The threat of a small business cyberattack has introduced a conundrum for the rising InsurTech market. The demand for cyber insurance is on the rise, with the sector expected to reach a $7.5 billion valuation by the end of the decade, with small businesses a rising customer demographic. Yet those small companies remain one of the largest targets for fraudsters, with nearly half of attacks targeting small to medium-size businesses (SMBs) — making them risky clients for insurance providers.
The cyber insurance market is an emerging sector, Sayata Labs CEO and Co-Founder Asaf Lifshitz explained in a recent interview with PYMNTS, and insurance providers are facing some tough hurdles in underwriting and risk mitigation.
"Insurers lack the legacy experience to thoroughly ascertain the level of cyber threat small and medium-sized businesses face," he explained, adding, "The relative infancy of the industry combined with a lack of data to make smart policy decisions presents a major challenge to insurers and businesses alike."
Understanding a company's cyber risk exposure involves the analysis of troves of data connected to a business's internal systems, historical events, supply chains and business partners' exposures, and more. The industry currently operates without a single source of this kind of data, and providers, forced to analyze clients on an ad hoc basis, end up delivering a wide range of policy coverage and costs.
The lack of standardization stems from limited automated technologies available to the sector today, explained Lifshitz. Questionnaires remain commonplace for insurers to understand client practices and risk exposures, he said, pointing to the "unfortunate irony" of the "fundamentally digital risk" of cyber attacks being analyzed in an analogue, manual fashion. As such, artificial intelligence and Big Data are quickly becoming essential components of the cyber insurance market's underwriting processes.
While analysts could predict five years ago that the cyber insurance market would be a booming one today, the same may not have been said about small businesses. Yet high-profile attacks and data breaches — Lifshitz pointed to the Equifax breach and NotPetya as two prime examples — means many entrepreneurs and executives can no longer ignore the threat as they once did.
Among the biggest realizations that corporates and small businesses can make in the cybersecurity space is that an attack is not a matter of if, but of when. Research from Allianz Global Corporate & Specialty released in February found that while cyberattacks are not yet the biggest cause of financial losses to corporates (that designation goes to fire and explosions), experts predict cyber-related losses to climb toward the top of the list.
Separate analysis found that sales of cyber insurance policies have grown by about 25 percent every year, per reports, but experts warn that disputes between corporates and providers are rising, too. According to Mactavish Technical Director Rob Smart, the disputes stem from misunderstanding and a lack of transparency between what organizations believe they are covered for and what their policy actually contains.
"Most cyber policies are written in a fairly restrictive way and there are points of uncertainty over how far the cover will extend," he said.
The rapid expansion of the cyber insurance market has occurred in spite of ongoing confusion and a lack of clarity among both business policyholders and insurance providers themselves. As the industry continues without a centralized database, standardized underwriting practices and manual risk analysis tools, that confusion will persist.
Technology, Partnerships Address the Gaps
According to Lifshitz, the good news is that in addition to small businesses increasing their awareness of cyber risk and, subsequently, options for cyber insurance, insurance providers are simultaneously embracing technologies to digitize and automate the underwriting process. Electronic data is "key" to adequately analyzing risk, he said, as are open sources of data of businesses, their partners and their supply chains. As the industry continues to grow, artificial intelligence will find a more prominent position in the underwriting process, too.
But as the market evolves, Lifshitz noted that insurers will have to look beyond technology to adequately analyze their customers' risk levels. That could mean collaborating with partners like Sayata, which works with insurers to enhance their risk analysis processes, or other FinTechs that can provide the kinds of technologies needed.
It also means fostering a strategic relationship with small business policyholders, he explained, to not only better understand risk exposure, but to support the development of a holistic cybersecurity strategy. After all, Lifshitz said, it is a win-win for insurers and small businesses alike when policyholders are protected.
"It is mutually beneficial for the businesses to be as secure as possible," he said, adding that it is key for companies like Sayata to both provide insurers with adequate risks assessment capabilities, as well as provide small businesses with "actionable insights to improve their cyber posture and raise cyber-security standards across the industry as a whole."