A recent study by Gallagher Re evaluated cybersecurity performance data from Bitsight, which covered 62,000 organizations across 67 countries, alongside Gallagher Re's own data on cybersecurity incidents and claims.
The findings indicated that poor performance in key cybersecurity areas increases the likelihood of a cyber incident and subsequent insurance claim, while stronger performance correlates with reduced risk.
The study highlighted several key predictors of cybersecurity risk. One of the main findings was that external scanning data can play a crucial role in improving insurance loss ratios. By combining this targeted data with firmographic information and focusing on the most damaging 20% of risks, insurers could reduce their loss ratios by up to 16.4%.
Another significant observation was that the size of an organization’s "cyber footprint," measured by the number of IP addresses it manages, is a strong indicator of claims. This suggests that insurers may benefit from considering technographic data, rather than relying solely on traditional metrics like employee count, industry, or revenue, when underwriting cyber policies.
The study also found that the use of certain technology products increased the likelihood of a claim, underscoring the importance of addressing single points of failure and third-party dependencies within an organization's tech stack. This insight is expected to influence future risk modeling approaches for the insurance industry.
In addition, the research showed that maintaining good cyber hygiene remains critical. Basic cybersecurity practices, such as patching speed, proper use of HTTP headers, SSL certificates, DNS security, and effective endpoint management, were found to be directly correlated with a reduction in cyber incidents.
Ed Pocock, global head of cybersecurity at Gallagher Re, stated that the study offers clear, actionable insights for both insurers and enterprises regarding the effectiveness of security controls.
"Leveraging Bitsight's data, we've not only established a direct link between weak cybersecurity controls and higher insurance claims, but also highlighted additional strategies for insurers to more effectively assess an organization's cyber risk and potentially improve loss ratios," Pocock said.
For enterprise cybersecurity leaders, these findings can help prioritize investments in their programs, reduce the chances of experiencing an incident, and make more informed risk management decisions.
Derek Vadala, chief risk officer at Bitsight, added that Bitsight's analytics have long been proven to correlate strongly with security incidents.
"Gallagher Re's analysis demonstrates that there is even more to the story – that meaningful, new insights, such as assessing the risk of Business Email Compromise (BEC), can be created through analyzing different parts of our massive trove of data. We are excited by these findings and will continue to explore the incredible opportunities ahead of us," Vadala said.