Why Loss Runs & Trends Alone Are Not Enough To Make Cyber Underwriting Decisions

A loss trend can be defined as a projected loss expectation based on historical data. If you find that past losses might be indicative of potential future losses, you can then use this information to price your services accordingly.

Three elements typically contribute to a loss trend:

• Frequency—the number of times a loss may occur.
• Severity—the actual value associated with the loss.
• Exposure—the risk you’re subjected to through an applicant. (In cyber insurance, exposure tends to be in line with a mix of the applicant’s annual revenue, employee count, and record count.)

From a cyber underwriting perspective, the lack of data on frequency, severity, and exposure makes it difficult for loss trends to be sufficient for cyber underwriting decisions.

It’s always important to underwrite to the risk, which means underwriting to the applicant’s exposure. But applying loss trends as they relate to the applicant is more difficult. For example, if your application process requests information on past breaches (or loss runs if currently insured), your applicant is likely to provide information on their current incidents over the past year. This makes it challenging to assign the applicant to the right class of risk based on frequency and severity as you are working with very limited information. You may ask if the applicant has done anything to mitigate future risks after a reported incident. But even then, you have little visibility into the impact of their actions and will need to trust that their effort actually made a difference in decreasing overall risk.

So as an underwriter, it’s critical for you to be thoughtful during the underwriting process. You can contemplate the information you’re provided regarding frequency and severity (and how those things impact your risk exposure), but without access to any hard data on these points, loss information alone isn’t enough to make cyber underwriting choices.

“But if loss information isn’t enough to make underwriting decisions, where do I get additional data?”

This is a great question—and the answer is through BitSight Security Ratings. If you use the BitSight portal, you can gain more insight on frequency, severity, and exposure that will allow you to make better decisions during the underwriting process.

For example, you can use the Security Ratings portal to see the number of incidents of compromised systems as well as how long the activity lasted on the applicant’s network. This unique view into the frequency and severity can be benchmarked to the applicant's industry and your overall portfolio, giving you objective insight that goes beyond a subjective application form. You can also see the impact of any actions they say they’ve taken after a publicly disclosed incident on their overall security rating. Using Security Ratings for cyber insurance will enable you to be more nuanced in assessing risk, asking targeted questions, and make more data-driven decisions.