At a time when both the demand for cyber insurance and the risk of cyber-attacks are growing, the need for accurate, scalable, and threat-informed cyber risk measurement is at an all-time high. With limited viable options, cyber insurers have been forced to compensate for high loss-ratios by increasing the cost of premiums at an unbearable rate for the insured. A new generation of cyber risk measurement and assessment is needed to achieve and sustain profitability in the cyber insurance industry for the long-term, without being cost-prohibitive for the insured.
The first generation of cyber risk measurement for policy underwriting relied heavily on questionnaire-based methods, and this approach worked back in a time when both risk and the ancillary cost of a breach were low (by today’s standards). As ransomware became an increasingly profitable venture for cyber criminals, the cyber risk measurement tools available at that time showed significant limitations as the volume and costs of attacks escaladed. To be effective, questionnaires required customers to have a level of insight into their cyber exposures/risks that many just did not have.
In recent years, we have entered a second generation of cyber risk measurement, which added passive or light cyber-attack surface characterization to the questionnaire method. This advancement has helped compensate for the limited understanding customers had about their cyber exposures and identify immediate red flags for providing coverage, such as exposed high-risk services and easily exploitable vulnerabilities.
A New Generation Is Needed
Current risk assessments are producing too many false positives and false negatives. The recent addition of cyber-attack surface characterization has been a step-up from the purely questionnaire-based method of previous generations, but there are limitations that many in the industry have observed. Light attack surface characterization introduces too many false positives – and this frustrates both underwriters and customers. Additionally, credential-based entry points are assumed to be secure – and this gives underwriters a false sense of security. Applicants are given credit for credential security controls in situations where, for example, the password policy and enforcement don’t stop intermediate and advanced attackers from breaking in with basic tools.
The false positives cause unnecessary friction during applicant eligibility and underwriting phases, which leads to a mismatch of risk pools with sub-optimal limits and premiums. The false negatives impose avoidable risk to underwriters which drastically impacts loss ratios. Today, these problems are avoidable - with the next generation of cyber risk management.
Automated Pen Testing: The Next Generation of Cyber Risk Underwriting
To stay ahead of the threats posed to cyber insurance policy holders and allow cyber insurance providers to manage their loss ratios more effectively, the next generation of cyber risk measurement must go further than passive or light cyber-attack surface characterization. This next generation must include testing the policyholder’s ability to stop the attacks they will likely face during the policy term.
Until very recently, this type of cyber risk assessment (commonly called ‘penetration testing’) required highly paid and well-trained ethical hackers to spend weeks surveying and testing an organization’s cyber exposures to provide this assessment from an attacker’s perspective. However, this is no longer the case. Using automation and machine learning, companies like BreachBits are paving the way to making these assessments fully automated, scalable and consistent.
Even more crucially for the cyber insurance industry, these advancements allow this automated penetration testing to fit the cost model of today and tomorrow’s cyber insurance premiums, with measurable results delivered in seconds and minutes, not weeks and months. Some companies already include services like pen testing as a value-add service. Integration automated pen testing as a pre-claim or pre-breach service can deliver better outcomes for all parties.
Benefits of the Continuous, Automated Pen Testing at Scale
By leveraging automated penetration testing to assess the cyber risk of applicants and insured (or giving them the ability to test themselves), cyber insurance providers can greatly reduce claims and ultimately accelerate underwriting with more accuracy. Additionally, it can reduce false negatives such as credential-based threats, the second-leading cause of cyber claims.
Other cybersecurity controls, such as multi-factor authentication, can be observed by these tests – giving proactive customers credit for implementing such controls and empowering providers to be able to validate that controls are in place. And while performing testing during application and renewal periods will be a linear improvement, providers that implement a continuous model can make these gains exponential.
Single assessments will play an important role, but there are also gains when conducting this type of testing at scale. When providers can understand entire industries, they can create better models for the many facets of cyber risk. For example, in our BreachRisk: Energy 2022 Cyber State of the Industry study we highlight trends across U.S. oil & gas industry. We characterize the risk for the industry, which allows individual applicants to be compared against averages. But we also identified markers that underwriters can use to optimize limits for policyholders by size, revenue, employee base, and industry function. This tailoring allows for greater optimization of limits and premiums and improves sustainability.
Into the Future…
This next generation is upon us. It has the potential to make cyber insurance profitable for underwriters and sustainable for insured. More importantly, though, it can potentially power a market-based approach that will finally turn the tide against cyber-crime. We at BreachBits are excited to be a part of it.
We are implementing the third generation of cyber risk measurement in the cyber insurance industry and beyond. To see this third generation in action, download BreachRisk: Energy 2022, our recent Cyber State of the Industry study.