The quality of the recipients of this past week’s 2016 Advisen Cyber Risk awards highlights that, while the cyber risk market is not fully mature, it is moving toward adolescence.
On June 15, Advisen announced the winners of the 2016 Cyber Risk Awards. Lockton’s Ben Beeson received the Cyber Champion of the Year award for outstanding contributions to the industry. Other awards were conferred on individuals, teams, and vendors for innovation, service, and market success. In reviewing the rewards, I realized that they are one sign of a maturing market.
In 2014, the cyber risk market was highly fragmented. It had ballooned into a multitude of cybersecurity technology solutions and services created in response to the rapidly growing frequency and impact of threats worldwide. We formed Cybernance in early 2015 based on our recognition of a market need for a governance solution to oversee cybersecurity efforts. We hypothesized that the cybergovernance market would track the formation of the Governance, Risk & Compliance (GRC) space in the early 2000s.
Several trends we are seeing suggest that, while the cyber risk space is not yet mature, it is moving toward adolescence:
- Cyber risk could have been subsumed by GRC as another source of risk. Instead, it became recognized as a separate discipline because of its distinct characteristics and specialized knowledge.
- New classes of higher order solutions and services are emerging to manage the multitude of cyber technologies that crowd the marketplace. A major focus of these is to provide more vision into the cybersecurity maturity of the organization. Many of them take external measures of cyber maturity (e.g, BitSight, SecurityScorecard). Other systems measure and monitor defensive measures internally (e.g., Cybernance).
- Recent acquisitions point toward the beginning of a market consolidation likely to last for several years. Symantec’s acquisition of Blue Coat and FICO’s acquisition of QuadMetrics are two examples. Our broadly fragmented market contains many companies that will become targets as their businesses mature.
The next five years promise to be a period of continued innovation and consolidation, with incorporation of cyber risk services into other areas. In a recent TechCrunch post, the YL Ventures authors supported this thesis:
We may also see insurance companies open cybersecurity departments and offer pre-breach and post-breach services, such as security architectural analysis, monitoring, incident response, forensics and more. If this happens, we will likely see insurance companies start hiring cybersecurity specialists and even “acqui-hiring” cybersecurity startups.