Cyber insurance is quickly becoming a must-have amid cybercrime, ransomware, and daily threats. The problem is that wading through insurers is a bit daunting. With that in mind, I went shopping.
For large enterprises, cyber policies are increasing the cost of doing business. Large firms such as Equifax, Marriott, and SolarWinds all had coverage to cushion the hit from high-profile data breaches. Smaller enterprises may not have the coverage.
Also: What is cyber insurance? Everything you need to know | Cyber insurance roundtable: Why cyber insurance has a supply issue
I have a few working theories about the cyber insurance market.
- This year — 2021 — will be the year that cyber insurance evolves significantly. It’s possible that cyber insurance will be required for businesses much like home and auto.
- The market is dominated by massive insurers targeting large enterprises, but there will be segments of the marketing targeting mid-sized and smaller businesses.
- Cyber insurance could be part of a cloud services stack. For instance, Google Cloud’s partnership with Munich Re and Allianz is a start, but cyber insurance could be resold by cloud providers, web hosting, and other parts of the business technology stack.
- While cyber insurance may become part of a tech bundle or at least easier to acquire, there will be multiple players gunning for policies in a fragmented market. Reportlinker projects that cyber insurance will be a $70.6 billion global market in 2030, up $5.6 billion in 2019.
In any case, cyber insurance scouting needs to commence for businesses. According to the National Association of Insurance Commissioners (NAIC), the top 20 cyber insurance providers accounted for 92% of the market in the US.
According to NAIC, AXA is the cyber insurance market share leader based on standalone policies. AXA’s cyber insurance covers North America and writes policies for data breach response and crisis management, privacy and security liability, business interruption, data recovery, cyber extortion and ransomware, and PCI among others.
AXA also provides risk mitigation resources via partners and an online service called CyberRiskConnect. Here’s a sample policy.
AIG’s cyber insurance can be standalone or added to an existing policy as an endorsement. AIG also offers three cyber insurance products.
- CyberEdge, which covers the financial costs due to a breach as well as first-party costs.
- CyberEdge Plus to cover physical world losses caused by a cyber event including business interruption and property damages.
- CyberEdge PC, which can be added to traditional property and casualty policies.
AIG also offers threat scoring and analytics as well as tools to prevent attacks. AIG has a network of vendors to restore and recover, too.
Cowbell Cyber aims to automate data collection with its cloud platform, provide observability and monitoring, and then combine it with risk scoring, actuarial science, and underwriting. The company recently raised $20 million in venture funding.
The company’s portfolio includes cybersecurity awareness training, continuous risk assessment, and pre- and post-breach risk improvement services. Cowbell Cyber also has a free risk assessment service called Cowbell Factors, which adds a freemium element to selling cyber policies.
Corvus has a host of business insurance products but has a bevy of first-party cyber insurance offerings for business interruption, system failure, cyber extortion and ransomware, and breach response and remediation to name a few.
The company, which recently raised $100 million in venture funding, uses a broker-focused approach to use AI to analyze data to predict and prevent loss. The data Corvus brings together helps policyholders, underwriters, brokers, and reinsurers address market requirements. Phil Edmundson, CEO of Corvus, said that artificial intelligence and data science can simplify the cyber insurance workflow. “If you try to read a cyber policy even knowledgeable people would find it challenging,” he said.
Travelers takes a broader approach to cyber insurance, with plans designed to mitigate risks for companies of all sizes. The insurer has cyber insurance plans for technology companies, public entities, and SMBs.
The company bundles pre- and post-breach services provided by Symantec and a hub to evaluate risks.
Travelers policies fall into these categories:
Compared to the big insurers, Beazley isn’t a household name, but NAIC rates the firm No. 4 with 11.2% market share just behind Travelers.
Beazley’s headliner is Beazley Breach Response, which is a customized policy based on a company’s situation. Beazley claims to be the “world’s best designed cyber insurance solution.” Beazley also covers breach response services for up to five million people.
For companies in specific industries, Beazley looks like an option. Beazley counts healthcare, higher education, hospitality, financial services, and retail as target industries.
Allianz provides cyber insurance on a standalone basis but is now partnered with Google Cloud along with Munich Re under a program called Cloud Protection +. The pairing is likely to move Allianz as well as partner Munich Re up the cyber insurance rankings.
While the big-name insurers are going after the large enterprises, midmarket companies may gravitate toward a specialist. Midmarket companies often have their own tech providers since they are often ignored by large enterprise vendors.
Cyber insurance companies may also shortchange the midmarket. Resilience offers cyber insurance with a few interesting perks. First, it combines insurance and expertise like the large players. And, second, Resilience includes a program where customers can earn credit to put toward security services and products.
Hiscox specializes in cyber insurance for small businesses. The firm is also spending heavily on marketing but is worth a look. The company offers a training academy to shore up small business defenses, or what it calls the “human firewall.”
According to Hiscox, its cyber insurance covers lost business revenue and data recovery costs, money lost to phishing, defense against fines and privacy lawsuits, and breach response. The Hiscox policies also include digital media upgrades. It doesn’t cover criminal action, fund transfer, infrastructure interruption, and prior acts of knowledge.
More notable providers
There is a bevy of other providers — and many insurers offer cyber insurance as part of a broader package of business offerings. Among those that looked interesting: