As an underwriter in the cyber insurance industry, you know that insurance is all about information. You’re responsible for making decisions about your applicants based on the details given to you—but you’re also aware of the potential for asymmetry in this information.
Ideally, your potential customer’s insurance application will be completed in the company of the CISO, CIO, or someone in IT—and possibly with a broker or cybersecurity expert. And at times, your applicant will be able to provide you with loss runs or cyber risk assessments other third parties have performed. The more information you have, the better you’ll be able to sense the vulnerabilities and risk exposures you’ll be underwriting.
During this process, you are likely homing in on the framework and controls your applicants have in place for people, processes, and technology. Here are a few of the questions you may be asking:
- People: Are your applicant’s employees aware of cybersecurity issues? Are they getting that information through regular training? One of the biggest people-related risks in security is employees opening attachments or clicking on links associated with phishing campaigns. Thus, it’s important to know whether the applicant’s employees can tell a legitimate message from a phishing attempt and are aware of common phishing techniques.
- Process: Your applicant should have policies or procedures in place for vendor risk management. Are they evaluating their third-party vendors appropriately? Do they have a defined incident response plan in the event of a cybersecurity incident, including what steps they’ll take and who will get involved?
- Technology: Your applicant may have antivirus applications and firewalls, but beyond that, are they monitoring the traffic leaving their IP addresses? Are they actually examining the log files generated by the tools they’re using to see whether there is malicious activity inside their systems or attempts to attack them? Are they identifying any open-port issues? What technologies are they using to safeguard themselves?
With all this in mind, the question that stands out is, “Are we doing everything possible to gain more insight into the cybersecurity posture of our applicants?” The traditional route of examining applications and third-party cyber risk assessments is critical—but there are more tools you should take advantage of:
- Work with a risk engineer. Risk engineers have technical expertise, background, and training and can be sent to an applicant’s organization to dig deeper into their cyber health.
- Look at Security Ratings. Your applicants may say they’ve configured their applications appropriately, but how do you know that for sure? That’s where Security Ratings for cyber insurance come in. All you have to do is plug in the applicant’s URL, and you’ll be able to see, for example, whether they’re running MongoDB on any open ports. If you see this, but their application says they have everything configured properly, then you can focus on this discrepancy. Furthermore, Security Ratings help you prioritize the questions you’ve asked and focus your time and effort on the right areas.
A Final Thought...
You can certainly trust what your applicants tell you and hope for the best—but it’s critical to use every tool at your disposal to verify that the information they’ve provided to you is accurate. Blindly accepting their word is negligent and is bound to be a poor strategy in the long run.
If you want more information on Security Ratings, check out this Security Ratings for cyber insurance data sheet. It gives details on how to analyze, rate, and monitor the security performance of your insured and insight into how BitSight Security Ratings are calculated.