How Continuous Data Collection Drives Better Risk Selection
👋 Welcome back to the Cyber Savvy Broker Newsletter. Every month, we use this space to explore new and relevant topics for brokers in the cyber insurance world.
Most cyber insurance providers will tell you all about their “scans.” They look for weaknesses in your clients’ digital perimeter, compile the findings, and make broad-sweeping assertions about the company’s security posture.
The problem is that these scans just look for known vulnerabilities and exposures in the abstract. They’re built on generic data and designed to be one-size-fits-all. No word has done more to undermine the sophistication and innovation exploding out of the cyber insurance industry. Plus, everyone does “scans” now. So what?
At Coalition, we try to use the term sparingly because it’s an oversimplification of our approach to assessing cyber risk. Now, do we use technology to determine a business’ risk at the time of quoting and throughout the policy period? You bet. And do we monitor the entire global internet for new and emerging threats to help protect our policyholders? Of course!
Having access to a vast array of data is essential for accurate risk assessment and risk selection, but the data is only as good as what we do with it.
Because we sit at the intersection of cybersecurity and insurance, Coalition can connect the dots between vulnerabilities and claims data. We know which vulnerabilities threat actors are actually exploiting to cause losses — something even the best threat-hunting and assessment tools can't do without access to our proprietary claims data.
And it’s all made possible by the Active Data Graph, our purpose-built data collection and analysis engine that provides us with a global view of businesses and their assets, as well as specific insights into individual cyber risk profiles, allowing us to price cyber risks faster and more precisely.
Mitigating real-time risks, monitoring long-term trends
Coalition is a root collector of cyber data, which means that we define the cadence and depth at which the data is collected. Unlike others in our industry, we’re not buying this data from third parties, nor are we beholden to outside decisions on how and when it's collected.
Our data collection comprises two key aspects: continuously scanning (see, we still say it) the entire IPv4 space and parts of the IPv6 space, as well as maintaining a network of honeypots and sensors to help discover new vulnerabilities.
“Continuous data collection gives us a more holistic view of cyber risk, helping us understand not only policyholder technology stacks but also threat actor behaviors,” said Tiago Henriques , VP of Research at Coalition. “The immediate benefit is that we can test against our signals at any moment while also being able to contextualize trends over time.”
As a root data collector of data, Coalition can observe cyber events in real-time, which allows us to make quick decisions based on threat actor behaviors and identify patterns in technology and business decision-making:
Is the threat actor compromising a machine or using a cryptominer?
Are they deploying ransomware or trying to steal data?
Does the business regularly update its software?
How long does it take them to patch when a new vulnerability is reported?
“We’re not just looking at vulnerable software. A cyber attack can start just as easily from an employee leak or a laptop being stolen from a parked vehicle,” said Henriques. “There’s such a broad spectrum of threats in cyber, which is why businesses need to employ different defenses — and why we need to collect so many different types of data.”
Cutting through the noise, finding a needle in a haystack
On average, Coalition honeypots generate 9.5 billion events over a 30-day period, providing invaluable insights into threat actor tactics when a new vulnerability emerges. Yet, a majority of the data is benign, making it even harder to identify malicious traffic.
Sifting through billions of honeypot events, alongside tens of thousands of Common Vulnerabilities and Exposures (CVEs), is like finding a needle in a haystack. So, we created a risk scoring system, the patented Coalition Exploit Scoring System (ESS), that leverages artificial intelligence (AI) to cut through the noise surrounding new CVEs.
“Only between 2% and 5% of all CVEs are actually going to be used by threat actors,” said Henriques. “As humans, we have limitations in our ability to look at such an immense volume of data and make sense of it all. AI and other machine learning tools help us detect patterns and trends that get bubbled up to human experts, who then make the important decisions.”
Whenever a new CVE is published, CoalitionAI is programmed to look at its characteristics, find comparable vulnerabilities that threat actors may have exploited before, and assign the CVE a score. Creating a hierarchy of priority based on the probability of exploitation, Coalition ESS assigns dynamic scores so businesses can make better decisions about which vulnerabilities deserve the most attention.
“There's also a need to explain these risks in an understandable way. Security researchers can look at raw data and understand the risk immediately, but we need to make sure less technical folks understand, too,” said Henriques. “Large language models help us communicate and contextualize the trends we see, which helps ensure brokers, business owners, and other insurance decision-makers are all on the same page.”
Incorporating risk insights into insurance methodologies
Applying these risk insights and proprietary data is where the rubber meets the road in cyber insurance. The goal is not necessarily to start from scratch but to incorporate all of the facts from our continuous data collection into an underwriting model.
As part of our Active Risk Assessment, every business is assigned a risk quintile when generating a cyber insurance quote: 1 is the lowest risk, and 5 is the highest. If we determine a business has a risk quintile of 5, the model knows the account has a higher likelihood of experiencing a cyber event and should be priced accordingly.
“We know our pricing model is working when we see businesses with a quintile of 5 having a higher frequency and loss cost than those in lower quintiles,” said Austin Aten, ACAS, Head of Cyber Pricing at Coalition. “The dynamism of pairing continuous data collection and human cyber expertise drives toward improving risk selection — and it carries through the policy period.”
The methodologies that inform our risk selection process don’t end once a policy binds. Coalition helps policyholders identify new threats and often sees things that might otherwise be overlooked. Our data-backed insights give us a strong enough signal to reach out to policyholders, alert them to new threats, and help them mitigate issues that are likely to result in an attack.
“Improving risk selection and security throughout the policy period not only helps protect policyholders but also has a material impact on the health of our portfolio,” said Aten.
Partnering with brokers to drive down losses to zero
Risk selection is a vital part of cyber insurance. Optimizing for good risks can bolster the health of a cyber insurance provider’s portfolio and help prevent a bloated loss ratio.
Coalition uses publicly available data to track if the businesses that, for whatever reason, chose not to bind coverage ultimately experienced a cyber event. In 2023, we determined that 281 businesses that did not take action on Coalition’s security recommendations at the time of quoting were hit with cyber events totaling $141 million in potential losses.
These statistics certainly validate that our continuous data collection drives better risk selection. But for the future growth of our industry, we must strive to bring this number to zero. We depend on our brokers, as risk advisors, to champion Coalition risk mitigation strategies and security recommendations to help more businesses proactively address these risks and avoid cyber incidents altogether.
“If your client doesn’t bind a policy with Coalition and chooses to go elsewhere, please encourage them to still follow our guidance,” said Henriques. “Just because they aren’t a requirement for another policy doesn’t mean they’re unimportant. The security findings and recommendations that accompany every single cyber insurance quote from Coalition are vital pieces to help businesses protect themselves.”
Thanks for reading the Cyber Savvy Broker Newsletter. Join us for future editions as we continue to explore the most up-to-date and noteworthy topics in the cyber insurance industry. Click the Subscribe button to receive the Cyber Savvy Newsletter directly in your inbox.
Want to start working with Coalition? Click here to become an appointed broker.
This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.
Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc. (“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2024. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.