October 22, 2024
Spectra
Spectra’s approach to cyber insurance is in many ways unique, yet it is inspired by decades-old, and sometimes centuries-old, processes that have been tried and tested across more mature lines of business such as marine or property insurance. Some critical processes, including professionally managed security standards, regular and thorough inspections, and detailed collection of customer exposure data, are common in established lines of insurance business. Not so in cyber.
Self-managed security, the absence of security standards or best practices, the inability to conduct detailed inside-out inspections, and the lack of cyber security exposure data inhibit selective underwriting and granular pricing, and create numerous challenges for portfolio management.
Claims data shows that self-managed security often fails during an incident: self-managed backups are frequently compromised during ransomware attacks, and poorly managed EDR services fail to prevent data exfiltration. In the fast-paced digital age of innovation and increasing complexity, both threats and security tools evolve rapidly and require well-trained specialists to handle them.
SMEs are typically not equipped to configure, maintain, upgrade, and patch dozens of applications, nor are they staffed to respond 24/7/365 when an incident occurs. Further, they typically lack the expertise to fully utilize the tools they license.
In most lines of business, the owner of the insured asset contracts a third-party firm to maintain and secure the insured property. Given the ever-changing maintenance and security requirements and the urgency of incident response, the necessity of this approach is even more obvious when the property in question is systems, networks and data.
We do not prescribe a specific technology for any security solution. We encourage technology diversity in the economy and certainly in an insurance portfolio, while monitoring specific technology aggregations. When we certify an MSP’s foundational security, we ensure the technology deployed has been vetted and supports the critical features for the solution it is deployed for (e.g., that an endpoint product participates in the MITRE ATT&CK evaluations). Finally, we believe the certified MSPs are best equipped to select the tool(s) that best serve their customers.
Spectra exclusively works with insurance applicants who have licensed certified security solutions from certified MSPs. The Spectra certification is unique in that it focuses on the resilience of the MSP and of the security solutions (BaaS, FWaaS, BEC defense, DRaaS, endpoint protection) which they license to businesses. Spectra assures the resilience of the above solutions and provides warranties that refund the annual MSP servicing fee to customers if the security solution fails a performance metric during a cyber incident.
For pricing hurricane coverage, it is critical to know whether a building is in Miami Beach or Atlanta and whether it is made of wood or steel. It is equally important for pricing cyber risk accumulation to understand which data center (physical address), cloud technology, availability zone, backup solution, firewall, endpoint protection, etc. is deployed across the policyholder’s network. Using backup solutions as an example, it is critical to understand whether data is securely replicated to geo-diverse locations and using different technologies, as this determines whether the backup design is resilient to the majority of disaster scenarios that lead to claims: a single copy that sits in the same data center as production, or a second copy that depends on the same backup technology as the first, shares the failure modes of the primary.
The cyber insurance industry will benefit tremendously from a better understanding of customer posture resilience and will gain better visibility (accumulation, probable maximum losses, etc.) from detailed customer exposure data.
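The two checks described in the previous paragraphs, backup design resilience per policyholder and technology aggregation across a portfolio, can be expressed directly over exposure data. The following is an added illustration, not Spectra’s own tooling or data model; the field names, the site and vendor labels, the five sample policyholders and the 40% concentration threshold are all constructed assumptions for the example.

```python
"""Exposure-data checks over a cyber portfolio (added example; all data constructed)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    site: str        # physical location of the copy (hypothetical site label)
    technology: str  # backup technology family holding the copy (hypothetical vendor label)


@dataclass
class Policyholder:
    name: str
    data_center: str            # physical site of the production systems
    cloud: str                  # cloud provider, or "none" for on-prem
    availability_zone: str      # provider AZ, or "n/a"
    backups: tuple[BackupCopy, ...]


def backup_resilience(p: Policyholder) -> list[str]:
    """Return design weaknesses found; an empty list means the design meets the
    two criteria in the text: copies at geo-diverse sites, on different technologies."""
    reasons: list[str] = []
    sites = {c.site for c in p.backups}
    techs = {c.technology for c in p.backups}
    if len(p.backups) < 2:
        reasons.append("fewer than two backup copies")
    # A copy colocated with production is lost in the same site-level disaster.
    if not (sites - {p.data_center}):
        reasons.append("no copy outside the production data center")
    if len(sites) < 2:
        reasons.append("all copies at a single site")
    # Two copies on one product share its bugs, credentials and update channel.
    if len(techs) < 2:
        reasons.append("all copies depend on a single backup technology")
    return reasons


def aggregation(portfolio: list[Policyholder], attribute: str) -> dict[str, int]:
    """Count policyholders per value of one exposure attribute (e.g. data_center)."""
    return dict(Counter(getattr(p, attribute) for p in portfolio))


def concentration_flags(portfolio: list[Policyholder], attribute: str,
                        max_share: float = 0.4) -> dict[str, float]:
    """Values of an attribute whose share of the portfolio exceeds max_share.
    The 40% default is an assumed appetite limit, not an industry figure."""
    total = len(portfolio)
    return {v: n / total for v, n in aggregation(portfolio, attribute).items()
            if n / total > max_share}


# Constructed sample portfolio; names, sites and vendors are placeholders.
PORTFOLIO = [
    Policyholder("Acme", "Miami-DC1", "none", "n/a",
                 (BackupCopy("Miami-DC1", "VendorA"), BackupCopy("Atlanta-DC2", "VendorB"))),
    Policyholder("Bolt", "Atlanta-DC2", "CloudX", "cx-east-1a",
                 (BackupCopy("Atlanta-DC2", "VendorA"),)),
    Policyholder("Crest", "Miami-DC1", "CloudX", "cx-east-1a",
                 (BackupCopy("Atlanta-DC2", "VendorA"), BackupCopy("Denver-DC3", "VendorA"))),
    Policyholder("Dune", "Miami-DC1", "CloudX", "cx-east-1a",
                 (BackupCopy("Miami-DC1", "VendorA"), BackupCopy("Miami-DC1", "VendorB"))),
    Policyholder("Echo", "Denver-DC3", "CloudY", "cy-west-2b",
                 (BackupCopy("Denver-DC3", "VendorC"), BackupCopy("Atlanta-DC2", "VendorA"))),
]


def portfolio_report(portfolio: list[Policyholder]) -> dict[str, list[str]]:
    """Map each policyholder to its backup design weaknesses (empty list = resilient)."""
    return {p.name: backup_resilience(p) for p in portfolio}


if __name__ == "__main__":
    for name, reasons in portfolio_report(PORTFOLIO).items():
        print(f"{name}: {'resilient' if not reasons else '; '.join(reasons)}")
    for attr in ("data_center", "cloud", "availability_zone"):
        print(attr, aggregation(PORTFOLIO, attr), "flags:", concentration_flags(PORTFOLIO, attr))
```

Running it shows Bolt failing all four backup criteria, Crest failing only the technology-diversity criterion (two sites, one vendor), Dune keeping both copies inside its production data center, and Miami-DC1, CloudX and the cx-east-1a zone each carrying 60% of the sample portfolio, which is the kind of aggregation a carrier would want surfaced before it is revealed by a single shared outage.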
The Spectra certification process involves detailed cyber security posture inspections, the output of which can be shared with carriers and their reinsurers. Again, it would be unusual for insurers to offer multi-million-dollar policy limits in property, marine, aviation, etc. without regular and thorough inspections of the underlying asset. We believe external attack surface scans have some value, but they are the equivalent of a “drive-by” inspection in property insurance: they see only what is exposed from the outside. That may suffice for very small risks, but it is insufficient for larger SMEs and more complex corporates. One needs to look behind the firewall at the actual systems and controls, and also account for the humans in the loop, to provide real insight.
We believe that many of the cyber insurance industry’s existing challenges would become more manageable if we adopted the same security and underwriting processes that have already proven to work well elsewhere, and adapted them for the cyber market.