Insurance giant Marsh & McLennan is leading a new collaborative effort involving top cyber insurance companies in order to provide a “Cyber Catalyst” seal of approval to the top-rated cybersecurity products in the marketplace. The goal of this new cyber insurance initiative is simple: to make it easier for businesses and consumers to find the very best cybersecurity products that will protect them from data breaches, data theft, and cyber extortion.
Details on the new Marsh program to rate cybersecurity products
According to the Marsh unit of Marsh & McLennan , this new cyber insurance initiative is modeled on similar initiatives that exist in other industries – such as the automotive industry – that seek to reduce the amount of risk faced by businesses and consumers. For example, insurance companies provide ratings of products such as seat belts and air bags, and many consumer review publications publish ratings of the “safest” automobiles. For both consumers and insurers, such arrangements are effective. Consumers are able to benefit by lowering their overall risk profile, and insurance companies benefit by having to pay out fewer claims. As a result, consumers are able to negotiate lower insurance premiums and qualify for enhanced terms if they take steps to minimize risk.
So, the idea is to apply the same business model to the cyber insurance marketplace. Right now, says Marsh, there are more than 3,000 providers in the cybersecurity marketplace, and tens of thousands of potential products and offerings. Making sense of all of these offerings is difficult, and so Marsh has recruited the biggest names within the cyber insurance industry to do all the heavy lifting and provide a seal of approval to the safest products. At launch, the list of leading cyber insurers participating in the project include Allianz, AXA, AXIS, Beazley, CFC, Munich Re, Sompo International, and Zurich North America. Collectively, these cyber insurance companies represent a substantial portion of all policies and premiums in the $4 billion cyber insurance market, and so it is important that they play a leading role in helping to evaluate cybersecurity solutions.
These major cyber insurance companies will then work with Microsoft as a technical advisor to rate and evaluate as many products as possible. The Cyber Catalyst program is designed not as a product review initiative (in which products might receive a score of 0-100 or a grade of A to F), but rather, as a product ratings initiative. A product will either come with the Cyber Catalyst rating (which means that it meets the very highest level of safety), or it will not. Products that do receive this rating would then be eligible to become part of special rates and promotional offers by the largest cyber insurance providers. After all, these cyber insurance companies have a clear incentive to get consumers and businesses to use the very safest products, so why wouldn’t they “reward” customers who are specifically choosing these products? As a result, designated solutions (i.e. cybersecurity products and services with the Cyber Catalyst rating) may qualify for special terms or discounts on premiums.
Pros and cons of the new cyber insurance program
In a best-case scenario, of course, the mass migration of high-net worth individuals and huge corporations to the very safest cybersecurity products would seem to be huge game-changer. Suddenly, businesses would have a way to reduce the likelihood of business interruption or data theft, while very wealthy individuals would have the peace of mind that they would no longer be the victims of costly cyber extortion incidents.
For that reason, initial reviews have been very positive. Matan Or-El, CEO and Co-Founder of Panorays, commented on the new Cyber Catalyst program, “We applaud this new initiative taken by the insurance industry. Such an initiative should be a win-win situation for all. Customers will need to up their cyber security program, thus reducing their cyber risk to attacks while cyber insurers will process less claims due to the higher standard of security.”
But is that really the case? Some cybersecurity experts, for example, says that there are already plenty of reviews in the marketplace for cybersecurity products (e.g. reviews from Gartner and Forrester), and that Marsh creating a brand-new program would just muddy the waters even further. What happens, for example, if Gartner raves about a product as part of its “Magic Quadrant” analysis, but Marsh does not give the product a Cyber Catalyst designation?
Moreover, if you read the fine print, just because a product receives a Cyber Catalyst product receives the special designation, there is no guarantee that it will play any role in reducing cyber risk. What if European companies adopt Cyber Catalyst designated products, but are still the victims of a massive cyber hack? According to the European GDPR, they might still be held accountable for such incidents if they result in economic losses for European data subjects.
“There will undoubtedly be bumps along the way to assess the cyber security technologies, from the time it takes to evaluate the thousands of existing technologies, and new ones as they are introduced to market, to the testing methodology around each technology. To ensure that this initiative takes off the ground and becomes effective, enforcing the collaboration between the insurers is mandatory,” says Matan Or-El of Panorays. “Keeping up to date with the ever evolving threatscape is necessary to determine the efficacy of products against new threats. This means that traditional and well-established technologies must be evaluated in a similar manner as innovative technologies that address the newer challenges. Third, the assessment process must be able to scale to accommodate the evaluation of thousands of cyber security products.”
Impact on the cyber insurance industry
On the whole, Cyber Catalyst designated solutions should have a positive impact on cyber risk. Just as safer air bags and safer seat belts lead to safer automotive experiences, safer cybersecurity products should lead to safer cyber experiences. At the very least, businesses and consumers will be able to make informed choices about cybersecurity products and cybersecurity vendors as a result of this Cyber Catalyst by Marsh program. Moreover, they will be eligible for enhanced terms and conditions from participating insurers, and will have a much easier time trying to manage cyber risk.
Going forward, the new Cyber Catalyst program should have a meaningful impact on cyber risk profiles of corporations. In an era where data breaches are the norm rather than the exception, it is important to have industry consensus about which solutions are most effective in reducing cyber risk. By understanding the economic consequences of using specific solutions, it makes it possible for business leaders and individuals to make much better decisions about how to protect their data online.