Cyber Insurance: Effectively Underwrite Cyber Risk Policies

11/11/2019

Cyber risk often seems difficult to quantify, which makes it hard for insurance companies to appropriately underwrite their cyber risk policies. The number of threat vectors and continuously evolving threats, such as new types of malware/ransomware, lead to confusion over adequate pricing. Companies that underwrite cyber risk insurance policies need metrics to help reduce the risk in their portfolios.

Why insurance providers need to “mind the gap”

As cyber risk continues to increase in importance, companies now recognize that traditional commercial general liability (CGL) policies lack coverage for these new risks. Knowing this, insurance companies attempt to leverage specialized cyber risk policies. Cyber risk policies act as “gap” insurance, providing coverage where exclusions in CGL and business continuity policies limit policyholder recovery. However, insurance companies

For example, in a recent coverage dispute, an insurer claimed that the NotPetya attack was cyber warfare, thus invoking the war exclusion to limit coverage. However, even with the cyber risk policy’s war exclusion, the cyber risk company would need to know whether the policyholder’s controls should have been effective at reducing malware and ransomware threats.

Why companies struggle to underwrite cybersecurity insurance policies

Cyber insurance policy underwriting mimics the issues with environmental pollution policies in the mid- to late 1990s. Just as no one could predict when and how a chemical spill would occur, no one can predict when and how a malicious actor will attempt to infiltrate a company’s systems, networks, and software. However, as with environmental coverage, organizations can be held responsible for their business practices and controls.

Who collects data?

Many organizations collect data, but sometimes a company purchases it from or manages it for someone else. If your policyholder isn’t the one collecting the information, you need insight into who is collecting it and visibility into how well they secure its transmission, storage, and collection.

Where does data reside?

Similar to understanding who collects data, you also need to know where the information is stored and transmitted. You need to know whether the data is stored on-premises, in the cloud, or in a data center. You might even need to know what region the information resides in.

How is data secured?

Even if you know the “who” and “where” of data collection, you still need to know how the policyholder and its supply chain secure data. A single weak control in the supply stream can lead to a data breach that your insurance company has to cover under its cyber risk policies.

Establishing metrics for underwriting cybersecurity insurance policies

Whether your underwriters want the information to determine whether a company is worthwhile or your actuaries are struggling to assess financial risk for your cyber risk products, you need visibility into how well your policyholders secure their data.

Security ratings help insurance companies better price their cyber risk policies to reduce risk in their portfolios. Security ratings use publicly available information and assess the potential data breach risks arising from control weaknesses. Cybersecurity insurance providers can use security ratings to gain insight into the way their policyholders and their supply stream partners secure data so that they can write policies based on metrics, not just guesses.

Security ratings provide clear metrics that help cyber risk insurers analyze policyholder risk to the business. In the same way that an insurance company reviews a credit rating or a person’s driving history to gain actionable intelligence before writing a CGL or auto policy, security ratings provide information about a policyholder or potential policyholder’s security profile.

Web application risk

Malicious actors use web-based applications as a way to gain unauthorized access to user information. Some of the most common forms include cross-site scripting (XSS), SQL injection, and security misconfigurations. Security ratings platforms continuously monitor the internet for potential control weaknesses that increase the risk of a malicious actor using a web application to obtain access to systems, networks, and services. When using security ratings to mitigate underwriting risk, a potential policyholder with a low rating has weaknesses that make them more likely to experience a data breach and increase your likelihood of having a claim.

Network security risk

As organizations move their mission-critical business operations to the cloud, network security becomes more important. A single misconfigured cloud resource can wreak havoc across the supply stream. Security ratings help gather information such as pesky misconfigured S3 buckets that leave companies at risk of a data breach. A low score for Network Security means that the company is an increased liability to your insurance company.

IP reputation

Malware and ransomware attacks, like the NotPetya attack, infiltrate an organization’s infrastructure by running in the background, looking like regular programs. Security ratings can help identify potential policyholders whose networks are infected. Moreover, since security ratings continuously monitor for these types of infiltrations, insurance companies can gain real-time visibility into how well their policyholders’ and potential policyholders’ anti-malware and anti-ransomware protections work. The sooner a company identifies a potential malware or ransomware attack, the less money it loses and the less downtime it experiences. A low security rating in the IP Reputation category means that a policyholder is at greater risk and isn’t managing its controls well.

Patching cadence

Many companies lack the financial resources to update their IT assets on a regular basis. Whether it’s an old laptop or a server, all IT assets need to be updated with the most recent security patches. Malicious actors infiltrate organizations by using commonly known vulnerabilities (CVEs) and exploiting an organization’s missing security patch updates. While 30 days is the generally accepted security update timeframe, not all organizations patch regularly. If you’re looking to underwrite a company with a low security rating for patching cadence, you may be increasing your insurance company’s financial risk.

How SecurityScorecard enables cyber risk insurance companies

SecurityScorecard continuously monitors the internet, ingesting publicly available information, to provide the metrics necessary for determining whether a company is a worthwhile risk. Our analytics and machine learning capabilities continuously update so that insurers can monitor the threats within their portfolio.

Our research has found that companies who rate a D or F are five times more likely to experience a data breach than organizations with an A-C rating. Cybersecurity policy underwriters can use our ratings to determine whether a policyholder or potential policyholder is maintaining effective controls. If a company with an A rating experiences a data breach, for example, the likelihood of negligence is low, meaning that the policy may cover their losses. A policyholder with a security rating of D or F, however, may not be maintaining continuously effective controls, which could indicate a coverage issue.

SecurityScorecard not only provides insight into an organization’s overarching security posture, but our platform also provides individual security ratings for our ten factors. Cyber risk insurers using SecurityScorecard can gain actionable insight into individual control weaknesses. For example, while a company’s Network Security rating may be an A, its Patching Cadence rating may be a D. Cyber risk insurers can review their portfolio regularly and use the SecurityScorecard platform’s remediation suggestions to give actionable feedback to policyholders. These detailed analyses can also help drill down to specific control weaknesses in the event of a data breach claim.

Finally, SecurityScorecard’s easy-to-read security ratings enable all members of your insurance company to understand the risks inherent in underwriting a potential policy. Underwriters can easily see how risky a company is and where those risks are, translating to more accurate pricing.
