A proper cyber solution
Spectra founder Edouard von Herberstein is applying a traditional insurance approach to a non-traditional insurance segment: cyber.
Edouard von Herberstein is quick to say that he is an insurance guy through and through.
He has worked in the industry at Lloyd’s, in Switzerland and most recently, in Bermuda. So it’s not surprising that when he looked at cyber insurance, he looked at it with an insurer’s eye, rather than those of a tech expert.
Perhaps it is even less surprising therefore that von Herberstein identified a problem that is as old as insurance and came up with a solution that has its roots in Lloyd’s coffee house.
The former Hudson Structured Capital Management executive, who now leads his own company, Spectra, says he realised that many medium-sized businesses try to manage their own cybersecurity, but are doomed to fail as cyber threats become more complex. And insurance companies do not have the resources to accurately determine whether self-managing companies are operating secure environments.
“I saw lots of things that I thought were very primitive examples of things you can’t do in cyberspace, such as inspections,” he recalled. “You can’t inspect the network, right? If you want to insure a ship, a plane or a commercial building, 100 percent of the time you’re going to have a third party managing the security and the maintenance.
“Not so in cyber insurance—they let people self-manage their security, which is just as silly as allowing any commercial building to be self-managed from the security and maintenance fronts. That is always done by someone whose whole job is to do that.”
Regardless of who manages a company’s security, an insurer still has the problem of having very little historical information from which to assess and price risk.
“There’s no or very limited data on what you can guess from outside of the network, because no-one’s found a way to effectively understand how the insured manages its own security,” he said.
“It’s all done through questionnaires, sometimes very long ones, none of which can be verified. The insurers ask people to complete them, but there’s no way to verify or inspect, and that lack of data is at the core of the systemic risk problem.
“It’s a bit like insuring a building in the US and not knowing whether it is in Wisconsin or in Miami. You don’t know what the datasets are, or what cloud technology they use, and if they tell you, you can’t verify it. More likely than not, the customer doesn’t even know,” he explained.
“The lack of data and the inability to inspect, and the fact that more often than not, the security was not managed but self-managed, made me realise how much the cyber insurance supply chain had to evolve in order to look like any other line of business, where you do inspections and rely on professional management of security.”
Service providers
One of von Herberstein’s friends—now a co-founder of Spectra—introduced him to the idea of managed service providers (MSPs), which provide cybersecurity to businesses.
“It’s a very big industry,” he said, adding that the sector has $250 billion in annual revenues. “It’s growing very fast but it’s a very segmented market. Thousands of businesses manage security for businesses, and they never interact with insurers, which is a huge lost opportunity, because they are the guys who patch and manage the security. They are the ones who have the data that would be useful for insurers to understand.
“The entire industry is slowly coming to terms with the fact that businesses can’t self-manage their security. It doesn’t work. They don’t do a good job of it, there are too many vendors, it’s moving too fast.
“You need to be 24/7—the bad guys don’t do bad things only during opening hours. The majority of businesses cannot afford a 24/7 security team. How do you ensure that your customers have full-time professional security?
“It doesn’t mean German shepherds and guys and torches, it means the MSPs have teams around the world with 24/7 service.
“When I left Hudson, I went on a mission to build a bridge between the insurance industry and the MSP,” von Herberstein said.
But the problem still remains that, even with MSPs, there is no data on which to assess the risk. Instead, he says, Spectra rates the MSP in the same way a ship inspector certifies that a vessel is seaworthy, or a ratings agency rates the financial strength of an insurer. That creates a bridge between the MSP and the insurer, enabling the insured to get cover.
Until now, that bridge has not existed, he says.
“There is no connection between the team managing the security and the network and the insurer, and that’s a huge lost opportunity which we’re trying to change by creating trust between insurers and MSPs, because they don’t know each other.
“They know of each other, but they don’t trust each other. The insurers tend to think that MSPs are only there to take as much money as they can from the customer and they don’t really do good security. That’s a misperception, but it’s what you hear.
“And on the MSP side, you hear that insurers make money by not paying claims. Another misconception. So how do you bring trust between those two?”
Building trust
“At Spectra the first thing we did was build a certification business. We effectively audit the people, the technology and the software the MSPs use to provide security solutions. We look at how they protect themselves, because if an MSP is compromised, does it mean that all their customers are compromised as well?” von Herberstein explained.
The business has been built over the last 18 months and is operating in the UK, US and Canada. If an MSP passes the audit, it is issued with certification and cyber resilience warranties. In June, Spectra partnered with the leading North American IT distribution channel Ingram Micro to widen the distribution of its certification and warranties. Three months earlier, it joined forces with provider Fulcrum IT to offer the service in the UK.
“We’re effectively warrantying their solution, and if that solution fails to protect the customer, for the specific scenario for which that solution exists, we pay a 12-month refund for it,” he said.
The certification service is offered by a division called Resilient Services, and von Herberstein says its risk also needs to be insured, which the company has successfully done, initially with Lloyd’s syndicates.
Spectra is now moving to the next phase of the business, which is to offer insurance to the customers of the certified MSPs.
“We are planning to set up a managing general agent (MGA) in the US and use that data and those relationships to access more customers with a better security posture,” he said.
“It makes sense. A lot of what we’re doing is trying to recreate what exists in other commercial lines, having a third party of professionals managing security, managing the maintenance of the assets, and collecting data through that to help insurers map concentration of risks.”
He says the MGA will target medium-size enterprises with turnover between $50 million and $1 billion. Larger businesses have the scale to effectively have their own in-house MSPs, he added.
The MGA, which von Herberstein hoped to have up and running by the end of the year, already had its own pricing model which, he said, would be superior to others which were not certifying MSPs.
“Some of it is based on market data, but the other part is based on security performance data,” he said. “If you work with the MSP, you see all the incidents and the near-misses that insurers don’t see. Insurers only see claims, not the near-misses.
“We have access to all the near-misses through the MSP, and then we can start using all that data to infer what the risk of a claim is, because you see what came close. That security performance data allows us to see a lot of data that would be useful for pricing actuaries that insurers don’t have access to.”
Von Herberstein says this approach should remove some of the volatility in pricing to which the segment has been vulnerable because it is linked to what the competition is doing, rather than being linked to the risk itself. Knowing the capability of an MSP means the risk can be more accurately assessed and priced.
Von Herberstein compares the problem to pricing property catastrophe insurance.
“If you have the data in the first place, you’re never going to give a Florida policy for free, as you would in Wisconsin for hurricane. But if you don’t know, you would say: ‘we’ll find out’. Then, sure enough, the hurricane came and it was in Florida. So the idea is that the product should be better and more stable in terms of price,” he concluded.