Cyber threats are insidious. The first indication many organizations receive that they have a cyber vulnerability is when they are victims of an attack. Developing a fully staffed and equipped cyber resilience team internally can prove prohibitively expensive and, in the past, businesses have relied on their insurers as the solution of last resort—paying out when the damage is done.
Now the tide has turned and insurers are actively requiring their insureds to develop a robust cyber security strategy. But this still presents a challenge for many who struggle to understand where they most urgently need to act.
In the upcoming webinar, Translate Cyber Ratings Into Positive Underwriting Outcomes and Reduce Claims, BitSight cyber insurance thought leader Aaron Aanenson and a panel of experts from Everest Insurance, CFC, Beazley and Vantage Risk will delve into how insurers can overcome the challenge of writing profitable cyber coverage. It will explore the role of cyber ratings, look into the tools and tactics to reduce the incidence of claims and demonstrate how carriers can help their customers improve their cyber security practices.
Intelligent Insurer took some time to speak to Aanenson ahead of the webinar to understand exactly what cyber ratings look like, how they could be instrumental in helping underwriters make better decisions faster and how insurers can help their insureds to improve their ratings for better insurance outcomes.
Q: Why is now the right time to think about cyber ratings?
A: Although cyber ratings have been around for over 11 years, we’re now starting to see them used prolifically across the business world. Cyber ratings are used to inform decision makers around which vendors to use because, as we know, vendors are a security risk. So, cyber ratings are used to inform organizations’ procurement processes. They’re also being used to inform credit ratings, recognizing that cyber security can have a tangible impact on financial performance. As this area continues to mature, there’s a recognition that cyber security ratings are important across a lot of different use cases.
Q: How do companies go about acquiring a healthy cyber rating?
A: A helpful analogy is consumers who track their credit ratings ahead of applying for a mortgage or a loan. They want to be aware of all the things that might impact that score. We take the same approach and make some recommendations, knowing that cyber ratings are an integral part of business decision making. It’s important to be aware of what’s in these reports and make sure they’re a fair reflection of the security program that’s in place, but also to use the results to make improvements, which in turn improve the BitSight rating.
Q: Why is it so important to get the message of cyber preparedness across?
A: Insurance carriers are the closest to incident data because they’re the ones that get the claims. Often, information about cyber incidents isn’t publicized. Through the various studies we do with either brokers or carriers themselves, we’re able to fine-tune our cyber rating criteria so that the rating itself conveys the predictability of a breach in the future. It’s fairly accurate in predicting future breach potential.
There has been a lack of transparency in what is driving cyber insurance underwriting decisions. BitSight provides some of the inputs underwriters use to evaluate cyber risk. Since insureds can easily access the BitSight risk data that their underwriters see, they have the ability to remediate or dispute the findings in the report either prior to application or during the policy period to improve underwriting outcomes in the future.
Q: What is the ideal level of information carriers should seek from their insureds to be able to issue policies confidently?
A: It’s impossible to get cyber risk to zero because the cost to achieve that just doesn’t make business sense. There is always going to be some residual risk left after security controls are implemented. And that’s the purpose of cyber insurance—to protect against that little bit of risk that remains. There was a time when cyber insurance was underpriced and it made a lot more sense for risk managers and CISOs to spend, for example, tens of thousands of dollars on a cyber policy, rather than a million on enhanced cyber security controls. But the carriers today want to see that organizations have made the right amount of effort and investment to avoid simple, common cyber threats.
So, the ideal insured is one that has taken steps to mitigate the risk of severe, high frequency cyber incidents with good security controls so that insurance is reserved for cyber incidents in the rare chance that good cybersecurity fails.
Q: What do you hope attendees will take away from this webinar?
A: We want to dispel some myths about the role of cyber ratings in the insurance process. Ultimately, we want to be a partner in the cyber insurance ecosystem and sometimes we’ve been perceived as a barrier. Our goal is to help organizations improve their security, based on the things we know are vital to a good cyber security program, using simple metrics that are easy to understand.
The session is really designed to help insurers understand what’s driving cyber ratings so they can help their insureds better plan for cyber security investments and obtain the best insurance outcomes. We want carriers and brokers to be comfortable with data that we provide to them so that they can feel empowered to deliver this information to their clients who have a strong voice that resonates with the senior leadership that controls the budgets and influences investments within those organizations.
Join BitSight’s Aaron Aanenson and other market-leading experts to learn how to ‘Translate Cyber Ratings Into Positive Underwriting Outcomes and Reduce Claims’ in this webinar on Tuesday, Dec 06 2022 at 4:00 PM GMT. Join here: https://www.brighttalk.com/webcast/16535/560545