This position was supported by the data. He proposed that based on current information under one million organisations have a standalone cyber insurance policy of a possible market of approximately 60 million companies across the US and EU.
Drawing attention to rollercoaster rate fluctuations in the cyber market in recent years, he said: “Typically, when we see rollercoasters like this in insurance, it suggests that the participants don't know what they're doing – which might actually be a valid criticism.”
So, with the US cyber insurance market forecast to reach USD 50 billion in the next few years, Motta posed a simple question – “How do we get there from where we are today?” His answer? The adoption of an active cyber approach. “We don't want to go on this rollercoaster anymore, and so our vision of the future is active insurance.”
Detailing the immense transformation of the business landscape resulting from the fourth industrial revolution – digital transformation, which he said was still in its relative infancy – he noted how from 1975 to today business assets have switched from being predominantly tangible to almost exclusively intangible.
Despite this, he said: “Most organisations continue to protect themselves the same way they did in 1975.”
Outlining the standard approach to risk management of ‘accept, mitigate or transfer’, he noted that: “The amount of cyber risk organisations today are accepting is enormous. They are almost completely unprepared and do not have the balance sheets, in some cases, to survive a cyber event.”
The insurance sector is also struggling to get to grips with this digital-based business environment, he believed. “Most of the P&C industry is focused on the byproducts of the last industrial revolution. That's how the industry evolved, covering mostly tangible things from fairly well-understood perils.”
Digital transformation, Motta said, “has made the world we once knew completely unrecognizable. And yet the world of insurance remains totally recognisable. In my humble opinion, you can't underwrite much less manage cyber risk in the same way as traditional insurance risk.”
He was quick to refute the widely used argument that there is not enough data to underwrite cyber risk and understand aggregation potential.
He argued: “There has never been more data to interpret cyber risk, to underwrite how it aggregates than there is today. It's just that most insurers don't have it, and certainly don't use it.”
“Cyber risk can be quantified,” he continued, “it can be predicted, and it can be actively managed. We don't have to wait around like a traditional insurance company for a claim to be filed, we can actually go out and do something about it.”
Active insurance Motta described as a process which involves assessing the vulnerability of an organisation to cyber attack and proactively spotting and fixing those vulnerabilities to prevent the risk of digital attacks. Further, through monitoring live data, it ensures that in the event of an incident there is immediate action taken to contain and limit any impact.
Such an approach creates a very different, deeper and more dynamic relationship between insurer and insured.
As Motta explains: “In the case of Coalition, I believe in probably 99% of cases, when a customer applies for cyber insurance with us, we know more about their cyber risk than they do.”
“That’s quite rare in insurance, right?” he continued. “Generally, it's the buyer of insurance that knows more than the seller. The best insurance companies in the world have been those that can avoid being adversely selected against. However, if you can reverse that information asymmetry, you can do something very rare insurance, which is positively select for risk.”
|