Insurers tap cyber security ratings to limit liabilities

By Hannah Kuchler for Financial Times

New breed of start-ups aims to assess strength of companies’ defences against hackers.

When a single cyber attack brought down several major sites including Spotify, Twitter and the New York Times, it highlighted a problem insurers have been puzzling over: how do you predict whether large companies will fall victim to a cyber attack all at once, like houses in a hurricane?

The distributed denial of service attack on Dyn, a provider of domain name services to large companies across the world, showed how companies in different industries and different parts of the world can be reliant on the same infrastructure.

A new generation of cyber security start-ups is trying to solve this problem of a widespread attack, helping insurers analyse the risk of writing cyber security policies for individual companies, how to price them and how to balance their portfolio so they do not accidentally insure the cyber equivalent of all the houses in Florida. With the market for cyber insurance forecast to grow to more than $20bn by 2025, according to forecasts by Allianz, insurers are looking for help to understand the fast-changing threat from hackers.

Stephen Boyer, co-founder of Bitsight, a ratings firm for cyber security, counts seven of the top 10 global cyber security companies among his clients. “I think cyber insurance is probably the most important thing to happen in the cyber security world ever,” he said. “It will be transformational in the way that insurance has transformed building codes and car safety.”

Bitsight recently announced a fundraising of $40m, led by GGV Capital, as it expands to cater for insurers’ desire to know more about the security weaknesses of their potential — and existing — customers.

It collects data on whether companies appear already to be compromised or it can monitor user behaviour, such as an employee found to be downloading from peer-to-peer websites. It also collects information on breaches from freedom of information requests.

Then, it creates a model that rates companies on a scale and insurers use the rating to decide if applicants get coverage. A healthcare company was recently turned down for cyber insurance because Bitsight found it had an X-ray machine compromised by malicious software, according to Mr Boyer. Its analytics help insurers diversify their portfolio by highlighting aggregations of risk — for example, if all the companies depend on one cloud service provider, or on a domain name services provider such as Dyn.

“In cyber insurance, [website] down time is an event you can claim on that lost revenue, so if something goes out that widely across the book, they will have to pay out,” Mr Boyer said.

Bitsight is also working with insurers to monitor insured clients’ security in the same way car insurers put devices in cars to track whether the driver is careful.

Symantec is taking this one step further with its security software. It has been experimenting with insurers to bundle it with their cyber security insurance. The real change could be for small businesses, which have increasingly been targeted by hackers as the most vulnerable.

Roxane Divol, senior vice-president and general manager of website security, said Symantec is now piloting bundling its Norton product with small business cyber insurance in Japan and Europe.

“Every single insurer we have spoken to, most of the top 20, sees cyber insurance as their next big opportunity,” Ms Divol said, adding that a couple of years ago they started with very large companies. “They see it as a new opening to expand the offering to the lower end of the market, to small and medium-sized businesses.”

High-profile attacks such as the breach of US retailer Target, where hackers entered through a smaller supplier, has led many larger companies to demand their partners have robust cyber security and their own insurance.

SecurityScorecard, a start-up backed by Sequoia Capital and Google’s venture capital arm GV, has developed a letter score rating for every company in the world.

Sam Kassoumeh, co-founder and chief operating officer, said that as well as catering for insurers, it has seen large companies putting clauses into contracts with suppliers indicating that they must keep up their SecurityScorecard score.

“Essentially, you’re told you have to maintain at least an 80 per cent rating or better, so if you go below 80 per cent for more than two weeks, it could be audited or the contract cancelled,” he said.

Arvind Parthasarathi, chief executive of Cyence, whose investors include IVP and insurance-focused private equity firm Dowling Capital, said he built his company to bridge two worlds: the world of risk, where business people at gatherings like the World Economic Forum fret about cyber security as an existential threat, and the IT industry, gathering at events like RSA and Def Con, talking about the new technologies.

“The whole idea is we want to quantify risk in dollars, not firewalls,” he said.

Mr Parthasarathi also sees the focus in 2017 switching to how to insure smaller companies, with the US National Cyber Security Alliance reporting that up to 60 per cent of hacked small and medium-sized businesses go out of business six months after a cyber attack.

“They face one of the biggest challenges, without the budget, the technology and the services.”

First appeared at FT