Security Ratings: An Objective Risk Metric for Cyber Insurers

Ira Scharf | February 25, 2014 | tag: Security Risk Management
Cyber Insurers Seek to Reduce Cyber Risk

Cyber insurance is one of the fastest growing segments in the insurance industry. With the tremendous increase in data breaches, companies are looking for insurance products to cover them in the event of a loss. As reported in a recent Boston Globe article, one in three companies now has insurance coverage against cyber losses, and last year 20% more cyber insurance policies were sold than in 2012, according to a report by Marsh LLC.

Recently disclosed high profile breaches at Target, Neiman Marcus and other large retailers highlight the tremendous impact a cyber breach can have on a company – both financial and reputational. The potential losses can be significant. Some analysts see the Target breach costs exceeding $1 billion, far surpassing their insurance limits.

As insurance companies rush to meet the demand for cyber coverage, how can they better understand and accurately price the security risk of the companies they wish to insure?

Companies ranging from small single-site firms up to large multinationals generally deploy a wide array of techniques in an effort to thwart cyber attacks as part of their security risk management efforts. However, not all techniques are effective, and not all companies implement those techniques in a manner that achieves optimal results.

Questionnaires used in cyber insurance underwriting as part of the application process can be broad and subjective. They give an indication of the security policies and procedures that may be in place at a given company – but not how effectively those policies and procedures are implemented. Two companies with similar security practices may have very different security outcomes. A recent blog post by George Hulme outlines how questionnaires may lead to a false sense of security for risk managers.

Further compounding the problem, hackers are becoming ever more sophisticated in the methods they use to attack companies. It’s difficult for many companies to keep up with the latest security practices. According to a survey reported in CSO Online, security spending continues to run a step behind the threats.

An objective, evidence-based cyber risk metric, such as BitSight’s SecurityRating for Cyber Insurance, measures security effectiveness, not simply policies and procedures, and can offer underwriters a distinctive tool for assessing the potential for cyber loss at a particular company. The algorithms used to calculate such cyber risk metrics analyze vast amounts of data, including Internet communication and evidence of actual security compromises and vulnerabilities, and distill that information into an easy-to-understand rating. Underwriters can use this security rating, in addition to their existing underwriting procedures, to gain a critical window of visibility into the security posture of a company that other methods cannot provide.

Security ratings can transform the insurance industry by allowing insurers to empirically compare companies against each other and against industry averages. This provides underwriters with an objective method to gauge the cyber risk of prospective insureds and offers insurers the capability to continuously measure and track the overall risk of their entire portfolio.


2/26/14: Liberty International Underwriters announced a collaboration with BitSight to provide security ratings to their policy holders.
