Insuring Unnatural Disasters - Cyber Risk Scoring
Updated: Mar 24
The last few years have been a bit of a mess, and this year is not off to a great start either. Current events around the globe have thrown the masses into a tumultuous sea of fear and uncertainty. With so many risks and unknowns, it’s hard to know where to start. John and I have been through these situations before. We know that with excellent leadership, planning, and the appropriate precautions in place, your squad will make it out in one piece.
Protecting Critical Assets in a Crisis
As we address cybersecurity, I’d like to specifically discuss cyber insurance. For those not familiar with the term, think of it like flood insurance, but for unnatural disasters. These disasters are of a malicious nature, wherein hackers intentionally attack a business or organization’s online infrastructure. Just as a building on a floodplain needs flood insurance to be considered insurable, vulnerable online business verticals need cyber insurance to be deemed safe.
Hospitals are a great example, as they store protected patient data and use sensitive medical devices with network connections. Other examples include banks, major retailers, institutions, even municipalities, all with access to critical data which can be ransomed, stolen, or destroyed entirely. In fact, I’d argue that every business today is an information-centric business, whether they know it or not. That means they both benefit from, and are vulnerable to, cyberspace risks and rewards.
Ransom isn’t a new concept. Just as pirates ransom ships for money and robbers hold hostages for safe passage, so too can hackers ransom your business for profit.
For cyber insurance underwriters, I think it’s understandable for you to operate with apprehension, especially given our current political climate. And you are not alone. We’ve had frequent discussions with both enterprise and medium-sized businesses and we’re in the trenches finding solutions with them. From our industry discussions, we’re aware that business leaders across the world are sweating bullets. Whichever category your organization falls into, you should certainly consider ways to understand where you stand and manage your company’s cyber risks. One innovative solution that has only recently become viable and meaningful is cyber risk scoring. It does exist and is now being used to actively support cyber insurance underwriters.
Setting the Standard to Turn a Profit With Cyber Insurance
Unlike a few years ago, it’s very difficult in 2022 for businesses to find a suitable cyber insurance policy. And when they do, the premiums are too high, the liability limits are far too low, and the policy simply fails to mitigate the risk of catastrophic loss. And it’s not because insurance companies want to build a bad policy; far from it.
Insurance underwriters can't determine which customers are “in the floodplain” - they can’t tell how secure their customers are. When they do write a policy, there is a significant risk of a claim, and a risk that the pool as a whole ultimately won’t be profitable enough to keep offering insurance, regardless of how high the premium is. This is a fundamental problem that comes up when we talk with thought leaders in insurance. Underwriters aren't willing to take the risk, and businesses are left with huge risks.
Now imagine a world where cyber insurance can be tailored to the exact risk of each individual insured. A world where policies are based on the current and potential risks for unique and accountable organizations. In this scenario, rather than overcharging (or worse, undercharging), a standardized scoring system for each policy holder not only shows underwriters where the floodplains are, but allows the organization to preemptively see their problems and fix them ahead of the flood, reducing the risks for themselves and for the insurance provider.
We’re In the Trenches With You
We understand the risks. We feel the apprehension. That’s why we use our own risk scoring services to survey businesses across a variety of industries. We want to know where the floodplains are so that we know how best to support these areas. John and I are military cyber veterans and practical data scientists. Finding critical elements that reveal cybersecurity risks while bringing next-level insights to our clients is what our team does best.
Innovation starts with risk… and scoring that risk is our innovation.
Those looking to innovate can benefit (as we have) from quantifying and qualifying that risk, particularly as technology becomes cheaper and more accessible to hackers, and businesses move more and more of their business online.
We want to learn where the floodplains are, which companies are in danger, and how to effectively prepare our clients (and beyond) for the next level of cybersecurity. If you have a question or insight, I’d love to hear from you. Drop a comment below or connect with me at breachbits.com/contact.
John and I will be at RiskWorld 2022 in San Francisco's George R. Moscone Convention Center from April 6 - 14; look for us at our booth near the Thought Leader Theater. We'll be working with others in the City all week, meeting with insurance underwriters, enterprise risk managers, and venture capital funds to exchange ideas and solve the next set of challenges. I highly encourage people to contact us to set up a session either at the conference or around town.