Cyber Insurance

Gallagher Re's Scanning the Horizon

Eric Cisternelli — Wed, 16 Oct 2024 19:21:07 +0000

Gallagher Re's Scanning the Horizon Eric Cisternelli Wed, 10/16/2024 - 15:21

How broadening our use of cybersecurity data can help insurers

Gallagher Re’s 2024 cyber claims correlation study, developed with Bitsight’s data, explores how external cybersecurity scanning data can enhance underwriting accuracy for the (re)insurance industry. By examining over 62,000 companies and 589 million IP addresses, Gallagher Re compares companies’ security controls with actual insurance claims. This study identifies key predictive factors, including IP address count and patching cadence, that help forecast claims. It also introduces Single Point of Failure (SPoF) data, which highlights dependencies on third-party services like AWS and VPNs.

Key insights from Gallagher Re’s 2024 cyber claims correlation study include:

External scanning data can reduce loss ratios by up to 16.4%.
IP address count is a strong predictor of cyber claims, offering valuable insight into company risk profiles.
Patching cadence, or the speed at which vulnerabilities are fixed, remains a critical factor in predicting losses.
And more!

Download the study for the full findings.

Off

Gallagher Re_Scanning the Horizon-How broadening our use of cybersecurity data can help insurers.pdf

Research

Cyber Insurance

Hide Resource from Lists?

Off

Button Text

Get Free Copy

New?

YES

As Cyber Insurance Claims Soar, Businesses Need to Demonstrate a Standard of Care

admin_bitsight — Sun, 17 Dec 2023 13:30:00 +0000

As Cyber Insurance Claims Soar, Businesses Need to Demonstrate a Standard of Care admin_bitsight Sun, 12/17/2023 - 08:30

Hardly a day goes by without the emergence of a disturbing new trend in cyber crime or headline-grabbing hack. Hackers are getting smarter and threat vectors are constantly evolving. The escalating threat is forcing businesses to file more cyber insurance claims than ever. But are they taking the proactive steps necessary to boost their security postures and become a better underwriting risk?

Cyber insurance claims double

According to a new study by AIG, claims frequency has spiked significantly. In 2018, there were as many cyber insurance claims as the previous two years combined, with business email compromise (BEC) overtaking ransomware as the primary claim.

Clearly, cyber insurance is fast becoming a “must-have” for any organization. However, because cyber incidents are becoming more complex and costly for insurers to investigate, companies are under increasing pressure to demonstrate a high standard of care when it comes to their security and third party management programs.

Insurers are careful to provide coverage to a business that is not aware of its own cyber security risk posture. Therefore, in seeking cyber insurance or filing a claim, companies must demonstrate that they are doing everything they can to protect themselves from attacks.

Here are some tactics that businesses can take to gain the trust of underwriters and protect themselves from the rising cost of cyber crime.

Adopt a hackers viewpoint

Organizations must work towards a greater understanding of how hackers see their network, including its systems, high-value targets, and vulnerabilities. By thinking like a cybercriminal and seeing what they see, organizations can better anticipate attacks before they occur.

To adopt this viewpoint, organizations must be more vigilant in visualizing and quantifying the performance of their cybersecurity program. With a better understanding of how their security apparatus is performing, organizations can also demonstrate a standard of care to their insurer which is beneficial in the event of a breach or compromise.

Be diligent with vendor selection

Currently, 59% of breaches originate with third-party vendors. Yet, organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains because they lack transparency into the security posture of these partners. This blindspot of their enterprise security risk can cause them to fail to secure the right level and type of insurance coverage.

How Bitsight Helps You Get Cyber Insurance Coverage

The average cost of a ransomware attack is $1.85 million and 22 days to recover. If you’re looking for cyber insurance coverage to protect yourself, download our ebook to learn how to strengthen your cybersecurity program to influence coverage.

Download eBook

Rather than be handicapped by their inability to identify risky vendors and potential third-party vulnerabilities, organizations can use security ratings to quickly identify risk in their digital supply chain and help put procedures in place to protect their organization from an attack and demonstrate due diligence to insurers.

Turn the C-suite’s gaze beyond the headlines

In a dynamic threat environment, it’s all too easy for the C-suite and Board of Directors to get distracted by the latest headlines and steer resources in a reactive manner. But risks are always changing - today it’s phishing scams, but tomorrow it may be something else. Executives can’t afford to lose sight of the long term threat picture, or else risk a significant hit to their organizations’ reputations or heavy fines.

CISOs must look beyond the four walls of the SOC and build bridges with other stakeholders, including the CEO, CTO, and legal counsel, to clearly and succinctly articulate how cybersecurity impacts their organization and the value and limits of their cyber insurance program. Simultaneously, CISOs can’t be insulated, either; they must be continually vigilant about potential risks that may fall outside of their purview.

Don’t turn insurance into a catch-all

Cyber insurance has become a necessary component of doing business, but it can’t be a catch-all. Companies still need to be proactive in their approach to security, less insurance fails to adequately cover their risk exposure. Organizations must show the insurers that they’re serious about security by implementing a prolonged and proactive approach to risk management.

What is Cyber Insurance Underwriting?

rachel.holmes@bitsight.com — Fri, 15 Dec 2023 09:30:00 +0000

What is Cyber Insurance Underwriting? rachel.holmes@… Fri, 12/15/2023 - 04:30

Cyber insurance underwriting is a process that insurance companies rely on to assess client risk, evaluate exposure, and model losses, such as the cost to recover from a data breach, ransomware attack, or other malicious cyber activity.

Due to a rise in claims (many of them stemming from the surge in ransomware), the underwriting process has changed significantly in recent years. As a result, insurers are revisiting their policies and enhancing their risk assessment processes.

If you’re getting ready to purchase cyber insurance or renew an existing policy, here’s how you can secure the right coverage.

Why Your Organization Needs Cyber Insurance

Every organization is vulnerable to a cyber attack. If you become a victim, cyber insurance can cover the cost your business may incur as result of the incident. Cyber insurance typically covers a common set of scenarios and impacts, including:

Data loss
Business interruption
Lost profits
Extortion and ransom payments
Fines and penalties imposed by regulators
Reputation management
Credit and identity monitoring services for those impacted by a breach

Cyber insurance can also support and defend your organization from any legal liability arising from those affected by the incident, such as customers, employees, vendors, and business partners.

How Cyber Insurance Underwriting Has Evolved

As cyber attacks have become more commonplace and the frequency of claims has grown, the process of cyber insurance underwriting has evolved significantly.

To reduce risk and potential losses, insurers are becoming more diligent about risk assessment during the application process and throughout the life of the policy. They want to know what measures your organization is taking to protect against cyber attacks and mitigate their impact—and they are turning to technology for answers.

In addition to relying on traditional methods such as risk assessment questionnaires, which are often subjective and hard to verify, today’s sophisticated underwriting technology can shine a light on your security posture in a non-invasive and data-driven way. These tools can help underwriters evaluate the financial impact of a cyber attack on your business, compare your security performance to others in your sector, and assess cyber risk in your supply chain.

Once a policy is secured, insurers can continuously monitor your organization's cybersecurity health and keep a pulse on emerging risk throughout the period of coverage.

What Risks Do Cyber Insurance Underwriters Look For?

Many hackers rely on network and system vulnerabilities such as open ports, unpatched software, and misconfigured systems for their attacks. Insurers want to know that your organization is taking steps to understand and act on these risks. A failure to do so may result in a higher premium or declined coverage.

Other elements of a mature and established security management program that underwriters look for are a robust data management strategy, multi-factor authentication, network segmentation, and endpoint protection.

To ensure you can procure the right policy at the right cost, use a tool like Bitsight Security Ratings. Bitsight provides a complete view of hidden risk in your network and across your integrated supply chain, so that you can remediate it before it becomes an issue and help reduce potential cyber risk insurance claims in the future. Additionally, 50% of global cyber insurance gross written premiums are underwritten by Bitsight customers including AIG, Chubb, and Hartford.

Prepare For Your Cyber Insurance Application

When applying for cyber insurance or renewing a policy, preparation can ensure the best outcome. Engage multiple teams including security, IT, compliance, and legal—each has a role to play in providing timely input.

Next, begin gathering the information that potential insurance companies will need. Your list should include relevant data points that prove your organization’s commitment to sound cybersecurity.

Bitsight Security Ratings are a great way to prove your digital risk protection efforts to a cyber risk insurance provider. Presenting an external, objective view of your network’s cybersecurity posture will give your potential insurance provider a trusted view into what your organization does to protect from threats, and will make securing a cyber risk insurance policy smoother.

Ensure Your Policy Covers Relevant Risks

Before you sign on the dotted line, study your insurer’s contractual wording to avoid any misunderstanding of what is covered and what’s excluded. For example, if your organization is hit by ransomware and chooses to pay the ransom, verify that your organization is protected against those financial losses. Another common exclusion are state-sponsored cyber-attacks. If you’re in a high-risk sector, such as critical infrastructure, technology, or finance, this form of coverage is crucial.

Read more about cyber insurance, what is and isn’t covered, and other things to look for in an insurer.

Cyber Insurance FAQs

What Is Cyber Insurance?

Cyber insurance is a policy intended to protect businesses from financial loss associated with a breach of privacy, breach of network security, network interruption, systems failure, or cyber extortion. Cyber losses are typically excluded from — or remain “silent” within (meaning that they are neither specifically granted nor specifically excluded) — traditional property and casualty insurance policies.

What does Cyber Insurance cover?

Coverage provided in a cyber insurance policy may include both first party expense coverage and third party liability coverage.

First Party – Expenses

Services: Computer forensics, legal, PR, breach notification, and credit monitoring expenses
Ransom demands
Data restoration expenses
Extra expenses incurred to run the business during a network interruption or systems failure (direct or contingent)
Revenue loss arising out of a network interruption or systems failure (direct or contingent)

Third Party – Liability

Fines and penalties
Defense costs, judgements, or settlements (class actions)

Who Needs Cyber Insurance?

Glass Doors Make Everyone More Secure

Eric Cisternelli — Wed, 22 Nov 2023 16:35:40 +0000

Glass Doors Make Everyone More Secure Eric Cisternelli Wed, 11/22/2023 - 11:35

No company is an island anymore, and enterprises typically have hundreds and even thousands of vendors. To complicate the matrix of interconnectivity, most companies are themselves within the supply chain, or at a minimum, clients for businesses, including cyber insurers. Organizations struggle to understand the risks within their supply chain because of a lack of transparency beyond their own organization, and often don’t have a good sense of their own security posture or the effectiveness of their controls.

Download this webinar and watch Chris Poulin, Director of Technology and Strategy and Deputy CTO at Bitsight, share how to:

Assess the security program and controls of your vendors using observable data;
Manage your cybersecurity reputation as a competitive advantage;
Right-size your insurance limits and premiums.

701Hn000001GHd6IAG

Webinars

Third Party Risk Management

Vendor Risk Management

Cyber Insurance

Hide Resource from Lists?

Off

First Name

Last Name

Phone

Company Email

Company Name

Job Title

Country

State

Province

We will use your information to communicate with you about this contact form and other solutions and related resources that may be of interest to you. You may unsubscribe at any time. For more information, please see our Privacy Policy.

Button Text

Watch Webinar

These 14 cybersecurity analytics can help you make better cyber insurance decisions

Eric Cisternelli — Sat, 14 Oct 2023 13:00:00 +0000

These 14 cybersecurity analytics can help you make better cyber insurance decisions Eric Cisternelli Sat, 10/14/2023 - 09:00

Cybersecurity continues to be a top risk for business and government leaders worldwide. In addition to reputational damage and lost business, the direct financial costs of a cyber incident continue to rise. Ransomware payment costs are up nearly 10% from the first quarter of 2022; and in 2021, U.S. banks processed roughly $1.2 billion in ransomware payments. The rising cost and likelihood of experiencing a cybersecurity incident has made cyber insurance a popular option for organizations seeking risk transfer solutions.

Cyber insurance decisions should be supported by trusted, objective data, but this has been far from the status quo:

Security professionals have historically relied on cumbersome and lengthy cybersecurity frameworks to improve insurability
Insurers have struggled to ascertain and analyze unbiased, trusted, and objective datasets to help inform loss models and pricing decisions
Brokers need reliable statistics to help clients make the best decisions regarding pricing, scope, and terms

More than ever before, the market needs a set of trusted cybersecurity analytics on which to focus.

A new independent study by the world’s largest insurance broker, Marsh McLennan, found 14 Bitsight analytics to be significantly correlated with cybersecurity incidents, helping organizations prioritize initiatives to measurably reduce the risk of an incident. These cybersecurity analytics fill an important gap in the market, allowing cyber insurers, insureds, and brokers to make decisions more closely tied to tangible outcomes.

To dive deeper into the analysis and what it means for the cyber insurance industry, Bitsight’s Aaron Aanenson, senior director of cyber insurance thought leadership, sat down for an interview with Noah Stone, senior manager of thought leadership.

Stone: Aaron, I’m excited to discuss this important research with you. To kick us off, what’s the purpose of this study and how did Marsh McLennan’s Cyber Risk Analytics Center (Marsh McLennan) approach the logic behind it?

Aanenson: The primary objective of this study was to further enhance the value of Bitsight’s cyber risk data for both the cyber insurance community and the broader cybersecurity industry. First, this enables cyber insurance underwriters to more easily synthesize the significant amount of risk data they analyze when they underwrite accounts. Second, it empowers cybersecurity leaders and risk managers to have clear data to articulate and support their cybersecurity risk strategies and budgets.

The study makes this possible by correlating likelihood of breach with performance in the cybersecurity risk areas that Bitsight measures, thereby allowing leaders to prioritize which areas of cybersecurity should be optimized for the greatest return on investment.

Insurance customers are interested in this study for these purposes, especially in the current cyber insurance environment where cyber coverage is increasingly challenging to obtain and maintain at a cost that makes sense for risk transfer strategies. Marsh McLennan independently conducted this study by comparing Bitsight’s risk vector ratings and the topline Bitsight Security Rating to their proprietary exposure and loss database. Then, using a statistical technique called “rank biserial correlation,” they quantified the relationship between Bitsight analytics and their loss data to produce the output you see in our report.

Stone: What exactly did Marsh McLennan find in their independent analysis, and why do you think it’s relevant to the cyber insurance industry?

Aanenson: Marsh McLennan found a significant correlation between 14 Bitsight analytics (13 risk vectors and the Bitsight Security Rating) and cybersecurity incidents. This data is incredibly valuable for cyber insurers because it provides objective data that the industry currently lacks. Other lines of insurance rely on decades, if not centuries, of historical risk data to make fairly reliable predictions for the future.

Cyber insurance faces unique challenges because most cyber incident data is kept private. And, the short history of claims data available to carriers demonstrates that the cyber claims of the past are drastically different from the cyber claims we see today. Since cyber threats change so quickly, we don’t necessarily need decades of claims data to inform underwriting decisions but the underwriting still needs to rely on current, reliable datasets that can be tied to losses in order to produce a viable and valuable insurance product.

Overall, this data enhances confidence in the predictability of losses which is critical to support the capacity of providers, underpinning the ability of insurance carriers to issue cyber insurance coverage.

How Bitsight Helps You Get Cyber Insurance Coverage

Download eBook

Stone: Predictability is definitely an important element here, especially when so many cyber claims datasets skew towards geographic, sector, size, and other biases. How can cyber insurers utilize the data in their day-to-day business building activities?

Aanenson: When underwriting cyber insurance coverage, underwriters are significantly challenged by the sheer amount of data to analyze, which spans areas like the application, a plethora of cyber risk information, prior claims, peer analyses, and industry trends. Using the information in this study, underwriters can save time and make better decisions by:

Prioritizing accounts having higher Bitsight ratings and creating underwriting criteria based on those falling into certain segments (e.g. those with high ratings have less underwriting requirements; those in the middle have more; and those with low ratings maybe aren’t quoted or are non-renewed).
Focusing underwriting decisions on the Bitsight risk vectors that are most highly correlated to breach.
Providing transparent feedback to insureds interested in improving their cyber insurance outcomes by focusing on the Bitsight risk vectors that are most significantly affecting their Bitsight rating.

Stone: How do you envision the cyber insurance landscape changing as a result of this research?

Aanenson: To me, the data is so strong that it seems possible to automate part of the cyber insurance underwriting process. Automation is critical for cyber carriers looking to insure SMEs, which represent the largest portion of the market with the most opportunity right now. In many cases, this segment can’t be insured profitably if the underwriting process isn’t automated in some fashion.

For larger risks, this data can be used to make better underwriting decisions faster, which can lead to better use of underwriters’ time and better hit ratios in an increasingly competitive industry.

And overall, with even greater confidence in the cyber risk data that Bitsight provides, we will be fulfilling our company’s mission, which is to make the digital economy a safer place for all of us. This research helps us get there by identifying cyber risk where we can, and integrating that data into tangible outcomes that produce informed and effective cybersecurity investments.

Stone: How do you think security professionals and organizations should leverage this analysis? Why does it help them?

Aanenson: One of the most challenging parts of being a cybersecurity leader is articulating to a non-technical leadership team why certain security investments are needed to avoid an uncertain outcome. This study helps close the uncertainty gap by showing clear correlations between cybersecurity performance across key Bitsight risk vectors and the likelihood of experiencing an incident. This should help cybersecurity leaders and risk managers better convey this information so security budgets are optimized for the best and most tangible outcomes. Additionally, when organizations monitor how their investments have impacted their Bitsight rating over time, it will allow them to articulate a critical metric that drives budgeting decisions – return on investment.

To learn more about the 14 cybersecurity analytics most correlated with incidents, please download the report now.

Cyber Insurance Underwriting: What Role Do Security Ratings Play?

admin_bitsight — Fri, 06 Oct 2023 16:36:39 +0000

Cyber Insurance Underwriting: What Role Do Security Ratings Play? admin_bitsight Fri, 10/06/2023 - 12:36

If you’re involved in the cyber insurance underwriting process—from the transaction to the ongoing operations—you’re constantly looking for things to help you (and your team) select better risks. Here are three specific ways Bitsight’s Security Ratings platform can play an integral role in the underwriting process.

Cyber Insurance Underwriting: What Role Do Security Ratings Play?

1. Gaining Insight Into The Transaction

The first step in the cyber insurance underwriting process is the insurance application. It includes questions regarding security posture that virtually every carrier wants to learn more about. For example, if the applicant is looking for business continuity or business interruption coverage, you would focus your coverage-specific questions around disaster recovery procedures, how long it takes the applicant to get back online, business continuity management, and more.

Security Ratings make it easy for underwriters to map the answers to these security posture questions to risk vectors defined by Bitsight. This way, you not only have the customer’s perspective on a topic, but you also have an objective. This can help you determine if there are any deviations or gaps between what the customer says and what Security Ratings tell you—and if there is, you can dig deeper into that particular part of the application.

How Bitsight Helps You Get Cyber Insurance Coverage

Download eBook

2. Benchmarking Against Your Portfolio For Risk Context

A major issue with applications and questionnaires is that responses are generally the same across all applicants, making it difficult to distinguish a high-risk from a lower-risk applicant.

Security Ratings offer an objective way to benchmark applicants against your existing customers with similar attributes or demographic. For example, if a $10 million law firm headquartered in New York applies for cyber insurance through your organization, you can pull all the other organizations of a similar size and scope from your portfolio. This information will provide you the context you need to ask the applicant additional questions and price them accordingly.

3. Modeling & Risk Aggregation Strategy

Understanding how adding an applicant impacts vendor dependency risk across your larger portfolio is critical—and Security Ratings can help with this.

For example, if you have 100 customers using a certain DNS provider, and an applicant that also uses that provider comes to you looking for business continuity coverage, you can use Security Ratings to immediately verify that they’re also using that third-party DNS provider. If so, underwriting this applicant would mean that you’d have 101 customers using the same DNS provider—and you’d need to determine what this meant to you. Depending on the common vendor dependency risk you’re willing to take, you may or may not offer coverage. If you do offer it, you may change the limit, ask additional questions about vendor policies, increase the applicant’s retention, or change the applicant’s waiting period. Regardless, without insight from Security Ratings, it’s far more difficult to ensure your aggregate risk levels are at a level you’re comfortable with.

In Summary

It’s clear Security Ratings make an impact in a number of critical areas for cyber insurance underwriting—and we can’t forget about how Security Ratings make an impact from an operational perspective!

If you get the opportunity to write excess coverage, but you don’t know the level, Security Ratings can help steer you closer to writing the primary coverage. Bitsight also gives you this information in real time so you don’t have to wait to make a decision until an applicant finishes their questionnaire or an applicant’s broker sends you their responses.

Looking for more information on how Security Ratings could impact your cyber insurance underwriting risk? Download this on-demand webinar to learn exactly how the underwriting process has developed over the years, hear experts discuss the current trends in the industry, and find out the latest tools carriers are adopting to better assess a corporation’s cyber preparedness.

What You Are and Aren’t Responsible for Under Cyber Risk Insurance

admin_bitsight — Sat, 30 Sep 2023 17:45:53 +0000

What You Are and Aren’t Responsible for Under Cyber Risk Insurance admin_bitsight Sat, 09/30/2023 - 13:45

It’s not hard to justify why you need property insurance when you’re surrounded by your physical goods that you don’t want to be lost or damaged in your home or business. So why isn’t cybersecurity the same?

Cyber risk insurance is often not considered until it’s too late. Imagine you’ve discovered malicious software present on your network, like a ransomware attack on employee information or a backdoor breach through a third-party access point. Without cyber risk insurance, your organization is solely responsible for all of the resources and monetary needs to remediate your systems and respond to the attack.

Definitely not ideal for any organization dealing with growing attack surfaces and increasingly sophisticated recent hacking attempts.

What is cyber risk insurance?

Cyber risk insurance protects an organization from security & privacy events by covering the cost to recover from a data breach, virus, or other form of malicious cybersecurity activity. Besides aiding your organization in your own recovery, cyber insurance is also important to support and defend your organization from legal liability from those affected by the breach. This could potentially come from customers, employees, partners, third parties, and anyone connected to your network who is affected and potentially had their data exposed.

Coverage Explained

It’s important to match your expectations with reality when deciding on cyber insurance for your organization. Where are the risks most prominent on your network, and who could be impacted by a breach?

In short, every organization is vulnerable to a cyber incident, and even if the data you store on your network isn’t particularly desirable to hackers, it is likely that sensitive data may reside with your third party providers.

Like other insurance coverages, cyber risk insurance covers a common set of scenarios, but there are situations where an organization can still be exposed. Most insurers offer similar coverage options, however a few offer less-common ones. Here is a breakdown of what is covered, and not covered, with cyber risk insurance:

When you can expect coverage

Data breach or Distributed Denial of Service (DDOS) attack that brings down your network
Malware infection that spreads through devices connected to your network, making it impossible to operate
Extortion demands made by bad actors holding sensitive information they are threatening to expose
Ransomware demands that lock up devices and threaten to leak sensitive data
Business-email compromise resulting in sharing sensitive information
Liabilities associated with contractual obligations, including within the payment card industry (PCI) Fines & Penalties
Defending against class-action lawsuits and paying settlements
Legal expenses, fines, and penalties associated with regulatory investigations
Lost business profits, accrued expenses, and extra costs while actively experiencing a cyber incident, either due to malicious hack or human error
Media liability associated with infringement and other content that is electronically disseminated
Losses due to social engineering fraud tricking you or your employees into sending funds you shouldn’t have
The business profit lost due to reputational damage to your brand soon following a publicized cyber attack

For many of the scenarios above, these can also be triggered by trusted third-party vendors whom you are sharing data with and/or rely on for critical business operations.

When you aren’t covered

When physical company property is damaged or destroyed, even if it holds sensitive data
The lost value to an organization due to theft of intellectual property
The loss of potential future company profits

Beyond covering first and third-party costs associated with the above scenarios, cyber insurers also offer customers a vetted list of providers they can work with. These providers can be: pre-breach - like Bitsight - to help organizations better understand their security posture and prepare themselves to be more resilient to a cyber event; post-breach providers like a legal firm who acts as a “breach coach” helping clients navigate through an event; forensic service providers, public relations companies, and more. You should try to align yourself with an insurer that has both a comprehensive set of coverages they provide and also a panel of expert vendors you can work with to prepare, prevent and protect yourself from a cyber event.

Like other types of insurance, cyber risk insurance often requires organizations to prove they are taking some sort of action to protect their network against threat actors. If an organization doesn’t protect their network at all, they might not be approved for insurance, or be charged a high rate, similar to how if someone has a riskier health behavior like smoking they might be given a higher health-insurance monthly cost.

Bitsight Security Ratings are a great way to prove your cybersecurity protection efforts to a cyber risk insurance provider. Presenting an objective view of your network’s cybersecurity posture will give your potential insurance provider a trusted view into what your organization does to protect from threats, and will make securing a cyber risk insurance policy smoother.

Real examples happening around us

There are countless real-world cyber incident examples where organizations have suffered financial, reputational, and operational losses due to a seemingly small vulnerability. Just look at the recent Microsoft Exchange Hafnium breach that affected thousands of organizations around the world.

Organizations trusting their sensitive email conversations and contact information stored in the Exchange servers were left scrambling to update their devices and patch their systems from a vulnerability that occurred on a seemingly cybersecurity-focused corporation like Microsoft.

You can’t ignore the possibility of a compromise to your network any longer. With large, well-funded, global organizations being targeted by malicious actors, it is less of a “if” a cyber incident will occur and more shifting to a “when”. Organizations rely on cloud management services to facilitate company operations and stay competitive in their industry. Preventing attacks to your network is now becoming just as vital to organization success, as well as not letting an attack completely drain your organization’s funds.

Insurance that you can trust

Even if you have a mature, established security management system, your network is subject to the performance of your vendors’ cybersecurity management practices as well. Gaining full visibility in the threats on your network, including your vendor risk landscape, will help prepare you for the level of cyber risk insurance you need. Accurate data on your vendor risks can also help you stay informed if your vendors are meeting their cybersecurity requirements potentially listed out in your contract, or in a recent audit.

Bitsight Security Ratings provide an external view of the risks to your network, as well as third parties and partners with integrated systems. Utilizing security ratings to get a complete view of your network now can help reduce potential cyber risk insurance claims in the future.

How Bitsight Helps You Get Cyber Insurance Coverage

Download eBook

Underwriting Cyber Risk Part 2: Metrics to Track Cyber Hygiene

rachel.holmes@bitsight.com — Sat, 23 Sep 2023 12:30:00 +0000

Underwriting Cyber Risk Part 2: Metrics to Track Cyber Hygiene rachel.holmes@… Sat, 09/23/2023 - 08:30

Cyber insurers regularly get requests for new business and increased limits. How can they determine which organizations will be a risk worth taking? In my previous blog, I discussed how understanding an applicant’s cyber hygiene is the best indicator of whether they may experience a successful ransomware or other cyber attack. In this blog, I’ll walk through how to measure an applicant's cyber hygiene and which metrics are categorically proven to stand out.

How to measure an applicant's cyber hygiene

Despite the significant increase in cyber insurance premiums, there are still organizations that lean on their cyber policy in lieu of making larger investments in new and more effective security controls. Part of an underwriter’s job is to identify these cases and avoid insuring them.

A strong candidate for cyber insurance is typically an organization that performs the following tasks and then seeks insurance for risks that are unlikely to materialize (yet would be devastating if they did):

Demonstrates that they have processes in place to identify cyber risk
Mitigates high likelihood and high impact risks sufficiently
Integrates backup controls and other layers of security to enforce a defense-in-depth strategy
Monitors their security program for effectiveness
Seeks incremental improvements over time

Armed with this information, underwriters can perform a more in-depth discovery with applicants so that the risk is qualitatively and quantitatively evaluated against specific underwriting criteria. The most common quantitative method to measure cyber hygiene is with a cybersecurity ratings tool. Modern IT environments are complex, and it’s hard to make and understand insureds’ claims about cybersecurity. Cybersecurity ratings solutions help underwriters verify the accuracy of the information they receive from applicants with an unbiased view of a cybersecurity program.

Start with an applicant's security rating

The best indicator for future performance is past performance. Underwriters can derive this from cybersecurity ratings because they are based on historical cybersecurity performance. Think of a security rating like a credit rating—if someone missed a payment by the due date, their credit score might be impacted and then need time to recover. When it comes to cyber insurance, the same principles apply so that applicants are incentivized to maintain strong cybersecurity throughout the policy period. Without that incentive, some insureds might treat cybersecurity as a once-a-year exercise, leaving insureds vulnerable throughout the policy period and their carriers on the hook for claims.

Key metrics that highlight cyber hygiene

Aside from a quantitative cybersecurity rating, other findings may correlate to the likelihood of an applicant experiencing a cybersecurity incident. For example, expired certificates may not seem like a significant risk, but certificate management is a simple, routine IT task for most organizations. Therefore, a history of expired certificates demonstrates low cyber maturity overall. From that, an underwriter can infer that other, more critical cybersecurity practices are lacking too. And that means that cyber criminals may have more opportunities to identify and exploit vulnerabilities.

More importantly though, certain analytics are statistically correlated to the likelihood of experiencing a cybersecurity incident. A new, independent study by the world’s largest insurance broker, Marsh McLennan, found 14 Bitsight analytics to be significantly correlated with cybersecurity incidents. Looking at some of the key metrics in this study—such as patching cadence and the Bitsight Security Rating—enables underwriters to easily synthesize the significant amount of risk data they analyze when they underwrite accounts. You can read my interview to learn more about how this study impacts the cyber insurance industry.

No organization is immune from determined cyber criminals, just like how no homeowner can ever be immune to severe weather damage to their home. But, there are best practices for minimizing the likelihood of being victimized, chief among them being a relentless focus on cyber hygiene—the practice of ensuring that the organization is performing effectively every day. When an insurer identifies poor hygiene in one area, no matter how small it may seem, it almost certainly means that the organization lacks adequate controls in other areas as well. It’s not about looking at cyber controls on their own. It’s about looking at what they infer about an insured’s cyber maturity.

The carrier's role in risk control

As insurance carriers continue to develop methods to limit risks that drive loss ratios to uncomfortable levels, it’s important to look within. Carriers have an opportunity to support their insureds to limit losses through the policy period. Because cyber insurance is now a business requirement for so many, some small-to-medium businesses simply struggle to create and maintain security programs that meet strict underwriting requirements.

To help, some carriers may pay outside firms for mentoring services. In other cases, carriers and managing general agents (MGAs) use cyber ratings tools to monitor their insureds for vulnerabilities, and they may even provide remediation support. Lowering the carrier’s cyber loss ratio by even a single digit can be well worth the investment for these loss control services.

For example, Bitsight advisors work with insureds to help them understand reactive and proactive opportunities to improve their risk profiles. In addition, by collaborating with insureds, the advisors help insureds create self-published ratings that reflect the distinctions between various segmented networks (such as guest networks). Through this service, Bitsight creates plans for insureds to remediate weaknesses that can help them avoid cyber attacks, as well as provide a high-level comprehensive review of the Bitsight solution as it relates to features and capabilities. The study from Marsh McLennan found that organizations that have a lower Bitsight rating has a higher likelihood of cybersecurity incidents by as much as 4.8 times. By working with Bitsight advisors, organizations can improve their cyber hygiene and therefore reduce their risk.

Providing valuable cyber insurance policies

Cyber attacks and ransomware will only continue to ravage companies worldwide. The cyber insurance industry needs a strategy to quickly respond to this risk landscape, and provide valuable cyber policies that protect against risks to stay viable in an increasingly high-tech, connected landscape. Combining these insights with the way that end-users are leveraging cybersecurity products to support their cyber hygiene workflows, insurance carriers can provide more risk mitigation services alongside the cyber ratings tools they use to underwrite accounts.

Underwriting Cyber Risk Part 1: Focus on Cyber Hygiene

rachel.holmes@bitsight.com — Wed, 20 Sep 2023 12:30:00 +0000

Underwriting Cyber Risk Part 1: Focus on Cyber Hygiene rachel.holmes@… Wed, 09/20/2023 - 08:30

Cyber risk uncertainty is growing. Despite massive spending worldwide to the tune of $173 billion, cyber attacks keep occurring. Ransomware attacks—a type of cyberattack that encrypts an organization's network or locks users out of their devices and requires a ransom before restoring access—are costing companies 20 days of downtime on average. Within the next few years, nearly half of companies worldwide will experience cyber attacks on their software supply chains. And threats like malware and botnets (such as the recent Emotet re-emergence) are wreaking havoc on companies worldwide.

It comes as no surprise that cyber insurance claims are exploding. As companies worldwide scramble for coverage, insurers are experiencing significant losses and rethinking their underwriting decisions. The result? Stricter underwriting standards, which take longer to evaluate.

So how do cyber insurers determine which organizations are going to be a risk worth taking? It depends on an organization’s overall cyber hygiene and their ability to effectively respond to new attacks and vulnerabilities. It’s more important than ever to continue underwriting good and opportunistic risks, while not overcorrecting for the high loss ratios the industry is seeing. Insureds need to answer two questions: what is good cyber hygiene and how do you measure it? In this blog, I will tackle the first of these questions. Insurers have to first understand the current cyber insurance landscape and how it impacts cyber hygiene.

The link between ransomware and cyber insurance

Before unpacking cyber hygiene, first consider how ransomware is impacting the cyber insurance landscape. Traditional insurance, such as auto or home insurance, provides coverage for high impact, low frequency events. This type of insurance covers events that likely won’t happen, but could be very costly if they did. Organizations seek insurance coverage for these risks because it’s impractical to mitigate or avoid them. With the explosion of ransomware, companies suddenly experience high impact and high frequency incidents—making cyber insurance more expensive and harder to get, yet more necessary than ever.

Ransomware has been a threat for a long time. In 2016, Bitsight published an article to draw attention to the problem. Since then, ransomware and other similar threats are only continuing to explode. Nowadays, attackers use cryptocurrencies to monetize ransomware attacks in a way that’s easier to get payment and avoid tracking. Plus, the rapid speed of digital transformation in the last few years means that the attack surface has never been bigger for attackers to find areas of weakness.

What does this mean for cyber insurance carriers? They need to maintain the right balance of risk by offering valuable policies that pay claims when covered losses occur, while being careful not to encourage risky behavior with overly broad policy coverage. The underwriter has to determine which organizations are doing enough to prevent frequent claims to be eligible for the specific coverage they offer.

Most notably, frequent ransomware claims drive a lot of the chaos in the cyber insurance market. Ransomware usually exploits common, known vulnerabilities in insecure services and software. But a strong cybersecurity program will be able to manage vulnerabilities, protect endpoints, and monitor the effectiveness of security controls so that they can be improved over time. From an insurer’s perspective, knowing if a company can effectively perform these functions is a good way to start understanding their cyber hygiene.

What is (good) cyber hygiene?

Cyber hygiene is a set of essential practices and tasks a company uses to keep systems, data, and users secure. Strong cyber hygiene enhances overall cybersecurity through activities like regular assessments, improvements, patching, control implementation, and secure configuration. Regular processes like these give companies insight to determine if their security controls work effectively and ways to improve them over time. Good cyber hygiene significantly lowers the chance of ransomware and other cyber attacks.

Effective cyber hygiene begins with an understanding of best practices for improving security and reducing risk, such as those identified in the NIST Cybersecurity Framework or other cybersecurity standard or framework. By mapping existing security practices to a framework, security teams can evaluate their current level of cyber hygiene and take steps to improve it. Organizations should continuously monitor their efforts on each of these tasks and alert security teams to lapses in best practices.

Additionally, underwriters should focus on the concept of cyber maturity, not just cyber controls, so that security information can be inferred quickly when underwriting particularly complex organizations. For example, asking an organization to explain their process for identifying and remediating new vulnerabilities provides a slew of insights, and gives the underwriter a sense of how they would handle zero-day vulnerabilities. Asking intelligent questions during the insurance application process guides the understanding of a company’s cyber maturity, and in turn, their cyber hygiene.

Cyber hygiene proves to insurers that an applicant is invested in cybersecurity

The likelihood of an applicant experiencing a successful ransomware attack begins with understanding their cyber hygiene. And the best applicants know that good cyber hygiene proves to cyber insurers that they are actively invested in their security posture, which makes them better risks to write. Now that we’ve established a baseline for why cyber hygiene is important, the next blog in this series will cover how an insurer can tell whether an organization has good cyber hygiene and which metrics to monitor.

Bitsight Cyber Insurance Policyholder Detection & Response

Eric Cisternelli — Mon, 17 Jul 2023 14:24:55 +0000

Bitsight Cyber Insurance Policyholder Detection & Response Eric Cisternelli Mon, 07/17/2023 - 10:24

Bitsight Cyber Insurance Policyholder Vulnerability Detection & Response empowers organizations to take action on high-priority incidents at a moment’s notice. Teams rely on these capabilities to initiate outreach to policyholders and track responses to critical vulnerabilities through scalable templated questionnaires—with tailored exposure evidence—for more effective remediation and to leverage industry-leading data to prioritize mitigation efforts.

Download our datasheet to learn how Policyholder Vulnerability Detection & Response enables you to:

Quickly access comprehensive views of vulnerabilities across your portfolio
Prioritize, scale, and track policyholder outreach with built-in questionnaires and workflows through the Bitsight Cyber Insurance application
Provide insureds with exposure evidence and action plans to remediate risk to their organization—and your portfolio
Mitigate potential claims and losses to the policyholders across your portfolio

Download the free data sheet

Off

Cyber Insurance Vulnerability Detection.pdf

Data Sheets

Cyber Insurance

Hide Resource from Lists?

Off

Button Text

Download Now