Eric Hanselman

Welcome to Next in Tech, an S&P Global Market Intelligence podcast where the world of Emerging Tech lives. I'm your host, Eric Ansel, Chief Analyst for Technology, Media and Telecom, at S&P Global Market Intelligence. And today, we're going to be discussing cyber insurance, an interesting angle that brings together some of the financial perspectives, some of the technology perspectives, a range of different aspects that all come together in this interesting conjunction. And to discuss it with me today, I've got 3 of the analyst team with me, Dan Kennedy, Tom Mason and Scott Crawford. Welcome back to Dan and Scott and Tom. Welcome to the podcast.

Scott Crawford

Thanks for having me back.

Dan Kennedy

Good to be here. Thank you.

Tom Mason

Thanks, Eric.

Eric Hanselman

Well, it's great to have you all here, and this is an area that we've really done some interesting collaboration because we think about some of the pieces that we typically cover in security. The fundamental aspect of security is all about managing risk. And I think we often focus on the technology piece of this.

But in point of fact, if you're thinking about mitigating risk, of course, one critical component of risk mitigation is to be able to transfer risk with things like insurance. Now this has been a really lively market. There's been a lot that's been going on and the technology pieces have also had such a big impact on this in that the technology that the attacker communities are using have evolved pretty dramatically.

And so we've got both a technology race and also a situation where the insurance markets are trying to make sense of what this looks like, which has led to all sorts of back-and-forth, changes in rates and a lot of different things. But Tom, I wanted to start maybe from the insurance side perspective. You cover insurance for Standard & Poor's PMI. And really, you've seen some pretty telling numbers in terms of loss ratios and premium increases and, really, from the insurance side. Can you give us a background on what you've seen in the recent past?

Tom Mason

Yes. So since the start of the pandemic, cyber insurance has just been an exceptional source of premium growth. So in the insurance world, we generally look at premiums as the size of the market. And premiums written grew 21% in 2020, as the pandemic kicked off 61% in 2021 and 48% in 2022. And that data comes from the NAIC, which is the insurance industry regulator.

And to put that in context, the entire property casualty industry, so that includes auto, home businesses, airplanes, what have you, only grew 2% in 2020, 10% in 2021 and another 10% in 2022. So as you could see, cyber just exploded, particularly, yes, due to the pandemic. But there are a few caveats to those numbers.

I would say, one is that cyber is a relatively small line of business. So if you look at cyber in relation to that entire industry, it's only about 1% of premiums written. The other is that premiums are the dollar amount of the policies sold. So if you look at the number of policies that are written by U.S. insurers, what we call policies in-force, there's definitely an uptick in demand in 2020 as ransomware attacks really started to pick up and policies in-force rose 21% that year. But they're actually down 7% in 2021 and up only 4% in 2022.

So what does that mean? The premium increases for the past few years have been largely driven by higher prices, which is what -- we call those rate increases in the insurance world. And if you look at data from insurance brokerage, Marsh, which is one of the giants in the industry, they said that prices more than doubled on average in 2021, but we have started to see that come down in 2023.

Insurance markets are cyclical. And as more competitors come into the space and write more business, we're starting to see rates -- Marsh said that pricing declined 4% in the second quarter of 2023, 6% in the third quarter.

Eric Hanselman

Wow. But nonetheless, those are some really wild swings in a business that doesn't typically see those kinds of gyrations.

Tom Mason

Yes, definitely. I could see why insurance were quick to want to get into that market, but it is a really tricky one. Relative to other lines, it's pretty hard to write because there's just not as much data on the losses. So I think the easiest thing to do is just, well, let's just price that in, make sure that we cover ourselves, and have been a bit of a huge loss.

Eric Hanselman

Well, it sounds like -- and I guess, we'll dive into some of the tech specifics around this, but this, of course, is one of those things that we think about what this back-and-forth really looks like. That's an area that we see from the technology side as well and some concerns with rates having those kinds of swings. I mean, there's a lot that's going on there.

And Dan, for some of the 451 Research's, Voice of the Enterprise survey data, you've been looking at expectations around cyber insurance and, really, what security professionals are looking at that. What are you seeing in that end user data about what's actually taking place?

Dan Kennedy

Yes, it's interesting. On LinkedIn a while back, I saw a CISO kind of humble-bragging that he managed to keep rates in the same place, year-over-year, in a cyber insurance policy. And I thought my goodness, is this emerging as a security leadership skill set, keeping premiums at a minimum.

And it is interesting to look at how is it actually affecting programs in place. Is it raising a baseline. Is it leading the programs. Is it causing a case where they're starting to pick winners and losers in the cybersecurity product categories. Something like 77% say that their cybersecurity policies require specific tools. You can see it in questionnaires, do you have a SIEM, do you have phishing protection, so on and so forth.

It's interesting to see and does it affect procurement? 15% say yes, if the security product will affect our insurance premiums. Those things are already happening at 15%. 40% saying, yes, definitely. It has an effect. 37% saying it somewhat has an effect. So now you're looking at a situation where one security vendor over another, let's say, EDR, they can make a compelling case around minimizing insurance premium raises that Tom was talking about. That puts their product ahead of another one.

So it's a little unclear if that's the right way things should be happening, but at the same time, a number of these companies, these end-user enterprises, and Tom mentioned, in the face of ransomware, are asking what should we have in place. And a lot of insurance companies are involved with the cleanup after an attack. So instead of a natural extension that technology recommendations were going to be on the way.

Eric Hanselman

Wow. So we are getting into very different territory than we would have been even just a few years ago in terms of what that expectation is. Well, and I guess, one, we're in different territory in the extent to which insurance is being leveraged as a means of transferring risk. There are so many different dynamics that start to come into this.

We think about what that starts to drive and how those potential impacts start to really be felt, I guess it's that question of around the impact of the tooling that you've got, where that happens to come in and the integration around that. And I guess a lot of this is now not necessarily proving the effication or the efficacy of the tools necessarily to your environments, but now it's actually managing that with the insurers that you're working with.

Scott, you've been writing a lot of research around this and looking into some of how this starts to manage this. But how do you see this as really shaping the extension of technology into these intersections?

Scott Crawford

Well, yes, you've put a finger on -- Tom and Dan both put a finger on a couple of things that have really driven this market. And one of the things that's just unmistakable is the rise of ransomware and the impact of ransomware is probably the most visible example of what's changed the landscape with respect to risk resilience, risk posture, in terms of cyber risk posture for organizations and how organizations measure their exposure through the impact of actual incidents.

And from the insurers' point of view, their exposure to their insureds as far as their posture, what they've done to protect their environment and so on. So this has given rise to an intersection of on the one hand, the interest of the insured, the organization seeking cyber insurance who has to build a resilient risk posture and the insurer who is accepting that risk transfer and what kind of fences do you either of them put around as far as the assessment of exposure, limits on risk, when it's appropriate to transfer, as Dan alluded, and actually measuring those kind of things on behalf of the enterprise.

And for the insurer, having visibility into the insured's posture, enough detail to confidently say, "Yes, this looks like an acceptable risk." So all of these things have come together to drive greater visibility into the risk posture of an organization, for the insured's sake as well as for the sake of that organization qualifying and being able to afford cyber insurance.

And for the insurer, the visibility in detail into that risk posture, not only at the time of qualifying for coverage, but over time, so the insurer can maintain that visibility into the adequacy of the posture to -- for the sake of continued coverage. So we've seen these drive a number of technology trends. And one of them is the intersection of these interests in a field that is generally and broadly referred to as cyber insurtech.

There are some variations around how it's referred to. But that's the general umbrella that we've seen this convergence between cyber technology and the interest of cyber insurance. And it covers some key areas. And among those are that sort of visibility into an organization's risk posture. How do you get that detail? Historically, that's been handled largely through questionnaires.

But the ability to gain that telemetry through automated reports, automated assessment that's readily obtained and able to be handed over effectively to the insurer, that's a rising area of the sort of convergence of cyber insurance technology. And another is the ability to partner with the technology providers that provide that telemetry on the one hand.

And on the other hand, partner with insurance providers, and in some case, for these providers of cyber insurtech to become carriers themselves. In fact, Tom, you've seen a number of these companies that have made acquisitions of carriers in their own right over the last couple of years. We've seen companies like -- some top of mind names probably would include the likes of Coalition, At-Bay, Corvus, Cowbell Cyber, Resilience, which is the DBA for Ocrea Risk Services, BOXX Insurance and so on.

And this field, the second with over $1 billion in venture funding alone when we looked at this last year. So it's a rising area of convergence between the cyber insurers and the technologies that give us telemetry that are the controls that assure this resilience against these more common and widespread attacks like ransomware, and to give insurers and enterprises a footing going forward into how do they measure this.

And this, again, is a growing area for another set of tools for cyber risk quantification. How does an organization actually measure its exposure. How does it apply to practices of cyber risk assessment and measurement in order, not only to measure exposure but to know where to make the right investments for minimized exposure.

So getting back to what Dan was saying as far as CISOs becoming businesses -- something of an area of expertise, I saved the company this much in 15 minutes with your cyber insurance technology, we'll save you I don't know how much a premium.

Eric Hanselman

There's an advertisement in there somewhere.

Scott Crawford

There is. There is.

Eric Hanselman

Well, but it gets into what, I think, is one of the -- well, a couple of different challenges. One, you've got to get to a point at which you can prove to your insurer that you are reasonably protected. But I think there's a point that we need to emphasize in the middle of this, which Scott you've mentioned, which is that these are risk levels that evolve over time.

And that cyber insurance was something that people were writing years back, but that a change in the attack profiles that are out there and the severity of the attacks shifted from what had been sort of the original malware version of what I like to refer to as sort of the janitorial security approach, which is, oops, malware and aisle 3.

Get somebody out there with a mop and a bucket. Let's clean it up. We'll reimage a few systems, and we'll get it fixed to the shift to what more effective ransomware attacks are doing, which is really creating an existential business risk that a successful attack can put you out of business and that, that has so dramatically changed this, and I'll make the case, will continue to change as the nature of attacks continue to evolve.

And that, that's something the insurance industry is really having a hard time reacting to because if you take a look at most insurance, the insurance environments, you're working on actuarial tables that are expecting probabilities of risk, percentage loss, those kinds of things. I mean, Tom, you've seen this swing really dramatically in terms of what insurers are actually -- how they're managing this and what they've had to do to account for this, right?

Tom Mason

Yes. Loss ratios are all over the place, depending on the insurer that you look at, it's just a really hard business to predict, like, I would say, you might have -- so typically, in the insurance industry, you talk about frequency and severity. And both of those can just be unpredictable in cyber. So as much as hurricanes damage things, they are very predictable.

We know they happen at this time of the year and they tend to happen every year. You can actually plan for how much you think you're going to lose each year. But with cyber, it's just -- it could be a gigantic attacker. It could be a small one. A lot of companies have stopped paying ransoms now. So it's -- as you said, the market just evolves really quickly, and it's really hard to plan for.

Dan Kennedy

Tom raised a great point there, and that's one of the interesting pieces of data of the folks who have had incidents, 54% were sort of covered for the incident in terms of its total cost or their estimation of its total cost, which unfortunately means that 46% of folks who had incidents were partially covered or not covered.

And that's something that enterprise security folks need to be highly aware of, the expectation to be able to transfer the risk may not be there depending on the way the policy is written, what's covered. You don't want a nasty surprise what your ransomware payment is not, in fact, covered.

Eric Ansel

Well, I mean, we went through some of these initial challenges with things like NotPetya in which you had insurers initially identifying that this was an act of war. That, in fact, this was a breakout of an attack tool that was targeted at Ukrainian infrastructure or Ukrainian economic interests and basically then pulling back.

And you get into this question of, is cyber insurance now an effective means to transfer risk. And if then, to your point, there's an expectation that you're really not going to get significant coverage, then that starts to really shift the extent to which an organization can rely on it.

Dan Kennedy

Yes. I mean, they defined it -- potentially defined as an act of war and we've seen evidence in the industry that insurers will attempt to have you prove that it's not a country-level attack, so it doesn't fit in that category and most enterprises are not equipped to do that level of attribution. So it gets into some very strange places.

And yes, we're a long way from WannaCry and NotPetya. I mean, the entire ransomware space has moved from smash-and-grab or opportunistic to pretty targeted monetized intrusions with some eye-popping ransomware payments. And think back a couple of years to Colonial and CNA Financial, JBS Holdings, those are some very large payments that were involved in those attacks.

Scott Crawford

It's been one of those kind of fields that there's been some precedent setting and caselaw has helped define the nature of cyber risk exposure and insurance along the way as well, too. One of the things with respect to the exposure to things like ransomware, one of the brokers mentioned to me that we don't have the ability to predict the future, but looking backward, we do a pretty good job of ruling out the stupid when it comes to some consistent exposures.

And that's a lot of what's been exploited in terms of ransomware. That's one of the things that they're pretty consistently focused on. Are there things that can be done to improve cyber hygiene that we talk about a lot. But organizations have ongoing struggles with things like you hear a lot, "Well, just patch."

That is a lot -- that is way oversimplified in the case of a lot of organizations. But still, there's a middle ground to which the insurers would like organizations towards with greater consistency, things like that. And organizations are getting to the point where they can begin to competently embrace some techniques for measuring their risk and exposure and those kind of ways and exposure to active real-world attacks.

But when it comes to coverage aspect that you mentioned and exposure to things like cyber warfare and is this actually an act of war, there have been some court cases already that have actually ruled against the insurer saying, "You can't really claim that." And in response, some of the insurers have started to curtail their coverage with respect to acts of war.

You mentioned the situation, Ukraine. Lloyd's made a move in that direction. They clarified their position on what constitutes an act of war in the cyber realm early in 2023. So the insurance industry is responding to these events, responding to the insurance industry's response to these events in a lot of cases. It's an evolving landscape and will continue to be going forward.

Eric Hanselman

Well, it's something where, I guess, -- I know I personally, my initial reaction is, wow, the idea that insurance perspectives are now going to drive security investments is -- I had this moment where I was like, whoa, we're in a very different world. But in reality, that's actually the way that a lot of the world outside of security works, that insurance concerns drive building codes. They drive a whole range of different aspects of how industries operate. And I guess I wonder, is this an indication of the maturing of the market? AND is this just inevitable? Or are we going through a phase of adjustment?

Dan Kennedy

Depends on the direction it takes. I always go back to the -- as an application security analyst, I always go back to PCIs original somewhat clumsy implementation of the application security standard, where, essentially, it said you can have a WAF or you can implement a comprehensive code validation and then testing program.

So unsurprisingly, a number of folks went with the WAF option, and it drove an industry of network device WAFs that had a mixed level of success. So to me, is the pseudoregulatory control, creating a more effective baseline? Or is it attempting to lead the market? And the first one is probably appropriate and the second one probably isn't.

You don't necessarily want an innovative -- you don't want to create winners and losers in an innovative space based on sort of what's happened already. So as Scott said, hygiene is effective, creating a better baseline is effective. But when you start to recommend specific vendors or very specific product categories, you can sort of get into trouble a little bit.

Eric Hanselman

Well, and all for those who listen to aren't familiar with it, to clarify, PCI is the payment card industry and the PCI DSS standards came out, geez, I don't know when was the first version was at least a decade or so ago maybe. But the idea was that the payment card industry was driving security standards because the concerns were that there were significant losses of payment cards.

Basic credit card numbers were getting exposed and they set a bar for the kinds of security capabilities that you had to have in place and a process whereby you got audited. And if you didn't pass your PCI DSS audit, you weren't able to handle credit cards and or are there various strictures on what you could do in terms of handling credit card information.

And that really was transformational, but it's -- that -- here, you had, Dan, to your point, a semi-regulatory environment that is looking to go drive these capabilities. And the shift -- and I guess, I don't know, I look back at the origin of Underwriters Labs, most of us sort of look at UL sticker on all sorts of odds and ends of things and saying it's a seal approval on whatever it happens to be.

But the thing I've always found fascinating is that Underwriters Labs originally was founded to rate the resistance of safes to attack. And there were various Underwriters Labs ratings for the safe that you'd have in your bank or your business as to how long it would withstand various types of attack.

And if it was a brute-force attack with tools, crowbars and hammers, a skilled attacker with torches or dynamite, all sort of these classifications, which were used there, it seems like we're kind of getting into that same environment with overall security standards in that the -- our insurers are looking to start to evaluate the efficacy of various products and how long they will resist various types of attacks. Are we headed in that direction?

Scott Crawford

Good luck with that. I mean, we know ourselves. We track -- we don't exactly track, but we do see over 3,000 vendors in various aspects of cybersecurity, more or less, depending on whose number you're looking at there. But it's a really complex environment. So when someone like the broker who says that we rule out the stupid says that we have eyes on things that are pretty consistent, that's really what they're looking for at this point.

What are the consistent exposures that can be mitigated with some reasonable level of effort to reduce overall exposure for all concerned, for enterprises and insurance as well. But the level of detail they have to get into for that visibility, that posture, that's the tricky part because of that growing complexity of the cyber technology environment and the need to have that telemetry consistently available without so much overhead and human effort that it becomes basically just an untenable and much too general summary of, yes, we have this. We have that, so we're fairly well mitigated against this type of exposure.

So that aspect of cyber insurance and technology convergence is still progressing. But yes, it's a very complex space. And to kind of illustrate that. I mentioned earlier that a lot of people say, "Well, just patch." And one of the -- even if you had a very good sophisticated patching system in place, we saw with the SolarWinds breach that those trusted systems can themselves be exploited to deliver malicious content in the form of what appears to be a legitimate software updates.

So simplistic answers generally aren't going to carry the day, and the adversary knows that. They have the ability to focus on the opportunities that will yield the greatest reward for them with minimal risk exposure on their part, and they'll target the exposures that are the most fruitful for them. And with ransomware, we had seen that pretty consistent for some years.

Dan Kennedy

Well, I was going to say -- it's interesting. I'm just looking at an insurance questionnaire before the call, and one of the questions is applicant has a SIEM. This is close to Scott's world, and it correlates the output of multiple security tools. And if you think through that question, it's like, all right, what does that actually tell me.

Yes, you have a SIEM, okay. How many systems in the enterprise are sending data. Is the SIEM ingesting data from 50% of systems, 80% of systems. Is someone looking at the results of the SIEM. Is it monitored 24 by 7. So do I have something in place that's not a SIEM like an XDR, but it acts like a SIEM, but it's not called a SIEM.

And so for someone even filling out the questionnaire, which is still the most common instrument for insurance procurement, and as Scott mentioned before, 39% are now using telemetry as well. So that's significant and continuing to become more significant. But even a simple question sets you off in about 5 different directions in terms of, okay, what's the real efficacy here.

Eric Hanselman

So are we heading towards an audit? Are we heading towards -- I wonder -- we're living in a day and an age in which car insurance, you can get discounts if you've got an onboard data port telemetry device. Are we getting towards a situation in which my insurer from a cyber insurance perspective is going to want some kind of real-time telemetry about what my security posture looks like?

Scott Crawford

Real-time, I don't know how sophisticated that sort of telemetry and visibility would necessarily have to be in real-time, but something that's reasonably current, I think, is probably enough wiggle room for the industry to have some sense of ability to validate the controls in place. Do they line up with the insurer's expectations, and more importantly, the insurers' recent past experience with losses and claims.

But yes, the parallel that you draw is very apt. That world of telematics, which Tom is familiar with in terms of sort of ongoing monitoring exposure like from driving habits based on the monitoring of an onboard diagnostic board in the car, for example. We've seen that pretty readily applied already in those fields.

And there is a direct parallel. In fact, one of the insurers, AIG had put forward its program very similarly named Tele -- CyberMatics for that similar sort of visibility into telemetry in the environment. So that's an objective with the level of detail that real-time currency has to line up with the claims and the loss data that's meaningful to the insurer, and that is going to be somewhat lagging for the insurer.

But as that one broker said, our ability to look backwards and rule out things that are common exposures, that's really kind of what they're looking for. And I expect that to pretty much remain consistent going forward, barring any major incidents that would change that perspective on their part.

Eric Hanselman

Well, Mr. Crawford, you had a whole set of phishing attacks. So your phishing attacks were up. I saw the middle of last year, so I don't know. We're going to have to do with your rates, so.

Tom Mason

I don't think insurers have to be the bad guys. Telematics freaks some people up in auto, but as Scott said, in auto, too, some insurers, they'll just monitor you for a period of time, and then they're like, okay, we think we know what kind of driver you are from here on out.

But I also like how a lot of start-ups have kind of taken the good neighbor approach. So when you get into a car accident, you might just want to call your insurance company because you're freaked out and that's a lot of these cyber insurtechs have started doing, too, particularly in the middle market.

Scott Crawford

Yes. The middle market...

Eric Hanselman

Like a good neighbor when ransomware hits.

Tom Mason

Exactly.             What do we do.

Scott Crawford

Well, that expertise aspect is not to be overlooked. I mean, it's not just about technology, not just about insurance, it's also about how do you get there. So expertise on the part of the providers, particularly in that evolving cyber insurtech space, but also partnership with managed and professional security services providers, to offer that guidance and be available to help organizations guide their efforts and offload the functionality for monitoring and telemetry to the extent that it's useful for the organization.

Eric Hanselman

Yes, basically being able to do the -- if you're in an accident, call us. We've got the ransomware response capabilities. We know how to manage this. That's interesting. It seems to be really sort of wrapping that in very similar models in terms of where that goes.

Scott Crawford

Yes. Looks very familiar.

Eric Hanselman

Well, fascinating discussions. And there are so many other things that I'd love to dig into, but we are unfortunately at time. Thank you, all of you, for all of these perspectives. I will point our listeners to a lot of the research that's going on in -- across this area as well. And clearly, this is something that will be evolving, so a conversation that's certainly going to continue. But thank you all for being here.

Scott Crawford

Thank you, Eric, for having us.

Tom Mason

Yes. Thanks, Eric.

Dan Kennedy

Yes, thanks again. Glad to be back.

Eric Hanselman

And that is it for this episode of Next in Tech. Thanks to our audience for staying with us. And thanks to our production team, including Caroline Wright and Kaitlin Buckley on the Marketing and Events team and our agency partner, the One Nine Nine.

I hope you'll join us for our next episode where we're going to be talking about smart cities and the technology that's driving I hope you'll join us then because there is always something Next in Tech.