Q&A: Meet insurance underwriters’ newest obsession — vulnerability assessments

By Byron V. Acohido

From very early on, cyber criminals have been smart enough to focus their attention on vulnerabilities – the endless coding weak points arising from our increasing dependence on complex software and software-run systems.

Finally, the good guys are doing the same. One security vendor I recently spoke to, Risk Based Security, is among the innovative vendors involved in helping companies identify, assess and patch vulnerabilities.

Obviously, a comprehensive understanding of the vulnerabilities your organization is exposed to, at any given time, is a vital layer of defense. What’s really interesting is that the insurance industry has come to recognize this, and has begun using vulnerability assessments as a key measure for qualifying companies looking to offset cyber risk via a cyber insurance policy.

Jake Kouns, CISO at Risk Based Security, walked me through the context of this emerging trend. Here are excerpts of our conversation, edited for clarity and length. For a deeper drill down, please listen to the accompanying podcast.

LW: How do you go about keeping track of vulnerabilities?

Kouns: We have top-notch research, with folks that have been doing vulnerability research for 20 years or more; they are constantly tracking any time there is a new vulnerability. We monitor anything we find, and then we do manual research to make sure it’s a legit vulnerability, and then we tag it and put appropriate risk data around it.

LW: So you have some fresh metrics to share?

Kouns: Yes, we recently published two different reports. The first shows that just under 10,000 new vulnerabilities were released by midyear (July 2017). These are flaws with a software product that could allow for misuse and could be taken advantage of. We are on a huge pace this year; it is actually 30% more vulnerabilities than last year in the same time frame.

LW: So these are fresh risks discovered in operating systems and business applications?

Kouns: Exactly. We hear about these things in news events like WannaCry. Many times the root of the issue is a vulnerability in some sort of software that allows an event to happen, right? Even with all the focus on security, we are still seeing vendors ship products that have vulnerabilities in them that can lead to a compromise and lead to a data breach.

LW: What other metrics did you just release?

Kouns: It’s kind of a broken record. Things are not getting better. We’ve already had over 2,200 individual data breaches reported, where unauthorized access led to some sort of data going missing. So we’ve lost over six billion records as of mid-year. So, to put that in context, we lost 4 billion records in all of last year.

LW: How do these two metrics relate to each other?

Kouns: Hacking is still the biggest breach type out there. And when you have software with known vulnerabilities, that’s a prominent way hackers can get in and cause problems that create liabilities.

LW: The insurance industry is on to this; can you walk us through what you’re seeing?

Kouns: Cyber insurance is a hot topic now. We believe strongly that cyber insurance is an amazing way to handle risk. When you think about dealing with risk, you can accept risk, you can avoid risk, you can mitigate risk, or, finally, you can transfer risk. All companies transfer risk when they buy property insurance. There is a legit market where you can buy insurance for unauthorized access. If you have a data breach and your most critical data assets get stolen or compromised, you can buy insurance for this.

LW: Cyber liabilities clearly are much more complex than any other liability a company has previously addressed.

Kouns: That is where we come into play. We license our data and we work with our clients so that they can understand how breaches are occurring. This helps the underwriting process. They can determine what good vs. poor risks look like; who are the organizations worth insuring; what types of different businesses may be too high-hazard, or need to be charged higher premiums.
