The certainty and severity of cybercrime has driven demand for insurance policies to cover the cost of damage when the inevitable occurs. Insurers, needing a clearer picture of clients’ risk so they can create policies and determine coverage, are turning to security ratings firms for help.
As technology has become more complex, so, too, have data breaches, explains Aleksandr Yampolsky, co-founder and CEO at SecurityScorecard. He points to the cloud shift as a turning point for cybersecurity.
Insurance companies started jumping into the budding space, offering policies to address demand. Now the industry is skyrocketing as companies transfer cyber-risk onto insurers.
Cyber insurance policies are complicated for buyers and sellers alike, and several questions around how to underwrite cyber-risk still remain. Unlike auto or homeowners insurance, there is little continuity from policy to policy in the cyber insurance marketplace. It’s difficult to gauge the time, impact, and potential total cost of a security breach using limited information.
“Many of those insurers who offer [cyber] insurance policies have done absolutely no legwork to verify the companies are totally secure,” Yampolsky says.
To underwrite cyber-risk, insurers often provide questionnaires in which they ask clients about factors such as business continuity or how they typically handle incidents, such as ransomware attacks. But many of their answers are subjective, Yampolsky says, and most insurers lack insight on historical data loss. What they need is concrete information to inform a growing number of cyber insurance policies, and they’re finding it through partnerships in the cybersecurity space.
Indeed, a new trend sees cyber insurers teaming up with security ratings firms to get the data they need to create policies. A recent partnership came from AXA and SecurityScorecard, which will provide AXA underwriters with both risk rating and view into their clients’ security posture.
“What I see more and more is discovery and ratings are key tools to accelerate the decision-making process,” says AXA partner Sebastien Loubry. The tools used by ratings firms to gauge security posture will inform insurers’ policy decisions.
“We can’t predict when they’ll get breached but can measure good and poor security practices,” Yampolsky says. SecurityScorecard monitors 200,000 businesses and rates them on a scale from A to F. Every security breach correlates with a letter grade; firms with poor marks (D or F) are 5.4 times more likely to be breached than those with an A or B security rating.
He refers to April’s Panera Bread security incident as an example. “We weren’t particularly surprised,” he says. Panera had consistently trended below the industry average; as a result, it suffered a breached. Newtek, which also scored poorly, was breached in February.
SecurityScorecard uses outside indicators to gauge a firm’s security habits. Yampolsky likens the process to assessing a person’s physical health: If you see someone who is coughing, flushed, and overweight, you can reasonably guess that person is not in the best health. You can’t predict when he’ll get sick, but outside signals show his lifestyle could be improved.
To assess security health, the ratings firm collects signals across 10 categories of risk: network security, DNS health, patching frequency, endpoint security, IP reputation, Web application security, exposed admin portals, hacker forums, leaked credentials, and social engineering. Threat actors are also watching these; if they notice something amiss, they’ll succeed, he says.
“The most relevant part for the insurance company is the level of protection that’s put around the data,” AXA’s Loubry says. The better a client protects its data, the lower the risk for an insurer. This is especially relevant in Europe, he notes, with the onset of GDPR.
Data Drives Security Improvement, Loss Control
The partnership between AXA and SecurityScorecard is neither the first of its kind, nor will it be the last. Jake Olcott, vice president of strategic partnerships for security ratings firm BitSight, points to three main use cases for security ratings in cyber insurance.
The first, as previously mentioned, is understanding clients’ security posture: collecting quantitative measurements, analyzing performance over time, and using that data to create and price policies. Ratings firms collect data after a breach, and what they find can help clients lessen the risk of future attacks through portfolio management.
“When some of these incidents break out – WannaCry or the MongoDB vulnerability being exploited – with any name-brand vulnerabilities, people get concerned about how it will impact their portfolio,” Olcott says.
In the second use case, carriers can leverage BitSight’s data to see how many underwritten companies are experiencing WannaCry today. Olcott calls it “accumulation risk,” or seeing how an incident accumulates across different parts of an insurer’s portfolio. Insurance companies can use this data to determine the extent and severity of a threat. Aggregation risk, a separate measurement, looks at how different policies all commonly depend on a third-party service provider like Amazon or Azure.
The third use case is loss control. More insurers are interested in improving their clients’ security posture after a policy is signed. Sure, they want to know about security habits before the policy is created, but they also want security to continue being top of mind. Olcott says more companies are working with vendors and supply chain partners to improve security.
“We see a lot of carriers focusing on this,” he explains. “They want to work directly with their customers on ways to improve: How do we improve? How do we mitigate breaches as best we can? How do we identify things quickly?”
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio