How to close the cyber model exposure gap facing SMBs
Industry leaders come together to propose a solution
Examining the current limitations in cyber CAT modeling for the SMB segment, the report found that small and medium-sized businesses (SMBs) now represent 45% of cyber market exposure, a 45% increase from five years ago. It also highlighted that the increasing share of SMBs in the cyber insurance market requires accurate measurement of their integration capabilities for effective leverage and risk management.
Understanding cyber risk for SMBs
Discussing the research, report author Jess Fung, MD and North American cyber analytics lead at Guy Carpenter, highlighted the limitations of current cyber cat models, particularly in accurately assessing integration risk in SMBs. It is the industry's role to find a way to address that emerging limitation, he said, while cyber cat modeling vendors continue to find better ways to refine their models.
“We have to be aware of the large number of these types of cyber cats that have been brought to the insurance industry to help them understand the pooling of exposures, and help them figure out how much risk they want to take and how much money they want to spend online,” he said. “As we know, SMB is a huge potential growth area for companies that want to enter this vulnerable area. [That’s why] it's very important for webmasters to get it right when it comes to an exposure management strategy for SMBs.
“But the challenge with current online models is that they struggle to respond to SMB exposure accurately and flawlessly. And we sympathize with them because of the lack of reliable data about things like technology dependencies and security postures within these small companies.”
Understanding the differences seen within SMBs
Expanding on the differences seen in SMBs when it comes to their security posture, Yoshi Yamamoto, report author and director of cyber risk modeling at At-Bay, noted the struggle across the SMB market, which makes up the bulk of the At-Bay portfolio. The firm has been working for more than two years to better understand what is missing in terms of detail and to help push the boundaries of cyber risk modeling.
In terms of the disparity of cyber risk, SMB is the “most unusual” part of the market, he said, not least because SMBs face the most attacks. This is led by the emergence of cyber incidents. Where data breaches were previously the choice of criminals, because they could obtain the information of large companies with a lot of good data, the rise of cryptocurrency and the anonymity of financial transactions has led to ransomware becoming the cyber weapon of choice.
Then, on the security side of the equation, SMB companies often don't have the budget and security resources to maintain a healthy security posture while under attack. From the market perspective of cybersecurity providers, the SMB segment is not an attractive proposition because these companies don't have the budget to invest much. All of this means that SMB companies don't have enough choices to put in place the right cybersecurity controls to keep themselves safe.
The power of internet insurance revealed
This makes the SMB segment more vulnerable. “Where the imbalance in the SMB segment comes in is that even though the SMB segment is, in general, less secure, those companies that have cyber insurance are generally more secure than others,” he said. “Because, typically, cyber insurance providers require certain cybersecurity components before they write a risk. Therefore, their exposure is much better than the general public.
“And some of these insurance companies provide security assistance to the insured companies, which also makes them more secure. The difference is that SMB companies are generally less secure, but some companies are more secure than others. And this discrepancy is very important to deal with the cyber cat models, in addition to the knowledge of the current models of the sellers.”
Fung added that even among SMBs with limited cyber security budgets, if they have effective security procedures and security controls in place – including firewalls with appropriate settings, endpoint detection and response (EDR), multi-factor authentication (MFA) – this can be more effective in protecting SMBs from cyber risk. “That means that being able to clearly demonstrate that the difference in security posture is important for any insurance company's SMB strategy. That is what we want to emphasize with our paper and how we propose a way of looking at making the results of the Internet model more meaningful, better designed for SMBs.”
Suggesting a way to close the exposure gap
Digging into that solution, Fung noted that the main point from Guy Carpenter's point of view is that the proposed method leads to a very reasonable impact: a 17% reduction in modeled cat losses in the tail return period. That metric is one of the most important that insurance companies measure when setting their cyber risk tolerance level.
Being able to analyze that in more detail if you want to grow your SMB portfolio is important, he said. “The proposed 17% reduction means that, if we don't address SMB exposure properly, then the tail loss could be excessive, and that could lead to biased and potentially misleading conclusions about the distribution of funds online.”
Yamamoto noted that in the joint paper, the teams modeled many additional aspects of SMB security posture and control as outlined by Fung above. He said those parts are important in finding the source, because they are on the company's network. As a result, it is not easy to get information from external sources to get a better idea of the risk from a modeling point of view. Using its connections with the insured, At-Bay was able to obtain this data and add it on top of existing online cat models.
“Basically, we model the behavior of EDR and MFA, in addition to issuing a cyber cat model, and adjust the risk accordingly to match the risk level of the event,” he said. “The 17% reduction is very important to us. With or without that component, our strategy can change to have that component, and being able to properly assess cybersecurity risks is very important for insurance companies.”