Cyber Insurance

Why Cyber Insurance Providers Need Security Ratings

Ira Scharf | July 28, 2016

Why cyber insurance?

While cybersecurity insurance is a relatively new line of service in the industry (it’s only been around for the last 10-15 years), it is currently the fastest-growing form of insurance. And it’s no wonder—today, a data breach at a large company could cost hundreds of millions of dollars. Spurred on by recent increases in breach activity that have resulted in direct consequences and major costs to companies in every industry, more and more organizations are looking to transfer some cyber risk to insurance companies.

What does cyber insurance cover? 

Cyber insurance covers all kinds of data losses—from personally identifiable information (PII), to credit card data, to healthcare data, and much more. When a breach happens, there are both first-party and third-party costs that must be covered:

  • First-party costs, including:
    • Credit monitoring for the customers, patients, or employees affected by the breach.
    • Cost of forensics teams to identify and remediate the issue.
    • Notification costs, as a company must notify the attorney general in every state where people are affected (47 states currently require this action).
  • Third-party costs, including:
    • Lawsuits from customers, employees, or patients suing because their information was not properly maintained.

The Cyber Insurance Underwriting Process

To understand how much to charge a company, underwriters need to get a sense of how secure the company is and how big of a risk it poses. If the underwriter determines the company is tightly run and secure, the underwriter may charge a lower premium—but if the company doesn’t have the right cybersecurity controls in place, the underwriter may consider a higher premium, or choose not to underwrite the company at all.

But how do cyber liability insurers properly assess a company’s security posture? This has been the primary issue in the cyber insurance industry.

Historically, underwriters have assessed risk through the use of questionnaires and interviews with the company regarding their security practices. (This is very similar to how many companies review third parties for vendor risk.) The questionnaire typically asks many questions on the procedures, policies, hardware, and software that govern IT and cybersecurity, such as:

  • “What kinds of security procedures, controls, and processes do you have in place for cybersecurity?” 
  • “Do you have a firewall? What kind of firewall?”
  • “Do you use encryption? What policies do you have in place around encryption?”
  • “What kinds of software controls do you have in place?”
  • “What personnel procedures for cybersecurity do you follow?”

But this approach isn’t without its challenges. There are several issues with the questionnaire-only method of evaluating cybersecurity risk:

  1. The respondent may not have all the information. Remember that the person answering the questionnaire (or answering your questions during an interview) may not know all the answers or may not understand the full story you’re looking for. For example, if you ask about their encryption policy and which machines it covers, the respondent may think you’re talking about the computers in their office—when you’re actually talking about all office locations around the U.S. or globally.
  2. The respondent may be overconfident about their cybersecurity program. Security and compliance professionals in organizations are often overconfident when it comes to the maturity and status of their security and risk management programs. If you ask any “yes” or “no” questions, the respondent may simply assume that they have certain controls in place. If you ask for detailed explanations, the answers may not give you the full story.
  3. The questions being asked might be too high-level. Many of the questions posed in a questionnaire simply aren’t detailed enough to give you a complete view of the insured’s cybersecurity posture—but audits and penetration tests are too expensive, intrusive, and lengthy to move forward with. So often, cyber risk insurance companies are stuck with these high-level questions as their only method of evaluation during the underwriting process.
  4. It only allows you to look at a single point in time. Even the best questionnaire only shows a snapshot in time. In other words, it helps the underwriter get a glimpse at the cybersecurity posture of the company on the day the questionnaire was answered, but doesn’t often cover past events and certainly doesn’t look at what will happen in the future. Because cybersecurity is an ever-changing industry, this makes questionnaires highly subjective and not extremely useful.

An underwriter’s goal through these questions is to get as detailed of a picture of the company’s cybersecurity as possible to assess whether they are comfortable with the risk—but traditional methods are subjective and simply insufficient for a proper review of a company’s cybersecurity posture.

Why Cyber Insurance Providers Need Security Ratings

The insurance industry has used objective, well-understood metrics for assessing risk in nearly every other line of coverage. For example, life insurance takes into account medical history, blood pressure, age, and other health metrics. Auto insurance is based on driving history, location, age, past accidents and tickets, and other driving-related metrics.

But an objective metric that could measure cyber risk for underwriting purposes simply didn’t exist—until BitSight changed the game with ratings for cyber insurance companies.

There are two critical reasons cyber liability insurance providers need to utilize security ratings:

  1. Underwriting requires an objective metric. With security ratings, you can look at different companies and understand how they are performing in cybersecurity relative to one another. And unlike subjective questionnaire answers, the ratings are simple, reliable, and easy to understand. The better the rating, the better the security posture.
  2. Underwriters need a frictionless method of obtaining information from companies. BitSight Security Ratings provide an outside-in look at insureds, which means insurance companies or their brokers don’t need the permission or involvement of the companies they rate. This takes a great deal of burden and stress off of the underwriter.

In Summary

BitSight is rapidly becoming the standard for security ratings in the cyber risk insurance industry. In fact, seven of the 10 largest cyber insurance carriers in the world use BitSight as a part of their underwriting!

The simple truth is that it’s no longer enough to rely on questionnaires and interviews for underwriting—and with security ratings, such a simple, objective way to assess the risk of an insured, why would you want to?
