As the threat landscape grows, so does the demand for cyber insurance coverage. For underwriters, this means a significant uptick in lengthy risk assessments to determine whether to offer policies and how to price them. These manual reviews, used both for underwriting and for reviewing policyholder risk levels, aren’t only causing a headache for underwriters themselves; they’re also cutting into insurance companies’ bottom line.
Many underwriting tools and software products promise to be a silver bullet. However, the level of due diligence required for cyber liability insurance can only be satisfied by automation that was built specifically for third-party risk management (TPRM) programs. Here are a few of the reasons cybersecurity ratings are the solution to streamline underwriting:
1. Accurately assess ransomware risk
Ransomware is at an all-time high, increasing by 105% in the last year. Fortunately, there are several key indicators that can help assess the potential risk of a ransomware attack during the cyber insurance application process.
For example, some industries have taken even more of a hit: ransomware attacks against healthcare grew over 7.5x in 2021. Company size is another factor, as ransomware groups tend to seek small businesses with direct access to larger organizations and their personal information, making it even more essential to consider the robustness of any applicant’s vendor risk management program.
Still, not all controls are as easily identifiable as industry or company size. Consider the number of critical ports an organization has open, which inherently widens its attack surface. Underwriters simply don’t have the time to audit this control alone, despite its prevalent role in initiating ransomware attacks.
That’s where automation comes in. Actively scanning for critical issues such as fraudulent domains and remote code execution vulnerabilities protects your business by shedding light on the ransomware susceptibility of both applicants and insureds in real time.
2. Confidently evaluate cyber coverage policies and maintain acceptable loss ratios
As a first step, underwriters can quickly evaluate the cyber health of each potential policyholder. Once a rating is in hand, underwriters can prioritize companies that they are willing and able to insure in the first place. This could mean requiring a certain minimum grade or risk level before the application is run at all, which avoids getting involved with any company riddled with risk and vulnerabilities.
Additionally, cyber rating results translate directly to level of risk, and therefore to the type of policy offered. Poor scores give underwriters enough clarity to offer policies that cover the level of risk those companies hold. As cyber health improves, less coverage is needed and therefore lower premiums are offered.
In turn, this early visibility enables underwriters to clearly convey why an applicant was or was not insured. The underwriter can then reveal red flags and critical vulnerabilities, and provide suggestions to the company so it can improve and come back for coverage.
3. Complete underwriting assessments in a fraction of the time
Using an automated cyber ratings platform can reduce the time it takes to analyze an ecosystem or complete a stack of applications from months to hours. What used to be a manual process with multiple applications can now be streamlined automatically as soon as a new customer is brought into play.
Eliminating the bottleneck of applications opens the door for more efficient conversation between underwriters and brokers. No need to waste time going back and forth any longer when applications are completed automatically in hours with full visibility into the risk being covered.
4. Gain real-time visibility into applicant risk
Gone are the days of relying on manual, point-in-time risk assessments to develop and maintain an acceptable portfolio loss ratio. Just as individuals rely on credit monitoring services to maintain proper financial health, underwriters can gain instant visibility into the applicant’s cyber posture with continuous third-party risk monitoring. Revealing the unknown and accounting for changes in policyholder risk then eliminates the need to run additional costly reports.
5. Speak a common language with stakeholders
Continuous monitoring isn’t only helpful for underwriters themselves. It also promotes alignment with stakeholders by conveying the associated risk in a language they can understand.
By following the industry standard of FAIR, stakeholders can better benchmark against others and understand their risk in a quantified, digestible way. This encourages growth and diversification within the company and its partnerships, as stakeholders understand the offered coverage in relation to their cyber health.
Of course, before you purchase any software, it’s important to know what to look for. When it comes to justifying underwriting processes, it’s essential that you address the level of transparency you are comfortable with. With such a critical degree of responsibility, it’s also important to optimize accuracy. These are all points you should be asking yourself about when you’re assessing SRS tools.
Once implemented, there’s no doubt that security ratings can drive efficiency and significantly improve underwriting decisions for immediate impact. Still, the ultimate value-add is the direct impact on the bottom line over time. Underwriters at Markel, for example, are now seeing 100–500% more submissions due to drastically reduced times between themselves and trading partners. In turn, the company has been able to manage costs through unlimited licensing, making its budget consistent year over year.