Cyber insurance start-up outlines its “hacker’s point of view” when assessing risk

Cyber insurance start-up outlines its “hacker’s point of view” when assessing risk | Insurance Business America

Cyber insurance start-up outlines its “hacker’s point of view” when assessing risk
A new Silicon Valley-based cyber insurance start-up is looking to shake things up by taking a different view of cyber underwriting.

Adult infidelity website Ashley Madison has just been made to pay $11.2 million to settle litigation over the theft and release of 37 million of its customers’ data. Last month, Anthem insurance settled its data breach suit for $115 million.

Celebrate excellence in insurance. Nominate a worthy colleague for the Insurance Business Awards.

Cyberjack, which launched in “stealth mode” a year ago and will become public-facing in the coming months, have a fresh take on cyber underwriting, especially when it comes to assessing the value of data a company holds.

“What I think underwriters do pretty well is understand the actual exposure,” Cyberjack founder and CEO Rotem Iram said. “They do a pretty good job of assessing the exposure and costs of individual records of different kinds.

“We felt that by building a new insurance company that is essentially built with the DNA of cyber security experts, but leverages the position in the stack of an insurance company, we would be best positioned to solve this issue – better positioned than insurance companies because we have cyber security DNA and better positioned than tech companies because we are taking full ownership over risk.”

Iram has come to insurance from a cyber security background in Israel. Current cyber insurance in the market today does not always delve deep enough into a company before providing coverage, Iram said.

 “Where there is still a pretty significant gap is in assessing the probability of an attack,” he said. “Underwriters are using pretty much kind of standard, generic security best practices that apply to data privacy, whereas we take a much more granular view for every single attack vector that could be relevant. We actually want to know how you store your information, how you keep it secure, who can access it, how they access it.

And delving deep can help with writing the risk.

If stolen data could be perceived as creating “additional harm” to an individual – such as in the Ashley Madison case, where the data included names and information about cheating spouses – that can actually lead to higher payouts. Courts and regulators can potentially take harsher stances against insureds in such cases.

“To us, taking the viewpoint of an underwriter or risk manager, it’s important to assess not only the existence of the [company’s] records, but also the level of their sensitivity, and use that to try and assess the additional exposure,” Iram said.