As insurers underwrite their book of business, they must have a good grasp on what potential losses could look like for each of their applicants. To better understand this, they evaluate hundreds of metrics—including those related to cybersecurity. But understanding an applicant's cyber risk is much more complex than it was 20 years ago.
These days, the common practice of outsourcing means that insurers have to consider not only the applicant’s cybersecurity posture, but also the posture of the applicant’s third-party vendors. For example, insurers know that if a handful of applicants use a common vendor and that vendor is breached or disrupted, it could lead to a large number of claims from their insureds. The ripple effect such an event would cause to an insurer’s book of business is known as concentration risk or aggregate risk—and it’s becoming an increasingly large problem.
Take, for example, the recent attack on Domain Name System (DNS) provider Dyn, which experienced a complex distributed denial-of-service (DDoS) attack in October 2016. This attack caused extended outages for many large internet and ecommerce sites. If your insurance company underwrote business interruption insurance policies for a number of these affected companies, you’d be hit with a hurricane of claims all at one time.
Insurance companies need to gather as much information as possible on their applicants—and their applicants’ vendors—so they can determine if the risks are worth taking.
Previously, the approach to mitigating concentration risk was to ask applicants (via a vendor risk assessment questionnaire or an interview) to provide additional information on what types of vendors and third parties they work with. This approach is problematic for several reasons.
Today, there’s a much better method for concentration risk management, one that allows insurance companies to write more (or more comprehensive) policies. BitSight Discover uses data to help organizations identify third-party linkages to insurance applicants. For example, if you are considering underwriting policies for a number of organizations, you can look to see whether they have a vendor in common—and whether or not you need to make some additional calculations or decisions to take on that concentration risk.
Remember: Voluntarily submitted information from insurance applicants is an inadequate method for underwriting your book of business—especially when data analytics are available to help you make those decisions.
This post was originally published July 18, 2016 and has been updated for accuracy and comprehensiveness.