Security Ratings: An Objective Risk Metric for Cyber Insurers

Ira Scharf | February 25, 2014 | tag: Security Risk Management
Cyber Insurers Seek to Reduce Cyber Risk

Cyber insurance is one of the fastest growing segments in the insurance industry. With the tremendous increase in data breaches, companies are looking for insurance products to cover them in the event of a loss. As reported in a recent Boston Globe article, one in three companies now has insurance coverage against cyber losses, and last year 20% more cyber insurance policies were sold than in 2012, according to a report by Marsh LLC.

Recently disclosed high-profile breaches at Target, Neiman Marcus and other large retailers highlight the tremendous impact a cyber breach can have on a company, both financial and reputational. The potential losses can be significant. Some analysts see the Target breach costs exceeding $1 billion, far surpassing its insurance limits.

As insurance companies rush to meet the demand for cyber coverage, how can they better understand and accurately price the security risk of the companies they wish to insure?

Companies ranging from small single-site firms up to large multinationals generally deploy a wide array of techniques in an effort to thwart cyber attacks as part of their security risk management efforts. However, not all techniques are effective, and not all companies implement those techniques in a manner that achieves optimal results.

Questionnaires used in cyber insurance underwriting as part of the application process can be broad and subjective. They give an indication of the security policies and procedures that may be in place at a given company, but not of how effectively those policies and procedures are implemented. Two companies with similar security practices may have very different security outcomes. A recent blog post by George Hulme outlines how questionnaires may lead to a false sense of security for risk managers.

Further compounding the problem, hackers are becoming ever more sophisticated in the methods they use to attack companies. It is difficult for many companies to keep up with the latest security practices. According to a survey reported in CSO Online, security spending continues to run a step behind the threats.

An objective, evidence-based cyber risk metric, such as BitSight's SecurityRating for Cyber Insurance, measures security effectiveness, not simply policies and procedures, and can offer underwriters a distinctive tool for assessing the potential for cyber loss at a particular company. The algorithms used to calculate such cyber risk metrics analyze vast amounts of data, including Internet communication and evidence of actual security compromises and vulnerabilities, and distill that information into an easy-to-understand rating. Underwriters can use this security rating, in addition to their existing underwriting procedures, to gain a critical window of visibility into a company's security posture that other methods cannot provide.

Security ratings can transform the insurance industry by allowing insurers to empirically compare companies against each other and against industry averages. This gives underwriters an objective method to gauge the cyber risk of prospective insureds and offers insurers the capability to continuously measure and track the overall risk of their entire portfolio.


2/26/14: Liberty International Underwriters announced a collaboration with BitSight to provide security ratings to their policy holders.
