Jenny Soubra, US head of cyber at Allianz Global Corporate & Specialty, spoke with TechRepublic’s Dan Patterson about the growth of the cyber-insurance industry, and how businesses can determine the right options for their own cybersecurity. Here’s part of their conversation:

Patterson: I wonder if we could start by defining the scope, the scale of not just the cybersecurity challenge, but the cybersecurity insurance industry. How big are the attacks that we experience when we talk about SMBs, startups, and enterprise companies, and how big is the insurance industry that protects those companies?

Soubra: In terms of the industry as a whole, the current industry, in terms of gross written-premium, is at about $3.5 billion. Over the next five to seven years, it’s projected to grow to 20 billion, so we’re looking at significant growth in terms of the cyber-insurance space.

In the U.S., specifically, only 32% of companies are currently buying cyber-specific insurance, and when you couple that with the fact that 90% of the world’s cyber insurance is bought in the U.S., it’s an extremely under-served market. The numbers are staggering, When you think about the fact that small to mid-sized businesses, 60% of them fold within the first year after having a privacy incident when they don’t carry cyber insurance.

SEE: DHS cyberinsurance research producing insights about security trends (TechRepublic)

The insurance piece is a critical part of the risk management program for any organization, because it really covers those hard costs associated with dealing with a cyber breach, so not just in terms of the downstream liability that may come as a result of losing your customers’ personal information, or mishandling it, or whatever the case may be, it’s also just the cost of the forensics to figure out what happened, any of the notification costs, setting up call-centers, public relations costs as well, to deal with the breach itself.

Patterson: This seems like a flag or a marker of the digital transformation of almost every industry, and as we see more companies behave in a way that is digital, or at least use digital tools like the cloud, we also see this rise in breaches. How do I, if I run an SMB, or a startup in particular, at an enterprise company, I may have some of these resources, but how do I begin the process of assessment? How do I really understand what my real risk is versus some of the fears I might have about my company?

Soubra: There are a lot of fears out there, and that comes from a lack of education and knowledge around the topic, especially for SMBs. It’s difficult to know where to start. One of the problems that exists in the market, especially for small and mid-sized businesses, is they are unable to quantify their risk. It does start with an assessment. There are tools available to self-assess as a starting point. Do I have certain basic controls in place to mitigate risk? But the checkbox approach, of course, is never enough.

SEE: Security awareness and training policy (Tech Pro Research)

Being able to also make educated decisions around what technology to deploy is also an issue. A full cottage industry has sprung up around cybersecurity services, and it’s difficult to know which firms are reputable, which actually have experience, which ones might just be Uncle Joe trying to dabble into the cybersecurity space. So, a lot of companies, organizations, we at Allianz as well, have created solutions around vendor panels, looking at all of the different areas that a company might need assistance with when determining what their cybersecurity cluster is. That can range from penetration testing on their network, helping them to identify what their vulnerabilities are, and then making recommendations around technology on how to mitigate those risks.

Also see: