What the insurance industry has done for auto and building safety products, insurance broker Marsh wants to extend to cybersecurity products. That is, recommend the cybersecurity products that are the most effective.
The program, named Cyber Catalyst, calls on leading cyber insurers to evaluate cybersecurity products they consider effective in reducing cyber risk, thereby giving organizations some guidance in navigating the cybersecurity marketplace of more than 3,000 providers.
“This is a proven model for the insurance industry,” said Thomas Reagan, Cyber Practice Leader for Marsh, describing it as “applying knowledge and experience about the economic consequences of risk” to support better decision making and behaviors. “This is like seat belts or air bags or building sprinklers.”
According to Reagan, the program is a response to the two most common questions clients ask brokers when it comes to cyber.
“The first one is, ‘What cybersecurity products and services should I use, particularly the one that may not be on my radar?'” he said “And then the second question is, ‘If I use them, what value will those products and services have for my insurer and for my insurance program?'”
The plan establishes a panel of cyber insurers to independently evaluate cybersecurity offerings that address major cyber risks such as data breach, business interruption, data theft or corruption, and cyber extortion.
The initial group of insurers includes Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America, a group that Marsh says represents a substantial portion of gross written premiums in the $4 billion global cyber insurance market.
Microsoft will be a technical advisor to the insurers, providing counsel on the products and services being evaluated. Marsh will not itself take part in the evaluations, Reagan said.
The individual evaluations by insurers will determine if a product or service earns a Cyber Catalyst designation.
Firms that then adopt Cyber Catalyst-designated products may qualify for enhanced terms and conditions on any cyber insurance policies they negotiate with the participating insurers.
One of the issues within the cyber insurance world has been data, or in some cases the lack of data needed for insurers to gauge some cyber risks. Reagan does not see this as a problem for the insurers being asked to evaluate the effectiveness of individual cyber security products. He thinks that insurers have “earned the right” to play this role in the cyber security discussion as a result of their “extensive insight and experience” responding to cyber events over the past decade.
Reagan stressed that the evaluations by insurers are not ratings. Either a product or service will make the cut to earn the designation, or it won’t.
“We’re not going to say certain organizations or products and services didn’t receive the designation,” he added. “We’re just trying to identify things that we think are worthy.”
Reagan said Marsh and the insurers will not be selecting the cyber security organizations that can apply. “Organizations apply based on their own decision,” he said.
Cybersecurity vendors can submit products and services for evaluation in this initial program cycle through May 3. Eligibility criteria can be found on the cyber section of Marsh’s website.
In terms of potential conflicts of interest between insurers and vendors that apply for the designation, Reagan said Marsh expects participating carriers to “act in good faith and to disclose any potential conflicts of interest.”
Marsh hopes to announce the first Cyber Catalyst product designations in the second quarter of 2019.
As might be expected of an insurance program, the Cyber Catalyst brochure contains a disclaimer: “The Cyber Catalyst designation is not a guarantee of performance or certification of cybersecurity prevention or protection.”
*This story appeared previously in our sister publication Insurance Journal.