For the underwriting toolbox, security ratings from BitSight

By Chad Hemenway on October 3, 2014

Ira Scharf, BitSight’s chief strategy officer

BitSight Technologies said it has devised a way to rate a company’s cybersecurity performance — allowing insurance companies to make better underwriting decisions.

BitSight Security Ratings for Cyber Insurance is a “first-of-its-kind” solution for underwriters and brokers, said the Cambridge, Mass.-based information security firm.

The insurance industry has been asking for a way to model cyber risk. BitSight’s security ratings, ranging from 250 to 900, give insurers access to a data-driven measurement in order to quantify the risk and adjust coverage and premium.

“Instead of the questionnaires and interviews, insurers will have the ability to view their entire book’s security performance over the last 12 months and compare,” said Ira Scharf, chief strategy officer at BitSight. “Insurers and brokers can average risk and calculate how it has changed over time for a particular company — an insured or an applicant — and compare performance to that company’s peers.”

Scharf said Liberty International Underwriters has signed on to use the ratings and other insurers are evaluating the underwriting tool.

Scharf said BitSight, which is constantly monitoring and analyzing publicly available data gathered from sensors across the globe, can often see signs of breaches before there is a loss — before there is a theft of data. For instance, Scharf said BitSight saw a spike in malicious activity at retailer Target two months before the company sustained losses.

“Insurers will be able to alert policyholders throughout its network of security threats,” Scharf said. “Insurance companies can play a role in averting a theft of insured’s data, preventing a loss claim. That’s a win-win.”

Ratings are updated daily, Scharf said. Users are alerted if a score drops 5 percent on any given day.

With the system, underwriters and brokers are also able to see how a company handles a breach, since duration is considered within the rating.

“How long did it take for a company to mitigate the problem? Now it is possible to see if a company has a plan,” Scharf said. “Then you can compare. Two companies may look the same on paper but one is getting better results. Why?”

BitSight tracks and has security history on tens of thousands of companies. This history includes breaches that have not been publicly disclosed. Ratings are normalized based on the size of the company, since this typically indicates the size of its internet footprint.

If an insurer were to ask about a company BitSight hasn’t tracked, Scharf said the company can create a rating after going back to map a prospective insurance client’s footprint.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].