First and foremost, we are looking forward to seeing everyone in Tampa at this year’s Risk Management Conference (4/4 – 4/5)! Second, given cyber is and will continue to be a hot topic, we thought this month’s article in the PEO Insider on Cyber Hygiene was apropos. If interested while at the conference, we would love to discuss with you what we see from a cyber perspective (trends, products, etc.).
GOT CYBER HYGIENE? HOW CYBER INSURERS USE CYBER SCORING TO UNDERSTAND RISKS
PEO RISK: CYBERSECURITY
BY PAUL HUGHES
While there is not an exact definition of cyber hygiene, I summarize it as a set of formal and habitual practices that ensure the safe handling of critical data and securing networks. Cyber hygiene must be institutionalized, as any weak link can cause issues to all on a given network or distribution. It is a communal exposure that needs to be addressed in a communal manner.
“Did you brush your teeth?” A simple yet very important question for parents teaching personal hygiene to their children. While we do not anticipate needing to smell our children’s breath to confirm, we also do not expect the equivalent in a business transaction. Unfortunately, that is exactly what is happening in the world of cyber insurance underwriting. In past years, PEOs completed long applications showing their cyber-protection postures. Now, without anyone’s knowledge, consent, or often understanding of the model used, these questions are being answered by underwriters, not through the application process.
Cyber scoring models available in the market can see your system from the outside, without your approval—the good, bad, and the ugly. See Figure 1, for example. Identifying and correcting the issues that underwriters will identify before they see them helps facilitate a stable and predictable cyber insurance application or renewal. The reality is that many underwriters and brokers do not know what these issues mean, and therefore are somewhat powerless to discuss the magnitude of them. Without Google, I would not know what “Diffie-Hellman1” meant, never mind how to guide a client to solve the issue. Each and every server and “touch” a PEO has with the Internet is analyzed. Some specific areas of concern are:
- Sender Policy Framework (SPF);
- DomainKeys Identified Mail (DKIM);
- Secure Sockets Layer (SSL) certificates;
- SSL configurations;
- Open ports;
- Web application headers;
- Patching cadence;
- Insecure systems; and
- Server software.
Through proprietary algorithms built by the various cyber scoring companies, in this case BitSight, as shown in Figure 2, a weekly cyber security score is calculated. Being a member of the service allows you to receive a current score to make sure you have appropriate cyber hygiene, and if not, where you need to focus and why. Additionally, if a client or vendor has you set up as someone to track within their “cyber scoring ecosystem,” an updated score with an alert goes out to that interested party. While there are many other cyber security models that are live or in the development stages, the lead cyber software platform vendors that supply the services above to the insurance industry are BitSight, Security Scorecard, and CyberCube. Each has its own unique value proposition, but each plays a role in understanding the security concerns associated with a targeted cyber risk. BitSight and Security Scorecard tend to be more focused on the scoring element for underwriters, and CyberCube brings into play the limit needed based on potential breach amounts for the brokers. I think all would argue the science behind these models is the latest and greatest, but that in itself is very fluid based on lack of historical data at present, never mind where the world brings us going forward. This could apply to any business, from IBM to your smallest client company, each with its unique cyber hygiene grade very comparable to a credit risk score.
These ratings are compared to similar companies in the same North American Industry Classification System (NAICS) category. Figure 3 shows a school’s security ratings. Unfortunately, the NAICS for a PEO is not as clear-cut and therefore encompasses other employment-related models that are very unlike PEO, such as talent and placement agencies. The issue of a PEO not having its own NAICS code confuses the true exposure of a PEO here, like in other places, knowing PEOs have different relationships as employers than placement or temporary staffing services would have. That said, the important part of this is to show week-over-week scores to identify any dips that need to be addressed and to keep improving those areas that would further better cyber hygiene/scoring regardless of the peer class being compared to.
WHAT RECORDS DO THE MODELS WORRY ABOUT?
In short, all of them. While there is notable focus on those records that contain personally identifiable information, the models evaluate cyber hygiene holistically.
Within each of the ratings/scorings given, the causes of the scores are detailed. If you do not do something and state you do on an insurance application, insurance underwriters will find out quickly and accurately without your knowledge. Championing this process prior to renewal is all important so any potential exposures are addressed prior to an underwriter’s review. Applicant exposure, vulnerability assessment, and cyber hygiene verification are today’s world. The scoring provided by the models being used is paramount to the documentation of insurability and price in the cyber underwriting file.
CYBER DEFENSE
These are five facts that should help lead our cyber defense, for ourselves, our businesses, and society:
- The COVID-powered shift to remote work had a direct impact on the costs of data breaches. The average cost of a data breach was U.S. $1.07 million higher when remote work was a factor in causing the breach.2
- Social engineering attacks are the gravest threat to public administration, accounting for 69 percent of all public administration breaches analyzed by Verizon in 2021.3
- The most common cause of data breaches was pilfered user credentials. As a commonly used attack vector, these were responsible for 20 percent of breaches, with these breaches costing on average U.S. $4.37 million.4
- Cryptocurrency has been the preferred payment method for cybercriminals for a while now, especially when it comes to ransomware. As much as U.S. $5.2 billion worth of outgoing Bitcoin transactions may be tied to ransomware payouts involving the top 10 most common ransomware variants.5
- There has been a significant increase in overall costs of remedying ransomware attacks. While in 2020 the cost was U.S. $761,106, in 2021 the overall cost of remediating a ransomware attack skyrocketed to U.S. $1.85 million.6
ARE THESE CYBER RATINGS A BIG DEAL?
Yes. How cyber insurance is currently being priced will affect business financial credit ratings going forward. In September of 2021, Moody’s invested $250 million in BitSight, an independently owned cyber security modelling company. BitSight is Moody’s foundational partner to integrate credit and cyber scoring by industry class (as seen in Figure 4) and clientele. As with most graphics of this type, big (volume) and red (severity) = exposure.
Security Scorecard also provides an excellent model, great advice, and detailed information. The company’s website provides a wonderful exhibit on cyber security metrics to keep an eye on to ensure cyber hygiene for your partners and vendors.7 Their hygiene directly impacts yours, and collaborative monitoring of cyber-hygiene within given business ecosystems is already happening—and needs to be more prevalent in both the PEO and insurance industries.
CONCLUSION
Due to the exponential growth in cybercrime, coupled with the pandemic not allowing much face-to-face interaction between underwriters and insureds, business is not being underwritten and placed on a handshake, but instead based on rigid cyber scoring algorithms providing scorings, outputs, and results that directly impact insurability, deductibles, and pricing. Once the application is submitted by the broker, the cyber scoring model of the carrier and/or reinsurer taking the risk goes into action. This end score directly impacts if insurance is available and at what price. We are in the most uncertain of times in a new and fairly unknown line of insurance when the level of education of those involved is not at the level anyone would like, if for no other reason than it is a whole different language against an ever-changing landscape. Make sure you evaluate your cyber exposure before those that offer you insurance do it for you. Your investment in preparation will pay off in reduced premiums.
PAUL HUGHES
CEO
Libertate Insurance LLC
Orlando, Florida
References:
- Diffie-Hellman is a key exchange algorithm used for securely exchanging cryptographic keys over a public communications channel.
- IBM Cost of a Data Breach Report 2021, www.ibm.com/security/data-breach.
- Verizon 2021 Data Breach Investigations Report, www.verizon.com/business/resources/reports/dbir.
- IBM Cost of a Data Breach Report 2021.
- FinCEN Report on Ransomware Trends in Bank Secrecy Act Data,www.fincen.gov/news/news-releases/fincen-issues-report-ransomware-trends-bank-secrecy-act-data.
- ENISA Threat Landscape 2021,www.enisa.europa.eu/publications/enisa-threat-landscape-2021.
- https://securityscorecard.com/blog/9-cybersecurity-metrics-kpis-to-track.
Join the Conversation on Linkedin | About PEO Compass
Contact Professional Employer Organization (PEO) Expert, Paul Hughes
Paul Hughes has been working with the Professional Employer Organization (“PEO”) industry since 1995 and data management since 2005. He is responsible for the day to day operations of both Libertate Insurance Services, LLC and RiskMD, which reports into the overall Ballator Insurance Group family of companies. Learn more about Paul.
Specializing in PEO Services: Workers Compensation, Mergers & Acquisitions, Data Management, Insurance Focus on: Employment Practices Liability (EPLI), Cyber Liability, Health Insurance, Occupational Accident, Business Insurance, Client Company, Casualty, and Disability Insurance.
