Cyber risk often seems difficult to quantify which makes it difficult for insurance companies to appropriately underwrite their cyber risk policies. The number of threat vectors and continuously evolving threats, such as new types of malware/ransomware, lead to confusion over adequate pricing. Companies that underwrite cyber risk insurance policies need metrics to help reduce the risk in their portfolios.
Why insurance providers need to “mind the gap”
As cyber risk continues to increase in importance, companies now recognize that traditional commercial general liability (CGL) policies lack coverage for these new risks. Knowing this, insurance companies attempt to leverage specialized cyber risk policies. Cyber risk policies act as “gap” insurance, providing coverage where exclusions in CGL and business continuity policies limit policyholder recovery. However, insurance companies
For example, in a recent coverage dispute, an insurer claimed that the NotPetya attack was cyber warfare, thus invoking the war exclusion to limit coverage. However, even despite the inclusion of the cyber risk policy’s war exclusion, the cyber risk company would need to know whether the policyholder’s controls should have been effective at reducing malware and ransomware threats.
Why companies struggle to underwrite cybersecurity insurance policies
Cyber insurance policy underwriting mimics the issues with environmental pollution policies in the mid- to late-1990’s. Just as no one could predict when and how a chemical spill would occur, no one can predict when and how a malicious actor will attempt to infiltrate a company’s systems, networks, and software. However, also similar to environmental coverage, organizations can be responsible for their business practices and controls.
Who collects data?
Many organizations collect data, but sometimes a company purchases it from or manages it for someone else. If your policyholder isn’t the one collecting the information, you need insight into who is collecting it and gain visibility into how well they secure its transmission, storage, and collection.
Where does data reside?
Similar to understanding who collects data, you also need to know where the information is stored and transmitted. You need to know whether the data is stored on-premises, in the cloud, or in a data center. You might even need to know what region the information resides in.
How is data secured?
Even if you know the “who” and “where” of data collection, you still need to know how the policyholder and its supply chain secure data. A single weak control in the supply stream can lead to a data breach that your insurance company has to cover under its cyber risk policies.
Establishing metrics for underwriting cybersecurity insurance policies
Whether your underwriters want the information to determine whether a company is worthwhile or your actuaries are struggling to assess financial risk for your cyber risk products, you need visibility into how well your policyholders secure their data.
Security ratings help insurance companies better price their cyber risk policies to reduce risk in their portfolios. Security ratings use publicly available information and assess the potential data breach risks arising from control weaknesses. Cybersecurity insurance providers can use security ratings to gain insight into the way your policyholders and their supply stream partners secure data so that you can write policies based on metrics, not just guesses.
Security ratings provide clear metrics that help cyber risk insurers analyze policyholder risk to the business. In the same way that an insurance company reviews a credit rating or a person’s driving history to gain actionable intelligence before writing a CGL or auto policy, security ratings provide information about a policyholder or potential policyholder’s security profile.
Web application risk
Malicious actors use web-based applications as a way to gain unauthorized access to user information. Some of the most common forms include cross-site scripting (XSS), SQL injection, and security misconfigurations. Security ratings platforms continuously monitor the internet for potential control weaknesses increase the risk of a malicious actor using a web application to obtain access to systems, networks, and services. When using security ratings to mitigate underwriting risk, a potential policyholder with a low rating has weaknesses that make them more likely to experience a data breach and increase your likelihood of having a claim.
Network security risk
As organizations move their mission-critical business operations to the cloud, network security becomes more important. A single misconfigured cloud resource can wreak havoc across the supply stream. Security ratings help gather information such as pesky misconfigured S3 buckets that leave companies at risk of a data breach. A low score for Network Security means that the company is an increased liability to your insurance company.
IP reputation
Malware and ransomware attacks, like the NotPetya attack, infiltrate an organization’s infrastructure by running in the background, looking like regular programs. Security ratings can help identify potential policyholders whose networks are infected. Moreover, since security ratings continuously monitor for these types of infiltrations, insurance companies can gain real-time visibility into how well their policyholders’ and potential policyholders’ anti-malware and anti-ransomware protections work. The sooner a company identifies a potential malware or ransomware attack, the less money and less downtime the company experiences. A low security rating in the IP Reputation category means that a policyholder is at greater risk and isn’t managing its controls well.
Patching cadence
Many companies lack the financial resources to update their IT assets on a regular basis. Whether it’s an old laptop or a server, all IT assets need to be updated with the most recent security patches. Malicious actors infiltrate organizations by using commonly known vulnerabilities (CVEs) and attacking an organization’s lack of security patch update. While 30 days is the generally accepted security update timeframe, not all organizations patch regularly. If you’re looking to underwrite a company with a low security rating for patching cadence, you may be increasing your insurance company’s financial risk.
How SecurityScorecard enables cyber risk insurance companies
SecurityScorecard continuously monitors the internet, ingesting publicly available information, to provide the metrics necessary for determining whether a company is a worthwhile risk. Our analytics and machine learning capabilities continuously update so that insurers can monitor the threats within their portfolio.
Our research has found that companies who rate a D or F are five times more likely to experience a data breach than organizations with an A-C rating. Cybersecurity policy underwriters can use our ratings to determine whether a policyholder or potential policyholder is maintaining effective controls. If a company with an A rating experiences a data breach, for example, the likelihood of negligence is low, meaning that the policy may cover their losses. A policyholder with a security rating of D or F, however, may not be maintaining continuously effective controls, which could indicate a coverage issue.
SecurityScorecard not only provides information into an organization’s overarching security posture, but our platform also provides individual security ratings for our ten factors. Cyber risk insurers using SecurityScorecard can gain actionable insight into individual control weaknesses. For example, while a company’s Network Security rating may be an A, its Patching Cadence rating may be a D. Cyber risk insurers can review their portfolio regularly and use the SecurityScorecard platform’s remediation suggestions to give actionable feedback to policyholders. These detailed analyses can also help drill down to specific control weaknesses in the event of a data breach claim.
Finally, SecurityScorecard’s easy-to-read security ratings enable all members of your insurance company to understand the risks inherent in underwriting a potential policy. Underwriters can easily see how risky a company is and where those risks are, translating to more accurate pricing.

