The number of security breaches and cost of cybercrime continues to increase over time. Evolving targets, impacts, and techniques are contributing to the increase with a total value of risk from cybercrime. Companies must utilize risk management strategies to identify and treat security risks by avoiding, mitigating, transferring, or accepting risks. Cyber insurance is a method that companies utilize to transfer risk to insurance carriers.

The ability to measure cyber security risk is a valuable risk management practice used by companies in making risk treatment decisions and by carriers in pricing cyber insurance policies. Carriers face challenges, however, in pricing cyber insurance policies. Carriers must scope and quantify security risks, taking in consideration of evolving targets, impacts, and techniques and the prevalence of systemic risk while efficiently and effectively assessing security postures.

The purpose of this paper is to evaluate the feasibility of enhancing current underwriting practices using existing security risk quantification and measurement frameworks utilized by insureds. Such activities could contribute to the following three areas of underwriting:

• Improve a carrier’s ability to scope policies to reduce systemic risk and allow insureds to ensure adequate coverage based on identified security risks.
• Allow a carrier to more accurately price policies and offer insureds premium options within their risk tolerances.
• Provide carriers more assurance in evaluating an insureds’ security posture and allow insureds to acquire cyber insurance more efficiently.

For each area listed above, this paper:

• Evaluates the current practices used by carriers today.
• Provides a recommendation of an existing security framework to address challenges with an overview of each.
• Applies the recommendation in a practical example using a fictitious company.