Scanning tech is no silver bullet: Lockton Re

It’s important to remember that scanning technologies used by cyber risk re/insurers are not a silver bullet for cybersecurity, but rather part of a larger set of measures that can be combined to show the overall security position of a company. Vulnerabilities need to be interpreted with care—not all vulnerabilities are equal, and context remains key to understanding risks.

That is according to a new report by Lockton Re, titled “The Art and Science of Cyber Risk Scoring Technologies”, that evaluates a selection of vulnerability scanning technologies used by cyber risk re/insurers. 

It notes that the increased complexity of digital networks brings with it growth in potential exposure for companies. By 2025, it is estimated, 50 percent of the world’s data will be stored in the cloud and with that dramatic change, the vulnerability to attack increases each year for companies both internally and through their downstream suppliers, including indirect reliance on services or technologies used by third parties.

The report stresses that in the uncertain world of cyber modelling, incorporating different tools for a more comprehensive view of risk is an important way to benefit from the technological developments in vulnerability scanning, while avoiding some of the pitfalls of over-reliance on one model. 

But it points out that historically, the natural catastrophe world has seen several examples where outsized losses have occurred where models were found to be missing potential exposure.

“Scanning solutions can provide valuable additional insights.”

Valuable insights

Jacqueline Yeo, lead author of the report and Cyber Analytics Lead, Lockton Re, said: “The development of this specialist technology illustrates the pace of innovation taking place in the cyber insurance industry. There is still a wide range of techniques deployed, as well as outcomes delivered, and users should be aware of the limitations of these tools. 

“However, when used in conjunction with other underwriting and aggregation methodologies, scanning solutions can provide valuable additional insights. We researched the following emerging scanning tools with an independent dataset: Cyberwrite, ISS, Kynd and Orpheus, to create the report.” 

Oliver Brew, co-author of the report and Cyber Practice Leader, London, Lockton Re, said: “Cyber risk data providers play a valuable part in assessing cybersecurity risk. They can provide sensitivity tests for the exposure data used in the catastrophe models, as well as provide a key second view of risk. However, it’s important to use these tools as part of best practices in portfolio management, like those promoted by regulatory bodies and Lloyd’s of London in their regulatory capability matrix, to promote more than one view of risk.”

For more news from the Rendez-Vous de Septembre (RVS) click here.

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.