Jun 2, 2023 - Technology

Cyber insurers are leaning more on security vendors to assess risk

Illustration: Sarah Grillo / Axios

Insurers are leaning more on security vendors to make sense of what they need to know about cybersecurity programs before approving new customers' policy applications.

Why it matters: Insurance providers have been scrambling to keep up with rapid changes in the threat landscape, such as increased ransomware attacks and nation-state activity, to make sure their policies are keeping pace.

  • In recent years, insurers have been left with massive payouts as companies have increasingly filed claims after an incident.
  • Despite that, demand for cyber insurance has continued to soar alongside premium costs.
  • Partnering with a security vendor can help insurers stay ahead of threats and create more reasonable requirements for customers to meet before approving their applications.

Driving the news: Earlier this week, IT security management provider Kaseya unveiled a partnership with cyber insurer Cysurance to speed up the approval process and provide discounted rates to Kaseya customers.

  • Under that arrangement, Cysurance will preapprove any customer who has Kaseya's IT Complete Security Suite and push them through a shortened vetting procedure.

The big picture: Insurance providers have increasingly turned to security vendors like Kaseya to help them sort out what data and security information they should collect from customers.

  • Most major insurance providers lack the expertise to properly assess cyber risk, prompting them to lean more on security vendors to act as intermediaries, experts told Axios.

Zoom out: Cyber insurance requires a different calculus given the risks to a business are constantly changing as hackers develop new techniques.

  • Compare that to auto insurance, where driving risks have been studied and understood for decades.

Between the lines: Partnerships between insurers and vendors have been taking a few different forms.

  • The most straightforward looks like Kaseya's new program: An insurer preapproves a customer who has purchased and set up a specific product suite.
  • Some others look like what Google Cloud has set up: Google scans customers' security postures and makes recommendations to help reduce insurance risk. Customers also get specialized insurance offerings from Allianz Global and Munich Re, and Google takes care of sending any necessary data to the insurers.
  • Cyber insurers are also starting to bring these risk assessments in-house: Resilience, a cyber insurance provider, has built out a team that engages with customers and ensures they're staying up to date on their security requirements to keep their policies. Resilience instead partners with vendors to investigate insurance claims.

The intrigue: Insurers and financial officers often struggle to communicate with security teams to figure out the best way to assess their risk, Travis Wong, vice president of customer engagement at Resilience, told Axios.

  • When an insurer is relying on a security vendor to vet customers, it's because "insurers themselves haven't built those capabilities to provide insights," Wong added.

What they're saying: "Because you have a security team and a CISO that is so heavily involved in managing cyber risk, they know the risk in a way that the insurance manager might not always be aware of," Monica Shokrai, head of Google Cloud's business risk and insurance program, told Axios.

  • "Insurance managers are trained in finance and insurance and risk and risk transfer," she added. "That divide is larger within cyber than other lines of business."

Yes, but: Adding a new vendor to the insurance process brings additional risk, Wong said.

  • "You're introducing a third party whose interest might not be as aligned as your insurer or the organization being insured," Wong said. "They're an independent assessor, for all intents and purposes, and they're trying to sell a technology."
