Business cyber insurance should be more like car insurance
Many businesses own vehicles for business purposes. Many more allow employees to use their personal vehicles for business purposes - the classic example being sales people who use their own cars to make sales calls. The company can carry "non-owned auto" liability for accidents that happen in personal vehicles on work business. The employee's personal car insurance covers the "primary" liability, and the employer's "non-owned auto" policy covers "excess" and pays second.
In today's world - only accelerated by COVID-19 - personally-owned computers and devices have become the equivalent of a personal vehicle being used for work purposes. Employees "drive" their personal computers and home networks to make video sales calls to customers. The company carries liability for "work cyber accidents" that happen. But relative to the vehicle example, there is one crucial difference. In cyber insurance, there is typically no personal cyber insurance carried by the employee to act as the primary payer in case of a "cyber accident".
If the employer and employee are to move to a shared responsibility situation like they do with vehicles, some new thinking is needed.
A change of mindset - from "securing a place" to protecting a workforce
Most business owners and IT managers treat business cyber-insurance in a similar way to building insurance. They are primarily insuring against a break-in, or destruction of their place of business. Employee use of personal devices for work purposes is generally a secondary consideration.
While many companies mandate use of company-provided computer equipment and networks, most also permit use of personal computers and equipment. Companies can control the configuration of a work computer (just as they can specify the specs of a delivery van they buy) but have much less control over devices their employees own and use for work.
Individuals are not going to self-insure for cyber-risk overnight. There are no regulatory mandates on the horizon that would make an individual carry personal cyber-insurance. So there is a role for the employer to introduce information and support to help their team understand and manage their own personal cyber-risk.
Our customer Delta Insurance has done exactly that. They have introduced PerCy - a personal and household cyber protection insurance product. Employers can buy this product as a group product that covers their entire workforce. An employer can now make this part of a three-pronged strategy that makes "work from home" safer, and more of a shared responsibility between employer and employee for overall cyber-safety:
- Equipment - the employer can describe what devices and software can and can't be used for work purposes
- Education - the employer must inform and educate the employee about what proper usage looks like
- Risk Management - insurances and support services that cover usage of personal devices and software
Over time, we can see more and more of this approach reaching workplaces. As companies get better at educating, supporting and insuring their people to operate safely from home using their own computers, there will be increased acceptance of risk-sharing between individuals and employer.
How cyber insurance could be more like car insurance
Thinking beyond the workplace, there is considerable scope for personal cyber-insurance to be more tailored to the individual, and easier to buy. I think the auto insurance paradigm is a pretty useful one to model on.
Auto insurers consider many factors when they price car insurance. What's the make and model of the vehicle being covered? (proxy for 'what does it cost to fix?', 'does this type of vehicle get stolen?' or 'do drivers of this kind of vehicle behave a certain way?'). What's the age and driving experience of the person? (proxy for likelihood to be involved in accidents or claims). Where does the person live? (proxy for what accident and claim rates look like in that area). How do they intend to use the vehicle? (second car, just driving to the store and school, or work or commercial use?)
If insurers could think about and price personal cyber-insurance risk in a similar way, it could be quite interesting. What devices do you use? (proxy for how 'safe' your 'vehicle' might be). What's your usage experience? (proxy for likelihood to experience a problem). What do you do with your device? (proxy for the degree of security risk for this person on this device).
So imagine a person could say "I have a 2019 Microsoft Surface Pro 7 running Windows 10, and an iPhone 8. I'm 32, and I live in Berlin. I do graphic design work and use videoconferencing from home" and get a tailored personal cyber-insurance quote. Unlike vehicles, with good UX design the underwriting and purchase process could be made even simpler: for example, ask "Do you want to insure this device?" and then detect the hardware and operating system settings automatically rather than asking the person to describe them.
This of course oversimplifies things. But as with other innovations in insurance, such as 'pay by the mile' car insurance or parametric insurance, such products may not be that far away. They could help insurers, employers and individuals to better manage evolving risk around these new ways of working.