Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyber Insurance

AXA Partners With SecurityScorecard to Set Cyber Insurance Premiums

AXA Will Use Ratings From SecurityScorecard to Help Set Premiums for Insurance Agreements

AXA Will Use Ratings From SecurityScorecard to Help Set Premiums for Insurance Agreements

Cyber insurance is a problem. It is a new industry with huge potential but great difficulties. Getting premiums right is an example — the cyber insurer needs to fully understand the financial risk it incurs in able to set premiums high enough to cover the risk and still make a profit, but low enough not to kill the market.

Steve Durbin, managing director of the Information Security Forum, describes the problem. “We have already seen that the financial impact of some information security risks is being transferred through cyber insurance,” he told SecurityWeek.

“However, moving forward, I anticipate that several large data breaches will expose aggregated risks and cause insurers to suffer significant financial losses. As a result of this mispricing debacle, several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organizations, and the market will contract and take several years to recover.”

Quite simply, data breaches are happening with increasing frequency (another 92 million passwords exposed by MyHeritage this week). At the same time, the cost of recovery continues to escalate rapidly, and the quantity and severity of cyber regulations, such as GDPR, is expanding.

The insurance industry traditionally relies on actuarial tables — effectively a database of experience — to set its premiums. While insurance companies are currently busy compiling such data on historical breaches, they have nothing like the depth of, for example, motor insurance actuarial tables.

“Currently, most policy premiums are based on self-assessments,” comments Greg Reber, CEO at consulting firm AsTech. This leads to its own problems. False assessments, even unintentional errors, could lead to reduced payouts in extremis. It is a strange irony that the best premiums will only be obtainable by the organizations that least need to transfer their risk to the insurance industry. At the same time, any companies that seek to rely on insurance alone to handle their risk are likely to come unstuck.

SecurityScorecard and AXA (the world’s largest insurance company) believe they have found a solution to the premium problem. SecurityScorecard is a firm that rates the cybersecurity posture of web-enabled firms. It does not wait to be asked — and the result is a growing database of independent security ratings on the world’s web-enabled businesses. Currently, it continuously monitors more than 200,000 businesses and gives them a security score from A to F. Empirical evidence suggests it works: “Companies that rate as a D or F are 5.4 times more likely to be breached than companies that rate as an A or a B,” claims the company.

Advertisement. Scroll to continue reading.

AXA has now entered an agreement with SecurityScorecard to have access to these ratings, and will use them to help set the premium for its insurance agreements. “The SecurityScorecard platform,” explains Scott Sayce, global chief underwriting officer of cyber at AXA, “will help us rapidly evaluate companies to understand their cyberhealth and provide our underwriters with crucial information needed to evaluate an insured’s risk.”

“AXA and SecurityScorecard are pioneering the cyber insurance industry,” adds Aleksandr Yampolskiy, CEO and co-founder at SecurityScorecard. This partnership demonstrates the value of the SecurityScorecard platform and the trust top business leaders have in our score. Our vision is to create a ubiquitous language for cybersecurity that facilitates collaboration and communication between business partners.”

Rather than relying on subjective, manual self-assessments from the customer, “They’re going to be using the objective, automated, security metrics that we provide to make their insurance decisions,” Yampolskiy told SecurityWeek. “They will feed that data into their algorithms and then decide, do I increase the premium because the customer’s security posture looks risky, do I lower the premium, or maybe in some cases do I just flat out refuse to provide the cyber insurance?”

Our data, he continued, provides “objective measurements to create the scientific basis for making those insurance decisions. AXA plans to start underwriting thousands and thousands of European businesses.” It is the small to medium sized business that most needs cyber insurance. “If you’re an Equifax or a Target and you get hacked,” continued Yampolskiy, “you might survive. But if you’re a small company, you will not. So, AXA is planning to start using our technology to start making those cyber insurance policies that apply to thousands of those businesses,” The advantage for those small businesses is they will be able to realistically set premiums, but will also learn their SecurityScorecard rating. “And that provides a lot of reciprocal benefit,” he added.

Will this relationship be enough to kickstart a serious cyber insurance industry? It will probably happen anyway, but it may take time if left to its own devices. SecurityWeek asked Yampolskiy if cyber insurance might join the ranks of other insurances that are required by law. 

“My belief is, yes,” said Yampolskiy, “at some point in the future. We’ve reached the point where all companies are part of a larger interconnected ecosystem.” He raised the example of Target, a large company breached through a small member of its supply chain. Target lost millions of dollars because of a smaller company, that would not of its own resources be able to provide recompense. “It’s hard to predict the future,” he said, “but I can see a time when all companies are required to have cyber insurance.”

By providing a scientific basis for the insurance industry to use for premium-setting, Yampolskiy believes SecurityScorecard and AXA are moving the market toward the time when cyber insurance is not merely standard, but possibly required.

SecurityScorecard is based in New York. It was founded in 2013, and raised $12.5 in Series A funding led by Sequoia Capital in 2015; $20 million Series B in 2016; and $27.5 million Series C in 2017. Its stated mission is “to empower every organization with collaborative security intelligence.”

Related: European Insurers Discover Cyber Protection Market 

Related: Cyber Insurance Market to Top $14 Billion by 2022: Report 

Related: U.S. Government Cybersecurity Ranks 16th Out of 18 Industry Sectors 

Related: Consortium Promotes Principles for Fair and Accurate Security Ratings 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...