By The Numbers: Defining Risk in Cyber Insurance

By Matthew Mckenna, VP EMEA at SecurityScorecard

As organizations continue to adjust to the reality of the threat presented by cyber attacks, one of the most important factors has been the growth of cyber insurance. An increasing number of businesses are beginning to align their views on cyber risks with more traditionally understood risks such as property damage and financial difficulties.

A recent report by the global insurance broker Marsh estimated that cyber insurance market in the US had increased to $1.8bn in 2018, roughly tripling in size from 2015. Marsh stated that the overall number of US companies purchasing cyber insurance had doubled over the past five years, while there was also growth for policy limits for existing buyers.

On a global scale, the cyber insurance market has been predicted to reach $17.55bn in 2023, up from $4.52bn in 2017. All this growth is a positive sign of companies taking cyber threats more seriously and assimilating risks such as ransomware and data breaches alongside more traditional business risks.

However, the cyber insurance market is still in a nascent stage and both organizations and insurance underwriters are still working through a number of serious challenges. The scope and complexity of cybersecurity mean that fully understanding the risks can be a difficult proposition. While premiums have gone down and policies have become more accessible, obtaining cyber insurance is still a more difficult and expensive proposition than in many other fields.

The challenge for underwriters 

Perhaps the biggest issue is the sheer number of vectors involved in accurately assessing cyber risks – many of which are continuing to evolve and change. By comparison, in the long-established auto insurance industry, premiums are based on several well-defined and understood factors, primarily the individual’s historical driving record. A motorist with a history of accidents and traffic violations will obviously be seen as a greater risk and will face more expensive premiums in order for insurers to absorb the risk.

Because cybersecurity is a relatively new field which is not widely understood, cyber liability insurance is much harder to define. There is very limited availability of breach data and assessing a company’s inner workings around security is usually an expensive and invasive affair. Additionally, the cyber health of a company’s suppliers, partners and customers can be as important as its own internal security. This means insurers must also deal with a complex and often vast network of interlinked companies in order to arrive at an accurate conclusion.

Similarly, the insurance industry must also contend with the lack of a commonly agreed taxonomy around cyber risk. Brokers, insurers and insurance staff are unlikely to have more than a passing familiarity with all the technical terms and key issues involved in cybersecurity – particularly as the field is changing and evolving at a rapid rate.

Aside from complicating the process of establishing policies and setting premiums, this also creates several issues when it comes to informing customers on their company’s cyber risk as it relates to the premium price of a policy. Since the decision makers with an overview of insurance premiums are also likely to be unfamiliar with the industry, it can easily be a case of the blind leading the blind.

To overcome the difficulties presented by understanding and defining such a complex and fast-moving field, we need to translate cyber risk issues into a format that can be more easily understood and compared.

Cutting through the complexity

One of the most effective ways of presenting the myriad vectors involved in cyber risk is to boil everything down to a simple numeric score. The practice has been widely used for decades to handle financial risk for organizations, individuals and even entire nations. A numeric credit score provides a useful shorthand that summarises an often-vast number of factors contributing to the entity’s financial solvency and potential risk as a debtor.

By the same token, a cybersecurity score can be used to provide a simple and easily understood representation of a company’s cyber risk level. A good score will indicate that a company represents a low risk and can be granted a lower premium, while a poor score shows that the firm is a riskier proposition and accordingly needs a higher premium until it can improve.

Translating so many different factors into a single numeric score is easier said than done of course. Just as with any other area of risk assessment, this audit needs to be conducted by experts in the field, in this case, armed with a deep understanding of both cybersecurity and business structure.

How are cyber risks defined? 

Several key factors must be assessed to establish an accurate security score. A firm’s ability to follow basic cyber hygiene is one of the most important elements, as many successful cyber attacks are the result of poor practice around tasks such as updating and patching operating systems, services, applications, software and hardware. Similarly, poor practices such as open access points, insecure or misconfigured SSL certificates, or database vulnerabilities are commonly exploited by cyber attackers and therefore indicate a higher level of risk.

As a single device can lead to a serious cyber incident, a proper assessment must include every device used to connect to the firm’s systems, including laptops, mobiles and IoT devices.

Finally, because cybercriminals will facilitate attacks through trusted third parties, the assessment must go beyond the walls of the organization and include its network of partners, service providers, and other connections. Even if the company itself is well-secured, it could still be considered at a high risk of attack if a poorly secured third party can access its systems.

Condensing these cyber issues and other key factors down into a single score will provide insurers with a shorthand reference to a company’s level of cyber risk. This will enable insurers to create more accurate policies for each client, rather than having to rely on generic higher premiums because they are unable to accommodate all of the risk factors involved.

With cyber risk becoming more accessible and widely understood by the insurance industry, organizations will be better able to access affordable policies that will help them mitigate the impact of a serious cyber incident.

About the Author

Matthew McKenna – Vice President EMEA at Security Scorecard – has extensive experience in the technology and security industry. Matthew is a high-energy strategy and operations executive with a track record of commercializing emerging technologies across sectors in global markets.