Case Study: Cyber Insurance
The Role of Cyber Insurers
The massive losses resulting from security breaches have called attention to the role of cyber insurance as a critical part of any risk management plan. While it is understandable that companies want to reduce the cost of a data breach or other security incident, creating the right cyber insurance policy to cover these situations can be a complicated endeavor.
A cyber insurer must look at a plethora of data points to paint a picture of a company’s risk for a security incident and then assess, through a complex process, whether such an incident would incur a financial cost. In this assessment process, where the scope is defined to meet the potential needs of the company, the insurer factors in the company’s overall security posture as one of its data points.
The customer talked to us about how SecurityScorecard (SSC), as a security ratings service, can help contribute to the assessment process by allowing cyber insurers to help customers make more informed decisions about improving their cyber risk posture.
At the customer, a number of information gathering methods, such as questionnaires and conference calls, were used to understand how and if a prospect’s security controls are effectively protecting the organization from potential risk. These same assessment techniques are also applied to the business partners, vendors, and third-party associates of the prospect to better understand whether it is at risk via a third party’s poor security practices.
The customer found that the challenges in the cyber insurance vertical include the fact that there is often simply not enough time or access to ask all the questions that are needed.
The customer was in need of a manageable way to fill in the holes that were a result of time constraints, to validate information that they received through their existing information gathering methods, and to provide additional relevant information that can help paint a picture of a company’s cyber risk posture.
Validation of Other Assessment Techniques & Time-Saving
The customer uses SecurityScorecard’s security rating platform to obtain additional data points as a way to flesh out the information given by prospect questionnaires and calls.
The tool helps the customer in its mission to gather many data points and as much information as possible in the least obtrusive way, in order to understand the comprehensive picture of cyber risk. In short, the customer team uses the SSC platform to help stick to their “Trust but Verify” philosophy.
In addition to helping validate information, using the platform can help with bandwidth constraints by allowing the customer to gather information on its customers without an extensive investment of time and resources.
A Tool for Cybersecurity Awareness
The customer team is not only able to make more informed decisions during the policy period, they are also informing their clients about lessons such as:
- Hackers attack smaller companies too.
- Patch management should be a conscious choice based on risk management.
- Creating good security hygiene is not a point-in-time exercise but rather an effort in consistently proactive behavior.
As the math around quantifying cyber risk becomes increasingly complicated due to the evolving nature of cybersecurity threats, platforms like SecurityScorecard can help by serving as a valuable datapoint that allows cyber insurers to inform their customers of potential risks. For now, the customer has a distinct competitive advantage in its industry – the customer is equipped to make informed decisions about coverage and to add value to their client relationships by using SecurityScorecard’s comprehensive data and insights.