Cyber Risk Scores vs. Cyber Risk Ratings – Which Is The Right One For You?

  • Thu, 23 Sep 2021
  • Cyberwrite

Corporations have typically relied on cyber risk ratings to analyze the risk third parties pose to their organization. However, risk ratings miss an important piece of the risk analysis process: they analyze the third party’s risk in isolation and do not take into consideration your organization and its unique characteristics of engagement with each third party.

Risk scores, on the other hand, are a different way of measuring risk which reflects and focuses on the corporation’s own risk due to working with any given third party as opposed to the third-party’s risk to itself.

No business is an isolated island. Whether you work in finance or hospitality, agriculture, healthcare, or any other sector, you undoubtedly interact with various third parties – suppliers, partners, customers, and others – perhaps thousands of them. By necessity, doing so involves sharing sensitive regulated information – whether it’s PII (Personally Identifiable Information), medical records subject to HIPAA regulation, or credit card details regulated by PCI-DSS. Once the sensitive data is out of your hands and is processed by a third party, you can no longer protect it, but you are still responsible for it. Your interactions with these third parties may also create dependencies that can impact the availability of your services.

According to one report, in the past 12 months, 80% of organizations experienced a cybersecurity breach that originated from vulnerabilities in their third-party vendor ecosystem. The implications of such a cyber incident for your business could be costly – one recent report found that a compromised third party causes an average of $7.5 million worth of damages. But it could be much more – in 2019, Capital One had to pay $80 million when the former employee of a third-party vendor stole critical information, while a cyber breach at Home Depot, in which employee credentials were stolen from a third party, resulted in $179 million in damages.

How third-party cyber risk is typically computed

Typically, organizations tend to rely on risk ratings to identify the risk of a third party that they deal with. These ratings are usually based on an assessment of either external or internal data, collected by the third-party risk rating companies. External data is taken from open-source intelligence (OSINT) and may include details of the third party’s attack surface, their digital exposure, historical data of actual security incidents and more. Internal data comes from the third party itself and may include details about what countermeasures the third party is taking to reduce their risk. This information forms the basis of the third-party risk rating. 

So what’s the problem?

The issue with risk ratings can be illustrated in an everyday risk we can all relate to: crossing a road. This common activity poses a very different risk to a child, an elderly person or an adult – not because the road is different, but because of the specific characteristics of each of these pedestrians. 

It is the same with third-party risk. A specific third party may pose a higher risk to your organization than it does to others, due to factors such as your business and technological dependency on that third party, the type and amount of sensitive data you share with them, and other factors. To discover the actual risk posed to your organization, it’s not enough to simply look at the risk rating of a third party.  In order to understand a third party’s risk to your organization, your own context, dependencies, and characteristics of engagement with the third party must be considered as an integral part of the risk analysis process.

What risk ratings don’t tell you

First and foremost, risk ratings focus on the third party’s own risk – as demonstrated in the road-crossing example above, they do not account for the nature of your relationship and the risk of working with the third party. The risk posed to your organization might be very different from the risk posed to other companies the third party works with – this is not reflected in risk ratings.

In addition, risk ratings are in many cases a sort of balanced scorecard of a company’s external security posture: if the third party does everything correctly, they get a high score, and vice versa. In reality, companies with great security have suffered significant breaches, since it only takes one security issue for a short period of time to enable malicious actors to gain access to critical systems. In such cases, the risk ratings may not reflect that risk.

Some risk ratings don’t utilize benchmarking analysis. It may be that an organization that has a good external posture will get a good rating, but organizations with a similar external posture were breached, and this data should be taken into consideration in the risk analysis process. 

Taken in isolation, on a scale of 1 to 100 (higher is better), a rating of 45 appears to be low. But it could be that the median rating of comparable organizations is 33 (due to the risks associated with the sector and geography they operate in), in which case the third party is actually doing better than the industry median. 

It’s also important to bear in mind that risk can never be entirely eliminated. Even a company with a very high risk rating, reflecting low risk, is not 100% safe from a breach – just one error by an IT professional can cause a breach. Inherent risk scores take this into account: even if the organization has a high residual risk score, the inherent risk score still reflects the actual risk of a company suffering a breach, based on data of what happened to other similar companies in the past.

How risk scoring fills in the gaps

Risk scores tailor the risk assessment to the unique characteristics of your relationship with each third party by considering the actual dependencies with the third party. Risk factors such as what type of data you share with the third party and how many records, how dependent your business is on that third party’s IT systems, and how many employees the third party has are all taken into account. This ensures both that third parties are benchmarked against similar third parties for risk scoring purposes and that the risk score reflects the relevant context of your relationship with the entity under review.

Risk scoring puts risk into context. It begins by considering both internal and external data to create both an inherent risk score and residual risk score. Inherent risk is based on who they are and what happened in the past to similar organizations. Residual risk takes into account the risk mitigation efforts which the third party carries out. The delta between the two scores represents the actual risk reduction achieved by the third party, providing 360-degree visibility based on both external and internal data, which is critical for the purpose of accurate risk analysis. 

If, for example, the third party under review is a bank, it may have an inherent risk score of 25 (1-100, higher is better), signifying that similar banks had an incident or a breach. But, after completing a risk survey, the residual score calculated is 87 – a much better reflection of their investment in protecting your data. By combining both inherent and residual risk scores, you can better understand the risk levels posed by the third party and how they mitigate such risk.

Finally, to provide the highest value to your organization, a risk score should be combined with economic impact analysis. Utilizing a data-driven quantitative approach to predict the economic impact each third party may have on your company, with an actual monetary cost attached, enables you to consider impact as part of the risk analysis process. Once you have an economic impact assigned to each third party, combined with the inherent and residual risk scores, you can take firm action and focus on those third parties that pose the highest risk to your organization.

By using a more nuanced, tailored approach, risk scores focus on what matters most to you – your own risk, while risk ratings focus mainly on the risk posed to the third parties. 

To find out how Cyberwrite enables you to calculate a risk score for any third party, request free access now.

Filippo Passerini, Former CIO of Procter & Gamble, Joins Cyberwrite’s Advisory Board

  • Wed, 16 Dec 2020
  • Cyberwrite

The move powers the company’s global expansion into the supply chain and vendor risk management market offering corporations the ability to calculate their tailored financial cyber exposure to 3rd party relationships.

December 16, 2020 09:00 AM Eastern Standard Time

NEW YORK–(BUSINESS WIRE)–Filippo Passerini, former CIO and President of Global Business Services at P&G, joins the cyber risk modeling firm’s Advisory Board, supporting the company’s global expansion into the supply chain and vendor risk management market.

Passerini has over 35 years of IT management experience, and currently serves on the board of multiple traded companies including United Rentals and Integer. At Procter & Gamble, Passerini powered the Global Business Services of the consumer goods giant with innovative models and capabilities. His strategies, principles and ideas have been the subject of numerous books, articles, and Harvard Business Review publications.

“I have been following Cyberwrite’s evolution for some time, and I am excited to support this team of innovators. As a CIO, I have seen first-hand the challenges organizations are facing with cyber risk and the impact it has on business. This platform is a game-changer that enables organizations to assess vendor risks in financial terms, not just scores,” said Passerini.

“We are thrilled to have a top executive of such magnitude joining Cyberwrite,” said Nir Perry, CEO of Cyberwrite. “Filippo brings decades of experience in IT, data science, innovation, and corporate risk management.”

“Many companies struggle with quantifying cyber risk caused by 3rd party relationships due to the use of generic risk scores. This is further compounded by the fact that the same vendor may pose a different risk to different organizations but is scored the same by security risk scoring companies. Using Cyberwrite, companies can quantify risk in financial terms they can understand and act upon, as well as getting a tailored risk analysis for each 3rd party relationship. Generic security scores leave organizations in the dark with regard to business impact and Cyberwrite solves exactly that. Insurance companies have been using our award-winning financial risk models for several years worldwide. We have now made these models available to corporates to enable better 3rd party risk management,” says Perry.

Cyberwrite’s solution enables risk managers to make sense of an immense amount of data related to 3rd parties in an automated manner and to sort the risk according to potential financial damage that may be caused to its operations. The platform is intuitive to use, requires zero-integration, and provides risk benchmarking based on both external and internal data, as well as inherent and residual financial risk analysis of companies worldwide.

About Cyberwrite

Cyberwrite provides cyber risk quantification solutions for corporates worldwide. In 2020, Cyberwrite was awarded the most innovative cyber risk modeling firm by Frost and Sullivan and was named a Gartner Cool Vendor in 2018. Cyberwrite’s technology is also used by multiple insurance companies to underwrite the impact and potential financial damage of cyber-attacks on businesses of all sizes. The platform is available in multiple languages.

Cyberwrite Research for Mastercard Shows: Cyber-Attacks on Israeli Local Municipalities May Lead to an Aggregated 4.5B ILS in Damages

  • Thu, 27 Feb 2020
  • Cyberwrite

February 26, 2020 09:00 AM Eastern Standard Time

TEL AVIV, Israel–(BUSINESS WIRE)–Cyberwrite, in collaboration with Mastercard, shared insights from recent cyber-risk financial impact research which reveals that cyber-attacks on local municipalities and regional councils in Israel may lead to aggregated damages estimated at 4.5 billion New Israeli Shekels.

Cyberwrite, a leading cyber risk modeling firm which specializes in the quantification of financial damages caused by cyber-attacks, has utilized its technology to collect open-source intelligence and model the cyber risk municipalities are exposed to using its proprietary AI algorithms. Cyberwrite has recently been selected to participate in Start Path, Mastercard’s award-winning startup engagement program, and is providing its technology to businesses worldwide. The company’s solutions and technology are simple to use and involve zero-integration.

As part of this collaboration, Cyberwrite generated cyber-risk reports for 251 local municipalities and regional councils in Israel which include risk benchmarking and financial damage estimation for different risk types. The study found that 5 of Israel’s largest cities are exposed to potential aggregated damages valued at 650M ILS. The financial damages stem mainly from risks such as theft of residents’ information, loss of information records, digital theft, disabling public services and more.

The study also found that user login credentials of Israeli local municipalities’ employees and contractors were commonly found on the dark web. Municipalities are the first on the list with an average of 17 stolen user credentials, while regional councils had an average of 11 credentials found online.

Nir Perry, Cyberwrite’s CEO, mentioned that: “Municipalities in the United States and Europe are subject to constant cyber threats. In the first nine months of 2019, over 600 successful cyber-attacks on municipalities and urban authorities in the United States were identified. This is a global trend that is likely to affect municipalities world-wide and the privacy of their citizens alike. Many municipalities are also purchasing cyber insurance policies to cover some of the damages in case of a cyber incident.”

Omer Unger, Mastercard’s Israel manager, said: “Mastercard is expanding its cyber services to provide its global customers with the best and most innovative services. This is achieved by collaborating with Israeli Cyber companies, by the global acquisition of cyber companies, and through the establishment of cyber centers around the world, such as The Cyber Centre in Vancouver, Canada, which was announced by Mastercard in collaboration with the Canadian Government during last week’s World Economic Forum.”

About Cyberwrite

Founded in 2017 by cyber risk and insurance industry veterans, Cyberwrite is a leading technology provider enabling businesses world-wide to quantify their financial exposure to cyber risk using proprietary AI algorithms. Using the Cyberwrite solution, companies can predict their potential financial exposure to cyber-attacks and benchmark it to industry peers. Cyberwrite is backed by Austrian VC firm Speedinvest as well as by Silicon Valley based 500 Startups and Plug & Play Ventures. The company has offices in the US and Israel. Visit Cyberwrite at www.cyberwrite.com.

About Mastercard

Mastercard (NYSE:MA), www.mastercard.com, is a technology company in the global payments industry. Its global payments processing network connects consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. Follow Mastercard on Twitter @MastercardAP, join the discussion on the Beyond the Transaction Blog and subscribe for the latest news on the Engagement Bureau.

Cyberwrite selected by Mastercard to join StartPath Program

  • Sat, 07 Dec 2019
  • Cyberwrite

Mastercard Start Path Welcomes Seven Fintechs to Help Build the Future of Commerce

Jen Langione | December 4, 2019 | Industry News

Investment in fintech has reached new heights with more than $39 billion invested globally last year. New opportunities abound to bring innovative technology to market through strategic partnerships – what may arise from a customer need, pain point or desire can become a reality through co-creation with corporations that can benefit from new ways of thinking and in turn offer funding and scaling opportunities.

In Miami, seven elite startups from around the globe that are mitigating the financial impact of cyber risk for businesses, providing ecommerce platforms for women’s health and personal care, offering pay-on-demand solutions for casual dining restaurants, and much more will join the Mastercard Start Path network of companies that have gone on to work with the world’s largest banks and renowned organizations.

Mastercard Accelerate gives fintechs access to everything they need to grow quickly and offers a simple, single entry point to Mastercard’s wide portfolio of specialized programs, including its award-winning startup engagement platform Start Path. Start Path invites later-stage startups to participate in a six-month virtual program, providing opportunities to scale and secure strategic investments.

Each year, Start Path evaluates thousands of startups around the world and carefully selects about 40 companies that offer the most promising technologies and show a readiness for scale. More than 200 startups have participated in Start Path since its founding in 2014, and those companies have collectively gone on to raise $1.5B in capital.

After searching 210 countries and beyond, Mastercard has selected the following companies to receive tailored programs, operational support and commercial engagements within the Mastercard ecosystem:

  • BharatPe is a digital bank that enables small- and medium-sized merchants in India to accept payments.
  • Cyberwrite’s Cyber Risk SaaS platform discovers, quantifies and helps mitigate the financial impact of cyber risk on businesses worldwide.
  • Eureka AI is enabling mobile operator-to-enterprise partnerships by applying AI.
  • Hydrogen quickly builds cutting-edge digital financial applications anywhere globally using one platform.
  • Kasha is an ecommerce platform for women’s health and personal care in Africa.
  • mmuze is a voice-shopping platform for retail businesses.
  • Ziosk is a pay-on-demand solution for casual dining restaurants, enabling guests to order and pay and go when ready.

Innovation is at the heart of Mastercard’s 50-year history, and the cutting-edge technologies being pioneered by the latest group of Start Path companies align to the innovative, value-driven approach Mastercard takes to the solutions it creates and services it offers. The newest Start Path companies will be connected to a global ecosystem of banks, merchants, technology partners and digital players that are partnering to deliver transformative solutions to drive growth.

Cyberwrite cherry-picked to participate in the NY Fintech Innovation Lab 2019 cohort

  • Thu, 04 Apr 2019
  • Cyberwrite

This year’s program includes five Insurance technology companies selected by Accenture customers and other financial institutions in the US out of hundreds of applicants.

We are very proud to announce that Cyberwrite has been selected by the NY Partnership Fund and Accenture to be one of only five Insurtechs to take part in the Fintech Innovation Lab in NY this year. This is additional strong validation of the interest large corporates have in the Cyberwrite cyber insurance solution.

The selection process has been long and started with online applications. Hundreds of Insurtechs from all around the world have applied. This was followed by a face-to-face pitch to the program leaders and sponsoring corporates and finally a selection day expo in which the top 10 startups presented and of which only 5 got accepted to the program.

Startups meeting the corporate sponsors at the Fintech innovation lab.
Cyberwrite mention on Forbes Money:
“On the security front, Cyberwrite was chosen for the lab because it provides an easy to understand report benchmarking the risks and financial impact a cyber attack would have on small and medium-sized businesses. The data is in real-time and on-demand. It is used for customer engagement, improved underwriting and to manage risk.”

Cyberwrite Identified as Top 10 Insurtech by Accenture’s Customers in the NY Fintech Innovation Lab

  • Wed, 13 Feb 2019
  • Cyberwrite

Accenture Fintech Innovation lab identified Cyberwrite as one of only 10 Insurtechs to present to its customers in Feb’ 19.

Out of over 250 candidate companies, Accenture’s insurance customers identified Cyberwrite as one of only 10 which presented in February 2019 in NY in front of representatives from the insurance industry.

The FinTech Innovation Lab is an annual 12-week accelerator program that brings together early-stage financial technology companies and the world’s leading financial institutions.

Cyberwrite’s solutions for Cyber Insurance digital customer engagement, cyber insurance underwriting for SMBs and aggregated risk management are used by leading carriers in the US and Europe.

Nir Perry, CEO of Cyberwrite presented the Cyber Insurance Underwriting solution at the Fintech Innovation Lab in New York.

Cyberwrite Named a 2018 Cool Vendor in Insurance by Gartner for its Cyberrisk Profiling Technology

Vendors selected for the “Cool Vendors” report are innovative, impactful and intriguing.

San Francisco, California, and Tel Aviv, Israel – May 15th, 2018 – Cyberwrite today announced it has been included in the list of “Cool Vendors” in the “Cool Vendors in Insurance”[i] by Gartner, Inc. The InsurTech innovator has been recognized for its cyberrisk profiling technology for cyber insurance.

In the report Gartner writes, “Gartner’s Cool Vendors in insurance apply a broad range of emerging technologies to provide innovative products and services and support new business models. Life and P&C insurance CIOs can use this research to keep themselves and their business peers ahead of the competition.”

Cyberwrite’s cloud-based SaaS solution gives insurers and brokers unique insights that enable them to tailor cyber insurance policies to meet the specific needs and budget of individual small and midsized businesses (SMBs). The solution is based on machine learning technology for translating raw cyber risk data into cyber coverage risk scores and financial impact estimations.

Cyberwrite enables coverage to be tailored to the specific risks of SMBs, rather than the “one size fits all” approach currently offered. The solution is already being used by some of the world’s largest insurers, with reports run so far for over 50,000 companies globally.

Because Cyberwrite profiles and analyzes the cyber insurance risk of businesses in real time and on demand, it helps both insurers and their customers to understand the probability and financial impact of a cyber event for that specific business. This is presented in a one-page, simple to understand report, which serves insurers and brokers when they sell and underwrite cyber policies as well as business owners so they can purchase the right coverage. It is especially useful and clear for those who are not cyber experts.

In addition, insurance companies integrate Cyberwrite’s data into their system using Cyberwrite’s APIs for underwriting and catastrophe modelling purposes.

“Cyber insurance policies offered to small and midsize businesses are typically very broad and untailored, resulting in businesses paying extra for unneeded coverage while not being covered for the actual risks they face, and we are out to change this,” said Nir Perry, CEO, Cyberwrite. “We are very proud to be included in the prestigious Gartner report. We believe that Cyberwrite is set to shake things up in the coming years for the insurance industry.”

According to the US National Cyber Security Alliance, 60 percent of small companies are unable to sustain their businesses six months after a cyber attack.

“Cyber insurance is becoming essential to businesses as the only product that compensates them after an attack, when technology cannot provide total protection. We expect high demand for this type of insurance among small and mid-size businesses because of the high and growing number of damaging cyber attacks,” added Perry. Allianz projects the cyber insurance market is set to grow to $20B in annual premiums in the next 7 years.

Cyberwrite is one of only four insurtech companies globally to be recognized as a Cool Vendor by Gartner, whose insurtech database covers more than 1,000 startups.

Gartner clients can access the Gartner report here.

[i] Gartner, Cool Vendors in Insurance, Sham Gill, Kimberly Harris-Ferrante, Jeff Haner, Laurie Shotton, Richard Thomas Natale, Juergen Weiss, 26 April 2018

About Cyberwrite

Cyberwrite was founded in 2016 by a team of cyber risk experts and insurance veterans to address the $20B market of cyber insurance.

The company has customers in the United States and Europe and is backed by Austrian venture capital fund SpeedInvest, as well as senior insurance executives and angel investors from the United States and Israel. Among the company’s advisors are Shmulik Regev, one of the founders of Trusteer, and Inbar Raz, a thought leader and speaker in cyber intelligence research. Visit Cyberwrite at www.cyberwrite.com or on LinkedIn and Twitter.

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Speaking with Judy Selby – a leading expert on Cyber Insurance consulting to corporates and insurance companies.

Cyber Insurance Interview

Hi Judy, thank you for joining us today.

Hi Nir, thank you for having me.

What can you tell us about your background?

I was an insurance coverage lawyer for 25 years, handling large, complex coverage matters, usually on behalf of insurance companies. I was fortunate to have had substantial trial and international arbitration experience. When litigating coverage claims, it becomes readily apparent that the precise wording of the policy is crucially important. Many cases are decided on the basis of a single word or on the absence or inclusion of punctuation. This background has been extremely helpful in my consulting practice, where I assist companies to get better coverages, improved alignment of their insurance policies, and increased clarity of policy language to avoid coverage disputes. I also help companies to better understand their requirements and conditions under the policies so that they can avoid missteps that may jeopardize coverage.

How did you start dealing with Cyber Insurance?

I began dealing with cyber insurance when data breaches and regulatory requirements concerning data protection and privacy began gaining prominence. I already had a strong insurance background, but I also took a number of courses through the Massachusetts Institute of Technology (MIT) on cybersecurity and related issues to assist with counseling my clients about coverage for cyber risks. It must always be remembered, however, that although cyber policies raise new technology and privacy-based issues, they are still insurance contracts. Even though cyber forms are relatively new, many of the terms in cyber policies, and the rules of policy construction, have been the subject of decades, or more, of specialized insurance jurisprudence. I believe it’s very important to understand those issues when selecting a cyber policy.

What is your position on Cyber Insurance policy wording process?

It’s challenging.  There are no standard forms and each carrier’s form is different. This makes policy comparison difficult. It’s vitally important to review every word of a policy before it’s purchased.  The good news is that because the cyber insurance market is soft, insureds often have the opportunity to negotiate for more favorable policy terms. They just need to know what issues to raise with their brokers and/or insurers.

What are some of the challenges you see insurance companies have to deal with when offering a new cyber product?

There certainly are issues when it comes to underwriting new cyber risks. Many insurers have done a good job of creating new coverages to deal with today’s constantly emerging new cyber threats. But unlike with other more traditional risks, insurers do not have decades of data on which to base underwriting decisions.

Do you see many claims? Can you share an interesting example you have seen?

In my experience, the vast majority of claims are paid. But I have seen claims denied when an insured violates a policy condition, such as not obtaining prior consent before making expenditures after an incident. Going forward, I suspect that we may see more insurers challenge claims when they believe the insured provided inaccurate information to the insurers when obtaining coverage. That’s why it’s incredibly important for companies to ensure that any information they provide to an insurer is accurate. They can’t just wing it or guess at responses to insurer questions. It likely will be necessary to get input from a cross-section of stakeholders, including third party service providers, to respond accurately to insurer questions. And if a company doesn’t understand an insurer’s question, it should seek written clarification before responding.

What is your prediction for the market in the next few years?

I expect to see the uptake of cyber coverage continue to increase, both in the US and elsewhere. New regulations, such as the GDPR, increase the stakes for today’s companies, and many small and midsize companies are not well positioned — technically or financially — to deal with a cyber incident or the regulatory fallout. An appropriately designed cyber policy can help these companies successfully take and survive a cyber punch.

Thank you for your time Judy.

Thank you Nir. 

Cyberwrite won the UK TexChange Award for Cyber Innovation

  • Sat, 24 Mar 2018
  • Cyberwrite

Cyberwrite is among the few Israeli companies selected to join an exclusive, immersive delegation to London, including vast networking, business and investment opportunities and access to top industry leaders in London.

According to the UK embassy in Israel: “…only the top 12 startups who applied were selected to join our exclusive delegation to London this September and enjoy an immersive three-day programme including vast networking, business and investment opportunities and access to top industry leaders in the UK from companies and organizations including the National Cyber Security Center, Aviva Insurance, BT, K&L Gates, Taylor Wessing, Goldman Sachs, RBS and Visa.”

https://www.ukisraelhub.com/2017/07/announcing-winners-texchange-2017/

Nir Perry and Inbar Raz on Cyber Insurance Challenges and Solutions

  • Fri, 23 Mar 2018
  • Cyberwrite

Cyber Insurance for SMEs – Challenges and Solutions

By: Nir Perry, CEO of CyberWrite, Cyber Insurance Technologies, and Inbar Raz, Advisor to Cyberwrite.

Inbar is a leader in cyber intelligence research. He worked in cyber intelligence for the Israeli Defence Forces for over 15 years and led Check Point’s (Nasdaq: CHKP) cyber research division.

Inbar Raz – Advisor to Cyberwrite

The impact of Cyber-attacks on small and medium businesses and enterprises.

 

Small and Medium Enterprises are the backbone of our economy, yet they are mostly unprepared to face modern cyber threats. Tailor-made Cyber insurance could help this huge market to mitigate some of the inherent risks in doing business in the digital world, but only if certain challenges are resolved.

Looking at the latest cyber-related headlines, one might mistakenly think that cyber-attacks only target enterprises such as Equifax, Yahoo, and recently Alteryx, a marketing analytics firm, whose breach exposed sensitive information on over 120 million U.S. households. But in reality, smaller businesses are being targeted in increasing numbers, and with growing impact. They are not big or famous enough to make the headlines, but they sure do end up in the statistics.

In recent years, 43% of all cyber-attacks targeted small businesses. 51% of small businesses had sensitive information exposed or stolen according to Symantec and 60% of small companies that suffer a cyber-attack are out of business within six months. SMBs are targeted as much as bigger enterprises but are less prepared to deal with this menacing threat. Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as “highly effective”. It is therefore not surprising that SMEs have become the focus of cyber criminals, since these businesses are less prepared for preventing attacks and responding to them.

During the last year, we’ve witnessed a new global phenomenon: ransomware, malware that encrypts data on infected devices and promises to release it in exchange for a ransom, usually in Bitcoin. These attacks have been damaging for SMEs, with more than one-third of businesses suffering a ransomware attack in the last year, and more than one in five (22%) of these impacted businesses had to cease operations immediately, according to Malwarebytes.

 

The reasons for SMEs’ high exposure

 

SMEs are a preferred target for cyber criminals as they are less secure by nature. Various surveys show that cybersecurity maturity among SMEs is still fairly low compared to that of larger enterprises, although this situation is slowly improving. Even when SMEs acknowledge cyber risks, they still face serious challenges which set them apart from enterprises and impair their ability to properly mitigate cyber risks:

  1. Costly investment: Enterprise-grade cybersecurity solutions involve costly licensing, substantial setup investment and high maintenance costs that are usually outside the reach of SMEs.
  2. Lack of skilled manpower and technical expertise: Sophisticated security systems require skilled and experienced IT experts, who are difficult to recruit and place a heavy burden on payroll expenses.
  3. Minimal protection capabilities offered to SMEs: Security solutions tailored for SMEs (some of them free versions of security tools) simply do not offer the same level of protection as high-end solutions.
  4. Lack of guidance and standards: In some areas, clear standards are available (such as PCI-DSS compliance), but hardly any industry-wide standards are available, at least none that SMEs can interpret by themselves.

 

With the ever-growing sophistication of cyber criminals and businesses adopting new technologies, small and medium companies will continue to be an easy target for the foreseeable future.

 

How can cyber insurance help SMEs mitigate the risk

 

According to a recent article, cyber insurance is one of the fastest-growing coverages for U.S. companies. In fact, according to Fitch Ratings, one of the world’s largest credit rating agencies, the market for cyber insurance grew thirty-five percent. The cost of a potential breach and the need for insurance coverage are some of the factors impacting purchasing decisions, as illustrated by Hiscox, a large insurance provider.

And yet, adoption of cyber insurance among SMEs is low, with some estimates of a penetration rate as low as 5 percent or less. Below are some of the reasons for the current low adoption rate:

Trust

According to a recent survey by Hiscox, trust in cyber insurance policies and underwriters is currently low, with almost a third of responders saying they are not sure they will be paid in the event of a cyber breach. Some industry statistics do show discrepancies between the direct costs and insurance payouts. Another factor hampering trust is that insurance policies are perceived as too complicated for the customers. More than one in six (17%) of those who have no plans to take out cyber insurance stated this as the main reason. Many cyber insurance policies include multiple exclusions that reduce the value of the policy and deter potential clients from purchasing these policies, as these reduce the trust that underwriters will actually pay when a breach occurs.

Complexity

Cyber insurance policies are complex and include many exclusions. They are hard to understand for non-technical readers and, even worse, the agents who sell them lack, in most cases, the know-how to sell the product to customers. In addition, different types of customers have different coverage needs. Current policies are usually “one size fits all” and are not tailored to each business, with standard sub-limits offered to all customers. This is a problem since for some customers, for instance, confidentiality is more important than availability due to possible business impact. This is not currently addressed well.

Lack of regulation

Cyber insurance is not mandatory. Many business owners who don’t see the value would rather invest elsewhere until required to by law or regulation. In addition, cyber insurance is a fairly new product in its current version, and is not fully understood by many business owners. Following the same mentality as other non-mandatory insurance policies, many will only purchase it after the first breach or incident they suffer.

Perceived risk vs. Cost of insurance

Perhaps one of the bigger hurdles on the way to mass adoption of such policies is the fact that ordinary people know very little about cybersecurity, and cannot estimate the actual risk (or exposure) they face from cyber activities. When the risk is not fully understood or is not tangible enough (at least not when compared to everyday insurance like car and health), the value of the insurance meant to offset it is harder to quantify, thus making the insurance seem expensive.   

 

Some of these reasons, such as trust and complexity, can be addressed by a tailor-made underwriting process which takes into consideration the customer’s needs and adapts the coverages, exclusions, and sub-limits to fit the customer. Such a policy offering will improve customer satisfaction and will also enable better control of risk levels for the insurer.

CyberWrite has set out to solve the underwriting and digital customer engagement challenges related to SMEs.

The challenges of engaging business owners and managing the underwriting process are a barrier to winning the market. CyberWrite, a company dedicated to the creation of cyber insurance technologies, is offering a solution for SME underwriting. Here are some of the challenges:

Classic risk assessment process is old-fashioned and non-scalable.

Most client risk assessments are conducted in an old-fashioned manner. On-site evaluations conducted by expert teams are a reasonable approach when assessing large enterprises with big IT departments and multiple assets, but are impractical when aiming at smaller clients. SMEs are interviewed over the phone or answer questionnaires over email, in a process conducted by insurance agents who are not cyber experts. Both methods have their downsides: the need to send a team of experts impacts the cost of the underwriting process, the time it requires and the burden on the client. Sending a questionnaire over email is cheap but results in an inherently inaccurate and qualitative assessment which is hard to benchmark. Both are human-centric and suffer from inherent biases and inaccuracies.

Risk assessment process is too generic and lacks historical data analysis process suited for cyber.

In addition to being conducted manually, the assessment process is generic and does not take into consideration important factors that affect the clients’ exposure.

Research shows that many carriers lack sufficient historic or credible data. As a result, many insurers use a “flat rate”, a Base Rate with Modifications (client size, turnover, etc.) or Industry Classification (in an attempt to control for risks to the insured based on the industry in which the client operates).

Risk score presented to the client is a generic cyber-risk score, not a cyber insurance-centric one

The would-be clients are presented with a cyber risk score, but that is not an easily understandable tool for explaining their exposure, nor do they understand how it is tied to the proposed policy. It is a cyber security score and as such uses cyber terminology and data they can’t understand or relate to, so they certainly cannot make an educated decision regarding the cyber insurance required to match the risk score.

The Cyberwrite solution:

Cyberwrite tackles the issues above using a combination of cutting-edge technology and a business model. The platform Cyberwrite developed allows underwriters to conduct very quick, accurate assessments, with little to no input required from the client. This frictionless, scalable approach is quite the opposite of sending a team of experts and interviewing the client’s IT manager. In a nutshell, Cyberwrite’s system collects open-source information available on the client, cross-references it with the client’s geography and business sector and rapidly arrives at the following:

  1. Coverage scores
    An accurate benchmarked cyber insurance score (as opposed to a generic cyber-risk score). This coverage score is presented to the client, showing the areas where exposure is more likely to occur, and which therefore should be offset by adequate insurance coverage for that business risk. This tailor-made approach provides the insurer with an analytic tool to match the coverage to the risk, using machine learning algorithms to connect cyber-risk parameters to insurance coverages.
  2. Expected monetary damage
    The system calculates the expected damages for the company in the event of a breach, making it possible to set sub-limits according to client size, business area, and perceived risk.
  3. Fine-tuned coverage
    By scoring the coverage and calculating the expected monetary damage, both the client and the underwriter can adjust the policy to best suit their needs.

This data-driven approach provides a granular assessment, which in turn translates into a tailor-made policy and reduces the need for exclusions. Fewer exclusions mean that the client is more confident and will be more likely to purchase the policy.

The Cyberwrite technology makes it possible to conduct numerous concurrent assessments and quickly map clients on a risk scale.

Another benefit of the system is that it creates standardization across all business types and sectors: inaccurate assessments (due to missing client information, insufficient time to assess, human biases, etc.) are a thing of the past, and both underwriters and clients can feel confident that the policy fits the actual exposure of the client, is properly quantified and will provide the needed coverage in times of need.

 

Cyber insurance is a growing market with huge potential. To date, underwriters have not been able to achieve significant traction within the largest segment of the commercial sector, the Small and Medium Enterprises, mainly due to their reliance on outdated evaluation techniques which led them to offer “cookie cutter” policies that are not considered comprehensive or valuable enough for the end clients. By using a data-driven approach and utilizing the latest in machine-learning and big data technologies, underwriters can improve their evaluation process, offer tailored policies to a much larger audience and grab a larger share of this huge, underserved market.