Cyber Risk Challenges
Every type of insurance has its own underwriting process, but all will follow a basic common structure: first, all relevant information pertaining to a specific risk will be gathered, then this intelligence will be used to assess and price the risk. Underwriting for cyber insurance is relatively more complex for the following reasons:
- Lack of statistics and actuarial information – since cyber insurance is a young product, there remains a dearth of statistics and actuarial information. This is exacerbated by the fact that most cyber incidents go unreported, because companies that have fallen victim to a cyber-attack often hide the event for fear of bad press or legal action against them.
- Constantly changing cyber trends – even when up-to-date information exists, the risks change and evolve on a constant and continual basis alongside technological advances. The nature of cyber security is such that it requires continuous assessment of new risks and their impact.
- Shortage of technical expertise – unlike other fields, cyber insurance underwriting places heavy emphasis on technology. Working with such a unique product therefore demands technical knowledge and a deep understanding of the threats, the measures necessary to prevent damage, the vulnerabilities, and the possible impact of such vulnerabilities being exploited.
The task of cyber insurance underwriting is therefore to adequately assess the exposures faced by clients and to determine the extent to which those threats are being mitigated in the risk management process. Once all the information is gathered and the proper due-diligence process is performed, the underwriter can select the appropriate levels of cover they wish to offer the potential client, along with the insurance pricing.
Tools used by cyber insurance underwriters
Over the last few years, most underwriters have adopted technological tools that assist them in the underwriting process. These tools allow them not only to evaluate the level of cyber exposure more accurately but also to improve the quantification and pricing model.
These tools are used to perform the following processes:
- Non-invasive Assessment – there are tools that allow non-invasive assessment of the client’s security posture. To perform a security assessment, these tools scan the network and its related domains, subdomains, and IP addresses that will be covered by the policy. Examples include port and vulnerability scanning, exposed-credentials checks, SSL Credential Validation, and checks of whether cyber security controls such as a secure email gateway and DDoS protection are implemented. At the end of the assessment process, the tool provides a score from 1 to 100 for the defense level/security posture in place. Since the assessment is not invasive, it can be performed continuously and without the consent of the assessed party. These assessments also combine web-intelligence tests and scraping to look for information that is available on the web and the dark web and that may be useful to potential attackers. The output of such an assessment is a detailed report listing the IP addresses and domains that were scanned, the technological scans and tests that were conducted, and their findings.
- Cyber Risk Quantification – these tools are used to evaluate the financial impact of a cyber-attack, by considering the company’s characteristics (e.g., size, territories, revenue, security posture level, etc.). Using quantification tools provides a holistic view of an organization’s cyber risk profile, and provides an estimate of the potential loss due to various scenarios, such as a data breach, ransomware, DDoS, etc. The evaluation includes the “Estimated Aggregated (Max) Loss” and the “Estimated Probable Loss”.
- Benchmarking – benchmarking tools help compare the company’s security posture level to that of other similar companies. These scores allow organizations to measure the effectiveness of their cyber risk management and their cyber insurance policies against the performance of their peers within the same industry, in order to assess whether they need to improve their security posture. These tools also help determine the terms and conditions of the policy by comparing the limits of liability, premiums, coverages, and deductibles of similar companies operating in the same industry. Read more about the minimum requirements demanded by cyber insurers here.
Although cyber insurance underwriting is a relatively new discipline, the insurance industry is already embracing various tools that assist the underwriter and the broker in the process of assessing, quantifying, and benchmarking cyber risks. These technologies have become essential tools in setting the appropriate prices and establishing the cyber insurance premiums for clients.