Over the last couple of months, we have been meeting with insurance companies to understand their main pain points and how cyberinsurance has been evolving as a business vertical for them.
The way cyberinsurance works today usually follows this workflow:
- Company asks for Cyberinsurance;
- Insurer sends an A4 sheet with a handful of questions (about mergers or acquisitions, basic data exposure and, maybe, whether that data is shared with third parties);
- Company gets cyberinsured.
Three common problems surfaced immediately:
- No data: the insurer has no data it could use to monitor and assess the companies it insures;
- Constant change: new vulnerabilities come out every day, and many companies add and remove assets from their infrastructure or change their organizational structure (often without proper asset management);
- How to evaluate cyber?: figuring out which data points to use, and what should really be part of a risk formula, is not simple for cyber. It is still a novel line of business compared with the other industries in an insurer's portfolio.
Taking this scenario into account, the following image describes how Cyberinsurance works today and how we intend to change it.
For Cyberinsurance to work, organizations will have to go through a transformation! It is a change that is very similar to the one they go through for digitization, as not only will technology have to support the business, but the mindset of the people involved in the different processes will also have to change.
Unlike other types of insurance, Cyberinsurance requires a constant feedback loop between customer and insurer.
For the last few months, BinaryEdge has been working on a digital insurance platform that combines our asset rating and real-time cybersecurity data acquisition experience with blockchain and smart contracts. The platform also lets clients integrate centrally with different vendors, create their own rating formulas (or use our open source formulas, or work with vendors that will do this for them) and constantly monitor their portfolio of insured companies.
The following diagram explains at a high level how this digital platform works:
Let's look at a practical example:
- The customer requests cyberinsurance: the moment the platform knows the company name (there are verification steps and more technical details, which we won't go into in this blogpost), we initiate what we call organization mapping.
- Organization mapping is an internal service we created which, based only on a name, finds the assets associated with that company, such as IP addresses, domains, customers and emails.
- After all the assets have been found, we aggregate all the data related to those assets. This data is used to calculate a risk score for the company, which in turn generates a premium proposal.
- The customer receives an onboarding email and the premium proposal.
After the onboarding is done and accepted, a new blockchain is created for this customer and a smart contract associated with that blockchain is built. This serves two purposes:
- an oracle continuously monitors the company's rate over time and records it on the blockchain whenever it changes;
- the smart contract holds a set of rules, or "actions", that are enforced when the rate stored on the blockchain changes. These actions can range from raising the premium to sending a notification to the customer. A future possibility we want to include is handling payments for claims management.
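To make the flow above concrete (mapping results in, a pluggable rating formula, an oracle that records only real changes, and contract rules that fire on those changes), here is a small Python model. It is an added example, not BinaryEdge's platform code: the sample findings, the severity weights, the premium formula and the rule thresholds are all assumptions, and a SHA-256 hash chain stands in for the per-customer blockchain.

```python
"""Toy model of the rating oracle and rule-enforcing contract (added example)."""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample data: findings per asset, as organization mapping and
# vendor scans might return them. Assets and issues are made up.
SAMPLE_FINDINGS = {
    "203.0.113.10": [{"issue": "open_rdp", "severity": "high"}],
    "203.0.113.11": [{"issue": "expired_tls_cert", "severity": "medium"}],
    "www.example.org": [{"issue": "missing_hsts", "severity": "low"}],
}
# Assumed weights; an insurer would plug in its own formula here.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}


def risk_score(findings, weights=SEVERITY_WEIGHT):
    """Pluggable rating formula: sum the worst finding per asset, capped at 100."""
    total = 0
    for issues in findings.values():
        if issues:
            total += max(weights[i["severity"]] for i in issues)
    return min(100, total)


def premium(score, base=1000.0):
    """Assumed pricing: a base premium scaled linearly by the risk score."""
    return round(base * (1 + score / 100), 2)


@dataclass
class Record:
    seq: int
    score: int
    prev_hash: str
    digest: str


def _digest(seq, score, prev_hash):
    return hashlib.sha256(json.dumps([seq, score, prev_hash]).encode()).hexdigest()


class RatingLedger:
    """Append-only, hash-chained log standing in for the per-customer blockchain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, score):
        prev = self.records[-1].digest if self.records else self.GENESIS
        seq = len(self.records)
        rec = Record(seq, score, prev, _digest(seq, score, prev))
        self.records.append(rec)
        return rec

    def latest(self):
        return self.records[-1].score if self.records else None

    def verify(self):
        """Recompute every link; any edited record breaks the chain."""
        prev = self.GENESIS
        for r in self.records:
            if r.prev_hash != prev or r.digest != _digest(r.seq, r.score, r.prev_hash):
                return False
            prev = r.digest
        return True


def oracle_tick(ledger, findings):
    """Oracle: recompute the score and record it only if it changed."""
    score = risk_score(findings)
    if score != ledger.latest():
        ledger.append(score)
        return True
    return False


# Contract rules: (predicate over previous and current score, action). Thresholds assumed.
RULES = [
    (lambda prev, cur: cur - prev >= 10, "raise_premium"),
    (lambda prev, cur: cur != prev, "notify_customer"),
]


def enforce(ledger, rules=RULES):
    """Contract logic: actions triggered by the most recent recorded change."""
    if len(ledger.records) < 2:
        return []
    prev, cur = ledger.records[-2].score, ledger.records[-1].score
    return [action for pred, action in rules if pred(prev, cur)]


if __name__ == "__main__":
    ledger = RatingLedger()
    oracle_tick(ledger, SAMPLE_FINDINGS)
    print("score", ledger.latest(), "premium", premium(ledger.latest()))
    worse = dict(SAMPLE_FINDINGS, **{"203.0.113.12": [{"issue": "unauthenticated_db", "severity": "critical"}]})
    oracle_tick(ledger, worse)
    print("actions", enforce(ledger), "chain ok", ledger.verify())
```

Two design points carry over to a real deployment: the oracle writes only on change, so the ledger records rating history rather than polling noise, and every rule is evaluated against the recorded previous and current values, so the insurer and the customer can audit exactly which recorded change triggered a premium adjustment.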
A few important points about this platform:
It is modular: we want insurers to be able to work with a plethora of vendors, from vendors that provide external scanning, as we do at BinaryEdge, to vendors like Probe.ly, which looks at the security of web applications, or even Troy Hunt's excellent Have I Been Pwned.
Other data that will also be stored on this platform are reports from pentests and security assessments. This gives the insurer and the clients a unified platform where they can see when issues were addressed and how the security hygiene of the company improved over time.
Of course, these are options: the insurer picks which vendors it wants to work with, and an integration module is created for each vendor; at the same time, the company chooses which information it wishes to share with the insurer. The more information shared, the fairer the rate for that company and therefore the better the premium, much like the black boxes you can put in your car that measure location and speed and report them to the insurer. This also makes claims management smoother.
Portfolio risk management
Giving insurers a continuous view of the risk ratings of the companies in their portfolio lets them quickly grasp, from a business perspective, which decisions should be made about customer contracts.
By having a combination of vendors and a unified digital platform, the insurer will be able to answer questions such as:
- Which companies have been improving their security rating over the year?
- Which ones represent a high risk and what are their premiums?
- Which companies should I renew?
The following images show, respectively, an overview of a portfolio risk score stored in a blockchain and a detailed view of a specific company:
While working with our clients, we also hear about many cyber-related problems.
They have a hard time finding companies that do reliable pentesting or good code analysis. Maybe they want to run secure programming training, but don't know which company is right for it.
For that reason we feel it's important to have a marketplace, one where vendors that work with the insurance company can access RFPs posted by the customers and bid on them with proposals.
BinaryEdge will be partnering with insurance companies on this project. If you would like to have more information feel free to contact us using firstname.lastname@example.org .