
Cyber Risk Scores vs. Cyber Risk Ratings – Which Is The Right One For You?

  • Thu, 23 Sep 2021
  • Cyberwrite

Corporations have typically relied on cyber risk ratings to analyze the risk third parties pose to their organization. However, risk ratings miss an important piece of the risk analysis process: they analyze the third party’s risk in isolation and do not take into consideration your organization and the unique characteristics of its engagement with each third party.

Risk scores, on the other hand, are a different way of measuring risk which reflects and focuses on the corporation’s own risk due to working with any given third party as opposed to the third-party’s risk to itself.

No business is an isolated island. Whether you work in finance or hospitality, agriculture, healthcare, or any other sector, you undoubtedly interact with various third parties – suppliers, partners, customers, and others – perhaps thousands of them. By necessity, doing so involves sharing sensitive regulated information – whether it’s PII (Personally Identifiable Information), medical records subject to HIPAA regulation, or credit card details regulated by PCI-DSS. Once the sensitive data is out of your hands and is processed by a third party, you can no longer protect it, but you are still responsible for it. Your interactions with these third parties may also create dependencies that can impact the availability of your services.

According to one report, in the past 12 months, 80% of organizations experienced a cybersecurity breach that originated from vulnerabilities in their third-party vendor ecosystem. The implications of such a cyber incident for your business could be costly – one recent report found that a compromised third party causes an average of $7.5 million worth of damages. But it could be much more – in 2019, Capital One had to pay $80 million when the former employee of a third-party vendor stole critical information, while a cyber breach at Home Depot, in which employee credentials were stolen from a third party, resulted in $179 million in damages.

How third-party cyber risk is typically computed

Typically, organizations tend to rely on risk ratings to identify the risk of a third party that they deal with. These ratings are usually based on an assessment of either external or internal data, collected by the third-party risk rating companies. External data is taken from open-source intelligence (OSINT) and may include details of the third party’s attack surface, their digital exposure, historical data of actual security incidents and more. Internal data comes from the third party itself and may include details about what countermeasures the third party is taking to reduce their risk. This information forms the basis of the third-party risk rating. 

So what’s the problem?

The issue with risk ratings can be illustrated in an everyday risk we can all relate to: crossing a road. This common activity poses a very different risk to a child, an elderly person or an adult – not because the road is different, but because of the specific characteristics of each of these pedestrians. 

It is the same with third-party risk. A specific third party may pose a higher risk to your organization than it does to others, due to factors such as your business and technological dependency on that third party, the type and amount of sensitive data you share with them, and other factors. To discover the actual risk posed to your organization, it’s not enough to simply look at the risk rating of a third party.  In order to understand a third party’s risk to your organization, your own context, dependencies, and characteristics of engagement with the third party must be considered as an integral part of the risk analysis process.

What risk ratings don’t tell you

First and foremost, risk ratings focus on the third party’s own risk. As demonstrated in the road-crossing example above, they do not account for the nature of your relationship with the third party or the risk of working with it. The risk posed to your organization might be very different from the risk posed to other companies the third party works with – this is not reflected in risk ratings.

In addition, risk ratings are in many cases a sort of balanced scorecard of a company’s external security posture in which, if the third party does everything correctly, they will get a high score – and vice versa. In reality, companies that had great security have suffered significant breaches, since it only takes one security issue for a short period of time to enable malicious actors to gain access to critical systems. In such cases, the risk ratings may not reflect such risk.

Some risk ratings don’t utilize benchmarking analysis. It may be that an organization that has a good external posture will get a good rating, but organizations with a similar external posture were breached, and this data should be taken into consideration in the risk analysis process. 

Taken in isolation, on a scale of 1 to 100 (higher is better), a rating of 45 appears to be low. But it could be that the median rating of comparable organizations is 33 (due to the risks associated with the sector and geography they operate in), in which case the third party is actually doing better than the industry median. 

It’s also important to bear in mind that risk can never be entirely eliminated. Even a company with a very high risk rating, reflecting low risk, is not 100% safe from a breach – just one error by an IT professional can cause a breach. Inherent risk scores take this into account: even if the organization has a high residual risk score, the inherent risk score still reflects the actual risk of a company suffering a breach, based on data of what happened to other similar companies in the past.

How risk scoring fills in the gaps

Risk scores tailor the risk assessment to the unique characteristics of your relationship with each third party, by considering the actual dependencies with the third party. Risk factors such as what type of data you share with the third party and how many records, how dependent your business is on that third party’s IT systems, and how many employees the third party has are all taken into account, both so that the third party is benchmarked against similar third parties for risk scoring purposes and so that the risk score reflects the relevant context of your relationship with the entity under review.

Risk scoring puts risk into context. It begins by considering both internal and external data to create both an inherent risk score and residual risk score. Inherent risk is based on who they are and what happened in the past to similar organizations. Residual risk takes into account the risk mitigation efforts which the third party carries out. The delta between the two scores represents the actual risk reduction achieved by the third party, providing 360-degree visibility based on both external and internal data, which is critical for the purpose of accurate risk analysis. 

If, for example, the third party under review is a bank, it may have an inherent risk score of 25 (1-100, higher is better), signifying that similar banks had an incident or a breach. But, after completing a risk survey, the residual score calculated is 87 – a much better reflection of their investment in protecting your data. By combining both inherent and residual risk scores, you can better understand the risk levels posed by the third party and how they mitigate such risk.

Finally, to provide the highest value to your organization, a risk score should be combined with economic impact analysis. Utilizing a data-driven quantitative approach to predict the economic impact each third party may have on your company, with an actual monetary cost attached, enables you to consider impact as part of the risk analysis process. Once you have an economic impact assigned to each third party, combined with the inherent and residual risk scores, you can take firm action and focus on those third parties that pose the highest risk to your organization.

By using a more nuanced, tailored approach, risk scores focus on what matters most to you – your own risk, while risk ratings focus mainly on the risk posed to the third parties. 

To find out how Cyberwrite enables you to calculate a risk score for any third party, request free access now.

Munich Re’s HSB renews Cyberwrite risk platform subscription

  • Mon, 28 Sep 2020
  • Cyberwrite
HSB Provides Tailored Cyber Insurance with Cyberwrite's Cyber Risk Analytics Platform

NEW YORK, Sept. 23, 2020 — Cyberwrite, a leading cyber risk analytics firm, and HSB announced today that HSB is renewing its subscription to Cyberwrite’s cyber risk financial quantification platform to offer tailored cyber insurance policies to businesses across the US.

Amid the dramatic increase in remote workforces and rise in cyberattacks since the start of the COVID-19 pandemic, cyber insurance, which protects businesses against the financial damages of cyber risks, is expected to reach $8 billion in annual premiums by the end of 2020.

Cyberwrite mitigates this gap by providing the capability to quantify, benchmark, and mitigate the financial cyber risk posed to businesses across industries. The cyber risk analytics platform is based on proprietary AI and machine learning algorithms developed by the company as well as state of the art threat intelligence and attack surface mapping capabilities. Cyberwrite’s platform helps businesses globally to quantify the potential damages of cyber risks and provides recommendations for mitigation before they materialize. The Cyberwrite platform also enables insurance carriers to underwrite cyber insurance policies in real-time and manage risk aggregation and accumulation.

The platform requires zero integration which enables fast adoption and is available in multiple languages including Japanese, Portuguese, Italian, and more. 

As part of the agreement with HSB, Cyberwrite has tailored its predictive algorithms to the HSB cyber insurance policy for optimized accuracy. HSB’s Cyber Suite and Total Cyber coverages offer a comprehensive cyber insurance program to provide protection from a wide range of cyber risks. As part of this value proposition, Cyberwrite delivers a simple to understand one-page risk report for the following coverages which HSB offers including benchmarking to industry peers:

  • Data compromise response expenses
  • Data compromise liability
  • Identity recovery
  • Computer attack including business interruption
  • Misdirected payment fraud
  • Computer fraud
  • Cyber extortion
  • Network security liability
  • Electronic media liability

“We are delighted to renew our engagement with HSB for the Cyberwrite cyber analytics platform. Cyberwrite has provided HSB with a tailored solution to HSB’s Cyber Suite and Total Cyber policies to provide businesses with a tailored cyber risk report that reflects their risks and financial exposure to cyber-attacks.” said Nir Perry, CEO of Cyberwrite.

Rami Parient, Chief Data Scientist at Cyberwrite added: “The lack of data and advanced models required to quantify the financial impact of cyber risk is an issue for companies worldwide. For this reason, our financial cyber risk quantification and benchmarking technology is fundamental for the insurance industry and decision-makers everywhere when dealing with cyber risk.”

Steve McWilliams, Cyber Risk Services Manager at HSB, concluded: “Cyberwrite has been a great partner to work with and they have a solid understanding of the cyber risks that all businesses face in today’s world. Their platform helps us to quantify and manage our cyber risks across HSB’s portfolio of customers.”

About HSB
Hartford Steam Boiler (HSB), part of Munich Re, is a multi-line specialty insurer and provider of inspection, risk management and IoT technology services.

HSB insurance offerings include equipment breakdown, cyber risk, specialty liability, and other coverages. HSB blends its engineering expertise, technology and data to craft inventive insurance and service solutions for existing and emerging risks posed by technological change. Throughout its 150 year history, HSB’s mission has been to help clients prevent loss, advance sustainable use of energy and build deeper relationships that benefit business, public institutions and consumers. HSB holds A.M. Best Company’s highest financial rating, A++ (Superior). Connect with HSB on LinkedIn, Twitter and Facebook.

About Cyberwrite
Since 2017 Cyberwrite’s AI solutions have enabled corporations worldwide to assess and quantify the risk and financial impact of cyberattacks on businesses. The company was founded by cybersecurity and insurance industry veterans and is backed by VC firms SpeedInvest, Plug&Play, and 500startups. Cyberwrite has offices in New York and in Tel Aviv, Israel. For more information visit www.cyberwrite.com.

Cyberwrite Awarded Most Innovative Cyber Risk Modeling Technology Firm by Frost & Sullivan.

  • Tue, 18 Aug 2020
  • Cyberwrite

Cyberwrite’s predictive analytics algorithms calculate the likelihood of a cyberattack specific to the company and predict the type and amount of financial losses resulting from a cyberattack.

SANTA CLARA, Calif., Aug. 18, 2020 /PRNewswire/ — Based on its recent analysis of the global cyber risk modeling market, Frost & Sullivan recognizes Cyberwrite with the 2020 Global Technology Innovation Leadership Award for its real-time, on-demand Cyber Risk Quantification & Mitigation Platform. The company’s proprietary machine learning (ML)-based algorithms and actuarial science-powered solutions enable real-time and on-demand cyber risk analysis and financial impact assessment using advanced algorithms and a simple-to-understand reporting system suitable for businesses of any size. Cyberwrite’s software-as-a-service (SaaS) solution assesses cyber threats and exposure to first- and third-party cyber risks while proactively enabling data-driven decisions regarding cybersecurity improvements. The technology supports the cyber profiling of businesses of all sizes, including small- and medium-sized businesses (SMBs) and micro-companies.


“In addition to customer-specific data which is monitored and collected in real time, Cyberwrite’s risk models also consider the external and inherent risk factors of a company, including its geography, sector, and operational risks, enabling an analysis of the actual risks posed to the company, not just technical-driven risks offered by legacy cyber risk solutions. Even if a company is not in the pool of companies Cyberwrite has already profiled, it can be added within minutes by any non-technical user, and a simple-to-understand report, including projected financial damages and risk scores, is delivered in real time. It is one of the few solutions that can also profile micro-companies and provide them with a financial loss estimation, even if a company does not have an online presence,” said Vinay Venkatesan, Program Manager at Frost & Sullivan. “Furthermore, as Cyberwrite’s ML technology can include new and updated risk scenarios, its platform remains accurate and relevant over time as cyber risks continue to evolve.”

Cyberwrite’s solution automatically collects data from the Internet related to attack surface, the dark web, and proprietary cyber risk and digital risk-based data related to each entity, which is used as classifiers in its exclusive ML models and translated into benchmarked risk scores to similar industry peers, providing visibility of the company’s risk levels for each risk type. In addition, Cyberwrite utilizes data related to historical cyber damages and current regulatory fines and risks that organizations have to manage to construct a comprehensive cyber risk benchmarking report used for use cases, such as cyber insurance, supply chain vendor risk management, and financial analysis of cyber risks for companies of any size.

The multi-lingual platform available in five languages is used worldwide by corporations and insurance companies to assess cyber risks posed to their clients. Multiple insurance firms utilize Cyberwrite’s platform and application programming interfaces (APIs) to underwrite cyber insurance policies for SMBs and corporations in real time and to enable their agents and brokers to explain financial risks to customers for engagement purposes in a simple manner. Moreover, the platform is used for managing aggregated risks on different books of business. By assessing and scoring risks using the advanced algorithms verified by the insurance industry, the solution now enables corporations requiring a third-party vendor risk analysis to understand their exposure to both financial and technical cyber risks.

“As a company operating in an emerging market, Cyberwrite understands the challenges in gaining customers’ trust while providing accurate and actionable data on an ever-evolving environment,” noted Venkatesan. “With its innovative, unique technology-driven solutions, it allows clients to identify financial risks, mitigate those risks in an actionable manner, and understand the potential impact of a cyber incident and budget remediation actions.”

Each year, Frost & Sullivan presents this award to the company that develops a product with innovative features and functionality that is gaining rapid acceptance in the market. The award recognizes the quality of the solution and the customer value enhancements it enables.

Frost & Sullivan Best Practices Awards recognize companies in a variety of regional and global markets for demonstrating outstanding achievement and superior performance in areas such as leadership, technological innovation, customer service, and strategic product development. Industry analysts compare market participants and measure performance through in-depth interviews, analyses, and extensive secondary research to identify best practices in the industry.

About Frost & Sullivan

For over five decades, Frost & Sullivan has become world-renowned for its role in helping investors, corporate leaders, and governments navigate economic changes and identify disruptive technologies, Mega Trends, new business models, and companies to action, resulting in a continuous flow of growth opportunities to drive future success.

Kristen Moore
P: 210.247.3823
E: kristen.moore@frost.com

About Cyberwrite
Since 2017 Cyberwrite’s AI solutions have enabled corporations worldwide to assess and quantify the probability and financial impact of cyberattacks. The company was founded by cyber security and insurance industry veterans and is backed by VC firms SpeedInvest, Plug&Play and 500startups. Cyberwrite has offices in New York and in Tel Aviv, Israel. For more information visit www.cyberwrite.com.

SOURCE Frost & Sullivan

Cyberwrite Research for Mastercard Shows: Cyber-Attacks on Israeli Local Municipalities May Lead to an Aggregated 4.5B ILS in Damages

  • Thu, 27 Feb 2020
  • Cyberwrite

February 26, 2020 09:00 AM Eastern Standard Time

TEL AVIV, Israel–(BUSINESS WIRE)–Cyberwrite, in collaboration with Mastercard, shared insights from recent cyber-risk financial impact research which reveals that cyber-attacks on local municipalities and regional councils in Israel may lead to aggregated damages estimated at 4.5 billion New Israeli Shekels.

Cyberwrite, a leading cyber risk modeling firm specializing in the quantification of financial damages caused by cyber-attacks, has utilized its technology to collect open-source intelligence and model the cyber risk municipalities are exposed to using its proprietary AI algorithms. Cyberwrite has recently been selected to participate in Start Path, Mastercard’s award-winning startup engagement program, and is providing its technology to businesses worldwide. The company’s solutions and technology are simple to use and involve zero integration.

As part of this collaboration, Cyberwrite generated cyber-risk reports for 251 local municipalities and regional councils in Israel which include risk benchmarking and financial damage estimation for different risk types. The study found that 5 of Israel’s largest cities are exposed to potential aggregated damages valued at 650M ILS. The financial damages stem mainly from risks such as theft of residents’ information, loss of information records, digital theft, disabling public services and more.

The study also found that user login credentials of Israeli local municipalities’ employees and contractors were commonly found on the dark web. Municipalities are the first on the list with an average of 17 stolen user credentials, while regional councils had an average of 11 credentials found online.

Nir Perry, Cyberwrite’s CEO, mentioned that: “Municipalities in the United States and Europe are subject to constant cyber threats. In the first nine months of 2019, over 600 successful cyber-attacks on municipalities and urban authorities in the United States were identified. This is a global trend that is likely to affect municipalities world-wide and the privacy of their citizens alike. Many municipalities are also purchasing cyber insurance policies to cover some of the damages in case of a cyber incident.”

Omer Unger, Mastercard’s Israel manager, said: “Mastercard is expanding its cyber services to provide its global customers with the best and most innovative services. This is achieved by collaborating with Israeli Cyber companies, by the global acquisition of cyber companies, and through the establishment of cyber centers around the world, such as The Cyber Centre in Vancouver, Canada, which was announced by Mastercard in collaboration with the Canadian Government during last week’s World Economic Forum.”

About Cyberwrite

Founded in 2017 by cyber risk and insurance industry veterans, Cyberwrite is a leading technology provider enabling businesses world-wide to quantify their financial exposure to cyber risk using proprietary AI algorithms. Using the Cyberwrite solution, companies can predict their potential financial exposure to cyber-attacks and benchmark it to industry peers. Cyberwrite is backed by Austrian VC firm Speedinvest as well as by Silicon Valley based 500 Startups and Plug & Play Ventures. The company has offices in the US and Israel. Visit Cyberwrite at www.cyberwrite.com.

About Mastercard

Mastercard (NYSE:MA), www.mastercard.com, is a technology company in the global payments industry. Its global payments processing network connects consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. Follow Mastercard on Twitter @MastercardAP, join the discussion on the Beyond the Transaction Blog and subscribe for the latest news on the Engagement Bureau.

Cyberwrite Identified as Top 10 Insurtech by Accenture’s Customers in the NY Fintech Innovation Lab

  • Wed, 13 Feb 2019
  • Cyberwrite

Accenture Fintech Innovation Lab identified Cyberwrite as one of only 10 Insurtechs to present to its customers in Feb ’19.

Out of over 250 candidate companies, Accenture’s insurance customers have identified Cyberwrite as one of only 10 which presented in February 2019 in NY in front of representatives from the insurance industry.

The FinTech Innovation Lab is an annual 12-week accelerator program that brings together early-stage financial technology companies and the world’s leading financial institutions.

Cyberwrite’s solutions for Cyber Insurance digital customer engagement, cyber insurance underwriting for SMBs and aggregated risk management are used by leading carriers in the US and Europe.

Nir Perry, CEO of Cyberwrite presented the Cyber Insurance Underwriting solution at the Fintech Innovation Lab in New York.