AXA XL & Slice Labs launch on-demand SMB cyber insurance

Slice Labs, provider of on-demand insurance cloud services, and AXA XL have announced the launch of an AXA Xl Cyber Insurance product specifically designed for small and midsize businesses (SMBs), the first on-demand cyber insurance solution for SMBs.

The new product analyzes an SMBs digital presence and provides instant alerts on cyber risk scores, secure network traffic, website attractiveness and more. In the event of a cyberattack, the AXA XL product also provides coverage for ransom, loss of income and claims related to cyber breaches.

To comment on the new product launch, Lauren Tennant-Pollock, Accelerate Partner at AXA XL, answered a few questions for PC360 about the AXA XL/Slice deal.

How exactly would you qualify the cyber threat to small and mid-size businesses?

The motivation of most cyber attacks is to steal and exploit sensitive data. According to Ponemon Institute, the most prevalent of attacks for small businesses are phishing/social engineering and web-based attacks. Phishing emails look like legitimate correspondences and often entice an employee of a small business to share confidential information.

Ransomware, often resulting from phishing, is a very common type of cyber threat for small businesses. Ransomware occurs when a small business gets malware on their computer either through clicking on a suspicious link or downloading a file with malicious code.

As a result, the small business gets locked out of their systems and data gets hijacked until payment (most often demanded in the form of cryptocurrency) is received. Wannacry made headlines in 2017 when hundreds of thousands of computers were infiltrated many of which were those of small businesses.

Lastly, social engineering or fraudulent transfer schemes exploit publicly available information and weaknesses in email to trick small businesses into transferring money. We have seen a rise in these types of attacks in the last year.

While SMBs do not have data at scale, they still retain sensitive customer details and provide an easy access point into larger, enterprise-level companies by which they participate as suppliers or third-party vendors too.

The interconnection of business partners’ networks and systems allows small businesses to serve as a gateway to larger companies and thus increases their vulnerability to being targeted by cyber thieves. It was believed that Target’s breach back in 2013 which led to the theft of 70 million individuals’ personal information was perpetrated by hacking a small business which provided heating & cooling services to Target.

How urgent is the need to educate small and MSBs about cyber threats? How many business-owners remain naive about this threat, despite frequent, well-publicized breaches?

There is a pressing need to educate small businesses about their cybersecurity risk posture. This is in part due to the rising number of cyber attacks on small businesses today and the increase in their associated costs. But also small businesses face a disproportionate amount of risk when it comes to cybersecurity. In fact, studies show that 60% of small businesses fail 6 months after a cyber attack due to the increase vulnerabilities these small businesses face.

According to the Ponemon Institute’s “2017 State of Cybersecurity in Small & Medium-Sized Businesses report,” the percentage of small businesses that have experienced a cyber attack in the past 12 months has risen from 55% in 2016 to 61% in 2017. Not only are the number of cyber attacks increasing but these attacks are becoming more sophisticated, targeted, and severe.

Ponemon Institute’s report also notes that the average cost associated with damage or theft of assets during a cyber breach has increased over 15% to just over $1 million from 2016 to 2017 and the average business interruption cost due to disruption in normal business operations increased 25% to $1.2 million over the same time horizon.

Such costs are devastating for small businesses and often disproportionately so. Large businesses not only have more defenses in place to prevent a cybersecurity attack but are also more prepared with business continuity plans and other resources to get them back up and running quickly when an attack occurs.

The latest large-scale attacks (e.g. WannaCry) have led to more small companies asking for Cyber insurance but even then, the market still remains in its infancy. A report by Aon noted that the penetration for standalone cyber protection for small business is less than 5% constituting $282 million in GWP in 2015. Growth expectations for this market segment are upwards of 30% but in order to get there, we must increase awareness and education for the underlying risk.

What exactly sets your cyber insurance product apart from what competitors might offer?

There are four features that uniquely set apart AXA XL’s SMB cyber insurance offering from our peers. First, our SMB Cyber offering is cloud-based and on-demand, available digitally either through the web or mobile phone. There is no lengthy application form. All we ask are a few simple questions and a qualifying customer can purchase the policy instantly online. The product is pay-as-you-go and cancellable at any time. In this way, we seek to mirror how small businesses today are both consuming and delivering goods and services through technology partners and connected platforms.

Second, we offer a real-time, individualized HealthCheck upon binding a policy that gives the insured a deeper look at their cybersecurity posture relative to their peers. This HealthCheck provides guidance to our insureds as to how they can improve their overall risk position and strengthen their cyber defenses. Linking closely to our payor to provider strategy, we seek to become a trusted partner that assesses, manages, and prevents our customers’ business risk.

The aim here is that we not only want to make it easier for SMBs to buy protection and coverage for when they need it, but we also want to help them monitor the dynamic nature of their Cyber risk posture — tying the protection closely to their changing needs — and helping our customers over time improve their overall risk position through an ecosystem of software solutions and services.

Third, we have designed the product and platform with the customer at the center. Our policy form is short, simple, transparent, and has only one easy-to-understand insuring agreement covering the most important cyber risks — including loss of business income, extra expense, data recovery expense, cyber-extortion expense, data breach and crisis management costs, social engineering / financial fraud loss, and prevention & recovery.

A customer can receive a bindable quote within minutes, interact with their real-time cyber risk dashboard, and submit a first notice of loss through our claims bot all through our digital platform — allowing them to manage their small business needs in one place.

Lastly, we aim to meet customers where they are already interacting today and this means creating distribution modality. While we have launched the first iteration of our product with a direct to customer look and feel (utilizing Slice as our E&S broker) we believe that partnerships are going to be critical to become a trusted cybersecurity expert for our customers. We are currently working on an array of distribution ideas which include everything from agency networks to managed software security providers to even co-working spaces and banks specializing in small business offerings.

Besides an absence of the right insurance, what other factors make businesses exceptionally vulnerable to this type of threat?

In addition to the absence of insurance, lack of concern and education around cyber risk makes small businesses increasingly more vulnerable to such threats. In fact, a recent poll from Insureon shows that 84% of small business owners (out of a 2,400 sample size) believe they are not at risk of a cyber breach and therefore view cybersecurity as an extra expense that is not pressing for their business operations.

This complacency results in many small businesses neither having the adequate security measures in place to prevent an attack nor the active response plans to answer quickly to an attack (if it occurs) and mitigate the damages. In the absence of the right safety procedures, guardrails, and a cybersecurity plan — small businesses are vulnerable and consequently, they are more often targeted by cyber thieves as they are easier to fall victim to their efforts. Furthermore, small businesses are targeted as a conduit for hackers to get access to the larger companies by which the small business serves (as a supplier or third-party vendor).

What insights or tips can you provide for other carriers looking to forge InsurTech partnerships?

Recognizing the importance of collaboration is the first step to creating meaningful partnerships. When I look at all the transformation that is happening in our industry, we must have the humility to know that we can’t go at it alone. As an incumbent carrier, we need to recognize our strengths (e.g. capital and risk management) as well as our weaknesses and identify where partnerships are needed across the entire value chain.

As a response to a Insurtech startup’s pitch, sometimes I hear that we can build the same proposition or even that we can build it better. This is the exact type of thinking that we must challenge. Speed to market is critical for learning fast and creating customer-centric propositions and external perspectives, new skill sets, and diversity of thought and experience gained through partnerships adds a tremendous amount of value to our work. The leverage that we can get from partnering with startups is incredibly powerful.

Collaboration with Insurtechs works very well when there is a business unit problem that a startup’s product or service really fits to solve. Trying to fit a square peg into a round hole never works well and while it’s a bit of dance — we have been most successful with our experiments when we have started with a business unit problem. It is also important to prioritize where we engage within the business. Without business unit buy-in, enthusiasm, willingness to think differently and move beyond legacy, and trust in trying something new — we are wasting startups’ time and resources.

Also important is communication (learn fast, learn quickly) — don’t be afraid to pivot when something isn’t working, mutual trust (in that the startup can deliver on what is promised but equally the business is committed and engaged). Lastly, alignment of stakeholders internally. Every experiment needs an advocate to help them get the top-down and bottom-up support, guide them through the internal processes and procedures, and advocate for challenging the traditional mindset each step of the way.

Related: 5 factors driving small business cyber insurance market growth