News stories about data breaches are always followed by stories about cyber insurance. And whether you've been shocked at the size of some of the claims or the occasionally eye-watering cost of some premiums, what's obvious is this: Cyber risks aren’t easily quantifiable, and often payouts and premiums don’t match. Insurers need a non-intrusive way to determine premiums that cover their risk. Risk managers need to justify premiums and quantify cyber risk for their C-suite. We're trying to help.
With so many questions around these types of policies, how they're priced and how much coverage they provide, we've broken down the crucial metrics insurers and risk managers need to know when figuring out the limits of coverage and the costs of cyber liability insurance policies.
1. How many pieces of unprotected sensitive data, such as credit card numbers, are lurking on the organization’s devices?
Thieves are after the personally identifiable information (PII) and payment data on a network. That's the data that, when breached, brings regulatory fines, data clean-up and consumer credit monitoring for each piece stolen by hackers.
Insurers need to consider the financial liability for improperly stored data like social security numbers, birth dates, driver’s license numbers, credit card numbers and even intellectual property to reduce the likelihood of a claim. Company risk managers can use this data to prioritize remediation and note trends over time.
2. How many vulnerabilities are in the network?
Vulnerabilities allow hackers into a network to steal that data for resale, or to cause maximum business disruption by destroying data, halting operations or damaging reputations.
Insurers need to assess premiums based on the quantity of data as well as how vulnerable it is. Risk managers want to know what the vulnerabilities are, and on which devices, so they can improve network protection.
3. How many employees have access to files they shouldn’t?
The number of people who have access to data is sometimes called the “human threat”. Mistakes are more common than malicious intent. Employees save company data in their unsecured cloud storage drives and email sensitive information. An increasing number of breaches rely on “phishing” emails, where targeted employees unknowingly provide usernames and passwords to malicious hackers.
Insurers can use access data to understand whether companies have poor security policies and data management procedures. Risk managers can use access information to increase security awareness and improve data management procedures.
4. What’s the true financial risk?
We call this the Security Number. Putting a dollar value on risk gets organizational buy-in from the highest levels – it is the language of the C-suite. The dollar value also helps prioritize remediation and justify additional resources. And for insurance, it informs both the insurer and the insured what a fair premium should be. Insurers can also quickly identify riskier outliers across an entire book of business from a single view.
MAX Risk Intelligence calculates Security Numbers based on all three risk factors: the financial liability of unprotected sensitive data is weighted by both the severity of vulnerabilities and the unauthorized user access to the data.
5. How has the financial risk changed over time?
The Security Number charted over time is a continuous indicator of the overall cyber health of an organization. Are policies and actions able to bring the dollar liability down? Have new vulnerabilities opened up to increase the dollar value? Have the devices with the highest liabilities been remediated?
The Security Number is used by risk managers to measure the effectiveness of risk mitigation initiatives and understand their premiums. Insurers use the Security Number to see the overall liability of their portfolio, as well as drill down into each customer’s Security Number to maintain appropriate premiums.
Do you know your security number? MAX Risk Intelligence is the industry’s first data breach risk intelligence platform that puts a real-time dollar number on an organization’s security risk. MAX Risk Intelligence’s patented discovery process uncovers sensitive data and vulnerabilities, and financially prioritizes the results in reports that speak the language of the C-suite.