A Q&A with Ben Beeson of Arceo Analytics
As the cyber insurance industry has grown, so has the need for smarter approaches to risk assessment. I asked Ben Beeson, Head of Insurance at Arceo Analytics, about the role technology can play in better understanding clients’ security risks in real time.
How has technology supported the cyber insurance market thus far?
Cyber insurance has only been around for twenty years or so and the use of technology by insurers to evaluate cyber risk has been limited. The industry has used a similar “question and answer” underwriting approach it uses in other types of risk, seeking to understand the types of controls a company deploys relating to its people, processes and technology. But this approach can only ever be a snapshot and most importantly it does not provide verifiable data. The company may confirm in an application that it has a firewall but how does the insurer know for sure that it has been configured correctly, for example? In terms of cyber insurance, technology has traditionally been an added-value service post-breach in the form of forensics in response to a data loss incident. Yet I think there is more that can be done by insurance companies in using technology to make the insured more resilient to cyber incidents pre-breach.
What are the challenges facing the insurance market that technology can help solve?
First of all, the risk keeps evolving—cyber is not a risk that stands still. A couple of years ago, very few people viewed ransomware as a major concern and the focus continued to be on theft of payment card data. Today, we have seen business interruption claims happen as a result of even these types of low-sophistication cyber threats. Because of this shifting risk, the current static approach to underwriting based on historical loss data cannot work when that data set is dynamic.
The second and arguably greater challenge to the industry is risk aggregation. The insurance industry has never seen a risk as interconnected as cyber, with very little visibility into understanding who is connected to whom. Insurers must try to interpret this risk concentration in the context of both the clients and products that they underwrite across their portfolio so that they can accurately predict the consequences from one event that could trigger cascading or multiple losses.
Insurance companies have begun to partner with technology firms to help solve both these problems. However, risk modeling is still driven principally on a market supply and demand basis. This will begin to change as insurers put greater emphasis on risk data points that were previously not available to them.
What can technology firms offer the cyber insurance industry?
The technology industry has a lot to offer the insurance industry in helping make products more effective at limiting and transferring risk for clients. In cyber, we can provide stronger data points that not only help better evaluate and price a risk, but ultimately are more relevant to the insured in reducing their own risk. Indeed, this is one of the reasons I joined a technology company.
What are the possible outcomes of greater collaboration between technology and insurance firms?
With better knowledge about risk, the industry can create incentives such as lower premiums or broader coverage for insureds whose security programs are stronger or more resilient. We haven’t gotten to that point yet but it’s very exciting to see insurance and technology begin to align. This will not only drive better client solutions, but also help accelerate the growth and sustainability of the marketplace, resulting in a better product for everyone.
We want to thank Ben Beeson for his unique insights into this subject matter. I have personally known Ben for some 15 years and he is a pioneer in the cyber risk insurance space, and always good for thoughtful ideas and solutions in this rapidly changing risk landscape.