As insurers underwrite their book of business, they must have a good grasp on what potential losses could look like for each of their applicants. To better understand this, they evaluate hundreds of metrics—including those related to cybersecurity. But understanding an applicant's cyber risk is much more complex than it was 20 years ago.
These days, the common practice of outsourcing means that insurers have to not only consider the applicant’s cybersecurity posture, but also the posture of the applicant’s third-party vendors. For example, insurers know that if a handful of applicants use a common vendor and that vendor is breached or disrupted, it could lead to a large number of claims from their insureds. The ripple effect such an event would cause to an insurer’s book of business is known as concentration risk or aggregate risk—and it’s becoming an increasingly large problem.
Download this white paper to see how the underwriting process is changing and what the future may hold for the cyber insurance market.
Take, for example, the recent breach on domain name service (DNS) provider Dyn, which experienced a complex distributed denial of service (DDoS) attack in October 2016. This attack caused extended outages for many large internet and ecommerce sites. If your insurance company underwrote business interruption insurance policies for a number of these affected companies, you’d be hit with a hurricane of claims all at one time.
Concentration Risk Management: Past & Present
Methods
Insurance companies need to gather as 
much information as possible on their applicants—and their applicants’ vendors—so they can determine if the risks are worth taking.
Previously, the approach to mitigating concentration risk was to ask applicants (via vendor risk assessment questionnaire or interview) to provide additional information on what types of vendors and third parties they work with. This approach is problematic for several reasons.
- First, questionnaires are limited in their effectiveness.
- They’re subjective. Vendor risk assessment questionnaires are commonplace today, but their accuracy relies too heavily on human assessment and calculation.
- They’re not verifiable. Often, you simply must trust your applicant’s answers. This kind of “aspirational security” hopes their responses are true, but isn’t necessarily effective.
- They’re not actionable. The real work begins when your applicant completes the template and returns it to you. Do you know how their responses impact your underwriting decisions?
- Second, many companies don’t know all of their vendors. Even if they do, they may not be fully aware of the level of access those vendors have to their network.
Today, there’s a much better method for concentration risk management: allowing insurance companies to write more (or more comprehensive) policies. BitSight Discover uses data to help organizations identify third-party linkages to insurance applicants. For example, if you are considering underwriting policies for a number of organizations, you can look to see whether they have a vendor in common—and whether or not you need to make some additional calculations or decisions to take on that concentration risk.
Remember: Voluntarily submitted information from insurance applicants is an inadequate method for underwriting your book of business—especially when data analytics are available to help you make those decisions.
