With 6% market share, AIG is the largest commercial insurance provider in the United States. The giant insurer, who was one of the most infamous participants in the 2008 financial crisis, has a market cap of $50B and offers policies that cover 90 million clients across 100 countries. AIG’s reputation and performance in underwriting has been volatile through the years, but they have built a massive business by aggregating data, amassing capital, and quantifying risk.
The challenge for AIG in 2018 is understanding how to quantify and evaluate risk in an increasingly digital world. The digital age has delivered a plethora of data and resources to better understand risk and to make more precise decisions. However, it has also introduced entirely new areas of risk. Data, computers, and the machines they power are swiftly becoming the most important and the most vulnerable assets in the economy.
Until recently, most of the focus has been on protecting those digital assets through cyber security. Data breaches are incredibly damaging to any organization, not just because data or other vital information was stolen, but also because the 2nd and 3rd order consequences of a breach (notifications, theft, PR, forensic services) are incredibly costly. As major breaches (Equifax, Sony, Anthem) increase in frequency, we are learning that security measures are not enough. Due to the dynamic nature of cyber threats and the inability to protect against internal human error, 100% effective cyber security is not plausible.
Therefore, organizations are finally starting to see data security as not just an IT problem but also a risk management problem. Consequently, cyber insurance has emerged as a market need and a crucial opportunity for AIG.
Standalone cyber insurance (outside of a general policy) is a recent phenomenon, and the underwriting of cyber insurance is limited by immature inputs and limited expertise. Potential buyers of cyber insurance are likewise confused by inconsistent product offerings and lack of standardization in cyber policies. The problem for underwriters like AIG is they have no precedent and very little historical data for evaluating a firm’s cyber risk. Cyber insurance is not like providing flood insurance, where one can look at decades of historical data and then analyze a one-dimensional risk. An organization’s IT environment is constantly evolving, with various endpoints and countless vulnerabilities. Furthermore, the threats or the bad actors are often unknown, originating from any number of sources (internal, external, foreign, etc.) Simply put, an organization like AIG would have no institutional muscle for underwriting cyber risk, building an “actuarial” table, or gathering the requisite threat intelligence data to inform their evaluation. In addition, risk management firms and cyber security firms that may have the requisite cyber expertise do not have the underwriting capability, the financing, or the breadth of data needed to offer effective policies.
To successfully serve this nascent market, firms need to leverage capabilities from disparate entities and coordinate them into a coherent offering.
What is AIG doing now?
AIG knows that cyber insurance is going to be critical to their business and they are investing as such. The insurer has launched multiple standalone cyber insurance policies, including the first P&C (property and casualty) cyber policy. AIG’s main cyber product is called CyberEdge, which is a liability insurance that covers financial costs associated with the breach, as well as the first-party costs of breach remediation and network restoration. CyberEdge also includes the option to insure physical world losses and business interruption (increasingly more important as IoT explodes).
AIG is trying to approach digital asset risk in a holistic way, building a solution that starts with risk consultation and preventative measures and flows to insurance coverage and breach resolution services. Although at this time, it is unclear how much of their offering is marketing and how much they can effectively deliver on.
AIG is buttressing these offerings through multiple partnerships with firms that have cyber security and risk management expertise. For example, AIG recently launched CyberMatics, a cyber underwriting application model to provide more clarity around how they are evaluating cyber risk. The insights and data that power Cybermatics are coming from CrowdStrike and Darktrace, two of the market leaders in Endpoint security and threat intelligence, respectively. AIG is also partnering with firms like Bitsight (which offers cyber risk scores), RSA (vulnerability assessments), IBM (security services), RiskAnalytics (risk management), and K2 Intelligence (dark web intelligence).
What must AIG do going forward?
Partnerships & Capabilities –
To effectively capitalize on this market opportunity and deliver operative policies for their customers, AIG needs to continue its aggressive coordination of partnerships where they have expertise gaps. In parallel, AIG also needs to start building in house capabilities for assessing risk in their customers digital assets. AIG should be strategic about which capabilities it builds, focusing on the most foundational capabilities first. For example, a data management system that can organize all of AIG’s clients proprietary data in the context of cyber vulnerabilities. This will give AIG more efficiency in assessing risk and also the ability to create a larger network of threat data that can be shared across customers (network effect).
Capability development will require strategic focus and targeted hiring, and it can also be done through investments and acquisitions. It will be very difficult for a venture-backed startup to raise enough capital to underwrite policies, so as clever technological solutions emerge, AIG is well positioned to invest and/or partner.
Organization & Leadership –
9 years after the financial crisis in 2008, the U.S. Financial Stability Oversight Council removed AIG from the list of Systemically risky institutions (too big to fail). The collateralized debt obligations (CDOs) that AIG’s financial products division were insuring through credit default swaps cost the company $25 billion dollars, but the U.S. government saved the insurer because it was systemically important to our economy. Since then, AIG has changed several things about the way they operate. Improving the firm’s digital posture and capacity to utilize data continues to be a challenge, but it is essential for their survival.
Setting aside the need for cyber insurance policies, AIG has struggled to future fit their business (both operationally and customer facing) to the norms of the digital age. Until now, their sheer size and underwriting capacity (and their status as “too big to fail”) has given them a moat around disruption. However, as 2008 showed us, this is not just a business that needs to more efficiently leverage its data and resources to offer new products. AIG is a business that needs to disrupt its processes, re-purpose its people, and shift its strategic focus to deliver big-data-driven insurance. This starts at the top, with a more precise focus on using their data to carefully analyze risk.
In the past, AIG focused on growing assets as a means of continuing to deliver value to shareholders. For the first time in a while, AIG has less than $500B of assets on their balance sheet, and they seem to be focusing on efficiency and quality. As they continue their efforts to modernize the company, AIG will encounter significant internal and external pressure. Legacy stakeholders and employees will push back on the changes, and some will be left behind. Shareholders may bemoan investments. But AIG leadership needs to be steadfast in their sponsorship of cyber insurance and digital innovation.
Within cyber insurance specifically, it will be a challenge to upright an entire new division of policy underwriting. Through partnerships, recruiting, and asset acquisition, AIG needs to give the necessary resources and management sponsorship to make cyber insurance a pillar of their commercial insurance business. Most of the legacy decision makers in commercial insurance will not understand why AIG is doing this, and many will object. Inserting cyber expertise into an old insurance organization will be like mixing oil with water at first, but they must follow through. Leadership can look at the business from 10,000 feet, and thus should steadfastly maintain the importance of building out this part of the business. If the mandate is left to middle-management, it will lose prioritization quickly.
Most in the cyber security community believe that market forecasts and analyses grossly underestimate the magnitude of cyber risk and thus the requisite investment that will be required to secure our data. We are approaching an age where all data is stored in the cloud and all machines are managed from handheld devices. As these things happen, the potential for disruption and damage done through cyber-attacks is limitless. AIG is well positioned to help companies manage these risks.
- AoN Hewitt Global Report
- Allied Market Research
- Goldman Sachs – Cyber Security in a Digital and Connected World https://www.gsam.com/content/dam/gsam/pdfs/us/en/advisor-resources/business-practices/BP-Cybersecurity-Presentation-ind.pdf?sa=n&rd=n