Cyber underwriting essentials: 3 factors to consider when selecting a cyber data partner
Cyber underwriting essentials: 3 factors to consider when selecting a cyber data partner
By KYND
In this world, nothing is certain — except death, taxes, and the fact that today's cyber risks will differ from yesterday's. Last year alone, 26,447 critical cyber vulnerabilities were discovered. This averages to about 72 each day.
If that wasn’t staggering enough, 75% of new vulnerabilities were reportedly exploited within three weeks. But despite this neck-breaking speed, identifying and containing breaches still took an average of 277 days — 13 times longer than it took to exploit it.
This paints a clear picture: The need for swift and accurate risk assessment has never been more critical, especially for cyber underwriters. With a need to quickly understand an applicant’s cyber risk profile to make the best choices, while combating vulnerability overload, how can underwriters both keep up with today’s ever-evolving threat landscape and ensure they focus through all the noise?
To accomplish this, many turn to cyber risk data vendors for support. But this immediately introduces a new challenge: selecting the right data partner. How do you pick the right one? Which criteria should you look out for? How do you evaluate them?
If you’re pondering these questions, you’ve come to the right place. In this article, we’ll dive into what key factors to consider when assessing vendor cyber data.
The first thing to look for: Does the data pass the sniff test?
1. Data is best served fresh
Unlike revenge, cyber data is best served piping hot. Relying on outdated information in cyber risk assessment is like insuring a property based on an inspection from years ago. Just as a building's condition can change dramatically over time, so too can an organisation's cyber risk profile. Outdated information can lead to misjudgments about the current state of an applicant's security posture, resulting in inadequate coverage or overexposure for you as the insurer.
If that data is served instantly, but you have no way of understanding how up-to-date it is, should it be used in decision making? It’s not a straightforward question to answer, but you can start by exploring a potential vendor’s scanning process.
For one, it’s crucial to ask potential partners about their scanning frequency.
How often do they scan organisations?
Are they all scanned at the same frequency?
Will you know how recent the latest scan was?
Remember, in the dynamic cyber domain, last week's data is already stale... In the constantly changing realm of cyber, prioritising speed over accuracy can result in a false picture of an organisation’s risk landscape. This, in turn, can lead to either an overestimation or underestimation of threats, translating into overly cautious underwriting and missed business opportunities in the former case, or inadequate coverage or potential significant losses due to breaches and claims in the latter.
This isn’t just an issue for underwriters, there are more stakeholders to consider. Take IT or security teams, for example. For them, outdated data can create a false sense of security among management and C-Suite executives, misleading them about the actual state of the organisation’s exposure. The consequence is a higher risk of breaches, financial loss, and reputational damage, all because decisions were made on a faulty understanding.
2. Focus on real risks
While fresh data is crucial in cyber underwriting processes, its true value lies in more than just being fresh. With over 26,000 vulnerabilities discovered last year alone, how do you identify which ones actually matter for informed decision-making? Like folding a fitted sheet, it’s a momentous task if you go about it alone.
Imagine a sailor navigating treacherous waters with a detailed map that shows every rock, reef, and sandbank. However, the map doesn’t distinguish between those that are hazardous above the waterline and those safely submerged, posing no threat. Without this prioritisation, the sailor will waste valuable resources avoiding every potential obstacle — all while his attention is diverted from the real danger below the surface.
As an underwriter, it's essential to work closely with your cyber risk data partner to determine which data points are most relevant to your needs. Will you focus on all potential vulnerabilities, or target the risks that could lead directly to losses and claims?
At this point, it's key to recognise that not all vulnerabilities pose equal risk. As we’ve discussed earlier, of the more than 250,000 Common Vulnerabilities and Exposures identified in the US National Vulnerability Database — and of which over 80,000 are classified as critical or high risk — less than 4% have ever been publicly exploited and, therefore, present a real threat. Moreover, the severity of a vulnerability doesn't always correlate with its likelihood of exploitation. Some “critical” vulnerabilities may be challenging to exploit and often require an extremely narrow set of conditions to take advantage of.
To manage this, you may only want to focus on the 4% that are known to have been publicly exploited, for example. But how would you know? Well, to ensure relevant — and most of all actionable — insights, you don’t only need fresh data, but transparent data.
When evaluating vendors, ask about and research their methods for ensuring accurate attribution and prioritising relevant threats. For example, you can request sample data to better understand its quality. Ensure that you can access transparent data if needed. This means gaining not just complete risk visibility, but a prioritised insight into the risks that really matter..
3. Find the right fit
As a cyber underwriter, you need a data partner who understands your unique needs. Many vendors offer out-of-the-box solutions that are great in their own right, but aren't optimised for underwriting workflows. This results in a forced fit that may not align with your decision-making processes.
Look for a vendor who can deliver clear, accurate, and relevant data that integrates into your underwriting process at the point of risk selection. Are they focusing on actual risks or providing you with an arbitrary risk score? Which option best suits your needs? Consider how the vendor's solution will impact your day-to-day operations. Does it streamline your workflow or add complexity? Are you only able to access the data via a web service or can you use an API? Can it adapt to your specific underwriting criteria and risk appetite, and can the criteria be changed between industry sectors or geographies? A valuable partner will not only provide data but also offer guidance on how to interpret and apply that information to improve your underwriting outcomes.
At KYND, we specialise in delivering cyber insights tailored to the specific risks that underwriters care about, providing timely updates that allow you to navigate the sea of cyber information without being overwhelmed. Our goal is to help you balance risk and opportunity, achieving optimal outcomes for both your organization and your (soon-to-be) insureds.
Get the data you need, for the results you want
Cyber data has a shelf life, after which it becomes obsolete and unreliable. To avoid basing critical decisions on outdated information, you need the right tools and the most current, relevant data available. Timely scanning and prioritisation of significant vulnerabilities are essential for supporting your underwriting process, helping you to minimise exposure levels and, in the long run, reduce loss ratios.
In cyber underwriting, fresh, relevant data isn't just an advantage — it's a necessity. By using the right data, you can enhance risk selection, ensure clients receive appropriate coverage, and protect yourself against avoidable claims in the future.
At KYND, we understand the challenges associated with underwriting cyber risk. This is why we combined our proprietary technology with extensive industry expertise to deliver actionable cyber risk intelligence, empowering cyber underwriters to accurately assess an organisation’s exposure and make better-informed, profitable decisions. If you would like to learn more about how leveraging advanced, tailored cyber insight can help your business and see KYND in action, get in touch with our experts to book a demo.