Industry leaders come together to propose a solution.
Exploring the current limitations in cyber CAT modeling of the SMB segment, the report found that small and medium businesses (SMBs) now represent 45% of cyber market exposure, up 45% from five years ago. is It also highlighted that SMBs’ growing share of the cyber insurance market requires accurate quantification of their overall capacity for effective capacity deployment and risk management.
Understanding SMBs’ Cyber Aggregation Vulnerability
Discussing the research, report author Jess Fung (pictured left), MD and North American Cyber Analytics Lead at Guy Carpenter, highlighted the observed limitations of current cybercat models, particularly those gathered in SMBs. Regarding accurate risk assessment. He said it’s the industry’s role to find a way to address this emerging limitation, while cybercat modeling vendors continue to look for better ways to improve their models.
“We must recognize the tremendous value that these cybercat models are providing to the insurance industry to help them understand their exposure pool, and help them determine how much risk they are willing to bear and what they are willing to bear.” But how much do you want to invest,” he said. “As we know, SMB is a huge area of potential growth for companies looking to enter this emerging threat space. [That’s why] It is very important for cyber writers to get it right when it comes to exposure management strategy for SMBs.
“But the challenge with current cyber models is that they struggle to account for SMB exposure in an accurate and granular way. Sympathize with them because of the lack of reliable data.”
Understanding the disparity seen within SMBs
Exacerbating the disparity seen within SMBs when it comes to their security postures, Yoshi Yamamoto (pictured right), report author and Director of Cyber Risk Modeling at At-Bay, noted the struggle in the SMB market, which Forms the stem of At-. Bay’s portfolio. The firm has been working for more than two years now to gain a better understanding of what is missing in terms of granular detail and help push the boundaries of cyber risk modeling.
In terms of cyber risk disparity, SMB is a “very odd” segment of the market, he said, not least because SMBs are so vulnerable to attack. It is led by the evolution of cyber incidents. Where earlier, data breach was the choice of criminals because they could steal information from large companies with lots of good data, the rise of cryptocurrency and the anonymity of financial transactions has made ransomware the cyber weapon of choice. .
Then on the defensive side of the equation, SMB companies often don’t have the budget and security resources to maintain a healthy security posture during an attack. Looking at the market landscape from cyber security, the SMB segment is not an attractive proposition as they do not have the budget to invest heavily. All of this means that SMB companies don’t have enough choices to put in place the right cybersecurity controls to protect themselves.
Revealing the power of cyber insurance
This makes the SMB segment vulnerable. “Where the disparity comes in the SMB segment is that the SMB segment, in general, is less secure, companies that have cyber insurance are generally much more secure than others,” he said. “Because, in general, cyber insurance providers need some cybersecurity components before the risk. Therefore, their exposure is much better than the general population.
“Also, some of these insurance companies are providing security services to the insured companies, which again makes them more secure. The difference is that SMB companies are generally less secure, but certain companies are much more secure than others.” are more secure. And on top of the knowledge of existing vendor models, this disparity in Cybercat models is significant.”
SMBs with limited cybersecurity budgets are also included, Fung said, if they have effective defense mechanisms and security controls in place — including firewalls with the right settings, endpoint detection and response (EDR), multi-factor authentication, and more. (MFA) – These can be. Very effective in protecting SMB from cyber risk. “This means that any insurance company’s SMB strategy needs to be able to accurately reflect the security currency disparity. This is what we want to emphasize with our paper and then we use the results of the cyber model. How do you suggest ways to make it more meaningful, more relevant to SMBs?
Suggesting mechanisms to close the exposure gap
Digging into this solution, Fung noted that the headline from Guy Carpenter’s point of view is that his proposed method makes a lot of sense in terms of a 17% reduction in modeled cat losses over the tail return period. It has a positive effect. This metric is most important when insurance companies are trying to measure when determining the level of risk tolerance around cyber.
That said, it’s important to be able to assess this with more granular detail when looking to grow your SMB portfolio. “The 17% reduction with the proposed methodology means that, if we don’t properly account for SMB exposure, the tail loss could be overstated, and this could lead to a loss of capital around cyber. would lead to biased and potentially misleading results about deployment.”
Yamamoto noted that in the joint paper, the teams modeled many additional components of SMB’s security posture and control as described by Fung above. Those components were important to source, he said, because they are in the company’s network. As a result, it is not easy to extract information from external scans to get a better view of risk from a modeling perspective. Using its relationship with insurers, At-Bay was able to capture this data and add it on top of existing cybercat models.
“Essentially, we’re modeling the behavior of EDR and MFA, on top of the cybercat modeling output, and changing the risk appropriately to accommodate the risk level of the event,” he said. said “That 17 percent reduction is very important to us. With or without this component, our strategy could change so having this component, and then being able to accurately assess the cyber security risk, is important to insurance companies. It is very important.
Related stories
Stay up to date with the latest news and events
Join our mailing list, it’s free!
