28 August 2024

Offer cyber insurance to everyone, says TransUnion’s Matt Cullina

Large corporate organisations carry a lot of risk and there’s a much bigger market waiting to be insured.

Prior to our prestigious invitation-only Underwriting Network event in London in June, we sat down with one of our speakers, Matt Cullina (pictured), to find out about a different way of viewing cyber insurance.

Cullina heads the global cyber insurance business at TransUnion and joined the company in 2021 as part of its acquisition of Sontiq and the Cyberscout brand.

Responsible for driving global growth of TransUnion’s cyber solutions, he has more than 25 years of experience in cyber services, insurance and claims management.

Previously managing director of global markets and chief executive officer at Cyberscout, Cullina’s career spans roles at Travelers, Allianz, and MetLife.

He chaired the Identity Theft Resource Center board for six years and is still excited about his role at TransUnion, as he told Intelligent Insurer. “TransUnion is all about people and their identity: we give insightful information about people, to help companies know their customers better.

“Our cyber division continues to grow more than ever,” Cullina observed. “It’s crucial to have accurate data in order to help the insurance industry engage with its market on a more nuanced level.”

Cullina spoke at the Underwriting Network event about how to address intangible and emerging risks for customers, and shared insights into what policyholders are asking for, so we started by asking him about his own company’s objectives for offering cyber solutions to the insurance market.

“It’s cyber insurance for the masses,” Cullina succinctly replied.

Is it risky to target “the masses” instead of opting to go down the safer route of insuring large corporate organisations? He didn’t think so.

“Small businesses don’t need a standalone cyber policy, which means we don’t need to build a new one that’s bespoke to individual needs every single time we get a new client.

“We’ve definitely missed a trick,” Cullina added. “People in the insurance industry have focused all their efforts on the larger risk entities and consequently spend a lot of their time worrying about having a broad enough transfer mechanism to take on all that subsequent risk.

“We don’t have to worry about any of that,” Cullina observed.

“Larger companies undoubtedly have intricate yet global tech networks, long supply chains and substantially more vulnerabilities for cyber attacks than the local businesses down your high street,” he explained. 

“The majority of risk that raises concern comes from large corporate organisations, yet these are the companies the industry is racing to cover. It doesn’t make much sense.

“Everyone should be protected against cyber threats, not just the big businesses, and it’s in the wider interest of the public to get as many businesses as possible insured against the threat of malicious cyber attacks that, let’s face it, can bankrupt a company overnight,” he continued.


A joint effort

TransUnion is indeed focusing on helping to protect smaller businesses “that don’t need to transfer a lot of risk”, Cullina said.

A May 2024 UK government report stated there were 5.5 million small or medium-sized businesses (SMEs) in the UK in 2023, representing more than 99 percent of the business population, whereas the 8,000 large businesses with 250 or more employees represented just 0.1 percent of the business population.

If TransUnion’s vision succeeds, there’ll be a huge market to tap into, but Cullina is clear that it must be a joint effort, or it won’t work.

“A lot of insurance companies try to find the best corporations to insure and want to sell to the businesses with the least number of claims, which is a high gamble for risk, whereas insuring smaller companies is lower risk.

“Yes, that also means lower premiums,” said Cullina, “so we need a bulk approach in order for it to be financially viable.”

A chance to impress the public

As well as collaborating to insure a wider scope of customers, the insurance industry can collectively play an important role in educating the public on cybersecurity, Cullina explained.

“A change is due in terms of how people buy and how they view insurance, because people don’t know how much the insurance industry is doing to try and solve cyber risk problems.

“Cyber protection is relevant, and as an industry, we need to be relevant and explain how risks are constantly changing, and how in turn, cyber protection needs continual upgrading,” he added.

As the cyber threat landscape evolves, so must the cover.

“In terms of the insurance policy, it’s no longer a case of ‘set it and forget it’ because devices are getting so secure nowadays, they are no longer being targeted: it’s the people using them who are being targeted instead.”

As the use of digital devices increases, so too does the risk of being hacked, and Cullina wants the insurance industry to step up and inform the public.

“There is definitely a goodwill element of general education that the industry can—and should—jump at, because the public need to be educated,” Cullina said.

“We have a responsibility to work together and do our utmost to protect everybody from cyber risk. We started with the large corporations, now let’s trickle down and serve the wider public.

“It’s low risk if many of us are involved,” he concluded.
