Cyber insurance underwriting is risky business. As with any other form of insurance, one way of mitigating risk is by scoring it and then setting premiums accordingly. Clients with a greater risk score pay more. As a client, it helps to know how insurance carriers score risk so that steps can be taken to keep premiums manageable.
Insurance is always about risk. From the insurance carrier’s perspective, the big risk is paying out more in claims than the company takes in by way of premiums. Do that too many times and a carrier is at risk of failure. Carriers carry reinsurance for that purpose, but even reinsurance companies face the same types of risks.
The Basics of Risk Scoring
There is no black-and-white formula for scoring risks in cyber insurance underwriting. Carriers and reinsurance providers tend to use a combination of scoring methods and risk assessment methodologies. Therefore, systems can differ quite a bit from one carrier to another.
DarkOwl, a dark web threat intelligence firm offering a number of solutions for cyber insurance underwriting, explains that carriers tend to consider a number of key components in their risk assessments:
1. Vulnerability
Carriers attempt to understand a client’s vulnerability through scoring. There are several standardized tools for doing so, including the Common Vulnerability Scoring System (CVSS). It is a system for evaluating the severity of a client’s known vulnerabilities.
2. Likelihood
Insurance carriers also attempt to understand the likelihood of any particular cyber-attack. They rely on historical data and industry trends to predict the probability of different types of events occurring with their clients.
3. Compliance
How well a client complies with regulatory standards plays a huge role in risk. Therefore, insurance carriers do their due diligence in assessing compliance before applying it to risk scoring.
4. Client Practices
A significant factor in risk scoring is a client’s willingness to implement controls and practices related to tighter security. Carriers look at everything from security strategies to policies to the technologies a client employs.
Carriers need to account for industry-specific factors that could unduly increase a client’s risk score. In addition, they need to be careful about where they source their data. A score is only as accurate as the data sources behind it.
Cyber Insurance Underwriting Premiums
Coming up with premiums requires calculating an actual score based on the previously mentioned factors. Again, there is no black-and-white rule. However, a simple scoring formula is as follows: Risk Score = Likelihood x Impact.
The higher the score, the more questionable a client’s cybersecurity posture. Higher scores result in higher premiums and vice versa. A client facing an unusually high premium can and should take steps to improve its cybersecurity posture. Bring down the risk and an insurance carrier can see its way clear to reducing premiums.
An Ever-Changing Landscape
Risk scoring is not a one-time thing for carriers and reinsurance providers. In fact, scoring is an ongoing exercise. It needs to be. Cybersecurity represents an ever-changing landscape that evolves with every new technology and strategy threat actors employ.
As a result, organizations face risk scoring whenever policies are renewed. Their insurance carriers are constantly looking at future risks and how they play into potential losses. They translate perceived risks into a score that determines how much clients pay.
Any organization concerned about cyber insurance underwriting and costly premiums would do well to understand its own risk posture. An organization posing significant risk to insurance carriers is going to face higher premiums. The best way to keep premiums in check is to improve the organization’s security posture.
