How to more effectively underwrite cyber, ransomware risk

Cyber insurance has become more expensive and harder to get, yet it's more necessary than ever.

Cyber coverage is determined, in part, by an organization’s overall cyber hygiene. (Axtem/Adobe Stock)

The state of cybersecurity seems bleak.

Despite massive spending worldwide to the tune of $150 billion, according to Gartner, cyberattacks keep occurring.

What’s more, Check Point Software Technologies reports that ransomware attacks — a type of cyberattack that encrypts an organization’s network or locks users out of their devices and requires a ransom before restoring access — doubled last year.

Within the next few years, nearly half of companies worldwide will experience cyberattacks on their software supply chains. And threats like malware and botnets (such as the recent Emotet re-emergence) are wreaking havoc on companies worldwide.

It comes as no surprise that cyber insurance claims are exploding. As companies scramble for coverage, insurers are experiencing significant losses and rethinking their underwriting decisions. The result? Stricter underwriting standards, which take longer to evaluate.

So how do insurers determine which organizations are going to be good insureds? It depends on an organization’s overall cyber hygiene and its ability to respond effectively to new attacks and vulnerabilities. It’s more important than ever to continue writing good and opportunistic risks, while not overcorrecting for the high loss ratios the industry is seeing.

This raises two critical questions: What is good cyber hygiene, and how do you measure it?

The link between ransomware & cyber insurance

Before unpacking cyber hygiene, first consider how ransomware is impacting the cyber insurance landscape. Traditional insurance, such as auto or home insurance, provides coverage for high impact, low frequency events. This type of insurance covers events that likely won’t happen, but could be very costly if they did. Organizations transfer these risks to insurers because it’s impractical to mitigate or avoid them.

With the explosion of ransomware, companies suddenly experience high impact and high frequency incidents, making cyber insurance more expensive and harder to get, yet more necessary than ever.

“Ransomware has been a threat for a long time,” says Stephen Boyer, co-founder and CTO of BitSight. “Five years ago, we published an article to draw attention to the problem, and we’ve only continued to see this type of threat increase. Nowadays, attackers use cryptocurrencies to monetize ransomware in a way that’s easier to get payment and avoid tracking. Plus, the rapid speed of digital transformation in the last few years means that the attack surface has never been bigger.”

Cyber insurance carriers need to maintain the right balance in their policies by offering valuable coverage that pays claims when covered losses occur, while being careful not to encourage risky behavior with overly broad policy coverage. The underwriter has to determine which organizations are doing enough to prevent frequent claims in order to be eligible for the specific coverage they have to offer.

Most notably, frequent ransomware claims drive a lot of the chaos in the cyber insurance market. Ransomware usually exploits common, known vulnerabilities in insecure services and software. A strong cybersecurity program includes activities like managing vulnerabilities, protecting endpoints, and monitoring the effectiveness of security controls so that they can be improved over time. From an insurer’s perspective, knowing if a company can effectively perform these functions is a good way to start understanding their cyber hygiene.

What is (good) cyber hygiene?

Cyber hygiene is a set of essential practices and tasks a company uses to keep systems, data, and users secure. Through regular assessments, improvements, patching, control implementation and secure configuration, strong cyber hygiene enhances overall cybersecurity. Regular processes like these give companies insight to determine whether their security controls work effectively as well as ways to improve them over time.

Good cyber hygiene significantly lowers the chance of ransomware and other cyberattacks.

“I encourage underwriters to focus on the concept of cyber maturity, not just cyber controls, so that security information can be inferred quickly when underwriting particularly complex organizations,” Boyer says. “For example, asking an organization to explain their process for identifying and remediating new vulnerabilities provides a slew of insights, and gives the underwriter a sense of how they would handle zero-day vulnerabilities in the future. Asking intelligent questions guides the understanding of a company’s cyber maturity, and in turn, their cyber hygiene.”

Effective cyber hygiene begins with an understanding of best practices for improving security and reducing risk, such as those identified in the NIST Cybersecurity Framework or another cybersecurity standard or framework.

By mapping existing security practices to a framework, security teams can evaluate their current level of cyber hygiene and take steps to improve it. Organizations must continuously monitor their efforts on each of these tasks and alert security teams to lapses in best practices.

How to measure an applicant’s cyber hygiene

Despite the significant increase in cyber insurance premiums, there are still organizations that lean on their cyber policy in lieu of making larger investments in new and more effective security controls. Part of an underwriter’s job is to identify these cases and avoid insuring them.

A strong candidate for cyber insurance is typically an organization that:

A strong candidate for cyber insurance is an organization that performs these tasks and then seeks insurance for risks that are unlikely to materialize (yet would be devastating if they did). Once that has occurred, underwriters can perform a more in-depth discovery so that the risk is qualitatively and quantitatively evaluated against specific underwriting criteria.

The most common quantitative method to measure cyber hygiene is with a cybersecurity ratings tool. Modern IT environments are complex, and it’s hard to make and understand claims about cybersecurity. Cybersecurity ratings solutions help underwriters verify the accuracy of the information they receive from applicants with an unbiased view of a cybersecurity program.

The best indicator for future performance is past performance. Underwriters can derive this from cybersecurity ratings because they are based on historical cybersecurity performance. Think of a security rating like a credit rating — if someone missed a payment by the due date, their credit score might be impacted and then need time to recover. When it comes to cyber insurance, the same principles should apply so that applicants are incentivized to maintain strong cybersecurity throughout the policy period. Without that incentive, some insureds might treat cybersecurity as a once-a-year exercise, leaving insureds vulnerable throughout the policy period and their carriers on the hook for claims.

Aside from a quantitative cybersecurity rating, consider analyzing other findings like expired certificates and patching cadence. While they may not seem like significant risks, research shows that these findings are strongly correlated with ransomware attacks. Certificate management is a simple, routine IT task for most organizations; therefore, a history of expired certificates demonstrates low cyber maturity overall. From that, an underwriter can infer that other, more critical cybersecurity practices are lacking too. And that means that cyber criminals may have more opportunities to identify and exploit vulnerabilities.
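The two findings named above, expired certificates and patching cadence, are both measurable from an asset inventory. The following is an added example written for this article, not code from BitSight or from any ratings product: it evaluates a constructed inventory of hypothetical hosts (the `.test` names and dates are made up) against assumed thresholds (a 30-day expiry warning window and a 30-day patch SLA) and produces the kind of hygiene findings an underwriter or a security team could act on.

```python
from datetime import date
from statistics import median

# Reference date for the assessment (constructed).
AS_OF = date(2023, 3, 1)

# Constructed sample inventory: hostname, certificate not-after date, and
# (patch_published, patch_applied) date pairs; None means never applied.
SAMPLE_INVENTORY = [
    {"host": "www.example.test", "cert_not_after": date(2023, 6, 15),
     "patches": [(date(2023, 1, 10), date(2023, 1, 17)),
                 (date(2023, 2, 1), date(2023, 2, 9))]},
    {"host": "mail.example.test", "cert_not_after": date(2022, 11, 30),  # already expired
     "patches": [(date(2023, 1, 10), None)]},                           # still unpatched
    {"host": "vpn.example.test", "cert_not_after": date(2023, 3, 20),   # expires within 30 days
     "patches": [(date(2022, 12, 5), date(2023, 2, 20))]},
]

# Assumed thresholds (hypothetical; tune to the program's own policy).
EXPIRY_WARNING_DAYS = 30
PATCH_SLA_DAYS = 30


def certificate_findings(inventory, as_of=AS_OF, warn_days=EXPIRY_WARNING_DAYS):
    """Return (expired_hosts, expiring_soon_hosts) from certificate not-after dates."""
    expired, expiring_soon = [], []
    for item in inventory:
        days_left = (item["cert_not_after"] - as_of).days
        if days_left < 0:
            expired.append(item["host"])
        elif days_left <= warn_days:
            expiring_soon.append(item["host"])
    return expired, expiring_soon


def patch_latencies(inventory, as_of=AS_OF):
    """Days from patch publication to application.

    A patch that has not been applied is still open, so its latency is
    counted up to the assessment date rather than being ignored.
    """
    latencies = []
    for item in inventory:
        for published, applied in item["patches"]:
            end = applied if applied is not None else as_of
            latencies.append((end - published).days)
    return latencies


def patching_cadence(inventory, as_of=AS_OF, sla_days=PATCH_SLA_DAYS):
    """Summarise cadence: median latency, patches over SLA, patches never applied."""
    latencies = patch_latencies(inventory, as_of)
    unapplied = sum(1 for item in inventory
                    for _, applied in item["patches"] if applied is None)
    return {
        "median_days": median(latencies) if latencies else None,
        "over_sla": sum(1 for d in latencies if d > sla_days),
        "unapplied": unapplied,
    }


def hygiene_report(inventory, as_of=AS_OF):
    """Combine certificate and patching checks into a list of plain findings."""
    expired, soon = certificate_findings(inventory, as_of)
    cadence = patching_cadence(inventory, as_of)
    findings = []
    if expired:
        findings.append("expired certificates: " + ", ".join(expired))
    if soon:
        findings.append("certificates expiring within %d days: %s"
                        % (EXPIRY_WARNING_DAYS, ", ".join(soon)))
    if cadence["unapplied"]:
        findings.append("%d published patch(es) never applied" % cadence["unapplied"])
    if cadence["over_sla"]:
        findings.append("%d patch(es) applied later than the %d-day SLA"
                        % (cadence["over_sla"], PATCH_SLA_DAYS))
    return {"certificates": {"expired": expired, "expiring_soon": soon},
            "patching": cadence, "findings": findings}


if __name__ == "__main__":
    for line in hygiene_report(SAMPLE_INVENTORY)["findings"]:
        print("-", line)
```

Counting an unapplied patch as open until the assessment date is the deliberate design choice here: dropping it would make the median look better precisely for the hosts that matter most, which is the opposite of what a cadence metric should do.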

No organization is immune from determined cyber criminals, just like how no homeowner can ever be immune to severe weather damage to their home. But, there are best practices for minimizing the likelihood of being victimized, chief among them being a relentless focus on cyber hygiene — the practice of ensuring that the organization is performing effectively every day.

When an insurer identifies poor hygiene in one area, no matter how small it may seem, it almost certainly means that the organization lacks adequate controls in other areas as well. It’s not about looking at cyber controls on their own. It’s about looking at what they infer about an insured’s cyber maturity.

The carrier’s role in loss control

As insurance carriers continue to develop methods to limit losses that drive loss ratios to uncomfortable levels, it’s important to look within. Carriers have an opportunity to support their insureds to limit losses through the policy period. Because cyber insurance is now a business requirement, some small-to-medium businesses simply struggle to create and maintain security programs that meet strict underwriting requirements.

To help, some carriers may pay outside firms for mentoring services. In other cases, carriers and managing general agents (MGAs) use cyber ratings tools to monitor their insureds for vulnerabilities. In some cases, they may even provide remediation support. Lowering the portfolio’s loss ratio by even a single digit can be well worth the investment for these loss control services.

Providing valuable cyber insurance policies

Cyberattacks and ransomware will only continue to ravage companies worldwide. To stay viable in an increasingly high-tech, connected landscape, the cyber insurance industry needs a strategy to respond quickly to this risk landscape and provide valuable cyber policies that protect against these risks. By combining these insights with the way that end-users are leveraging cybersecurity products to support their cyber hygiene workflows, insurance carriers can provide more risk mitigation services alongside the cyber ratings tools they use to underwrite accounts.

Aaron Aanenson

Aaron Aanenson (aaron.aanenson@bitsight.com) is senior director of Cyber Insurance Thought Leader at BitSight, which provides trusted data and insights that enable risk-based decision-making for insurers, investors, enterprises and governments.
