Software Engineering Institute

The cyber insurance market is expected to reach $21.4 Billion in revenue by 2025, representing market growth of 27.2%. As this relatively new area for insurance has grown, some companies offering cyber insurance have invested in developing cybersecurity scores to help them make more accurate assessments of policyholder cyber risk and create and offer services with their policies.

Cybersecurity scores like the one we’ve developed at Corvus Insurance provide insights into, and a detailed analysis of, the security posture of any organization. The way they are used for insurance is comparable to the way that a bank uses financial credit ratings to assess a borrower: a poor credit rating is associated with a greater probability of default, just as a poor cybersecurity rating is associated with a higher probability of sustaining a data breach or other adverse cyber event. These ratings are valuable for vendor risk management programs, determining risk premiums for cyber insurance, credit underwriting and financial trading decisions, M&A due diligence information, executive-level reporting, and self-monitoring. Cybersecurity ratings and the extensive information on which they are based are also helpful for assessing compliance with cybersecurity risk standards.

To develop an accurate and useful cybersecurity score, we need a holistic understanding of the risk environment. In this talk, I will discuss the typical avenues companies currently use to determine cyber risk. I will then provide insight into the requirements for accurate cyber risk scoring, including the collection of real-world data to develop, test and evaluate risk. Finally, I will discuss the gap between data and decisions: how we can begin to abstract away low-level knowledge and labor-intensive tasks and develop true insights into our security posture and the cyber risk environment.