
Cyber Insurance Underwriting: What Role Do Security Ratings Play?

Samit Shah | March 23, 2017

If you’re involved in the cyber insurance underwriting process—from the transaction to the ongoing operations—you’re constantly looking for things to help you (and your team) select better risks. Here are three specific ways BitSight’s Security Ratings platform can play an integral role in the underwriting process. 

1. Gaining Insight Into The Transaction

The first step in the cyber insurance underwriting process is the insurance application. It includes questions regarding security posture that virtually every carrier wants to learn more about. For example, if the applicant is looking for business continuity or business interruption coverage, you would focus your coverage-specific questions around disaster recovery procedures, how long it takes the applicant to get back online, business continuity management, and more.

Security Ratings make it easy for underwriters to map the answers to these security posture questions to risk vectors defined by BitSight. This way, you not only have the customer’s perspective on a topic, but you also have an objective one. This can help you determine if there are any deviations or gaps between what the customer says and what Security Ratings tell you—and if there are, you can dig deeper into that particular part of the application.

2. Benchmarking Against Your Portfolio For Risk Context

A major issue with applications and questionnaires is that responses are generally the same across all applicants, making it difficult to distinguish a high-risk applicant from a lower-risk one.

Security Ratings offer an objective way to benchmark applicants against your existing customers with similar attributes or demographics. For example, if a $10 million law firm headquartered in New York applies for cyber insurance through your organization, you can pull all the other organizations of a similar size and scope from your portfolio. This information will provide you with the context you need to ask the applicant additional questions and price them accordingly.

3. Modeling & Risk Aggregation Strategy

Understanding how adding an applicant impacts vendor dependency risk across your larger portfolio is critical—and Security Ratings can help with this.

For example, if you have 100 customers using a certain DNS provider, and an applicant that also uses that provider comes to you looking for business continuity coverage, you can use Security Ratings to immediately verify that they’re also using that third-party DNS provider. If so, underwriting this applicant would mean that you’d have 101 customers using the same DNS provider—and you’d need to determine what this meant to you. Depending on the common vendor dependency risk you’re willing to take, you may or may not offer coverage. If you do offer it, you may change the limit, ask additional questions about vendor policies, increase the applicant’s retention, or change the applicant’s waiting period. Regardless, without insight from Security Ratings, it’s far more difficult to ensure your aggregate risk levels are at a level you’re comfortable with.

In Summary

It’s clear Security Ratings make an impact in a number of critical areas for cyber insurance underwriting—and we can’t forget about how Security Ratings make an impact from an operational perspective!

If you get the opportunity to write excess coverage, but you don’t know the level, Security Ratings can help steer you closer to writing the primary coverage. BitSight also gives you this information in real time so you don’t have to wait to make a decision until an applicant finishes their questionnaire or an applicant’s broker sends you their responses.

Looking for more information on how Security Ratings could impact your cyber insurance underwriting risk? Download this on-demand webinar to learn exactly how the underwriting process has developed over the years, hear experts discuss the current trends in the industry, and find out the latest tools carriers are adopting to better assess a corporation’s cyber preparedness.
