From ransomware attacks to the challenges of managing distributed workforces post-pandemic, digital risk is different, which means traditional insurance is no longer enough.
Digital transformation has made all organizations—even small ones—faster, more impactful, and more complex. Simplified e-commerce tools, mobile technology, and cloud-based services have helped many companies not only survive challenging times, but also level the competitive playing field on a global scale.
Unfortunately, this digital shift has had the same effect on the risks businesses face. From ransomware attacks to the challenges of managing distributed workforces post-pandemic, digital risk is different. It's constantly evolving, striking faster and with more severity. It even amplifies other risks.
Unfortunately, while the digital world has changed how we do business, most organizations don't have the protections they need to thrive. Business insurance has been around since the 1700s. It wasn't built for fast-moving digital risks; it was designed to react to risks that occur infrequently. This old model is no longer enough. Simply purchasing coverage cannot fully combat these evolving digital risks.
Active insurance is a new approach to managing digital risk with three layers of protection:
1) Active risk assessment: Using powerful data and artificial intelligence (AI) to provide a near real-time snapshot of an organization's digital risks, this kind of assessment helps streamline the quoting process, provide accurate pricing, and identify potential issues that most traditional insurers and many InsurTechs never see.
2) Active protection: By offering continuous scanning and monitoring of digital assets and other risk factors associated with cyber and executive risks, active insurance provides personalized alerts for critical issues so brokers and policyholders can stay ahead of new risks.
3) Active response: An in-house team of experts delivers support and guidance to help policyholders accelerate their response and claims to help their businesses bounce back quickly if an incident occurs.
Traditional Insurance Is Not Enough
Business owners have long understood the need to protect their property, goods, and even themselves from fire, flooding, accidents, theft, and other losses by transferring that risk to insurers. These physical risks occur infrequently and are reasonably predictable based on historical data. Traditional insurance was built for these physical risks, not the digital age.
In the digital economy, risks constantly evolve day-by-day or minute-by-minute—and can cripple a business just as quickly. Companies are becoming more distributed and changing faster than ever. A boom in mergers & acquisitions and work-from-home and pandemic-related employment issues amplifies liability exposure to executives.
Organizations of all sizes are becoming more data-driven, technology-dependent, and virtually connected. The speed of information and threats has increased exponentially, and the old approach leaves millions of businesses vulnerable to new digital threats.
Insurance that only provides loss protection after the fact does little to prevent severe, recurring, and infectious damage. That critical gap dissolves the key value of insurance: peace of mind. Solving digital risk isn't a destination; it's a continuous journey.
Expanding Digital Risks
The digital economy poses new threats to businesses. Digital threats are more pervasive, amorphous, and hard to predict. The same systems that make today's businesses more efficient also allow new digital risks to move at incredible speeds. From a single click, an attack can spread across an organization in minutes.
Digital risks also amplify traditional risks across the business and impact connected partners and customers, too.
Unfortunately, many organizations accept vast amounts of digital risk—either because they aren't aware of how pervasive the threats have become or because they simply can't afford the technical expertise and tooling. Meanwhile, the digital risks to businesses continue to multiply.
Here are some recent examples:
Ransomware. These attacks are occurring daily, increasing frequency, and becoming more complex. Threat actors are becoming bolder and demanding larger payments, such as the $70 million Kaseya and the $11 million JBS Foods ransoms. In the first half of 2022, the average ransom demand for Coalition policyholders was around $900,000.
Phishing. Nearly one in every 6,000 emails sent contains a suspicious link, according to Fortinet, and a single click can initiate severe damage throughout an organization in a matter of seconds. In the first half of 2022, Coalition found that phishing accounted for around 60% of reported claims—a 32% increase from the second half of 2021. Year after year, phishing remains one of the most common attack vectors.
Supply chain attacks. Attacks are increasingly targeting software providers, such as Mimecast, SolarWinds, and Microsoft Exchange—which provide IT functions such as email, firewalls, and virtual private networks (VPNs). When cybercriminals successfully compromise a vendor's digital perimeter, they can victimize many connected organizations at once.
Business email compromise (BEC) and funds transfer fraud (FTF). Employees remain the single weakest link in an organization's security fence. As a result, we continue to see frequent BEC and FTF claims that target weaknesses in human processes, and the average FTF claim cost a small and medium-sized business over $215,000 in the first half of 2022. FTF severity has increased by 3% from 2021 to 2022, continuing the 3-year trend of increasing FTF claims costs.
Biometric data. Risks are coinciding with the increasing demand for fingerprints and other physical data. The Biometric Information Privacy Act (BIPA) doesn't require a plaintiff to have suffered actual harm to sue, potentially leading to much costlier class-action lawsuits.
Reputational damage. Reputational damage to companies and their officers can stem from various digital sources. Website and social media impersonations and scams directly targeting customers via email spoofing are two examples of tools.
Distributed workforce risks. With millions of employees now working remotely and relying on new technologies, organizations now face exposure to even more considerable risks. It has also created an explosion in potential litigation around wage issues, including time-tracking, overtime compensation, and compliance with the Fair Labor Standards Act (FLSA).
Advantages for Brokers
An active approach to underwriting improves the agent and broker experience. Data removes uncertainty and the complex, time-consuming work from the quoting and renewal process.
1) Simplifies the quoting process. When brokers submit a quote, an active scan of that organization produces a personalized risk assessment, which goes deeper than any questionnaire, looking at the entire technology supply chain that might affect a policyholder's operations.
For brokers, this reduces the tedious process of collecting technical information from clients to a few short questions. It eliminates numerous questions because it can identify everything from a company's operating system to the number of machines connected to the web to malware or infections that may already be in place.
2) Accelerate and optimize pricing. Risk scoring in this assessment determines the coverage price for any individual organization. This understanding allows insurers to accurately price risk based on what's happening—right now, inside an organization—instead of relying on data from a week, month, or even year ago.
3) Enhance broker expertise. These details can be made available to the broker so they can act as the expert to guide their policyholder through digital risk and coverage. Tools, knowledge, and live assistance help to ensure agents and brokers are prepared for policyholder needs.
Advantages for Insureds
The speed of digital threats doesn't just impact cyber risk; it can also affect other risks like directors & officers and employment practices liability, especially as information moves faster and more employees work remotely. Up-to-date data provides indications of public sentiment, litigation, changes to executive staff, and more.
Active insurance provides business policyholders with ongoing monitoring and support. Coalition offers proactive monitoring of known exploits and systemic vulnerabilities that may affect an organization based on their technologies, alerts for critical issues that may put the organization's data or executives at risk, and remediation suggestions to help organizations prevent losses.
The transition to the digital economy is far from over. By the end of 2022, nearly 65% of the global GDP will be digitized and reliant on digital systems, according to The World Economic Forum. The impacts of this shift are profound: a hyper-connected society, a re-imagined economy, and new risks.
Active insurance was born out of the need to respond to this new risk class. It's the logical evolution of risk management in a world where information moves so quickly that it can signal risk patterns in the weeks, days, or even moments before it strikes.
Identifying these signals in all the digital noise and building a model that can move fast enough to respond to them is the magic of active insurance. It is an approach we hope to see repeated in many industries and forms of protection over time.
Shawn Ram is head of insurance at Coalition.
Risk By Association
In today's hard market, cybercrime is becoming more recognized by businesses as a risk. Everyone is looking for coverage, and insurance companies are requiring more businesses to have risk management practices before approving coverage. Active insurance provides meaningful risk management insights throughout the policy term.
Unfortunately, nothing can completely prevent a cyber incident. Even the most secure companies can do everything right and still experience a cyber breach. Active insurance provides foresight into vulnerabilities, the ability to correct them, and strong incident response support if a threat still breaks through. It helps policyholders identify and solve the issue to get back up and running faster, with minimized downtime and financial losses.
When the pandemic struck, digitization came fast for many companies—faster than many could realistically manage. Thousands of employees transitioned overnight to remote work, opening up unsecured access points into networks. Many companies without the resources necessary to set up strong security protocols and systems to protect their data opened themselves to immense digital risk.
Even organizations that were more prepared to manage digitization were introduced to additional risk by third-party vendors or partners with access to their networks. Whatever risk their vendors had, they now took on by association.—SR