

By Miles Tappin, VP of EMEA at ThreatConnect


The rise of advanced threats, particularly ransomware, has cast a shadow over the cyber insurance industry. As a result, more businesses have been looking for insurance protection in recent years to ensure they can mitigate future threats and protect themselves and their customers. However, both carriers and those seeking insurance lack the inherent ability to automate risk, as well as the financial models needed to calculate security improvements and reduce overall response times and exposure.

The escalation in the sophistication of cyber-attacks has led to a climb in demand for policies and increasing costs. Several carriers have raised premiums between 30% and 50% and introduced further restrictive policy terms and coverage limits. Some insurance brokers have reported carriers reducing the amount of coverage offered by millions, and at least one primary carrier, European insurance giant AXA, has dropped ransomware coverage altogether.

Ultimately, the cyber insurance market is facing three significant challenges. Insurance underwriters rely on a highly manual, point-in-time approach to gathering data and assessing a company’s cyber risk exposure. However, these underwriters cannot correlate loss data to vulnerabilities, deficient controls, misconfigured hardware or software, or the ability of an attacker to compromise a critical application or system successfully. Security assessments are conducted just once before binding coverage and not revisited until it’s time to renew the policy. In many cases, security assessments conducted on behalf of an underwriter are never shared with the company seeking insurance. As a result, a critical vulnerability in the industry is evident.

Manual Risk Assessments

It’s hard to believe, but just one year ago, most cybersecurity insurance questionnaires consisted of fewer than ten questions, and underwriters would give companies 60 to 90 days to get the required controls in place. Today, most applications involve dozens of questions, are still highly manual, and companies only get 30 days to get their security controls in order.

Today’s manual application process means underwriters are writing policies based on guesswork that is only valid on the day it was produced. Thus, the requirement to automate the quantitative process could not be more urgent.

Automated cyber risk quantification is now a reality. Businesses should move quickly to understand their business more accurately and prioritise efforts so that critical business processes, applications, and data are protected. Security Orchestration, Automation, and Response (SOAR) can provide three specific benefits. It enables companies to proactively model and predict risk, mitigate and monitor for changes and see ‘what-if’ recommendations that drive smart actions, mitigations, and response.

Correlation & Accounting for the Attacker

Cybersecurity insurance is different from other forms of insurance primarily because cyberattacks involve two things insurance can’t measure — the attacker and the defences they try to beat.

The struggle to understand loss exposure in cybersecurity isn’t the lack of loss data – it’s the inability to correlate it to a vulnerability, a deficient control, misconfigured software or hardware, or the ability of an attacker to reach a critical system or application.

Risk quantification automatically enters data into a risk model and automation engine. Those inputs include data from your organisation as well as industry, attack, and vulnerability data aggregated through various sources. That information is then applied to the risk model and automation engine to determine the financial impact of cyber risks and the probability of success of specific attacks.

These calculations drive a variety of other activities within risk quantification that lead to the operationalisation of information across the rest of your organisation, including:

Cyber Risk Assessments

Given the advanced capabilities of cyber adversaries and their tactics, techniques, and procedures, the current cyber insurance model almost guarantees that insurance carriers will be forced to pay claims. As a result, point-in-time assessments that are manual guesswork are inadequate for protecting enterprises from the onslaught of cyberattacks.

Being able to track cyber financial risk over time, understand the impact of budget decisions, and ultimately justify spending is now driving business decisions on which risks to tolerate, treat or transfer.

While the first step is to understand your organisation’s exposure in financial terms, the next is to decide how to mitigate risk. Risk quantification models many different types of attackers and attacks that may infiltrate an organisation, its controls, vulnerability data and critical applications.

Most risk quantification customers keep their controls actively updated in the tool to assess which applications are most vulnerable. They also provide vulnerability data, which allows risk quantification to make short-term recommendations on Common Vulnerabilities and Exposures (CVEs).

The capabilities of risk quantification can give insurance underwriters and their clients a clear, dynamic picture of inherent and residual risk. Not only are the threat landscape and the parts of it that are relevant to your business changing, but the controls, applications, endpoints, and type of data present in your environment are changing as well. Risk quantification enables you to apply these changes instantaneously to your models, allowing cyber risk measurement to move beyond point-in-time assessments and become programmatic.

Once finalised, analysis is put in a report that business leaders, board members, and insurance underwriters can understand.

