Cyber insurance companies need to focus more on risk profiles – and less on security ratings scores | SC Media
April 23, 2021
FBI Director Christopher Wray speaking in Washington, D.C. Today’s columnist, Tom Richards of GroupSense, writes that the FBI reported a 400% increase in ransomware attacks during the height of the pandemic. Richards argues that this rise has a dramatic impact on a company’s risk profile and one reason why security ratings scores are not always useful. FBI CreativeCommons CC PDM 1.0
  • Ratings are a point-in-time evaluation: A security rating evaluation happens at a particular point in time – it can’t offer insight into what might happen in the future. And it may not even accurately reflect that point in time. As just one example, perhaps when the security ratings evaluation was conducted, a company in the organization’s supply chain had already been breached without knowing it.
  • They don’t account for the evolving threat landscape: The FBI reported that in 2020, because of the pandemic, ransomware attacks skyrocketed 400% over the previous year, with ransom payments moving from thousands to millions of dollars. No one could have predicted this scenario. A single change like this in the threat landscape completely changes the risk equation of any company. It’s a vital component of any company’s risk exposure that insurers must account for, but security ratings don’t.
  • Ratings are not the right kind of benchmark: Cybersecurity threats are very dynamic, and the strategies to combat those risks can vary widely from industry to industry, making it extremely challenging for insurance companies to calculate risk profiles for any given company. For example, the auto insurance industry can tap decades of data across hundreds of millions of drivers to create risk profiles for each individual person. They know that if their customers are between the ages of 16 and 19, the likelihood of a certain number of accidents has been well documented, and the premium reflects that. There’s no equivalent to this type of benchmarking in the cyber insurance industry, so security ratings represent a tempting substitute because of their ease of use and the “instant gratification” of a security score.