How Google Cloud, Microsoft and AWS are trying to fix cyber insurance with data

The cloud hyperscalers say that with data on the security of customer configurations, cyber insurers can gain more confidence in writing policies. Customers, meanwhile, can benefit from cheaper pricing and broader coverage.

As the nascent market for cybersecurity insurance develops and matures, insurance companies think they've found a better way to provide coverage and set rates: working directly with cloud providers.

Global insurance giant Munich Re, for instance, has been working with Google Cloud and insurer Allianz on a policy that aims to provide customers with lower costs, coverage for a broader set of cyber risks and greater transparency into the entire process.

Cyber insurance provides financial protection against damages caused by cyberattacks, but the market has been thrown off-kilter by a wave of ransomware attacks that have led insurers to rapidly raise prices and pare back coverage.

"There's a lot of noise and a lot of misconceptions around cyber insurance — about what it covers, what it doesn't cover, when it pays, when it doesn't pay," said Bob Parisi, Munich Re's head of cyber solutions for North America. "Transparency hasn't been our strongest suit in the cyber insurance marketplace up until now. But transparency and being data-driven are probably the way to increase the sustainability of the cyber insurance market."

The crux of the approaches is the use of a customer’s IT configuration data provided directly from the cloud providers, which can give insurers a degree of certainty they’ve never before had when assessing the cyber risk of potential policyholders.

While a number of startups have championed the idea of using data on customer security posture to inform cyber insurance decisions, the idea of a vendor taking a hands-on role in co-designing a unique policy for customers is newer. Google Cloud and its insurance partners began publicly offering their "Cloud Protection +" policy in mid-2021.

Other major cloud vendors have since launched their own bids to enable a more data-powered cyber insurance market. AWS has partnered with startup Cowbell Cyber and insurer Swiss Re to provide insurance coverage of workloads running in its cloud. And Microsoft has teamed up with another cyber insurance startup, At-Bay, on a policy focused around the use of the cloud-based Microsoft 365 productivity suite.

For Microsoft’s efforts in cyber insurance, “we really wanted to create better access” for customers, said Ann Johnson, corporate vice president of security, compliance and identity at Microsoft. At the same time, the company has sought to give insurers “the confidence that they could accurately assess the risk of an organization," Johnson said.

In terms of the business case for Google Cloud, Microsoft and AWS getting involved in cyber insurance, the programs each act as an incentive for customers to rely more heavily on their respective cloud-based services.

But at a time of major concern about the sustainability of cyber insurance, the efforts also aim to serve as a model for how to get things back on track, the cloud providers told Protocol.

The power of data

The price of U.S. cyber insurance policies surged 79% in the second quarter from the same period a year ago, though that was actually below the two prior quarters, when prices more than doubled, according to a report from Marsh McLennan.

At the same time, demand for cyber insurance has been increasing and coverage has tightened, especially for higher-risk sectors such as health care, the U.S. Government Accountability Office has reported.

Together, these factors have led to a shortfall of available cyber insurance along with elevated premiums for those that are able to access it.

To keep cyber insurance available to customers and help it mature as a category of insurance, the major cloud platforms are focusing on data collection and using that data as the basis for more trustworthy cyber insurance policies.

Of the three cloud providers, Google Cloud has acted the most quickly and, its executives would argue, the most aggressively when it comes to getting involved in cyber insurance. Google Cloud first announced its Risk Protection Program and accompanying Cloud Protection + policy as a private preview in March 2021.

Bolstered by Google's track record for embedding strong security into its own infrastructure, “our emphasis in this area is unique,” said MK Palmore, director for the office of the CISO at Google Cloud. The company's adoption more than a decade ago of "zero trust" architecture, which requires a higher level of user verification, is among the key indicators of this long-running focus on security, Palmore said.

The program requires customers to use Google Cloud, though not exclusively; policies written through the program will cover all of a customer's IT environments.

To participate, customers scan their cloud environment with Google Cloud's Risk Manager tool, which picks up the security metrics that inform the underwriting process. Right now, the metrics are based around CIS (Center for Internet Security) benchmarks, which offer guidelines for secure configurations and were developed in part by industry experts and vendors.

After that, customers can choose to share the data from the scan directly with Allianz and Munich Re, which launches the insurance purchasing process.

Unique coverage

While the policy does cover a customer's entire IT footprint, the unique element is that it offers broader coverage for Google Cloud workloads than would be available for insuring assets in any other type of IT environment, as well as potentially lower pricing. "The more Google Cloud that you use, the more the metrics that they're getting from the report, and the more that impacts the premium," said Monica Shokrai, head of business risk and insurance at Google Cloud. The pricing savings will vary by customer, according to Google Cloud.

The broader coverage available in Google Cloud compared to other environments includes both enhanced third-party liability and more coverage for direct losses from a cyberattack incident, according to Munich Re's Parisi.

Expanded direct loss coverage includes a full year of coverage for business interruption loss, compared to the usual standard of six months, he said.

Another enhancement is coverage for protection against the theft of trade secrets in a Google Cloud environment, which is typically excluded in cyber insurance policies, Parisi said.

To provide that sort of protection, an underwriter would want to know a lot of information about how a customer's environment is configured, he noted. However, "having a client give us that inside look as to how they're using Google Cloud gives us the level of comfort to do that," Parisi said.

There has been some education needed both among brokers and customers about the program since it's a new concept, he said. But every time the insurer has succeeded at getting a broker to fully understand the program, the interest “snowballs.”

Currently the policy is offered only to U.S. customers that have between $500 million and $5 billion in annual revenue, though the goal is to expand it more widely and cover “as many customers as we can over time," Shokrai said.

Ultimately, for both insurers and customers, "we're providing a solution that helps them in an area that is particularly difficult at this point in time," she said.

For Microsoft's cyber insurance program with At-Bay, first announced in September 2021, the focus for now is just on Microsoft 365 and does not cover Azure, the cloud platform that competes with Google Cloud and AWS. Crucially though, Microsoft 365 includes applications that are often leveraged by attackers, such as Outlook and Word, in order to spread ransomware and other malware.

According to Microsoft and At-Bay, for customers that implement certain security controls, and opt in to share data showing secure configurations for Microsoft 365, the savings on a cyber insurance policy can reach as high as 15%, compared to At-Bay’s regular pricing. Key security controls include multifactor authentication and Microsoft Defender for Office 365, an email security service.

The policy also covers other parts of a customer's IT environment, in addition to Microsoft 365. But given how essential Microsoft 365 is to many businesses, just taking additional security measures on that platform can justify the savings for the customer's entire cyber insurance policy, according to Rotem Iram, founder and CEO at At-Bay.

"By having them strengthen their email environment, by having them deploy MFA — we're not eliminating the risk, but we move the needle in a very significant way," Iram said.

While the program is targeted toward midmarket companies, there is no revenue limit for participation. It’s currently only available for U.S. customers.

Helping insurers to scale

The data provided to the insurers is combined with Microsoft threat intelligence and boiled down to a customer's Secure Score with Microsoft, which the insurer uses to write a policy.

In the future, Microsoft may extend this approach to enabling cyber insurance for the use of Azure as well, Johnson said. The company is also working on partnerships with other cyber insurers, she said, though they haven't been publicly announced yet.

AWS is also taking a data-driven approach in its partnership with Cowbell Cyber, which was initially announced in November 2021 with a risk assessment tool aimed at helping customers to better secure themselves in order to acquire cyber insurance coverage.

Earlier this month, the partnership expanded with the introduction of cyber insurance coverage for AWS workloads, which includes involvement from insurer Swiss Re. AWS did not make an executive available for comment.

The policy covers only usage of AWS and is best suited to customers that use the AWS cloud extensively, said Jack Kudale, founder and CEO at Cowbell Cyber. U.S. customers with up to $750 million in annual revenue are eligible.

The program utilizes Cowbell Factors, the startup's underwriting platform that rates a business on its security risk relative to its peers in the industry. The program derives a premium and coverage limits based on the Cowbell Factors rating, providing lower premiums and higher limits for customers that rate better on configuration, vulnerabilities and compliance measures, Kudale said.

The program stands out by being 100% automated, with the entire insurance process completed based upon the data analysis performed by Cowbell's software, he said.

For the purpose of insuring against cyberattacks, "you want to be able to underwrite to precision, and not based upon the traditional rating factors" used in other areas of insurance, such as industry and size, Kudale said. "When it comes to cyber risk, it's not realistic to be able to underwrite a business on those factors."

Ultimately, in the cyber insurance market, "all the hyperscalers will have the opportunity to participate — and should participate, by the way," Microsoft’s Johnson said. “I think there's an obligation there.”

Data and visibility are what the cyber insurers “need desperately," and the hyperscalers have it, she said.

Providing this visibility to insurers “will help them break through that ceiling they're facing right now,” Johnson said. “They just can't scale [without] the data."
