As the nascent market for cybersecurity insurance develops and matures, insurance companies think they’ve found a better way to provide coverage and set rates: working directly with cloud providers.
Global insurance giant Munich Re, for instance, has been working with Google Cloud and insurer Allianz on a policy that aims to provide customers with lower costs, coverage for a broader set of cyber risks and greater transparency into the entire process.
Cyber insurance provides financial protection against damages caused by cyberattacks, but the market has been thrown off-kilter by a wave of ransomware attacks that have led insurers to rapidly raise prices and pare back coverage.
“There’s a lot of noise and a lot of misconceptions around cyber insurance — about what it covers, what it doesn’t cover, when it pays, when it doesn’t pay,” said Bob Parisi, Munich Re’s head of cyber solutions for North America. “Transparency hasn’t been our strongest suit in the cyber insurance marketplace up until now. But transparency and being data-driven are probably the way to increase the sustainability of the cyber insurance market.”
The crux of these approaches is the use of a customer’s IT configuration data, provided directly by the cloud providers, which can give insurers a degree of certainty they’ve never before had when assessing the cyber risk of potential policyholders.
While a number of startups have championed the idea of using data on customer security posture to inform cyber insurance decisions, the idea of a vendor taking a hands-on role in co-designing a unique policy for customers is newer. Google Cloud and its insurance partners began publicly offering their “Cloud Protection +” policy in mid-2021.
Other major cloud vendors have since launched their own bids to enable a more data-powered cyber insurance market. AWS has partnered with startup Cowbell Cyber and insurer Swiss Re to provide insurance coverage of workloads running in its cloud. And Microsoft has teamed up with another cyber insurance startup, At-Bay, on a policy focused around the use of the cloud-based Microsoft 365 productivity suite.
For Microsoft’s efforts in cyber insurance, “we really wanted to create better access” for customers, said Ann Johnson, corporate vice president of security, compliance and identity at Microsoft. At the same time, the company has sought to give insurers “the confidence that they could accurately assess the risk of an organization,” Johnson said.
In terms of the business case for Google Cloud, Microsoft and AWS getting involved in cyber insurance, the programs each act as an incentive for customers to rely more heavily on their respective cloud-based services.
But at a time of major concern about the sustainability of cyber insurance, the efforts also aim to serve as a model for how to get things back on track, the cloud providers told Protocol.
The power of data
The price of U.S. cyber insurance policies surged 79% in the second quarter from the same period a year ago, though that was actually below the two prior quarters, when prices more than doubled, according to a report from Marsh McLennan.
At the same time, demand for cyber insurance has been increasing and coverage has tightened, especially for higher-risk sectors such as health care, the U.S. Government Accountability Office has reported.
In order to continue providing customers with cyber insurance, and help it to mature as a category of insurance, major cloud platforms are focusing on data collection and using that as the basis for writing more trustworthy cyber insurance policies.
Of the three cloud providers, Google Cloud has acted the most quickly — and its executives would argue, the most aggressively — when it comes to getting involved in cyber insurance. Google Cloud first announced its Risk Protection Program and accompanying Cloud Protection + policy as a private preview in March 2021.
Bolstered by Google’s track record for embedding strong security into its own infrastructure, “our emphasis in this area is unique,” said MK Palmore, director for the office of the CISO at Google Cloud. The company’s adoption more than a decade ago of “zero trust” architecture, which requires a higher level of user verification, is among the key indicators of this long-running focus on security, Palmore said.
The program requires customers to use Google Cloud, though not exclusively; policies written through the program will cover all of a customer’s IT environments.
To participate, customers scan their cloud environment with Google Cloud’s Risk Manager tool, which picks up the security metrics that inform the underwriting process. Right now, the metrics are based around CIS (Center for Internet Security) benchmarks, which offer guidelines for secure configurations and were developed in part by industry experts and vendors.
After that, customers can choose to share the data from the scan directly with Allianz and Munich Re, which launches the insurance purchasing process.
While the policy does cover a customer’s entire IT footprint, the unique element is that it offers broader coverage for Google Cloud workloads than would be available for insuring assets in any other type of IT environment, as well as potentially lower pricing. “The more Google Cloud that you use, the more the metrics that they’re getting from the report, and the more that impacts the premium,” said Monica Shokrai, head of business risk and insurance at Google Cloud. The pricing savings will vary by customer, according to Google Cloud.
The broader coverage available in Google Cloud compared to other environments includes both enhanced third-party liability and more coverage for direct losses from a cyberattack incident, according to Munich Re’s Parisi.
Expanded direct loss coverage includes a full year of coverage for business interruption loss, compared to the usual standard of six months, he said.
Another enhancement is coverage for protection against the theft of trade secrets in a Google Cloud environment, which is typically excluded in cyber insurance policies, Parisi said.
To provide that sort of protection, an underwriter would want to know a lot of information about how a customer’s environment is configured, he noted. However, “having a client give us that inside look as to how they’re using Google Cloud gives us the level of comfort to do that,” Parisi said.
There has been some education needed both among brokers and customers about the program since it’s a new concept, he said. But every time the insurer has succeeded at getting a broker to fully understand the program, the interest “snowballs.”
Currently the policy is offered only to U.S. customers that have between $500 million and $5 billion in annual revenue, though the goal is to expand it more widely and cover “as many customers as we can over time,” Shokrai said.
Ultimately, for both insurers and customers, “we’re providing a solution that helps them in an area that is particularly difficult at this point in time,” she said.
For Microsoft’s cyber insurance program with At-Bay, first announced in September 2021, the focus for now is just on Microsoft 365 and does not cover Azure, the cloud platform that competes with Google Cloud and AWS. Crucially though, Microsoft 365 includes applications that are often leveraged by attackers, such as Outlook and Word, in order to spread ransomware and other malware.
According to Microsoft and At-Bay, for customers that implement certain security controls, and opt in to share data showing secure configurations for Microsoft 365, the savings on a cyber insurance policy can reach as high as 15%, compared to At-Bay’s regular pricing. Key security controls include multifactor authentication and Microsoft Defender for Office 365, an email security service.
The policy also covers other parts of a customer’s IT environment, in addition to Microsoft 365. But given how essential Microsoft 365 is to many businesses, just taking additional security measures on that platform can justify the savings for the customer’s entire cyber insurance policy, according to Rotem Iram, founder and CEO at At-Bay.
“By having them strengthen their email environment, by having them deploy MFA — we’re not eliminating the risk, but we move the needle in a very significant way,” Iram said.
While the program is targeted toward midmarket companies, there is no revenue limit for participation. It’s currently only available for U.S. customers.
Helping insurers to scale
The data provided to the insurers is combined with Microsoft threat intelligence and boiled down to a customer’s Secure Score with Microsoft, which the insurer uses to write a policy.
In the future, Microsoft may extend this approach to enabling cyber insurance for the use of Azure as well, Johnson said. The company is also working on partnerships with other cyber insurers, she said, though they haven’t been publicly announced yet.
AWS is also taking a data-driven approach in its partnership with Cowbell Cyber, which was initially announced in November 2021 with a risk assessment tool aimed at helping customers to better secure themselves in order to acquire cyber insurance coverage.
Earlier this month, the partnership expanded with the introduction of cyber insurance coverage for AWS workloads, which includes involvement from insurer Swiss Re. AWS did not make an executive available for comment.
The policy just covers usage of AWS and is most ideal for customers that use the AWS cloud extensively, said Jack Kudale, founder and CEO at Cowbell Cyber. U.S. customers with up to $750 million in annual revenue are eligible.
The program utilizes Cowbell Factors, the startup’s underwriting platform that rates a business on its security risk relative to its peers in the industry. The program derives a premium and coverage limits based on the Cowbell Factors rating, providing lower premiums and higher limits for customers that rate better on configuration, vulnerabilities and compliance measures, Kudale said.
The program stands out by being 100% automated, with the entire insurance process completed based upon the data analysis performed by Cowbell’s software, he said.
For the purpose of insuring against cyberattacks, “you want to be able to underwrite to precision, and not based upon the traditional rating factors” used in other areas of insurance, such as industry and size, Kudale said. “When it comes to cyber risk, it’s not realistic to be able to underwrite a business on those factors.”
Ultimately, in the cyber insurance market, “all the hyperscalers will have the opportunity to participate — and should participate, by the way,” Microsoft’s Johnson said. “I think there’s an obligation there.”
Data and visibility are what the cyber insurers “need desperately,” and the hyperscalers have it, she said.
Providing this visibility to insurers “will help them break through that ceiling they’re facing right now,” Johnson said. “They just can’t scale [without] the data.”