What is Cyber Insurance?

Daniel: Every business unit, even if they’re unknown, and even if they only have a website, faces cyber exposure. So a lot of it is basically a misconception that cyber, “There’s nothing to get here from me,” says a small business owner with five people that only has a computer or maybe a point-of-sale cashier system, but it’s not true. It’s going to hit you as well.

Ricky: In today’s conversation, we’re going to be talking all about cyber insurance with Daniel Kasper, who specializes in the field of cyber risk and cyber insurance. While it’s not a pure play in terms of computing technology, cyber insurance is something newer and less technical, with important financial modeling and math considerations in addition to traditional cyber security. He got involved in cyber security working as an intern for KPMG Germany and has worked as a managing general agent, which is a type of wholesale insurance broker focused solely on cyber security. He has both a Bachelor’s and a Master’s in Economics and is currently pursuing a PhD in cyber risk quantification and its macroeconomic implications.

He’s the principal behind the website cyber-economics.com, which aims to bring some of the research and knowledge about quantitative cyber risk management out of academia and into the open. Without further ado, Daniel, welcome to the show!

Daniel: Thank you for having me.

Ricky: A lot of people have heard of health insurance, car insurance, and words like actuary, broker, agent. Let’s just break it down. What goes on behind an insurance plan or a structure? Explain it to me like I’m five.

Daniel: So usually, the split you do in insurance is between life and health insurance on the one hand, and property and casualty on the other hand. Now, there’s certainly a difference in modeling and requirements for capital. And cyber is a property and casualty insurance type. So within property and casualty, for example your car insurance, there are also more or less standardized insurance types, again, car or building insurance. You have like hundreds of years of loss histories. People are very good, because they have such rich and structured data, at being able to price and to come up with sensible coverage options for everybody. In the insurance business, you basically have primary insurance and reinsurance, and the primary insurer is basically the one you go to. So they’re also working together with brokers. And depending on if you’re a private person or a small business, for example, you usually have one broker you go to, and they help you to cover your losses against unforeseen incidents.

Cyber is now a new type of insurance, and it covers you against several elements, but mainly against malicious third parties.

Ricky: So cyber insurance, you would say, is a form of property insurance then?

Daniel: Yes, it’s property insurance, and also liability insurance.

Ricky: What is cyber insurance not? So we talked about what it is, but maybe shed some light on some misconceptions people might have about what isn’t cyber insurance.

Daniel: So the term “cyber” in an insurance context usually refers to a man-made risk. This is the big distinction that a lot of laymen don’t make.

They think of a Matrix type of thing, where you have some hackers, or mistakes and errors, at the root of cyber insurance. And sometimes errors and omissions, for example, are included in a cyber policy. Usually this is a different insurance type, but cyber usually refers to hackers and ransomware. Now, at a small level, for example, take a retail store or something that’s not usually thought of as a tech-field business. So a mom-and-pop store down the road, 10 employees, they’re selling maybe groceries or antiques or something like that. You wouldn’t think that these kinds of businesses actually need cyber insurance, or that they have this exposure towards cyber. But this is already a misconception, and if not now, it will be coming in the next years.

Ricky: What are the main selling points or value propositions for having cyber insurance? Because on first thought, people might say, “Oh, well, obviously, I want to be insured against hackers and ransomware,” but then they might think, “I don’t have that much money for my business,” or… Why would a larger company want something like that?

Daniel: Starting with data privacy laws, everybody is exposed to cyber liability to some extent. So if there’s an antique shop, for example, that gets hacked, or maybe also has an error or something like that, and leaks its customer database or other personal sensitive information, then they are looking at fines. On the other hand, we have a ransomware wave, especially now during COVID-19, accelerated incredibly, so we are looking at 300 or 400% more attacks with ransomware in the last eight months.

And basically even these small, non-tech businesses also have exposure towards cyber, and they can get coverage for what’s usually covered under cyber insurance. So if this applies to mom-and-pop stores and non-tech businesses, then of course it also applies to medium-sized companies. And then it also basically goes to large companies who, at the very least when they come to be indexed on the stock exchange, start to face harsh regulatory requirements as well as punishment if they are not fulfilled. So the main proposition is, for small stores, “Look guys, you don’t even have a dedicated IT department. You don’t even know how to handle your own IT in many cases. Are you really aware, or do you know, what’s going to happen when a breach happens or something like a hacker attacks you?” And the more you go from medium to large, it is, “Okay, guys, everything you have is sensitive. If one of these databases is set up wrongly, or you get hacked, or maybe there’s some very sophisticated stuff…”

By the way, I should mention, it’s not just external parties, but also internal parties. Disgruntled ex-employees, for example, who are the perpetrators in cybercrime. And if you don’t have that, cyber insurance is a very elegant way to not only cover yourself against the financial hardships that might face you, but also to get competent people via the insurance company, who basically do nothing else, to help you in the incident case.

Ricky: That’s really interesting, where you said everybody is going to start to need cyber insurance. Because you look at businesses: if you are a brick-and-mortar store, you have real estate property, you’re going to have some kind of fire insurance, flood insurance, something to insure against natural disasters. And when you look at the occurrences of natural disasters, they’re actually much fewer than something like getting hacked, or these man-made cyber occurrences. And especially, even if you don’t get hacked, what if your shop is used as a launch point, to pivot, as a proxy to attack another company? And now you might be on the hook because you didn’t secure your own systems and you were involved in that.

Daniel: Exactly. This is the primary split that you also do in cyber insurance coverage. You do it on first-party damages, so basically the damages you suffer as the insured party, and liability and third-party claims. This is basically when your systems get used to attack somebody else, or a worm or a virus gets spread through your email list to your customers or employees or whatever.

Ricky: What do you think is hindering the more mainstream adoption of cyber insurance? Because people are talking about it, but you don’t see it as standardized as other forms.

Daniel: On the demand side, so basically the risk owners, the businesses themselves, they’re looking at cyber, “Yes, this could happen to me,” but they usually don’t believe it until it has happened to them or somebody in their immediate circle. There’s this meme of SpongeBob, for example, where they go, “This is the cyber security budget before something happens, and this is the one after it happens.” And it’s like a wallet full of money getting opened, “Yeah, let’s spend everything.” So this, sadly, is exactly how it is currently. So the lack of awareness and the abundance of invincibility thinking: this can’t happen to me, nothing can happen to us. And especially a misconception of what a hacker wants. So you always have this kind of hoodie guy, the stereotypical Mr. Robot, or somebody plugged into the Matrix. Most cybercrime doesn’t happen as targeted actions. Now, these things, those advanced persistent threats, are usually reserved for high-value targets, or a special kind of thing. But every business, even if they’re unknown, and even if they only have a website, faces cyber exposure. Be it through ransomware, which in most cases or almost exclusively spreads untargeted, but also being hit by misconfigurations of your website and stuff like this. So a lot of it’s basically a misconception that cyber, “There’s nothing to get here from me,” says a small business owner with five people that only has a computer or maybe a point-of-sale cashier system, but it’s not true. It’s going to hit you as well. This has slowly and gradually changed in the last three years. And now in the COVID year 2020, we see a huge spike, not only in ransomware attacks, which by some estimates increased by 400 to 500% now, but also in the awareness that’s basically associated with these ever-increasing hacks, and also the frequency that you see in the media covering those high-profile cases where the whole company doesn’t work anymore for months sometimes because ransomware has locked out their computers.

Ricky: That’s a great point you make with the hacking risks and the cyber risks. It’s not like these hit teams, the specialized ninjas that come and steal things or do things; it’s more like cat burglary, just vandalism, and pickpockets, and this just happening generically. They’re very opportunistic.

Daniel: And automatic. Like an automatic opportunism, basically, through most systems.

Ricky: Okay. What are some of the factors that go into a cyber insurance plan?

Daniel: On the one hand, you have the coverage elements. So basically, what you want to cover under it, or what you don’t cover under it. Again, you split it up between first-party and third-party coverage. Now for first-party coverage, the usual elements are the cost for forensic and cyber security services. You have legal firms that are often involved when you have a data breach.

Sometimes they come in for the client to basically act as a fiduciary, also against the insurance company. You have business interruption, which is one of the most treacherous of all the cyber risks. It’s basically, through a cyber attack, “I’m not able to run my business because my IT is down,” or, “Maybe even the Feds come in and shut down the whole operation because, I don’t know, everything was leaked.” On the third-party side, you usually have defense costs against not justified claims from a third party. So when somebody sues you and says, “Okay, we got our personal information hacked here through your system or through your mistake.” You have media liability, which often is also included, which basically means somebody hacks your Twitter account, or as in your case, your YouTube account. These reputational damages are usually also included in the first-party coverage for the insured party themselves. And the other big part in the third-party liability coverage are fines. Now, the US has a long history of quite strong regulations concerning data privacy. For example, you have HIPAA, which concerns health-related data. So if somebody like a hospital, for example, leaks data, then there’s usually a huge fine associated with that. And on the side of normal consumers, you have, for example, in 2003 already, a data privacy act in California.

So if through a hack you have costs that arise from such an incident, then these are usually also covered in the third-party coverage of a cyber insurance policy. Then it comes down to the hard financials. On the one hand is the coverage, so basically how much the given policy pays out as a maximum. Then you have the deductible, which is the amount of money that you have to pay for any given damage before the insurance policy starts paying out. And then usually you have sub-limits associated with all of these. So for example, media liability might be 1 million, the whole policy might be 10 million, and the costs that are covered for cyber forensics, for example, might be 5 million. So these are basically the main factors on a cyber insurance policy.

Ricky: That’s interesting, because it looks like the structure behind a cyber insurance policy isn’t very much different than something like health or car. It’s kind of inherited those qualities, such as: if you’re driving a car and you wreck your car, those first-party damage claims that you might be covered for, like the repair costs at the auto store. So now the people servicing you, or the lawyers involved, or the doctors and medical professionals involved, will get paid out, or you’ll get covered because the insurance company is paying those service providers. And now, if you wreck somebody else’s car or injure someone, I don’t know, a politician or someone who’s well-known, and you’re drunk driving, there would be liability, media, reputational stuff there. So we talked about the pricing structure where you pay your premiums to the insurer for a payout in case you get hacked. And there’s a deductible that you have to co-pay before you get your payout. So how much does a coverage or a plan actually cost? Like for maybe a small, medium, large, a hundred, a thousand, ten thousand employee type of firm?
Daniel: Usually the number of employees is one of the important factors in pricing, but the most determining one is the coverage limit. If you’re looking for a million in coverage, whether you have one hundred, one thousand, or ten thousand employees might be a difference of, let’s say, 20%. So a 10,000-employee firm pays 20% more than what a 100-employee firm pays. But if you increase the coverage from 1 million to 2 million, for example, then the price might double or go up by 50%. So rather than looking at employees, it makes more sense to look at coverage to give you a broad sense of what it costs. And for a coverage of 1 million, and let’s say a deductible of $50,000, they are probably looking at annual premiums of about $1,000 to $1,500. And if they want to increase that again, to 2 million in coverage, for example, then they might be looking at $2,200 to $2,500. The important metric here is basically the relationship between coverage and the price. And again, this is way more sensitive towards an increase in coverage than in employee size. Now for large firms, and this is effective for all firms, basically, it matters which industry you’re in. Now HIPAA, for example, for hospitals, there you’re looking at way higher premiums usually than in a brick-and-mortar store. So for HIPAA, for example, if you have $10 million in coverage with a deductible of maybe $500,000, you’re looking at annual premiums of maybe a quarter of a million dollars, again depending on several factors as well. But this is basically what you’re paying. A small business pays like 0.1-0.2%, maybe 0.5%, of the coverage someone wants in cyber insurance. And something like a hospital that is looking for larger coverage, like 10 million, is paying 2.5% of that as annual premiums.

Ricky: How do you quantify cyber risk in financial and economic terms, such as getting hit by ransomware or getting hacked? For a coffee shop, it’s very different than maybe for a hospital.
Daniel: The first thing you mentioned is also very fitting already. And this is the split between economic damages and the insurable losses from that. There are some types of losses, basically, associated with every cyber incident, which are not coverable or not covered, at least currently, by cyber insurance policies. So you have a split between what’s insurable and what the total damages are. And then the split between a coffee shop, again, as maybe a brick-and-mortar kind of business, versus something like a hospital, which has a lot of private data, and again, for example, is covered under the healthcare data privacy act. So under HIPAA, for example, where you face definitely harsher penalties than the coffee shop. You have to say that the modeling for cyber damage is still very nascent. So insurers have taken on a tremendous amount of risk already, in the billions of dollars in premiums written, and in a bad year… So usually you express that in the actuarial sciences as a 1-out-of-100 event. So in 1 out of 100 cases, what’s the loss that we’re facing? For example, in 2021, given my cyber portfolio of whatever, 100 million in premiums, we’re looking at, like, 50 billion or something. So the whole cyber insurance industry could be looking at 50 billion in damages next year, if it’s the 1-out-of-100 event. The question really is, “Okay, how do we model this?” And let’s say the straightforward approach is to look, “Okay, what were the cyber damages, cyber incidents of the past? What of that can be attributed in terms of damages? So can we quantify what was lost?” And then also, in the next step, what of that would have been insured or would have been insurable? Now, this fails to some extent. There are definitely data sets out there, and there are vendors that offer data sets for that. And this is basically the baseline that we have had in the market for maybe five years now.
One of the key characteristics of cyber is that the threat landscape is ever evolving. So even if we have the perfect estimation for 2019, for example, for any given company, or industry sector, or like the whole world, we would not have the same predictive value as for car insurance, where, if autonomous driving doesn’t come into play, we basically can look at 50 years of loss history. And we also know that the 51st year would have very similar losses to the period before that. So these are basically the challenges. And there are certainly some ways; it’s very similar, actually, to pandemics when it comes to ransomware attacks. It has more characteristics of a pandemic than, for example, of car accidents, because the spread and also the recovery and so on are more similar to how COVID, for example, spreads than to how a car accident spreads. We try to model cyber as every other line of insurance. This is not as potent here because of the factors that I mentioned, and this is basically ongoing research, which is of great interest to academics as well as to the industry sector. And this basically includes the primary insurance, the reinsurance, the capital market, everybody who is a stakeholder in this, including, for example, cyber security firms who come in to remedy the claims. Everybody is looking at how to model these damages, and even more important, model the correlation between damages.

Ricky: So just to recap, let’s bring it back to cars. You have 50 years, maybe even 80 years’ worth of history of car accidents, and the amount of damages that each of those has incurred, everything from the little dings or fender benders to total chaotic, multi-chain highway disasters. You have an amplitude in terms of the price differences in the cost for insurance. We could call that one sigma, or two sigma events in terms of the standard deviation. And we know that in the entire existence of the car industry, there’s only been maybe three sigma or four sigma in terms of damage.
Kind of like if you go to a hiking park or next to a river, they mark the water elevations throughout history, and so you have your 10-year flood, 50-year flood, 100-year flood. And because we don’t have very much history in terms of cyber and the data, you could have a 12 sigma event. Maybe that’s WannaCry that just completely destroys your entire model. And now your insurers are out of money because they didn’t account for that.

Daniel: Not only are they out of money, but broke in some, like, very bad scenarios. And the requirements for insurance companies basically don’t allow you to take on that much risk when there’s so much uncertainty involved there. The point you made about the floods, and the peaks of the floods, is also a very famous problem in actuarial sciences. Let’s say we have 10 years of loss data, or in this case, flooding data. How can we predict a 100-year event, basically? How can we get from a sample of 10 years to what’s the worst case out of 100 years, basically having to take into account 90 years for which we don’t have data? And yeah, this is basically the problem that we have right now.

Ricky: So what are some broad categories of cyber risks out there? Maybe ones that are actually insurable, and the ones that are not.

Daniel: One of the vectors that is insurable and probably most dangerous in 2020 is ransomware. And for ransomware, what is covered is not only the cleaning of the system, so basically getting rid of the ransomware and unlocking the systems, but also possible payment of the ransom, usually by Bitcoin or another cryptocurrency, and even the negotiation process, which, as we’ve seen, is, to be honest, quite ridiculous sometimes. Where basically the insured party, or the insurer, or a third party that’s tasked with doing the negotiations, is basically like in a chat interface. They’re like haggling over thousands of dollars or something.
And the hackers say, “Okay, we need 30K or something to unlock your systems.” And then they go, “Yeah, look, we can only do it for 10.” And then they go like, “Okay, do 25,” and so on. So it’s like a silent auction, sometimes, going on, and all these threats are usually covered. And all these costs that are incurred by that are covered by a cyber insurance policy. And when I say “usually,” that means like 95% plus of policies, but again, in 2020, this is the most dangerous vector, also the reason why to get cyber insurance in the first place. Besides ransomware, on the first-party side, we also have costs that are associated when a hack occurs. So looking basically for the leak that was possible, an unpatched server, something like this, maybe a Citrix client that wasn’t properly configured. And basically the reinstatement of systems back to whatever the normal level is, and usually also a small forensic analysis to see if this was the only leak. So to make sure, “Okay, we have patched it, and nobody can enter.” And then what might not be as obvious is the massive legal costs that are usually associated with cyber risk on the first-party side as well as on the third-party side. But you can see, for example, if you have stakeholders, or if it’s an exchange-listed company, they are looking at, of course, a lot of compliance in the aftermath of a cyber attack, to not only inform the stakeholders and shareholders, but also to make sure it’s properly fixed, unless you want to face huge liability from shareholders going forward. And on the third-party side, again, liability for every lawsuit basically gets involved, and also the media liability when you’re basically damaging the reputation of somebody else through a hack. And on the stuff that’s not insurable, and here we should say what’s not usually insurable. So there are some policies where you can buy it as an endorsement, basically.
So you pay a little bit more, and then you get these inclusions. On the exclusions side, things that are not covered under cyber: there is a war exclusion in many cyber policies. So this came in with NotPetya, because the official line now of the United States and the United Kingdom is that it was Russian hackers that were responsible, and NotPetya was mainly used on Ukrainian servers. So the theory is that Russia used it against Ukraine to weaken their cyber security and whole economy. And as opposed to like a war-like kind of weapon, this is usually stuff that’s not covered under affirmative cyber insurance policies. And this, by the way, is a point of ongoing litigation. There’s a very famous case in the cyber insurance law sector between Mondelēz, they are the producers of Oreo and Toblerone, a huge multinational company, and they’re suing their insurer, Zurich, to the tune of $100 million in a policy that, in Mondelēz’s eyes, should have been triggered by NotPetya. And Zurich claims it’s the war-like exclusion, basically saying, “No, we aren’t going to pay because this was like a war-like attack, and therefore we will not pay out this $100 million.” Besides the exclusion itself, usually what’s also not covered, but is usually available in other lines of insurance, is intellectual property. So it’s very hard to quantify how the loss of intellectual property directly hits you. But again, in other standalone insurance types this is then insurable, but you are out of the box of cyber insurance.

Ricky: So essentially, in a cyber insurance plan, there are certain factors already built into the model, and things that you can’t include or account for, such as getting a bomb dropped on your car by a foreign actor; that is not insurable. And something like the intellectual property, all of the losses that would have been incurred, or all of the money that you would have made if you didn’t lose your IP; there’s no real way to determine that. So that’s also not insurable as well.
So it’s kind of this trickle or knock-on effect.

Daniel: By the way, you find this ripple effect, these interdependencies, everywhere in the cyber value chain: be it in coverage, be it in potential losses, be it in actual losses, be it in correlation between damages, be it on the modeling side, be it in how the insurance sector, between primary and reinsurer, is set up. So interdependencies are basically everywhere when it comes to cyber and really looking at the risk.

Ricky: So let’s say I’m McDonald’s, right? I’m some big multinational company, and I want me some cyber insurance. Walk me through the process of what I need to do.

Daniel: So if you’re McDonald’s, you’re a huge player. You have a huge exposure to cyber, and you will likely not get as much coverage as you want. From current numbers, basically, the biggest cyber insurance coverages that are out there are between a billion and two billion. Now at these sums, again, where you have these huge exposures as huge companies, you’re not going to your local agent or broker. These are usually specialty insurance products. And the biggest marketplace for that is Lloyd’s in London, which has about 10% of the global insurance premiums overall. And it’s especially focused on these risks that are not insurable anywhere else, be it because it’s hard to price, for example, like the voice of a singer or the legs of a football player, which, by the way, all happened in London, or be it because the coverage amount is not large enough so that a normal insurance company would be comfortable taking it on. So McDonald’s probably, directly or indirectly, goes to Lloyd’s and says, “Okay, we have such and such exposure to cyber, and we want to buy a billion in coverage,” and then you go through all the coverage elements that you want to have covered. Now, in the case of McDonald’s, you have a lot of employees on your payroll, and also, I would imagine, a high turnover. So you’re very liable against third-party losses there.
And data privacy is probably, most likely, the most important risk that you want to have covered. At Lloyd’s, they have so-called “syndicates,” which are like more or less small insurance companies, but they’re usually all sitting in the Lloyd’s building in London. So probably what’s going to happen there is that you have like 10 syndicates, they’re going to slice it up, and they go like, “Okay, I take 5% of this, and syndicate B is taking 10% of this, and syndicate C is taking 20% of this.” And again, this will not be a straightforward process, so it’s not as easy as getting car insurance. Besides the audit, you have a lot of negotiations as well, not only on the price you pay in premiums, but also on what is covered and what is not covered. I would imagine it takes like two to three months for McDonald’s.

Ricky: Okay, so let’s scale it down just a little bit. What if it’s just some local, very local credit union, or some very tiny boutique bank with maybe under $100 million in assets and maybe under 100 employees?

Daniel: This gets a lot easier and more straightforward at this point. So as a small retail bank, for example, the two possible channels are either through the broker or agent with whom you have all your other insurance policies. This usually then is the so-called “add-on policy” or an endorsement of cyber. Now, this basically is in your fire insurance; they ask you, “Okay, now this new fire insurance type that you made doesn’t include cyber, do you want to include cyber?” And then you can book it on top of the fire insurance, of your property insurance, of every other insurance that has it. So this is basically having this as an add-on, and the easiest way to do this is to go to your broker or whoever is your channel to get all your other insurance products. Now the other way, which is also very similar, actually, is to go on the Internet; this would be more like direct insurance sales.
And then you contract directly through a website, or a phone number. One of the carriers, they usually give you more likely a standalone cyber policy. They’re just like, “Okay, we have here cyber standalone insurance for you, which covers, for example, the mentioned first-party losses like breaches and ransomware and so on.”

Ricky: So, broad brushstrokes, what are the number of players, brokers, customers, dollars? How do you measure the overall scale of the cyber insurance market? What does that look like?

Daniel: So there are some regulatory filings that have to be made in the US, for example. And the US is probably somewhere between 60% and 80% of the overall cyber insurance market in the world. Now, the best estimates that are currently out peg the whole cyber insurance market worldwide at $5 to $6 billion. And the growth rate in the last year was about 30% annually. And other important metrics are, of course, the number of carriers that offer cyber insurance, which currently is about 160 providers in the US, as far as I know. And the other important metric is how the cyber insurance market is performing. So, the general property and casualty market, so all your car insurance, building insurance, your home insurance, everything like this: if you take together all the premiums that the insurance sector is taking in, and you basically look at it against all the claims that are made, basically everything that’s paid out, the whole P&C industry makes about 1-2%, call it net margin. So of $100 billion that the insurance sector, the P&C niche, takes in, they’re making about one to two billion in profit. But the whole P&C market has about $3 trillion in outstanding premiums currently, 2019. For cyber, in the US market in the last three years, the margin was more like 20%. So in the last five years, and again, the market is growing by 30%. So in 2020, the market, it’s like compound interest, right?
So the market in 2020, if it grows by 30% every time, was, I think, like six times bigger than it was five years ago. In all those years, on average, the cyber insurance carriers, the insurance sector, make 20%, roughly speaking, as a net margin on every dollar they’ve taken in premium. So the cyber insurance market has made 10 times as much profit on the same number of premiums taken in as the whole P&C industry. And this is the very surprising fact, because we know that the underlying risk of cyber is ever increasing. And this will be very interesting to see, because through COVID, basically, the risk itself… most insurance policies, like 80% or 90% of insurance policies, are entered into on the first of January. So on the first of January 2021, we will see how the market reacts. But we already know from, basically, industry sources and what the big insurers are putting out there, that the damages of course have increased; as I said, the ransomware claims have increased by 500%, 600%, and therefore also the price, and also the willingness to provide capacity by reinsurers is decreasing in terms of capacity, and the price is increasing. So we’re also in a very interesting phase right now, and in the next few months we will see how exactly COVID also impacted cyber in quantitative terms. Qualitatively, we already know it has been a huge hit and cyber damages are increasing.

Ricky: Wow, that is fascinating. So as a recap, the traditional insurance industries, non-cyber insurance, are making almost 10 to 20 times less in profit than cyber insurance, even though you would expect cyber insurance to be riskier, and newer, and to have to pay out more payouts than the traditional ones. And 30% year over year, annually, means it doubles in a little over two years. So two years from now, you would see a $5 billion market become over a $10 billion market, which is quite large.
Ricky: So what are some of the biggest players in the cyber insurance field that actually offer coverage and plans? Like, who are the big-name, marquee guys, and maybe versus some of the smaller players that will provide it?

Daniel: Looking at the market, the US market is by far the largest one, probably accounting for 60 to 70% of global premiums, maybe even a little bit more than that. And there are about 160 US carriers who are offering cyber insurance. And this has risen tremendously in the last years. So basically, every medium to major insurance company in the US will likely have a cyber insurance policy. Now, the actual five biggest players, and we know that because the National Association of Insurance Commissioners, I think it's called, they make every insurance company that's licensed in the US fill out a so-called cyber supplement, where they really have to give concrete numbers on how big their portfolio is, how many policies they have in force, and so on. Currently, the biggest insurers for cyber by portfolio size are: Chubb, then followed by AXA US, AIG, Beazley, and Travelers Insurance.

Ricky: So you mentioned the audit for the large players; with the smaller players going through the add-on or endorsement, do they have to go through audit and negotiation as well of their own computer systems and their processes?

Daniel: That depends on the size and also on factors like loss history. So if you're a business that has been hacked like two years ago, then this will likely trigger an audit, if you're not super small. So if you're not making less than 100K in turnover a year, usually the loss history itself will trigger an audit. But this barrier is very flexible, basically, for non-affected businesses so far. So in Germany, it again depends on industry. So which industry the business is in, and also on some other factors. A bank with $100 million turnover, for example, would likely face an audit.
And if they slim down to like, I don't know, $30-40 million, you probably don't have an audit. But again, this is very jurisdiction and country dependent. So McDonald's would have a more or less standardized audit after ISO 27001, for example. So in terms of effort, that would be like 30 person-days, for example, that are required for this audit. If it's a smaller company, again, maybe on the fringe of this barrier to get an audit or not, it might be a one- or two-day job where you have people remotely looking in there: "Please show us your policies. Please show us your backup management." Some of them are also self-assessments and self-questionnaires. For very small companies without an audit, basically, everything is a self-assessment, because you have to check these 10 security boxes, for example. And it's a very fluid process, basically. And some of them are like mini-audits, basically, just for cyber insurance. And some of them are more standardized audits. Pentesting, usually, is not part of it, at least if it's not a huge company like McDonald's. And the business continuity plan, for example, at some size. So if you have like $50 million turnover in the financial field, that's like 200 employees, I would imagine, then you also would have an audit going for whether you have a business continuity or IT system services continuity plan in place. But these would be part of an audit, not pentesting and all this technical stuff. And the gist of it is, yes, it's still more primitive and non-technical than a cyber security professional would think currently. But as mentioned, the market is hardening, security standards are going up, and the price is going up as well, so this is likely not to continue in the next two to three years.

Ricky: So let's say I get hacked, and now I need to file a claim. What's the process for doing that once I already do have cyber insurance?

Daniel: Most carriers offer a 24/7 hotline, depending on which jurisdiction you're in.
So in Germany, there are some players, basically, that offer to do all the claims management themselves. So you call them, and then they contact you and see, "Okay, what's the problem?" And then they either have in-house teams to do the remediation, or they get third-party vendors and service providers to help you, and they do the management and so on. Now, the US way, for compliance reasons, seems to be that the US insured party usually contacts someone from a list of suppliers and vendors, and basically does the contact and so on on their own. So in this case, you basically have this list when you start a cyber insurance policy, and then you have all the players: KPMG, for example, or more technical, smaller boutique kinds of cybersecurity firms, and you contact them yourself. And they go like, "Hey, guys, I'm insured with, for example, Chubb, the biggest insurer currently, and I need to have somebody look at this. I'm pretty sure we have a ransomware case here." And then basically, the supplier contacts you or sends the bill, maybe to you, maybe to the insurance company, and then the claim gets paid as well.

Ricky: So, do your actuaries, who have their math models, actually go in and determine the level of risk to provide you insurance? How much specialized cyber expertise do they actually need, or are they working maybe in tandem with a customer's own in-house IT and security staff?

Daniel: You're seeing now cyber teams that consist of cyber actuaries. So these are basically people who only do modeling of cyber. They definitely have a lot of cyber expertise. I have six people; some of them are cyber risk engineers, cyber risk professionals, and some of them are more or less traditional actuaries that also might be modeling damages other than cyber. And you mentioned the IT personnel of the affected party; these are usually not involved in the modeling, but maybe in the underwriting process.
So the underwriter is the one who makes the decision: do we insure Company A or do we not insure it, and if so, on which conditions. And so the actuary usually doesn't have the direct link to a customer's IT personnel. And on the other hand, of course, they try to gain second-hand kinds of information from the claims through that. But it's not like they're usually in contact with each other. But your own cyber risk engineers, and especially those on the claims side within the company, they are definitely in talks. And generally speaking, cyber is a very collaborative topic. And it's a little bit like mixed martial arts, for example. That's the way I think about it. So in the 1990s, for example, when mixed martial arts was born, quickly it was clear that jiu-jitsu, and like wrestling, and going for the jugular, like the weak points of the human body, is better than boxing and taekwondo and so on. Then, it was like the pure mixed martial arts in the beginning, but then it converged. So then, it wasn't like a unified karate, jiu-jitsu against wrestling; then it became just mixed martial arts. And this is basically the process that I'm seeing right now. We have really dedicated cyber professionals, most of them with industry experience in other insurance types and cyber security lines. But I'm pretty sure we will come quickly to a point where people might, right out of university, for example, start to only do cyber risk modeling, cyber risk engineering, really looking at this thing as a whole.

Ricky: So do you ever see cyber insurance becoming available for maybe individuals? Because a lot of times people themselves are subject to maybe ransomware, or getting phished.

Daniel: Yes, there are already some personal cyber products out in the market. This market is definitely way smaller than the corporate cyber insurance market.
And the similarities between personal cyber insurance, in terms of what they cover, and corporate cyber insurance are very… there's not that big of a difference between them. So for example, reputational harm, of course, makes as much sense for private persons, natural persons, as for a corporation. The same goes for data recovery. For example, my MacBook: maybe I'm a student, right? I saved a lot of money to have a MacBook; if that gets bricked or unusable, of course I want to have this insured as well, if it's the result of a ransomware attack, or a breach, or something like this. And then liability, maybe; of course, you can still be held liable in cyber terms. Again, your Twitter account is perjuring, maybe, your current firm you're working for, and then you lose a job, for example, as a result of a cyber attack, or something like this. So the coverage is very similar to corporate coverage. The market is definitely there; as you mentioned, not tech-affine people also have the same or almost the same exposure as more tech-related people, and the market of personal cyber insurance is certainly behind the corporate one, but it's likely to also pick up steam, maybe in tandem with the corporate sector, in the next years.

Ricky: So, you're an economist, or in German they call it a Wirtschaftswissenschaftler. What got you into cybersecurity in the first place?

Daniel: So as you mentioned, I have a bachelor's and master's degree in economics. During my master's, I was basically a working student for a small consultancy. They were focused more on small businesses, small business administration, and I wanted to definitely do something with computers. And a school friend of mine, he was a very good friend of the manager at KPMG in my local town of Cologne.
And basically, I mentioned that to him, we set up the interview, that went well, and I basically became an intern and then a working student for the cyber security service of KPMG in Cologne, Germany.

Ricky: What was your experience like working at KPMG doing cyber risk consulting?

Daniel: It was amazing, certainly. The internship and working-studentship lasted like one and a half years. And during the internship, which was full-time, I was on a project for a big financial corporation here in Germany. And the cool thing about that was, it was a huge project, I think, like 18 distinct working streams, and I was working in the business continuity working team of that. And business continuity management basically looks at recovery plans, what happens in a disaster case when your IT falls out, or other perils that impact your business. And the insights, again, they were very valuable.

Ricky: So your latest project is a website called cyber-economics.com. So people can find you there, right? And maybe tell us a little bit about that project you're working on.

Daniel: When it goes live, cyber-economics.com will be up and running. And if you're interested in some of the topics that we've discussed today, starting from what is cyber insurance, to the academic research into cyber insurance, and especially the current hurdles and how we, academia and the industry, can work together on this kind of thing, then cyber-economics.com is certainly the right place for you. And we have a lot of resources, so we first and foremost see ourselves as a top-level summary for all cyber-related topics. So essentially, we touched on so many topics today, like what is in a cyber insurance policy, what does the market look like, what are common exclusions, how is silent cyber affecting the market, and so on. So there are so many topics today that actually could be their own video.
And cyber-economics.com, if you're interested in that, regardless of your background, is the first place to give you a broad overview, and also all the information to keep you up-to-date with developments in the cyber market. And also, basically, make sure that you're at the pulse of the whole development. There are so many stakeholders, basically, in this whole thing; it's so complicated. So many questions are still unanswered. And so many are actually unasked that we really need a way to get every interested party, or people who might get interested in them, together. And this is basically what cyber-economics.com strives to be. And I hope that in the future, we can also do further videos on the topics that I cover on cyber-economics.com. So, guys, if you want to see that, don't forget to like and subscribe, as is usual on YouTube. And yeah, so thank you very much, Ricky, for having me today. It was a real pleasure.

Ricky: Yeah. So, I'd love to do something, talk about cyber risk more. I certainly learned a lot talking with you, and hope to see you soon!

Daniel: Thanks, Ricky. Have a good day.