Applying scores to cyber insurance underwriting
Just as credit scores changed the game for risk management, analytics have the potential to change the game in cyber insurance.
Breach insurance premiums are on the rise and expected to grow tenfold over the next decade from $2 billion to $20 billion. The number of underwriters also is growing.
This rapid growth in breach insurance premiums and underwriters comes as large breaches become more frequent and the cost of containment and cleanup continues to rise.
Despite this growth, underwriting remains dependent on intensive expert review. This isn’t scalable or efficient, which has caused the market to recognize the need for quantitative cyber risk assessments for enterprises. This is valuable not just for insurers but for businesses themselves, which tend to have a hazy view of their cybersecurity posture. Consider this: A FICO survey conducted earlier this year with Ovum found that 68% of U.S. firms believe they are better prepared for data breaches than their competitors — which is statistically unlikely, to say the least.
In recent years, new entrants have emerged that provide quantitative cybersecurity risk assessments to enterprises and breach underwriters. These assessments give a snapshot of an enterprise's security posture and gauge the relative strength of its defenses against breaches.
How risk analytics can change a market
To understand the potential benefits of these kinds of analytics, let’s look at a similar tool from another part of financial services: credit scores.
Credit scores were one of the key factors that enabled the explosive growth in consumer credit (and the resulting expansion of payments and e-commerce) in the last 30 years because they were better quantitative tools for understanding risk.
In the 1980s, banks adopted highly effective credit risk scoring algorithms for underwriting new loans, including revolving debt products and credit cards. Shortly after, similar scores were available through credit bureaus, which enabled not only better underwriting but a consistent view of the consumer across lenders.
This improved transparency and risk management, not only in underwriting, but throughout the customer life-cycle as portfolios of credit were traded or acquired through mergers and acquisitions.
The availability of refreshed scores on an ongoing basis (post underwriting) allows banks to continuously monitor for credit quality and persistently keep track of risk at the portfolio level.
Credit scoring allows banks to constantly tweak underwriting criteria to maintain credit quality at a portfolio level, commensurate with their goals and objectives — including their risk appetite. It also allows for risk-based pricing, meaning that consumers pay something closer to what they ought to pay (in terms of rates and fees) based on the risk that they represent to capital.
These tools have contributed useful elasticity to the consumer economy, and serve as a means for banks to regulate portfolio risk post-underwriting as macro-economic conditions change.
Just as credit scores changed the game for risk management, cybersecurity analytics have the potential to change the game in breach insurance underwriting. Emerging technologies will enable quantitative, empirically derived analytics to play a significant role in driving transparency and predictability into both breach insurance underwriting and longer-term portfolio management.
What to look for in cyber scores
New cyber risk products that take an empirical, quantitative approach can establish a measurable, repeatable correlation with long-term breach outcomes. Publicly available information, dark web data, firmographic data and scans of an organization's internet-facing IP addresses can all yield signals that correlate with breach risk.
While many of these indicators are not necessarily breach vectors unto themselves, the correlation between the externally visible characteristics of exposed information technology assets and actual breach events can be empirically derived. It’s fair to think of these data assets in the same way as one would think about the data available at credit bureaus for consumers relative to their credit performance, and it’s useful to think about the resulting ability to correlate these characteristics with breach events as akin to credit scores.
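To make the credit-bureau analogy concrete, here is an added example (not FICO's Enterprise Security Scores or any vendor's method) of how a scorecard is built from externally observable indicators: each indicator gets a weight of evidence estimated from historical outcomes, the weights are summed into a log-odds of "no breach", and the log-odds is rescaled onto a points scale the way consumer credit scorecards are. The indicator names, the twelve training records and the scaling constants (600 points at 30:1 odds, 20 points to double the odds) are all constructed for the illustration, so the learned weights say nothing about real breach statistics.

```python
"""Toy external-indicator scorecard (added illustration, constructed data).

Not FICO's product or any rating company's methodology. The training set is
hand-built for the example; the indicator names are hypothetical and the
weights learned from them are meaningless outside this demo.
"""
import math

# Each record: (externally observed indicators, breached within the window).
# Constructed data, not real breach history.
TRAINING = [
    ({"expired_tls_cert", "exposed_rdp"}, True),
    ({"exposed_rdp", "leaked_credentials"}, True),
    ({"expired_tls_cert"}, False),
    (set(), False),
    ({"leaked_credentials", "expired_tls_cert", "exposed_rdp"}, True),
    ({"spf_missing"}, False),
    ({"spf_missing", "exposed_rdp"}, True),
    (set(), False),
    ({"spf_missing"}, False),
    ({"leaked_credentials"}, True),
    ({"expired_tls_cert", "spf_missing"}, False),
    (set(), False),
]


def fit_scorecard(training, smoothing=0.5):
    """Estimate a weight of evidence for each indicator from labelled outcomes.

    For indicator i: woe_present = ln(P(i present | clean) / P(i present | breached)),
    woe_absent likewise for its absence. Positive values favour "clean", negative
    favour "breached". Additive smoothing keeps an indicator seen in only one
    class from producing ln(0).
    """
    indicators = sorted({i for inds, _ in training for i in inds})
    breached = [inds for inds, y in training if y]
    clean = [inds for inds, y in training if not y]
    woe = {}
    for ind in indicators:
        p_clean = (sum(ind in s for s in clean) + smoothing) / (len(clean) + 2 * smoothing)
        p_bad = (sum(ind in s for s in breached) + smoothing) / (len(breached) + 2 * smoothing)
        woe[ind] = (math.log(p_clean / p_bad), math.log((1 - p_clean) / (1 - p_bad)))
    # Base rate of clean vs breached firms in the training population.
    prior = math.log(len(clean) / len(breached))
    return {"prior_log_odds": prior, "woe": woe}


def log_odds_clean(card, observed):
    """Naive-Bayes style log-odds that a firm with these indicators stays clean."""
    total = card["prior_log_odds"]
    for ind, (present, absent) in card["woe"].items():
        total += present if ind in observed else absent
    return total


def score(card, observed, base=600, base_odds=30, pdo=20):
    """Rescale log-odds onto a points scale: `base` points at `base_odds`:1 odds,
    `pdo` points for every doubling of the odds (standard scorecard scaling)."""
    factor = pdo / math.log(2)
    offset = base - factor * math.log(base_odds)
    return round(offset + factor * log_odds_clean(card, observed))


def auc(card, labelled):
    """Rank-order check: fraction of (clean, breached) pairs where the clean
    firm scores higher. 0.5 is no better than coin-flipping; 1.0 is perfect."""
    bad = [log_odds_clean(card, s) for s, y in labelled if y]
    good = [log_odds_clean(card, s) for s, y in labelled if not y]
    wins = sum(1.0 if g > b else 0.5 if g == b else 0.0 for g in good for b in bad)
    return wins / (len(good) * len(bad))


if __name__ == "__main__":
    card = fit_scorecard(TRAINING)
    for ind, (present, absent) in card["woe"].items():
        print(f"{ind:20s} present {present:+.2f}  absent {absent:+.2f}")
    print("no findings:        ", score(card, set()))
    print("rdp + leaked creds: ", score(card, {"exposed_rdp", "leaked_credentials"}))
    print("in-sample AUC:      ", auc(card, TRAINING))
```

The rank-order check is computed on the same records the card was fitted on, so a high value there proves nothing about predictive power; a rating company would hold out a later period of breach outcomes and measure on that, which is what the "Accuracy and Validation" principle below is asking for. The same functions also show why the "Dispute, Correction and Appeal" principle matters operationally: removing one wrongly attributed indicator from `observed` changes the score by that indicator's full weight, so attribution errors translate directly into pricing errors.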
As with credit scores, standards will be important. As part of our work with the U.S. Chamber of Commerce, we participated in the establishment of some principles for cyber security risk ratings:
- Transparency: Rating companies shall provide sufficient transparency into the methodologies and types of data used to determine their ratings, including information on data origination as requested and when feasible, for customers and rated organizations to understand how ratings are derived.
- Dispute, Correction and Appeal: Rated organizations shall have the right to challenge their rating and provide corrected or clarifying data.
- Accuracy and Validation: Ratings should be empirical, data-driven, or notated as expert opinion.
- Model Governance: Prior to making changes to their methodologies and/or data sets, rating companies shall provide reasonable notice to their customers and clearly communicate how announced changes may impact existing ratings.
- Independence: Commercial agreements, or the lack thereof, with rating companies shall not have direct impact on an organization’s rating.
- Confidentiality: Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected.
Where credit scores have driven broad access to consumer credit to grow our economy, widespread adoption of breach insurance will help protect businesses and consumers from the ill effects of intentional or unintentional data breaches and security incidents. Taking a quantitative approach can transform this into another financial trend integral to economic stability. Luckily, emerging empirical scoring solutions can play a big role in enabling the kind of transparency and predictability required to make such a major shift in business risk management both safe and successful.
As vice president for cybersecurity solutions for FICO, Doug Clare (dougclare@fico.com) leads the company’s product management team for cyber security solutions, including FICO’s Enterprise Security Scores solution for enterprise assessment, vendor management, and breach insurance underwriting.
The opinions expressed here are the author’s own.