Google Working With Allianz and Munich Re on Cyber Insurance

Working with a cloud provider such as Google allows insurers greater insight into how companies are configuring their cloud services, with verifiable information, said Bob Parisi, head of cyber solutions for North America at Munich Re.

Traditionally, insurers rely on due-diligence forms filled out by clients, and only have relatively simple means of confirming that information, such as scanning servers for obvious security flaws. Mr. Parisi likened that approach to driving on a street to check whether residents had left their doors open.

“It’s all good information, but not the same as having actual, real-time inside data on the customer,” he said.

Newsletter Sign-up

WSJ Pro Cybersecurity

Cybersecurity news, analysis and insights from WSJ’s global team of reporters and editors.

Phil Venables, chief information security officer at Google Cloud, said that the tool used to analyze an organization’s risk profile has been developed using benchmarks created by organizations including the Center for Internet Security, a nonprofit focused on cybersecurity, and the National Institute of Standards and Technology, a standards-setting body within the U.S. Commerce Department.

These standards cover areas like controlling access to sensitive information, configuring cloud environments to close security gaps, and ensuring hardware and software used to connect to cloud environments are secure.

“Over time, more and more things about the customer’s environment will be provided through this, which can further enrich the insurance underwriting process,” Mr. Venables said.

High-profile cyberattacks in recent years have exploited poorly configured cloud services to steal data or launch other attacks. An attack on Capital One Financial Corp. in 2019 involved a hacker gaining access to cloud storage through a firewall, affecting more than 100 million customers and credit-card applicants, with the bank saying that a configuration vulnerability led to the data loss.

Lawmakers last week questioned the role of cloud services in a cyberattack on SolarWinds Corp. that was discovered last year and affected dozens of companies and government agencies.

Companies are increasing their use of cloud, with research firm Gartner Inc. estimating that world-wide spending on public cloud services will grow 18% in 2021.

Google Cloud’s security chief, Phil Venables, shown in 2018. Google helped insurers build a tool to price cyber insurance policies.

Google, Allianz and Munich Re spent around a year working out how to incorporate data from cloud customers into information that could feed into underwriting processes, said Thomas Kang, North American head of cyber at Allianz Global Corporate & Specialty. A key goal was to create a way to assess cybersecurity in a uniform manner.

“It’s one thing to get the data, but it’s a whole other thing to actually analyze it and get on the same page on how we’re going to review and assess the risk, and ultimately how that’s going to impact pricing and coverage,” he said.

The insurance industry has been criticized for an uneven approach to pricing cyber coverage. In March 2020, the Cyberspace Solarium Commission, a federal body set up to analyze U.S. cybersecurity preparedness, said in its final report that the industry had a poor understanding of cyber risk, and called for a federal review of cyber insurance offerings.

The cyber insurance market is experiencing a hardening phase, Mr. Parisi of Munich Re said, meaning that the cost of coverage is going up while the amount of coverage offered is being limited.

For example, insurance that offers $50 million in coverage today likely will involve multiple carriers and policies to reach that mark. The partnership with Google means that customers with appropriate security levels may be able to gain up to that level in a single policy, he said, without having to deal with multiple brokers and carriers.

The partnership initially will be targeted at large businesses in North America using Google Cloud, Mr. Parisi said, with eligible customers in the $750 million to $5 billion revenue range. The program may expand internationally and into smaller and midsize enterprises, Mr. Kang of Allianz said.

The insurers now better understand how cloud technology and security actually work by joining with Google, rather than trying to assess it from the outside, Mr. Parisi said. The firms’ skills in modeling cyber risk, and consequently in pricing policies, will improve as a result, he said.

“We are going to obviously use that to improve our overall underwriting and hopefully move the market towards a more data-driven underwriting process,” he said.

More From WSJ Pro Cybersecurity