Cyber Insurance

Why Loss Runs & Trends Alone Are Not Enough To Make Cyber Underwriting Decisions

Samit Shah | August 8, 2017

A loss trend can be defined as a projected loss expectation based on historical data. If you find that past losses might be indicative of potential future losses, you can then use this information to price your services accordingly. 

Three elements typically contribute to a loss trend: 

  • Frequency—the number of times a loss may occur.
  • Severity—the actual value associated with the loss.
  • Exposure—the risk you’re subjected to through an applicant. (In cyber insurance, exposure tends to be in line with a mix of the applicant’s annual revenue, employee count, and record count.)

From an underwriting perspective, the lack of data on frequency, severity, and exposure makes it difficult for loss trends to be sufficient for cyber underwriting decisions.

It’s always important to underwrite to the risk, which means underwriting to the applicant’s exposure. But applying loss trends as they relate to the applicant is more difficult. For example, if your application process requests information on past breaches (or loss runs if currently insured), your applicant is likely to provide information on their current incidents over the past year. This makes it challenging to assign the applicant to the right class of risk based on frequency and severity as you are working with very limited information. You may ask if the applicant has done anything to mitigate future risks after a reported incident. But even then, you have little visibility into the impact of their actions and will need to trust that their effort actually made a difference in decreasing overall risk.

So as an underwriter, it’s critical for you to be thoughtful during the underwriting process. You can contemplate the information you’re provided regarding frequency and severity (and how those things impact your risk exposure), but without access to any hard data on these points, loss information alone isn’t enough to make cyber underwriting choices.

“But if loss information isn’t enough to make underwriting decisions, where do I get additional data?”

This is a great question—and the answer is through BitSight Security Ratings. If you use the BitSight portal, you can gain more insight on frequency, severity, and exposure that will allow you to make better decisions during the underwriting process.

For example, you can use the Security Ratings portal to see the number of incidents of compromised systems as well as how long the activity lasted on the applicant’s network. This unique view into frequency and severity can be benchmarked against the applicant's industry and your overall portfolio, giving you objective insight that goes beyond a subjective application form. You can also see the impact of any actions they say they’ve taken after a publicly disclosed incident on their overall security rating. Using Security Ratings for cyber insurance will enable you to be more nuanced in assessing risk, asking targeted questions, and making more data-driven decisions.
