In recent years, the growing number of high-profile and large-scale cyber attacks—WannaCry, NotPetya, Log4j, ProxyNotShell, to name a few—has underscored the potential for related catastrophic (CAT) events and resulting financial loss.
In response, businesses have increasingly sought cyber insurance coverage. The number of large- and mid-size U.S. businesses opting for cyber coverage has grown from about 25% to nearly 50% over the last few years reported, and yet the cost of cyber attacks to U.S. insurers has nearly doubled over the same period.
The dynamic threat environment, the potential for catastrophic loss, and the relative newness of cyber insurance have presented many challenges for insurers, not least of which are underwriting and pricing challenges.
In turn, much of the insurance industry has responded to the increasing frequency, severity, and cost of cyber attacks by implementing coverage and capacity limitations, increasing rates, and turning to reinsurers for coverage.
This approach may not be sustainable over time, especially in an era when a growing number of business assets reside in the digital domain, exposed to cyber threats. Stabilizing and unlocking new cyber insurance capacity requires precise and dynamic intelligence of the insureds and the threat landscape. As cyber-attack trends and techniques evolve with exceptional speed, so too must cyber risk mitigation techniques.
In our estimation, this state of the cyber market requires active, continuous cyber risk monitoring.
To survive and thrive in this challenging environment, cyber risk insurers must practice risk selection informed by the latest threat landscape developments at the time of underwriting, maintain constant awareness of the digital assets they insure, scan continuously for emerging risks, identify vulnerable companies quickly and accurately, and proactively help insureds implement patches and solutions as quickly as possible.
Underwriting a cyber policy without a timely scan of an organization’s network is akin to underwriting a property policy without understanding the property risk.
Many traditional cyber insurance policy processes and applications do not gather important security details such as the software and tools employed by the insured. Additionally, they do not include questions on security posture, often making the mistake of assuming that insureds can and will accurately answer technical questions about their technology and security configurations.
Guidewire Cyence and At-Bay collaborated to quantify the financial benefits, both attritional and catastrophic, of active scanning and continuous monitoring solutions.
Rather than relying on organizations to accurately report their own digital infrastructure, cyber insurance carriers can perform active scanning to determine the digital assets and overall security posture of each applicant at the time of underwriting.
This process gives insurers real-time views of a company’s digital assets and vulnerabilities, which enables better risk selection and pricing decisions. It also creates the foundation for continuous cyber risk monitoring over the course of the policy period.
That active scanning can be complemented with continuous risk monitoring. Continuous cyber risk monitoring of an organization’s digital infrastructure over the course of the policy period allows insurers to keep pace with the ever-changing threat landscape and technological evolution of companies.
In an era of fast-evolving cyber risk, insurers would be wise to undertake both active scanning and continuous monitoring of insureds and their digital assets and evolve these scans to keep pace with the dynamic cyber threat environment. This needs to occur both at the point of underwriting and throughout the policy period.
To learn more about the subject and our solution offerings, download the newly released whitepaper, The Future of Cyber Insurance: Active Scanning and Continuous Monitoring for Improved Loss Ratio.