Risk management in its simplest form can be quite formulaic. If you make X investment, you will get Y reduction in risk. If the value of X exceeds Y, then it probably doesn’t make sense from a risk management perspective to make that investment. However, that type of equation is extremely problematic when it comes to cybersecurity, according to Josh Ladeau, global head of tech E&O and cyber at Aspen Insurance.
“With cyber risk, it’s a very difficult proposition for a risk manager to say: ‘If I invest X, we’ll get Y value out of it.’ It’s just not clear,” Ladeau told Insurance Business. “The clichés out there that anybody can be hacked are true. Even if you’ve made every possible investment and are at the cutting edge of cybersecurity preparedness, you can still be penetrated and breached. Rather than attempting to eliminate cyber risk, we can change the conversation to one of enhancing your organization’s competitive advantage relative to your peers.
“As cyber concerns around third-party B2B relationships grow, it’s becoming more valuable than ever for your organization to demonstrate genuine investment in cybersecurity. When vying for a contract, everything might be equal in terms of product and service, but if you can demonstrate substantially higher levels of cybersecurity investment and thought, you’ll be much more likely to win that contract. If we think of cyber risk management as enhancing your competitive advantage, it changes the equation so that you’re making an investment into your business, rather than simply reducing risk.”
Cyber risk management services are included with most cyber insurance policies today. Typically, insurers outsource these services to vetted third-party vendors. Policyholders might receive a financial discount related to those services, and, in some very rare cases, they might actually get some policy benefit from making an investment with those vendors.
Aspen Insurance is doing things a bit differently. The insurer has just launched its very own cyber protection platform called SSIMPLE™, which includes in-house risk management services to address prevention and detection gaps. The SSIMPLE platform includes existing components of Aspen’s Apex insurance policy and incident response capabilities, with added and differentiating pre-incident services. Combined, these components are designed to help Aspen’s cyber insurance clients “achieve a state of holistic security.”
“With the SSIMPLE platform, we’re not saying: ‘Go and work with vendor X and we’ll give you a 15% discount.’ Rather, we’re saying: ‘We’ll bring vendor X and their product to you, and then we’ll work with you on the implementation and management of that solution.’ The idea is that we’re directly engaged in the implementation of cyber risk management,” explained Ladeau, who was one of the masterminds behind the SSIMPLE platform.
“Our focus is not going to be on providing the most cost-effective deployment of a given solution, but rather that we’re 100% optimizing the deployment of the solution. All third-party vendors, by their nature, have to worry about cost. If they’ve built 30 hours of service into a contract but they end up giving 41 hours of service, they’re losing money. We don’t have that concern. Our in-house talent is 100% focused on optimization and providing technical interaction with the clients. We’re really trying to differentiate where the market has been and we’re hoping to get more value out of the services we have.”
The SSIMPLE platform has its business benefits for Aspen. Ladeau’s hope is that by providing in-house risk management services, his team will “improve the stickiness of risks.” He said the cyber insurance market shouldn’t just be about a race to the bottom, with everyone trying to provide the highest limits with the greatest breadth of coverage and the cheapest premium. Ladeau added: “You’re much more likely to retain that business if you provide material risk management services with a focus on optimization.”