While a new survey from analytics firm FICO has found that the number of US companies with full-coverage cybersecurity insurance has skyrocketed from last year, 24% still reported that they did not have any cyber insurance.
For those that remain uninsured, and the insurance companies with an eye on targeting these firms, a cybersecurity analytics platform has come up with a more effective way to price policies.
“From a cybersecurity perspective, when you’re an insurance company and you’re writing a policy for somebody, how do you charge them for it? We measure the risk and give them the metrics to charge for that policy,” said Steve Timmerman, VP of marketing and business development at RedSeal, which offers enterprise software that builds a model of a company’s network, identifies vulnerabilities, and provides a digital resiliency score that allows insurers to write a cyber premium based on that score.
It’s the larger entities that often need support in finding out where they have cybersecurity gaps.
“If you can keep track of your network on an Excel spreadsheet, you don’t need to buy enterprise software to do it,” said Timmerman, adding that RedSeal works with some of the biggest networks in the world. “These are the most complicated organisms on the planet now because they’ve been developed over 30 years by five different teams.”
The Internet of Things and a revolving door of new access points have made tracking a network’s structure and all of its at-risk points difficult, especially as many companies turn to cloud-based services that can potentially add to the problem.
“It’s those parts of the network that can be your Achilles’ heel because you don’t know they exist, you don’t manage those actively, and you may not scan them properly,” said Timmerman.
Recently, the cybersecurity company partnered with XL Catlin to reach its insureds. Based on how a client scores, the insurer can then update their policy to better reflect their risk profile.
“The idea is to provide both the insured, but also the underwriter and the broker, real information about how the network is operating, and that’s where the vacuum has been,” explained Timmerman. “There’s a lot of paper surveys [that ask companies] about your qualifications, what’s your philosophy about patching software, and those questions don’t even make sense,” especially since many risk managers are likely to respond with positive answers.
“We’re trying to inject more data into the decision about how underwriters measure and then price cyber insurance,” he told Corporate Risk and Insurance.