Every type of insurance has its own underwriting process, which is used to gather the relevant information and then assess and price the risk. Underwriting for cyber insurance is more complex than most for the following reasons:
- Lack of statistics and actuarial data – since cyber insurance is relatively new, there is a lack of statistics and actuarial data. This is amplified by the fact that many cyber incidents are never reported, because companies prefer to hide the fact that their security controls were not able to prevent the attack.
- Constantly changing – even when relevant information exists, the risks are constantly changing and evolving, due to continuous changes in computer systems and technology, which requires continuous assessment of new risks and their impact.
- Requires technological knowledge – unlike other fields, cyber insurance underwriting is very technical in nature. It requires technological knowledge and a deep understanding of the threats, the measures used to prevent damage, the vulnerabilities, and the possible impact, which can include reputational damage, and more.
The task of cyber insurance underwriting is therefore to adequately assess the exposures faced by clients and to determine the extent to which those threats are being mitigated in the risk management process. Once all the information is gathered and the proper due-diligence process is performed, the underwriter can select the appropriate levels of cover to offer the potential client and set the price of the insurance.
Tools used by cyber insurance underwriters
Over the last few years, most underwriters have adopted technological tools that assist them in the underwriting process. These tools allow them not only to evaluate the level of cyber exposure more accurately, but also to improve the quantification and pricing model.
Without getting into the specifics of each tool and how it is used, the underwriting tools are used to perform the following processes:
- Non-invasive Assessment – there are tools that allow non-invasive assessment of the client’s security posture. These tools scan the network and its related domains, subdomains and IP addresses that will be covered by the policy in order to perform a security assessment: for example, port and vulnerability scanning, exposed-credential checks, SSL credential validation, and checks of whether security controls such as a secure email gateway and DDoS protection are implemented. At the end of the assessment process, the tool provides a score from 1 to 100 for the defense level/security posture in place. Since the assessment is not invasive, it can be performed continuously and without the consent of the assessed party; because it only sees what is exposed externally, the score reflects an outside-in view of the posture rather than the internal controls. These assessments also combine web-intelligence tests and scraping to look for information that is available on the web and the dark web and may be useful to potential attackers. The output of such an assessment is a detailed report, which lists the IP addresses and domains that were scanned, the technological scans and tests that were conducted, and their findings.
- Cyber Risk Quantification – these tools are used to evaluate the financial impact of a cyber-attack by considering the company’s characteristics (e.g., size, territories, revenue, security posture level, etc.). Quantification tools provide a holistic view of an organization’s cyber risk profile and an estimate of the potential loss under various scenarios, such as a data breach, ransomware, DDoS, etc. The evaluation includes the “Estimated Aggregated (Max) Loss” and the “Estimated Probable Loss”.
- Benchmarking – benchmarking tools compare the company’s security posture level with that of other, similar companies. These scores allow organizations to measure the effectiveness of their cyber risk management and their cyber insurance policies against the performance of their peers in the same industry, in order to assess whether they need to improve their security posture. These tools also help determine the terms and conditions of the policy by comparing the limits of liability, premiums, coverages, and deductibles of similar companies operating in the same industry.
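The quantification step above is easier to follow with a worked calculation. The following Python is an added example, not the code of any underwriting product: it combines constructed scenarios (data breach, ransomware, DDoS) with a company's revenue and its 1 to 100 posture score to produce the two figures the text names, plus the share of the probable loss that would land on the insurer under a given deductible and limit. The likelihood adjustment, the revenue-based loss sizing and all numbers are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    base_likelihood: float    # assumed annual probability at a neutral posture score of 50
    loss_per_revenue: float   # assumed loss as a fraction of annual revenue
    max_loss_cap: float       # assumed ceiling on the loss for this scenario

@dataclass(frozen=True)
class Company:
    revenue: float
    posture_score: int        # 1..100, as produced by a non-invasive assessment

# Constructed scenario table (illustrative values, not industry statistics).
SCENARIOS = (
    Scenario("data breach", 0.10, 0.05, 5_000_000),
    Scenario("ransomware", 0.08, 0.08, 10_000_000),
    Scenario("ddos", 0.15, 0.01, 1_000_000),
)

def likelihood(s: Scenario, c: Company) -> float:
    # Assumption: a better posture scales likelihood down linearly.
    # Score 50 leaves it unchanged, score 100 halves it, score 0 raises it by half.
    factor = 1.5 - c.posture_score / 100
    return min(1.0, max(0.0, s.base_likelihood * factor))

def scenario_loss(s: Scenario, c: Company) -> float:
    # Loss grows with revenue but is capped per scenario.
    return min(c.revenue * s.loss_per_revenue, s.max_loss_cap)

def estimated_probable_loss(c: Company, scenarios=SCENARIOS) -> float:
    # Expected annual loss: sum over scenarios of likelihood x impact.
    return sum(likelihood(s, c) * scenario_loss(s, c) for s in scenarios)

def estimated_aggregated_max_loss(c: Company, scenarios=SCENARIOS) -> float:
    # Worst case for the policy year: every scenario materialises at full impact.
    return sum(scenario_loss(s, c) for s in scenarios)

def insurer_expected_loss(c: Company, deductible: float, limit: float,
                          scenarios=SCENARIOS) -> float:
    # Portion of the probable loss the policy would pay: above the deductible, up to the limit.
    covered = lambda loss: min(max(loss - deductible, 0.0), limit)
    return sum(likelihood(s, c) * covered(scenario_loss(s, c)) for s in scenarios)

if __name__ == "__main__":
    client = Company(revenue=20_000_000, posture_score=70)
    print("probable loss:", estimated_probable_loss(client))
    print("aggregated max loss:", estimated_aggregated_max_loss(client))
    print("insurer expected loss:", insurer_expected_loss(client, 100_000, 1_000_000))
```

Lowering the deductible or raising the limit moves loss from the client to the insurer, which is the trade-off the underwriter prices when choosing the levels of cover to offer.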
As we’ve seen, although cyber insurance underwriting is a relatively new discipline, the insurance industry is already embracing various tools that assist the underwriter and the broker in assessing, quantifying and benchmarking cyber risks. These technologies have become essential in setting appropriate prices and establishing cyber insurance premiums for clients.