Welcome to the final blog in the series recapping Cyber Risk, Cyber Ratings and Cyber Risk Transfer at FICO World 2018, and my conversation with the session’s three panellists:
- Josh Ladeau, CISSP, Global Head of Cyber, Aspen Insurance
- Sasha Romanosky, Policy Researcher, RAND Corporation
- Dr. Mingyan Liu, Professor and Incoming Chair of Electrical Engineering & Computer Science, University of Michigan and founder of QuadMetrics
In my last blog, we left off with Mingyan saying: “When we built the (cyber risk scoring) technology (that would become the FICO® Enterprise Security Score), the industry-standard practice was to send security questionnaires for prospective customers to fill out… Even though underwriters knew they needed something more modern, they weren’t ready to let go of their existing practices… When we showed how our cybersecurity ratings are tied to predicting data breaches, some underwriters said, ‘This approach is enough, and all we need,’ and others said, ‘What will I do with this?’ They were not sure how they could bake it into their underwriting process.”
Scoring Cyber Risk: No Standardized Underwriting Processes
Sasha, who has deeply studied cyber insurance pricing and risk, added, “I’ve had many conversations about which factors go into pricing, what the properties are and how they are weighted. Yet none of the insurance companies would share those details because that’s their ‘secret sauce.’”
What Sasha did discover, though, was that small companies were typically charged flat premiums (in the $250 per month range) with no variation or variability based on the company’s cybersecurity posture. “OK, perhaps that’s appropriate for small companies,” he said. But larger companies’ base rates were being calculated based on factors such as asset values and revenues, and then customized by low premium or high coverage levels, “and a few other insurance-y things. So, cyber insurance policies were being sold to many large companies without taking into account any information about their cybersecurity posture!
“While questionnaires asking, ‘Do you have a policy for BYOD [bring your own device], and how is that updated? Do you have an incident response plan, and is that updated every year?’ are helpful,” Sasha said, “when there’s room for variation and judgment is involved, it means that as an infosec industry, we still don’t have proper measures of risk or proper metrics by which to evaluate or assess the risk of a company—or, more importantly, differentiate one company from another one. That’s a sad but an important observation.”
Scoring Cyber Risk: An Insurer’s Point of View
Sasha’s study was based on information collected by state insurance commissions from admitted carriers. I asked Josh about the difference between what Sasha had observed and how cyber insurance underwriting is evolving at Aspen.
“Aspen operates on a non-admitted basis for cyber–and we do have the secret sauce!” he laughed. “We do see real value to our methodology, which is differentiated for a number of reasons including our use of the FICO Enterprise Security Score. We operate at the mid-market and larger; pricing is illogical not just because it’s a ‘race to the bottom,’ but the cyber ratings models are pulled from other businesses that have some kind of similarity, such as errors and omissions (E&O) insurance that professionals like attorneys get.”
Cyber is very different from E&O, Josh was quick to add, because it is driven by malicious behavior, not mistakes. “Attackers want to do as much damage and take as much information as possible. Therefore every loss that is material should be anticipated to happen, and have a limit or tower to mitigate the impact, yet we are pricing on this accidental loss basis overall, which the industry has mostly shifted away from.”
When asked what the primary components of risk comprise—company size, industry, security posture—Josh said most insurers focus on industry class. Banks and financial institutions are highly targeted, for example. “Industry-focused approaches don’t make a lot of sense, so we’ve taken a different route, analyzing a company’s exposure basis relative to its control sophistication.”
For example, a healthcare tech company would typically have high levels of intellectual property (IP) but low amounts of personally identifying information (PII). A healthcare provider is usually the opposite—relatively low amounts of IP and large amounts of PII. “It’s not about the industry class itself, it’s about how big the exposure basis is for a given industry class, and what is the sophistication of the controls relative to that.”
Aspen was an early adopter of using FICO ESS in the underwriting process and for ongoing monitoring of customers’ cyber risk levels. In October 2017 Josh said, “We selected the FICO Enterprise Security Score because of its empirical approach to scoring risk. The FICO cyber score presents the most accurate externally derived assessment of organizational security posture that I’ve seen, and when combined with the underwriting data we collect, will help us to shape a cyber insurance portfolio of the highest possible quality.”
Scoring Cyber Risk: Get Your Free FICO ESS Subscription
Aspen, Barbican and other leading cyber insurers choose the FICO solution because the Enterprise Security Score uses machine learning techniques to associate features describing the conditional and behavioral characteristics of organizations’ security practices with outcome data (breaches and non-breaches). The result is a high-performing supervised model that quantifies the likelihood of a significant breach event happening over a 12-month period.
Because FICO collects data continuously against the entire IP (internet protocol) address space, the training data set is always ready to absorb new breach cases, and the scoring engine is always ready to take time-dependent organizational behavior into account in calculating the risk of breach. Your company can monitor its cybersecurity risk with a free ESS subscription.
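To make the supervised-model idea in the last two paragraphs concrete, here is an added toy illustration. It is my own example for this post, not FICO’s or QuadMetrics’ model and not code from the Enterprise Security Score: a logistic-regression classifier fitted, in plain Python with no third-party libraries, to a handful of constructed records. Each record pairs externally observable features of an organization’s internet-facing footprint (the feature names and every value are made up for the example) with a label saying whether a breach was observed in the following 12 months. The script trains the model, reports a rank-based AUC on the training set, shows which observed behaviors carry the most weight, and scores two new footprints.

```python
"""Toy supervised breach-likelihood model (illustration only).

Added example: NOT FICO's or QuadMetrics' model. Features, values and
breach labels below are all constructed for the demonstration.
"""
import math

# Hypothetical externally observable features, one vector per organisation:
#   exposed_admin_services : count of remotely reachable admin/remote-access services
#   weak_tls_fraction      : share of hosts seen with expired or weak TLS configuration
#   open_mail_relays       : count of mail servers observed accepting unauthenticated relay
#   patch_lag_days         : median days a publicly known fix stays unapplied on visible hosts
FEATURE_NAMES = ["exposed_admin_services", "weak_tls_fraction",
                 "open_mail_relays", "patch_lag_days"]

# Constructed training records: (feature vector, breached within next 12 months).
TRAINING = [
    ([0, 0.02, 0, 5],   0),
    ([1, 0.05, 0, 12],  0),
    ([0, 0.10, 0, 20],  0),
    ([2, 0.08, 0, 15],  0),
    ([1, 0.12, 0, 30],  0),
    ([0, 0.00, 0, 3],   0),
    ([3, 0.15, 0, 25],  0),
    ([6, 0.40, 1, 90],  1),
    ([8, 0.55, 2, 120], 1),
    ([5, 0.35, 1, 75],  1),
    ([9, 0.60, 1, 150], 1),
    ([4, 0.30, 1, 60],  1),
    ([7, 0.45, 0, 110], 1),
    ([5, 0.28, 1, 55],  1),
]


def _standardize_params(rows):
    """Per-feature mean and standard deviation so features on different scales are comparable."""
    n, k = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(k)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0 for j in range(k)]
    return means, stds


def _scale(x, means, stds):
    return [(x[j] - means[j]) / stds[j] for j in range(len(x))]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(records, epochs=500, lr=0.1):
    """Fit logistic regression by full-batch gradient descent; returns the model as a dict.
    Re-running train() on an extended record list is how new breach/non-breach cases are absorbed."""
    xs = [r[0] for r in records]
    ys = [r[1] for r in records]
    means, stds = _standardize_params(xs)
    xs = [_scale(x, means, stds) for x in xs]
    n, k = len(xs), len(xs[0])
    w, b = [0.0] * k, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * k, 0.0
        for x, y in zip(xs, ys):
            err = _sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b) - y
            for j in range(k):
                grad_w[j] += err * x[j]
            grad_b += err
        w = [wj - lr * g / n for wj, g in zip(w, grad_w)]
        b -= lr * grad_b / n
    return {"w": w, "b": b, "means": means, "stds": stds}


def breach_probability(model, features):
    """Model's estimate that an organisation with these features is breached within 12 months."""
    x = _scale(features, model["means"], model["stds"])
    return _sigmoid(sum(wj * xj for wj, xj in zip(model["w"], x)) + model["b"])


def auc(model, records):
    """Rank-based AUC: share of (breached, non-breached) pairs the model orders correctly."""
    pos = [breach_probability(model, f) for f, y in records if y == 1]
    neg = [breach_probability(model, f) for f, y in records if y == 0]
    correct = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return correct / (len(pos) * len(neg))


def explain(model):
    """Weight per feature on the standardised scale: which observed behaviours drive the score."""
    return dict(zip(FEATURE_NAMES, model["w"]))


if __name__ == "__main__":
    m = train(TRAINING)
    print("AUC on training data:", round(auc(m, TRAINING), 3))
    for name, wt in explain(m).items():
        print(f"  {name:24s} weight {wt:+.2f}")
    clean = [0, 0.01, 0, 4]     # constructed: tidy footprint
    risky = [8, 0.50, 2, 130]   # constructed: neglected footprint
    print("clean footprint  p(breach in 12 mo) =", round(breach_probability(m, clean), 3))
    print("risky footprint  p(breach in 12 mo) =", round(breach_probability(m, risky), 3))
```

The point of the example is the shape of the approach rather than the numbers: outcome labels supervise the fit, so the weights are learned from which observed behaviors actually preceded breaches rather than set by an underwriter’s judgment, and the same training routine can be re-run as new labelled cases arrive. A production model would of course need far more records, a held-out evaluation set, and features collected on a schedule so that changes in an organization’s behavior over time show up in its score.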
Thus, for both insurers and the companies they cyber-insure, FICO Enterprise Security Score is the “secret sauce” of cyber risk management. To learn more, read my blog or watch my quick video. Sign up for ESS today! And follow me on Twitter @dougoclare. Thanks.