Cyber Insurance Underwriting: What Role Do Security Ratings Play?

Samit Shah | March 23, 2017

If you’re involved in the cyber insurance underwriting process—from the transaction to the ongoing operations—you’re constantly looking for things to help you (and your team) select better risks. Here are three specific ways BitSight’s Security Ratings platform can play an integral role in the underwriting process. 

1. Gaining Insight Into The Transaction

The first step in the cyber insurance underwriting process is the insurance application. It includes questions regarding security posture that virtually every carrier wants to learn more about. For example, if the applicant is looking for business continuity or business interruption coverage, you would focus your coverage-specific questions around disaster recovery procedures, how long it takes the applicant to get back online, business continuity management, and more.

Security Ratings make it easy for underwriters to map the answers to these security posture questions to risk vectors defined by BitSight. This way, you not only have the customer’s perspective on a topic, but you also have an objective one. This can help you determine if there are any deviations or gaps between what the customer says and what Security Ratings tell you—and if there are, you can dig deeper into that particular part of the application.

2. Benchmarking Against Your Portfolio For Risk Context

A major issue with applications and questionnaires is that responses are generally the same across all applicants, making it difficult to distinguish a high-risk from a lower-risk applicant.

Security Ratings offer an objective way to benchmark applicants against your existing customers with similar attributes or demographics. For example, if a $10 million law firm headquartered in New York applies for cyber insurance through your organization, you can pull all the other organizations of a similar size and scope from your portfolio. This information will provide you with the context you need to ask the applicant additional questions and price them accordingly.

3. Modeling & Risk Aggregation Strategy

Understanding how adding an applicant impacts vendor dependency risk across your larger portfolio is critical—and Security Ratings can help with this.

For example, if you have 100 customers using a certain DNS provider, and an applicant that also uses that provider comes to you looking for business continuity coverage, you can use Security Ratings to immediately verify that they’re also using that third-party DNS provider. If so, underwriting this applicant would mean that you’d have 101 customers using the same DNS provider—and you’d need to determine what this meant to you. Depending on the common vendor dependency risk you’re willing to take, you may or may not offer coverage. If you do offer it, you may change the limit, ask additional questions about vendor policies, increase the applicant’s retention, or change the applicant’s waiting period. Regardless, without insight from Security Ratings, it’s far more difficult to ensure your aggregate risk levels are at a level you’re comfortable with.

In Summary

It’s clear Security Ratings make an impact in a number of critical areas for cyber insurance underwriting—and we can’t forget about how Security Ratings make an impact from an operational perspective!

If you get the opportunity to write excess coverage, but you don’t know the level, Security Ratings can help steer you closer to writing the primary coverage. BitSight also gives you this information in real time so you don’t have to wait to make a decision until an applicant finishes their questionnaire or an applicant’s broker sends you their responses.

Looking for more information on how Security Ratings could impact your cyber insurance underwriting risk? Download this on-demand webinar to learn exactly how the underwriting process has developed over the years, hear experts discuss the current trends in the industry, and find out the latest tools carriers are adopting to better assess a corporation’s cyber preparedness.
