Cyber Insurance Underwriting: What Role Do Security Ratings Play?

Samit Shah | March 23, 2017

If you’re involved in the cyber insurance underwriting process—from the transaction to the ongoing operations—you’re constantly looking for things to help you (and your team) select better risks. Here are three specific ways BitSight’s Security Ratings platform can play an integral role in the underwriting process. 

1. Gaining Insight Into The Transaction

The first step in the cyber insurance underwriting process is the insurance application. It includes questions regarding security posture that virtually every carrier wants to learn more about. For example, if the applicant is looking for business continuity or business interruption coverage, you would focus your coverage-specific questions around disaster recovery procedures, how long it takes the applicant to get back online, business continuity management, and more.

Security Ratings make it easy for underwriters to map the answers to these security posture questions to risk vectors defined by BitSight. This way, you not only have the customer’s perspective on a topic, but you also have an objective one. This can help you determine if there are any deviations or gaps between what the customer says and what Security Ratings tell you—and if there are, you can dig deeper into that particular part of the application.

2. Benchmarking Against Your Portfolio For Risk Context

A major issue with applications and questionnaires is that responses are generally the same across all applicants, making it difficult to distinguish a high-risk from a lower-risk applicant.

Security Ratings offer an objective way to benchmark applicants against your existing customers with similar attributes or demographics. For example, if a $10 million law firm headquartered in New York applies for cyber insurance through your organization, you can pull all the other organizations of a similar size and scope from your portfolio. This information will give you the context you need to ask the applicant additional questions and price them accordingly.

3. Modeling & Risk Aggregation Strategy

Understanding how adding an applicant impacts vendor dependency risk across your larger portfolio is critical—and Security Ratings can help with this.

For example, if you have 100 customers using a certain DNS provider, and an applicant that also uses that provider comes to you looking for business continuity coverage, you can use Security Ratings to immediately verify that they’re also using that third-party DNS provider. If so, underwriting this applicant would mean that you’d have 101 customers using the same DNS provider—and you’d need to determine what this means for you. Depending on the common vendor dependency risk you’re willing to take, you may or may not offer coverage. If you do offer it, you may change the limit, ask additional questions about vendor policies, increase the applicant’s retention, or change the applicant’s waiting period. Regardless, without insight from Security Ratings, it’s far more difficult to ensure your aggregate risk stays at a level you’re comfortable with.

In Summary

It’s clear Security Ratings make an impact in a number of critical areas for cyber insurance underwriting—and we can’t forget about how Security Ratings make an impact from an operational perspective!

If you get the opportunity to write excess coverage, but you don’t know the level, Security Ratings can help steer you closer to writing the primary coverage. BitSight also gives you this information in real time so you don’t have to wait to make a decision until an applicant finishes their questionnaire or an applicant’s broker sends you their responses.

Looking for more information on how Security Ratings could impact your cyber insurance underwriting risk? Download this on-demand webinar to learn exactly how the underwriting process has developed over the years, hear experts discuss the current trends in the industry, and find out the latest tools carriers are adopting to better assess a corporation’s cyber preparedness.
