‘Insurers setting standards that they cannot meet themselves could damage the credibility of those insurers whole,’ says insurance solutions director

More than a quarter of the top UK insurers could “struggle to get cyber insurance for themselves”, new data from SecurityScorecard has revealed.

In a statement released today (20 June 2023), the firm highlighted that while 74% have a B or higher risk rating, some 26% had “such poor cyber ratings”, with a risk rating of C or below.

Chris Scott, insurance solutions director at SecurityScorecard, explained that “most insurers would use C as a minimum case for progressing to quote”.

“With a C grade, you would expect a lot of scrutiny around control maturity and implementation as well as a high chance for significant subjectivities or co-insurance clauses,” he added.

“Insurers setting standards that they cannot meet themselves could damage the credibility of those insurers whole.”

SecurityScorecard analysed the top 50 insurers active in the UK market by gross written premium.

Charles Clarke, director of insurance sales in EMEA, said: “With insurers being seen as the leader – or teacher – rather than the student, it’s surprising that 26% are below a C grade.”

Digital supply chain

This came as SecurityScorecard revealed that 42% of the third-party vendors that the top 50 insurers work with sat at a C grade or lower.

And it claimed that half of the insurers were exposed to third-party entities that have experienced a domain breach since 26 January 2023.

Scott said that third-party due diligence was a “big focus topic for underwriters and this demonstrates a disparity between how insurers approach deployment of capital and manage their own risk”.

“This will likely be a big focus of regulation, so they need to think about how they address this at scale,” he added.

The firm’s intel team also found that 52% of all major breaches throughout 2022 were due to a breach of a third-party vendor within the digital supply chain.

“We are seeing a real upswell in interest from the insurance market into third- and fourth-party supply chains, particularly critical vendors that may share highly sensitive data – [including] payments, security creds, bank details, [and] health records,” said Clarke.

“After all, you’re only as strong as your weakest link, and that does seem to repeatedly be within a supply chain product.”