Industry leaders expose problems with cyber vulnerability assessment tools and discuss new ways to get ahead of cyber criminals

Aggressive – it’s the word that comes to mind when considering how cyber crime has developed over the past few years.

In turn, the demand for cyber security professionals – such as security engineers, security analysts, security managers, security architects and security consultants – has also increased.

According to a report published by the Department for Digital, Culture, Media and Sport (DCMS) and Ipsos, entitled Cyber security skills in the UK labour market 2022 and published in May 2022, there were 4,400 core cyber security job adverts posted in each month of 2021 – a 58% increase compared to 2020.

The report also found that there are around 7,500 new entrants into the UK cyber security labour market each year.

However, with around 4,600 Brits also leaving the cyber security labour market each year, DCMS and Ipsos’ report estimated “a total UK cyber workforce gap – the annual shortfall in cyber security personnel – of 14,100”.

Typically, businesses find it “difficult” to evaluate their own cyber security, explained CFC cyber development leader Lindsey Nelson.

According to Nelson, one option brokers and insurers can utilise to evaluate organisations’ cyber security status is the use of cyber risk rating reports – these are designed to make cyber security assessments simple and “easy to understand”.

Cyber security rating platform BitSight described a cyber risk rating as an objective, data-driven measurement of an organisation’s security performance against key risk vectors.

Brokers can use the data from these rating reports when collecting quotes or renewing clients’ cyber insurance policies.

Now, however, there is a “problem” with the use of cyber risk rating reports.

Nelson explained: “[The] narrative has shifted [around] these reports, [from] saying ‘here’s a useful tool to identify some of the company’s vulnerabilities’, to now purporting to be the authoritative voice on how secure an organisation is and how likely it is to suffer a cyber attack.

“Security professionals are struggling with how these rating reports are being presented, as they can be misleading given the quality of the report is entirely contingent on the data used to produce it.

“While we use scanning technology ourselves to detect vulnerabilities and alert customers to potential issues throughout the course of the policy, we know that ‘point in time’ risk reports are incredibly dangerous as a true authority of vulnerability because, more often than not, they do not give the full picture.”

Losing clients

In terms of whether cyber risk rating reports are reliable, CFC argued that the underlying data used may not have full visibility of a firm’s IT assets.

For example, many SMEs outsource large parts of their network to a cloud provider, like Amazon Web Services, which can “go completely undetected on scans” and “may or may not be secure”, Nelson noted.

She continued: “As a result, there is a high potential for many SMEs to have a false sense of security from an inaccurate rating report.

“Equally, a report could downplay the security of an organisation – which may in fact have excellent controls in place – just because [it] couldn’t be seen by the rating agency’s scans.” 

Nelson revealed that one of CFC’s broker partners recently lost a client due to concerns around the “credibility” of the information within a cyber risk rating report.

The reason why? The broker “inadvertently” presented the client with two risk reports, which both contained “completely opposite statements about the company’s vulnerability and risk posture”, she said.

Fred Eslami, associate director at credit rating agency AM Best, added: “Cyber risk ratings are a challenging undertaking as each company’s cyber profile is constantly changing at the same time threat actors are becoming more sophisticated”.

“It’s not easy to monitor, therefore, reliability can be a concern.” 

Echoing Eslami’s sentiments, Aviva’s head of cyber Stephen Ridley highlighted that a current challenge when evaluating cyber security performance is “keeping up with the ever-evolving cyber threat”.

“Cyber criminals are a bit like a river – they will always follow the path of least resistance. If something blocks the path that they are on, they will carve a slightly different route,” he said.

Underwriter Michela Moro – cyber underwriting manager, regional unit, London at Allianz Global Corporate and Specialty (AGCS) – noted that cyber security assessment tools are a “helpful indication” by “an organisation’s cyber security team to monitor externally facing systems or to monitor third party vendors”.

However, “at the same time, we can all appreciate that the view provided [in cyber risk rating reports] is partial in nature and needs to be complemented with information provided directly from our clients”, she added.

So, how can the cyber insurance market mitigate the challenges posed by cyber security risk rating reports?

Opportunity for brokers

According to Nelson, proactive cyber insurance provision in partnership with threat intelligence or knowledge that allows security teams to prevent or mitigate cyber attacks – which must not be confused with vulnerability scanning – is key to successfully protecting policyholders.

It is also “important” that brokers understand the differences between threat intelligence and vulnerability scanning when explaining cyber cover to clients.

Nelson explained that proactive cyber insurance means both “scanning cyber customers for specific risk factors and vulnerabilities actively being targeted by cyber criminals”, as well as “alerting customers to the specific threats impacting their business in real-time and working with [them] to mitigate the issue – prevent the attack before it happens and thus prevent a claim”.

This approach can be supported by threat intelligence, which can help to predict a cyber claim.

Compared to vulnerability scanning, “which is basically like looking for an open door or window to an insured’s property – in this case, that property is a company’s internet facing assets”, threat intelligence does not “rely solely on identifying an insured’s potential weak spots from the outside”, explained Nelson.

Instead, “it combines the vulnerability scanning data with a host of other data from a combination of sources – including law enforcement, government and a cyber insurer’s own data – to identify which customers are on an attack list”, she added. This means insurers can “get to each and every customer before criminals do”.
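One way to implement the distinction Nelson draws above, as an added example that is not part of the article or of any insurer’s tooling: point-in-time scan findings are escalated only when threat intelligence confirms active exploitation or names the insured on an attack list, and scans too old to reflect the current picture are flagged. Every input (insured names, vulnerability IDs, the intelligence feeds) is a constructed placeholder.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from the article. Vulnerability IDs are
# placeholders, not real CVE numbers; insured names are hypothetical.
SCAN_FINDINGS = {
    "insured-A": {"vulns": {"VULN-001", "VULN-002"}, "scanned_at": "2022-05-01T00:00:00+00:00"},
    "insured-B": {"vulns": {"VULN-003"}, "scanned_at": "2022-05-20T00:00:00+00:00"},
    # Clean result, but stale: the external scan last ran months ago.
    "insured-C": {"vulns": set(), "scanned_at": "2022-03-01T00:00:00+00:00"},
}

# Constructed threat-intelligence inputs: vulnerabilities observed being
# actively exploited, and insureds named on an attack list (the kind of data
# the article attributes to law enforcement or an insurer's own claims).
ACTIVELY_EXPLOITED = {"VULN-002", "VULN-003"}
ON_ATTACK_LIST = {"insured-C"}

MAX_SCAN_AGE = timedelta(days=30)  # assumed threshold for a trustworthy scan


def triage(findings, exploited, attack_list, now):
    """Combine point-in-time scan results with threat intelligence.

    For each insured, separate bare scan hits from findings confirmed as
    actively targeted, note attack-list membership, and flag stale scans.
    """
    alerts = {}
    for insured, rec in findings.items():
        scanned_at = datetime.fromisoformat(rec["scanned_at"])
        stale = now - scanned_at > MAX_SCAN_AGE
        active = rec["vulns"] & exploited
        reasons = []
        if active:
            reasons.append("actively exploited: " + ", ".join(sorted(active)))
        if insured in attack_list:
            reasons.append("named on attack list")
        if stale:
            reasons.append("scan older than 30 days; point-in-time view may be outdated")
        alerts[insured] = {
            # What a scan alone would report, with no evidence of targeting.
            "scan_only": sorted(rec["vulns"] - exploited),
            # Contact this insured first: intelligence, not just a scan hit.
            "priority": bool(active) or insured in attack_list,
            "stale_scan": stale,
            "reasons": reasons,
        }
    return alerts


def run_example(now=datetime(2022, 5, 25, tzinfo=timezone.utc)):
    return triage(SCAN_FINDINGS, ACTIVELY_EXPLOITED, ON_ATTACK_LIST, now)
```

Note that insured-C has no scan findings at all yet is still prioritised, which is the false sense of security the article warns a clean rating report can create.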

Ridley, meanwhile, believes that the use of threat intelligence can help insurers “tailor cover to a greater degree”.

In turn, this “can help customers to spend money on the areas that are most important to them without having to carry additional cost for items that are less relevant, [while] also allowing insurers to better manage their potential systemic exposure”, he said.

Ridley added that there is a “real opportunity” for brokers to provide advice to “add value for their customers” using threat intelligence.

“Being able to get ahead of questions or red lines that are likely to exist from insurers will allow them to get businesses in the right shape to come to market and then present the risk in the best light – this will result in a more secure client and the best possible terms from the market – a win-win,” he continued.

‘Best tools’ for the job

Moro added that a “successful [cyber] strategy hinges on sufficient investment in specialised talent and effective controls – including threat intelligence”.

She continued: “The insurance industry’s other main contribution is thought leadership. As insurers, we can learn from losses notified to us and share trends with our insureds.

“In the SME space, we definitely see [an] additional need for pre-breach support – driven by the size of the organisations insured and their level of cyber security resources.

“This pre-breach support is multifaceted and includes awareness training, regular scanning of the network, automated alerts regarding new vulnerabilities and attack vectors.”

Christopher Graham, senior industry analyst at AM Best, said: “Threat intelligence, along with sharing that intelligence with insureds, is one of the best tools insurers have at their disposal.

“Alerting insureds to threats and allowing those insureds time to install patches in [their] software, much like a hurricane or other storm warning, allows property owners and renters time to board windows and take other necessary precautions.”