Addressing the rising risks in cyber insurance
Review how active scanning and continuous monitoring can improve the loss ratio for cyber insurance.
In recent years, the growing number of high-profile and large-scale cyberattacks — WannaCry, NotPetya, Log4j, ProxyNotShell, to name a few — has underscored the potential for catastrophic events and the resulting financial loss.
In response, businesses have increasingly sought cyber insurance coverage. The number of large- and mid-sized U.S. businesses opting for cyber coverage has grown from about 25% to nearly 50% over the last few reported years, and yet the cost of cyberattacks to U.S. insurers has nearly doubled over the same period.
The dynamic threat environment, the potential for catastrophic loss, and the relative newness of cyber insurance have presented challenges to insurers.
Much of the insurance industry has responded to the increasing frequency, severity and cost of cyberattacks with a traditional approach: implementing coverage and capacity limitations, increasing rates and turning to reinsurers for coverage.
But this approach can be limited in its scope — and may not hold up in the long run. An increasing number of business assets reside in the digital domain. The complexity of securing these intangible assets has increased, and so have the consequences of failing to secure them. And cyberattack trends and techniques continue to evolve with exceptional speed. To proactively confront these challenges, insurers must:
- Practice risk selection informed by the latest cyber security threat landscape.
- Maintain constant awareness of the digital assets they insure.
- Scan continuously for emerging risks.
- Identify vulnerable companies quickly and accurately.
- Proactively help insureds implement updates and security patches as quickly as possible.
Insurers must understand that underwriting a cyber policy without a timely scan of an organization’s security posture is akin to underwriting a property without understanding the property risk.
Many traditional cyber insurance policy processes and applications do not gather important security details such as the software and tools employed by the insured. Additionally, they do not include questions on security posture, often making the mistake of assuming that insureds can and will accurately answer technical questions about their technology and security configurations.
A practice called active scanning can offer an answer to this problem. Rather than relying on organizations to accurately report digital infrastructure, cyber insurance carriers can perform active scans to determine the digital assets and overall security posture of each applicant at the time of underwriting.
This process gives insurers real-time views of a company’s digital assets and vulnerabilities, which enables better risk selection and pricing decisions.
Active scanning, ideally, should be complemented with continuous risk monitoring. Continuous cyber risk monitoring of an organization’s digital infrastructure over the course of the policy period is necessary to keep pace with the ever-changing threat landscape and the technological evolution of companies.
Cyberattack trends and techniques change with exceptional speed, meaning the risk and performance of a given cyber policy can differ drastically not only from year to year but also within a 12-month policy period. Because attackers are as innovative as they are secretive — and because impacted organizations are hesitant to share breach details for liability and reputational reasons — understanding cyberattack techniques requires continuous risk monitoring of the threat landscape.
In an era of fast-evolving cyber risk, insurers should undertake both active scanning and continuous monitoring of insureds and their digital assets — and keep pace with the dynamic cyber threat environment.
Lewis Guignard is director of data science at Guidewire.
Yoshifumi Yamamoto is director of modeling for At-Bay.
Guignard and Yamamoto have also developed a whitepaper on this topic.
Opinions expressed here are the authors’ own.