In August, Coalition CEO Joshua Motta found himself at a table in Washington, D.C., seated with Apple CEO Tim Cook, IBM CEO Arvind Krishna, JPMorgan Chase CEO Jamie Dimon, and several other technology, financial and infrastructure industry luminaries, discussing how public and private sector could work together to stem the growing tide of high-pact breaches.
Motta had a seat at the table of this high-level cybersecurity summit, hosted by President Joe Biden, because Coalition is one of the largest insurance technology (insurtech) companies in the world, and one of the top providers of cyber liability insurance for businesses in the United States. And, as Motta points out, even among various types of financial firms, insurers arguably have the most to lose when breaches cause major damage.
“There is no industry better positioned to fight cybercrime than the insurance industry,” Motta said. “Insurers have one thing in common that others do not: a direct financial incentive to protect insured clients and prevent financial loss.” Based in San Francisco, Coalition works with a number of reinsurance providers, and insures 130,000 businesses in virtually every sector, from micro-businesses to Fortune 500 companies. All of the insurtech’s commercial clients hold at least a cyber liability policy, although many also hold related cyber-insurance (say, a technology company taking out a policy to cover errors and omissions).
Just last week, Coalition launched two new related insurance products, including a directors and officers (D&O) policy. D&O policies protect the top executives and board members of companies against personal losses when they are implicated or cited directly in lawsuits. As enterprise breaches not only become more pervasive, but rack up increasingly bigger impact and financial damage (witness Colonial Pipeline), Motta points out that even smaller businesses are likely to see more blame and legal claims being directed toward the top brass as well.
Earlier in November, investors in SolarWinds Corp sued board directors of the beleaguered software company, alleging they had foreknowledge of the cybersecurity risks that led to that high-profile breach, and the subsequent spread of vulnerabilities to customers. And the monetary losses could continue to mount.
“The financial impact to SolarWinds was significant, but who knows the actual financial impact," said Kevin Kerr, lead security principal consultant for Trustwave. "Right now, there is no centralized way to measure multi-party breach impact in costs, reputations, contracts. And each affected organization would measure that impact differently.”
According to a recent survey of 1,000 small business senior executives, Coalition discovered that almost one-third of these professionals did not have insurance coverage for their top managers, because they did not know it was available. And, especially for smaller organization, the combination of financial losses that accrue due to a breach or ransomware attack, followed by more losses from lawsuits involving directors can be “catastrophic” — with the average D&O lawsuit costing even a small business more than $120,000, according to Coalition.
“Our belief is that all businesses are becoming digital businesses,” Motta explained, "and more reliant than ever on digital information, and assets [like intellect property]. Most companies’ single biggest asset is their data.” Hence, when hackers steal or ransom or erase that, they are in effect causing more damage than any physical world heist ever could.
“Cyberattacks are on the rise, it's only a question of when and not if,” says Aviad Hasnis, chief technology officer for autonomous breach security firm, Cynet. “As more and more companies are being victimized, the demand for cyber insurance greatens. When the demand gets bigger, so does the offering.”
And, seeing not only the number of attacks but their increasing impact, enterprises are taking notice — and buying insurance. In 2020, premiums for standalone cyber insurance policies leapt nearly 29% over the previous year, to $1.6 billion, according to S&P Global Market Intelligence. And the average cyber insurance premium increasing by more than 25 percent in the second quarter of this year, after already increasing 18% in the first quarter, based on a survey from the Council of Insurance Agents & Brokers (CIAB).
With breaches on the rise, qualified cybersecurity professionals becoming scarce, and the cost of maintaining a more secure IT operation skyrocketing, Hasnis believes we are seeing the emergence of a market “where different types of coverage will be offered to different types of companies, corporations and organizations, including policies that will discuss and put emphasis on liabilities from different aspects including senior management.”
Indeed, it’s with good reason companies are engaging more cyber-coverage, as attacks and ransoms skyrocket. And cyber insurers have their work cut out for them: Last year, the cyber insurance market’s loss ratio increased for the third year in a row, 25% more than 2019, to roughly 73%, according to S&P Global. The average pay-out to insured businesses for a cyber insurance claim more than doubled from $145,000 in 2019 to $358,000 last year, per Fitch Ratings.
But there’s a good reason companies are engaging more cyber-coverage, as attacks and ransoms skyrocket. And cyber insurers have their work cut out for them: Last year, the cyber insurance market’s loss ratio increased for the third year in a row, 25% more than 2019, to roughly 73%, according to S&P Global. The average pay-out to insured businesses for a cyber insurance claim more than doubled from $145,000 in 2019 to $358,000 last year, per Fitch Ratings.
“Insurance companies of the future must be tech companies first,” Motta said. “If you have the tech, you can prevent the incidents from happening in the first place, which will drastically decrease claims. In the next few years, we'll see insurance companies have both insurance and tech offerings.”