Matthew Mckenna Vice President EMEA at SecurityScorecard
Cyber insurance is growing in popularity because of the increasing number of data breaches reported over the last few years. Some common examples of incidents covered by cyber insurance are data theft, spyware and virus infections, dumpster diving, etc. To prepare for unforeseeable attacks, insurance companies write focused cyber liability policies. These policies may carve out specific protections for companies and their executives from the potentially devastating costs required to recover from a major cyber incident. An important data point for consideration during the underwriting process is the cyber risk that a company might pose as a result of its cybersecurity posture. Security ratings can help here, as they provide an up-to-date reflection of a potential insured's security weaknesses, ensuring the correct policy is written.
Cyber Insurance and Compliance
While cyber liability policies do not discount a company's obligation to meet its specific regulatory mandates, existing and emerging liability insurance products may provide a safety net for certain classes of companies that carry a specific regulatory burden. Depending on the size of a company or the scope of its business, cyber insurance policies may change or may not even be available; for example, a policy may be restricted to set limits on personal records or bank information. Sectors such as healthcare, retail, food and beverage, education and finance will buy these cyber insurance policies, as they may help cover expenses and encourage prevention of cyber breaches that have, for example, PCI-DSS implications.
Firstly, one challenge is how to effectively assess the cyber risk a company might pose. Insurance policies are priced based on the risk calculated by the issuing insurance company. It is simple if you look at it in terms of auto insurance, where the premium is typically determined by the driving record: the more accidents or moving violations a driver has, the more expensive the policy will be. Cyber liability is very similar in that the more cyber incidents a company has had, or the poorer its cyber health track record, the more expensive the insurance policy will be.
A secondary challenge is how to establish a common cyber risk taxonomy that is easily understood by insurance staff, agents and brokers, who in many cases are not knowledgeable about cyber risk. Lastly, a third challenge is how to effectively inform customers about their company's cyber risk as it relates to the premium price of a policy.
Example of how security ratings fit in
Insurance providers can integrate security ratings into their cyber insurance underwriting process in multiple ways, including:
Cyber Risk Assessment:
Security ratings provide an automated assessment of cyber risk for any company looking to purchase a cyber liability policy. In the case of a company not qualifying for a policy, security ratings will then report a simple school-style letter grade (e.g. A-F) that assesses how well the company has broadly addressed its cyber health. The solution gives detailed insight into a company's cyber health via fine-grained scores for each of ten important cybersecurity factor areas. Using a cybersecurity rating solution, insurance providers can align potential risk across the entire underwriting process.
Cyber Posture Transparency:
Most individuals who are responsible for selling, quoting, issuing, or buying a cyber liability policy do not have expertise in cybersecurity. Security ratings can provide a solution for insurance companies that introduces a common cybersecurity language. At the same time, security ratings also provide a sufficient level of detail for more cyber-aware individuals when required. The security ratings solution provides a strong basis for insurance agents and brokers to quote cyber liability insurance policies using a consistent representation of a company's potential cyber risk. Similarly, the ability for an insurance buyer to see their company's security ratings introduces unique transparency during the process of buying or renewing a cyber liability policy.
Cyber Gap Assessment:
Insurance providers that do not use an automated security rating solution often find themselves cobbling together a picture of a company's cyber risk from various manual assessment methods, such as cyber risk questionnaires, which takes much more time and makes the process lengthier than it needs to be. Security ratings provide the ability to quickly assess gaps in a company's cybersecurity efforts, which is important when preparing a cyber liability policy. The gap assessment provided by a cyber rating solution can be invaluable for both novice and advanced cybersecurity professionals. For example, the breadth provided by security ratings can help a cybersecurity novice document broad security gaps (e.g., historical breach frequency, use of secure websites, etc.).
Unlike more manual assessment methods, workflow integration greatly improves the efficiency and accuracy of quoting, selling, and renewing cyber liability insurance policies. Security ratings provide APIs and custom integrations that enable cybersecurity ratings to be connected into an insurance provider's business process.
Results and Benefits
One significant benefit of using security ratings is that downstream constituents (e.g., agents, brokers, customers, etc.) perceive the insurance provider as a trusted advisor concerning cybersecurity. A secondary benefit is that the ratings provide an accurate and transparent assessment of a company's cyber risk. Independent research has shown that a company with a rating of less than 'D' is five times more likely to be breached than a company with a better score. Insurance providers are likely to decide that companies with a grade of "D", "E" or "F" are too high a risk to issue a cyber liability policy to. However, the transparency of security ratings enables companies to understand their cyber concerns and go on to fix them.
Insurance companies can gain numerous benefits from using a security rating solution as part of their cyber liability insurance programs. Security ratings are used by insurance companies across multiple phases of defining and issuing cyber liability policies, including underwriting, quoting, and renewals. The result is the ability to offer the best cyber liability policies while maintaining trusted advisor status across all relevant constituents, including insurance agents, brokers, and customers.
Matthew Mckenna has extensive experience in the technology and security industry. Matthew is a high-energy strategy and operations executive with a track record of commercialising emerging technologies across sectors in global markets.