What Is Concentration Risk Management & Why Should It Matter To Insurers?

Melissa Stevens | November 8, 2016 | tag: Cyber Insurance

As insurers underwrite their book of business, they must have a good grasp on what potential losses could look like for each of their applicants. To better understand this, they evaluate hundreds of metrics—including those related to cybersecurity. But understanding an applicant's cyber risk is much more complex than it was 20 years ago. 

These days, the common practice of outsourcing means that insurers have to not only consider the applicant’s cybersecurity posture, but also the posture of the applicant’s third-party vendors. For example, insurers know that if a handful of applicants use a common vendor and that vendor is breached or disrupted, it could lead to a large number of claims from their insureds. The ripple effect such an event would cause to an insurer’s book of business is known as concentration risk or aggregate risk—and it’s becoming an increasingly large problem.

Take, for example, the October 2016 distributed denial of service (DDoS) attack on the Domain Name System (DNS) provider Dyn. No data was stolen, but the attack caused extended outages for many large internet and ecommerce sites that relied on Dyn to resolve their domain names. If your insurance company had underwritten business interruption policies for a number of these affected companies, you would have been hit with a hurricane of claims all at one time, even though none of those insureds had themselves been compromised.

Concentration Risk Management: Past & Present

Insurance companies need to gather as much information as possible on their applicants—and their applicants’ vendors—so they can determine if the risks are worth taking.

Previously, the approach to mitigating concentration risk was to ask applicants (via vendor risk assessment questionnaire or interview) to provide additional information on what types of vendors and third parties they work with. This approach is problematic for several reasons.

  • First, questionnaires are limited in their effectiveness
    • They’re subjective. Vendor risk assessment questionnaires are commonplace today, but their accuracy depends on the respondent’s own judgment of their security and of their vendors.
    • They’re not verifiable. Often, you simply must trust your applicant’s answers. This kind of “aspirational security” hopes the responses are true, but gives you no way to check them.
    • They’re not actionable. The real work begins when your applicant completes the template and returns it to you. Do you know how their responses should change your underwriting decisions?
  • Second, many companies don’t know all of their vendors. Even if they do, they may not be fully aware of the level of access those vendors have to their network.

Today there is a better method for concentration risk management, one that lets insurance companies write more (or more comprehensive) policies with a clearer view of their aggregate exposure. BitSight Discover uses data to help organizations identify third-party linkages to insurance applicants. For example, if you are considering underwriting policies for a number of organizations, you can look to see whether they have a vendor in common—and whether you need to make additional calculations or decisions before taking on that concentration risk.
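To make the "vendor in common" check concrete, here is an added example of how an underwriter might compute aggregate exposure per vendor across a book of business. This is illustration code written for this article, not BitSight's own code or the logic behind BitSight Discover; the applicants, policy limits, vendor names and the 50% concentration threshold are all constructed assumptions.

```python
"""Aggregate (concentration) risk across a book of business by shared vendor.

Added example, not BitSight's code. Applicants, limits and vendor linkages
are constructed sample data; a real underwriter would source the vendor
linkages from discovery data rather than from the applicant's questionnaire.
"""
from collections import defaultdict

# Constructed sample book: applicant -> (business-interruption limit in USD,
# set of third-party vendors the applicant depends on). All names hypothetical.
SAMPLE_BOOK = {
    "acme-retail":   (5_000_000, {"dns-provider", "cloud-a", "payments-x"}),
    "globex-media":  (8_000_000, {"dns-provider", "cdn-b"}),
    "initech-saas":  (3_000_000, {"cloud-a", "dns-provider"}),
    "umbrella-corp": (2_000_000, {"cdn-b"}),
    "hooli-apps":    (6_000_000, {"cloud-a", "payments-x"}),
}


def vendor_exposure(book):
    """Invert applicant->vendors into vendor->{insureds, aggregate_limit}.

    The aggregate limit is the total BI limit that a single outage or breach
    of that vendor could trigger claims against at the same time.
    """
    exposure = defaultdict(lambda: {"insureds": set(), "aggregate_limit": 0})
    for applicant, (limit, vendors) in book.items():
        for vendor in vendors:
            exposure[vendor]["insureds"].add(applicant)
            exposure[vendor]["aggregate_limit"] += limit
    return dict(exposure)


def concentration_flags(book, max_share=0.50, min_insureds=2):
    """Return {vendor: share_of_book_limit} for vendors that are shared by at
    least min_insureds applicants and whose aggregate limit exceeds max_share
    of the whole book. The threshold is an assumed, illustrative value."""
    total = sum(limit for limit, _ in book.values())
    flagged = {}
    for vendor, info in vendor_exposure(book).items():
        share = info["aggregate_limit"] / total
        if len(info["insureds"]) >= min_insureds and share > max_share:
            flagged[vendor] = round(share, 3)
    return flagged


def marginal_exposure(book, applicant, limit, vendors, max_share=0.50):
    """Underwriting check for a new applicant: which vendors would newly cross
    the concentration threshold if this policy were added to the book?"""
    candidate = dict(book)
    candidate[applicant] = (limit, set(vendors))
    before = concentration_flags(book, max_share)
    after = concentration_flags(candidate, max_share)
    return {v: s for v, s in after.items() if v not in before}


if __name__ == "__main__":
    for vendor, share in sorted(concentration_flags(SAMPLE_BOOK).items()):
        print(f"{vendor}: {share:.0%} of the book's BI limit")
    # Would writing a 6M policy for an applicant that depends on cdn-b
    # push that vendor over the threshold?
    print(marginal_exposure(SAMPLE_BOOK, "new-applicant", 6_000_000, {"cdn-b"}))
```

On the constructed book the shared DNS provider and cloud-a each carry more than half of the total limit, which is exactly the Dyn-style scenario in which one vendor outage produces a wave of simultaneous claims. The marginal check is the point where this feeds an underwriting decision: a new applicant is evaluated not only on its own posture but on whether its vendor dependencies tip the existing book past the concentration you are willing to hold.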

Remember: self-reported information from insurance applicants is an inadequate basis for underwriting your book of business—especially when data analytics are available to help you make those decisions.

This post was originally published July 18, 2016 and has been updated for accuracy and comprehensiveness.