Cyber insurance is a specialty insurance product that protects organizations from liabilities arising from cybersecurity incidents. General liability insurance policies provide very limited coverage for such events, giving rise to specialized products to cover both first- and third-party liabilities arising from cyber incidents.
AI and machine learning are helping insurers better assess and quantify risk across an ever-evolving threat landscape. These tools assist in pricing and underwriting while helping insurers continuously monitor client systems (and by extension, their portfolio risk) and obtain insights to improve security posture.
Data breaches and ransomware extortions can potentially cost a company millions, making cyber insurance an attractive investment at just a fraction of the cost. Such policies are particularly helpful for smaller businesses, which often lack adequate resources for strong cyber defense, as an attack can threaten their existence in most cases. While not a complete replacement for standalone cybersecurity solutions, the insurance policy and its bundled value-additions help companies by cushioning the financial impact, helping with incident response, and improving their overall security health.
The cyber insurance industry features companies that provide cyber insurance (either as a pure play startup or as part of a wider commercial offering) as well as companies that offer risk assessment, rating, and modelling services. Most disruptors in this space are pure play insurance providers—a segment that also accounts for the highest funding, with companies such as Coalition and At-Bay being among the highest funded.
Companies in the commercial insurance segment mainly offer commercial property and casualty insurance policies and have introduced cyber insurance to complement their existing product portfolio. Most incumbents, being larger commercial insurers (such as Allianz, AIG, AXA), fall under this segment.
Both pure play players and commercial insurers follow a hybrid model, where cyber insurance policies are bundled with value-added services such as technologies and human experts to help policyholders manage cyber risks and post-incident response.
Companies that offer risk assessment, rating, and cyber risk modelling solutions, help cyber insurance brokers and underwriters to assess and quantify risks of both potential and existing clients. These services help with underwriting and ongoing portfolio management decisions. Incumbents in these segments have entered this industry mainly through acquisitions.
The incumbents in the cyber insurance industry mostly consist of large, established commercial insurers who offer cyber insurance to complement their existing commercial insurance products. Similar to disruptors, the incumbents also follow a preventative approach to cyber insurance by bundling value-added services such as tools to identify threats and manage risks, along with access to cybersecurity professionals to assist in response strategies.
Incumbents such as Aon and Brown & Brown have acquired smaller commercial insurtech startups to absorb technologies and accelerate their entry into the cyber insurance market. Additionally, partnerships have also been prevalent, with the most common partnerships being with 1) other insurers— to share capacity and best practices (Liberty Mutual and AIG), 2) technology companies— to offer insurance as a combined offering (Allianz and Apple, Munich Re and Google), and 3) cybersecurity providers— to provide bundled solutions (Allianz and Check Point Software).
Incumbents in the risk-related segments of risk rating, assessment, and modeling have entered the industry through acquisitions, in a bid to launch cyber risk services, on top of their existing product offerings.