
Vulnerabilities / Threats

6/11/2018
05:05 PM
Security Ratings Answer Big Questions in Cyber Insurance

More insurers are teaming up with security ratings firms to learn more about their clients, define policies, and determine coverage.

The certainty and severity of cybercrime has driven demand for insurance policies to cover the cost of damage when the inevitable occurs. Insurers, needing a clearer picture of clients' risk so they can create policies and determine coverage, are turning to security ratings firms for help.

As technology has become more complex, so, too, have data breaches, explains Aleksandr Yampolsky, co-founder and CEO at SecurityScorecard. He points to the cloud shift as a turning point for cybersecurity.

"We started seeing an intensification of data breaches," he says. "As a result, companies started calling insurance companies and asking for cyber insurance."

Insurance companies started jumping into the budding space, offering policies to address demand. Now the industry is skyrocketing as companies transfer cyber-risk onto insurers.

Cyber insurance policies are complicated for buyers and sellers alike, and several questions around how to underwrite cyber-risk still remain. Unlike auto or homeowners insurance, there is little continuity from policy to policy in the cyber insurance marketplace. It's difficult to gauge the time, impact, and potential total cost of a security breach using limited information.

"Many of those insurers who offer [cyber] insurance policies have done absolutely no legwork to verify the companies are totally secure," Yampolsky says.

To underwrite cyber-risk, insurers often provide questionnaires in which they ask clients about factors such as business continuity or how they typically handle incidents, such as ransomware attacks. But many of their answers are subjective, Yampolsky says, and most insurers lack insight on historical data loss. What they need is concrete information to inform a growing number of cyber insurance policies, and they're finding it through partnerships in the cybersecurity space.

Dynamic Duo 
Indeed, a new trend sees cyber insurers teaming up with security ratings firms to get the data they need to create policies. A recent partnership came from AXA and SecurityScorecard, which will provide AXA underwriters with both a risk rating and a view into their clients' security posture.

"What I see more and more is discovery and ratings are key tools to accelerate the decision-making process," says AXA partner Sebastien Loubry. The tools used by ratings firms to gauge security posture will inform insurers' policy decisions.

"We can't predict when they'll get breached but can measure good and poor security practices," Yampolsky says. SecurityScorecard monitors 200,000 businesses and rates them on a scale from A to F. Every security breach correlates with a letter grade; firms with poor marks (D or F) are 5.4 times more likely to be breached than those with an A or B security rating.

He refers to April's Panera Bread security incident as an example. "We weren't particularly surprised," he says. Panera had consistently trended below the industry average; as a result, it suffered a breach. Newtek, which also scored poorly, was breached in February.

SecurityScorecard uses outside indicators to gauge a firm's security habits. Yampolsky likens the process to assessing a person's physical health: If you see someone who is coughing, flushed, and overweight, you can reasonably guess that person is not in the best health. You can't predict when he'll get sick, but outside signals show his lifestyle could be improved.

To assess security health, the ratings firm collects signals across 10 categories of risk: network security, DNS health, patching frequency, endpoint security, IP reputation, Web application security, exposed admin portals, hacker forums, leaked credentials, and social engineering. Threat actors are also watching these; if they notice something amiss, they'll succeed, he says.

"The most relevant part for the insurance company is the level of protection that's put around the data," AXA's Loubry says. The better a client protects its data, the lower the risk for an insurer. This is especially relevant in Europe, he notes, with the onset of GDPR.

Data Drives Security Improvement, Loss Control
The partnership between AXA and SecurityScorecard is neither the first of its kind, nor will it be the last. Jake Olcott, vice president of strategic partnerships for security ratings firm BitSight, points to three main use cases for security ratings in cyber insurance.

The first, as previously mentioned, is understanding clients' security posture: collecting quantitative measurements, analyzing performance over time, and using that data to create and price policies. Ratings firms collect data after a breach, and what they find can help clients lessen the risk of future attacks through portfolio management.

"When some of these incidents break out – WannaCry or the MongoDB vulnerability being exploited – with any name-brand vulnerabilities, people get concerned about how it will impact their portfolio," Olcott says.

In the second use case, carriers can leverage BitSight's data to see how many underwritten companies are experiencing WannaCry today. Olcott calls it "accumulation risk," or seeing how an incident accumulates across different parts of an insurer’s portfolio. Insurance companies can use this data to determine the extent and severity of a threat. Aggregation risk, a separate measurement, looks at how different policies all commonly depend on a third-party service provider like Amazon or Azure.

The third use case is loss control. More insurers are interested in improving their clients' security posture after a policy is signed. Sure, they want to know about security habits before the policy is created, but they also want security to continue being top of mind. Olcott says more companies are working with vendors and supply chain partners to improve security.

"We see a lot of carriers focusing on this," he explains. "They want to work directly with their customers on ways to improve: How do we improve? How do we mitigate breaches as best we can? How do we identify things quickly?"


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...