Threat Quantification: Determining the Right Cyber Insurance Coverage


As cybersecurity risks continue to mount, with cybercrime costing between $445 billion and $608 billion worldwide in 2017 alone, businesses are increasingly looking to buy insurance to protect themselves.

Determining the Right Cyber Insurance Coverage

Cyber insurance carriers must be able to determine how much coverage to offer a potential insured, and at what price. If the quote does not reflect the customer's real risk, the customer may forgo risk transfer altogether because the annual premium is too high. If the risk is underestimated and the premium set too low, the carrier may be accepting more risk than it can tolerate, particularly when the insured is highly susceptible to a cyber event that results in a claim.

Traditionally, retail insurers have quoted cyber coverage using 'back-of-the-envelope' calculations and rough estimates. These are based primarily on basic commercial details about the business seeking coverage: total revenues, industry sector, number of employees, the types of records kept (and whether these include protected health information (PHI) or payment card data subject to the Payment Card Industry Data Security Standard (PCI DSS)), and the expected regulatory fine or cost per record in the event of a successful breach.

This approach has its limitations, however. Just because one company in a given industry suffered a cyber attack that cost millions of dollars, it does not follow that a peer competitor will suffer an identical fate if it is attacked in the future. Threats and attacker methodologies are constantly changing, and such an approach ignores each organization's individual security culture and the technologies deployed in its environment. After all, as we like to say, threat actors target technologies, not companies. If one company was compromised through a particular brand and version of a vulnerable protocol server, the same result cannot be assumed at the second company, particularly if the second company does not even deploy similar services and infrastructure.

Determine Cyber Insurance based on Real Risk or Real Threat

So, what is the solution to this dilemma? A way to assess a potential insured's real risk, or real threat, more accurately. In other words, a more precise way to quantify threats. This does two things: it ensures the insured receives adequate cyber insurance relative to its particular threat landscape, and it ensures the insurance carrier is taking on a risk that it can tolerate.

Threat Beta™ – A Predictive Indicator of Risk

To meet this need, we created Threat Beta, a forward-looking predictive indicator of risk rooted in machine learning and statistical data analysis that aims to quantify threat more precisely using three fundamental analytical inputs:

  1. Discoverable Network Footprint: Mimicking the external view used by today's threat actors, we draw on our experience in the national security space to map an organization's attack surface using passive reconnaissance and footprinting techniques.
  2. Weighted Vulnerability Record: The depth and breadth of the discoverable technologies are mapped, compared against thousands of other companies with similar network characteristics, and weighted on a variety of factors, such as the vulnerabilities and exposures tied to those technologies.
  3. Attack Likelihood: Proprietary scoring is assigned to each technology based on attack likelihood, frequency, and severity, using a combination of open-source and real-time threat metrics derived from machine learning and automatically mined deep and dark web sources.

These three elements are considered together and then augmented with over 125 other data feeds to arrive at a Threat Beta score, used as a predictive cyber threat barometer and designed like a stock beta, normalized on a 0-2 scale. Using Threat Beta, customers can understand their score relative to an industry average and can compare it against any subset of data, technologies, and benchmarks. It also allows carriers and insureds alike to better understand the overall susceptibility of a network environment, while informing a more precise estimate of maximum probable cyber loss.
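The following is an added illustration of the stock-beta analogy above, not Cybeta's proprietary scoring or any code from the page. It assumes (these assumptions are not from the page) that each externally discovered technology carries an exposure weight in [0, 1] from its known vulnerabilities plus attack likelihood, frequency and severity values in [0, 1] from threat feeds; that a company's raw exposure is the sum of the per-technology products; and that the beta is the company's raw exposure divided by the peer-group mean, clipped to the page's 0-2 scale, so that 1.0 means "tracks the industry average". The function and field names (`raw_exposure`, `threat_beta`, `percentile_rank`, `Technology`) and the sample data are constructed for the example.

```python
"""
Illustrative Threat-Beta-style score (added example; not Cybeta's method).

Assumed model, not from the page:
  per-technology contribution = exposure * likelihood * frequency * severity
  raw exposure                = sum of contributions over the discovered footprint
  beta                        = raw exposure / peer-group mean, clipped to [0, 2]
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Technology:
    name: str          # product/version seen in the external footprint
    exposure: float    # weighted vulnerability record, 0..1 (assumed scale)
    likelihood: float  # how often this technology is targeted, 0..1
    frequency: float   # rate of observed campaigns against it, 0..1
    severity: float    # typical impact of a successful exploit, 0..1


def raw_exposure(techs):
    """Sum each technology's contribution to the company's exposure."""
    return sum(t.exposure * t.likelihood * t.frequency * t.severity for t in techs)


def threat_beta(company_techs, peer_exposures, lo=0.0, hi=2.0):
    """Beta-style score: company exposure relative to the peer mean, clipped to [lo, hi]."""
    industry_avg = mean(peer_exposures)
    if industry_avg <= 0:
        raise ValueError("peer group has no measurable exposure")
    beta = raw_exposure(company_techs) / industry_avg
    return max(lo, min(hi, round(beta, 3)))


def percentile_rank(company_techs, peer_exposures):
    """Fraction of peers whose raw exposure is at or below the company's."""
    score = raw_exposure(company_techs)
    return sum(1 for p in peer_exposures if p <= score) / len(peer_exposures)


# Constructed sample data: two companies in the same sector. Company A exposes
# a heavily targeted VPN gateway; Company B runs the same mail and CMS stack
# but has no VPN appliance on the internet. (Names and scores are made up.)
COMPANY_A = [
    Technology("vpn-gateway-9.1", exposure=0.9, likelihood=0.8, frequency=0.7, severity=0.9),
    Technology("mail-server-2.4", exposure=0.6, likelihood=0.5, frequency=0.6, severity=0.7),
    Technology("web-cms-5.2", exposure=0.4, likelihood=0.6, frequency=0.5, severity=0.5),
]
COMPANY_B = [
    Technology("mail-server-2.4", exposure=0.6, likelihood=0.5, frequency=0.6, severity=0.7),
    Technology("web-cms-5.2", exposure=0.4, likelihood=0.6, frequency=0.5, severity=0.5),
]
# Raw exposures of eight other companies in the peer group (constructed).
PEER_EXPOSURES = [0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55, 0.70]


if __name__ == "__main__":
    for label, techs in (("Company A", COMPANY_A), ("Company B", COMPANY_B)):
        print(f"{label}: raw exposure {raw_exposure(techs):.3f}, "
              f"beta {threat_beta(techs, PEER_EXPOSURES):.3f}, "
              f"percentile {percentile_rank(techs, PEER_EXPOSURES):.2f}")
```

Under these assumptions, removing a single heavily targeted appliance moves a company from well above the industry average (beta about 1.46) to well below it (about 0.43), which is the "threat actors target technologies, not companies" point in numeric form. Note that a ratio like this says nothing about the dollar loss of an event; the page's maximum probable loss estimate would still need a separate impact model.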

Cybeta Improves Cyber Risk Accuracy

Cybeta™ enables insurance brokers to uncover strengths and weaknesses in their potential clients' cybersecurity capabilities, detect emerging cyber threats, evaluate a client's threat level against that of its competitors, and make real-time decisions on coverage limits. Threat quantification can also take into account the likelihood of various attack categories, such as distributed denial of service (DDoS), malware or phishing, among many others, giving network defenders actionable intelligence on where to provision resources and defenses against the highest-probability exposures.

Cybeta enables insurance companies and their clients to think in terms of over-the-horizon visibility coupled with enhanced peripheral vision. This promises to improve the accuracy of cyber risk estimation, providing a solid basis for insurers to set limits and premiums, and for insured companies to obtain coverage appropriate to their actual risks.