Insurance companies use information gathered from cyberattacks and data breaches to formulate risk profiles. But because a cybersecurity incident does not always stem from poor security practices, insurers and brokers are doing their homework.
While insurance providers and brokers are leveraging technology — big data, AI and predictive analytics, among others — to improve the underwriting of risk, they are also relying on information security providers to quantify it. Cyence, BitSight, SecurityScorecard and Guidewire are among the companies that rate a company's cyber hygiene.
Insurance providers can assess software associated with risk and either deny coverage or increase premiums. Insurers devise policies and premiums by assessing the risk of an organization's technology use, consistency in patching, the size of a company and what sector it resides in, among other factors.
"Everything is bucketed," said Keith Bergin, business development executive at West Monroe. Bergin was previously an SVP and cyber liability and technology E&O leader at Marsh.
An insurer will place a company's use of multifactor authentication in one bucket, or the lack of it in another. "But at a high level, the insurance marketplace doesn't have the manpower to get into the weeds around this technical detail," he said.
From the day insurers write a policy through its term expiration, there is too much volatility for insurance providers to adequately capture risk. Instead, insurers can consider the tools a company uses, and how it configures them, to adjust premiums.
If an exploit is spreading in the wild, it is a policyholder's willingness to mitigate, not the mere presence of the vulnerability, that determines whether the premium goes up.
The majority of organizations, 87%, consider the number and type of internal IT vulnerabilities when measuring risk, according to a Marsh Microsoft Global Cyber Risk Perception Survey of 1,500 global respondents in 2019. Only half of respondents said they consider how likely their controls are to be effective. Organizations focused on technical details during risk assessments rather than on remediation or other liabilities, according to the report.
Insurers also rely on data from service providers to catch what an insurance application, filled out by the client, may unintentionally get wrong. "If we can find critical issues, so can an attacker," said Rotem Iram, founder and CEO of insurance company At-Bay. At-Bay performs an assessment of a potential client, evaluating the solutions it uses.
For your consideration
Companies that were subject to high-profile vulnerabilities, including SolarWinds Orion and Microsoft Exchange, likely won't be penalized by insurers, according to Bergin. If premiums go up for policyholders, it is likely because they were unwilling or unable to mitigate the exploits.
"As more of these application or product exploits create vulnerability or loss, aggregating across carrier portfolios, they become factors in the trend toward hardening cyber liability premiums from a market-wide perspective," said Bergin.
It's up to insurers to maintain continuous evaluation and underwriting throughout the life of a policy. "Make insurance premium pricing contingent on reliable evidence of cybersecurity practices," said Shauhin Talesh, law professor at the University of California Irvine School of Law, during a conference presented by the University of Connecticut Insurance Law Center and the University of Minnesota Law School in March.
"Fortunately, there are actually some companies that are starting to do that," which will position insurers with more meaningful means of intervention, he said.
For example, the email platforms companies use play a role in premium evaluations because email is the most common and most successful attack vector.
"Technology choices contribute to risk and some software is worse than others," said Iram. In some cases, it's better for companies to avoid an entire class of software.
"We have a duopoly of two vendors of email, Microsoft and Google, and they know how to stop these issues," said Iram, during the conference. As an insurance company, At-Bay wants to know whether a company uses Microsoft Office 365, and whether it has configured security settings beyond the defaults.
This is how the insurance industry can create a sense of accountability between customers and service providers, but the industry isn't there yet. Security controls are available to customers, but they may be switched off in favor of user experience. User tolerance has taken the place of security in many areas of IT.
Otherwise "we will punish you for having selected that software, we will provide you with narrower coverage at higher prices," said Iram. However, "we will explain exactly why and how you can fix it. You don't have to replace Office."