6/11/2018
05:05 PM

Security Ratings Answer Big Questions in Cyber Insurance

More insurers are teaming up with security ratings firms to learn more about their clients, define policies, and determine coverage.

The certainty and severity of cybercrime has driven demand for insurance policies to cover the cost of damage when the inevitable occurs. Insurers, needing a clearer picture of clients' risk so they can create policies and determine coverage, are turning to security ratings firms for help.

As technology has become more complex, so, too, have data breaches, explains Aleksandr Yampolsky, co-founder and CEO at SecurityScorecard. He points to the cloud shift as a turning point for cybersecurity.

"We started seeing an intensification of data breaches," he says. "As a result, companies started calling insurance companies and asking for cyber insurance."

Insurance companies started jumping into the budding space, offering policies to address demand. Now the industry is skyrocketing as companies transfer cyber-risk onto insurers.

Cyber insurance policies are complicated for buyers and sellers alike, and several questions around how to underwrite cyber-risk still remain. Unlike auto or homeowners insurance, there is little continuity from policy to policy in the cyber insurance marketplace. It's difficult to gauge the time, impact, and potential total cost of a security breach using limited information.

"Many of those insurers who offer [cyber] insurance policies have done absolutely no legwork to verify the companies are totally secure," Yampolsky says.

To underwrite cyber-risk, insurers often provide questionnaires in which they ask clients about factors such as business continuity or how they typically handle incidents, such as ransomware attacks. But many of their answers are subjective, Yampolsky says, and most insurers lack insight on historical data loss. What they need is concrete information to inform a growing number of cyber insurance policies, and they're finding it through partnerships in the cybersecurity space.

Dynamic Duo
Indeed, a new trend sees cyber insurers teaming up with security ratings firms to get the data they need to create policies. A recent partnership came from AXA and SecurityScorecard, which will provide AXA underwriters with both a risk rating and a view into their clients' security posture.

"What I see more and more is discovery and ratings are key tools to accelerate the decision-making process," says AXA partner Sebastien Loubry. The tools used by ratings firms to gauge security posture will inform insurers' policy decisions.

"We can't predict when they'll get breached but can measure good and poor security practices," Yampolsky says. SecurityScorecard monitors 200,000 businesses and rates them on a scale from A to F. Every security breach correlates with a letter grade; firms with poor marks (D or F) are 5.4 times more likely to be breached than those with an A or B security rating.

He refers to April's Panera Bread security incident as an example. "We weren't particularly surprised," he says. Panera had consistently trended below the industry average; as a result, it suffered a breach. Newtek, which also scored poorly, was breached in February.

SecurityScorecard uses outside indicators to gauge a firm's security habits. Yampolsky likens the process to assessing a person's physical health: If you see someone who is coughing, flushed, and overweight, you can reasonably guess that person is not in the best health. You can't predict when he'll get sick, but outside signals show his lifestyle could be improved.

To assess security health, the ratings firm collects signals across 10 categories of risk: network security, DNS health, patching frequency, endpoint security, IP reputation, Web application security, exposed admin portals, hacker forums, leaked credentials, and social engineering. Threat actors are also watching these; if they notice something amiss, they'll succeed, he says.

"The most relevant part for the insurance company is the level of protection that's put around the data," AXA's Loubry says. The better a client protects its data, the lower the risk for an insurer. This is especially relevant in Europe, he notes, with the onset of GDPR.

Data Drives Security Improvement, Loss Control
The partnership between AXA and SecurityScorecard is neither the first of its kind, nor will it be the last. Jake Olcott, vice president of strategic partnerships for security ratings firm BitSight, points to three main use cases for security ratings in cyber insurance.

The first, as previously mentioned, is understanding clients' security posture: collecting quantitative measurements, analyzing performance over time, and using that data to create and price policies. Ratings firms collect data after a breach, and what they find can help clients lessen the risk of future attacks through portfolio management.

"When some of these incidents break out – WannaCry or the MongoDB vulnerability being exploited – with any name-brand vulnerabilities, people get concerned about how it will impact their portfolio," Olcott says.

In the second use case, carriers can leverage BitSight's data to see how many underwritten companies are experiencing WannaCry today. Olcott calls it "accumulation risk," or seeing how an incident accumulates across different parts of an insurer’s portfolio. Insurance companies can use this data to determine the extent and severity of a threat. Aggregation risk, a separate measurement, looks at how different policies all commonly depend on a third-party service provider like Amazon or Azure.
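To make the distinction between the two measurements concrete, here is an added example (not code from the article, from BitSight or from SecurityScorecard): a small Python model of an insurer's portfolio in which accumulation risk is the count and insured limit of policies currently showing a named exposure (WannaCry, in Olcott's example), and aggregation risk is how many policies share a dependency on the same third-party provider. The insured names, limits, exposure tags and provider dependencies are constructed sample data; a carrier would feed these fields from a ratings vendor rather than hard-coding them.

```python
"""Added example: toy portfolio model for the two risk views the article
distinguishes. All portfolio data below is constructed, not real."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Policy:
    insured: str
    limit_usd: int                                 # policy limit, used to size exposure
    exposures: set = field(default_factory=set)    # externally observed exposure tags
    providers: set = field(default_factory=set)    # third-party services the insured depends on


# Constructed sample portfolio (hypothetical insureds and numbers).
PORTFOLIO = [
    Policy("Acme Manufacturing", 5_000_000, {"wannacry"}, {"azure"}),
    Policy("Beacon Health", 10_000_000, {"wannacry", "mongodb-open"}, {"amazon"}),
    Policy("Cobalt Retail", 2_000_000, set(), {"amazon", "azure"}),
    Policy("Delta Logistics", 1_000_000, {"mongodb-open"}, {"amazon"}),
    Policy("Echo Finance", 20_000_000, set(), set()),
]


def accumulation_risk(portfolio, incident):
    """Accumulation risk: policies currently showing the named exposure,
    with the share of the book and the summed limit that one incident touches."""
    hit = [p for p in portfolio if incident in p.exposures]
    return {
        "incident": incident,
        "policies_hit": len(hit),
        "share_of_portfolio": len(hit) / len(portfolio),
        "limit_at_risk_usd": sum(p.limit_usd for p in hit),
        "insureds": sorted(p.insured for p in hit),
    }


def aggregation_risk(portfolio):
    """Aggregation risk: for each third-party provider, how many policies
    (and how much insured limit) would be affected if that provider failed."""
    count = Counter()
    limit = Counter()
    for p in portfolio:
        for prov in p.providers:
            count[prov] += 1
            limit[prov] += p.limit_usd
    return {prov: {"policies": count[prov], "limit_usd": limit[prov]} for prov in count}


def most_concentrated_provider(portfolio):
    """Provider whose outage would touch the largest insured limit, or None."""
    agg = aggregation_risk(portfolio)
    return max(agg, key=lambda prov: agg[prov]["limit_usd"]) if agg else None


if __name__ == "__main__":
    print(accumulation_risk(PORTFOLIO, "wannacry"))
    print(aggregation_risk(PORTFOLIO))
    print(most_concentrated_provider(PORTFOLIO))
```

The two functions answer different questions: `accumulation_risk` is re-run against live exposure data whenever a named incident breaks, while `aggregation_risk` is a structural property of the book that changes only as policies or their dependencies change.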

The third use case is loss control. More insurers are interested in improving their clients' security posture after a policy is signed. Sure, they want to know about security habits before the policy is created, but they also want security to continue being top of mind. Olcott says more companies are working with vendors and supply chain partners to improve security.

"We see a lot of carriers focusing on this," he explains. "They want to work directly with their customers on ways to improve: How do we improve? How do we mitigate breaches as best we can? How do we identify things quickly?"


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
