Do as cyber insurers say, not as they do: insurers show weak links

A full one quarter of the top UK insurers are too lax on cyber security to clear the bar set by their own industry to qualify for cyber coverage requirements, a cyber security analysis and ratings firm has indicated.

“26% of the top 50 UK insurers have such poor cyber ratings that they would struggle to get cyber insurance for themselves,” according to an analysis by US-based cyber-ratings firm SecurityScorecard.

“Insurers setting standards that they cannot meet themselves could damage the credibility of those insurers whole,” SecurityScorecard’s director of insurance solutions, Chris Scott, said.

The industry stance against the single-greatest threat channel is lacking: 52% of all major breaches throughout 2022 came via a breach of a third party vendor within the digital supply chain. But insurers seem blasé.

Reviewing the posture of the UK’s Top-50 by premium ahead of a pending industry and regulator roundtable on cyber-security, SecurityScorecard found that half the field is exposed to third-party entities that have experienced a domain breach just between late January into May. Some 42% of the third party vendors that the top 50 UK insurers work with have a C-grade cyber rating or lower.

Overall, a majority of the field does have a defensible position. On the SecurityScorecard ratings scale, 40% of the UK Topo-50 are A-grade and 34% are B-grade, the firm claimed. Some 24% are C-grade and 2% D-grade, both levels “are significantly more likely to experience a breach” than their A- and B- peers.

“Third-party due diligence is a big focus topic for underwriters and this demonstrates a disparity between how insurers approach deployment of capital and manage their own risk,” Scott said. “This will likely be a big focus of regulation, so they need to think about how they address this at scale.”

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.