6/11/2018
05:05 PM

Security Ratings Answer Big Questions in Cyber Insurance

More insurers are teaming up with security ratings firms to learn more about their clients, define policies, and determine coverage.

The certainty and severity of cybercrime has driven demand for insurance policies to cover the cost of damage when the inevitable occurs. Insurers, needing a clearer picture of clients' risk so they can create policies and determine coverage, are turning to security ratings firms for help.

As technology has become more complex, so, too, have data breaches, explains Aleksandr Yampolsky, co-founder and CEO at SecurityScorecard. He points to the cloud shift as a turning point for cybersecurity.

"We started seeing an intensification of data breaches," he says. "As a result, companies started calling insurance companies and asking for cyber insurance."

Insurance companies started jumping into the budding space, offering policies to address demand. Now the industry is skyrocketing as companies transfer cyber-risk onto insurers.

Cyber insurance policies are complicated for buyers and sellers alike, and several questions around how to underwrite cyber-risk still remain. Unlike auto or homeowners insurance, there is little continuity from policy to policy in the cyber insurance marketplace. It's difficult to gauge the time, impact, and potential total cost of a security breach using limited information.

"Many of those insurers who offer [cyber] insurance policies have done absolutely no legwork to verify the companies are totally secure," Yampolsky says.

To underwrite cyber-risk, insurers often provide questionnaires in which they ask clients about factors such as business continuity or how they typically handle incidents, such as ransomware attacks. But many of their answers are subjective, Yampolsky says, and most insurers lack insight on historical data loss. What they need is concrete information to inform a growing number of cyber insurance policies, and they're finding it through partnerships in the cybersecurity space.

Dynamic Duo
Indeed, a new trend sees cyber insurers teaming up with security ratings firms to get the data they need to create policies. A recent partnership came from AXA and SecurityScorecard, which will provide AXA underwriters with both a risk rating and a view into their clients' security posture.

"What I see more and more is discovery and ratings are key tools to accelerate the decision-making process," says AXA partner Sebastien Loubry. The tools used by ratings firms to gauge security posture will inform insurers' policy decisions.

"We can't predict when they'll get breached but can measure good and poor security practices," Yampolsky says. SecurityScorecard monitors 200,000 businesses and rates them on a scale from A to F. Breach likelihood correlates with the letter grade: firms with poor marks (D or F) are 5.4 times more likely to be breached than those with an A or B security rating.

He refers to April's Panera Bread security incident as an example. "We weren't particularly surprised," he says. Panera had consistently trended below the industry average and subsequently suffered a breach. Newtek, which also scored poorly, was breached in February.

SecurityScorecard uses outside indicators to gauge a firm's security habits. Yampolsky likens the process to assessing a person's physical health: If you see someone who is coughing, flushed, and overweight, you can reasonably guess that person is not in the best health. You can't predict when he'll get sick, but outside signals show his lifestyle could be improved.

To assess security health, the ratings firm collects signals across 10 categories of risk: network security, DNS health, patching frequency, endpoint security, IP reputation, Web application security, exposed admin portals, hacker forums, leaked credentials, and social engineering. Threat actors are watching the same signals; if they notice something amiss, they'll succeed, he says.

"The most relevant part for the insurance company is the level of protection that's put around the data," AXA's Loubry says. The better a client protects its data, the lower the risk for an insurer. This is especially relevant in Europe, he notes, with the onset of GDPR.

Data Drives Security Improvement, Loss Control
The partnership between AXA and SecurityScorecard is neither the first of its kind, nor will it be the last. Jake Olcott, vice president of strategic partnerships for security ratings firm BitSight, points to three main use cases for security ratings in cyber insurance.

The first, as previously mentioned, is understanding clients' security posture: collecting quantitative measurements, analyzing performance over time, and using that data to create and price policies. Ratings firms collect data after a breach, and what they find can help clients lessen the risk of future attacks through portfolio management.

"When some of these incidents break out – WannaCry or the MongoDB vulnerability being exploited – with any name-brand vulnerabilities, people get concerned about how it will impact their portfolio," Olcott says.

In the second use case, carriers can leverage BitSight's data to see how many underwritten companies are experiencing WannaCry today. Olcott calls it "accumulation risk," or seeing how an incident accumulates across different parts of an insurer’s portfolio. Insurance companies can use this data to determine the extent and severity of a threat. Aggregation risk, a separate measurement, looks at how different policies all commonly depend on a third-party service provider like Amazon or Azure.

The third use case is loss control. More insurers are interested in improving their clients' security posture after a policy is signed. Sure, they want to know about security habits before the policy is created, but they also want security to continue being top of mind. Olcott says more companies are working with vendors and supply chain partners to improve security.

"We see a lot of carriers focusing on this," he explains. "They want to work directly with their customers on ways to improve: How do we improve? How do we mitigate breaches as best we can? How do we identify things quickly?"


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...