Cyber Insurance: Looking at Third Party Risk

network_modelThe tremendous growth in cyber insurance is being fueled in part by the desire of companies to cede some of the risk of a cyber breach to insurers. In many cases insurers are eager to take on this risk – provided they can objectively quantify and understand the risks they are underwriting. In a recent post I looked at the need for cyber insurers to employ cyber risk metrics as a way to better understand and quantify those risks.

However, is it enough to only look at the cyber risk of the insured? Increasingly companies are being attacked through their third-party vendor networks; one study by the Ponemon Institute reported 23% of data breaches are attributable to third party vendors. As companies share critical customer information with vendors, they expose themselves to a breach through these extended networks. Criminals have even started to target small to medium sized companies as a way to access the sensitive information of the larger firms they serve.

One case of this new tactic is documented in a recent New York Times article in which a mischievous attack was perpetrated by inserting malware into a Chinese take-out menu favored by employees of the targeted company. Last December, when Target Corp was breached and hackers stole credit card data from 70 million customers, the attack was traced to malicious code getting into Target’s network through a heating and air conditioning vendor.

security ratings snapshot example

Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

Get Your Rating
Button Arrow

For an insurer these risks are very real and a potential blind spot in the risk assessment process. When a breach occurs through a third-party vendor and involves the loss of sensitive data on behalf of a customer, the financial and reputational damage that ensues falls primarily on the customer – the owner of the data – and their insurer. Insurers today are grappling with the task of evaluating the cyber risk of the insured themselves. Often there is little thought given to the cyber security of the insured’s third-party vendors. Some underwriters are asking prospective clients to list their critical vendors in the application, but this is primarily to identify areas of risk aggregation – where a large percentage of insureds are relying on the same set of vendors. Identifying risk aggregation is an important part of overall risk assessment, however simply enumerating critical vendors – and identifying potential aggregation issues – fails to identify whether those vendors are secure!

In order to overcome this obstacle for underwriters, objective cyber risk metrics can be used to both assess the insured and their critical vendors. Cyber risk ratings, such as BitSight Security Ratings for Cyber Insurance, can be a valuable tool to identify problem areas within an insureds internal network and extended ecosystem. Identifying and mitigating these problems before a breach can help both client and insurer avoid costly losses of money and reputation. These ratings are a powerful tool to help insurers assess the potential for a cyber breach within a company’s own network - and those of their critical vendors.