Insurers tap cyber security ratings to limit liabilities

January 8, 2016

When a single cyber attack brought down several major sites, including Spotify, Twitter and the New York Times, it highlighted a problem insurers have been puzzling over: how do you predict whether many large companies will fall victim to a cyber attack all at once, like houses in a hurricane?

The distributed denial of service attack on Dyn, a provider of managed domain name system (DNS) services to large companies across the world, showed how companies in different industries and different parts of the world can be reliant on the same infrastructure: when that one provider went down, every customer that resolved its names through it went down with it.

A new generation of cyber security start-ups is trying to solve this aggregation problem, helping insurers analyse the risk of writing cyber security policies for individual companies, how to price them and how to balance their portfolio so they do not accidentally insure the cyber equivalent of all the houses in Florida. With the market for cyber insurance predicted to grow to more than $20bn by 2025, according to forecasts by Allianz, insurers are looking for help to understand the fast-changing threat from hackers.

Stephen Boyer, co-founder of Bitsight, a ratings firm for cyber security, counts seven of the top 10 global cyber security companies among his clients. “I think cyber insurance is probably the most important thing to happen in the cyber security world ever,” he said. “It will be transformational in the way that insurance has transformed building codes and car safety.”

Bitsight recently announced a fundraising of $40m, led by GGV Capital, as it expands to cater for insurers’ desire to know more about the security weaknesses of their potential — and existing — customers.

It collects data on whether companies appear already to be compromised, and it can monitor user behaviour, such as an employee found to be downloading from peer-to-peer websites. It also collects information on breaches obtained through freedom of information requests.

Then, it creates a model that rates companies on a scale, and insurers use the rating to decide whether applicants get coverage. A healthcare company was recently turned down for cyber insurance because Bitsight found it had an X-ray machine compromised by malicious software, according to Mr Boyer. Its analytics also help insurers diversify their portfolio by highlighting aggregations of risk, for example where all the insured companies depend on one cloud service provider, or on a DNS provider such as Dyn.

“In cyber insurance, [website] down time is an event you can claim on that lost revenue, so if something goes out that widely across the book, they will have to pay out,” Mr Boyer said.
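The aggregation check described above, as an added example that is not Bitsight's model or code: given a constructed portfolio mapping each insured company to its policy limit and its direct third-party dependencies, plus a constructed map of which providers themselves depend on which others (a SaaS vendor that resolves through Dyn, say), it follows the dependencies transitively and reports which providers a single outage would take more of the book than an underwriter wants down at once. All names, limits and the 50 percent threshold are invented for illustration; a real analysis would have to attribute hosting and DNS to each insured from observed data, which is the hard part this sketch leaves out.

```python
"""Portfolio aggregation check over a constructed cyber-insurance book.

Added example, not Bitsight's model. Every company, provider, limit and
threshold below is invented for illustration.
"""
from collections import defaultdict

# Constructed portfolio: insured -> (policy limit in $m, direct third-party dependencies).
PORTFOLIO = {
    "acme-retail.example": (10, ["aws", "dyn"]),
    "globex-media.example": (25, ["aws", "dyn"]),
    "initech-health.example": (15, ["azure", "saas-crm"]),
    "umbrella-bank.example": (40, ["own-dc", "saas-crm"]),
    "hooli-ads.example": (5, ["gcp"]),
}

# Constructed provider-to-provider dependencies: the hypothetical "saas-crm"
# vendor itself runs on AWS and resolves through Dyn, so a Dyn outage reaches
# its customers even though they never listed Dyn directly.
PROVIDER_DEPS = {
    "saas-crm": ["aws", "dyn"],
    "aws": [],
    "azure": [],
    "gcp": [],
    "dyn": [],
    "own-dc": [],
}


def transitive_deps(direct, graph):
    """Return every provider reachable from `direct` through `graph`.

    Iterative depth-first walk with a visited set, so cycles in the
    provider graph (mutual dependencies) cannot loop forever.
    """
    seen, stack = set(), list(direct)
    while stack:
        provider = stack.pop()
        if provider in seen:
            continue
        seen.add(provider)
        stack.extend(graph.get(provider, []))
    return seen


def exposure_by_provider(portfolio, provider_deps):
    """Map each provider to (total insured limit, sorted insureds) that would be
    affected by its failure, counting direct and transitive dependencies once each."""
    exposure = defaultdict(lambda: [0, []])
    for insured, (limit, deps) in portfolio.items():
        for provider in transitive_deps(deps, provider_deps):
            exposure[provider][0] += limit
            exposure[provider][1].append(insured)
    return {p: (limit, sorted(names)) for p, (limit, names) in exposure.items()}


def flag_concentrations(portfolio, provider_deps, max_share=0.5):
    """Return {provider: share of total limit} for providers whose outage would
    hit more than `max_share` of the book, i.e. the single points of failure an
    underwriter should diversify away from."""
    total = sum(limit for limit, _ in portfolio.values())
    flagged = {}
    for provider, (limit, _names) in exposure_by_provider(portfolio, provider_deps).items():
        share = limit / total
        if share > max_share:
            flagged[provider] = round(share, 3)
    return flagged


if __name__ == "__main__":
    for provider, share in sorted(flag_concentrations(PORTFOLIO, PROVIDER_DEPS).items()):
        print(f"{provider}: {share:.1%} of insured limit depends on this provider")
```

On the constructed data, "dyn" and "aws" each sit under about 95 percent of the book and the hypothetical "saas-crm" under about 58 percent, even though only two insureds list Dyn directly; that gap between listed and effective dependencies is the point of walking the provider graph rather than counting direct relationships.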

Bitsight is also working with insurers to monitor insured clients' security continuously over the life of a policy, in the same way that car insurers install telematics devices in cars to track whether the driver is careful.

Symantec is taking this one step further with its security software: it has been experimenting with insurers on bundling the software with their cyber security insurance. The real change could be for small businesses, which have increasingly been targeted by hackers as the most vulnerable.
