Blog April 12, 2023

7 Factors that Drive Cyber Risk: New Research from Marsh McLennan and SecurityScorecard

The expanding attack surface of an increasingly interconnected digital world comes with a high degree of risk due to ransomware, phishing attempts, supply chain attacks, data breaches, and other cyber incidents. And while many organizations recognize the need for cyber insurance, a recent Forrester Research report found that only 55% of organizations in North America have purchased cyber insurance.1

Following a recent surge of ransomware attacks–which has led to a sharp uptick in claims–the cyber (re)insurance industry is looking for ways to help its customers increase their cyber resilience, reduce their premiums, and improve their overall cyber hygiene.2 Because cyber risk is dynamic and influenced by a wide range of variables, quantifying it requires numerous, continuously updated data points.

Use security ratings to help assess cyber insurance risk 

In the world of financial markets, investors rely on credit ratings to estimate risk. With that in mind, the Marsh McLennan Global Cyber Risk Analytics Center and SecurityScorecard came together to study how cybersecurity ratings can be used to understand cyber risk. Much like credit ratings, security ratings package risk into a handful of quantifiable factors. This helps insurance companies provide quotes and manage their risk exposure while also offering customers the opportunity to manage and improve their security posture.

For the past ten years, SecurityScorecard has offered cybersecurity ratings that use continuous, external scanning to provide an accurate outside-in view of risk in this constantly shifting landscape. To produce these scores, we build a map of digital assets, observe events and settings on these assets, and assign scores based on these observations and their correlation to cyber incidents.

Seven factors that can predict a cybersecurity breach

By analyzing security ratings and cyber insurance claims data, we found seven factors that are most predictive of a breach. They are:

  1. Endpoint Security: Tracks identification points that are extracted from metadata related to the operating system, web browser, and related active plugins
  2. Patching Cadence: Analyzes how quickly an organization installs security updates to measure vulnerability risk mitigation practices
  3. Ransomware Score: Measures how susceptible the organization is to a ransomware attack
  4. Network Security: Checks public datasets for evidence of high-risk or insecure open ports within the organization’s network
  5. DNS Health: Measures the health and configuration of an organization’s DNS settings. It validates whether malicious events occurred in the passive DNS history of the organization’s network
  6. IP Reputation: Makes use of the SecurityScorecard sinkhole infrastructure as well as a blend of OSINT malware feeds and third-party cyber threat intelligence data-sharing partnerships
  7. Cubit Score: Measures a variety of security issues that an organization might have (e.g., checking public threat intelligence databases for IP addresses that have been flagged)

Using the SecurityScorecard platform, customers can identify and plan for clear areas of improvement and thus reduce their cyber risk, which can result in validation with a higher security rating and, ultimately, a lower cyber insurance quote. In turn, cyber (re)insurers can use security ratings in their underwriting strategies to more accurately evaluate a company’s cyber risk exposure.

Security ratings can be valuable when it comes to policy application forms by giving all parties a shared view of risk. And since everyone is speaking a common language, this fundamentally changes how insureds, brokers, and carriers think about and communicate cyber risk.

Whether you’re buying cyber insurance coverage or simply trying to reduce your premium, cybersecurity ratings will go a long way by helping you monitor and control risk while improving your overall cybersecurity posture. With this information in hand, you may be better able to optimize your cybersecurity investments and allocate them efficiently to identify, protect, detect, respond, and recover from cyber incidents. With a more transparent and measurable view of cyber risk, the industry as a whole can move toward a more sustainable and resilient future.

To learn more about using cybersecurity ratings to reduce cyber insurance risk, download Marsh McLennan and SecurityScorecard’s report, Reduce cyber risk with the predictive power of security ratings.

About SecurityScorecard

Funded by world-class investors including Evolution Equity Partners, Silver Lake Waterman, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings with more than 12 million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented rating technology is used by over 50,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its worldwide customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and vendors. Every organization has the universal right to their trusted and transparent Instant SecurityScorecard rating. For more information, visit or connect with us on LinkedIn.

About Marsh McLennan

Marsh McLennan (NYSE: MMC) is the world’s leading professional services firm in the areas of risk, strategy and people. The Company’s more than 85,000 colleagues advise clients in 130 countries. With annual revenue of over $20 billion, Marsh McLennan helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses. Marsh provides data-driven risk advisory services and insurance solutions to commercial and consumer clients. Guy Carpenter develops advanced risk, reinsurance and capital strategies that help clients grow profitably and pursue emerging opportunities. Mercer delivers advice and technology-driven solutions that help organizations redefine the world of work, reshape retirement and investment outcomes, and unlock health and wellbeing for a changing workforce. Oliver Wyman serves as a critical strategic, economic and brand advisor to private sector and governmental clients. For more information, visit and follow us on LinkedIn and Twitter.

1. Breaches by The Numbers: Adapting to Regional Challenges is Imperative, Forrester Research, April 12, 2022

2. Cyber Insurers Raise Rates Amid a Surge in Costly Hacks, The Wall Street Journal, May 18, 2022