Cyber risk tools provide key insights, but limitations remain – Lockton Re

Traditional models remain crucial in underwriting

By Kenneth Araullo

Lockton Re has released a new report evaluating the use of vulnerability scanning technologies in cyber risk underwriting.

The report examines a range of scanning tools employed by cyber risk insurers and reinsurers. As digital networks grow in complexity, companies are facing increased exposure to potential cyberattacks.

By 2025, an estimated 50% of the world’s data will be stored in the cloud, increasing companies’ exposure to attacks, both internally and through their supply chains.

Jacqueline Yeo, the lead author of the report and cyber analytics lead at Lockton Re, noted that the development of vulnerability scanning technologies reflects the rapid innovation in the cyber insurance industry.

“However, when used in conjunction with other underwriting and aggregation methodologies, scanning solutions can provide valuable additional insights,” Yeo said. “We researched the following emerging scanning tools with an independent data set: Cyberwrite, ISS, Kynd and Orpheus, to create the report.”

The report highlights that vulnerability scans are not a standalone solution for cyber security. Rather, they should be considered part of a broader strategy that provides an overall picture of a company’s security posture.

Vulnerabilities, Yeo emphasized, need to be carefully interpreted, as not all carry the same level of risk, and context remains crucial in understanding a company's exposure.

Oliver Brew, co-author of the report and cyber practice leader at Lockton Re in London, said that cyber risk data providers play an important role in assessing security risks. These tools can offer sensitivity tests for exposure data used in catastrophe models and serve as a secondary perspective on risk.

“However, it’s important to use these tools as part of best practices in portfolio management, like those promoted by regulatory bodies and Lloyd’s of London in their regulatory capability matrix, to promote more than one view of risk,” Brew said.

In the report, Lockton Re argues that in the uncertain landscape of cyber risk modeling, the use of multiple tools provides a more comprehensive understanding of exposure. This approach helps insurers benefit from technological advancements in vulnerability scanning while avoiding over-reliance on any single model.

Drawing a parallel to natural catastrophe modeling, the report cites past instances where models underestimated exposure, leading to outsized losses. By integrating scanning tools with traditional models, cyber insurers can work to mitigate such risks.
