In many lines of insurance, claim activity is part of the norm, and it’s expected that you’ll have to underwrite to losses consistently. For example, in casualty lines, it’s common for workers to file for workers’ compensation because of an injury they experienced on the job.
But in cyber insurance, the situation is a bit different—and several steps must be taken:
Without objective data points, you simply have to trust that the information being provided to you by your applicant is accurate. But you’ll likely be left with many questions:
All in all, you need a way to be certain that your applicant is actually putting steps in place to ensure that their organization is safeguarded from future potential cyber events and any circumstance that could increase their risk profile.
Using data from your Security Ratings portal gives you an unprecedented look at your applicant’s current and previous security posture.
The BitSight Security Ratings portal provides you with information about your applicant for the previous year, which allows you to see if they experienced an incident during that time. If they have, you can then see how the applicant responded to and remediated the issues. If the applicant informed you that they put a number of measures in place after a security incident on their network but their company’s rating has dropped drastically, you know the applicant either hasn’t been forthcoming with you or the company hasn’t put the right measures in place.
On top of that, you’ll also gain recommendations on what your applicant can do to improve their security posture. For example, the applicant may be advised to scrutinize why certain ports are open that may be better closed. Acting on this simple suggestion may involve a complex effort to improve the applicant’s internal processes, but it will help get them on the right path after a breach or a compromising event.
You absolutely should underwrite a company that has experienced a breach or security event in the past (as long as they’re within your risk appetite)—but you should make sure you’ve evaluated all pertinent data and information about the company beforehand. In fact, experiencing a breach may help some applicants learn a lesson and limit the impact of a future breach...because you know it will happen again, right?
Using Security Ratings for Cyber Insurance can help you make or validate your underwriting decisions not just based on observation and subjective information from the applicant but based on objective, verifiable and actionable data. Once you have every data point possible, it’s much simpler to craft a policy that works for you and for the applicant.
This post was originally published July 18, 2016 and has been updated for accuracy and comprehensiveness.