After a global study of 62,000 organisations, the reinsurance broker suggests removing “most at risk entities” from cyber insurance books could reduce loss ratios by up to 16%.

Reinsurance broker Gallagher Re has partnered with data and technology firm Bitsight on cyber risk research that combined security performance data on 62,000 organisations across 67 countries with the broker's own proprietary database of cybersecurity incidents and claims.


The headline finding was that insurers could reduce their loss ratio by more disciplined risk selection to avoid taking on business that shared some common characteristics.

The study concluded that poor performance in “certain key areas” increased an organisation’s risk of experiencing a cybersecurity incident and subsequent claim.

“This study provides clear, actionable insights for both insurance companies and enterprises on the efficacy of security controls,” said Ed Pocock, global head of cyber security at Gallagher Re.

According to Gallagher Re, the key predictors of cybersecurity risk, which are valuable information both for enterprise cybersecurity leaders and for the cyber insurers that write policies covering that risk, included:

  • External scanning data could improve insurance loss ratios: By using targeted external scanning data in addition to firmographics to identify and remove the most damaging 20% of risks, insurers could see a loss ratio reduction of up to 16.4%.
  • “Cyber footprint” is a strong predictor of claims: The size of an organization’s attack surface – as measured by the number of IP addresses a company maintains – was found to be a strong predictor of claims. This is a significant finding for insurers, who traditionally have focused on firmographics to underwrite policies, like employee count, industry, or revenue rather than using technographic data.
  • Single Point of Failure data and third-party dependencies are highly predictive of claims: As the enterprise tech stack grows, so too does the potential attack surface. Observed use of certain technology products materially increased the likelihood of a claim. This data holds great promise for the insurance industry and future risk modeling approaches.
  • Cyber hygiene remains critical: From patching speed to the use of HTTP headers, proper deployment of SSL certificates, DNS security, proper endpoint management and more, nine Bitsight risk vectors measuring essential cybersecurity practices were found to be correlated with cybersecurity incidents. Taking care of the basics can measurably reduce risk of incidents.

“Leveraging Bitsight’s data, we’ve not only established a direct link between weak cybersecurity controls and higher insurance claims, but also highlighted additional strategies for insurers to more effectively assess an organization’s cyber risk and potentially improve loss ratios,” Pocock added.

Gallagher Re added that IT security managers could use the same insights to prioritise their own cyber defence investments, lowering the probability of experiencing an incident and improving the risk profile they present when it reaches an underwriter.

“For years, Bitsight analytics have been independently proven to have strong correlation with security incidents,” said Derek Vadala, chief risk officer at Bitsight.

“Gallagher Re’s analysis demonstrates that there is even more to the story – that meaningful, new insights, such as assessing the risk of business email compromise (BEC), can be created through analysing different parts of our massive trove of data,” Vadala added.


Reputational risk

Hiscox also published its annual Cyber Readiness Report 2024 this week, uncovering a rising tide of cyber-attacks – representing a financial threat and a significant reputational risk.

Key data points, with global and UK-focused results, from the Hiscox report:

  • Over two-thirds (global: 67%, UK: 70%) of firms in this year’s study report an increase in the number of times their organisation experienced a cyber attack in the past 12 months.
  • A third of firms (global: 34%, UK: 37%) say their organisation’s cyber security measures are compromised due to a lack of expertise in managing emerging tech risks.
  • A third of business leaders (global: 34%, UK: 34%) do not feel that their organisation is adequately prepared to handle cyber attacks.
  • In addition to this, 64% (UK: 70%) believe they risk losing business if they do not handle client and partner data securely. And these concerns are justified: among organisations that had suffered a cyber attack,
      • 47% (UK: 46%) had greater difficulty attracting new customers (compared to 20% the previous year)
      • 43% (UK: 40%) lost customers (compared to 21% the previous year)
      • 38% (UK: 37%) faced bad publicity, which impacted their brand reputation (compared to 25% the previous year)
      • 21% (UK: 19%) lost business partners (compared to 16% the previous year).