Google Cloud, Microsoft and AWS dive into cyber insurance | Business Insurance

know about this Google Cloud, Microsoft and AWS dive into cyber insurance

in complete details.

As the nascent cybersecurity insurance market develops and matures, insurance companies believe they have found a better way to provide coverage and set rates: working directly with cloud providers.

Global insurance giant Munich Re, for example, has been working with Google Cloud and insurer Allianz on a policy that aims to give customers lower costs, coverage for a broader set of cyber risks, and greater transparency around everything. the process.

Cyber ​​insurance provides financial protection against damage caused by cyber attacks, but the market has been thrown off balance by a wave of ransomware attacks that have prompted insurers to rapidly raise prices and cut coverage.

“There’s a lot of noise and a lot of misconceptions about cyber insurance: what it covers, what it doesn’t cover, when it pays, when it doesn’t pay,” said Bob Parisi, head of cyber solutions at Munich Re. North America. “Until now, transparency has not been our strong point in the cyber insurance market. But transparency and data orientation are probably the way to increase the sustainability of the cyber insurance market.”

The crux of the approaches is the use of a customer’s IT configuration data provided directly by cloud providers, which can give insurers a degree of certainty they’ve never had before when assessing the cyber risk of assets. potential insured.

While several startups have championed the idea of ​​using customer security posture data to inform cyber insurance decisions, the idea of ​​a provider taking a hands-on role in co-designing a single policy for customers is more new. Google Cloud and its insurance partners began publicly offering their “Cloud Protection +” policy in mid 2021.

Since then, other major cloud providers have launched their own offerings to enable a more data-driven cyber insurance market. AWS has partnered with startup Cowbell Cyber ​​and insurer Swiss Re to provide insurance coverage for workloads running on its cloud. And Microsoft has partnered with another cyber insurance startup, At-Bay, on a policy focused on the use of the cloud-based Microsoft 365 productivity suite.

For Microsoft’s efforts in cyber insurance, “we really wanted to create better access” for customers, said Ann Johnson, corporate vice president of security, compliance and identity at Microsoft. At the same time, the company has sought to give insurers “the confidence that they can accurately assess an organization’s risk,” Johnson said.

In terms of the business case for Google Cloud, Microsoft, and AWS to engage in cyber insurance, each of the programs acts as an incentive for customers to trust their respective cloud-based services more.

See also  Manchin and Schumer in surprise agreement on health, energy and taxes | Health & Fitness

But at a time of heightened concern about the sustainability of cyber insurance, the efforts are also meant to serve as a blueprint for how to get things back on track, the cloud providers told Protocol.

The power of data

According to a report by Marsh McLennan.

At the same time, the demand for cyber insurance has been on the rise and coverage has tightened, especially for higher-risk sectors like health care, the US Government Accountability Office. has informed.

Together, these factors have led to a deficit of cyber insurance available along with high premiums for those who can afford it.

To continue to provide customers with cyber insurance and help it mature as an insurance category, leading cloud platforms are focusing on data collection and using it as the basis for writing more reliable cyber insurance policies.

Of the three cloud providers, Google Cloud has moved the fastest, and its executives would argue, the most aggressively, when it comes to getting involved in cyber insurance. Google Cloud first announced its Risk Protection Program and the accompanying Cloud Protection + policy as a private preview at March 2021.

Bolstered by Google’s history of building strong security into its own infrastructure, “our emphasis in this area is unique,” said MK Palmore, director of the CISO office at Google Cloud. The company’s adoption of more than a decade of “zero trust” architecturerequiring a higher level of user verification is among the key indicators of this longstanding focus on security, Palmore said.

The program requires customers to use Google Cloud, but not exclusively; Policies written through the program will cover all of a customer’s IT environments.

To opt in, customers use Google Cloud’s Risk Manager tool to scan their cloud environment, which collects security metrics that inform the opt-in process. At this time, the metrics are based on CIS (Center for Internet Security) points of referencethat provide guidelines for secure configurations and were developed in part by vendors and industry experts.

After that, customers can choose to share the scan data directly with Allianz and Munich Re, which starts the insurance buying process.

unique coverage

While the policy covers all of a customer’s IT space, the unique element is that it offers broader coverage for Google Cloud workloads than would be available to insure assets in any other type of IT environment, as well as potentially lower prices. “The more Google Cloud you use, the more metrics you get from the report and the more it impacts your premium,” said Monica Shokrai, director of business risk and insurance at Google Cloud. Price savings will vary by customer, according to Google Cloud.

See also  Insurance reform died last week. Will legislators come back to address it in a Special Session?

The broader coverage available in Google Cloud compared to other environments includes enhanced third-party liability along with more coverage for direct losses from a cyberattack incident, according to Munich Re’s Parisi.

The expanded direct loss coverage includes a full year of coverage for business interruption losses, compared to the usual standard of six months, it said.

Another improvement is protection coverage against trade secret theft in a Google Cloud environment, which is typically excluded in cyber insurance policies, Parisi said.

To provide that kind of protection, an underwriter would want to know a lot of information about how a customer’s environment is set up, he said. However, “having a client that gives us an inside view of how they’re using Google Cloud gives us the comfort level to do so,” Parisi said.

Some education has been needed among both brokers and customers about the program, as it is a new concept, he said. But every time the insurer gets a broker to fully understand the program, interest skyrockets.

The policy is currently offered only to US clients who have between $500 million and $5 billion in annual income, though the goal is to expand it more widely and cover “as many clients as we can over time,” Shokrai said. .

Ultimately, for both insurers and clients, “we’re providing a solution that helps them in an area that’s particularly difficult right now,” he said.

For Microsoft’s cyber insurance program with At-Bay, first Announced in September 2021, the focus for now is only on Microsoft 365 and does not cover Azure, the cloud platform that competes with Google Cloud and AWS. More importantly, however, Microsoft 365 includes applications that are often exploited by attackers, such as Outlook and Word, to spread ransomware and other malware.

According to Microsoft and At-Bay, for customers who implement certain security controls and choose to share data showing secure settings for Microsoft 365, savings on a cyber insurance policy can be up to 15%, compared to At-Bay . regular prices. Key security controls include multi-factor authentication and Microsoft Defender for Office 365, an email security service.

The policy also covers other parts of a customer’s IT environment in addition to Microsoft 365. But given how essential Microsoft 365 is to many businesses, simply taking additional security measures on that platform can justify the savings on the entire insurance policy. customer cyber, according to Rotem Iram, founder and CEO of At-Bay.

“By having them harden their email environment, by having them implement MFA, we’re not removing risk, but we’re moving the needle in a very significant way,” Iram said.

See also  Avoid These 3 Critical Investing Mistakes At All Costs Right Now | Smart Switch: Personal Finance

While the program is geared toward midsize businesses, there is no income limit for participation. Currently only available to US customers.

Helping insurers scale

The data provided to insurers is combined with Microsoft threat intelligence and boiled down to a customer’s secure score with Microsoft, which the insurer uses to write a policy.

In the future, Microsoft may expand this approach to also enable cyber insurance for Azure usage, Johnson said. The company is also working on partnerships with other cyber insurers, he said, though these have yet to be publicly announced.

AWS is also taking a data-driven approach in its partnership with Cowbell Cyber, which was initially Announced in November 2021 with a risk assessment tool intended to help customers better protect themselves to purchase cyber insurance coverage.

Earlier this month, the association expanded with the introduction of cyber insurance coverage for AWS workloads, which includes participation from insurer Swiss Re. AWS did not make any executives available for comment.

The policy only covers AWS usage and is more ideal for customers who use the AWS cloud extensively, said Jack Kudale, founder and CEO of Cowbell Cyber. US customers with up to $750 million in annual revenue are eligible.

The program uses Cowbell Factors, the startup’s underwriting platform that rates a company based on its security risk relative to peers in the industry. The program derives a premium and coverage limits based on the Cowbell Factors rating, providing lower premiums and higher limits for customers who qualify better on configuration, vulnerabilities and compliance measures, Kudale said.

The program is notable for being 100% automated, and the entire insurance process was completed based on data analysis performed by Cowbell’s software, he said.

In order to insure against cyberattacks, “you have to be able to underwrite accurately, and not based on traditional rating factors” used in other areas of insurance, such as industry and size, Kudale said. “When it comes to cyber risk, it’s not realistic to be able to back a business on those factors.”

Ultimately, in the cyber insurance market, “all hyperscalers will have a chance to participate, and should participate, by the way,” said Microsoft’s Johnson. “I think there is an obligation there.”

Data and visibility are what cyber insurers “desperately need,” and hyperscalers have it, he said.

Providing this visibility to insurers “will help them get through the ceiling that they’re facing right now,” Johnson said. They just can’t scale [without] the data.”