Cyber underwriting is a unique challenge. New threats appear daily, and formidable adversaries — cybercriminals with dollar signs in their eyes — are often finding flaws in security controls once believed to be sacred. Luckily, Corvus has a team of highly experienced underwriters who are constantly looking ahead to help our broker partners and their clients prepare for what’s next.
The pandemic ushered in a new era of corporate life, where our guest bedrooms and dining tables became temporary (or in some cases permanent) places of business. As most employees basked in the glory of a vastly reduced commute, IT teams were left scrambling to plug any security gaps and minimize attack surfaces that arose from a scattered workforce. The fix? Virtual Private Network (VPN) technologies.
The idea behind VPNs is to provide remote employees with a secure way to access internal resources via an encrypted channel, acting as a bridge between the Internet and a company’s internal network. Predictably, threat actors did what they do best — adapt their business model.
Throughout Q2 2022, there was a 700% increase in initial access through external remote services (remote desktop protocol and VPNs), reports Kroll.
VPNs aren’t immune to the key weakness that plagues other software: critical vulnerabilities. Through the work of our Data Science team, we found that not all VPNs are created equal. By looking at their history of exploitation by threat actors, we were able to categorize VPNs based on their risk factor (low, medium, and high). Organizations using a high-risk VPN solution are three times more likely to have a security incident than those without a VPN at all.
Our data science, cybersecurity, and tech teams work collaboratively to discover new threats and calculate the security risks they hold for our policyholders. We then incorporate these findings into our underwriting platform. In the past, we’ve applied this multi-pronged approach to other high-risk areas, like Remote Desktop Protocol (RDP).
“Remote desktop protocol is a leading vector for ransomware attacks,” explains Peter Hannapel, Vice President of Cyber TEO Underwriting. “Once we started scanning clients for RDP, we’d decline when we saw it and explain why. We could help policyholders rectify the situation and it cut down our RDP-related claims to zero.”
We can effectively tackle low-hanging fruit by catching it first. Identifying risky VPNs — ones that even when patched regularly still lead to high exposure — gives us an even more granular view when looking at an applicant’s security posture and aids in risk avoidance.
“Our scan can detect high-risk VPNs, which is then rolled into our underwriting process,” says Kyle Lubin, Assistant Vice President, Cyber Underwriting. “It impacts their score and is then built into the feedback we provide to applicants seeking coverage. If they are a current policyholder, we’ll alert them to the high-risk VPN and offer suggestions for more secure solutions. For example, instead of this high-risk VPN, we recommend Zero Trust Network Access.”
A tiny snippet of code — present on 30% of the web’s 100,000 most popular destinations — might have sizable implications for the cyber market. This 1x1 graphic, known as a tracking pixel, has made headlines for its presence on websites in regulated industries, particularly healthcare. The purpose behind pixel tech is straightforward (for the first-party organizations, anyway): Track how users interact with a business’s website to make marketing to specific audiences easier. But the glaring issue is data privacy.
The fundamental concern is over what data is being collected, and how it is being used. Meta’s pixel, for example, sends a user’s browsing information straight from the website they are visiting to Facebook, a third party. And it’s not just Meta. Google, TikTok, and LinkedIn (among many others) are contributing to the pixel phenomenon.
It is not publicly disclosed exactly what data social media giants are collecting, but we know that some of it is personal information: your name, pulled from your Facebook or Instagram account when logged in, your IP address, and your browsing history. Allegedly, even information from password-protected patient portals has been sent to third-party vendors, which can include private health information. After several exposés in the media this summer, announcements of data breaches from healthcare providers and class action lawsuits started rolling in. Then, claims hit insurers.
The widespread popularity of pixel has made it a relatively unique risk facing cyber underwriters, not only due to the recent uptick in expensive losses, but because so many organizations have pixel implemented on their websites. Some businesses are unaware of the potential harm, while others do not know it is present in the first place (left behind by marketing agencies or employees no longer at the company).
Our tech-enabled approach to calculating risk allows us to adapt quickly to address up-and-coming threats, like pixel, without needing to constantly modify a written application.
“We’ve pointed out Pixel to clients that had no idea it was there, which really shows how useful it is to combine a traditional application with the Corvus Scan,” says Hannapel. “You have to think of who ends up filling out the application. Is it a risk manager, who doesn’t know IT super well? Or a new IT guy who doesn’t know they implemented X, Y, or Z technologies before their time at the company? The Corvus Scan helps us address all these factors at scale and fill in any blanks.”
While the healthcare sector is most at risk — the Office of Civil Rights has strict guidelines for how they should handle pixel moving forward — our underwriters and in-house cybersecurity experts work with policyholders in all industries to ensure that they are informed about the risks associated with ad-tracking technology, and are taking the right steps to maximize privacy protections for their consumers.
“Partnering with our insureds through the entire policy period is a big difference I see working at a cyber-centric MGU,” says Anne Scott, Vice President, Cyber TEO Underwriting. “Policyholders appreciate us alerting them of new vulnerabilities that are picked up on our Corvus Scan and in turn we appreciate their responsiveness in making updates to improve their cyber security posture.”
There hasn’t been a shortage of opinions on the rise (and fall) of Insurtechs. A common thread: They rely too heavily on digitization without the insurance experience to back it up.
Maybe the non-believers haven’t met us all yet.
“Technology and underwriting expertise pair well,” says Lubin. “What’s beautiful about Corvus is the marriage of strong underwriting backgrounds with a stable of experts coming from technical backgrounds — data science to cybersecurity. The scan, in conjunction with expert findings, helps us make sound underwriting decisions.”
Cyber risk and risk assessment are often spoken about as unsolvable equations. Can something so unpredictable even be insurable? We know it’s possible — if we empower some of the smartest minds in the insurance industry with the right data. Cyber threats evolve fast, fueled by human ingenuity for profit. We need to be equally innovative.
Insurance experts who know the industry inside-and-out, particularly the nuances of cyber, are here to stay. But the question still stands: How can we build on existing tradition to improve?
“Cyber is the biggest driver and focus here, so we have a lot of resources you may not find in other shops. The way our cybersecurity team works in collaboration with claims, actuarial, and data science to share information and help us identify trends early is unique,” says Hannapel. “I don’t think that level of organization-wide cooperation is possible everywhere.”
To keep up with the speed of cyber, we have to let go of some outdated notions — like only speaking to policyholders on the days leading up to renewal — and replace them with a more modern approach. Proactive alerts and constant threat monitoring upgrade the relationship to a true partnership in risk mitigation planning.
“We work with brokers and their clients to bridge the gap and find solutions. Pairing strong underwriters with strong technology achieves leading results from a profitability, loss ratio, and growth standpoint,” says Lubin.
As an organization, we have data embedded in our DNA. To solve the problem of cyber attacks and risk, we need to know how to leverage that data. By empowering human expertise with the right technological solutions, we’re keeping up with all of the new and evolving types of risks that come our way.
This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.