (at least not when compared to everyday insurance like car and health), the value of the insurance meant to offset it is harder to quantify, thus making the insurance seem expensive.   


Some of these reasons, such as trust and complexity, can be addressed by a tailor-made underwriting process which will take into consideration the customer’s needs and adapt the coverages, exclusions, and sub-limits to fit the customer. Such policy offering will improve customer satisfaction and will also enable better control of risk levels for the insurer.

CyberWrite has set out to solve the underwriting and digital customer engagement challenges related to SME’s.

Challenges for engaging business owners and managing the underwriting process are a barrier to win the market. CyberWrite – a company dedicated to the creation of cyber insurance technologies is offering a solution for SME underwriting. Here are some of the challenges:

Classic risk assessment process is old-fashioned and non-scalable.

Most client risk assessments are conducted in an old-fashioned manner. On-site evaluations conducted by expert teams are a reasonable approach when assessing large enterprises with big IT departments and multiple assets, but are impractical when aiming at smaller clients. SMEs are interviewed over the phone or answer questionnaires over email, in a process conducted by insurances agents that are not cyber experts. Both methods have their downsides – the need to send a team of experts impacts the cost of the underwriting process, the time it requires and the burden on the client. Sending a questionnaire over email is cheap but results in an inherently inaccurate and qualitative assessment which is hard to benchmark. Both are human-centric and suffer from inherent biases and inaccuracies.

Risk assessment process is too generic and lacks historical data analysis process suited for cyber.

In addition to being conducted manually, the assessment process is generic and does not take into consideration important factors that affect the clients’ exposure.

Research shows that many carriers lack sufficient historic or credible data. This results in a “flat rate” used by many insurers, use a Base Rate with Modifications (client size, turnover, etc.) or use Industry Classification (in an attempt to control for risks to the insured based on the industry in which the client operates).

Risk score presented to the client is a generic cyber-risk score, not a cyber insurance-centric one

The would-be clients are presented with a cyber risk score, but that is not an easily understandable tool for explaining their exposure, nor do they understand how it is tied to the proposed policy. It is a cyber security score and as such uses cyber terminology and data they can’t understand or relate to, and certainly not make an educated decision regarding the required cyber insurance to match the risk score.

The Cyberwrite solution:

Cyberwrite tackles the issues above using a combination of cutting-edge technology and business model. The platform Cyberwrite developed allows underwriters to conduct very quick, accurate assessments, with little to no input required from the client. This frictionless, scalable approach is quite the opposite of sending a team of experts and interviewing the client’s IT manager. In a nutshell, Cyberwrite’s system collects open-source information available on the client, cross-references it with the clients’ geography and business sector and rapidly arrives at the following:

  1. Coverage scores
    An accurate benchmarked cyber insurance score (as opposed to a generic cyber-risk score). This coverage score is presented to the client, showing it the areas where exposure is more likely to occur, and therefore should be offset by adequate insurance coverage per that business-risk. This tailor-made approach provides the insurer with an analytic tool to match the coverage to the risk, using machine learning algorithms to connect cyber-risk parameters to insurance coverages. 
  2. Expected monetary damage
    The system calculates the expected damages for the company in the event of a breach, enabling to set sub-limits according to client size, business area, and perceived risk.
  3. Fine-tuned coverage
    By scoring the coverage and calculating the expected monetary damage – both the client and the underwriter can adjust the policy to best suit their needs.

This data-driven approach provides a granular assessment, which in turn translates into a tailor-made policy and reduces the need for exclusions. Fewer exclusions mean that the client is more confident and will be more likely to purchase the policy.

The Cyberwrite technology allows to conduct numerous concurrent assessments and quickly map clients on a risk scale.

Another benefit of the system is that it creates Standardization across all business types and sectors- inaccurate assessments (due to missing client information, insufficient time to assess, human biases, etc.) are a thing of the past, and both underwriters and clients can feel confident that the policy fits the actual exposure of the client, is properly quantified and will provide the needed coverage in times of need.


Cyber insurance is a growing market with a huge potential. To date, underwriters have not been able to achieve significant traction within the largest segment of the commercial sector- the Small and Medium Enterprises, mainly due to their reliance on outdated evaluation techniques which led them to offer “cookie cutter” policies that are not considered comprehensive or valuable enough for the end clients. By using data-driven approach and utilizing the latest in machine-learning and big data technologies, underwriters can improve their evaluation process, offer tailored policies to a much larger audience and grab a larger share of this huge, underserved market.  

Interview with Nir Perry on on Cyberwrite

  • imgFri, 23 Mar 2018
  • imgCyberwrite

This interview with Nir Perry, CEO of Cyberwrite was published on on cyberwrite and cyber insurance

Cyber Insurance is among my InsurTech trends predictions for 2018. The attention Cyber insurance receives has increased in the past year in the wake of media coverage of cyber attacks and Trump administration. Business owners may not have noticed that Cyber attacks and (black hat) hackers have been around for many years and neither have cyber insurance policies. However, until recently, cyber insurance standalone products were tailored mainly for large corporate and were not adapted to the needs of small and medium-size businesses.

According to an article, a research conducted by the National Cyber Security Alliance found that almost 50 percent of small businesses have experienced a cyber attack and that more than 70 percent of attacks target small businesses. As much as 60 percent of hacked small and medium-sized businesses go out of business after six months. The high percentage number is the reason that cyber insurance is critical for companies of all size.

To better understand the opportunity in the Cyber insurance products I would like to share with you an interview with Nir Perry, the CEO and founder of CyberWrite, a company dedicated for the development of cyber insurance technologies.

[G] Let’s start with your background. Can you share your journey to cyber and cyber insurance?[N] I have been working in Cyber risk management since 2001. I started my career in the Israeli Air Force information security unit. I worked for PwC and Accenture in Italy and consulted on risk management and security strategy to clients like Deutsche Bank, UniCredit, Allianz and similar high profile companies. In 2015I started noticing a spike cyber insurance purchasing by enterprises and anticipated the need by SMB’s which do not have the financial resources to deal with cyber threats. Due to the spike in cyber attacks in recent years with victims like Sony and Target, an increasing number of insurers stated offering cyber insurance policies for both enterprises SMB’s (Small-medium Businesses).

I gained a lot of experience and knowledge and decided to translate that into technology for cyber insurance underwriting and to build a tool that will enable customers to select a policy that fits their business’ cyber risk.

I was always eager to be a part of the innovation eco-system. Insurance for me is especially interesting since my father and brother work in the field, so I founded CyberWrite to solve some of the existing gaps in the market.

The Market

[G] Where was the turning point for this market?
[N] I think that the Target breach in 2013 was a turning point for the cyber insurance industry. The hack to Sony and the nearly devastating result motivated the market to demand more coverage and the insurance companies to offer cyber insurance policies with better coverage, and related services such as PR, Incident response, credit monitoring and disaster recovery teams to join the eco-system as well.

[G] What’s the challenge insurance companies are facing which you are solving?
[N] To underwrite an enterprise client that is looking for a $50mm to $500mm coverage, the underwriter needs to send a team to audit and to evaluate the client. It is expensive to send a team to a client’s site, but that expense is worthwhile because of the high premium that reaches hundreds of thousands of USD. On the other hand, SMB policy premium will be anywhere from $100 to $50,000, and it doesn’t make economic sense for the insurance company to send a team of cyber experts since it would kill the profitability of the whole product. There was a need for a scalable platform to serve the SMBs.

The platform can do two things. The first is to profile and provide underwriting recommendations based on a specific client based on data and limited breach historical data. The second is to enable an agent to sell a cyber policy. The agent can provide his customer with an “easy to read” report that estimates monetary damage in case of an attack or a breach. The overall goal is to enable small and medium businesses to purchase the right coverage for them. Without such tool, the insurance company does not feel comfortable providing the policy and the agent lacks the means to service the customer.

This type of insurance product wasn’t common 2-3 years ago. Today, there are new products. Insurers are making a great effort to offer new exciting products to customers to win this great opportunity. Cyberwrite is here to provide technologies to enable them to gain this market.


[G] Tell me a little bit about the leadership of CyberWrite?
[N] Besides me, the company is led by Mr. Rami Parient who brings extensive knowledge and experience as a P&C chief actuary and Chief Risk Officer with over 20 years of experience in the market. We are a great match as I bring cyber risk management experience and Rami brings decades of experience in the insurance industry. Our combined knowledge and expertise are fundamental to the success of the company because CyberWrite delivers a platform that collects relevant data in real time and translates it from cyber data to insurance coverage score dedicated to the policy of our customers. We are proud to have a team of amazing engineers in Israel and Europe, and we have an active advisory board including insurance and cyber security executives from Silicon Valley and Israel.

[G] What is your advantage and uniqueness?
[N] Our platform collects the much-needed data on the fly, analyzes it using machine-learning techniques, and provides a benchmark of the insured to over 50,000 other similar companies and a financial impact assessment in several minutes. One of our unique characteristics is that our platform conducts risk profiling and scoring for each coverage of the insurance policy! Not one score. Both insurers and broker love our concept and product for our scoring capabilities.

Also, we offer a dedicated, tailored algorithm to each insurance company implemented into our system. We developed a unique methodology and workshop to assess a cyber insurance policy of a company, and then we develop the analytics needed to adapt our system to that specific policy. No two insurance companies will get the same report.

Eventually, our capability to provide analytics in minutes enables insurers to sell more while keeping the risk under control.

“If you have customer data, or your business depends on internet services, you should consider buying cyber insurance.”

[G] What do you think about Cyence acquisition by Guidewire for $300mm after just two years of activity in the cyber insurance market?
[N] It is a validation for us that the market needs cyber technologies. It is a great motivator for us because we recognize the acquisition as a very positive signal of the need for the technology that we provide.

[G] How complicated is your product to use?
[N] Using the platform is straightforward and the best part is — you do not need to be a cyber expert to use it. The insurance agent enters the company’s name, website, and a couple of other inputs and within several minutes, the platform presents the report.

Our report has three parts. The first section of the report displays the insurer’s policy coverages, and it breaks them down to the coverage level, and a calculated cyber risk score. We add a graph to visualize the comparison between the customer and the average. It is easy to identify for which coverage the customer is riskier than the market and vice-versa.

The second section provides a more detailed risk domains analysis. For example, social exposure and security patching or regulatory risks level. In essence, our product is a benchmark platform. The third section is financial impact estimator. In this section, the agent can help the customer to digest the risk report and apply the coverage that she is looking for based on her business goals. Furthermore, the agent can present market insights and recommend coverage to meet the customer’s business risk and objectives.

All of the data we collect is public data. We do not have access to internal networks. However, because of the nature of security level in SMB’s which lacks the budget to implement an effective cybersecurity defense, this data is sufficient for us to assume the risk levels of the reviewed customers.

[G] Who is your target audience? Who is going to use CyberWrite?
[N] It varies. Our potential clients are with carriers, MGA’s, agents and even re-insurance companies.

Cyber Insurance

[G] Can you talk about your current customers?
[N] We made a soft launch two months ago (December 2017), and we are working with several large carriers. We founded the company in January 2017 and are very satisfied to see this adoption of our solutions

[G] How businesses purchase cyber insurance?
[N] There are different types of Cyber insurance customers. The enterprises would use one channel which the SMB’s would probably use another. The small business owners usually approach an insurance agent who sold them their business owner insurance for example. The problem is knowledge and data. Most agents want to provide excellent service to their clients but don’t know cyber risk and cybersecurity. We recognized this issue and made sure that our report is readable and understandable by everyone, agent and customer alike. Both can use the report as a base for discussion. As I mentioned earlier, our technological advantage is that we can “translate” cyber data into insurance coverages and map it to a policy.

[G] What does it mean?
[N] We developed algorithms that analyze which cyber data impacts which coverages and in what way based on machine learning and actuarial science. We collect cyber data and translate it into insurance policy meaningful insights that the agent, their customers, and the underwriters can use. It is a capability that currently doesn’t exist in the market. It is important to understand however that we benchmark the risk. We don’t know who will get breached; no one can provide that.

[G] There is very little information or historical actuarial tables for cyber insurance. What type of other cyber insurance products did the insurance companies use?
[N] So far, the focus in the Insurtech innovation was on large companies. Several firms provide a cyber score report such as Security Scorecard, BitSight, and Guidewire. These firms generate a very detailed report on a large company with detailed cyber data. We created something agile, on-demand which does not require you to be an expert to use. We did this based on interviews with potential clients and mapping their needs.

Regarding the historical data, the more we collect data, the more we can bridge this gap.

[G] At what stage, do you think, a business should buy cyber insurance?
[N] I believe that every business that stores his customers’ data, or any company that relies on the internet to sell or makes transactions,  needs to hedge the risk and buy a cyber risk coverage. Even a coffee shop that has a website needs one. It can be for coverage of $100,000 that will cost them $500 a year and if it is a chain of coffee shops that need coverage of $3mm what will cost about $3,000 a year. The bottom line is that every company that has customer data and do business on the internet should buy cyber insurance.

It is the only solution that would pay back damages – your anti-virus and firewall are important, but will not pay you back in case of a breach.

[G] National Institute of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC) released guidelines and tools Cybersecurity Assessment Tool (CAT) do companies use them?
[N] Enterprise most certainly do, and they use compliance and consulting services from big4 and other consulting companies to implement such frameworks into their operations. For small businesses, well… if they use anti-virus and a firewall and have a backup that’s great. But nothing near the NIST framework to the best of my knowledge. They can use the guidelines in the limitations of their budget and actual needs.

[G] What do you think about the risks that mobile devices and IoT introduce?
[N] Mobile is not a new issue. There are many cybersecurity solutions available to deal with mobile related threats for about ten years now. Companies such as Good and other Mobile Device Management (MDM) and Mobile Application Management (MAM) tools cover most of the risks and enable, for example, BYOD programs for enterprises. I rarely see this with SMB’s.
IoT is a different story. It is still an iceberg. I don’t think that we know the depth of the risk that the “IoT” is going to present. Think about a smart house that contains a smart refrigerator, a smart A/C, and a smart dog.

Our dependency as humans on these devices increases year by year. The ability of attackers, whether those who want to gain economic value or state-sponsored attackers with a goal is to cause harm to another country, to use IoT as an attack vector, increases with direct correlation to our dependency. There is still many places for improvement regarding standards business owners should be concerned about how this might impact their businesses.

I assume we will see in the next couple of years additional security solutions to deal with IoT and Personal Cyber Insurance policies to cover the risk to the household and smart-home.

[G] Thank you very much for your time, Nir.
[N] Thank you.



Nir Perry, CEO of Cyberwrite participated in a Cyber Insurance panel at Advisen

  • imgFri, 23 Mar 2018
  • imgCyberwrite

The panel which was discussing the impact of malware on cyber insurance policies was held during the Advisen Cyber Insurance conference in San Francisco, CA.

Nir Perry, Speaker at Advisen Cyber Insurance conference on the impact of malware on Cyber Policies in 2018

The panel was chaired by Florence Levy which provides consulting on cyber insurance policies to corporates and Kevin Kirst from Charles River Associates which leaders cyber investigation for fortune 500 companies.

About the Advisen cyber insurance event:

Cyber exposures are expanding at a rapid pace, with a more connected business landscape introducing fundamental threats to businesses of all sizes and shapes. This day and a half conference will outline some of these threats, using recent examples, and ask how businesses should address them, with technology and human capital solutions. How is the insurance market responding? Is there enough cover available in these developing areas of business interruption, contingent business interruption, third-party lawsuits, and systems fail to adequately address buyer’s needs?

Cyberwrite appreciates the invitation by Advisen to speak at the event.