Steps to Mitigate Cyber Risk

Insurers' traditional methods--enforcing limits on coverage and capacity, raising premiums and seeking reinsurance--are no longer adequate.

Blue photo showing cyber with binary code

KEY TAKEAWAYS:

--Cyber insurance carriers should stop relying on security questionnaires and should perform active scans to determine the digital assets and overall security posture of each applicant.

--Insurers must then monitor the risk continuously. Cyber-attack trends and techniques evolve rapidly, meaning the risk and performance of a policy can differ drastically not only from year to year but also within a 12-month policy period.

----------

Cybersecurity risks continue to pose a significant threat to businesses, and the insurance industry is feeling the impact of these attacks. The percentage of insurance clients opting for cyber coverage has risen 47% over the last several years – while the costs associated with cyber events have steadily increased. 

The increasing frequency of large-scale cyber-attacks — WannaCry, NotPetya, Log4j, ProxyNotShell, to name a few — has highlighted the potential for catastrophic events and the resulting financial losses. This has put pressure on insurance companies to find new ways to mitigate risk and protect their policyholders.

Too often, insurers have reacted through traditional methods, such as enforcing limits on coverage and capacity, raising premiums and seeking coverage from reinsurers. But these approaches may not be sufficient in the long run.

Insurers must take a more comprehensive approach, including (1) practicing risk selection informed by the latest cyber security threat landscape, (2) maintaining constant awareness of the digital assets they insure, (3) scanning continuously for emerging risks, (4) identifying vulnerable companies quickly and accurately and (5) helping their insureds implement security patches as quickly as possible.

Issuing a cyber insurance policy without promptly assessing an organization's security stance is comparable to providing property insurance without comprehending the building materials used in its construction.

Unfortunately, many traditional cyber insurance policy processes and applications do not gather essential security details, such as the software and tools employed by the insured. This often leads to over-reliance on security questionnaires, whose answers are inherently biased and may not be completed by the correct technical staff.

Active scanning can offer a solution to this problem. Cyber insurance carriers can perform active scans to determine the digital assets and overall security posture of each applicant at the time of underwriting. This gives insurers real-time views of a company's digital assets and vulnerabilities – and enables much better risk selection and pricing decisions.

Such active scanning should be complemented with continuous risk monitoring. Cyber-attack trends and techniques evolve rapidly, meaning the risk and performance of a given cyber policy can differ drastically not only from year to year – but also within a 12-month policy period. Continuous cyber risk monitoring of an organization's digital infrastructure over the course of the policy periods allows insurers to keep pace with the changing threat landscape and the technological evolution of companies.

Amid an age of rapidly advancing cyber threats, insurance companies should start a program of active scanning and continuous cyber risk monitoring of insureds and their digital assets. By adopting such measures, insurers can improve their loss ratio and better protect their policyholders against cyber risks.

You can find a whitepaper on the topic here.


Lewis Guignard

Profile picture for user LewisGuignard

Lewis Guignard

Lewis Guignard is director of data science at Guidewire Software, where he is responsible for leading the development of cyber risk analytics technologies for the P&C insurance industry.

Guignard has over a dozen years of experience leading engineering, research and data science projects. Previously, he served as the head of data science at Corax, a cyber insurance software company.

Guignard holds a master's degree in electrical engineering from Stanford University.


Yoshifumi Yamamoto

Profile picture for user YoshifumiYamamoto

Yoshifumi Yamamoto

Yoshifumi Yamamoto serves as the director of cyber risk modeling at At-Bay, a cyber insurance provider.

He has over two decades of experience in technology development and over a decade in the risk management and insurance technology market. He previously worked as the lead modeler for risk management solutions at Moody's, as well as the global head of risk modeling and cyber risk analytics at Cyence.

Yamamoto earned a Ph.D. in structural engineering and a master's in statistics from Stanford University.

Read More