Amazon Debuts Cyber Insurance Program for Speedy Policy Estimates

Amazon.com’s AWS cloud unit debuted Wednesday a program designed to cut the time to acquire cyber insurance from weeks to days, via partnerships with brokers and insurers.

Source: WSJ | Published on November 29, 2023

Amazon Cyber Insurance Program

Amazon.com’s AWS cloud unit debuted Wednesday a program designed to cut the time to acquire cyber insurance from weeks to days, via partnerships with brokers and insurers.

Through AWS’s Cyber Insurance Competency program, customers can allow brokers access to data from their Security Hub console. This gives potential insurers a list of controls enabled on a particular account, information on vulnerabilities and other details that allow carriers to quickly evaluate applications against AWS’s standards for security best practices and their own underwriting standards, and provide policy quotes.

“In an on-prem world it’s really difficult to say your router’s properly configured or not, and all the other things you need to know, whereas in the cloud, tools like Security Hub give you an accurate and real-time understanding of cloud security posture,” said Mark Ryland, director at Amazon Security.

The program is particularly beneficial for small and medium-size businesses, said Gregory Eskins, head of the Global Cyber Insurance Center at Marsh & McLennan’s broker unit, Marsh.

Attestations for insurance applications have become lengthy and complex as losses for cyber insurers have mounted from widespread cyberattacks. Smaller companies tend to lack the technical expertise to quickly answer questions from insurers about their defenses, Eskins said. Insurance applications can take weeks or months to complete.

Sharing AWS security information will cut down the number of questions insurers need to ask, he said, adding that this kind of automated disclosure can result in discounts of up to 15% on policies.

“We wanted to remove a lot of the complexity of these long applications,” he said.

Under this program, said Ryan Orsi, worldwide head of cloud foundation partners at AWS, brokers and carriers have committed to a two-day turnaround for policy quotes. Companies involved with the program at launch include Marsh, and insurers At-Bay, Resilience Cyber Insurance Solutions, Cowbell Cyber and Measured Insurance.

Taking a more technology-focused approach to assessing cyber insurance isn’t new, and companies that specialize in this approach, known broadly as insurtechs, have been around for a number of years.

Cloud providers say the scale of their customer base, and their experience in providing security, makes their programs different, and include information that insurance companies generally don’t have access to. In March 2021, Alphabet’s Google Cloud unit debuted a similar program with insurer Allianz and reinsurer Munich Re that provided the companies with access to a customer’s cloud security controls upon request, to issue customized quotes.

The ability for customers to share their security settings could have applications beyond insurance, said Amazon’s Ryland. Continuous monitoring of security controls and vulnerabilities, for instance, could help alert companies to security threats that require quick adjustments. In this regard, the insurance program also ties into another initiative announced by Amazon Wednesday, focused on cloud software resiliency.

That program focuses on connecting clients with Amazon-certified companies that can build secure cloud infrastructure designed for high availability, said AWS’s Orsi. Consulting firms Deloitte and Accenture are among the launch companies in the program. 

“Our mutual customers are also delivered not just the quotes but suggestions on maybe where to get healthier in their cloud environment,” Orsi said. This can include areas such as problems with access and identity management, or poorly implemented encryption, he said.

However, said Ryland, the appetite for insurance contracts that adjust relatively rapidly based on a company’s security posture likely isn’t high right now.

“The industry’s not quite ready for real-time, continuously changing policy prices, but I can imagine a future in which there was a more dynamic pricing risk model as we develop the technology and as people develop their business models,” he said.