Cyber Insurers Enter the Ratings Game

The recent surge in ransomware attacks on U.S. cities and companies has data security and privacy professionals, as well as third-party information security leaders, scrambling for better defenses and responses. This need is focusing more attention on cybersecurity insurance policies, which are designed to offset the recovery costs organizations incur after falling prey to a significant cyberattack.


In 2018, an estimated 38 percent of Marsh & McLennan’s corporate clients had standalone cyber insurance policies in force, according to The Wall Street Journal. This marks a significant increase compared to the 19 percent of Marsh clients that had cyber insurance policies in 2014. Companies in the education (65 percent), healthcare (62 percent), hospitality and gaming (57 percent), and communications/media technology (51 percent) industries are most likely to have cyber insurance.


Given that this type of policy is new, buyers may have difficulty distinguishing among different products, determining what needs to be covered, understanding what insurers may exclude, parsing other policy components and making well-informed purchases. (This Wall Street Journal article offers a cyber insurance primer.)


A collaborative initiative launched last spring and spearheaded by Marsh aims to bring more clarity to the cybersecurity insurance marketplace. The collaboration involves many other large insurers that offer cyber insurance, including Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America. The purpose of the effort is to identify products and services the insurers deem effective in reducing cyber risk. The offerings that pass muster earn a “Cyber Catalyst by Marsh℠” designation. Cyber insurance policyholders may qualify for lower premiums and/or other more favorable policy terms by using these products and services.


Last fall, the consortium published an initial list of 17 Cyber Catalyst products and services after evaluating more than 150 cybersecurity offerings. The assessment was based on six criteria, according to Marsh:


  • Reduction of cyber risk: demonstrated ability to address major enterprise cyber risk such as data breach, theft or corruption; business interruption; or cyber extortion.
  • Key performance metrics: demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events.
  • Viability: client-use cases and successful implementation.
  • Efficiency: demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk.
  • Flexibility: broad applicability to a range of companies/industries.
  • Differentiation: distinguishing features and characteristics.


The evaluation process consisted of two phases: an initial “deep dive into eligible solutions the participating insurers felt merited review” followed by product and service demonstrations. The web page identifying the 17 Cyber Catalyst products indicates that the insurers in the consortium voted independently on each solution. Neither Marsh, which tallied the votes, nor Microsoft, which served as a technical advisor, participated in the evaluations or voting.


In a statement, Marsh U.S. Cyber Practice Leader Tom Regan positions this rating system as “a ground-breaking approach to help organizations make well-informed decisions in the complex $125 billion cybersecurity marketplace.”


Some cybersecurity vendors and experts have described the Cyber Catalyst program as a positive development, while others have raised questions, as this SC Media article demonstrates. One executive with a Europe-based enterprise information security vendor notes that cybersecurity professionals may be confused by the growing number of rating frameworks for cybersecurity offerings (analyst firms Gartner and Forrester have their own software rating systems) and by the difficulty of organizing a broad and constantly changing array of security products into standard categories.


The rating systems and, more broadly, cyber insurance raise other important questions. In August, a FireEye manager who specializes in financial crimes analysis told The New York Times that she wouldn’t be shocked to, at some point soon, “see some evidence that there is specific targeting of organizations that have insurance.” (Two FireEye cybersecurity products earned the Cyber Catalyst rating in 2019.)


Raising tough questions about cybersecurity approaches while at the same time participating in efforts to improve those approaches is productive. More of that effort will be needed from all data security and privacy stakeholders to help ensure that better laws, policies, practices and products are continually developed in the face of a constantly evolving risk.

