Cyber Insurance for SMEs – Challenges and Solutions
By: Nir Perry, CEO of CyberWrite, Cyber Insurance Technologies, and Inbar Raz, Advisor to Cyberwrite.
Inbar is a leader in cyber intelligence research who worked in cyber intelligence for the Israeli Defence Forces for over 15 years and led CheckPoint’s (Nasdaq: CHKP) cyber research division.
The impact of Cyber-attacks on small and medium businesses and enterprises.
Small and Medium Enterprises are the backbone of our economy, yet they are mostly unprepared to face modern cyber threats. Tailor-made Cyber insurance could help this huge market to mitigate some of the inherent risks in doing business in the digital world, but only if certain challenges are resolved.
Looking at the latest cyber-related headlines, one might mistakenly think that cyber-attacks only target enterprises such as Equifax, Yahoo, and recently Alteryx, a marketing analytics firm whose breach exposed sensitive information on over 120 million U.S. households. But in reality, smaller businesses are being targeted in increasing numbers, and with growing impact. They are not big or famous enough to make the headlines, but they sure do end up in the statistics.
In recent years, 43% of all cyber-attacks targeted small businesses. 51% of small businesses had sensitive information exposed or stolen, according to Symantec, and 60% of small companies that suffer a cyber-attack are out of business within six months. SMBs are targeted as much as bigger enterprises but are less prepared to deal with this menacing threat. Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as “highly effective”. It is therefore not surprising that SMEs have become the focus of cyber criminals, since these businesses are less prepared for preventing attacks and responding to them.
During the last year, we’ve witnessed a new global phenomenon: Ransomware, a malware that encrypts data on infected devices and promises to release it in exchange for ransom – usually in Bitcoin. These attacks have been hurtful for SMEs, with more than one-third of businesses suffering a ransomware attack in the last year, and more than one in five (22%) of these impacted businesses had to cease operations immediately, according to Malwarebytes.
The reasons for SMEs’ high exposure
SMEs are a preferred target for cyber criminals as they are less secured by nature. Various surveys show that cybersecurity maturity among SMEs is still fairly low compared to that of larger enterprises – although this situation is slowly improving. Even when SMEs acknowledge cyber risks, they still face serious challenges which set them apart from enterprises and impair their ability to properly mitigate cyber risks:
- Costly Investment: Enterprise-grade cybersecurity solutions involve costly licensing, substantial setup investment and high maintenance costs that are usually outside the reach of SMEs.
- Lack of skilled manpower and Technical Expertise: Sophisticated security systems require skilled and experienced IT experts, who are difficult to recruit and place a heavy burden on payroll expenses.
- Minimal protection capabilities offered to SMEs: Security solutions tailored for SMEs (some of which are free versions of security tools) simply do not offer the same level of protection as high-end solutions.
- Lack of guidance and standards: In some areas, clear standards are available (such as PCI-DSS compliance), but hardly any industry-wide standards are available, at least none that SMEs can interpret by themselves.
With the ever-growing sophistication of cyber criminals and businesses adopting new technologies, small and medium companies will continue to be an easy target for the foreseeable future.
How can cyber insurance help SMEs mitigate the risk
According to a recent article, Cyber Insurance is one of the fastest growing coverages for U.S. companies. In fact, according to Fitch Ratings, one of the world’s largest credit rating agencies, the market for cyber insurance grew thirty-five percent. The cost of a potential breach and the need for insurance coverage are some of the factors impacting purchasing decisions, as illustrated by Hiscox, a large insurance provider.
And yet, adoption of Cyber insurance among SMEs is low, with some estimates of a penetration rate as low as 5 percent or less. Below are some of the reasons for the current low adoption rate:
According to a recent survey by Hiscox, trust in cyber insurance policies and underwriters is currently low, with almost a third of respondents saying they are not sure they will be paid in the event of a cyber breach. Some industry statistics do show discrepancies between the direct costs and insurance payouts. Another factor hampering trust is that insurance policies are perceived as too complicated for the customers. More than one in six (17%) of those who have no plans to take out cyber insurance stated this as the main reason. Many cyber insurance policies include multiple exclusions that reduce the value of the policy and deter potential clients from purchasing these policies, as these reduce the trust that underwriters will actually pay when a breach occurs.
Cyber insurance policies are complex and include many exclusions. They are hard to understand for non-technical readers and, even worse, the agents who sell them lack, in most cases, the know-how to sell the product to customers. In addition, different types of customers have different coverage needs. Current policies are usually “one size fits all” and are not tailored to each business, with standard sub-limits offered to all customers. This is a problem since for some customers, for instance, confidentiality is more important than availability due to possible business impact. This is not currently addressed well.
Lack of regulation
Cyber insurance is not mandatory. Many business owners who don’t see the value would rather invest elsewhere until required to by law or regulation. In addition, cyber insurance is a fairly new product in its current version, and is not fully understood by many business owners. Following the same mentality as other non-mandatory insurance policies, many will only purchase it after the first breach or incident they suffer.
Perceived risk vs. Cost of insurance
Perhaps one of the bigger hurdles on the way to mass adoption of such policies is the fact that ordinary people know very little about cybersecurity, and cannot estimate the actual risk (or exposure) they face from cyber activities. When the risk is not fully understood or is not tangible enough (at least not when compared to everyday insurance like car and health), the value of the insurance meant to offset it is harder to quantify, thus making the insurance seem expensive.
Some of these reasons, such as trust and complexity, can be addressed by a tailor-made underwriting process which takes into consideration the customer’s needs and adapts the coverages, exclusions, and sub-limits to fit the customer. Such a policy offering will improve customer satisfaction and will also enable better control of risk levels for the insurer.
CyberWrite has set out to solve the underwriting and digital customer engagement challenges related to SMEs.
Challenges in engaging business owners and managing the underwriting process are a barrier to winning the market. CyberWrite – a company dedicated to the creation of cyber insurance technologies – is offering a solution for SME underwriting. Here are some of the challenges:
Classic risk assessment process is old-fashioned and non-scalable.
Most client risk assessments are conducted in an old-fashioned manner. On-site evaluations conducted by expert teams are a reasonable approach when assessing large enterprises with big IT departments and multiple assets, but are impractical when aiming at smaller clients. SMEs are interviewed over the phone or answer questionnaires over email, in a process conducted by insurance agents who are not cyber experts. Both methods have their downsides – the need to send a team of experts impacts the cost of the underwriting process, the time it requires and the burden on the client. Sending a questionnaire over email is cheap but results in an inherently inaccurate and qualitative assessment which is hard to benchmark. Both are human-centric and suffer from inherent biases and inaccuracies.
Risk assessment process is too generic and lacks historical data analysis process suited for cyber.
In addition to being conducted manually, the assessment process is generic and does not take into consideration important factors that affect the clients’ exposure.
Research shows that many carriers lack sufficient historic or credible data. As a result, many insurers use a “flat rate”, use a Base Rate with Modifications (client size, turnover, etc.) or use Industry Classification (in an attempt to control for risks to the insured based on the industry in which the client operates).
Risk score presented to the client is a generic cyber-risk score, not a cyber insurance-centric one
The would-be clients are presented with a cyber risk score, but that is not an easily understandable tool for explaining their exposure, nor do they understand how it is tied to the proposed policy. It is a cyber security score and as such uses cyber terminology and data they can’t understand or relate to, and they certainly cannot use it to make an educated decision regarding the cyber insurance required to match the risk score.
The Cyberwrite solution:
Cyberwrite tackles the issues above using a combination of cutting-edge technology and business model. The platform Cyberwrite developed allows underwriters to conduct very quick, accurate assessments, with little to no input required from the client. This frictionless, scalable approach is quite the opposite of sending a team of experts and interviewing the client’s IT manager. In a nutshell, Cyberwrite’s system collects open-source information available on the client, cross-references it with the clients’ geography and business sector and rapidly arrives at the following:
- Coverage scores
An accurate benchmarked cyber insurance score (as opposed to a generic cyber-risk score). This coverage score is presented to the client, showing it the areas where exposure is more likely to occur, and therefore should be offset by adequate insurance coverage per that business-risk. This tailor-made approach provides the insurer with an analytic tool to match the coverage to the risk, using machine learning algorithms to connect cyber-risk parameters to insurance coverages.
- Expected monetary damage
The system calculates the expected damages for the company in the event of a breach, making it possible to set sub-limits according to client size, business area, and perceived risk.
- Fine-tuned coverage
By scoring the coverage and calculating the expected monetary damage – both the client and the underwriter can adjust the policy to best suit their needs.
This data-driven approach provides a granular assessment, which in turn translates into a tailor-made policy and reduces the need for exclusions. Fewer exclusions mean that the client is more confident and will be more likely to purchase the policy.
The Cyberwrite technology makes it possible to conduct numerous concurrent assessments and quickly map clients on a risk scale.
Another benefit of the system is that it creates standardization across all business types and sectors: inaccurate assessments (due to missing client information, insufficient time to assess, human biases, etc.) are a thing of the past, and both underwriters and clients can feel confident that the policy fits the actual exposure of the client, is properly quantified and will provide the needed coverage in times of need.
Cyber insurance is a growing market with a huge potential. To date, underwriters have not been able to achieve significant traction within the largest segment of the commercial sector, the Small and Medium Enterprises, mainly due to their reliance on outdated evaluation techniques which led them to offer “cookie cutter” policies that are not considered comprehensive or valuable enough for the end clients. By using a data-driven approach and utilizing the latest in machine-learning and big data technologies, underwriters can improve their evaluation process, offer tailored policies to a much larger audience and grab a larger share of this huge, underserved market.