Cracking the Code on Cyber

At-Bay recently published a report on ransomware. Can you summarize the findings for us?

Our new report explores the dynamic nature of cyber risk, which is quite different from traditional insurance risks. With cyber, an insured business can have excellent security controls in place yet still go from being secure to fully exposed at a moment’s notice. That volatility is at the heart of the cyber insurance industry’s battle against ransomware.

Overcoming ransomware is really about identifying new vulnerabilities as they emerge and swiftly mitigating those risks before an attacker can exploit them. At-Bay accomplishes this through active risk monitoring, which is a combination of frequent security scans to detect vulnerable businesses in our portfolio and an in-house team of security experts who help businesses and their brokers resolve the issues. Through active risk monitoring, we have seen a dramatic reduction in ransomware in At-Bay’s portfolio, achieving a ransomware claims frequency that is seven times lower than the industry average.

What type of vulnerabilities are you looking for, and how do you mitigate those risks?

Active risk monitoring allows us to detect hundreds of potential vulnerabilities, though we place a lot of emphasis on open remote desktop protocol (RDP) ports and vulnerable software running on publicly facing devices. These two security issues are among the most common attack vectors, and, together, they account for 65% of all ransomware attacks.

Some insurance carriers depend on a one-time scan at the time of underwriting to assess cyber risk, but we have discovered that an overwhelming majority of security issues arise after a policy binds. Take RDP, for example: Through our active risk monitoring, At-Bay has learned that one-time scans miss 80% of the RDP vulnerabilities that emerge during a policy—and the only way to identify and mitigate that type of risk is with frequent security scans.

Similarly, when a new software vulnerability is publicly disclosed, attackers work quickly to exploit it before a business can patch the software. Research shows that, on average, 80% of businesses will remediate the issue within five months, which gives attackers a large window of opportunity to find and attack them. However, we have shown that, with active risk monitoring, 80% of At-Bay’s insureds remediate software vulnerabilities in just one month. That’s the power of active risk monitoring: frequent scans and an in-house team to support our insureds actually expedites software patching by 5x, reducing the window of opportunity for an attacker and preventing claims.

Where do brokers fit into At-Bay’s equation?

Brokers play a crucial part as risk consultants to our insureds. Oftentimes, customers leverage the broker’s knowledge of insurance products and lean on the broker to tell them which product they should choose, especially when it comes to a technical policy like cyber. It’s important for us to have brokers articulate to the insured the consequences of major breaches from both a technical and financial perspective.

What are your thoughts on the current hardening market?

We are seeing a dramatic increase in pricing and, at the same time, a dramatic depletion of coverage and limits. While ransomware has undeniably increased in both frequency and severity, I believe it only accounts for a portion of the increase in prices. The rest, in my view, is self-inflicted volatility.

The insurance industry takes too long to learn how cyber risk has changed, then overreacts to those changes to compensate for both the delay and accumulated losses, as well as their own lack of confidence in understanding the risk. One of the added benefits of our active risk monitoring is that it also serves as a feedback loop that provides us with immediate security insights. Those insights allow us to be nimble and make better underwriting decisions, which is why At-Bay has achieved such strong results in overcoming ransomware.