In the age where knowledge and information is currency, where organisations will soon be subject to regulations such as the Protection of Private Information Act in South Africa, General Data Protection Regulation in Europe, and where organisations are collecting huge amounts of data that assist them to serve their clients better, cyber risk insurance is becoming integral not only for risk management but also for good corporate governance.

Exponential Ventures, MMI Holdings’ innovation unit, which was formed in 2016, notes that the King 4 report on corporate governance has also recognised the advent of the fourth industrial revolution and the central role that technology plays in revolutionising businesses, societies, and transforming products, services and business models. There is no doubt that all reasonable and appropriate steps should be taken to protect the information and technology in a business. But what happens when there is a breach and the organisation is exposed to physical and financial damage as well as business interruption that threaten business continuity?

According to a report produced by UK-based cultivators of change Anthemis Group, cyber risk insurance is relatively new compared to other insurance sectors. Vica Manos, director at Anthemis Group, says “the cyber insurance space is now evolving rapidly driven by the advent of data science and technology, and the resulting emergence of specialist cyber technology companies that focus on the SME market.” In fact, with annual premium growth expected to remain at 15% over the next 5 to 10 years, cyber risk is one of the few insurance markets not challenged by stagnant or decreasing premiums, attracting the attention of insurers and reinsurers alike.

Who is using cyber risk insurance?

Anthemis Group reports that comprehensive cyber risk insurance policies are currently mostly used by big corporations. The current process of using a consultancy firm to perform a security benchmarking process from an insurance perspective and to understand the corporation needs in terms of protection is a costly exercise which also requires extensive internal cyber knowledge. This is prohibitive for smaller organisations.

“Startups that are working on filling this very gap have started to emerge. Propositions such as ThreatInformer and Zeguro help the small and medium sized enterprise market to access much needed cyber risk insurance policies. They are able to conduct automated comprehensive security assessments, providing an unprecedented level of detail to insurers and brokers in a cost-efficient manner, helping them better understand the risk and serve a segment that was previously priced out of the market,” says Manos.

How is cyber risk insurance provided?

Carlo Biggio, Associate at Anthemis Group, splits the cyber risk insurance sector because of its intertwined nature in the following three categories:  cyber risk modelling platforms; cyber risk assessment with insurance applications and cyber risk assessment.

·         Cyber risk modelling platforms are those companies that use tools to model and price cyber insurance policies, these tools require an adequate record of previous cyber-related losses and significant mathematical capabilities to develop them

·         Cyber risk assessment with insurance applications are companies who run assessments for organisations and produce reports in a digestible format for insurance brokers/ companies, helping the latter underwrite cyber risks better

·         Cyber risk assessment are companies that use platforms which identify the various information assets that could be affected by a cyberattack (such as hardware, systems, laptops, customer data, intellectual property, etc.), together with assessing the various risks that could affect those assets

What does the future look like?

Manos says, “The holy grail of insurance is quantifying the extent of potential losses and estimating the probability of those occurring. In cyber insurance, this is far more complex than it sounds, as the very nature of the risk keeps evolving at speed. New ways of thinking are needed in two areas: First, probabilistic and adaptive AI-driven cyber risk models are required. Second, these models demand appropriate datasets to be chosen, collected and presented in a consistent and reliable manner. This, today, remains a challenge.”

Exponential Ventures has been in extensive discussions with Anthemis to find solutions not only for the South African market (identified as one of the most vulnerable countries) but for the 15 other countries, and the broader global market. Financial Wellness drives us to invest in startups that have the potential to help us achieve this for our clients and stakeholders and cyber risk insurance is becoming an important component in this journey.