In the latest wrinkle in the fast-growing cyber insurance industry, some of the leading insurance companies are now incentivizing clients to buy from specific IT security vendors. In some cases, they are lowering premiums that clients have to pay; and in other cases, they are adding in discounted services or raising the total coverage value of a cyber insurance policy at no additional price. The goal, say top insurance providers, is to steer clients in the direction of the most effective security solutions in the IT security marketplace, while giving clients plenty of reasons to adopt risk-reducing behavior.
The new Marsh Cyber Catalyst program for cyber insurance
At the core of this new shift towards incentivizing clients to adopt specific IT security solutions is the creation of the new Marsh Cyber Catalyst program. Marsh, a subsidiary of insurance giant Marsh & McLennan, has essentially created an alliance of the top cyber insurance providers, including Allianz, AXIS, AXA, Beazley, CFC, Munich Re and Zurich North America, all of which agree on the “top” cybersecurity products and services. Any service or product offering that meets a certain threshold for quality is added to the Cyber Catalyst program. In September 2019, Cyber Catalyst announced the first group of 17 services added to the program. On a regular basis, Marsh will add new services to the collection, with the next intake period planned for Spring 2020.
Once an insurance product or service gets the Cyber Catalyst designation, that’s when cyber insurance providers can start to offer incentives to clients to use one or more of these specifically designated services as part of their overall risk management approach. Presumably, the more of these services that a client uses, the greater will be the total incentive package. As the insurance providers see it, all of these Cyber Catalyst products are best of breed, and the most proven and effective in reducing cyber risk. All of the products are carefully and independently vetted, and so Cyber Catalyst acts as a sort of seal of approval for any product. This is especially helpful for smaller and mid-sized companies, which may not have the types of extensive resources needed to study, vet and analyze a confusing mix of products in the marketplace.
The case for offering cyber insurance incentives
Thus, from the perspective of the cybersecurity insurance companies participating in the program, they are providing a real value-added service to clients. They are not doing this from an altruistic perspective, though. Their sole goal is to reduce risk (and, thus, their overall payouts). Based on their risk models and analysis, the products that are part of the Cyber Catalyst program are the very best options available for reducing the risk profile of client companies.
Right now, the cyber security marketplace is a confusing jumble of vendors, products and services, all of them making claims that their products are the very best. By some estimates, there are more than 1,000 different cyber security offerings now available, and the total size of the cyber security market has ballooned to $125 billion. Even IT security experts will acknowledge that many of the claims made from security vendors are really a lot of “smoke and mirrors,” and that some solutions designed for larger enterprises might not be the best fit for smaller companies, or companies within a certain industry. Thus, an independent seal of approval can help clients choose the “best” products, based on their ability to reduce risk, protect personal data and prevent data breaches.
The case against offering cyber insurance incentives
Of course, there are skeptics about the Cyber Catalyst program. with some claiming that the cyber risk insurance providers are really just running a promotional campaign for their partners and vendors. The Cyber Catalyst program, these skeptics say, is really just a private club created by the biggest insurance providers and cybersecurity vendors. Add in the fact that Microsoft is a technical partner of the alliance, and it’s easy to see why some people see the whole program of Cyber Catalyst designated products as nothing more than a way to steer business to certain companies that are part of the club.
Moreover, these skeptics maintain, the big insurance companies have a vested interest in selling as many cyber insurance policies as they can, and the Cyber Catalyst program is really just a marketing tool to help them do this. They may be unfairly raising the expectations of clients that a specific solution is a “magic bullet” that will solve all of their problems and have a positive impact on cyber risk. After all, cyber security is really a team sport, in which all employees must play a role in protecting the enterprise. If employees are not well trained to recognize phishing scams, for example, then it really doesn’t matter how great your email security program is, right?
Cost-benefit analysis for cyber insurance
In general, companies should be running some cost-benefit analysis of their own, to help them decide on how to allocate their cyber security dollars. Is it better, for example, to spend $10,000 on a bright, shiny new cyber insurance policy or to spend that same money on staff training or on beefing up security measures already in place? Cyber insurers have one goal in mind – to sell as many policies as they can, while minimizing the amount that they will have to pay out if bad things happen. Thus, cyber insurance companies are understandably excited about being able to offer plenty of incentives to get clients to buy more insurance.
Ultimately, the real question might be whether insurance companies – backed by technical partners like Microsoft – can do a better job of allocating corporate IT security dollars than specialized professionals. In short, does a corporate Chief Information Security Officer (CISO) know more about the security program needs of an organization than an insurance executive with much less IT expertise? Are there really any solutions that are 99% effective in blocking cyber threats – or are clients being lulled into a false sense of complacency by installing a hodgepodge of different cybersecurity solutions, many of which may not be compatible with each other?
One thing is certain – the cyber insurance industry is doing its best to go mainstream and sign up more companies as clients. By some estimates, just 15 percent of U.S. companies have any sort of cyber insurance policy in place, so there is plenty of room for future growth. Industry analysts now predict that the cyber insurance industry will triple in size between now and 2023, creating a $17 billion behemoth. For that to happen, insurance companies will have to prove that they will actually pay out claims, and that their preferred, best-of-breed solutions actually work as claimed.