About this Episode
How can you insure against human ingenuity? Joshua Motta of Coalition and Simon Ashworth of S&P Global Ratings join the Essential Podcast to discuss the challenges and rewards of cyber risk and cyber insurance.
The Essential Podcast from S&P Global is dedicated to sharing essential intelligence with those working in and affected by financial markets. Host Nathan Hunt focuses on those issues of immediate importance to global financial markets – macroeconomic trends, the credit cycle, climate risk, energy transition, and global trade – in interviews with subject matter experts from around the world.
Listen and subscribe to this podcast on our podcast page, Apple Podcasts, Google Podcasts, Deezer, and Spotify.
Show Notes
- The rising number of cyberattacks during the pandemic, coupled with the additional security risks of remote work, has forced almost all organizations to speed up their digital transformation plans. New security technologies are coming to the forefront, as the latest defenses for corporate cybersecurity. Read our "Cyber Risk: The Other Virus Threat" special report.
Transcript
Nathan Hunt: This is the Essential Podcast from S&P Global. My name is Nathan Hunt. The pandemic has accelerated a process that has been developing for decades. Our business lives have become fully digitized. Our words, our actions, our plans, everything is logged and stored as bytes of data. So how can a business protect itself from cyber risk when the risk appears to be ubiquitous. Today, I am joined by two guests, Joshua Motto of Coalition and Simon Ashworth of S&P Global Ratings, to discuss cyber insurance, cyber risk, and cybersecurity. My first guest Joshua Motta is the CEO and co-founder of Coalition. The leading provider of cyber insurance and security with over 25-thousand-customers ranging from small and midsize businesses to Fortune 500 companies. Joshua, welcome to the podcast.
Joshua Motta: Thank you for having me.
Nathan Hunt: Joshua. Why you, and why coalition? Why should I trust you on cyber risk? Why should I trust the coalition for cyber insurance?
Joshua Motta: When it comes to eliminating cyber risk, I'm not sure you should trust me or, or anyone for that matter. And, and I suppose that's precisely the point you can't eliminate cyber risk, and anyone who tells you otherwise shouldn't be trusted. Um, that would be my point of view. You know nothing is a hundred percent secure. No one can defend an organization a hundred percent of the time with 100% success. And I say that irrespective of how much machine learning or artificial intelligence or blockchain they're using. Um, so, so you know why me and why coalition? The two are, of course, intertwined. Uh, I actually started my career as an entrepreneur, a software engineer at quite a young age, writing the most horribly insecure code you could imagine. And, and without a second thought about security, to be honest, I took a detour during college to work at a U.S. intelligence agency where I got to see the offensive side of the cyber risk equation. And, and wow. Was that eye-opening. Um, and then I took another detour into the financial services industry before returning to my entrepreneurial roots. Um, first helped me build a cybersecurity startup in 2010, and that's today a $10 billion publicly-traded company on the New York stock exchange. And, and now coalition and, and so coalition really is the culmination of my life's experiences. It's what would happen if you combined a technology company with a cybersecurity company with a financial service, in this case, insurance. And, and of course, the data collection mindset of an intelligence agency. And so why did I found coalition? I like to say that I came up with the idea overnight after thinking about it for 25 years. And you know, the epiphany for me was that cybersecurity. Isn't really a technology problem. It's a risk management problem, right? No matter what, how much do you invest in cybersecurity? Um, no matter how many people you hire, there's always the risk that your security will fail, that your technology will fail, or it won't work as intended that the software engineer you hired. Isn't thinking about security when writing code? Hopefully, hopefully, companies are hiring individuals more talented than I was back in the day. But, um, but while you can't eliminate the risk, you can't eliminate the cost of it. By transferring it. And that's the domain of insurance, right? Insurance is, is a risk transfer mechanism, and that's, by extension, the domain of coalition. Um, that's something we're extremely good at, and we're fortunate to be trusted by tens of thousands of businesses across the country. So don't trust me, trust them. And by extension, trust, everyone at coalition as our customers do, because we are quite possibly the only cybersecurity insurance firm that actually shares the same incentives as our customers to prevent incidents from happening. Um, but of course, we're also there as a backstop, should the worst come to pass. And that's, that's sort of what really strikes me when I, when I think about the cybersecurity industry at large, um, you know, they're selling all these things to help companies try and mitigate risk and many do work reasonably well, but nothing is full proof. But at the end of the day, like they don't actually share the incentives of the clients that they serve. You know, if, if there is a cyber-attack or ransomware event or whatnot, it's not the technology company that provided the, you know, the technology to defend you. That's going to pay the claim. They're not going to pay for your lost income. They're not going to pay for the ransomware extortion. And so that's something that I think companies like the coalition, cyber insurance providers are uniquely positioned to do, and I think that that is one of the reasons why you should trust them because, at the end of the day, our financial incentives are very well aligned.
Nathan Hunt: So the coalition is not just an insurance company. Why not? Insurance is good business. Collect your premiums, invest wisely, and pay out when there's a legitimate claim. Why complicate this?
Joshua Motta: Yeah, that's a good question. Look, the problem with insurance is that you only get value out of it after something bad happens, right? Now, what you do get, of course, is extremely valuable, particularly at that moment, but that can be difficult to assess upfront. Right? Good humans, we have these cognitive biases that lead us to believe that, you know, even though we know a risk exists, like even though we can accept that there is cyber risk. It's not going to happen to me. Right? My emails are secure. It's only Hillary Clinton. That seems to have a problem with that. Right? Or, um, where they believe that it's sufficiently far out on the horizon, that they don't have to address it right this instant. Right? So I can adopt this technology. I can get all the productivity benefits, and I get them upfront. And meanwhile, all of those risks that come along with it, there's somewhere over the horizon. Right? Or they only happen to large organizations like Equifax or you know, Marriott. It's never going to happen to my small business. Um, and so that's why we aren't just an insurance company. We think that we can solve this timing problem and deliver value to policyholders even before the bad thing happens. And of course, that's precisely the point to prevent it from happening. And so to my knowledge, we're the only insurance provider in the world too, you know, quote-unquote underwrites, our clients continuously. We don't ever stop. It's not a once a year process when you buy the policy and when you renew it, we're scanning our customer's networks. We're scanning the internet. We're notifying our customers in very close to real-time risk exposures to their organization. So one of our policyholders, employees, downloads malware. We notify them. The company's enabled the insecure remote access to their network on the internet. We notify them. They're running unpatched software. We notify them. So we have the data, the insurance industry has the data, and in many respects, they have more data than anyone else on the loss exposures that businesses are facing. And the same is true when it comes to cyber risk. And yet most don't deliver any value until after you filed a claim. I've always believed that insurance companies can do a lot more. And so while yes, we collect premiums and we pay out our fair share of claims, why stop there? Right. We can do more for our clients. And it's one of the reasons our policyholders report one-quarter of the frequency of claims as to the U.S. Cyber insurance market average. Um, and so it's good business for us as well. I mean, if you've built an insurance company where your customers report one-quarter of the claims as they do to the market average, um, that's an even better insurance business. And so that's, uh, that's frankly why we view ourselves as more than just an insurance company.
Nathan Hunt: Cyber risk always seems to be evolving. Sometimes it feels like we're in flat land trying to anticipate three-dimensional threats. How do you anticipate and cover the risk? That is by its very nature, human, and innovative.
Joshua Motta: Yeah, it's, it's a great question. Um, and for multiple reasons, and it it's, it's where I see a lot of cyber insurance policies going wrong, but, but before I dive into that, I should note that many people think of cyber insurance and I'm, I'm using air quotes here. And, you know, people can't see me on a podcast, but they think of cyber insurance as this standardized and consistent insurance policy. Only it is not, um, it's nothing like auto insurance or homeowners insurance, where no matter which insurance company you purchase from, you're buying a standardized policy wording, right? Cyber insurance, on the other hand, is a specialty insurance product. And every single insurance provider, including the coalition, has its own policy, it's own policy wording that covers different things. And I'll give you an example. Um, you know, to my knowledge, the coalition is the only cyber insurance provider that provides coverage for property damage, bodily injury, and even pollution exposures resulting from a computer security failure. Right? So if you're a manufacturer and someone hacks your industrial control system, um, depending on whom you buy insurance from, you may not have coverage for that. Um, and you may be surprised to discover that that isn't covered. And so that's that kind of brings me back to where do many go wrong. They start with these three-dimensional threats, as you mentioned, right? Or, or their assessment of them at the time that they're forming the policy and they work forwards specifically covering that particular threat. Right. They're out studying the threat landscape and trying to write a policy form that responds to each of those only the threat landscape changes, and a new threat comes about like you've said like the cyber risk is very innovative. It's dynamic. And it wasn't anticipated, you know, we've attempted to do the opposite. And so I think the key for us is to really think about cyber as a form of peril. And the peril is a specific word that they use in the insurance industry, but think of apparel as something that can cause a loss. And so a fire is a, is a form of peril as an example. And maybe most obviously, it can cause property damage, but it can also lead to bodily entry. Or depending on what is burning pollution. And I'm sitting in San Francisco with some of the worst air quality in the country. That's something that I'm very pressingly aware of right now. Well, cyber is no different. If you think about cyber as a form of peril, um, cyber risk quite literally encompasses the entire known spectrum of risk. It can lead to the obvious things that you read about in the paper every day, you know, data breaches and privacy violations, supply chain, interruptions, um, things of this nature. But it can also lead to bodily injury, property damage, um, pollution, right? So practically everything these days is run by a computer, whether you're pressing the brakes in your car, or whether, you know, someone is running a manufacturing line, those things are run by computers. When you press your brakes, there is no mechanical process that, you know, that slows your car down. It's sending an electrical signal to the onboard computer of the car to then tell the car to slow down. And so when these things fail, we want to make sure that all the different types of exposures that can result from a cyber peril are covered. And so we work from the exposures that a company has, and we work backward, and we're agnostic as to the threat. You know, we don't care how the threat happened. We only care that there was a technology failure or a computer security failure that led to this particular outcome, whether again, it's bodily injury, property, damage, et cetera, it's covered. And so in that respect, it's like we don't have to constantly keep up with all the innovations in cybercrime. We simply have to write an insurance policy that is broad enough, and that considers the range of loss exposures that organizations face as a result of adopting the technology. Um, so that's how we go about it. But mileage may vary depending on who you purchase from. And that's, that's where, you know, cyber insurance and cyber risk. It's, it's complicated. It's a complex subject.
Nathan Hunt: Joshua. I, I think there's a clause in my contract that requires me to bring up COVID in every podcast. So, the pandemic and the associated lockdowns have forced businesses to depend on digital tech for almost all of their basic functions. So my question is in the era of COVID, has cyber risk increased. And if so, are you seeing more interest in it? Cyber insurance from the market?
Joshua Motta: Yeah. You know, if, if you'd asked me this at the start of the shelter and place orders, maybe I would have had a different answer. Right. It made me it didn't initially strike me that a biological pandemic would be correlated in the least to, to cyber risk. But, um, you know, now that we're months this, I think you've, you've hit on a prescient point, which is that the pandemic has really laid bare how dependent organizations are on technology. I would argue that today. We are more reliant on technology than we ever have been before in human history. We would not be having this podcast if not for technology. And, you know, tomorrow we'll be even more dependent. So, you know, technological adoption and creation at some level is one of the things that differentiates our species from every other species. And it is the story of human progress. And that's, that's only marching in one direction, which is forward. And so absolutely the pandemic has increased cyber risk. Why? Because it's, it's led organizations to dramatically increase the velocity of their technological transformation. Um, it's, and it's forced them to do it in record time. Right. And without necessarily the luxury of being able to think through all the risks, because once again, we need to facilitate remote work to keep our business running. We'll worry about security. We'll worry about the risks that that remote access brings at some point in the future. And, and so as a result, like we absolutely do see an increase in cyber insurance claims and increase, uh, in the success of attacks. Like I'm not necessarily certain that the number of cyber-attacks has increased. I mean, it's, it's always been at a generally high level. And I don't think that just because the pandemic came around, all of a sudden it's skyrocketed. What has changed is that the efficacy of those attacks. Has gone dramatically up. Um, the, you know, the changes that organizations are making, you know, as I mentioned, remote access to facilitate employees working from anywhere. Well, those that remote access is the same thing that allows hackers to access your network from anywhere, be that, you know, Russia, North Korea, Eastern Europe, or in our own backyard in the United States, um, because business behaviors have changed, criminals are taking advantage of that. Um, particularly when it comes to social engineering. So social engineering is one of the greatest threats that businesses face, and criminals are taking advantage of these, changing the changing nature of businesses to trick people. And I'll give you an example, um, you know, there now once they compromised an email account, they'll look through for partners, vendors, anyone providing invoices, and they'll email those partners and tell them, Hey, as a result of COVID-19. We're no longer accepting checks in the mail. Um, here's our new wiring instructions. Please pay this invoice with an ACH transfer. Only those wire instructions are the criminal's wire instructions. And, you know, that's perfectly plausible. The person on the other end of that email would rightly reason that that makes sense. You know, no one's in the office. Of course, they're not accepting checks, and without blinking an eye, they've just wired their funds off to a criminal. So. The pandemic, the, you know, COVID-19, it's, it's absolutely challenging for businesses. It is leading to greater losses. And as a result, it's leading to a greater interest in insurance. And those two things sort of go hand in hand, right? Like the size of an insurance market should at some level be correlated with the amount of risk that organizations face in particular the amount of risk that they don't want to accept themselves and that they want to transfer to a third party.
Nathan Hunt: To that point. The recurring question around cyber insurance seems to be some variant on why isn't this market bigger. So let me ask why isn't this market bigger?
Joshua Motta: Yeah, I'm sure there's a lot of reasons, but I think the main one it's education, um, you know, most businesses again. Still think of cybersecurity as a technology problem. It's as something that technical people worry about. It's their I.T. person or whatnot. They don't truly understand, uh, that it is a risk to their business, to their organization. And they don't really think about it as a risk management problem. So I think that's, that's one issue. There's a lot of business owners that don't even know that cyber insurance exists. And when you think about cyber insurance is a line of insurance versus auto or homeowners or whatnot, It's brand new, right? It's in its infancy. And you know, of course, people have been buying cyber insurance for decades. It's a compulsory purchase. If you want to drive a car on the road, you must purchase it. Um, cyber insurance isn't there yet. It's brand new. It's not yet compulsory. Um, although I think it's moving in that direction. Um, And, and so there's a lot of business owners. I meet them every day. And when I share what it is, we do, the common refrain is just like, Oh wow. I didn't even know that that existed. Um, that educational issue also extends to insurance brokers. There are many insurance brokers who don't understand what the product covers. I mean, maybe a few don't believe it exists or, or realize that I think most do, but a lot of them don't know what it covers and, and for a good reason, you know, as again, as I mentioned, every single cyber insurance product is different. They cover different things, and it's very complex. So I would just say by and large, that one of the reasons that it's not bigger is it comes down to education in every way, shape or form, you know, I'd say like maybe a close second, um, reason would, would simply be friction. You have to really want to purchase cyber insurance. You have to jump through a number of hoops to get it. Um, you know, it's, it's not uncommon to see eight to 12-page application forms that have to be filled out to even be considered for it. And it's cumbersome. It takes time. It can take several weeks to put a policy in place. It's certainly not as easy as just going on the internet, filling out a couple of questions, and buying a policy. And again, that's something that we're attempting to change. We're attempting to use data to massively simplify the application process. Um, our application form is five questions that any business can easily answer, and you can purchase coverage directly on the internet or through your insurance broker. And so we're trying to radically simple, we'll find it, but, but friction, you know, it is something that stands out the way, many organizations just aren't willing to kind of jump through all the hoops to purchase a product that they may not fully understand. So I think those are the biggest things, but at the end of the day, Mark my words. It is going to be a very large industry. It's growing very quickly. It's the fastest-growing line of commercial insurance. Um, and again, at some level, it should be correlated to the number of economic losses from side perils that businesses want to ensure. And as they become more aware of those as they're educated, I think you're going to see an explosion the, in the cyber insurance market. And that's certainly what most market participants are forecasting with. You know, double-digit compounded growth for the next several years.
Nathan Hunt: There's a lot of investment in cybersecurity, significantly less in cyber insurance. Why do you think companies have chosen to invest in asbestos walls rather than fire insurance? Metaphorically speaking?
Joshua Motta: Yeah, I like the metaphor. Um, You know it again, I think it has to do with how the problem is framed. Um, most organizations think of it as a technology problem, and they, you know, they're entrusting the solution with it personnel or the managed services provider. You know, they believe that if they invest in antivirus or firewalls or things of this nature that they're secure. Um, and of course that couldn't be further from the truth because. You know, at the end of the day, it is a risk management problem in any organization. When they're facing a risk, they have really three options. They can accept that risk knowingly or unknowingly. And of course, the latter is more often the case when it comes to cyber risk. They can mitigate the risk in which case technology and firewalls and antivirus, and so on and so forth, can be effective. Um, they can implement controls and protective actions across their company. You know, they can do things to try. And like I said, mitigate risks, historically, though. The problem is, is that most organizations think of that as a clinic or line that goes to zero, right? So the more money we invest, the we can actually bring our risk to zero. In reality, it looks more like a diminishing returns curve, which is to say that the more money we invest, you know? Yes. If we're doing it well, it gets bringing our risks down the curve. But every dollar we invest buys us less and less risk reduction until it just tails out. Um, And that's to say that, you know, you could have an infinite security budget, you could be a highly sophisticated organization. You could hire lots of cybersecurity folks. And yet a 17-year-old in Tampa can hack you and your high profile users. Um, right. So, you know, very large and sophisticated technology companies are, are still being impacted by this. And so that's where the third component of risk management strategy comes in and that's risk transfer. That's that insurance piece, which is okay, I've done what I can to mitigate it. I still have this latent tail risk. And so now I'm going to transfer that to a third party because if I don't, I'm insuring myself. And so I once had someone asked me how many businesses have cyber insurance. And I said all of them and the person looked puzzled. And then I, you know, if you asked me how many purchase cyber insurance? Well, yes, it's not that many. Um, I'd say it's probably around 20 to 30%, but if you ask how many habits they all do, because if you're not—transferring it to a third party. You are insuring yourself. You're self-insuring. And so while this investment in cybersecurity, I think it's, it comes down to, again, it's buying peace of mind. Um, it's buying a piece of mind, for what many think of as a technical problem as a technology problem, when in some respects it is, there's a true statement, but more broadly, it is a risk management problem. And I think that they absolutely do need to be thinking. Not just about, you know, the walls that they put up, but what insurance, what's their backstop. If the worst comes to pass, because no matter how much you invest, no matter how high you build the wall, people still get over it or around it or whatnot. And that's really where insurance comes into play.
Nathan Hunt: Do you worry at all about the big insurance companies using their size and spending power to take this market from you?
Joshua Motta: No, I, I don't, um, you know, one of the things that I love about the insurance market is that there's a far more level playing field between businesses, particularly when, when you have an underwriting advantage. And so by that, I mean, you know, there's the traditional refrain that whoever's the biggest, they can operate at the lowest margin, you know, that the Amazon effect, if you will, and they just, they crushed your margins because they have better margins than you do. Um, and they effectively drive you out of business because you can't compete on costs. Well, in insurance, um, we sell risk, right? And, um, at some level, you know, the loss ratio of an insurance company is, is really the product of three things that determine risk. It's the frequency of claims that they get. It's the severity of those claims on average when, when they're filed. And then, of course, it's how they price the claims. Well, in many lines of insurance, the only variable that an insurance company can play with is the price. And, you know, many, many of the largest insurance companies or the most successful ones are really, really, really good at pricing risk. Um, when it comes to cyber risk, that's where we felt like we have a very clear advantage. We have more data and more capabilities than even the largest of insurance companies to be able to not only price the risk. But also to be able to change the frequency, to tune the frequency of claims, or to change the severity of the claims. And so, again, where we're very different is we provide a cybersecurity platform. We're continuously scanning our customer's assets, and we're alerting them, uh, when risk exposures pop up. And as a result of that, we have a fraction of the claims frequency that other much larger insurance companies have. We also have our own instant response, uh, service. So we have a team of forensics and instant responders that do nothing but help our customers recover operationally. Um, I kind of think about that. Like it's as if we own the repair shop. So imagine if you know, car insurance company A, could fix your car for half the cost of car insurance company B, um, that would be one heck of competitive advantage. Right? All else being equal, they could charge half the price, and they would have the same loss ratio. Well, we own the repair shop. We control the cost of those repairs. And so when we get claims, they tend to be, on average, less severe than even the largest of insurance companies. And so that's a way of saying that we actually have a better margin, a lower margin than much larger companies. So it's actually us who have the ability two more competitively price, um, versus our competitors. And so. You know, certainly having resources, being able to spend to solve that educational problem, the branding, the awareness, that is an advantage that large insurance companies have. But at the end of the day, those firms, no matter how large or small that have a true durable underwriting advantage, I think are poised to win in this market.
Nathan Hunt: You've described cyber insurance as an incentive mechanism. What behavior are you trying to insert through insurance premiums?
Joshua Motta: Yeah, it absolutely is an incentive mechanism. And I kind of think of it as, you know, the proverbial carrots and sticks. Um, but it's not just premiums. Premiums are an important component of the equation. And obviously, if you lower the premium, you can give carrots to people if you will, for, for implementing protective actions and controls for, for doing things that, you know, we, as an industry or as a coalition as a company that we know reduce the likelihood that they file a claim with us or reduce the severity of that claim. Um, if, and when it happens. So for example, if we know that you backup your data, Uh, well, that's considerably easier to recover from a cyber incident than if you don't. Um, however, we can also of course, use the stick. And so your premiums can be increased dramatically. If you're doing things that increase your risk or conversely, you're not doing the things that decrease it, but there are many other mechanisms that we have as well. And that's whether you provide coverage at all, um, or what are the conditions of placing that coverage? And frankly, that's really what we prefer to do. And so, you know, if someone is applying for insurance with us and we see, uh, a significant material issue, we want to quote them a low cost, the lowest cost we're possibly able to, provided that they address the issues we've identified. And so, um, we try and really go a step before getting to pricing, which is just simply, we're willing to provide you a quote if you address these particular issues. Um, and if you don't then, you know, we may not be willing to provide insurance at all. So there are lots of ways in which insurance companies, uh, whether it's, whether they offer coverage, what coverage they offer under what terms much less the pricing, which can be used to try and change the behaviors of companies. Another sort of novel thing that we've done. And in which I hadn't seen done before was. One day, we came up with the idea that it's like, wow. If our policyholders had simply implemented multifactor authentication, which I would describe as probably one of the most effective controls to prevent cybersecurity incidents, have they done that? We would have had dramatically fewer claims than we have. So how do we incentivize people to do that? Um, you know, recognizing that there's many who don't implement that who never have claims, but it's, it's a mechanism that time and time again, as has made it more difficult for criminal hackers to be successful. So we actually gave all of our policyholders a brand new coverage. They woke up the next day, and we said, look, we've just endorsed your policy. We've given you this new coverage. And it, if at the time you file a claim with a coalition, you have enabled multi-factor authentication in front of your email or other business systems, then we will actually reduce your deductible or your retention, the amount of the amount that you're responsible for before the insurance kicks in. We'll reduce that by 50%, right up to a $10,000 benefit. And so that's like a simple policy change that allows us to financially incentivize people to adopt a control that we know from our claims data is highly effective at preventing losses. So again, I think that insurance companies are in just this incredible position to use data, um, to help companies make better decisions. And it's unfortunate that you know, as an industry, you know, by and large, I don't think that we've done a great job at that. And so that is very much, uh, an undertaking that we're taking on, um, frankly, which is how can we in our position change incentives and not necessarily just for policyholders, even across the entire industry. Uh, security vendors, right? How can we help them build more secure software? Uh, these are all things that, uh, everything's on the table. And I, I, I believe that again, the insurance industry acting really as a private regulator, one that can move much faster than the government can do a lot to drive forward cybersecurity standards and, and, uh, encourage controls that will actually make the world a safer place. Um, maybe that's a bit utopian. But, uh, I think it's certainly something that, that can be done.
Nathan Hunt: One final question. Joshua, what is the password on your work email?
Joshua Motta: What's the password to my work email? The best part is I could actually tell you the password of my work email, and you still wouldn't be able to access my account. And why? Because I have multifactor authentication. Um, in fact, I have a physical dongle that has to be plugged into my computer. And accessible to a Bluetooth connection before anyone can log into my email. So, you know, if, if I remembered my password and of course I use a unique one, so I don't, and I use a password manager, so I don't have to remember it. I would be happy to list out all 130 characters on this pod. Um, at the end of the day, no one should be relying on a password. Uh, as the only line of defense. Um, so that's my, that's my last and final plug for multifactor authentication—what a great question.
Nathan Hunt: Joshua, I guess you've spoiled my dreams of a cyber life of crime, but I appreciate you coming on the podcast.
Joshua Motta: My pleasure. Thank you again for having me.
Nathan Hunt: My next guest is Simon Ashworth. Head of analytics and research for insurance at S&P Global Ratings and the co-author of a recent article entitled "Cyber Risk in a New Era, Insurers Can Be Part of the Solution." Simon, welcome to the podcast.
Simon Ashworth: Thanks for the invitation. Nathan
Nathan Hunt: Simon, I remember a day from early March of this year, my boss and I took a walk to a coffee shop, she got ice tea, and I had my normal black coffee on the way there and back, we talked over strategic priorities for the first half of the year. That simply isn't possible right now. All of our discussions happen virtually dependent on digital technology. Has the pandemic accelerated cyber risk?
Simon Ashworth: Okay, so I'm going to give a two-word answer to that first off. And the answer is undoubtedly, and maybe to expand a little bit more than two words. I mean, you only have to look at the, uh, tech parts of the market, really to see the market expectations of the shift to digital. And we think this is a genuine, long-lasting shift. That's here to stay even some of the tech-unsavvy of individuals like myself need to accept that in their personal lives and really move on. I'm going to give a shameless plug and heads up for a new series of research from S&P Global Ratings, which is defined as a cyber risk in a new era. We kicked this off a couple of weeks ago with the future of insurance. And there's plenty more to come in that, in that sphere, but really just to go back to the, um, to your first question, we do see this indeed as an acceleration of a trend that was already present, but as clearly, um, gain traction more than ever before. And so really going back to the scenario that you presented, uh, I'm sure you'll be ordering that ice tea and black coffee, uh, using the relevant app on your phone in future before long and you know, that's, uh, indeed, if you've not been doing that already.
Nathan Hunt: Do you believe we understand cyber risk? Do we essentially know all the forms this risk can take?
Simon Ashworth: Sure, really good question. I think the best thing from an insurance perspective as insurers are underwriting cyber is, is really the plan for the unknown unknowns. And I know we've talked about different types of, uh, of swans, uh, in the mainstream media, but currently planning for the unknown unknowns is the, uh, is really the best approach. I think the unique aspect of cyber risk, which really defines this type of peril versus many other perils that are are indeed also insured, is that cyber is, is, you know, almost exclusively lovely manmade. And that really brings its own challenges in terms of risk modeling. And there's really very much less reliance on historical data sets. When estimating cyber risk. And even if you think you understand the risk today, that can evolve rapidly and actually become obsolete within weeks or certainly within months. So staying ahead of the curve is an ongoing part of all prudent risk management, but we think it's particularly the case for cyber. And we really cite accumulation risk as a key factor too. And what that means is that cyber is really not restricted to particular geographies and can really spread across the globe in seconds, even more quickly than pandemics. And we also think that governance and risk management is key to identify, monitor, measure, detect, and learn from cyber attacks and cyber risks. But interestingly, uh, ex-post after an attack, it's actually even more important to take swift, decisive action and respond to remediate such attacks.
Nathan Hunt: The cyber insurance market has been growing over time, but is the current size of the market commensurate with the current risk in the market?
Simon Ashworth: You're right. It's a. It's growing. It's growing rapidly, but only from a small base. And actually, it's only a fraction of the potential economic losses are indeed covered by the, uh, cyber insurance provisions and the insurance market to date. So what that means is that there's huge potential for insurers and reinsurers to step in to fill that gap. Now there may not be an appetite to fully cover all of those economic losses. And there are many estimations of that. And we think that approximately the economic losses from cyber insurance on an annual basis, or even now three to four times more than natural catastrophes. So three to four times more economic losses happen, uh, almost every year, even pre-pandemic than there are economic losses from natural catastrophes. And even the natural catastrophe space losses are only partly covered, but there's still huge untapped potential within the cyber insurance market for that to grow. And for that to grow compound year on year on year for many, many years and decades to come, we published some new research recently that said insurers could be part of the solution to the growth of the cyber insurance market. And at the time when insurers are really under the microscope from a reputational perspective, given the pandemic, they really do hold the key for even more appropriate insurance solutions to also play their role in facilitating a step-change in the growth of the insurance market for cyber risk.
Nathan Hunt: This sounds like a huge opportunity, but what are the challenges involved in providing cyber insurance?
Simon Ashworth: Yeah, sure. There's plenty of challenges—a long, long list. I'll try and focus on, on really the key ones. So estimation of the risk, given the evolving nature of the, um, of the peril itself and really the infancy of cyber risk compared to, you know, many long-standing, uh, risks that the insurance market has plenty of data from, uh, from historical events to, to models. So that's, that's one. So estimation of the risk is, um, is something that evolves. That's a big challenge. And with that, there's something that we call the uncertainty premium that exists, and actually cyber is a at the moment, a very profitable product. Um, for insurance companies to sell. And part of that is because they're, they're charging a reasonably high uncertainty premium, given some of those factors that I spoke about earlier. So there are question marks linked to that, you know, do the products meet the needs of the insurers. And indeed is that insurance premium charging a higher premium than is otherwise necessary. And then what the case for, you know, for insurers to take advantage of passing a lower insurance premium onto their clients. Some other challenges that we think are noteworthy clear policy wording, and obviously, there's a lot that the insurance market can learn from the recent pandemic and ensuring its customers, its policyholders have very clearly aware of the particular coverage of any particular policy. And also correlations. Now we've not spoken much about that so far, but the relative correlations of cyber relative to other types of perils, whether it's financial market dislocation. Or other aspects that an insurance company and that insurance company needs to be aware of and is exposed to. I think that's a really interesting one to understand and model the correlation of cyber risk with, uh, with the interplay with financial markets, for instance, and maybe finally with any relatively new product launch or launch into a new business line. There always a balance of strategic priorities that any insurer is is looking to balance as they enter that market. Do they want to be really a front runner in, in, um, the development of that market and get a, get a foothold very, very early on to stamp their dominance on that sector for many, many years to come or would they, would they rather take a more cautious approach? And see the development, um, the market for the first few years, and maybe only play, um, you know, intermittently or to a lower scale within that market. So I think, uh, the strategic challenge of how far, how deep an insurer positions themselves I think will become, uh, certainly in 2021, a, a key question that insurers and, uh, and boards within insurance companies will be asking themselves.
Nathan Hunt: When you look at the larger insurance companies, do you think they're doing a good job with cyber risks?
Simon Ashworth: Yeah, I think we do a range of companies that are in the market. Clearly, large ones are extremely well-positioned, given this ending. We do see a number of specialists, insurance companies as well, and we think those insurers that will do that will be those that can, over time, really provide an analytic ecosystem to support their customers and policyholders. So what do we mean by a holistic ecosystem? That's really providing some of them, or helping to provide some of the wraparound services that a customer may need in its day to day business activities, either pre or post a cyber attack. So some of that could be legal advice, legal expertise in the wake of an attack. Some of that could be advice, some crisis communication, which is really, really key to ensuring an appropriate, um, customer outcome. And then finally, they're really technical I.T. expertise in terms of the remediation of the cyber attack itself. So those are, those are things that we think are, you know, our key differentiating factors for insurers, um, in the future and how products and services to meet the acceleration of demand that we spoke about at the top of the call will just be vital for an insurer to evolve its own products and services, to, you know, to meet and generate more demand than is there at the moment—and going back to that uncertainty premium. So really how much almost how much excess profits and insurers looking to, to earn too, um, you know, to say for that unknown, unknown, I think will be, will be really interesting to see and then in more mature markets that uncertainty premium is really bidded away as demand and supply for insurance intersect and new entrance come in and, uh, an attempt to make their mark. So really the lower over time, the lower that uncertainty premium becomes, uh, will really be a validation for the insurance market functioning in a way, which I guess, um, meets the needs of all stakeholders.
Nathan Hunt: Simon is cyber insurance, a standalone product? It feels like you would want a company practicing a basic level of cybersecurity before you offer them insurance. So will all insurance companies get in the business of managing cybersecurity?
Simon Ashworth: It's an excellent question. I think they certainly will need to now more than ever before, if nothing else, for the sustainability of their business models. I think as long as insurers can still assess the risk and attempt to assess that risk, they will still look to provide insurance almost regardless of the risk management standards at their particular customer. They may indeed charger an own high certainty premium that we, um, that we spoke about before. But I think insurers will still look to be in that market. At least those that are keen to provide insurance in this space in the first place. We do think that policies that currently are in place that bundle cyber into, um, into other types of, of products, which are the more common type of approach at the moment, we do think that that will have evolved into something which is more standalone in time as the demand increases. Um, we think there's many benefits of those standalone type insurance products that are indeed out there at the moment, but those standalone products will offer much more transparency, um, than is otherwise the case. Uh, you know, in particular, in terms of the coverage, the terms and conditions and, and ultimately lead to better cyber outcomes.
Nathan Hunt: Is there anything specific to cyber insurance that worries you from a credit rating perspective?
Simon Ashworth: Yes. If we look at insurance themselves, as they are looking to provide cyber insurance, I think accumulation risk is, is a key one. Do, in short, really understand the accumulated patient risk. And that's again, that's, that's going back to what we mentioned before specifically is the fact is that risk or a cyber attack could happen at anywhere in the world. There are no boundaries, um, geography is not, um, is not a boundary in the, uh, in the cyber and digital world. So accumulation risk, do insurers understand their exposures? And perhaps the interrelationship of all of their exposures post a cyber attack. Silent cyber. That's certainly been a buzzword for a number of years and has got a lot of attention. And silent cyber is really looking at whether insurance companies understand all of their embedded risks from previous insurance policy fails. So whether there are perhaps terms and conditions, ambiguity. Are insurers actively seeking to close that the silent cyber is down as they renew policies? And perhaps still provide that coverage but at a different price point. And, um, we mentioned before from a, from an overall perspective, corporations in general. So those customers have cyber insurance. So if we go a bit wider here and look at corporations and how they perhaps can use cyber insurance as a mechanism to protect their creditworthiness, um, pre and post-attack, we think that's, that's certainly something that corporations as a whole are looking into. Um, and as we mentioned, that could help both pre and post-attack in terms of risk management, frameworks, and communications. Back in 2017, we participated in a London Market Study, and this was, um, you know, a really interesting dry run simulation were um, across the, um, across the globe, specifically in, in North America at first, there was a simulated cyber attack. Followed by a financial market. Yeah. A relative crash followed by a hurricane. It was almost, um, a company nation of a number of, uh, scenarios that happened at once. And it was a $200 billion loss over two weeks period, and S&P participated within that simulation. And we learned a lot of things off the back of that simulated stress test. We learned the types of information that we would need from insurers to really assess some of that accumulation risk. And we learned operationally, we learned more about how we would stress test on mass or insurance and reinsurance portfolios, really to get us or a potential future, large scale cyber-attack and how we ourselves would respond to that from a, from a credit rating perspective.
Nathan Hunt: Thank you for listening to The Essential Podcast from S&P Global. For more insight from Simon and his team, please visit spglobal.com/ratings.
The Essential Podcast is edited and produced by Molly Mintz.