How to Improve Your Cyber Insurance UnderwritingReading time: 9 minutes
Cyber attacks can and do happen, and they happen all the time. There are all kinds of different attacks and threats you can encounter on the Internet, to the extent that we've even written about the most common network security threats. This has inevitably led to cyber risk coverage as an important and growing market.
With the growing digitalization of all industries, all SMBs and larger enterprises depend on their computer systems and networks. By relying greatly on them, they invite the threat of cyber security breaches, that not only bring financial loss but can often break an SMB and lead a company to its demise.
- Growth of cyber insurance
- Slow development of cyber insurance industry
- Top 4 tips to improve your cyber insurance underwriting
Growth of cyber insurance
Even if the cyber insurance field has issues that are more than apparent, we're witnessing its rise and gaining a better understanding of the market.
According to reports, the cyber insurance market accounted for $4.2 billion in 2017 and is expected to reach $22.8 billion globally by 2024.
With all that investment involved, the cyber insurance industry might seem like a work in progress — for some, it seems that the industry's standards, and their rate of improvement, are not up to par.
Available data for cyber risk underwriting remains in its early states, keeping underwriters and insurers far from creating a standardized and established strategy for assessment and pricing.
However, cyber insurance underwriters, like all insurance underwriters, need to determine a potential policy buyer's risk profile and whether that risk fits within the insurer's risk appetite. In addition, underwriters must be able to accurately price policies in a way that is commensurate with the risk, but not prohibitively expensive.
Underwriters often encounter challenges in these tasks, mainly because they are not properly trained or equipped to understand the complexity of a potential insured's cyber risk.
Slow development of cyber insurance industry
What are some of the barriers that are holding back the true potential of cyber insurance underwriting?
Lack of industry standards
In the cyber insurance industry, the management and analysis of data collected is not the same across all insurers. This creates an issue when capturing points for the underwriting application since there is no commonly adopted data classification and security rate scoring map.
The insurers are not just capturing different data, but the data they capture is not continuous and contextualised. It's one thing if you ask a company if they enforce their security policy and train employees to understand what is sensitive internal data and how it's handled, and another to actually check that — by doing penetration tests, launching phishing simulations to see how the company's staff holds up.
What is really important on the businesses' side is to enforce an evaluation of their existing security policies so they can claim with certainty that there is clear information about data that requires protection.
The continuity of assessment of cyber risks is crucial. One year of increasing the maturity of a company with technology and digitalization can make a significant difference.
Limited historical data
Another challenge that comes hand-in-hand with managing collected data from companies is that there is limited historical data on security risks and vulnerabilities. The inaccuracy of historical data is sometimes a result of dishonesty by the company itself, with a culture that internally protects information about its breaches. Also, the high level of complexity of these risks and breaches can lead to the company's lack of understanding their severity, so much so that company representatives might not even mention them, mistakenly thinking of them as minor. In addition, it's highly likely that their computer and network systems have already been exposed but the company isn't aware of it.
No appropriate pricing schemes
Both the lack of industry standards and limited access to correct data lead to cyber insurance insurers' and underwriters' inability to create an appropriate pricing scheme, one that would not only protect the insurer by providing accurate coverage, but also the client — premium cyber insurance is pricey, but it should have controlled and standardized pricing.
With so many gaps to fill before achieving the highest level of coverage and continuity with cyber insurance, underwriters need to accurately assess cyber risk. A good starting point is to look at other types of insurance and how they assess the risk.
You are assessing something that is fluid, just as you would with life insurance. Assessing someone's health means that at that moment in time, there's no guarantee that it will stay the same; there is a need to assess lifestyle and history to best predict what may come in the future.
You shouldn't trust your client completely. As we mentioned, there may be instances of cyber security risks they don't realise were major, or they may even not mention them due to enforced company policies. What needs to be taken is an empirical approach, based on proven evidence about their security “hygiene” and policies.
And just as you know that health and lifestyle threats aren't always visible, cyber threats can be hidden within their computer networks, going undetected until you start your underwriting process.
Top 4 tips to improve your cyber insurance underwriting
The cyber insurance underwriting process can be long and exhaustive because it needs to be so detailed. But taking all the right steps and covering all the important data will help to create optimal coverage and cost. The threat intelligence needed to offer the best insurance and protection against financial and data losses can be overwhelming, but we're here to help you on your journey. Here are 4 important tips for you to consider:
Asking companies about their endpoints, servers and encryptions is part of the norm, and should always be included in the underwriting process. However, when you include questions about known previous security threats and breaches, the answers will not provide true and relevant information without validation from a third party. As we've mentioned, malware and security threats can be left undetected for long time before you start your testing for underwriting purposes.
The questions you need to ask the company should depend on what type of insurance and coverage they need.
To complete the process accurately, honesty is needed from both sides. While it sounds like one of those “easier said than done” situations since you're not able to force honesty from your client, showing professionalism, explaining the process from start to finish, asking the right questions and showing the client all the ways in which honest responses from them will help will be mutually beneficial. The client should be open with you about their security protocols, history of security breaches, disaster recovery systems and organization policies. Accurate data should also include information on the quantity of company's data on their internal network.
Listing all the domains the company has as well as their subdomains, certificates, port scanning and all hostnames pointing to IP blocks the company owns are of critical importance to getting the best picture of a company's infrastructure. Sometimes it isn't possible to obtain all that information by merely asking your clients, so you may need to dig deeper. By auditing internal infrastructure, examining networking and server systems you will one step ahead in accessing sensitive data, so then you can work on your attack surface reduction strategy. Collecting that stuff that is even publicly available about a company, that most skip over just because it can appear too “obvious”, should not be skipped because those are the information that attackers are most likely to exploit first.
Talk with the right people
The underwriting process is difficult in itself, but you can make it much more efficient and less complicated by engaging the right people. For the underwriting to be performed extensively, and to ensure you have the right people telling you the right information, it's important to engage the CISO, IT department, CFOs, risk managers, legal department and the marketing team.
Know the industry for which you are handling cyber security
Even if cyber insurance is new and just being formatted, and it's hard to have extensive knowledge in any one specific industry, you may eventually find yourself drawn to, and more comfortable in, one type of business.
To improve your cyber insurance underwriting, work with companies closely related to the industry you are most familiar with — so you can most accurately assess what kind of coverage is necessary.
Third-party cyber security companies
Collecting accurate data and getting information about the history of a company's breaches can be tough without involving third-party organizations. But with the number of technologies and companies aimed towards assessing cyber security risks, getting help from one is a logical step while you are in the process of insurance underwriting.
You, as a cyber security underwriter, should leverage these companies providing cyber threat intelligence data for businesses, and choose the one with the best track record and technologies to help you create an accurate cyber risk profile for your client. Making use of OSINT will also help for a better cyber risk profile, so be sure to check out how you can use it to your advantage.
By partnering with these companies, you'll have access to all relevant, up-to-date and historical threat intelligence data about the company you are underwriting for. Whether it's about their domains, open ports, any type of DNS record or secret their historical data can keep, having this as your underwriting tool will not only make your job easier, it will also provide insight you might not be able to get on your own. You are able to investigate the entire surface area of a company, with information that are publicly available, making them an easy threat for impending attacks.
You'll have a clearer picture of possible damages that can affect your client, allowing you to organize the most appropriate insurance coverage for the client and the cost of the insurance itself.
You can always go with SecurityTrails and our SurfaceBrowser for passive intelligence data about your client's internal infrastructure and surface area, whether you are auditing main domains, associated domains and subdomains, open ports across all IP ranges, PTR records and all SSL certificate information available about a company. You can find it all in the SurfaceBrowser using an intuitive interface and our algorithm that gives you all relevant data with no need to further typing and searching. Researching and obtaining all that intelligence data will help you avoid any stale DNS records that can be exploited in the future, or use reverse DNS to uncover critical information about the company's infrastructure. All you need is to type in a domain or a company you are interested in, and you can then easily analyze any data you can possibly need about your own organization or any other company, so you are sure the full audit on all publicly exposed data is ensured.
Even if this industry is still in its early days, the predictions for prospects of cyber insurance are looking bright and cyber insurance underwriting will only grow as a sought-after career. While the market is developing and demand is rising, you as an underwriter have the chance to further your knowledge, catch up on all the right tips and tricks for creating the most accurate cyber risk profiles, and find partners in companies that offer all the intelligence data needed for your high-quality process.
SecurityTrails is devoted to providing all the data you need and in the way you need it. We build customer solutions for our enterprise clients and everyone else who needs customized cyber intelligence data. Check out our SurfaceBrowser and Feeds page, specifically designed for cyber insurance underwriting and providing all the necessary data on a target company.