How Google Cloud, Microsoft and AWS are trying to fix cyber insurance with data

The cloud hyperscalers say that with data on the security of customer configurations, cyber insurers can gain more confidence in writing policies. Customers, meanwhile, can benefit from cheaper pricing and broader coverage.

As the nascent market for cybersecurity insurance develops and matures, insurance companies think they've found a better way to provide coverage and set rates: working directly with cloud providers.

Global insurance giant Munich Re, for instance, has been working with Google Cloud and insurer Allianz on a policy that aims to provide customers with lower costs, coverage for a broader set of cyber risks and greater transparency into the entire process.

Cyber insurance provides financial protection against damages caused by cyberattacks, but the market has been thrown off-kilter by a wave of ransomware attacks that have led insurers to rapidly raise prices and pare back coverage.

"There's a lot of noise and a lot of misconceptions around cyber insurance — about what it covers, what it doesn't cover, when it pays, when it doesn't pay," said Bob Parisi, Munich Re's head of cyber solutions for North America. "Transparency hasn't been our strongest suit in the cyber insurance marketplace up until now. But transparency and being data-driven are probably the way to increase the sustainability of the cyber insurance market."

The crux of these approaches is the use of a customer’s IT configuration data, provided directly by the cloud providers, which can give insurers a degree of certainty they’ve never before had when assessing the cyber risk of potential policyholders.

While a number of startups have championed the idea of using data on customer security posture to inform cyber insurance decisions, the idea of a vendor taking a hands-on role in co-designing a unique policy for customers is newer. Google Cloud and its insurance partners began publicly offering their "Cloud Protection +" policy in mid-2021.

Other major cloud vendors have since launched their own bids to enable a more data-powered cyber insurance market. AWS has partnered with startup Cowbell Cyber and insurer Swiss Re to provide insurance coverage of workloads running in its cloud. And Microsoft has teamed up with another cyber insurance startup, At-Bay, on a policy focused around the use of the cloud-based Microsoft 365 productivity suite.

For Microsoft’s efforts in cyber insurance, “we really wanted to create better access” for customers, said Ann Johnson, corporate vice president of security, compliance and identity at Microsoft. At the same time, the company has sought to give insurers “the confidence that they could accurately assess the risk of an organization,” Johnson said.

In terms of the business case for Google Cloud, Microsoft and AWS getting involved in cyber insurance, the programs each act as an incentive for customers to rely more heavily on their respective cloud-based services.

But at a time of major concern about the sustainability of cyber insurance, the efforts also aim to serve as a model for how to get things back on track, the cloud providers told Protocol.

The power of data

The price of U.S. cyber insurance policies surged 79% in the second quarter from the same period a year ago, though that was actually below the two prior quarters, when prices more than doubled, according to a report from Marsh McLennan.

At the same time, demand for cyber insurance has been increasing and coverage has tightened, especially for higher-risk sectors such as health care, the U.S. Government Accountability Office has reported.

Together, these factors have led to a shortfall of available cyber insurance along with elevated premiums for those that are able to access it.

In order to continue providing customers with cyber insurance, and help it to mature as a category of insurance, major cloud platforms are focusing on data collection and using that as the basis for writing more trustworthy cyber insurance policies.

Of the three cloud providers, Google Cloud has acted the most quickly — and, its executives would argue, the most aggressively — when it comes to getting involved in cyber insurance. Google Cloud first announced its Risk Protection Program and accompanying Cloud Protection + policy as a private preview in March 2021.

Bolstered by Google's track record for embedding strong security into its own infrastructure, “our emphasis in this area is unique,” said MK Palmore, director for the office of the CISO at Google Cloud. The company's adoption more than a decade ago of "zero trust" architecture, which requires a higher level of user verification, is among the key indicators of this long-running focus on security, Palmore said.

The program requires customers to use Google Cloud, though not exclusively; policies written through the program will cover all of a customer's IT environments.

To participate, customers use Google Cloud's Risk Manager tool to scan their cloud environment, which picks up the security metrics that inform the underwriting process. Right now, the metrics are based around CIS (Center for Internet Security) benchmarks, which offer guidelines for secure configurations and were developed in part by industry experts and vendors.

After that, customers can choose to share the data from the scan directly with Allianz and Munich Re, which launches the insurance purchasing process.

Unique coverage

While the policy does cover a customer's entire IT footprint, the unique element is that it offers broader coverage for Google Cloud workloads than would be available for insuring assets in any other type of IT environment, as well as potentially lower pricing. "The more Google Cloud that you use, the more the metrics that they're getting from the report, and the more that impacts the premium," said Monica Shokrai, head of business risk and insurance at Google Cloud. The pricing savings will vary by customer, according to Google Cloud.

The broader coverage available in Google Cloud compared to other environments includes both enhanced third-party liability along with more coverage for direct losses from a cyberattack incident, according to Munich Re's Parisi.

Expanded direct loss coverage includes a full year of coverage for business interruption loss, compared to the usual standard of six months, he said.

Another enhancement is coverage for protection against the theft of trade secrets in a Google Cloud environment, which is typically excluded in cyber insurance policies, Parisi said.

To provide that sort of protection, an underwriter would want to know a lot of information about how a customer's environment is configured, he noted. However, "having a client give us that inside look as to how they're using Google Cloud gives us the level of comfort to do that," Parisi said.

There has been some education needed both among brokers and customers about the program since it's a new concept, he said. But every time the insurer has succeeded at getting a broker to fully understand the program, the interest “snowballs.”

Currently the policy is offered only to U.S. customers that have between $500 million and $5 billion in annual revenue, though the goal is to expand it more widely and cover “as many customers as we can over time,” Shokrai said.

Ultimately, for both insurers and customers, "we're providing a solution that helps them in an area that is particularly difficult at this point in time," she said.

For Microsoft's cyber insurance program with At-Bay, first announced in September 2021, the focus for now is just on Microsoft 365 and does not cover Azure, the cloud platform that competes with Google Cloud and AWS. Crucially though, Microsoft 365 includes applications that are often leveraged by attackers, such as Outlook and Word, in order to spread ransomware and other malware.

According to Microsoft and At-Bay, for customers that implement certain security controls, and opt in to share data showing secure configurations for Microsoft 365, the savings on a cyber insurance policy can reach as high as 15%, compared to At-Bay’s regular pricing. Key security controls include multifactor authentication and Microsoft Defender for Office 365, an email security service.

The policy also covers other parts of a customer's IT environment, in addition to Microsoft 365. But given how essential Microsoft 365 is to many businesses, just taking additional security measures on that platform can justify the savings for the customer's entire cyber insurance policy, according to Rotem Iram, founder and CEO at At-Bay.

"By having them strengthen their email environment, by having them deploy MFA — we're not eliminating the risk, but we move the needle in a very significant way," Iram said.

While the program is targeted toward midmarket companies, there is no revenue limit for participation. It’s currently only available for U.S. customers.

Helping insurers to scale

The data provided to the insurers is combined with Microsoft threat intelligence and boiled down to a customer's Secure Score with Microsoft, which the insurer uses to write a policy.

In the future, Microsoft may extend this approach to enabling cyber insurance for the use of Azure as well, Johnson said. The company is also working on partnerships with other cyber insurers, she said, though they haven't been publicly announced yet.

AWS is also taking a data-driven approach in its partnership with Cowbell Cyber, which was initially announced in November 2021 with a risk assessment tool aimed at helping customers to better secure themselves in order to acquire cyber insurance coverage.

Earlier this month, the partnership expanded with the introduction of cyber insurance coverage for AWS workloads, which includes involvement from insurer Swiss Re. AWS did not make an executive available for comment.

The policy covers only usage of AWS and is best suited to customers that use the AWS cloud extensively, said Jack Kudale, founder and CEO at Cowbell Cyber. U.S. customers with up to $750 million in annual revenue are eligible.

The program utilizes Cowbell Factors, the startup's underwriting platform that rates a business on its security risk relative to its peers in the industry. The program derives a premium and coverage limits based on the Cowbell Factors rating, providing lower premiums and higher limits for customers that rate better on configuration, vulnerabilities and compliance measures, Kudale said.

The program stands out by being 100% automated, with the entire insurance process completed based upon the data analysis performed by Cowbell's software, he said.

For the purpose of insuring against cyberattacks, "you want to be able to underwrite to precision, and not based upon the traditional rating factors" used in other areas of insurance, such as industry and size, Kudale said. "When it comes to cyber risk, it's not realistic to be able to underwrite a business on those factors."

Ultimately, in the cyber insurance market, "all the hyperscalers will have the opportunity to participate — and should participate, by the way," Microsoft’s Johnson said. “I think there's an obligation there.”

Data and visibility are what the cyber insurers “need desperately,” and the hyperscalers have it, she said.

Providing this visibility to insurers “will help them break through that ceiling they're facing right now,” Johnson said. “They just can't scale [without] the data.”

