Safeguarding small businesses against cyber threats
Milliman innovations help an insurtech launch affordable cyber insurance coverage

A local attorney’s client data was vulnerable to malware because the firm didn’t use endpoint detection and response.
A family-owned construction company would lose its cyber insurance coverage because it hadn’t installed multifactor authentication.
Elpha Secure’s founders had heard these stories many times, and they knew small businesses needed help.
“There were so many terms being thrown at these Main Street shops that they’d never even heard of,” says Josh MacDonald, Elpha’s chief underwriting officer. “Yet without these IT protections, small businesses weren’t qualifying for the robust cyber insurance coverage that all businesses need in our digital environment.”
More than $16 billion in financial losses were reported to the FBI in 2024. With cyber risks mounting, and cyber criminals’ tactics constantly evolving, the tools needed to defend against them have become increasingly sophisticated—and expensive. Large corporations, which might seem like more lucrative prey for bad actors, have the resources to thwart attackers.
So 43% of cyber crime is aimed at smaller companies, Elpha notes. For businesses with revenues of less than $50 million each year, paying millions to a ransomware attacker—not to mention the lost productivity and potential reputational damage—could be devastating.
Elpha set out to help protect these organizations. First, they designed affordable cybersecurity software. Once these tools were installed, Elpha planned to offer clients cyber insurance coverage. But creating this new insurance product was complicated, and Elpha’s leaders needed guidance.
“We needed actuaries who could move quickly, because cyber threats move so quickly,” MacDonald recalls. “We needed someone who could think outside the box.”
When they asked insurtech contacts for recommendations, they heard the same name again and again.
Elpha Secure needed Milliman.
Nimble thinking needed to keep pace with cyber risk
The unique nature of cyber risk requires a combination of deep actuarial expertise and nimble thinking.
More established types of insurance, such as personal auto coverage, have essentially remained the same for decades. The risks have historically been steady and predictable, with reams of data for actuaries to use as the basis of their assumptions.
In contrast, cyber risk is a moving target. Criminals change their methods as quickly as new technology is developed, rendering the limited historical data unreliable for predicting future threats. While insurers have seen growing demand for cyber risk coverage, the product line has experienced fluctuating financial results. Combined, these headwinds mean that developing a new cyber insurance product presents unique challenges compared to traditional lines of business.
But Milliman’s Sheri Scott, a principal and consulting actuary, was undaunted when Elpha Secure’s leaders approached her with their plans.
“I’m a very nontraditional actuary,” she says.

Unusual career path leads to creative problem-solving
Scott began her career as an underwriter and risk manager, an uncommon background that fostered an innovative mindset she’s since drawn on in work across the insurance industry.
“As an underwriter, you really had to learn how to identify what all the risks were,” she recalls. “No one was going to say, ‘Here are all the risks. Rate it up.’ I had to actually go through the exercise of identifying all the risk exposures. That really encouraged me to think creatively.”
Scott has applied this ingenuity to study everything from wildfire risk to embedded insurance. To help Elpha launch a cyber product that would be both innovative and financially sustainable, she collaborated with insurtech specialists Eric Krafcheck and Robert Zolla, fellow Milliman principals and consulting actuaries.
“We see insurtech clients all the time who are excited to put out a new product but typically have small teams and therefore don’t always have all the insurance expertise to know how to do that,” Zolla says. “That’s where Milliman comes in. It’s like designing a house. You don’t just start pouring concrete for the foundation—you start with the design. So, we start by understanding the market and refining the product as we go, so the client doesn’t launch something that later has to be redone.”
“Sophisticated ratemaking techniques”
As a managing general agent, Elpha Secure needed to find capacity providers, an increasingly challenging proposition as reinsurers shy away from all types of catastrophic risk, including exposure to a catastrophic cyber event as a result of systemic risk.
“From an ultimate loss perspective,” MacDonald says, “you could take all your hurricanes, wildfires, and wind events and put them on the Florida Panhandle and the damage would still be lower than if a threat actor took down Microsoft.”
But Milliman had the expertise to surmount this challenge, as Scott recalled an innovation she’d once used to manage the catastrophe risk on a homeowners insurance program and could now apply to cyber.
With homeowners, a catastrophe such as a hurricane puts property insurers’ capital at risk to pay for damage to multiple properties from a single event. Managing the catastrophe aggregation and concentration risk in that case requires different underwriting and pricing tools than those traditionally used in this line of business. To be able to apply different underwriting and pricing tools to the hurricane exposure, Scott split all the coverages apart, isolating the hurricane coverage. This allowed her to develop underwriting rules and rates specific to the hurricane coverage separate from the other coverages.
When the Milliman team applied this approach to cyber, it meant splitting the “attritional” risk—say, a small breach within a single company—from the “systemic” risk—an attack that affects many insureds, such as a breach in a payment system used by many websites. This granular risk breakdown enabled Elpha’s capacity providers to participate only in the portion of the risk they chose, at a rate that made them comfortable.
“We used sophisticated ratemaking techniques typically used to create a by-peril homeowners insurance product to build a novel cyber insurance product,” Scott explains. “To take our learnings and our experience from one line of business and apply them to a new and evolving line of business was exciting.”
The result was an innovative cyber insurance product that was appealing to capacity providers, appropriately priced, and within reach of small businesses.
Full cyber protection for small businesses
Today, Elpha Secure helps protect thousands of small and medium-sized enterprises across the United States, from seafood purveyors to solo accountants.
“We’ve been able to guarantee full coverage for businesses that would otherwise be restricted to a low-limits policy that wouldn’t help them much when they have a real claim,” MacDonald says.
Since Elpha launched its main product in 2022, leaders have continued to meet regularly with Milliman to refine the company’s insurance product rating and coverages, including a recent errors and omissions coverage enhancement. The ongoing relationship means Elpha can continue to adapt to the ever-evolving cyber market.
“I think it’s really fun work,” Zolla says. “And for us to be able to build something that meets our clients’ needs and helps Main Street businesses, it’s just fulfilling.”
MacDonald agrees. “There's so much room for innovation in cyber insurance, and Milliman recognizes that. It’s just a challenging—and exciting—industry to be in.”
This article was written by Milliman Senior Writer Adin Bookbinder.