How Our Responsive Policy Drove a 20x Increase in Coverage

Cybersecurity is a highly technical subject, but traditional insurance policies are often disconnected from the cybersecurity standards they rely on. Underwriting decisions are made based on the status quo and benchmarked requirements which fail to consider an organization’s unique value-at-risk. This has led traditional policies to leave value on the table by failing to align with individual companies’ risks.

At Resilience, our approach is different. We help our clients manage their cyber risk from both a technical and financial perspective through our responsive policies linked to a quantified cyber action plan.

When a client in the finance industry came to Resilience, they had a small IT team who managed their organization’s cybersecurity and several other tasks. Only about 20% of their time was allocated to managing their cyber risk. This left gaps in their security infrastructure, which were noted by Resilience underwriters when offering a policy. Our insurance team could only offer them $250K in ransomware coverage with high sub-limits due to their risk posture at that time.

The client felt that stronger ransomware coverage would be pivotal to their success. They purchased the Resilience Solution in order to evolve their coverage by making targeted improvements to their cyber hygiene. This process would require ongoing engagement across our security team and theirs to strengthen their cyber risk maturity to obtain improved coverage, limits, and retention at midterm.

This approach entails three fundamental steps:

  • Collaborating across your organization – Connecting silos between your CFO, CISO, and Risk Manager.
  • Risk Quantification – Calculating your value at risk and prioritizing security controls based on their return on investment.
  • Strategy Implementation – Aligning your cyber hygiene strategy and budget to reduce risk and obtain improved coverage.

These steps allowed Resilience security experts to establish a strong security infrastructure for the client that would ultimately help them qualify for higher ransomware coverage and reduced sub-limits while quantifying the return on investment (ROI) of their security tools.

Collaborating to Build a Strategy

Currently, the cyber risk management process is done in silos. Risk Managers are feeling overwhelmed by the complexity of cyber. CISOs are struggling to deliver their team’s shared decisions and convey what they need in financial terms. And CFOs are in the middle, finalizing decisions from both teams for their organization’s budget. Traditionally, these individuals operate independently. They speak different organizational languages, which muddles communication around creating strategy and working toward a common goal. These leaders need a common risk language – this language is dollars and cents.

Resilience’s client was feeling this divide – and it was impacting their ability to create a financially sound risk management strategy. Their small IT team felt isolated from decisions that were made surrounding risk transfer and struggled to communicate their unique challenges to the CFO in a way that would yield results. When the client enlisted Resilience’s solution, our security team held monthly meetings with the organization’s leadership, which included their IT team and CFO. Resilience’s security team collected and translated security data into actionable threat insights aligned to financial exposures. This helped the client decide whether to accept, mitigate, or transfer these risks.

Risk Quantification

To understand what you need to protect, you need to know what you stand to lose. Your value-at-risk represents this amount. Calculating your value-at-risk means translating technical risk into dollars and cents through risk quantification. This requires a strong grasp of the correct method and object of measurement. Doing this correctly means uncovering your organization’s most expensive risks and determining where you can place capital most effectively to manage this risk.

To help our client find the right object of measurement, Resilience’s risk quantification experts used data modeling to analyze their level of risk against a variety of scenarios and their corresponding likelihood of occurrence. Data modeling entails compiling data points from various sources to paint a picture of your organization’s unique risk. Resilience security experts compared the client’s risk to other organizations in their industry that were of a similar size. This allowed us to quantify their risk and translate that cyber risk into financial data.

From there, the client determined their value-at-risk was not adequately transferred by their $250K ransomware coverage. When it was mathematically determined that the client’s coverage was not sufficient to transfer their level of risk, they needed to supplement this by deciding what risk to accept and what to mitigate.

Strategy Implementation through the Resilience Solution

Due to the nature of their industry, Resilience’s client was at the highest risk of a ransomware incident. This meant our security experts would need to leverage a targeted cyber hygiene improvement plan that would alleviate their risk against ransomware and ultimately allow them to qualify for better ransomware coverage.

Together with Resilience’s security team, the client was able to align our cyber hygiene recommendations with their roadmap for improving their maturity against ransomware threats. After closing several known gaps in their security plan and monitoring progress in addressing critical vulnerabilities and exposures, Resilience also set up ongoing meetings with the client’s IT team to help address any future issues.

When our underwriting team reviewed their file again at renewal, this client received a full $5M in ransomware coverage. As a result of our risk quantification modeling and internal visibility provided through our State of Your Risk Report, our security team successfully demonstrated to our insurance team that this client should reclaim 20X the value in coverage that they received initially. This is the goal of the Resilience Solution: understanding the value of what you have to lose and how to ensure you are not leaving value on the table.

Brian Bochner

VP of Marketing at Resilience | NYU Stern MBA

1 year

great stuff. awesome to see dollar impact
