How would you best describe the current state of the cybersecurity insurance market?
We think there’s a perfect storm brewing for cyber insurers.
Cyber insurance covers a risk that is as near 100% digital as is possible. Surprisingly, much of the $7.8bn cyber insurance market is still analogue. But the greatest danger is that underwriters price policies blind to the underlying risks. Unlike other sectors, cyber insurers lack the data to accurately measure the value at risk for an individual policy, let alone across their portfolio. Making matters worse, cyber criminals are constantly innovating and exploiting opportunities, most recently those created by the mass exodus to home working.
In recent years, how has artificial intelligence helped evolve cyber risk prediction in the insurance sector?
AI has transformed other insurance sectors dramatically. Data about individual behaviours enables usage-based insurance for auto and health policies and better premiums for individuals who are careful drivers or regular exercisers. AI supports on-demand insurance for specific items and events and enables faster, customised claims settlement. In cyber, AI is typically used on aggregated data gathered from external sources. Risks are priced at the generic level and black boxed; something the insurers dislike as they see their core competence as pricing risk. As such, there is no ability for individual (usage-based) pricing.
In what ways are Insurtechnix “disrupting” the marketplace today?
We are the only company that can provide insurers with a complete ‘inside-out’ view of each individual policyholder risk and the key risk areas across their portfolio. A key objective is to improve our client’s loss ratios relative to the industry average. It’s relatively easy to write insurance; it’s far more difficult writing profitable business in cyber where risks are continually changing.
Our ultimate vision is to combine AI, advanced analytics and automation to drive material uplifts in profitable revenues for cyber insurers. As far as policyholders are concerned, cyber insurance applications and renewals become completely pain free – there’s minimal paperwork as all the data collection is automated. They also get a free risk management tool that’s been developed specifically for non-technical business users. And because policyholders are actively managing risks, they can drive down their insurance costs.
How exactly does the Insurtechnix Limited project assist insurers in better pricing cyber risk premiums?
Quite simply, we enable cyber insurers to write the right policies at the right price.
Our technology, developed through funding from Innovate UK, constantly collects and measures the value at risk and the key risk factors on every device in an organisation and then calculates the value at risk for the organisation as a whole. We alert the organisation to threats and prompt remedial action. This enables organisations to actively manage and report on their cyber risk exposure.
The aggregated data is continually fed through to the insurer providing a real-time measure of the value at risk and potential exposures of policyholders. Because we collect data at the device level, we provide the insurer information about their exposure to specific risk categories across the insurer’s entire portfolio.
The SolarWinds breach is a highly topical example. While only the US Treasury is confirmed as a target, 18,000 companies are known to have installed the poisoned Orion software. On the same day the breach was announced, InsurTechnix instantly audited all our users’ devices for the affected software and sent alerts where necessary. And any cyber insurers would get an immediate update on the risk status of their portfolio.
What is the purpose of this project?
The primary purpose of the Innovate UK project is to transform the cyber insurance market, so that British insurers lead the world in the high-growth global cyber insurance market. Furthermore, we want insurers to have instant access to aggregated and evolving data to better price cyber risks; improve their profitability and reduce earnings volatility.
The project will also allow UK businesses to better manage their cyber risks and reduce vulnerability to cyber-attack and/or data breach at much lower cost. Through Innovate UK, good risk management is rewarded through reduced cyber insurance premiums.
What has been the response from insurers to this project?
The project completed in February 2020. There was strong and immediate interest from innovative cyber insurers but follow-on proof of concepts were put on hold during the pandemic. We are planning to restart these in early 2021.
Can you give some real-life examples of how this system has been put into practice?
Over the summer, we conducted a study with a large financial services organisation. The primary purpose was to quantify the value of their at-risk data on PCs which were being used for home working. This organisation had good cybersecurity systems and practices: all their operating systems were patched and up-to-date, all their devices had antivirus installed and on, and all devices were on networks that blocked RDP access.
However, we established that their potential exposure to a cyber attack was 100x greater than what we had been expecting. We were expecting a probable value at risk of between £1.6m and £16m. What we found was that their maximum potential exposure was ~£7bn with a probable value at risk of between £160m and £1.6bn.
The reason for this was that five of their senior executives had downloaded their entire customer data (including sensitive personal data) onto their home devices. We also identified a number of vulnerabilities to current exploit kits for ransomware. We immediately removed the vulnerabilities and the CISO was able to persuade the five execs to remove 90% of the data from their devices.
Fiona Kinghorn, Co-founder and CEO of Insurtechnix, a leading UK software company which offers a simple, cost-effective cyber security solution for SMEs.
Insurtechnix’s research is funded by UK Research & Innovation (UKRI), which is focused on innovating the UK by developing Next Generation Services within professional services.
UKRI aims to advance AI’s role in the insurance sector by commissioning research and funding projects that will ultimately help achieve this goal.