In late March, Marsh announced the launch of a program with a number of leading cyberinsurance firms including Allianz, AXA, Beazley, XL, and Zurich to evaluate cybersecurity products and services. Products that meet a minimum standard of criteria receive the designation of “Cyber Catalyst” for their effectiveness in reducing cyber risk. The intent is for insurance premiums to decrease for companies using Cyber Catalyst products/services, though there is no indication of how much premiums will drop by. This is not the first time that cyberinsurers have announced partnerships with vendors in an attempt to sell more products and keep premiums down, but it is the most ambitious.
How Does It Work?
Security vendors submit an application to have their products/services evaluated by participating cyberinsurers. Each cyberinsurer will individually conduct an evaluation and send results to Marsh; Marsh then aggregates the assessments and awards Cyber Catalyst status to products meeting a minimum baseline. Though no explicit details are given on how the evaluation works, the core principles guiding the process are: 1) reduction of cyber risk; 2) ability to measure that reduction; 3) solution viability; 4) efficiency; 5) flexibility; and 6) unique features. It’s unclear if there will be regular (annual? biennial?) updates to the completed evaluations for maintaining the status over time.
Why Is This Happening?
Insurance growth is weak: 2.6% in the Americas and -.8% in Europe. Faced with a slow and stale market, insurers are pursuing market opportunities wherever they can, and the cyberinsurance market will grow from $4.5 billion in 2017 to an estimated $17.6 billion by 2023. That’s where the Cyber Catalyst program comes in. It’s a promotional campaign for cyberinsurers and security vendors to get their products into the doors of more businesses. It also doubles as an opportunity for cyberinsurers to collect risk data on security products/services, which is desirable for insurers, as they lack the decades of historical pricing data used in other kinds of insurance.
What’s Wrong With The Cyber Catalyst Approach?
The program assumes that having products or services with the Cyber Catalyst gold star pasted on it reduces the likelihood of your company suffering a breach. Overall, it will spawn a cottage industry within the security market associated with performing assessments for the cyberinsurers. While this might gainfully employ an army of consultants, it doesn’t help businesses. Put plainly, acquiring new technology does not automatically make you more secure. Proper technology implementation and ongoing operations are already challenging for many organizations. You also can’t shortchange good security strategy and risk management.
What It Means For Customers
When the Cyber Catalyst finalists are announced in June, security professionals can largely ignore it. Businesses should not be buying security solutions based on their Cyber Catalyst designation; they should be buying based on the alignment of a solution with their security and risk strategy and the needs of their organization. Products that make the cut for the list are likely ones that would have made your shortlist anyway. If you happen to already be using a product named on the list, see if you can get a cyberinsurance premium discount.
If you’re interested in learning more about cyberinsurance, check our report, “Your Guide To Cyberinsurance.”
(Written with Trevor Lyness, researcher at Forrester)