What Drives Cyber Risk? Cyber Insurers and SecurityScorecard Reveal Answers
Seeking to stay ahead of hackers, many researchers have asked themselves what drives cyber risk. And many cyber insurance carriers have wondered how to accurately underwrite and price the risk. According to preliminary results from SecurityScorecard’s joint work with our cyber insurance partners, the answer is clear but multi-faceted.
Adoption of SecurityScorecard amongst the cyber insurance community has grown tremendously in the past couple of years. Our customers represent 35% of the cyber insurance premiums written in the US. We have worked with leading cyber insurance carriers, MGAs, and brokers to perform sophisticated correlation analysis against SecurityScorecard data. Our partners used their proprietary incident (notice of claims) data and enriched it with firmographic data, including NAICS industry codes and company revenue, to build predictive models of what drives risk.
The studies first looked at top level scores and correlated them to notice of claims. It found a clear, strong correlation between claims and SecurityScorecard top level scores. Companies with rating A found much lower notice of claims than those with lower grades.
One of the studies looked at factor scores for companies prior to the incident occurring. The overall data set showed these three factors had statistically significant predictive power:
- Endpoint Security – tracks identification points that are extracted from metadata related to the operating system, web browser, and related active plugins
- Patching Cadence – analyzes how quickly an organization installs security updates to measure vulnerability risk mitigation practices.
- Network Security – checks public datasets for evidence of high risk or insecure open ports within the organization network.
Another set of studies looked at the individual signals that make up SecurityScorecard’s factor scores. The results from this signal study are aligned with the conclusions of the factor score study since four of the five signals that were shown to have statistically significant predictive power are associated with Endpoint Security, Patching Cadence, or Network Security. The most predictive signals were:
- Exposed SMB protocol
- Presence of malware
- Observed common vulnerabilities and exposures (CVE)
- Outdated operating systems
- Exposed remote access service
Ransomware claims have tremendously grown in number and prominence over the period under study. Hence, it is no surprise that Endpoint Security and Patching cadence factors were the most predictive of risk. SecurityScorecard has been partnering with cyber insurance carriers and Managing General Agents (MGAs) globally to help them underwrite and price cyber risk. We are increasingly finding that rating plans based on industry and revenue are insufficient for underwriters looking to create a profitable book of business. Factoring in technical controls leveraging SecurityScorecard factor scores provides a substantial lift.
These are correlations, not causal studies. However, the results do point towards actions both insurers and their clients can take. Cybersecurity ratings data is entirely evidence-based; everything is scored on an underlying observation. Given that we know what cybersecurity data is correlated with incidents and how this data is created, we can provide recommended actions for companies to follow. For example, companies can improve endpoint security by enforcing operating systems and browser updates.
Perhaps most importantly, our study indicates that every stakeholder in the cyber insurance process should use cybersecurity ratings to build their cyber resilience strategies.Insurance underwriters can use ratings to select the most insurable risks and price them accurately. Insurance brokers can use ratings to ensure their clients are ready for underwriting and renewal. Enterprise risk managers can use ratings to develop comprehensive strategies that supplement their insurance coverages.
Best practices on using ratings data
As we work with our carrier, MGA and broker partners globally, we find that top level scores are a good discriminant as you are assessing small businesses. It is also prudent to look at Endpoint Security, Patching Cadence and a handful of other factors to accurately perform risk selection and pricing. As you look at medium and large businesses, risk assessors are digging deeper to understand the risk at factor and signal level. Endpoint Security and Patching Cadence vectors and their associated signals are big drivers of cyber risk. Leveraging our cyber risk quantification capability converts these risk drivers into measurable dollar loss estimates.
Getting started with Security Ratings
No other security ratings provider has made it as easy to use ratings data as SecurityScorecard. We offer two free options:
First is our SecurityScorecard Chrome extension, which lets anyone see a company’s security rating while navigating the web. Underwriters and brokers can leverage this tool to seamlessly incorporate security ratings in their pre-qualification workflows.
The second option is creating a free SecurityScorecard account. These accounts are free forever, enabling enterprise risk managers to understand their factor level scores and gain actionable insights that will help them obtain optimal cyber insurance coverage.
The dynamic and ever-evolving nature of cyber risk is no longer a reason not to be prepared. SecurityScorecard is proud to be sharing these insights and will continue to collaborate with the insurance industry to make the world a safer place from cyber threats.