In November the Japanese insurer Sompo Holdings announced it was setting up a financial technology hub in Israel, becoming the first Japanese insurer to identify local cybersecurity startups whose products could be marketed in Japan.
Why would an insurance company sell cybersecurity? The rise in cyberattacks has brought with it a rise in the financial damage they can cause. June’s NotPetya ransomware attack caused some $1 billion in damage to publicly traded companies that are required to make such assessments public; the true cost is not known.
The costs come in several forms. These include downtime, lawsuits, the loss of data, ransom payments to hackers and damage to reputations, and even a resultant decline in a corporate victim’s share price. Naturally companies want insurance coverage for all of this. The global accounting firm PwC estimated in 2014 that the value of premiums for cyber insurance would triple, to $7.5 billion, in 2020.
In Israel, companies like Menorah Mivtachim, AIG Israel, Ayalon and others sell policies mainly to the biggest businesses.
“Cyber risk is like any other risk: Either you accept it or you prevent it, or you transfer the risk to someone else with cyber insurance,” said Aviram Gavish, vice president for legal and commercial coverage at AIG.
But cyber insurance is a new field, with its own characteristic. That’s where Israelis startups of the kind that Sompo is looking for come into the picture.
“There are two inherent problems with cyber insurance,” explained Yotam Gutman, marketing vice president for Cyber DB, a Herzilya-based provider of data, news, research and analysis on vendors and solutions of the global cybersecurity industry.
“The first is that insurance companies don’t have actuarial data going back years that they can use to price policies. The second is the insurance companies don’t know what the policyholder has installed [on his network] — in other words how he is protecting himself. With a car, the policyholder passes an annual test, but with cyber if the policyholder says, ‘I have a firewall,’ that’s not enough. Maybe the firewall hasn’t been activated,” said Gutman, referring to a fundamental network cyber-defense technology
To fill this gap between demand for cyber insurance and the lack of good ways for insurers to price the risk, several Israeli companies have emerged. Their goal is to simplify the underwriting process, make it more transparent and one day reach the stage where even small businesses can buy coverage online the way that people buy travel or car insurance today.
One of these companies is Cyberwrite, a startup that conducts risk analyses for insurers that was founded by Nir Perry after stints working at PwC and Accenture.
“Cyber insurance goes back to the early 2000s, but only after 2014 did it really gain momentum after some big events like the breach of the network of [U.S. retail chain] Target,” said Perry. “At the beginning it was only of interest of Fortune 1000 companies, but this has begun to change.”
When an insurer underwrites a policy for a large corporate customer, it will take the trouble to visit the company and gather information. For smaller clients, buying policies of $1,000 to $10,000, it’s not financially feasible to do that kind of due diligence. But the insurer does need to know how much risk the company represents relative to others in the industry and what could be the maximum loss in the event of a cyberattack.
“We’ve developed a system that gathers information automatically and uses statistical analysis models so insurance companies can assess a company’s exposure,” explained Perry. “We examine what publicly available information there is on the company, whether it operates on any dark nets, even the satisfaction level of company employees. Together we determine the required level of coverage for the company, and that information helps the insurance agent and the underwriters.”
Cyberwrite was founded just a year ago and already operates two pilot programs that have generated over 50,000 reports for insurers.
Cyber Observer takes a different approach to the cyber insurance problem. Many corporate users have installed scores of cybersecurity products on their networks, and Cyber Observer does the job of examining them and giving the user a clear picture. One customer base for the company is insurers, including AIG, said company co-founder Shimon Becker.
For insurers, Becker compares his product to an insurance company demanding that a homeowner install window bars. It draws a picture of the status and preparedness of the entire cybersecurity ecosystem in near-real time, alerting the user to breaches and creating a road map for improvements. Both network operators and the insurance company can benefit.
Critics have said systems like these are really insurance for insurers, who can point to weaknesses in a policyholders’ cyber-defense as a way of getting out of paying claims.
“You can look at it that way, but you can also see it as a warning system that tells the organization what isn’t working and what needs to be checked,” said Becker. “We also provide the organization with visibility into how well it’s covered, and that can be translated into the premiums it pays. On the other side, the insurance company can take the right risks.”
At-Bay, a startup that recently raised $6 million from Lightspeed Ventures, isn’t helping cyber insurers but rather offering businesses an alternative to them. Founder and CEO Rotem Iram said from his experience working to help insurers, he came to the realization that they are used to working with “static risk,” that is, risk that doesn’t change from one year to the next.
“In cyber, the risk changes quickly,” he said. “On the one side there’s the human element, which is less predictable than fire, for example, and on the other, there’s a network that is constantly undergoing change. Even upgrading from Version 10 to Version 10.1 changes everything. Old vulnerabilities are fixed and new one emerge.”
At-Bay creates insurance policies, with cybersecurity expertise at its core, backed by a unit of the giant reinsurer Munich Re. It actively monitors clients’ risk year-round and works with them to control it.
“Citibank, which has 400 analysts, doesn’t need us to assess risk,” explained Iram. “We’re for the medium-sized market. Our strength is with companies that employ 100 to 1,000 people, although what’s more important is the level of risk. We sold a policy to a company with 15 employees, but it was an investment fund, and it’s very sensitive to risk.”