“What gets measured gets managed,” might be the oldest saw in the business universe. But in my mind, it is closely followed by another: “What gets measured gets monetized.” And that is exactly what is happening today in the booming, yet very-brand-new market for enterprise cyber breach insurance.
Specifically, I believe that the new FICO® Enterprise Security Score (ESS), a metric that quantifies the vulnerability of an organization to cyber attack, will dramatically catalyze the growth of the cyber breach insurance market. ESS can be used by an enterprise to understand its cyber risk and shore up defense gaps. It is also an important assessment tool for third parties such as potential business partners and, notably, cyber insurance providers.
With its quantitative, empirically derived analytics, FICO ESS will drive objective risk measurement, transparency and predictability into both breach insurance underwriting and longer-term portfolio management, essential requirements in monetizing the rapidly evolving market for cyber breach insurance.
Explosive growth for cyber breach insurance
Breach insurance premiums are on a tear, and expected to grow tenfold over the next ten years from $2 billion to $20 billion per annum by 2025. The number of underwriters active in the US market is growing rapidly as well, with a double-digit CAGR. These volumes are growing in response to a well-publicized need; large breaches are happening frequently and the expense associated with containment and clean-up is escalating.
In addition, new regulations (such as those being pushed forward by the New York Department of Financial Services) will create additional pressure on organizations and their downstream suppliers to take steps to protect themselves and their customers. This includes acquiring appropriate financial coverage to remediate debilitating incidents.
The need for objective risk measurement
Breach insurance is still a relatively new coverage category. It has not yet been reduced to an actuarial problem, and underwriting remains dependent on intensive expert review. This gap has been recognized by the market, and the last couple of years have seen new entrants looking to provide quantitative cyber risk assessments for use by enterprises and by their breach underwriters.
Some of these new players’ products are not likely to add value beyond the judgmental assessments that any cyber expert might provide to an underwriter. Others, like ESS, take an empirical, quantitative approach that will provide a direct and predictable correlation to long-term outcomes.
The latter category of solutions will be the one to watch. Publicly available data, dark web information, firmographic information and IP scan information can all yield insights about organizations that can be correlated to breach risk. While many of these indicators are not necessarily breach vectors unto themselves, the correlation between the externally visible characteristics of exposed information technology assets and actual breach events can be empirically derived.
Consumer credit scoring provides a useful analog: it is fair to think of enterprise cyber data assets in the same way as one would think about the data available at credit bureaus for consumers relative to their credit performance. It is equally fair to think of the resulting ability to correlate these characteristics with breach events as akin to credit scores.
The lingua franca of cyber breach underwriting
The rapid growth in demand for breach coverage will draw new, inexperienced underwriters into the market, and will also bring new, unquantified risks to experienced players (as insurance is sought by a broader array of organizations). In addition, new threat vectors, significant breach events, and new regulations will bring in buyers with new, previously unknown risk profiles. Simply put, it is going to be a wild ride.
Managing risk and correlating price with that risk will require new quantitative tools at underwriting. Empirical tools like the FICO Enterprise Security Score will help underwriters understand how portfolio-level risk changes as they book today's business, based on the evolving risk of what has already been underwritten. FICO's broad-based and consistent enterprise security risk scores will be an important catalyst in the rapid expansion of coverage, and will bring efficiency to the market by enabling risk-based pricing, continuous risk quantification at the policy level, and portfolio-level risk assessment.
We are already seeing strong indications that the FICO Enterprise Security Score will become the lingua franca of the cyber breach insurance market, enabling the transparency and predictability required to make this major shift in business risk management both safe and successful. And not a moment too soon.
Follow me on Twitter @dougoclare