3 December 2019
Chris Hedenberg

Adversarial Underwriting is here. What does that mean for the insurance industry?

With cyber, the absence of decades of stable historical data is complemented by the presence of other forms of information. One of these is the adversarial nature of cyber risk.

Cyber is a unique corner of the insurance industry. The point most often used to illustrate this is the fact that long-term historical data doesn’t exist for cyber underwriting, at least not to the extent that it’s useful for traditional underwriting. That presents some serious challenges for carriers who rely on traditional methods of underwriting — the basis for hundreds of years of profitable insurance business. 

But the absence of decades of stable historical data is complemented by the presence of other traits and forms of information. Analyzed correctly, these can turn underwriting cyber insurance into a different, but no less accurate, enterprise. One of these is the adversarial nature of cyber risk. 

What is adversarial underwriting? 

Cyber attacks are much less random than an opportunistic crime like car theft. The attackers choose their targets wisely. They have particular methods at their disposal that align to particular technology vulnerabilities, and some organizations are more disposed to that matchup than others. When attempting to model cyber risk, these criminals and their intentions should be at the center of the analysis. 

Think of attackers who engage in widespread “spray-and-pray” attacks. They are scanning specific ports, or connection points between an organization’s IT system and the wider web,  looking for vulnerabilities. This means there is a logic to the risk patterns, and underwriting models can take into account how criminals are likely to act. Having an understanding of how these risks evolve and how attackers choose their targets can help us, as data scientists and underwriters, to accurately predict risk, and help organizations mitigate and insure that risk. 

This is what we call adversarial underwriting: using the tendencies of attackers to our advantage to predict risk in a way that can go beyond the use of broad classifications of an organization. 

The reason the adversarial nature of cyber is actionable for underwriting is that the criminal actions involved throw off data. We can learn a lot about how and why attacks happen because traces are left, and all of it is inherently digitized. That makes risk more easily quantifiable with data science. Take the example of the criminals scanning the web for open ports: if we know information about that tendency based on patterns reported in databases of attacks, and we can also scan the IT system of any organization to determine the number of open ports it has, including the type of port, we can assess the risk of that kind of attack quite clearly.  

How an adversarial approach can change insurance 

All of this together — the adversarial nature of cyber crime, and the reams of data cyber attacks produce — means there is less randomness involved in any given cyber attack. And with less randomness to account for, underwriting models need less data to make an accurate assessment of risk. While traditional insurance lines are relegated to using extended historical loss data to make approximate loss projections due to the high levels of uncertainty involved, with cyber, if you have extensive data on the motivations and methods of adversaries you can make very specific quantifications about any organization’s risk of being targeted for an attack. 

This capability is not just making up for a lack of better, longer sets of data. It’s actually an advantage when dealing with cyber risk. In a world where attack patterns can change week to week and organizations’ IT footprints are in constant flux, being able to assess risk accurately with data from a compressed historical time frame is a critical advantage. Data gets stale quickly, so revising underwriting consistently is the only way to match insurance coverage to real risks. With cyber risk data, the fresher the better. That’s also why it’s so important to assess an organization’s IT footprint with technology that can analyze the current extent of the systems, rather than relying on potentially outdated information in the form of a traditional questionnaire. 

It goes a step further. Because we’re dealing with actors with motivations and targets, organizations don’t need to sit around hoping not to be targeted. In the same way we use data to underwrite, it can be used to inform an active risk mitigation strategy. Understanding how attackers try to get in can help organizations prioritize defenses. By understanding that leaked email credentials are often exploited by attackers in phishing attacks, for example, organizations can monitor for leaked credentials and reset their passwords to stop attackers from capitalizing.

Preventative measures like this can reduce not only the risk of being breached, but also the risk of being targeted in the first place, since we know attackers are motivated to seek the easiest targets. In this way, informing organizations of risk and prioritizing recommendations for mitigating risk means a new ways of deploying underwriting expertise.of

Mike Karbassi

Mike Karbassi is Vice President and Head of Cyber Underwriting at Corvus. He specializes in Network Security, Privacy Liability, Technology E&O, Media Liability, and Miscellaneous Professional Liability. Karbassi has over a decade of experience in insurance and is a graduate of the Boston University Questrom School of Business.

Gerritt Graham

Gerritt is the Chief Commercial Officer at Corvus. He has over 20 years of sales and marketing experience, primarily focused on technology and data solutions for the financial services industry.

James McElhiney

James co-founded Corvus and is the company’s Chief Technology Officer. A 30+ year technology veteran, Jaimie most recently served as CTO of Iora Health and previously co-founded Gazelle.

Mike Lloyd

Mike Lloyd is the Co-Founder and Chief Product Officer of Corvus Insurance. Previously, Mike co-founded Poncho, a personal lines agency InsurTech startup, and was a venture investor at FJ Labs. Mike has an MBA from Harvard Business School and engineering degrees from Virginia Military Institute and MIT.

Phil Edmundson

Phil is the founder and CEO of Corvus. A 30+ year insurance veteran, Phil co-founded broker William Gallagher Associates (acquired by Arthur J Gallagher in 2015) and was an active leader in both the Worldwide Broker Network and Council of Insurance Agents and Brokers. Phil is the Managing Partner of Edmus Ventures where he invests in InsurTech companies including Verifly, Wellthie, Agentero, and Cover Wallet, and serves on the board of Cover Wallet.

Play Video