Determining whether you should quote or decline a cyber insurance applicant is an extensive and critical process. Typically, the decision is made after gaining an understanding of what the company does, identifying critical application information, and considering your organization’s risk appetite. But are you able to verify whether the decisions you’ve made are valid?
This is where BitSight Security Ratings for cyber insurance come in. Terabytes of data are pulled into BitSight’s algorithm and then assigned to a number of critical risk vectors. Together, these risk vectors help you understand your applicant’s security posture and the likelihood that they will be breached or experience other security issues.
Below, we’ll walk through five risk vectors in BitSight that help you validate your underwriting decisions for cyber insurance.
5 Risk Vectors to Help Validate Underwriting Decisions
1. Patching Cadence
Most cyber insurance application forms ask how frequently the applicant patches their systems (or whether they do so every 30 days), but gaining verifiable insight into this risk vector is very important. BitSight shows how frequently a company patches vulnerabilities relative to its industry. The WannaCry ransomware outbreak, which exploited certain Microsoft operating systems that had not been patched, showed why this matters.
2. Botnet Infections
Botnet infection events indicate that devices on a company’s network were observed participating in botnets as either bots or Command and Control servers. Botnets can be used to exfiltrate corporate secrets and sensitive customer information, repurpose company resources for illegal activities, or serve as conduits for other infections. Companies with a BitSight botnet grade of B or lower are more than twice as likely to experience a publicly disclosed data breach.
3. Open Ports
When your applicant deploys an open-source application (or any application that connects to the internet), do they move it off its default port and configure it properly? This is something you’ll want to be aware of. The MongoDB security issue in early 2017 took place because open ports weren’t being properly configured. The open port risk vector lets BitSight customers identify companies that are running software applications on default ports so the issue can be remedied quickly.
4. User Behavior & File Sharing
File sharing applications like BitTorrent can be used legitimately—but are often used to share, for example, applications (like a copy of Windows OS), music, or movies illegally. This makes it easy for bad actors to attach malicious code to the downloads, which could then get into your applicant’s systems. In an exhaustive research study, BitSight observed that 43% of torrented applications contained malicious software. Therefore, it’s critical to know whether your applicant is monitoring their employees’ access to certain systems and reviewing their employees’ logs—and BitSight provides this information.
5. NIST Cybersecurity Framework
Many insurers use the NIST Cybersecurity Framework because it is a comprehensive (but easy-to-communicate) security standard, and they lead conversations with their customers based on it. Therefore, BitSight has mapped its risk vectors to several NIST categories and subcategories so you can quickly and easily understand where an applicant or insured stands relative to a particular NIST category.
Validation is crucial. Many cyber insurers write policies blind because they simply trust what their applicants tell them—but if you do this, you may not be getting the whole story. Regardless of whether you engage a risk engineer, speak directly with the CISO or IT directors at the applicant’s company, or use BitSight Security Ratings, a validation technique is necessary to ensure the data you’re getting back from your applicant reflects the actual risk.