Demand for cyber insurance policies is growing rapidly, but underwriters face significant challenges in pricing and monitoring risk. Not only are insured organisations increasingly connected with other parties, but also the risk extends throughout those parties and all their onward connections. So how do you understand a complex and highly dynamic set of risks across a web of interconnected organisations?
Pricing risk in cyber insurance is tough, partly because cyber threats are constantly evolving, but also because of the sheer number and variety of data points that must be taken into consideration.
In the digital economy, the boundaries between organisations are much more porous. To achieve speed and efficiency, companies rely on the ability to exchange digital information rapidly and easily with partners, customers and suppliers.
However, this increased connectivity significantly increases the number of potential points of vulnerability. It’s not just that organisations are using more digital systems to do business, or even that they maintain a growing number of integrations with third parties. Rather, it’s the extended network of risk that stretches out across multiple degrees of separation between organisations.
It’s already a major headache for underwriters to get clear information from potential policyholders about those companies’ own systems, users, policies and practices – especially as these can change very significantly during the lifetime of a policy. The challenge becomes exponentially greater when you add in the potential risk from all the connected systems in third-party organisations – and, critically, the systems to which those systems are connected, and so on, almost ad infinitum. And in a world where many businesses use the same third-party systems, the resulting homogeneous technical landscape means that attacks can spread very rapidly through the entire ecosystem.
Allianz has estimated that cyber insurance premiums could soon reach $20 billion, so many insurers are understandably keen to get a piece of the action. And yet entering this market carries significant risk, given both the difficulty in sourcing reliable information on each applicant’s security posture, and the extended network of digital connections beyond. Underwriters certainly know that there are third-, fourth-, fifth- (and so on) party risks inherent in any policy, but they struggle to know what those risks actually are.
To beat competitors to the business, you need to be able to price risk quickly and cost-effectively. You also need strong discipline in how you assess cyber risk. Existing approaches, which typically require applicants to complete detailed questionnaires, are time-consuming on both sides. These methods also rarely provide sufficiently detailed information or the ability to dynamically re-assess risk during the lifetime of the policy. Most important, current approaches have no power to reveal the systemic cyber risk inherent in each potential client’s extended network of partners, customers and suppliers.
The good news is that there’s a highly automated solution that can provide the detailed data and high-speed analytical capabilities you need to assess, price, and continuously monitor cyber risk – even across a complex network of connected parties.
RiskXchange from Northdoor generates and maintains 360-degree cyber risk ratings, using powerful AI to map each enterprise’s security posture and discover connected parties in the broader ecosystem.