AXA Partners With SecurityScorecard to Set Cyber Insurance Premiums
7.6.18 securityweek Cyber

AXA Will Use Ratings From SecurityScorecard to Help Set Premiums for Insurance Agreements

Cyber insurance is a problem. It is a new industry with huge potential but great difficulties. Getting premiums right is an example -- the cyber insurer needs to fully understand the financial risk it incurs in able to set premiums high enough to cover the risk and still make a profit, but low enough not to kill the market.

Steve Durbin, managing director of the Information Security Forum, describes the problem. "We have already seen that the financial impact of some information security risks is being transferred through cyber insurance," he told SecurityWeek.

"However, moving forward, I anticipate that several large data breaches will expose aggregated risks and cause insurers to suffer significant financial losses. As a result of this mispricing debacle, several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organizations, and the market will contract and take several years to recover."

Quite simply, data breaches are happening with increasing frequency (another 92 million passwords exposed by MyHeritage this week). At the same time, the cost of recovery continues to escalate rapidly, and the quantity and severity of cyber regulations, such as GDPR, is expanding.

The insurance industry traditionally relies on actuarial tables -- effectively a database of experience -- to set its premiums. While insurance companies are currently busy compiling such data on historical breaches, they have nothing like the depth of, for example, motor insurance actuarial tables.

"Currently, most policy premiums are based on self-assessments," comments Greg Reber, CEO at consulting firm AsTech. This leads to its own problems. False assessments, even unintentional errors, could lead to reduced payouts in extremis. It is a strange irony that the best premiums will only be obtainable by the organizations that least need to transfer their risk to the insurance industry. At the same time, any companies that seek to rely on insurance alone to handle their risk are likely to come unstuck.

SecurityScorecard and AXA (the world's largest insurance company) believe they have found a solution to the premium problem. SecurityScorecard is a firm that rates the cybersecurity posture of web-enabled firms. It does not wait to be asked -- and the result is a growing database of independent security ratings on the world's web-enabled businesses. Currently, it continuously monitors more than 200,000 businesses and gives them a security score from A to F. Empirical evidence suggests it works: "Companies that rate as a D or F are 5.4 times more likely to be breached than companies that rate as an A or a B," claims the company.

AXA has now entered an agreement with SecurityScorecard to have access to these ratings, and will use them to help set the premium for its insurance agreements. "The SecurityScorecard platform," explains Scott Sayce, global chief underwriting officer of cyber at AXA, "will help us rapidly evaluate companies to understand their cyberhealth and provide our underwriters with crucial information needed to evaluate an insured's risk.

"AXA and SecurityScorecard are pioneering the cyber insurance industry, adds Aleksandr Yampolskiy, CEO and co-founder at SecurityScorecard. This partnership demonstrates the value of the SecurityScorecard platform and the trust top business leaders have in our score. Our vision is to create a ubiquitous language for cybersecurity that facilitates collaboration and communication between business partners.

Rather than relying on subjective, manual self-assessments from the customer, "They're going to be using the objective, automated, security metrics that we provide to make their insurance decisions," Yampolskiy told SecurityWeek. "They will feed that data into their algorithms and then decide, do I increase the premium because the customer's security posture looks risky, do I lower the premium, or maybe in some cases do I just flat out refuse to provide the cyber insurance?"

Our data, he continued, provides "objective measurements to create the scientific basis for making those insurance decisions. AXA plans to start underwriting thousands and thousands of European businesses." It is the small to medium sized business that most needs cyber insurance. "If you're an Equifax or a Target and you get hacked," continued Yampolskiy, "you might survive. But if you're a small company, you will not. So, AXA is planning to start using our technology to start making those cyber insurance policies that apply to thousands of those businesses," The advantage for those small businesses is they will be able to realistically set premiums, but will also learn their SecurityScorecard rating. "And that provides a lot of reciprocal benefit," he added.

Will this relationship be enough to kickstart a serious cyber insurance industry? It will probably happen anyway, but it may take time if left to its own devices. SecurityWeek asked Yampolskiy if cyber insurance might join the ranks of other insurances that are required by law.

"My belief is, yes," said Yampolskiy, "at some point in the future. We've reached the point where all companies are part of a larger interconnected ecosystem." He raised the example of Target, a large company breached through a small member of its supply chain. Target lost millions of dollars because of a smaller company, that would not of its own resources be able to provide recompense. "It's hard to predict the future," he said, "but I can see a time when all companies are required to have cyber insurance."

By providing a scientific basis for the insurance industry to use for premium-setting, Yampolskiy believes SecurityScorecard and AXA are moving the market toward the time when cyber insurance is not merely standard, but possibly required.

SecurityScorecard is based in New York. It was founded in 2013, and raised $12.5 in Series A funding led by Sequoia Capital in 2015; $20 million Series B in 2016; and $27.5 million Series C in 2017. Its stated mission is "to empower every organization with collaborative security intelligence."