5 Reasons Cyber Insurance Underwriters Need Security Ratings
Written by: Black Kite
After two years of uncertainty in the cyber insurance markets, with premiums spiking, payouts dropping and the settling of a few legal test cases [ICS v Travelers and Mondelez v Zurich], it appears we may be moving into a period of stability in the market. That said, insurers are formalizing and looking for efficiencies in the underwriting process, which is currently onerous (one large insurer told us off the record that they have 20 analysts devoted full time to the technical cybersecurity assessment element of underwriting). The increase in stability is offset in part by the fact that while cyber insurance is quite common in the US and, to a lesser extent, the UK and the EU, uptake in APAC, ANZ and LatAm is quite slow. As these regions come on board, the pressure on underwriters will only grow.
The threat landscape keeps getting worse, the attackers are getting smarter and we appear to be on the precipice of further economic turmoil. All of this is pushing the demand for cyber insurance coverage. For underwriters, this means an uptick in time-consuming risk assessments to determine whether to offer and how to price policies. These manual risk reviews for underwriting and reviewing policyholder risk levels aren’t only causing a headache for underwriters themselves; they’re taking away from the insurance companies’ bottom line. Questionnaires and point-in-time assessment reports are of debatable value the day they are ‘finalized’ and only get less accurate and useful over time.
While many promises have been made, there is no silver bullet. However, the level of due diligence required for cyber liability insurance can only be satisfied by automation that was built specifically for third-party risk management (TPRM) programs. The SRS method additionally removes bias from each evaluation, as the standards-based approach streamlines conclusions that multiple people could otherwise disagree on. Here are a few other reasons cybersecurity ratings are the solution to streamline underwriting:
1. Accurately assess ransomware risk of insureds
Ransomware is at an all-time high, involved in 25% of breaches in 2022. According to Corvus Risk Insights, of all cyber insurance claims in 2022, 34% were tied to ransomware. The average ransom paid out by the insurer during the same time period was $255,000.
Fortunately, there are several key indicators that can help assess the potential risk for a ransomware attack during the cyber insurance application process.
For example, several industries in particular have been targeted more frequently – in 2021, 66% of healthcare organizations were hit by ransomware.
Company size is another factor, as ransomware groups tend to seek small businesses with direct access to larger organizations and their personal information–making it even more essential to consider the robustness of any applicant’s vendor risk management program.
Source: Coveware
Still, not all controls are as easily identifiable as industry or company size. Consider the number of critical ports an organization has open–which inherently would widen its attack surface. Underwriters simply don’t have the time on their hands to audit this control alone, despite its prevalent role in initiating ransomware attacks.
That’s where automation comes in. Scanning for critical vulnerabilities such as fraudulent domains and remote code execution vulnerabilities protects your business by shedding light on the ransomware susceptibility of both applicants and insureds in real time.
2. Confidently evaluate cyber coverage policies and maintain acceptable loss ratios
As a first step, underwriters can quickly evaluate the cyber health of each potential policyholder. Once a rating is in hand, underwriters can prioritize companies that they are willing and able to insure in the first place. This could potentially look like requiring a certain minimum grade or risk level to even run the application initially. This avoids having to get involved with any company ravaged with risk and vulnerabilities.
Additionally, cyber rating results directly translate to level of risk, and therefore the type of policy offered. Companies with poor scores reveal enough clarity for underwriters to offer policies that cover the level of risk they hold. As health improves, less coverage is needed and therefore lower premiums are offered.
In turn, this early-on visibility enables underwriters to clearly convey why someone was insured or not. The underwriter can then reveal red flags and critical vulnerabilities, and provide suggestions to the company so they can improve and come back for coverage.
3. Complete underwriting assessments in a fraction of the time
Using an automated cyber ratings platform can reduce the time it takes to analyze an ecosystem or complete a stack of applications from months to hours, as well as further standardize the process. What used to be a manual process with multiple applications can now be streamlined automatically as soon as a new customer is brought into play.
Eliminating the bottleneck of applications opens the door for more efficient conversation between underwriters and brokers. No need to waste time going back and forth any longer when applications are completed automatically in hours with full visibility into the risk being covered.
4. Gain real-time visibility into applicant risk
Gone are the days of relying on manual, point-in-time risk assessments to develop and maintain an acceptable portfolio loss ratio. Just as individuals rely on credit monitoring services to maintain proper financial health, underwriters can gain instant visibility into the applicant’s cyber posture with continuous third-party risk monitoring. Revealing the unknown and accounting for changes in policyholder risk then eliminates the need to run additional costly reports.
5. Speak a common language with stakeholders
Continuous monitoring isn’t only helpful for underwriters themselves–it also promotes alignment with stakeholders by helping them truly understand the associated risk in a language they can understand.
By following the industry standard of Open FAIR™, stakeholders can better benchmark against others, and understand their risk in a quantified, digestible way. This encourages growth and diversification within the company and their partnerships as they understand the offered coverage with regard to their cyber health.
Of course, before you purchase any software, it’s important to know what to look for. When it comes to justifying underwriting processes, it’s essential that you address the level of transparency you are comfortable with. With such a critical degree of responsibility, it’s also important to optimize accuracy. These are all questions that you should be asking yourself when you’re assessing SRS tools. This is also why we know Black Kite is the best solution for the underwriting job.
Black Kite offers the only reliable and scalable solution for insurance underwriters looking to make more informed underwriting decisions. With Black Kite, underwriters can quickly view and approve applications based on data. Black Kite offers transparency and visibility into the key risk indicators that cause claims, so that you can minimize the risk to your business and more accurately assess policies.
Once implemented, there’s no doubt that security ratings can drive efficiency and significantly improve underwriting decisions for immediate impact. Still, the ultimate value-add is the direct impact on the bottom line over time.
Underwriters at Markel, for example, are now seeing 100 – 500% more submissions due to drastically reduced times between themselves and trading partners. In turn, the company has been able to manage costs through unlimited licensing, making their budget consistent year-over-year.