Small business, smart protection: HDI Global's CyberQuick solution in the Nordics

The CyberQuick initiative, which emerged as a standalone project, represents a strategic move to address the unique needs of smaller enterprises while maintaining robust security standards. Despite its current regional focus, the solution has garnered attention beyond its original scope. "Our head office in Hannover is interested in potentially expanding this product to other European countries, and perhaps beyond," Holmgrün notes.
Defining the threshold
The development of CyberQuick stems from a clear market need. "We're coming from insuring international conglomerates where we perform a very thorough risk assessment to be able to get an understanding of what we can offer them," explains the underwriter. "What we did for CyberQuick was look at the cyber requirements for smaller companies in our markets. While developing this product, we saw a need to scale down the risk questions we had. This process helped us find the sweet spot – where we had just enough information to assess smaller clients' risks effectively."
"In cyber we use T-shirt sizes when we talk about company sizes," Holmgrün explains. "When it comes to CyberQuick, the size we cater to is small, maybe even an extra small since we only have 11 questions on which we base our risk assessment." However, this streamlined approach doesn't mean larger companies are excluded from HDI Global's cyber coverage. "It's very important to bear in mind that even a company that has a turnover of €100 million or €10 billion, for example, remains in our field of interest for cyber. Our setup is determined by the size and activities of the company. This is where the t-shirt sizes come into play."
The programme's scope is carefully defined. "When we speak about SMEs in the Nordics, we have set a threshold of €35 million," says Holmgrün. This threshold may vary across different markets, and the team continuously evaluates opportunities to expand the programme's reach.
Speed and simplicity at its core

True to its name, the solution delivers quick turnaround times. "Essentially, CyberQuick allows for a fast-track underwriting process," the underwriter says. "We try to have a turnaround of 48 hours from when we get the request to when we send an offer." Looking ahead, the team aims to further streamline this process through automation.
Transparency, partnership and flexibility as a unique value proposition
A distinguishing feature of CyberQuick is its straightforward approach to IT security pricing. "By offering this product and asking questions up front, we want to be transparent that IT security costs money," Holmgrün emphasises. "We have requirements, and we pass these on to our clients to make sure that they are not the weakest link in the chain or the slowest prey on the Savannah. They need to invest, and they need to invest continuously."
This commitment to transparency extends to the insurer's partnership with IT service provider itm8, a local company with subsidiaries in Denmark and Sweden. The partnership brings a high degree of transparency to cyber security investment with itm8's calculation tool that allows for concrete price estimates for necessary improvements. "We wanted to support clients as a one-stop shop in all eleven questions," he adds. "If I have a client who doesn't have multi-factor authentication, for example, I get an estimate of the cost for itm8 to implement this measure."
This comprehensive support also means allowing for some flexibility. "It might be that a client cannot confirm two or three of our risk questions but instead they have implemented an alternative measure to protect themselves, and that's fine. We can nonetheless insure that client and offer them a grace period to implement such measures," notes Holmgrün. This approach allows companies to secure coverage while working towards improved security standards.
Building a strong security foundation for small businesses
In terms of pertinent security measures, Holmgrün deems backups and the separation of them as essential. "It is crucial for companies to create a backup and protect it so it cannot be overwritten accidentally or by hackers," he says. The stakes are particularly high when it comes to data protection. "It is one thing to lose a copy of something to a hacker who then has access to it. But imagine simultaneously losing important information to a hacker and not having access to it yourself – then you're even worse off."
Holmgrün also stresses the human factor in cybersecurity: "In many cases, employees are the root cause of cyberattacks." This is why employee training forms another crucial component, with requirements varying by company size. "For larger organisations, we would perhaps require that the company has an annual cycle during which employees are obliged to take training once or twice a year," he explains. This includes specialised training for high-risk areas. For smaller companies under CyberQuick, the approach is more flexible with training taking place within a recurring annual cycle, ensuring that new employees are always on board at least one year after they start.
Looking to the future
As cyber threats continue to evolve, Holmgrün identifies several key challenges on the horizon. "One thing that's definitely on the rise is AI," he notes. "Many companies are already looking into AI if they aren't using it already. In the broader insurance industry, we already use it as well, but unfortunately, so are the bad guys." With new AI regulations in development, particularly in the EU, companies will need to adapt their protection measures accordingly.
Supply chain security has emerged as another critical focus area. "We are trying to teach our clients to have requirements for their suppliers," the cyber expert explains. "For instance, many smaller companies use some kind of IT provider. But hackers can potentially access one entry with information about hundreds if not thousands of company clients." This interconnectedness creates new vulnerabilities that need to be addressed, such as the security of third-party providers. "If a company uses a single hosting partner or uses a provider to manage personal information or generate backups, they need to make sure that their provider fulfils the same requirements they would have for their own IT department," says Holmgrün. "Companies must understand the full scope of these supply chain relationships and apply the same security requirements throughout."
The power of local knowledge with global reach
What drives Holmgrün is the ability to effect real change in companies' security practices. "By leveraging our expertise and what we see on the markets, in other companies, and in the claims that we have, we are able to improve companies' IT security," he explains. "It is highly motivating that what we do makes a difference. It's not just pure risk transfer, but also knowledge transfer."
This impact is amplified by HDI Global's unique position in the market. "In the everyday business, we are a local insurance company," Holmgrün notes. "But of course, we as HDI Global Denmark are just one branch of HDI Global as a whole." This structure creates what he describes as "the perfect balance" – the ability to be responsive to local needs while leveraging global capabilities. "Sometimes a company may have requirements exceeding what is normally offered in the Nordic markets. Then we have the financial power and possibilities to offer that client a special solution."
Beyond CyberQuick's scope
While CyberQuick is designed for smaller enterprises, HDI Global maintains a clear position on certain sectors that require more comprehensive coverage irrespective of size. "It's very important to make a distinction that these exclusions don't mean that HDI Global doesn't want to insure these kinds of companies, but we have scaled the coverage within CyberQuick to the needs of companies of this size," Holmgrün explains.
Among the sectors that demand more thorough evaluation than the eleven questions in the CyberQuick risk assessment are utility companies, financial services, and aviation, for example, due to their unique risk profiles and data protection requirements. However, these sectors aren't left without support. Through HDI Global's head office in Hannover, comprehensive solutions are available, including one-to-one support from cyber risk engineers who can help shape a company's IT roadmap. "That definitely adds a lot of value and provides beneficial support in a company's digital journey," he observes. "Plus, the HDI Global Network allows us to provide support for local policies and master programmes for many different types of products. Essentially, we can follow the client all over the world."
About Frank Holmgrün
Lead Underwriter for Cyber at HDI Global SE Denmark
Having shaped multiple insurance lines at HDI Global for 13 years, Frank Holmgrün now leads the company's cyber insurance initiatives in Denmark. With a background in law and economics complemented by various courses at the Danish Insurance Academy, he has extensive expertise across various insurance lines including General and Product Liability, D&O, Crime, and Kidnap & Ransom. His experience with cyber elements in crime insurance and K&R provided a natural progression to specialising in cyber coverage. "It's a fascinating field," he says, "and one we'll be seeing much more of in the years ahead."