It’s no secret that loss control programs are essential for cyber insurance. Unlike other forms of insurance where the risk and assets don’t change much during a policy term, cyber insurance is meant to mitigate a constantly evolving risk and cover organizations whose security posture is always changing. A cyber insurance policy could be priced completely differently today compared to a few weeks or months later.
To protect their cyber insurance portfolio from unexpected claims and losses, insurers must proactively control their cyber risk exposure. For the following reasons, this is much easier said than done:
New vulnerabilities are frequently discovered. These can be exploited very quickly, before the target company even realizes they are exposed. In 2021, there was a 167% increase in confirmed exploits of zero-day vulnerabilities.
Organizations struggle to fix vulnerabilities in a timely manner; the half-life of an unpatched vulnerability (the time it takes for half of the affected systems to be patched) is just over a year.
Determining which organizations are at risk and alerting them of their exposure is costly and time consuming, especially when this effort needs to be performed for hundreds or thousands of insurance customers.
While many cyber insurers have already implemented loss control programs, those programs tend to be static and deliver limited results. They often rely on hands-on assessments that don't scale, generic communications that aren't actionable, or manual outreach that takes time to ramp up. The result is a loss control program that learns of its own failures after the fact, because it is only at renewal that the program's effectiveness comes to light.
Introduction of Risk Control
Risk Control allows cyber insurers to move from static to dynamic loss control management. This results in lower cyber risk and greater operational efficiency, and helps ensure that policyholders are ready for renewal. Risk Control works by executing risk reduction strategies whenever a specific security issue is identified, all with little or no manual intervention. Its associated visualizations enable the loss control manager to continuously monitor the performance of the programs while ensuring that their strategies remain aligned with the risk at hand. Here is an overview of the workflow:
Create Risk Control Programs
A risk control program aims to mitigate a specific driver of risk by creating awareness among those exposed to the risk, and enabling them to make remediations to prevent a cyber incident.
With SecurityScorecard, a risk control program can be defined using rules-based automation to cross-reference a portfolio of organizations against specific signals, such as Ransomware Infection Detected, Remote Access Services Exposed, or any of the hundreds of other signals we track. The automation of a risk control program enables the continuous analysis of risk as well as immediate action once a high-risk situation is identified.
Some cyber insurers have attempted to implement proactive loss control programs, but they have only been capable of sending generic alerts to their customers. This places the burden on the customer to determine whether or not they are truly at risk, which reduces the effectiveness of the alert. At best, some customers take action; at worst, the customer treats the message as spam.
SecurityScorecard can send the right message to the right person at the right time, resulting in more effective risk control programs. Loss control managers can create customized alerts containing actionable information about the specific issue that needs attention, such as the affected asset and the signal that fired. An alert like this gives a policyholder clarity.
Monitor the performance of programs
Waiting for insureds to self-report—or until renewal—to discover if a loss control program has worked is too late to ensure a portfolio remains profitable.
SecurityScorecard can provide real-time insight into the results of a loss control program so that insurers can adjust their strategy as fast as the risk changes. The burndown charts display the number of insureds affected by the targeted risk and how that number changes over time. If exposure is dropping, you can be confident that the alerts were effective. If it is flat or rising, or not dropping fast enough, that signals a need to reevaluate the program.
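To make the workflow above concrete, here is an added illustration in Python of a rules-based risk control program, its targeted alerts, and the burndown series behind the chart. It is not SecurityScorecard's code or API, and the portfolio, contacts, findings, IP address and dates are all constructed for the example; only the signal names ("Remote Access Services Exposed", "Ransomware Infection Detected") come from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample data (hypothetical, not real customer data).
# A finding is a dated observation of one signal against one organization;
# "resolved" stays None while the issue is still present.
@dataclass(frozen=True)
class Finding:
    org: str
    signal: str
    detail: str
    first_seen: date
    resolved: Optional[date] = None

# The insured portfolio: who is covered and who receives the alert.
PORTFOLIO = {
    "Acme Logistics": {"contact": "security@acme.example"},
    "Beta Health": {"contact": "ciso@betahealth.example"},
    "Gamma Retail": {"contact": "it@gammaretail.example"},
}

FINDINGS = [
    Finding("Acme Logistics", "Remote Access Services Exposed",
            "RDP (3389/tcp) reachable on 203.0.113.10", date(2023, 3, 1), date(2023, 3, 4)),
    Finding("Beta Health", "Ransomware Infection Detected",
            "beacon to known ransomware C2 from corporate egress", date(2023, 3, 2)),
    Finding("Beta Health", "Remote Access Services Exposed",
            "VNC (5900/tcp) reachable on vpn.betahealth.example", date(2023, 3, 2), date(2023, 3, 6)),
    Finding("Gamma Retail", "Outdated TLS Version",
            "TLS 1.0 offered on www.gammaretail.example", date(2023, 3, 1)),
    # Not an insured: must never be alerted or counted.
    Finding("Delta Corp", "Remote Access Services Exposed",
            "SSH (22/tcp) reachable", date(2023, 3, 1)),
]

@dataclass(frozen=True)
class RiskControlProgram:
    name: str
    signals: frozenset          # which signals trigger this program
    message: str                # alert template with {org} and {details} placeholders

REMOTE_ACCESS = RiskControlProgram(
    name="Exposed remote access",
    signals=frozenset({"Remote Access Services Exposed"}),
    message=("{org}: our monitoring shows remote access services reachable from the "
             "internet ({details}). Please restrict them to a VPN or an allow-list "
             "and enable MFA; exposed RDP/VNC is a common ransomware entry point."),
)

def exposed(findings: List[Finding], portfolio: Dict[str, dict],
            program: RiskControlProgram, as_of: date) -> Dict[str, List[Finding]]:
    """Insured orgs with an unresolved finding matching the program on the given day."""
    hits: Dict[str, List[Finding]] = {}
    for f in findings:
        if f.org not in portfolio or f.signal not in program.signals:
            continue
        if f.first_seen > as_of:
            continue
        if f.resolved is not None and f.resolved <= as_of:
            continue
        hits.setdefault(f.org, []).append(f)
    return hits

def build_alerts(findings, portfolio, program, as_of) -> List[dict]:
    """One targeted, actionable alert per exposed insured, addressed to its contact."""
    alerts = []
    for org, fs in sorted(exposed(findings, portfolio, program, as_of).items()):
        details = "; ".join(f.detail for f in fs)
        alerts.append({"to": portfolio[org]["contact"], "org": org,
                       "body": program.message.format(org=org, details=details)})
    return alerts

def burndown(findings, portfolio, program, start: date, end: date) -> List[int]:
    """Number of exposed insureds per day; an effective program trends toward zero."""
    series, d = [], start
    while d <= end:
        series.append(len(exposed(findings, portfolio, program, d)))
        d += timedelta(days=1)
    return series

def demo_alerts() -> List[dict]:
    return build_alerts(FINDINGS, PORTFOLIO, REMOTE_ACCESS, date(2023, 3, 2))

def demo_burndown() -> List[int]:
    return burndown(FINDINGS, PORTFOLIO, REMOTE_ACCESS, date(2023, 3, 1), date(2023, 3, 6))

if __name__ == "__main__":
    for a in demo_alerts():
        print(f"-> {a['to']}\n   {a['body']}")
    print("burndown:", demo_burndown())
```

The two checks worth noticing are the ones that separate a targeted program from a generic one: a finding only counts if the organization is actually in the portfolio, and it stops counting on the day it is resolved, so the burndown reflects remediation rather than the raw volume of scan results.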
Make the Shift to Dynamic Loss Control
It’s time cyber insurers stopped underwriting and crossing their fingers, hoping to avoid losses that were not accounted for. Experts from leading insurers like Chubb and WTW agree that continuous cyber risk monitoring and communication is necessary to proactively manage loss ratios and avoid cyber incidents.
With SecurityScorecard, you can now shift from static to dynamic loss control. Contact us to see our Risk Control workflows in action.