Posted on Sep 19, 2019
Many underwriters today offer cyber insurance, designed to protect businesses from the effects of cyberattacks and data breaches. Cyber insurance is a relatively new area, and underwriters are always looking for ways to better understand cyber risk. The goal, as with all types of insurance, is to make more informed decisions and reduce the overall risk in their portfolios.
Cybersecurity ratings can help you achieve this goal. These ratings are designed to evaluate the level of cyber risk present at a given company. They also show how prepared companies are for a cyberattack and how they might respond to such incidents.
A security rating grades how well a company protects its valuable information. Here are five benefits of using security ratings for insurance underwriting.
No underwriter will sign a policy blindly. Every potential customer must complete a detailed application prior to approval. The questions on this application typically cover the company's data management structure, network security, IT and cybersecurity staff, disaster recovery plans, and more.
These questions seldom paint the entire picture, and the applicant's answers are not completely objective. Relying solely on those answers doesn't tell you everything you need to know about how prepared the applicant is for a cyberattack or data breach.
Cybersecurity ratings provide more objective information about the applicant. For example, SecurityScorecard evaluates 10 groups of risk factors with 92+ signals for each company: network security, DNS health, patching cadence, endpoint security, IP reputation, web application security, cubit score, hacker chatter, leaked credentials, and social engineering. You can then examine more granular specifics about each factor, providing a detailed view of how much risk the applicant represents.
When deciding whether to underwrite a given applicant, it's important to know how the company's cybersecurity resources compare to those of similar organizations. Is the applicant more or less competent than other companies in managing its cybersecurity risk?
Based on detailed analysis, SecurityScorecard assigns each company a letter grade, from "A" to "F." The highest grade, an “A,” indicates that the company has a low number of susceptibilities and issues and thus a lower risk of attack. Companies with a "D" or "F" rating are 5.4 times more likely to be the targets of cyberattacks or data breaches than companies with "A" or "B" ratings.
Security ratings help you compare the applicant's risk factor with those of other companies. You're more likely to underwrite companies with an "A" or "B" grade than those with lower cybersecurity ratings. It's an objective way to differentiate high-risk applicants from lower-risk ones.
As an insurance underwriter, it's in your best interest to help your clients reduce cyber risks. The more diligent a company's cybersecurity efforts are, the lower the risk that company presents to you.
The detailed information present in a security rating helps identify a company's cybersecurity strengths and weaknesses. You can use this information to work with the applicant on specific areas that need improvement. For example, if a company receives a low social engineering score, you can work with the company to enact stronger protections against social engineering hacks, like improving employee training.
Improving specific areas of weakness in this fashion benefits both the applicant and the underwriter, reducing the risk to both entities.
The more information you have about the companies you insure, the more you can work to reduce the overall risk in your portfolio. Knowing the specific risks for each company in the portfolio is the first step in reducing the overall risk. Security ratings are essential in accomplishing this.
For example, if you have multiple companies in your portfolio with high DNS health scores and a handful with lower scores, you can drill down to determine why those companies achieved higher scores. According to EfficientIP, 22% of companies surveyed experienced DNS-based attacks in 2018.
You may find that most of those companies use the same DNS provider and then suggest to those companies with lower DNS scores that they switch to a superior provider. This helps those lower-rated companies in your portfolio, of course, but by bringing up their DNS scores, you reduce your portfolio's overall risk.
The more diligent you are in drilling down into the details contained in companies' security reports, the lower the risk you'll assume.
Security ratings are key to less risky and more profitable underwriting. You can use cybersecurity ratings to become smarter, not just about the companies you insure but also about cybersecurity in general.
You can use cybersecurity ratings to improve the data you collect and the decisions you make. You will make more informed and intelligent decisions when you have abundant independent data at your disposal. Obtaining security ratings for all applicants will not only help you determine which companies to insure but also what rates to charge. You will create a more balanced portfolio and more properly price your cyber policies.
Security ratings are essential for cyber insurance underwriting. Let SecurityScorecard provide accurate and objective cybersecurity ratings for your insurance applicants. Contact us to learn more about our cyber insurance solutions.