Treating cyber threats like credit scores after Yahoo revelations

Pricing specific risks can be challenging in this new area, but a potential solution has been developed

By Will Koblensky

Revelations that Yahoo was in fact hacked by Russian FSB agents are shaping the world’s understanding of what cyber risk and its prevention look like.

One method that is shaping understanding is the FICO Enterprise Security Score, a three-digit predictive evaluation of the likelihood a company will get hacked.

“Much like a credit score is a prediction of a future credit default, the FICO Enterprise Security Score is a prediction of a breach event or other debilitating cybersecurity event,” Douglas Clare, FICO’s VP of Security Solutions, said, adding that the cyber security score also mirrors credit scores in ranging from 850 to 300.

“Yahoo, for example, would be able to see all the granular level info we were able to collect that would be indicative of risk on their part. They would be able to use that in their remediation plans (if they used the FICO Score).”

Clare said cyber risk and its pricing are somewhat in the eye of the beholder and don’t follow hard and fast actuarial standards, making flexibility on pricing specific risks more challenging.

“As the breach and cyber security market matures, there’s going to be a need for the carriers to have more variability in their pricing model and they’re going to need to figure out how to do risk-based pricing in these lines like they do with their other lines,” Clare said.

“Today it’s resource intensive and quite subjective. I would say this has not been reduced to actuarial tables in the world of insurance. It’s still very subjective and judgemental, with respect to how organizations are evaluated in terms of a cyber security risk perspective. We’re working to bring more empirical tools to the table.”

Monitoring cyber risks as they change throughout the year is another data source that carriers need in the space but are largely unable to get, Clare said.

“There’s a big problem that breach insurers have where they show up at underwriting time, they ask questions, they look under the floor boards, they write the policy and they have no view of risk for 12 months until renewal time,” Clare said.

“They can’t tell how risk among their insureds is evolving, they can’t ascertain pending problems and that’s a problem they’d like to solve - they would like to have an ongoing visibility particularly at a portfolio level.”

Major insurers employ the score for evaluating potential vendors, current ones and themselves to discover cyber weaknesses in their network.

“One use is for self-assessment, for you to have an independent view of your own security, whether you’re a chief information security officer or an interested board member - having a view of your organization’s own risk is important,” Clare said.

“Another is vendor management, understanding risks in your supply chain, whether this is existing vendors or you’re contemplating a new vendor: you’re vetting a vendor for a potential contract.”

