Security ratings can transform the insurance industry by allowing insurers to compare companies against each other and against industry averages. This gives underwriters an objective method to gauge the cyber risk of prospective insureds and offers insurers the ability to continuously measure and track the overall risk of their entire portfolio.
Cyber insurance is one of the fastest growing segments of the insurance industry. With the tremendous increase in data breaches, companies are looking for insurance products to cover them in the event of a loss. As reported in a recent Boston Globe article, one in three companies now has insurance coverage against cyber losses, and last year 20% more cyber insurance policies were sold than in 2012, according to a report by Marsh LLC.
Recently disclosed high-profile breaches at Target, Neiman Marcus and other large retailers highlight the tremendous impact a cyber breach can have on a company – both financial and reputational. The potential losses can be significant: some analysts see the Target breach costs exceeding $1 billion, far surpassing the company's insurance limits.
As insurance companies rush to meet the demand for cyber coverage, how can they better understand and accurately price the security risk of the companies they wish to insure?
Companies ranging from small single-site firms up to large multinationals generally deploy a wide array of techniques to thwart cyber attacks as part of their security risk management efforts. However, not all techniques are effective, and not all companies implement those techniques in a manner that achieves optimal results.
Questionnaires used in cyber insurance underwriting as part of the application process can be broad and subjective. They give an indication of the security policies and procedures that may be in place at a given company – but not of how effectively those policies and procedures are implemented. Two companies with similar security practices may have very different security outcomes. A recent blog post by George Hulme outlines how questionnaires may lead to a false sense of security for risk managers.
Further compounding the problem, hackers are becoming ever more sophisticated in the methods they use to attack companies, and it is difficult for many companies to keep up with the latest security practices. According to a survey reported in CSO Online, security spending continues to run a step behind the threats.
An objective, evidence-based cyber risk metric, such as BitSight's Security Rating, measures security effectiveness rather than simply policies and procedures, and can offer underwriters a distinctive tool for assessing the potential for cyber loss at a particular company. The algorithms used to calculate such metrics analyze vast amounts of data, including Internet communication and evidence of actual security compromises and vulnerabilities, and distill that information into an easy-to-understand rating. Underwriters can use this security rating, alongside their existing underwriting procedures, to gain a critical window of visibility into a company's security posture that other methods cannot provide.