Insights blog.

Companies typically buy several lines of insurance—from property, to general liability, to professional liability. When something goes wrong, it’s common for a company to run to its insurance provider and claim that it has coverage. But many times, companies like this assume that their insurance will cover them—but this may not always be the case.

Policy pricing is something every insurance company and underwriter struggles with at some point. The primary issue is differentiating between the risk an applicant presents and the information you’re given. Let’s take a closer look at how policy pricing is examined in cybersecurity today.

Determining whether you should quote or decline a cyber insurance applicant is an extensive and critical process. Typically, the decision is made after gaining an understanding of what the company does, identifying critical application information, and considering your organization’s risk appetite. But are you able to verify whether the decisions you’ve made are valid? 

If I were to ask you whether your cyber risk underwriting strategy is mature, your first question would likely be: “How do you define mature?” It’s a great question! Here’s the answer: A mature cyber risk underwriting strategy considers all relevant underwriting issues when assessing an applicant's or insured’s risk profile.

Most insurers find that the cyber insurance renewal process is fairly efficient from a time perspective—but it’s not very effective. In other words, they are able to quickly re-underwrite a company in their portfolio, but don’t have any better understanding about the insured’s security posture to see whether the risk has changed and is still suitable to keep on the books.

In many lines of insurance, claim activity is part of the norm—and it’s expected that you’ll have to underwrite to losses consistently. For example, in casualty lines, it’s common to have workers file for worker’s compensation because of an injury they experienced on a job.

A loss trend can be defined as a projected loss expectation based on historical data. If you find that past losses might be indicative of potential future losses, you can then use this information to price your services accordingly. 

As an underwriter who’s constantly trying to balance being both quick and careful, the worst thing you can do is treat every single applicant the same. Doing so can ultimately be setting you up to take on more risk than you’d expect. Of course, the more experience you have, the better you’re able to quickly assess a company’s risk posture.

As an underwriter in the cyber insurance industry, you know that insurance is all about information. You’re responsible for making decisions about your applicants based on the details given to you—but you’re also aware of the potential for asymmetry in this information.

Over the past couple of weeks, a major issue has surfaced affecting numerous companies that use MongoDB to store their data. Those who install MongoDB on a server and use default settings are exposing their data to the internet and allowing anybody to browse the databases, download information, and erase them entirely. Many companies are unaware of the vulnerability and that their information may be exposed to hackers. Criminals are reacting quickly and opportunistically by stealing data, then asking for a ransom. To make matters worse, some criminals asking for a ransom don’t actually have the data, so when the ransom is paid, companies are still left without answers. In addition to MongoDB, it was reported that clusters of Elasticsearch, an enterprise search engine has also been hit with ransomware.

Written with the assistance of Dan Dahlberg, Ethan Geil, and Ross Penkala.

While cybersecurity insurance is a relatively new line of service in the industry (it’s only been around for the last 10-15 years), it is currently the fastest-growing form of insurance. And it’s no wonder—today, a data breach at a large company could cost hundreds of millions of dollars. Spurred on by recent increases in breach activity that have resulted in direct consequences and major costs to companies in every industry, more and more organizations are looking to transfer some cyber risk to insurance companies.

What does cyb

PwC recently published The Global State of Information Security Survey 2016, which highlights security trends in a number of industries and key themes across all industries.

Last week, Bitsight co-sponsored a webinar with Advisen on the use of risk mitigation services for cyber insurance underwriting. Ira Scharf, GM of Cyber Insurance at Bitsight, joined Tracie Grella of AIG and Neeraj Sanhi of Willis Group to discuss several topics in this emerging field. Here are some of the highlights:

Today AIG announced a strategic partnership with Bitsight to recommend Bitsight Security Ratings for Vendor Risk Management to CyberEdge customers. CyberEdge insureds can now benefit from the data-driven insights and continuous monitoring Bitsight can provide and be alerted of potential threats to their network, as well as promote understanding of individual company risks.