The ever-changing nature of cyber risk, combined with the lack of historic cyber insurance claims data, makes it challenging for insurers to rapidly assess risk and determine appropriate premiums for their cyber insurance clients, especially for small- to medium-sized enterprises (SMEs).
This is a stumbling block that Avi Bar-Tov (pictured), cybersecurity expert and CEO of GamaSec, an Israel-based B2B2C insurtech, has set out to fix. Bar-Tov, who used to serve as an officer in the Israeli army, has been in the cybersecurity industry for over two decades. The first company he launched in Europe offered cybersecurity consultancy to Fortune 100 companies, but Bar-Tov’s interests soon shifted to the SME market, which he saw was in dire need of cybersecurity support.
That’s when GamaSec was born. Bar-Tov and the GamaSec team set out to create a cloud-based software-as-a-service (SaaS) technology, specifically geared toward SMEs, designed to prevent cyberattacks by using virtual hacker technology to identify and eradicate dangerous malware threats and website application vulnerabilities in real time. They quickly saw that online penetration testing was not enough to provide full pre-breach protection for SMEs, so they created a portfolio of services including web vulnerability scanning, daily malware detection, blacklist monitoring and application Firewall (WAF) with DDoS detection.
In 2017, Bar-Tov modified the strategy of GamaSec in two ways. “We saw the cyber insurance market for SMEs was growing around the world,” he said. “Insurance companies were moving from enterprise to the SME market, and we saw they had a few challenges. Firstly, they did not have enough SME cyber claims data compared to the other risks they were providing coverage for. Secondly, cyber risks change all the time, making it very difficult for insurers to predict and price the risk accurately.
“The tools that insurers were using for enterprise risks were not applicable at the SME level; they were too expensive and too complicated. We saw that what insurers were looking for was not something to predict cyber risk, but something to prevent the risk – a pre-breach solution with the capacity to prevent and minimise the loss ratio, while at the same time being simple to deploy and interpret for the end-customer.”
In 2019, GamaSec created a new technology called GamaEye, which the firm hopes to launch in the second quarter of 2021. GamaEye is a web attack detection technology that uses changeable deception elements to identify and reveal malicious activity targeted at a business website. In other words, it traps hackers (human or robot) by luring them into cyber honeypots that automatically modify themselves after every attack in order to avoid future detection.
“We are, by definition, good hackers,” Bar-Tov told Insurance Business. “We know exactly what honeypots the hackers will fall into. We know what the robots are looking for, where they’re scanning customer websites, and what triggers they required to carry out their manipulation and infiltration. By having this in our DNA, we have the ability to [identity and prevent attacks in real time].”
GamaSec’s suite of solutions have garnered interest from insurance companies worldwide. Its current insurance partners in North America, Europe, the UK and Asia– CNA Hardy, Zurich Insurance, Lombard Insurance, and MyCyberCare – are bundling GamaSec’s technology with their cyber insurance policies to shore up their pre-breach cyber risk mitigation services and to increase cyber risk transparency throughout the lifetime of their policies.
“One thing we learned from working with cyber insurance companies is that we have a lot of intelligent data that can help them,” said Bar-Tov. “We provide our insurer partners with a Risk Score, which identifies how many clients in their portfolios have a high vulnerability, medium vulnerability or low vulnerability to cyber risk, and how clients are reacting to their vulnerability score. This helps insurers better understand the behaviour of their clients and determine which companies are taking the right actions and which companies need to do more.
“We also added education and awareness training to our suite of security services for the customer. In 2020, a lot of cyber breaches came from phishing attacks and ransomware. On the SME level, there aren’t many phishing and ransomware tools that are applicable – they’re often too expensive and too complicated. We determined that the best way to proactively mitigate that risk is to educate employees about cyber risk. So, we entered a partnership with a US-based firm through which we are providing cyber training sessions with videos, quizzes and questionnaires designed to improve employee knowledge around cybersecurity.”
Like the changing nature of cyber risk, Bar-Tov and GamaSec are never standing still. One thing drives them, the CEO stressed, which is their “focus is on proactive loss prevention and minimising the exposures that companies face.”