While cybersecurity insurance is a relatively new line of service in the industry (it’s only been around for the last 10-15 years), it is currently the fastest-growing form of insurance. And it’s no wonder—today, a data breach at a large company could cost hundreds of millions of dollars. Spurred on by recent increases in breach activity that have resulted in direct consequences and major costs to companies in every industry, more and more organizations are looking to transfer some cyber risk to insurance companies.
Cyber insurance covers all kinds of data losses—from personally identifiable information (PII), to credit card data, to healthcare data, and much more. When a breach happens, there are both first-party and third-party costs that must be covered:
To understand how much to charge a company, underwriters need to get a sense of how secure the company is and how large a risk it poses. If the underwriter determines the company is tightly run and secure, the underwriter may charge a lower premium—but if the company doesn’t have the right cybersecurity controls in place, the underwriter may consider a higher premium, or choose not to underwrite the company at all.
But how do cyber liability insurers properly assess a company’s security posture? This has been the primary issue in the cyber insurance industry.
Historically, underwriters have assessed risk through the use of questionnaires and interviews with the company regarding their security practices. (This is very similar to how many companies review third parties for vendor risk.) The questionnaire typically asks many questions on the procedures, policies, hardware, and software that govern IT and cybersecurity, such as:
An underwriter’s goal in asking these questions is to build as detailed a picture of the company’s cybersecurity as possible and decide whether they are comfortable with the risk—but traditional methods are subjective and simply insufficient for a proper review of a company’s cybersecurity posture.
The insurance industry has used objective, well-understood metrics for assessing risk in nearly every other line of coverage. For example, life insurance takes into account medical history, blood pressure, age, and other health metrics. Auto insurance is based on driving history, location, age, past accidents and tickets, and other driving-related metrics.
But an objective metric that could measure cyber risk for underwriting purposes simply didn’t exist—until BitSight changed the game with ratings for cyber insurance companies.
There are two critical reasons cyber liability insurance providers need to utilize security ratings:
BitSight is rapidly becoming the standard for security ratings in the cyber risk insurance industry. In fact, seven of the 10 largest cyber insurance carriers in the world use BitSight as a part of their underwriting!
The simple truth is that it’s no longer enough to rely on questionnaires and interviews for underwriting—and with security ratings, such a simple, objective way to assess the risk of an insured, why would you want to?
This post was originally published July 18, 2016 and has been updated for accuracy and comprehensiveness.