Prevention or mitigation of a cyber event begins with an organization recognizing its unique vulnerabilities and how to address them through cyber risk management. An increasing number of cyber underwriters are utilizing security scans during the application process to identify these weaknesses. The results are often used to make underwriting decisions, and clients are typically required to favorably address issues prior to binding coverage.
These scans examine external-facing items, such as websites and networks connected to the public internet. Some may also search the Dark Web (the unindexed part of the internet where cyber criminals tend to operate) for evidence an organization’s confidential data has been compromised. Cursory security scans may report weaknesses hackers might exploit, but these scans are not a substitute for more robust internal security assessments by the organization itself. Fortunately, these security scans are evolving in sophistication and scale, increasing value for insureds and the underwriters evaluating them.
Benefits offered by security scans include:
Raising awareness of specific cyber risks.
Scans can open the eyes of business owners to cyber vulnerabilities, particularly for smaller organizations with limited information technology resources. For example, knowing web or email encryption is weak or missing can enable business owners to take corrective action or allocate budget dollars to obtain more comprehensive third-party risk assessments.
Identifying critical external-facing vulnerabilities.
Pinpointing open Remote Desktop Protocol (RDP) ports, which cyber criminals frequently use to break into an organization’s network, can be helpful in addressing weaknesses. RDP is commonly used to grant remote access to employees, but an RDP port exposed to the internet is vulnerable to attack.[1] Another example is security for website domains. The domain name system (DNS) functions like a phonebook for the global internet, enabling users to connect to Internet Protocol (IP) addresses by typing in a website name. Because DNS was not designed with its own security, cyber criminals frequently use it to stage attacks. Additional DNS-level security measures are needed to prevent malware, ransomware and other forms of attack from proceeding at a given IP address.[2] Scans frequently result in requests by underwriters for the implementation of a secure email gateway, which stops malicious email content from reaching intended recipients. This is important because 96% of organizations in one recent report were targeted by email-related phishing attempts.[4]
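The two external-facing findings described above, an internet-reachable RDP port and weak security on the organization’s own domain, are also the easiest for an organization to check on itself before an underwriter’s scan does. The Python script below is an added example, not code from the article or from any insurer’s scanning tool. It goes slightly beyond the article’s wording: where the article speaks of DNS-level and email security generally, the script evaluates the SPF and DMARC TXT records that receiving mail systems use to reject mail spoofing a domain, because those are the DNS records such scans commonly report. The findings record, the domain `example.com`, the port list and the severity labels are all constructed for the example.

```python
"""Evaluate external-facing findings of the kind an underwriter's scan reports.

Added example: the input is a findings record gathered from outside the
network (reachable TCP ports plus the TXT records published for the domain
and for _dmarc.<domain>); the output is the list of issues to fix first.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Remote-access and file-sharing ports that scans flag when reachable from
# the internet. Constructed list; RDP (3389) is the one the article discusses.
RISKY_PORTS = {3389: "RDP", 23: "Telnet", 445: "SMB", 21: "FTP"}


@dataclass(frozen=True)
class Issue:
    severity: str   # "high" | "medium" | "low" (labels chosen for this example)
    category: str   # "remote-access" | "email"
    detail: str


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' TXT record (DMARC syntax) into a dict.

    Tag names are case-insensitive; whitespace around ';' and '=' is ignored
    and malformed fragments without '=' are skipped.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_ports(open_ports: List[int]) -> List[Issue]:
    """Flag internet-reachable ports that should sit behind a VPN or gateway."""
    issues = []
    for port in sorted(set(open_ports)):
        if port in RISKY_PORTS:
            issues.append(Issue("high", "remote-access",
                                f"TCP {port} ({RISKY_PORTS[port]}) is reachable from the "
                                "internet; restrict it to a VPN or remote-access gateway"))
    return issues


def check_spf(txt_records: List[str]) -> List[Issue]:
    """SPF lists the servers allowed to send mail as the domain (RFC 7208)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Issue("medium", "email", "no SPF record: receivers cannot verify "
                      "which servers may send mail as this domain")]
    if len(spf) > 1:
        return [Issue("medium", "email", "multiple SPF records: receivers must treat "
                      "this as a permanent error, so SPF never passes")]
    terms = spf[0].split()
    # A bare 'all' carries the implicit '+' qualifier, so both forms allow anyone.
    if "+all" in terms or "all" in terms:
        return [Issue("high", "email", "SPF ends in '+all': any host on the internet "
                      "may send mail as this domain")]
    return []


def check_dmarc(txt_records: List[str]) -> List[Issue]:
    """DMARC tells receivers what to do with mail that fails SPF/DKIM alignment."""
    for record in txt_records:
        tags = parse_tags(record)
        if tags.get("v", "").upper() != "DMARC1":
            continue
        policy = tags.get("p", "").lower()
        if policy == "none":
            return [Issue("medium", "email", "DMARC policy is p=none: spoofed mail is "
                          "only reported, not quarantined or rejected")]
        if policy not in ("quarantine", "reject"):
            return [Issue("high", "email", f"DMARC record has a missing or invalid "
                          f"policy tag (p={policy!r})")]
        return []
    return [Issue("high", "email", "no DMARC record at _dmarc.<domain>: receivers "
                  "have no instruction for mail that fails SPF/DKIM checks")]


def evaluate(findings: dict) -> List[Issue]:
    """Run every check over one findings record and return the issues in order."""
    domain = findings["domain"]
    txt = findings.get("txt_records", {})
    issues: List[Issue] = []
    issues += check_ports(findings.get("open_tcp_ports", []))
    issues += check_spf(txt.get(domain, []))
    issues += check_dmarc(txt.get(f"_dmarc.{domain}", []))
    return issues


# Constructed sample findings (not a real scan): HTTPS and RDP reachable,
# SPF present with softfail, DMARC published in monitor-only mode.
SAMPLE_FINDINGS = {
    "domain": "example.com",
    "open_tcp_ports": [443, 3389],
    "txt_records": {
        "example.com": ["v=spf1 include:_spf.example.net ~all"],
        "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    },
}

if __name__ == "__main__":
    for issue in evaluate(SAMPLE_FINDINGS):
        print(f"[{issue.severity:6}] {issue.category}: {issue.detail}")
```

Running the script on the sample record reports two issues: the reachable RDP port and the monitor-only DMARC policy. Feeding it the real TXT records and an external port list for one’s own domain turns an underwriter’s one-line “vulnerabilities found” into a concrete to-do list before the scan is ever run.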
Improved risk selection.
With new scanning tools now available to underwriters internally or externally, they no longer rely on just the application when making underwriting decisions. This strengthens risk selection and pricing decisions, particularly as underwriters can now view a risk in real time. Loss control scans also deepen underwriters’ understanding of cyber-risk vulnerabilities so they can better differentiate risks by class and make suggested security improvements to prospective and current insureds.
Validation of existing security settings.
Scans can also confirm the presence of cyber security settings that are known to prevent or mitigate actions that can cause a cyber loss. If an organization with few IT resources has already put certain security measures in place, the scans can validate their efficacy.
On the other hand, there are also several limitations to these scans, including:
A surface-level, external-only view.
Cyber underwriters’ scans are not a deep dive inside a client’s network. Therefore, retail agents and insureds should not consider these scans to be substitutes for more robust risk assessments. Third-party, specialized cybersecurity loss control services go much deeper, on both internal and external systems, and often include penetration testing and thorough network security auditing.
Small and medium-size businesses tend not to contract with third-party cybersecurity experts because those services can be expensive. Instead, most small organizations rely on technology managed service providers (MSPs) as an outsourced IT team that also can oversee their network as well as application and IT infrastructure security. But there are downsides to the MSP approach. Little communication may occur between the client and service provider, and some MSPs may have backlogs in upgrading software or providing secure access to all of their clients’ remote employees. MSPs are also a high-value target for cyber criminals, as they have control and possession of a large number of clients’ networks and data. As a result, they too have fallen victim to cyber events, compromising client data and/or shutting down their networks.
Cyber risk management is an imperfect art.
Even though cyber insurance has evolved over the last 20 years, cyber risks are changing more rapidly. Managing those risks is difficult and not an exact science. Errors are possible, even when underwriters use relatively sophisticated scanning technology. It’s not unheard of for an insured to advise that an inaccurate URL was scanned, or to dispute the findings or scoring of the scan. In such a case, the underwriter may then have to rewrite the risk, which could result in an adversarial relationship early in the quoting process. In addition, cyber coverage applications tend to leave a wide margin for error and misunderstanding, making it critical that retailers and their insureds seek technical advice from qualified cyber risk specialists.
Not all cyber underwriters release the findings of their scans to a client, particularly if the client chooses not to bind coverage. Because underwriters differ on whether scans are a precondition of quoting, the client may not understand why a market declined to quote their business. Another issue confounding both agents and applicants is the variance between scanning results and the actions taken by underwriting. One insurer may reject a risk based specifically on vulnerabilities discovered in its scan. Another may quote the risk with no mention of finding any vulnerabilities or without releasing any risk management recommendations. Inconsistent disclosure of scan results can leave an insured confused or, worse, unaware of security issues that could result in a loss. Even when insureds request to discuss IT issues with a carrier’s risk engineers, the opportunity is rarely made available.
False sense of security.
Many insurers utilizing scans issue a “security score,” which may rate a risk in relationship to its industry peer group’s overall level of security or provide a score based on the presence or lack of vulnerabilities discovered in a scan. Interestingly enough, one insurer may issue a sterling security score and offer terms, while a competing insurer may decline the risk after grading it with a failing score based on discovered vulnerabilities. As a result, some insureds may have a false sense of their own cyber security after receipt of a highly-rated score, when in actuality there are serious vulnerabilities not discovered by their insurer’s scans.
Suggested solutions downplayed.
Cyber underwriters who share the findings of scans may present corrective actions as “easy to fix.” Depending on the nature of the security issue and the insured’s resources, solving problems uncovered by a scan may actually be time-consuming and costly. Occasionally, the time required to implement a corrective cyber security action as a condition of binding may not be realistic for a potential or existing insured, which means they may be left uninsured or with a restrictive coverage endorsement until such corrective action is completed.
Retailers can take several steps with their insureds to ensure the appropriate use of generally available cyber loss control scans. It’s wise to start by discussing the insured’s ability to meet underwriters’ guidelines, which frequently change in response to market conditions. Retailers should also establish minimum security standards with an insured before seeking coverage. Multi-factor authentication (MFA) and endpoint detection and response (EDR) are now table stakes for most cyber underwriters, but they may have additional requirements. Because cyber exposures, and claims, are growing, what insurers considered acceptable minimum security a year ago is no longer adequate. Scans can reveal significant vulnerabilities that, when properly addressed, can help prevent large losses. Having adequate cyber insurance in place is another important component of a thorough risk management plan, and retailers should work with a qualified wholesale specialist to find the best available coverage options. Contact your local CRC Group producer to learn more about our ability to help meet your client’s cyber coverage needs.
- Darren Valencia is a Professional Lines Broker responsible for co-leading CRC Group’s Nashville, Tennessee office.
- Mark Smith is Senior Vice President and a Professional Liability Broker with CRC Group’s Seattle office.
- [1] “Is Remote Desktop Protocol Secure? It Can Be,” Threatpost, July 13, 2021; https://threatpost.com/remote-desktopprotocol-secure/167719/
- [2] “DNS-Layer Security: The Ultimate Guide to What It Is and Why You Need It,” Cisco Umbrella, October 5, 2021; https://umbrella.cisco.com/blog/what-is-dns-layer-security
- [3] “Top 50 Cybersecurity Statistics, Figures and Facts,” CompTIA, January 11, 2022; https://connect.comptia.org/blog/cyber-security-stats-facts
- [4] “The State of Email Security Report,” Mimecast, 2021; https://www.mimecast.com/state-of-emailsecurity/#:~:text=The%20State%20of%20Email%20Security,became%20more%20treacherous%2C%20not%20less.