Policy pricing is something every insurance company and underwriter struggles with at some point. The primary issue is differentiating between the risk an applicant presents and the information you’re given. Let’s take a closer look at how policy pricing is examined in cybersecurity today.
Pricing is separated out into two pieces: exposure-based decision-making and risk-based decision-making.
To determine exposure, insurance companies look at the annual revenue associated with an entity and the industry the applicant is in. Exposure-based decisions make up the bulk of cyber insurance pricing decisions, and this baseline is then adjusted according to the individual risk characteristics specific to each entity.
Determining applicant risk, however, is much more complex. The standard is to examine the responses on the entity’s application form and use those responses to formulate an idea of the risk they present based on your underwriting guidelines and your risk appetite.
Once you’ve determined risk and exposure, the two are multiplied together to give you the price—which is then multiplied by the amount of coverage the applicant is looking for. (Other factors, like discounts for multiple lines of insurance with the same company and retention factors, are also added in.)
The trouble is, this traditional way of pricing cybersecurity policies doesn’t give you much insight into the actual risk the applicant presents.
Here are four of the biggest issues with this method of policy pricing—and how BitSight can solve those problems.
Issue #1: You don’t receive all the information you need to get a clear idea of the risk the applicant presents.
Every cyber insurance application has a generic quota of questions about risk controls, making it a less-than-useful tool for differentiating each applicant based on risk. For example, if every client says they have security firewalls in place, does that mean they all have them installed correctly or have them running on the right ports?
BitSight Security Ratings provide a common set of risk vectors across every applicant for you to examine. This means you’re not just relying on an application, and you can gain deeper insight into the specific risk each applicant presents.
Issue #2: You have to simply trust that the applicant’s responses are accurate.
The problem with most questionnaires is that they’re generic—and most applicants respond similarly. If everyone answers “yes” or “no” to the same questions, it becomes very difficult to know if what they’re saying is accurate.
BitSight Security Ratings give you an objective, outside look at the actual security posture of your applicant. Additionally, many of the risk vectors provided to you in BitSight can align with risk control questions on your vendor application for double verification.
Issue #3: Applicant risk can change very quickly, and you may not know of those changes during the underwriting process.
The risk position of a company changes the moment they complete the application. While they attest to having a certain level of security posture today, how do we know that holds throughout the underwriting process? This process can take up to several weeks, and we all know a lot can happen in that amount of time to change the risk position drastically.
You can use BitSight Security Ratings for Cyber Insurance to continuously monitor your applicant’s risk. For example, if your applicant comes back to you ready to sign a contract 30 days after you’ve given them a quote, you can re-run their Security Rating to see if their risk exposure has changed during that time period. If their Security Rating has remained the same or gone up, you’ll feel confident with the risk—and if it’s dropped, you’ll know to take a closer look at their risk vectors and see if the changes are material enough to affect the initial underwriting decision.
Issue #4: It’s easy—and dangerous—to generalize policy pricing based on the applicant’s industry.
It’s only natural to set pricing based on a class of customer, using some commonly identified characteristic to generalize what rates to set and how to underwrite. However, the risk posture of one company can differ drastically from that of another in the same industry, even when the exposures are similar. The exposure and risk questions on the application may appear identical. So how do you go about differentiating the entities?
We don’t predicate our Security Ratings on the sector of the entity, which makes our ratings very objective. This is particularly important in the underwriting process, as it can be tempting to bias your decision based on generalizations about a sector. In reality, every company, regardless of industry, could stand out above (or fall well below) the standard set by its industry, so it’s important to have an objective third party look at each applicant’s cyber risk.
Policy pricing should reflect not only an understanding of the exposure but the actual risk performance of the applicant as well. When you use a tool like BitSight Security Ratings, you’re able to make consistent, data-driven decisions across your portfolio—which is why seven of the top 10 cyber insurers choose BitSight to identify and measure security risk. Learn why the most sophisticated insurers use BitSight for cyber underwriting.