
Curating Cybersecurity

The future of customized risk assessment and insurance plans.

Good drivers hate knowing their insurance rates are based on the habits of bad drivers. Car insurance rates depend on countless factors, many of which are outside of a person's control - like the rate of accidents in their city. It comes down to statistics, which help insurance companies estimate the likelihood that they will pay for accidents. In areas with many accidents, even drivers with perfect records pay high premiums.

Likewise, companies don’t want to pay for other companies’ security mistakes. As the rate of cyber breaches skyrockets, so does the cost of bailouts for insurance providers. In turn, the costs of premiums for companies rise, regardless of how safe their security protocols may be. This realization is quickly hitting cyber insurance companies, as security breaches continue to increase across virtual platforms.

By 2023, half of all data breaches globally are predicted to occur in the United States. They cost companies an average of $3 - 4 million, in addition to lost time, resources, and reputation.[1] To prevent these breaches, companies need to look to third-party monitoring systems, which will soon work in tandem with cyber insurance to manage cyber risk.

The basis of cyber insurance relies on the transfer of financial risk associated with network and computer incidents to a third party.[2] Its retail price, however, is rooted primarily in market trends, as well as the type and volume of data a company uses. Individual company security practices still play a minimal role in determining the price they pay for cyber insurance.  

Not only do companies work with different kinds of data, but they also implement vastly different security protocols. A company dealing with millions of credit card numbers has a different vulnerability level than a company dealing with thousands of email addresses. And yet, two companies that both manage credit card data with different security protocols have drastically different risks. The latter consideration is not part of standard insurance provider rate considerations but will become more important for determining insurance risk and rates moving forward.

As companies shift to remote or hybrid models of work, cyber insurance is more important than ever. Cyber insurance offers benefits like covering liability issues, digital property loss and theft, loss of income, data damage and loss, and more. But these policies are relatively new to our digital age with untested products and pricing that can appear arbitrary and experimental. This inconsistency reflects the factors that are currently used to set prices, like the volume and average cost of breaches, both of which continue to climb.

With the price of cyber insurance rising across all industries, the future of cyber insurance lies in curating and customizing insurance plans based on individual risk assessments.

Concord is an example of a third-party company that is fostering the future of cyber security by offering customized risk assessment, reduction, response, and system monitoring solutions. By partnering with a third-party security provider, companies can not only reduce their future insurance premiums but also drastically decrease the likelihood of a breach occurring at all.

Companies dealing with big data, or any data for that matter, should know that a real breach is worse than the high rate of insurance. Security breaches cost copious amounts of time and money. Businesses wanting to utilize cyber insurance as a risk management strategy need to understand the risks they are facing. Cyber insurance is only one factor in managing overall risk, and it comes into play when the worst has already happened.

Without a third-party risk assessment that is dynamic and ongoing, changes to a company’s level of security risk are undetectable. By using monitoring assessments, threats can be identified and addressed before a serious breach occurs.

In addition to preventing breaches from happening in the first place, monitoring and response systems are the most apt methods of reducing the cost of a security breach. Without an alert, it's difficult to know when there has been a security breach.[3] On average, breaches take a total of 280 days to identify and contain.[4] If, however, a breach is identified and contained in less than 200 days, it costs companies an average of $1.1 million less. Having a system that alerts companies when there is a risk of breach, and again when a breach has occurred, effectively reduces the severity of the breach itself.

Insurance providers recognize how companies who utilize these proactive security services have a dramatically reduced risk of experiencing security breaches. Providers are even beginning to partner with third-party monitoring companies to offer reduced rates for those who use the services, solidifying the reality that the insurance industry is moving towards customized plans based on individual risk.

While cyber insurance is an important part of any company’s risk management, it does not provide true security. To reduce the likelihood and severity of costly security breaches, companies need to utilize dynamic monitoring systems that assess risk levels on an ongoing basis and alert the company if threats arise or if there has been a breach. These proactive measures work to decrease the occurrence and the disastrous effects of security breaches with the added benefit of potentially reducing cyber insurance premiums.
