The insurance industry has used objective, well-understood metrics for assessing risk in nearly every line of coverage. For example, life insurance takes into account medical history, blood pressure, age, and other health metrics. Auto insurance is based on driving history, location, age, past accidents and tickets, and other driving-related metrics. Property insurance is based on location, susceptibility to inclement weather, and building materials.
As today's cyber threat landscape evolves, cyber insurance is becoming a higher priority for organizations across all industries, and the industry recognizes the need for additional metrics in assessing cyber-related risk. For those who may not be as familiar with cyber insurance, however, let's start by answering some FAQs about cyber insurance itself.
What is cyber insurance?
Cyber insurance is insurance that provides first-party and third-party (liability) coverage in case of a privacy or security event. A privacy event is a situation in which a business experiences a loss of sensitive confidential information, most commonly personally identifiable information (PII), protected health information (PHI), or payment card industry data (PCI), but also corporate records and intellectual property (IP). A security event, such as a ransomware or DDoS attack, causes deterioration, suspended service, or limited access to data. Cyber insurance coverage is meant to help businesses respond to liability claims as well as protect them against first-party losses and the expenses associated with incident remediation. Among other exposures, cyber insurance can also include multimedia liability coverage, cyber crime coverage, or bodily injury and/or property damage coverage.
Cyber insurance has existed since the late 1990s, filling in privacy liability gaps related to companies' Errors & Omissions policies. As internet usage grew across all industries, federal and state regulations took heed of the growing consumer privacy issues. Today, cyber insurance can be purchased either as a standalone coverage or in combination with other insurance programs (E&O, Directors & Officers, Property, Package). There are over 80 different carriers that provide a variety of coverages to all types of customers worldwide. While awareness and adoption of coverage is high, the market will only continue to grow, as "written premium for the commercial cyber liability market that will reach $6.2 billion by 2020, with annual take-up rates growing 20 to 30 percent during the next several years."
How do I purchase cyber insurance and what affects coverage?
Purchasing cyber insurance is traditionally handled through a broker who solicits quotes from insurers. Organizations fill out an application; the broker then sends it to several insurers to assess and price their risk. Insurers use not only what you provide on the application form, but may also ask for a phone or in-person interview. They might also supplement these evaluations with external data (e.g., financial information, news searches, security ratings). After the risk is assessed and found acceptable, it is priced and a quote is issued. Most likely, there will be some negotiation on pricing, coverage terms, and conditions. Lastly, a binder and policy are established that confirm an active policy has been put in place.
The underwriting cyber assessment process is typically organized into three areas of performance: people, process, and technology. An area of concern that affects all three areas in the assessment process is password management. Over 81% of hacking breaches resulted from stolen or compromised passwords. There are generally questions in the assessment about users having unique passwords, default passwords being changed when applications are updated, passwords being of sufficient length/complexity and on a rotation schedule, and even passwords being stored in an encrypted way to avoid compromise in case of a breach incident. A strong password management policy is at the foundation of cyber risk assessment. Solutions like LastPass by LogMeIn play a central role in safeguarding against unauthorized access to sensitive data and systems, and ultimately strengthen security posture.
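The password controls listed above (sufficient length and complexity, no default passwords, and credentials stored so they cannot be recovered if the database is breached) are easier to reason about when seen as code. The following is an added example, not code from the original article or from BitSight or LastPass; the policy thresholds, the small list of default passwords, and the function names are assumptions chosen for illustration. It checks a candidate password against a simple policy and stores it as a salted, iterated PBKDF2-HMAC hash, which is the usual way to satisfy the "stored so it cannot be compromised" question without keeping a reversible copy.

```python
import hashlib
import hmac
import os

# Constructed policy thresholds for the example; not any insurer's actual criteria.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
# Constructed sample of vendor-default / commonly breached passwords (assumed list).
COMMON_DEFAULTS = {"password", "admin", "changeme", "123456", "welcome1"}

# Assumed storage format: algorithm$iterations$salt_hex$digest_hex
HASH_ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000


def check_password_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes_present = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes_present < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")

    if password.lower() in COMMON_DEFAULTS:
        problems.append("matches a known default or commonly breached password")
    return problems


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh random salt per password
    means two users with the same password get different stored values."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{HASH_ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so a mismatch does not leak where the digests diverge."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != HASH_ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def enroll(password: str) -> str:
    """Enforce the policy before storing; raise so a weak password is never persisted."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ["admin", "Welcome1", "Correct-Horse-42!"]:
        print(candidate, "->", check_password_policy(candidate) or "passes policy")
    record = enroll("Correct-Horse-42!")
    print("stored:", record[:40] + "...")
    print("verify correct:", verify_password("Correct-Horse-42!", record))
    print("verify wrong:", verify_password("Correct-Horse-43!", record))
```

The stored record carries its own salt and iteration count, so the iteration count can be raised later for new enrollments without invalidating existing records, and `verify_password` tolerates malformed records by failing closed rather than raising.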
What role do security ratings play in all of this?
Nearly every organization today has customers (i.e., confidential information), is internet-connected, and uses third-party services to help run its business. Inherently, most organizations are exposed to risk when working with third parties; that may include experiencing an outage caused by a vendor through no fault of their own. What makes security ratings such a valuable tool in cyber insurance is that they are an objective, actionable, and continuous measurement of this cyber risk.
Application question responses are also inherently biased to favor the applicant, that is, the company. BitSight Security Ratings help overcome this potential bias and allow both parties to use trusted, objective information in their assessment.
BitSight is rapidly becoming the standard for security ratings in the cyber risk insurance industry. In fact, 7 of the 10 largest cyber insurance carriers in the world use BitSight as a part of their underwriting.
Learn more about BitSight Security Ratings for cyber insurance.
Samit Shah is the Insurance Solutions Manager at BitSight. In this role, he engages with insurance industry customers on how to best use BitSight's leading security ratings technology to help solve the problems of assessing, managing, and improving their clients' cyber risk. Prior to BitSight Technologies, Samit had a stint as the cyber underwriter at APRI, an MGU in New Jersey. Before that he worked for Zurich Insurance for a number of years in risk management, business development, operational strategy, and underwriting across several different lines of insurance, including Cyber & E&O.