Buying traditional insurance is a no-brainer if you want to protect assets of value—be it your life, your home, or your business. If you own, say, a building, chances are you’ll want to minimize your risk against fires, floods, and other tangible natural disasters. Buying cyber insurance, however, is a much more abstract concept for businesses to grasp—especially small to midsize enterprises (SMEs). Yet even though data breaches, ransomware attacks, and malware infections aren’t top of mind for mom-and-pop shops, the risk of these incidents continues to grow thanks to rising cloud adoption. According to Accenture’s recent Cost of Cybercrime study, nearly half of all cyber attacks are aimed at small businesses, but only 14% of them are prepared to defend themselves. Worse still, only 1% of small and 8% of mid-sized businesses currently have cyber insurance as an additional protection layer.
So what accounts for this gap in cyber coverage for SMEs? For one, many SMEs simply are not aware that cyber insurance even exists. Second, even if SMEs are aware, their broker often does not have a product to offer them, or the policies that do exist often aren’t designed for SMEs and the types of risks they face. Why? In large part it’s becoming increasingly difficult for SMEs to secure new policies (some are even seeing existing policies canceled), because cyber losses have skyrocketed over the past several years and many incumbent insurance companies and managing general agents (MGAs) have increased prices or pulled out of the market.
These issues persist because the industry cannot dynamically serve its customers’ needs. Traditionally, across insurance categories, incumbents have relied on running existing and widely available data (e.g., the make and model of a car, or the year a building was built) through well-developed models to price products. This traditional modeling does not work for underwriting cyber risk. Incumbent models can’t understand or nimbly respond to today’s rapidly evolving cyber risks. Without the speed and ability to scale that software brings, companies are finding it difficult to underwrite policies for cyber—and losing a fortune in the process.
In line with the financial services businesses we invest behind, the presence of software here can create 10x advantages over existing solutions. Software can assess vulnerabilities, provide insights and recommendations, and continue to monitor the policyholder’s security posture. Without software, it is difficult to adequately understand a prospective customer’s risk profile from either an external or internal vantage point, mitigate the risk of a cyber event, or possibly even limit exposure through streamlined post-incident responses.
Importantly, for this gap to be covered, cyber policies also need to be developed and sold on a localized basis. For example, the costs of a cyber event in the US differ from one in the EU because of local differences in regulatory penalties, data costs, and costs to respond to incidents. Broker distribution is also unique by country. Therefore, responding to a cyber event requires local pricing data and a locally regulated insurance entity—all data that is better evaluated by dynamic software and not staid models.
All of these dynamics are why we are so excited to announce our investment in Stoik, the first-to-market startup and a leader in European cyber insurance. Stoik is an MGA that offers proprietary cyber insurance products. The company has also developed software products to better understand and limit cyber risks on both an external and internal basis. They are positioned to price and distribute risk specifically with the regional reinsurance and distribution partners in Europe.
We first met Jules Veyrat, a cofounder and the CEO, in 2021. Over the past year, we’ve seen him and his cofounders Alexandre Andreini, Nicolas Sayer, and Philippe Mangematin execute at an almost impossibly quick rate. They have deep ties across the French and European insurance markets and have enlisted a strong technical team across product, engineering, and sales that is deeply steeped in the problem space. Moreover, Jules and his team are honest, dedicated, and personable—traits you want to see in a team dedicated to protecting you from risk.
Cyber insurance in Europe is just getting started. There are countless software products still to be built to protect the continent from cyber attacks, and new markets to be launched. Stoik has an exhilarating road ahead, and we’re thrilled to be their partner on the journey.
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.