Monica Shokrai (pictured), head of business risk & insurance at Google Cloud, provides a frank and insightful look into the evolving state of cyber insurance. Speaking to IB, she said that at a high level the market is still maturing, noting that cyber insurance remains relatively "immature" compared to other lines of business.
This immaturity reveals itself through a divergence in coverage across different carriers. Unlike something as standardized as auto insurance, where coverage is relatively consistent, cyber insurance lacks a uniformity that complicates both purchasing and underwriting decisions.
"It makes it hard on the buyer," Shokrai added, underscoring how this lack of consistency puts pressure on brokers to ensure they are making accurate coverage and premium comparisons for their clients.
The lack of standardization in cyber insurance and the technical nuance of the coverage differences is one of the biggest hurdles buyers face today. Cyber risks are complex, diverse, and evolving rapidly - especially in a "digital-first" world where companies are increasingly aware of their exposure to threats. Recent high-profile incidents have spurred greater interest from corporate boards, but with this rising awareness comes the demand for more comprehensive and tailored coverage, which insurers struggle to provide on systemic and interconnected risks in particular.
“You’re seeing a lot of the recent cyber incidents [bring] awareness at the board level of the importance of cyber risk," Shokrai said.
Another area where the insurance sector faces challenges is in the relationship between cloud adoption and cyber risk. Cloud technology is now a key pillar in many organizations’ digital strategies, but its integration into cyber insurance remains complex as the industry shifts focus towards accumulation risk. Shokrai points out that cloud environments offer consistency in deployment in a way that will help insurers, over time, better calculate correlations and identify the main drivers of risk. They also provide plenty of advantages from a security perspective that better protect customers, pointing to a series of Cloud Security megatrends.
She highlights one megatrend when talking about how the cloud, by enabling "economies of scale", can reduce the cost of implementing security. "The cost of implementing security per unit of infrastructure is getting lower and lower over time," she explained. This efficiency can make the cloud a safer bet than on-premise environments, where security costs tend to rise. Nevertheless, the shift to the cloud can introduce its own set of risks, such as dependency on a third-party , that insurers must consider carefully when managing accumulation risk across their portfolio.
One of the more innovative approaches to tackling these complexities is Google Cloud’s Risk Protection Program. Shokrai explained how this initiative seeks to align an organization’s cybersecurity efforts with its insurance underwriting process.
"Over the past five years, insurers have been sending these long questionnaires to potential insureds," she noted, critiquing how many of these questions don’t necessarily correlate to the actual risk levels. Instead, the Risk Protection Program leverages Google Cloud’s security products, which allows companies to scan their environments and produce metrics that are then shared with partner insurers like Allianz and Munich Re. These metrics offer a more nuanced picture of a company’s risk utilizing “inside out” data, enabling more accurate pricing and coverage.
"The more secure they are, the better the premium that will result," Shokrai explained, likening it to usage-based insurance in the auto sector, where safer drivers pay lower premiums. It provides insureds with a strong incentive when their efforts are not only better protecting the company, but also showing a visible ROI via broader coverage and premiums.
This digital-first approach to risk management and insurance is crucial as cyber threats grow more complex. Shokrai touched on the confusion many organizations face when deciphering what their cyber insurance policies actually cover.
"I think especially with recent events, one broad umbrella they should look into is how third-party risks are covered," she said. Systemic risks, where a single cyber incident could impact numerous clients, are a particular area of concern. She points to the importance of examining how policies address contingent business interruption and other systemic risks, which can be capped or subject to sub-limits. Companies need to be aware of these potential gaps, especially given the increasing interconnectedness of today’s business landscape.
Artificial Intelligence (AI) is another emerging area where the insurance industry is grappling with coverage questions. Shokrai explained that although she believes AI risks should be included in existing cyber or tech Errors and Omissions (E&O) policies, “there’s some industry debate around whether it warrants its own standalone coverages and how AI would be covered, as the risk continues to evolve.”