The cyber insurance market is still in its infancy — and, many say, first-generation solutions are being constrained by tech debt and legacy thinking.
While ransomware and other cyberattacks continue to rise in both frequency and cost, many organizations are underinsured or uninsured altogether against cyberthreats. Not for lack of trying; as underwriting evolves and becomes more complex, technical and time-consuming, many applications are simply denied.
This all requires a whole new approach to risk assessment: Underwriters need mechanisms to measure the true digital risk that “lives within an organization,” said Reuben Vandeventer, CEO of Indiana-based startup SecondSight.
His company aims to provide this: The company today emerged from stealth with $3 million in seed funding, offering what it calls the industry’s first artificial intelligence (AI)-driven platform for “inside-out” underwriting.
“SecondSight recognizes that cybersecurity and true digital risk are really about assets and liabilities,” said Vandeventer. “Digital risk is only meaningful and actionable for business stakeholders when it’s connected to the bottom line.”
Cyber insurance = A hard market
According to a 2021 report from the National Association of Insurance Commissioners (NAIC), the cybersecurity insurance market — including both U.S. domiciled insurers and alien surplus lines insurers writing business in the U.S. — was worth roughly $4.1 billion in direct written premiums in 2020. This reflects a 29.1% jump from the prior year.
Meanwhile, insurers writing standalone cyber insurance products reported approximately $2.58 billion in direct written premiums. Those writing cybersecurity insurance as part of a package policy reported roughly $1.49 billion in direct written premiums.
And the market is primed for even more growth: According to Markets and Markets, the cyber insurance market size will grow from an estimated $11.9 billion in 2022 to $29.2 billion by 2027, registering a compound annual growth rate (CAGR) of nearly 20%.
The main drivers, according to the firm, are the “rapid surge” of cybersecurity incidents coupled with an increase in mandatory cybersecurity regulations and legislation. However, the firm points out, organizations are restrained by soaring cyber insurance costs.
“The private equity world is really saying that the cyber insurance market is likely a 10-year hard market,” said Vandeventer — meaning it will continue on a path of significant, year-over-year growth.
‘Inside-out’ and ‘outside-in’ combined
The problem, he said, is that existing players in the risk-quantification category — BitSight, Prevalent, RedSeal and SecurityScorecard, for example — model risk from outside the firewall.
With this “outside-in” approach, the primary concern is preventing access at the edge of the network, and it largely involves human-requested input about risk controls.
But, “this stance no longer serves the nature of the market,” said Vandeventer, who previously founded OpenINSIGHTS and Data Clairvoyance Group, and served as chief data officer for Bridgewater Associates and CNO Financial Group.
SecondSight performs what it calls “inside-out” methods, as well as “outside-in.” The company brings telematics to digital risk, taking human observation out of the process by enabling system-to-system communication for direct observation of risk behaviors in real time. It could be compared to Allstate’s Drivewise program, a telematics app that tracks driving habits.
This shows an organization’s “true digital risk” so that cyber insurance providers can quantify risk severity based on an organization’s digital assets and liabilities, said Vandeventer.
“If you’re outside the firewall, you have no mathematical ability to understand digital asset P&L,” he said. Thus, “inside-out and outside-in both need to be used.”
As he explained, the cyber insurance company’s platform doesn’t require a learning cycle; it autonomously discovers, classifies and analyzes an organization’s “entire landscape of digital assets,” the unique risk profile for each asset across thousands of risk factors, and the real business costs that would be incurred if a digital asset was compromised.
AI modeling takes place right next to the data and metadata. More than 287 different models or algorithms — learning-based, deep learning, machine learning (ML) and others topological in nature — identify, classify and map digital assets in the ecosystem, he said.
The platform is directly integrated with SaaS applications and deploys agents and collectors into PaaS, IaaS and on-premise legacy environments. This edge-compute auto-discovery is combined with ongoing auto-correlation of digital assets to the insured’s business model.
What traditionally takes other companies weeks to compile is completed by SecondSight in mere days, with an accuracy rate as high as 92%, according to Vandeventer.
“Carriers can correlate digital assets to profit and loss, cash flow and balance sheet metrics,” he said.
He pointed out that, in U.S. markets, the mean time to recovery after a ransomware attack is 28 days. “That’s 28 days that operations are down,” he said. The “double-whammy” is that organizations have 28 days of lost revenue, and 28 days of still paying salaries and other bills.
Using SecondSight metrics, organizations can identify which digital assets are more correlated to production and operations, and focus on optimizing the mean time to recovery of those specific assets, Vandeventer explained. They can then add such protections as air-gapped backup, extended detection and response (XDR), endpoint detection and response (EDR), multifactor authentication (MFA) and two-factor authentication.
Cyber insurance market is in its infancy
While with Allstate, Vandeventer’s big observation was that cyber insurance in its current manifestation wasn’t behaving like a mature or real insurance product, he said.
“The insurance industry wasn’t treating it like real insurance,” he said.
This is because the insurance class was brought to market with a bare minimum of underwriting. Its market share grew quickly, allowing carriers to make significant profit.
Now, it’s pure economics: With claims spiking post-pandemic, providers have been binding fewer policies while simultaneously taking action to re-engineer underwriting.
SecondSight is purposely exiting stealth as the industry redefines standards, he said. The company is supported by several carriers and MGAs (wholesale brokers) and will soon announce a partnership with the largest cyber insurance wholesale broker in North America.
The seed round, which will be used to advance go-to-market efforts, was led by Tim Crown (cofounder of Insight Enterprises), with participation from Indiana Ventures, Cook Ventures and Flywheel Fund.