How can we define risk in cyber insurance?
23 April 2019
Matthew McKenna, VP EMEA at SecurityScorecard, discusses the ever-growing popularity of cyber insurance and how security ratings can be used within the underwriting process to determine an organisation’s insurability, as well as evaluate premiums for new policies and renewals.
Faced with a steadily escalating number of data breaches, the business world is gradually shifting to give the threat of a serious security incident the same consideration as other major events that may disrupt operations and hit the bottom line.
Just as, for example, the financial impact of a serious fire at a factory would be protected with property insurance and business interruption insurance, companies are increasingly exploring cyber insurance against the costly impact of threats such as data breaches and ransomware infections.
The cyber security insurance market is relatively young but is growing at an astounding rate as companies move to mitigate the cyber threat. The global market has been predicted to reach $17.55bn in 2023, up from $4.52bn in 2017.
Thanks in part to its fledgling status, the cyber insurance market currently tends to be cautious when issuing policies. The insurance industry thrives on its ability to predict risk accurately, and obtaining a precise measure of cyber risk is generally much harder than it is for more traditional and well-established business risks.
A headache for underwriters
There are several difficult challenges facing underwriters of cyber policies. One of the most fundamental is how to assess effectively the cyber risk a company poses. Insurance policies are generally priced on the risk calculated by the issuing insurer.
In auto insurance, for example, the premium is largely determined by the individual's driving record. Someone who has been involved in multiple accidents or traffic violations naturally poses a greater risk and faces a more expensive premium.
Cyber liability insurance works along broadly the same lines, although underwriters face a number of additional challenges.
The poor availability of breach data, the inability to see inside a company without costly and intrusive processes, and the difficulty of reflecting third-party risk mean that underwriters must draw on many more signals to understand the potential risks involved.
Another area where cyber differs from more well-established fields like auto insurance is the complexity of the subject and the lack of an agreed common cyber risk taxonomy.
Brokers, insurers and insurance staff will generally be experts in insurance rather than the security industry and will not necessarily be familiar with all the technical terms and key issues.
Similarly, there is a challenge in effectively informing customers about their company's cyber risk as it relates to the premium price of a policy. The decision makers within the company who oversee insurance premiums are also unlikely to be security experts.
The most effective solution to these challenges is to condense the vast complexity of cyber risk into a form that can be easily understood by the layman and compared across organisations.
Setting the score
Just as we use credit scores to indicate a company's financial solvency and the potential risk it poses as an investment or debtor, a security score can be used to give a similarly clear picture of its cyber risk.
Companies that boast a high score will enjoy access to better policies and premiums, while companies with lower scores will accordingly be seen as higher risk and be met with more expensive premiums unless they can improve their posture.
Establishing a reliable security score requires a thorough assessment of a company’s security capabilities across several key risk factors. Just as with any other area of risk assessment, this audit needs to be conducted by experts in the field, in this case armed with a deep understanding of both cyber security and business structure.
In order to create an accurate security score, an assessment must also account for an organisation’s entire ecosystem. Once this has been completed, it is possible to boil the vast complexity involved down to a clear and easily understood figure for insurers.
The resulting security score is an extremely useful input for underwriters to factor into a company's risk level and premium.
Defining cyber risks
One of the most obvious indicators is the company's ability to follow good practice around key tasks such as updating and patching operating systems, services, applications, software and hardware. Unpatched systems with publicly known vulnerabilities are one of the most common entry points exploited by attackers, so poor practice in keeping up with patching is a clear sign of cyber risk.
The assessment must encompass the organisation’s entire digital footprint, including every device used to connect to its systems. Poorly secured laptops, mobiles and other endpoint devices frequently provide another easy attack route.
Network security performance also plays a major role. Poor practices such as unnecessary services exposed on open ports, expired, insecure or misconfigured SSL/TLS certificates, or database servers reachable from the internet are commonly exploited by cyber attackers, and all of them are observable from outside the organisation without intrusive testing.
It’s also important to look beyond the confines of the organisation and consider its extended web of partners, service providers and other connections. Cybercriminals can exploit smaller and less well-guarded connections to help them circumvent a company’s defences, so a relatively well-secured company could still present a risk if it has close connections with a service provider with poor security.
Using a security score approach will enable insurers to cut through the complexity of the cyber security field and establish a clear picture of the potential cyber risks an organisation represents based on its current security posture.
This will help insurers to create more accurate policies that reliably reflect the risk of each client, rather than falling back on higher premiums to try to cover unknown risk factors. As the insurance industry grows more familiar with the security field, organisations will gain greater access to affordable premiums to manage the costs when a major security incident does occur.