The tremendous growth in cyber insurance is being fueled in part by the desire of companies to cede some of the risk of a cyber breach to insurers.
In many cases insurers are eager to take on this risk—provided they can objectively quantify and understand the risks they are underwriting.
However, is it enough to look only at the cyber risk of the insured? Companies are increasingly being attacked through their third-party vendor networks; one study by the Ponemon Institute reported that 23% of data breaches are attributable to third-party vendors. As companies share critical customer information with vendors, they expose themselves to a breach through these extended networks. Criminals have even started to target small and medium-sized companies as a way to reach the sensitive information of the larger firms they serve.
One case of this tactic is documented in a recent New York Times article, in which attackers planted malware in the online menu of a Chinese take-out restaurant favored by employees of the targeted company. Last December, when Target Corp was breached and hackers stole payment card data for some 40 million customers along with personal information on up to 70 million, the intrusion was traced to network credentials stolen from a heating and air conditioning vendor, which the attackers used to get into Target’s network.
For an insurer, these risks are very real and pose a potential blind spot in the risk assessment process. When a breach occurs through a third-party vendor and involves the loss of sensitive data that the vendor holds on behalf of the insured’s customers, the financial and reputational damage that follows falls primarily on the owner of the data, the insured, and on their insurer. While insurers today are grappling with the task of evaluating the cyber risk of the insured themselves, little thought is usually given to the cyber security of the insured’s third-party vendors.
Some underwriters are asking prospective clients to list their critical vendors in policy applications, but this is primarily to identify areas of risk aggregation—where a large percentage of insureds are all relying on the same set of vendors.
Identifying risk aggregation is an important part of overall risk assessment; however, simply enumerating critical vendors and flagging potential aggregation issues says nothing about whether those vendors are actually secure.
To overcome this obstacle, underwriters can use objective cyber risk metrics to assess both the insured and their critical vendors. Security ratings can be a valuable tool for identifying problem areas within an insured party’s internal network and its extended ecosystem. Identifying and mitigating these problems before a breach occurs can help both client and insurer avoid costly monetary losses and damage to their reputation.