Insurers and Marsh to Score Cyber Security Products: But Will That Make Us Any Safer?
As cyber security has become a top risk across the economy, a new collaborative rating system by insurers may make it easier for companies to identify and select security solutions.
Proponents of the idea say it could leverage cyber insurers’ expertise to foster greater adoption of security tools and reduce risk.
In late-March, Marsh announced the creation of Cyber Catalyst by MarshSM, a program that brings together leading cyber insurers to evaluate and identify the solutions they consider most effective in reducing risk. With more than 3,000 vendors in the space, organizations find the cyber security market difficult to navigate, said Thomas Reagan, cyber practice leader for Marsh.
“Organizations big and small struggle to evaluate everything that is out there,” Reagan said. “Clients ask for our perspective on a daily basis. It’s a way for us to use the expertise of some of the largest cyber insurers in the world.”
Participating insurers include Allianz, AXIS, AXA XL, Beazley, CFC, Munich Re, Sompo International and Zurich North America. With the help of Microsoft as a technical advisor, they will rate solutions based on their security performance in major risk areas, such as data breach, business interruption, data theft and extortion.
Top-rated solutions will earn the designation of “Cyber Catalyst.”
While Marsh has led the collaborative effort, it will not participate in rating the products, Reagan said. The ratings offer clients and the broader cyber security economy more clarity and confidence in the choices they are making, he added.
Selecting solutions can be complex, because organizations must now protect multiple layers and areas of control, from endpoint computing devices and access controls to networks and cloud environments, said Nadine Moore, Accenture cyber security lead for insurance.
“At each point, there are vulnerabilities that an attacker can exploit. The reason there are so many products is you need to protect all of those different elements against attack,” Moore said.
Will Ranking Cyber Security Products Be Enough?
As the threats increase and call for greater innovation, the number of products on the market may only grow. A recent report by MarketStudyReport.com forecasts the increasing frequency of cyber attacks, digitization across industries and mainstream adoption of IoT to push the global cyber security market to $300 billion by 2024.
“There is so much happening with artificial intelligence, I think you’re going to see more innovation … because of the risks and what attackers are doing, the industry has to perpetually change to keep up,” Moore said.
Yet some question the effectiveness of the ratings.
One risk is that it could influence CISOs to adopt whatever has the highest rating at the time, regardless of its performance, said Joseph Steinberg, a cyber security and emerging technologies advisor.
And because cyber criminals are constantly creating new attack methods, the best defenses often come from the newest and most innovative solutions, Steinberg said.
“I’ve seen it in meetings with major financial institutions. People will try to cover themselves. CISOs may ask if they go in and use something everyone else is using, or do they take a chance on a product that would deliver better security but leave questions if something goes wrong,” he said.
The highest rated products would create a “de facto standard” for which organizations would flock to adopt even if it doesn’t fully fit their needs, Steinberg added. “On the other hand, there may not be a better approach. At least the [rating system] could weed out bad products.”
The group is expected to announce the first Cyber Catalyst designations in the second quarter of 2019, and participating insurers will re-evaluate products a few times per year. While the group will create ratings, it will ultimately be up to each company to decide which products to use and how to deploy them, Reagan said.
While there are other rating systems on the market, such as Gartner’s Magic Quadrant and Forrester’s New Wave, it’s a notable milestone for the insurance industry to take a lead role on this topic, Moore said.
She believes that as organizations continue to adopt new tools, it will create better risk profiles for companies, reduce risk across the spectrum and improve the cyber insurance market.
Reagan noted that the insurance industry has a history of reducing risk by using its experience to make improvements in safety, such as has occurred with vehicles and transportation.
“This model of taking the insurance industry and applying it to the boarder [issue] has worked,” said Reagan. “Take the expertise and experience gained from dealing with the most challenging situations facing society and use it to prove guidance on how we can make things better.” &