This piece is by Thomas Johnson head of threat intelligence for TacitRed, based in Irvine, California, and was a lead cybersecurity engineer at Coalition Inc., a leading cyber insurance and security company based in San Francisco.
What was once thought to be a small segment within the insurance industry, cyber insurance – also known as cyber risk insurance – is now considered to be the fastest-growing subsector of the global insurance market. In 2023 there were over 1,800 cyber claims, and cyber insurance premiums reached about $12 billion. According to S&P Global Rating, those premiums are estimated to increase to $20 billion by the end of 2024.
As the cyber insurance industry grows, controlling losses by underwriting intelligently is more important than ever to build a profitable book of business. Underwriters must be prepared to effectively handle increased demand and an ever-changing threat landscape. Like any underwriting process, it involves evaluating applicants to be certain the policy offers reasonable protection to both the insured and the insurer. But unlike other insurance, cyber is particularly complex, fast-paced, and highly technical. As a result, underwriters must conduct an even more thorough evaluation of applicants (and their potential risks) in order to create a cybersecurity insurance policy that provides all the necessary protections.
Cyber insurance underwriters should consider following the steps below to ensure they are creating a robust policy.
- Identify & Analyze Business Risk: The foundation of any sound insurance policy is an understanding of business risk. For cyber insurance, this means gaining an understanding of an applicant’s business, cybersecurity measures, compliance, and vulnerabilities. Beyond an applicant’s assertions of security certifications, policies, and adherence to compliance mandates, the underwriter must consider how vulnerabilities, misconfigurations, and active exposures might pose a threat to the organization.
For example, a data breach is more severe for a data aggregator that lacks security controls. It is extremely important to translate the risk from technical controls to the business model of an applicant.
- Technological Assessment: Beyond organizational risks, it’s vital for cyber underwriters to identify, review, and assess where evident vulnerabilities and security threats exist on the proposed applicant’s external attack surface. Even more important is to understand which of these threats may materialize into a cyber incident or if exposures are actively being exploited. Cyber insurance underwriters must know what the technological environment of an insured looks like and identify potential claims vectors.
This process is becoming more time-consuming, difficult, and costly in today’s digital age. Oftentimes, the best option is to identify and enlist a suite of threat intelligence and attack surface management tools that can help support the research process. This enables the underwriter to develop a rich knowledge and understanding of the cyber landscape.
- Continuous Monitoring: According to Coalition’s 2024 Cyber Claims Report, over the past three years, cyber insurance claims have increased by over 100% and payouts have increased a total of 200%. A potential reason for this is insufficient monitoring. An example of this is when underwriters limit their research to a manual search of past data breaches/other events of cyber security. Unfortunately, this often does not yield a complete picture of the applicant’s history and could result in insuring a risky applicant that is perceived as low-risk.
To avoid this, cyber underwriters need to have access to continuous monitoring, which gives them actionable intelligence about the dynamic cybersecurity landscape. Without having these insights and data readily available, it is incredibly challenging to assess and price accurately.
- Underwriter Analysis Armed with the right data and information, a cyber underwriter must review, evaluate, and analyze risk. Only then can they provide a recommendation to the insurer as to whether the applicant is worth the policy, the investment, and the risk. It is imperative that an underwriter can derive meaning from both the technical and organizational data provided. Underwriters need to be able to properly understand what risks can materialize into cyber incidents, and which underwriting indicators can predict loss. Excellent underwriting means going beyond typical assessments of a company’s level of risk (like financial stability), to predicting what the next major loss vector is in the industry.
For the underwriter and insurer, the best cyber insurance policyholder is one that stays up to date with industry best practices, policies, and regulations, and enacts them swiftly. One way that cyber insurance underwriters can see how policyholders are following best practices is to use a modern external attack surface management (EASM) solution to determine the riskiness of their external attack surface. The solution enables them to gain a more realistic assessment of the client’s security posture and extent of cyber risk. It provides assessment efficiencies for the underwriter. Most importantly, it enables the underwriter to help their clients navigate typically complex regulatory environments to provide effective coverage.
A robust cyber risk insurance policy—that is good for both the insurer and the insured—is the product of thorough research and a subsequent evaluation of both internal and external risk factors of the applicant. Through the process of these risk factors and continuously monitoring for the latest cyber threat developments, the underwriter can develop a sound policy that all elements of the applicant’s attack surface into account.
Be the first to comment