Cybersecurity continues to be a top risk for business and government leaders worldwide. In addition to reputational damage and lost business, the direct financial costs of a cyber incident continue to rise. Ransomware payment costs are up nearly 10% from the first quarter of 2022, and in 2021, U.S. banks processed roughly $1.2 billion in ransomware payments. The rising cost and likelihood of experiencing a cybersecurity incident have made cyber insurance a popular option for organizations seeking risk transfer solutions.
Cyber insurance decisions should be supported by trusted, objective data, but this has been far from the status quo:
- Security professionals have historically relied on cumbersome and lengthy cybersecurity frameworks to improve insurability
- Insurers have struggled to ascertain and analyze unbiased, trusted, and objective datasets to help inform loss models and pricing decisions
- Brokers need reliable statistics to help clients make the best decisions regarding pricing, scope, and terms
More than ever before, the market needs a set of trusted cybersecurity analytics on which to focus.
A new independent study by the world’s largest insurance broker, Marsh McLennan, found 14 BitSight analytics to be significantly correlated with cybersecurity incidents, helping organizations prioritize initiatives to measurably reduce the risk of an incident. These analytics fill an important gap in the market, allowing cyber insurers, insureds, and brokers to make decisions more closely tied to tangible outcomes.
To dive deeper into the analysis and what it means for the cyber insurance industry, BitSight’s Aaron Aanenson, senior director of cyber insurance thought leadership, sat down for an interview with Noah Stone, senior manager of thought leadership.
Stone: Aaron, I’m excited to discuss this important research with you. To kick us off, what’s the purpose of this study and how did Marsh McLennan’s Cyber Risk Analytics Center (Marsh McLennan) approach the logic behind it?
Aanenson: The primary objective of this study was to further enhance the value of BitSight’s cyber risk data for both the cyber insurance community and the broader cybersecurity industry. First, this enables cyber insurance underwriters to more easily synthesize the significant amount of risk data they analyze when they underwrite accounts. Second, it empowers cybersecurity leaders and risk managers to have clear data to articulate and support their cybersecurity risk strategies and budgets.
The study makes this possible by correlating likelihood of breach with performance in the cybersecurity risk areas that BitSight measures, thereby allowing leaders to prioritize which areas of cybersecurity should be optimized for the greatest return on investment.
Insurance customers are interested in this study for these purposes, especially in the current cyber insurance environment where cyber coverage is increasingly challenging to obtain and maintain at a cost that makes sense for risk transfer strategies. Marsh McLennan independently conducted this study by comparing BitSight’s risk vector ratings and the topline BitSight Security Rating to their proprietary exposure and loss database. Then, using a statistical technique called “rank biserial correlation,” they quantified the relationship between BitSight analytics and their loss data to produce the output you see in our report.
Stone: What exactly did Marsh McLennan find in their independent analysis, and why do you think it’s relevant to the cyber insurance industry?
Aanenson: Marsh McLennan found a significant correlation between 14 BitSight analytics (13 risk vectors and the BitSight Security Rating) and cybersecurity incidents. This data is incredibly valuable for cyber insurers because it provides objective data that the industry currently lacks. Other lines of insurance rely on decades, if not centuries, of historical risk data to make fairly reliable predictions for the future.
Cyber insurance faces unique challenges because most cyber incident data is kept private. And the short history of claims data available to carriers demonstrates that the cyber claims of the past are drastically different from the cyber claims we see today. Since cyber threats change so quickly, we don’t necessarily need decades of claims data to inform underwriting decisions, but the underwriting still needs to rely on current, reliable datasets that can be tied to losses in order to produce a viable and valuable insurance product.
Overall, this data enhances confidence in the predictability of losses, which is critical to support the capacity of providers, underpinning the ability of insurance carriers to issue cyber insurance coverage.
Stone: Predictability is definitely an important element here, especially when so many cyber claims datasets skew towards geographic, sector, size, and other biases. How can cyber insurers utilize the data in their day-to-day business building activities?
Aanenson: When underwriting cyber insurance coverage, underwriters are significantly challenged by the sheer amount of data to analyze, which spans areas like the application, a plethora of cyber risk information, prior claims, peer analyses, and industry trends. Using the information in this study, underwriters can save time and make better decisions by:
- Prioritizing accounts having higher BitSight ratings and creating underwriting criteria based on those falling into certain segments (e.g., those with high ratings have fewer underwriting requirements; those in the middle have more; and those with low ratings maybe aren’t quoted or are non-renewed).
- Focusing underwriting decisions on the BitSight risk vectors that are most highly correlated to breach.
- Providing transparent feedback to insureds interested in improving their cyber insurance outcomes by focusing on the BitSight risk vectors that are most significantly affecting their BitSight rating.
Stone: How do you envision the cyber insurance landscape changing as a result of this research?
Aanenson: To me, the data is so strong that it seems possible to automate part of the cyber insurance underwriting process. Automation is critical for cyber carriers looking to insure SMEs, which represent the largest portion of the market with the most opportunity right now. In many cases, this segment can’t be insured profitably if the underwriting process isn’t automated in some fashion.
For larger risks, this data can be used to make better underwriting decisions faster, which can lead to better use of underwriters’ time and better hit ratios in an increasingly competitive industry.
And overall, with even greater confidence in the cyber risk data that BitSight provides, we will be fulfilling our company’s mission, which is to make the digital economy a safer place for all of us. This research helps us get there by identifying cyber risk where we can, and integrating that data into tangible outcomes that produce informed and effective cybersecurity investments.
Stone: How do you think security professionals and organizations should leverage this analysis? Why does it help them?
Aanenson: One of the most challenging parts of being a cybersecurity leader is articulating to a non-technical leadership team why certain security investments are needed to avoid an uncertain outcome. This study helps close the uncertainty gap by showing clear correlations between cybersecurity performance across key BitSight risk vectors and the likelihood of experiencing an incident. This should help cybersecurity leaders and risk managers better convey this information so security budgets are optimized for the best and most tangible outcomes. Additionally, when organizations monitor how their investments have impacted their BitSight rating over time, it will allow them to articulate a critical metric that drives budgeting decisions – return on investment.
To learn more about the 14 cybersecurity analytics most correlated with incidents, please download the report now.