BitSight EXCHANGE Sound Bites: Transferring Risk Through Cyber Insurance

BitSight | December 26, 2018 | tag: Cyber Insurance

In the months since BitSight’s inaugural EXCHANGE forum, we have been digesting and processing the incredible sessions and discussions that came out of it. It was a great event that brought together security executives from all over to discuss the challenges they face in their roles every day.

One session that stood out was the discussion between Graeme Newman (Chief Innovation Officer at CFC Underwriting) and Jake Olcott (VP of Corporate Communications & Government Affairs, BitSight), which focused on how cyber insurance has developed and changed in the past few years, as well as their thoughts on the future of the market.

Below, Newman shares his thoughts on the cyber insurance underwriting process.

“I suppose what we're really looking for is very much, like, the BitSight kind of philosophy. We try and look on the outside to see what we can see, and then make inferences about how that means that a business operates. So a few of the questions are just trying to gauge a level of security maturity, as much as we can see from the outside. Because we can't micro underwrite businesses. The economic model doesn't stack up for us to do weeks and weeks of review internally for us to ascertain a price, also remembering that we're not trying to price for your day to day operational risk. That's not what insurance is about.

You shouldn't be looking to get an annual return on investment on your cyber insurance spend. What we're looking to do is price the kind of one in 100, the one in 250-year event. When you're pricing what we call the tail of the distribution, right, the cat event, we tend to focus less on the control environment and more on the exposure environment, right? So we're looking for risk characteristics that will tell us how bad an event is in that one in 100, one in 250-year event, because that's the thing that we're worried about and that's the thing that we're pricing for.”

Thank you to Graeme and Jake for an extremely informative discussion!

Read the recap of the inaugural BitSight EXCHANGE forum. 
