Businessman with umbrellas in heavy rain.

Cyber insurance: Data science to calculate cyber risks and premiums

Estimated reading time: 5 minutes

Ransomware attacks have increased to the point Veeam and Cloudian observed cyber insurance companies require minimum technology settings before they renew policies. Insurance underwriting also turns to data science to help determine cyber risk and reduce cyber insurance premiums.

You could say it all began in 2017 when the NotPetya ransomware attack happened. The event caused over USD10 billion in damages across a number of major companies. One victim, pharmaceutical company Merck, is suing its insurers USD1.3 billion in damages. Last we heard, Merck and its 30 insurers are still in dispute over insurance coverage for claims related to the NotPetya incident.

Many in the law and insurance sphere call these insurance coverage denials as unprecedented, and “never seen before.” NotPetya had showed up the shortcomings of policy underwriting and the many ambiguities of cyber insurance policies.

Today these “unprecedented” acts have escalated to an early May announcement by one insurance company. AXA, has announced that they will end cyber insurance policies in France which reimburse victims who pay out ransomware amounts.

Has AXA France set a chain reaction in motion? Are they just the first of many more who will follow suit?

Cyber insurance companies push back

There have been a series of news reports that explore the possibility cyber insurance policies are actually spurring more ransomware attacks. The logical response to insurance policies that cover ransomware payment to attackers, can be encapsulated in one observer’s statement. He said, “There should not be any coverage for ransomware. Period.”

But it is not as simple as that.

Valery Marchive, editor-in-chief at LeMagIT, a French subsidiary of TechTarget, weighs in with his opinion, “I am deeply convinced that cyber insurance can and does help with fighting, or at least resisting ransomware, and is needed to do so.”

As an IT journalist of 25 years, Valery specialises in cybersecurity, and has closely followed negotiations involving small companies that were clearly in desperate situations.

“They did all they could to cough up the ransom, and it’s painful to watch.” These were not very huge amounts, and Valery observed sums that sometimes were a few thousand dollars, up to USD200,000.

Cyber insurance still has important role

According to Valery, “I am utterly convinced that those companies paid to survive. And if they had cyber insurance, it’s very likely they wouldn’t have needed to pay the ransom to ensure their survival.”

His observations show up the other side of the coin – cyber insurance is still very relevant for smaller businesses, and can have a very vital role in saving them massive loss and costs of paying ransom to attackers.

Significantly, ransomware attacks would still go on regardless if a company was covered by cyber insurance, or not.

In fact, Valery points out that a majority of small- to medium-sized businesses do not have cyber insurance as they usually do not see the need for it, or even know that it exists. “Insurers have not been pushing yet to make cyber insurance a B2B mass-market product.”

Unfortunately, a majority of news about ransomware highlight only the huge multi-national companies (MNCs) and the millions if not billions of dollars loss at stake.

The conundrum the cyber insurance industry is facing is not a simple one to solve.

Pulling back coverage for ransomware, defeats the purpose of insurance which is to mitigate, and in some cases safeguard against financial loss. And especially for SMBs, insurance has this very vital role to play.

Data science to assess cyber risk

According to the Insurance Journal, cyber insurance offerings should be built using data, artificial intelligence, and continuous underwriting that ingest data in real-time to be responsive to an ever-changing threat landscape. This is according to Head of underwriting at Cowbell Cyber, Caroline Thompson.

Valery also talked about some work being done to create cyber ratings that is quite similar to credit rating. “Assessing the cybersecurity posture of a company is a massive challenge,” he acknowledged.

This calls for some heavy batters to come forward to put their expertise and experience to use. America-based Moody’s is known for assigning ratings on the basis of assessed risk and the borrower’s ability to pay interest.

Last May, together with a global venture company, Team8, Moody’s established a joint venture called VisibleRisk to evaluate enterprise cyber risk. An outcome of this, is a Cyber Rating product that develops a global standard for assessing corporate cyber risk.

This holistic and validated set of internal/external factors, combines economic, cybersecurity, and industry data, as well as real-time monitoring, custom reporting, and expert analysis.

The objective is to rank a company’s security posture and quantify its risks in economic terms.

Proving adequate controls and readiness

The idea is to keep businesses, no matter what size they are, still in business when untoward events happen. Some may do so by taking out an insurance policy with insurers.

But, too frequently paying out large ransomware claims, is bad for an insurance company’s business.

To complicate matters, it is becoming incredibly difficult to predict corporate risk due to the nature of the current threat environment.

Currently, policy underwriters determine risk and premium by relying on a client’s self-attestation about their controls and readiness in the event of a cyberattack.

This is not enough, anymore. Cyber ratings like VisibleRisk’s and many more from the likes of BitSight, Cyrating, Cyence, SecurityScorecard, and CyQuant, can help.

Cybersecurity observers have also noted some cyber insurers are using attack surface intelligence, data science, cyber-specific actuarial models, and more to reduce policy premiums.

Businesses have to do all they can to protect their data assets, as well as mitigate and control the effects of a cyber compromise.

Best practices to defend against ransomware

Time needed: 3 minutes.

  1. Third-party risk management

    Vet the cybersecurity programs of companies you want to do business with. They have to prove and demonstrate they are taking a serious stance.

  2. Determine the cybersecurity programme’s efficacy

    Experts say there has been an extreme focus upon vetting cybersecurity programmes of business partner companies. And it does not only happen for large organisations, but smaller and especially professional services firms like law and engineering.

  3. Manage your privileged users

    If attackers gain access via privileged access, they have gained ability to move remotely across different systems. So tight controls of privileged user rights is absolutely critical.