As the cyber insurance market continues to evolve, cyber attacks make headlines on a daily basis. We spoke with Rotem Iram, co-founder and CEO of At-Bay, to discuss ongoing trends in the cyber insurance market.
Our new report explores the dynamic nature of cyber risk, which is quite different from traditional insurance risks. With cyber, an insured business can have excellent security controls in place yet still go from being secure to fully exposed at a moment’s notice. That volatility is at the heart of the cyber insurance industry’s battle against ransomware.
Overcoming ransomware is really about identifying new vulnerabilities as they emerge and swiftly mitigating those risks before an attacker can exploit them. At-Bay accomplishes this through active risk monitoring, which is a combination of frequent security scans to detect vulnerable businesses in our portfolio and an in-house team of security experts who help businesses and their brokers resolve the issues. Through active risk monitoring, we have seen a dramatic reduction in ransomware in At-Bay’s portfolio, achieving a ransomware claims frequency that is seven times lower than the industry average.
Active risk monitoring allows us to detect hundreds of potential vulnerabilities, though we place a lot of emphasis on open remote desktop protocol (RDP) ports and vulnerable software running on publicly facing devices. These two security issues are among the most common attack vectors, and, together, they account for 65% of all ransomware attacks.
Some insurance carriers depend on a one-time scan at the time of underwriting to assess cyber risk, but we have discovered that an overwhelming majority of security issues arise after a policy binds. Take RDP, for example: Through our active risk monitoring, At-Bay has learned that one-time scans miss 80% of the RDP vulnerabilities that emerge during a policy—and the only way to identify and mitigate that type of risk is with frequent security scans.
Similarly, when a new software vulnerability is publicly disclosed, attackers work quickly to exploit it before a business can patch the software. Research shows that, on average, 80% of businesses will remediate the issue within five months, which gives attackers a large window of opportunity to find and attack them. However, we have shown that, with active risk monitoring, 80% of At-Bay’s insureds remediate software vulnerabilities in just one month. That’s the power of active risk monitoring: frequent scans and an in-house team to support our insureds actually expedite software patching by 5x, reducing the window of opportunity for an attacker and preventing claims.
We are seeing a dramatic increase in pricing and, at the same time, a dramatic depletion of coverage and limits. While ransomware has undeniably increased in both frequency and severity, I believe it only accounts for a portion of the increase in prices. The rest, in my view, is self-inflicted volatility.
The insurance industry takes too long to learn how cyber risk has changed, then overreacts to those changes to compensate for both the delay and accumulated losses, as well as its own lack of confidence in understanding the risk. One of the added benefits of our active risk monitoring is that it also serves as a feedback loop that provides us with immediate security insights. Those insights allow us to be nimble and make better underwriting decisions, which is why At-Bay has achieved such strong results in overcoming ransomware.