
How To Combat Security Risks In Cyber Insurance

Samit Shah | March 14, 2017

As an underwriter in the cyber insurance industry, you know that insurance is all about information. You’re responsible for making decisions about your applicants based on the details given to you—but you’re also aware of the potential for asymmetry in this information.


Ideally, your potential customer’s insurance application will be completed in the company of the CISO, CIO, or someone in IT—and possibly with a broker or cybersecurity expert. And at times, your applicant will be able to provide you with loss runs or cyber risk assessments other third parties have performed. The more information you have, the better you’ll be able to sense the vulnerabilities and risk exposures you’ll be underwriting.

During this process, you are likely homing in on the framework and controls your applicants have in place for people, processes, and technology. Here are a few of the questions you may be asking:

  • People: Are your applicant’s employees aware of cybersecurity issues? Are they getting that information through regular training? One of the biggest people-related risks in security is employees opening attachments or clicking on links associated with phishing campaigns. Thus, it’s important to know whether the applicant’s employees can differentiate between legitimate messages and phishing attempts and are aware of common phishing techniques.
  • Process: Your applicant should have policies or procedures in place for vendor risk management. Are they evaluating their third-party vendors appropriately? Do they have a defined incident response plan in the event of a cybersecurity incident, including what steps they’ll take and who will get involved?
  • Technology: Your applicant may have antivirus applications and firewalls—but beyond that, are they monitoring the traffic leaving their IP addresses? Are they actually examining the log files generated by the tools they’re using to spot malicious activity inside their systems or attempts to attack them from outside? Are they identifying any open port issues? What technologies are they using to safeguard themselves?

With all this in mind, the question that stands out is, “Are we doing everything possible to gain more insight into the cybersecurity posture of our applicants?” The traditional route of examining applications and third-party cyber risk assessments is critical—but there are more tools you should take advantage of:

  • Work with a risk engineer. Risk engineers have technical expertise, background, and training and can be sent to an applicant’s organization to dig deeper into their cyber health.
  • Look at Security Ratings. Your applicants may say they’ve configured their applications appropriately, but how do you know that for sure? That’s where Security Ratings for cyber insurance come in. All you have to do is plug in the applicant’s URL, and you’ll be able to see, for example, if they’re running MongoDB on any open ports. If you see this, but their application says they have everything configured properly, then you can focus in on this discrepancy. Furthermore, Security Ratings help you prioritize the questions you’ve asked and focus your time and effort on the right areas.

A Final Thought...

You can certainly trust what your applicants tell you and hope for the best—but it’s critical to use every tool at your disposal to verify that the information they’ve provided to you is accurate. Blindly accepting their word is negligent and is bound to be a poor strategy in the long run.

If you want more information on Security Ratings, check out this Security Ratings for cyber insurance data sheet. It gives details on how to analyze, rate, and monitor the security performance of your insured and insight into how BitSight Security Ratings are calculated.
