Underwriting Cyber Risk Part 2: Metrics to Track Cyber Hygiene
Cyber insurers regularly get requests for new business and increased limits. How can they determine which organizations are a risk worth taking? In my previous blog, I discussed how understanding an applicant’s cyber hygiene is the best indicator of whether they may experience a successful ransomware or other cyber attack. In this blog, I’ll walk through how to measure an applicant's cyber hygiene and which metrics have been shown to stand out as indicators of risk.
How to measure an applicant's cyber hygiene
Despite the significant increase in cyber insurance premiums, there are still organizations that lean on their cyber policy in lieu of making larger investments in new and more effective security controls. Part of an underwriter’s job is to identify these cases and avoid insuring them.
A strong candidate for cyber insurance is typically an organization that performs the following tasks and then seeks insurance for risks that are unlikely to materialize (yet would be devastating if they did):
- Demonstrates that they have processes in place to identify cyber risk
- Mitigates high-likelihood and high-impact risks sufficiently
- Integrates backup controls and other layers of security to enforce a defense-in-depth strategy
- Monitors their security program for effectiveness
- Seeks incremental improvements over time
Armed with this information, underwriters can perform a more in-depth discovery with applicants so that the risk is qualitatively and quantitatively evaluated against specific underwriting criteria. The most common quantitative method of measuring cyber hygiene is a cybersecurity ratings tool. Modern IT environments are complex, which makes it hard for insureds to make accurate claims about their cybersecurity and hard for underwriters to evaluate those claims. Cybersecurity ratings solutions help underwriters verify the accuracy of the information they receive from applicants by providing an unbiased, outside-in view of the applicant's cybersecurity program.
Start with an applicant's security rating
The best indicator of future performance is past performance. Underwriters can derive this from cybersecurity ratings because they are based on historical cybersecurity performance. Think of a security rating like a credit rating—if someone misses a payment due date, their credit score may drop and then need time to recover. When it comes to cyber insurance, the same principle applies, so applicants are incentivized to maintain strong cybersecurity throughout the policy period. Without that incentive, some insureds might treat cybersecurity as a once-a-year exercise, leaving themselves vulnerable throughout the policy period and their carriers on the hook for claims.
Key metrics that highlight cyber hygiene
Aside from a quantitative cybersecurity rating, other findings may correlate with the likelihood of an applicant experiencing a cybersecurity incident. For example, expired certificates may not seem like a significant risk, but certificate management is a simple, routine IT task for most organizations. Therefore, a history of expired certificates signals low cyber maturity overall. From that, an underwriter can infer that other, more critical cybersecurity practices are likely lacking too, which means cyber criminals may have more opportunities to identify and exploit vulnerabilities.
More importantly, certain analytics are statistically correlated with the likelihood of experiencing a cybersecurity incident. A new, independent study by the world’s largest insurance broker, Marsh McLennan, found 14 Bitsight analytics to be significantly correlated with cybersecurity incidents. Looking at some of the key metrics in this study—such as patching cadence and the Bitsight Security Rating—enables underwriters to synthesize the significant amount of risk data they analyze when they underwrite accounts. You can read my interview to learn more about how this study impacts the cyber insurance industry.
No organization is immune from determined cyber criminals, just as no homeowner is immune to severe weather damage. But there are best practices for minimizing the likelihood of being victimized, chief among them a relentless focus on cyber hygiene—the practice of ensuring that the organization performs its security fundamentals effectively every day. When an insurer identifies poor hygiene in one area, no matter how small it may seem, it almost certainly means that the organization lacks adequate controls in other areas as well. It’s not about looking at cyber controls in isolation. It’s about what they reveal about an insured’s cyber maturity.
The carrier's role in risk control
As insurance carriers continue to develop methods to limit risks that drive loss ratios to uncomfortable levels, it’s important to look within. Carriers have an opportunity to support their insureds in limiting losses throughout the policy period. Cyber insurance is now a business requirement for so many organizations, yet some small-to-medium businesses simply struggle to create and maintain security programs that meet strict underwriting requirements.
To help, some carriers may pay outside firms for mentoring services. In other cases, carriers and managing general agents (MGAs) use cyber ratings tools to monitor their insureds for vulnerabilities, and they may even provide remediation support. Lowering the carrier’s cyber loss ratio by even a single digit can be well worth the investment for these loss control services.
For example, Bitsight advisors work with insureds to help them understand reactive and proactive opportunities to improve their risk profiles. In addition, by collaborating with insureds, the advisors help them create self-published ratings that reflect the distinctions between various segmented networks (such as guest networks). Through this service, Bitsight creates plans for insureds to remediate weaknesses that can help them avoid cyber attacks, and provides a high-level, comprehensive review of the Bitsight solution's features and capabilities. The study from Marsh McLennan found that organizations with a lower Bitsight rating have a likelihood of cybersecurity incidents up to 4.8 times higher. By working with Bitsight advisors, organizations can improve their cyber hygiene and therefore reduce their risk.
Providing valuable cyber insurance policies
Cyber attacks and ransomware will only continue to ravage companies worldwide. To stay viable in an increasingly high-tech, connected landscape, the cyber insurance industry needs a strategy to respond quickly to this risk environment and provide valuable cyber policies that protect against these risks. By combining these insights with the ways end users already use cybersecurity products to support their cyber hygiene workflows, insurance carriers can offer more risk mitigation services alongside the cyber ratings tools they use to underwrite accounts.