Tag Archives: RSA

A ‘Credit Score’ for Your Cyber Risk?

It’s safe to say that the vast majority of companies can, and probably should, be doing a lot more to improve the security posture of their business networks.

What most organizations probably do not realize is that there is an entity paying very close attention to just who is consistently following security best practices—and who isn’t.

That entity is BitSight Technologies, a six-year-old risk assessment vendor that does this by analyzing a variety of sources that monitor which companies regularly update encryption certificates, patch system vulnerabilities in a timely manner and generally adhere to other best security practices.

Keeping tabs on security

BitSight goes through all of this trouble to assign a security rating to each company it reviews. Ranging from 200 to 900, a BitSight security rating is much like a credit score. BitSight has issued security ratings for some 80,000 companies, and is adding 500 more each week.

Why does BitSight do this, and, perhaps more importantly, why should any organization care about a BitSight security rating? Two reasons: third-party partnerships and cyber insurance.

First of all, BitSight’s primary customers are large enterprises that factor security ratings into decisions on which third-party suppliers they will choose to do business with, says Jake Olcott, vice president of business development at BitSight.

“Today, if you’re a first party doing business with a third party, the idea of doing cyber diligence prior to entering into a business relationship is certainly on your mind,” Olcott told me, when we met at the RSA cybersecurity conference recently.

Monitoring business partners

Olcott says, “Once you’ve decided to enter into that business relationship, you also care about the cybersecurity performance of that third party during the lifetime of the business relationship. That’s really why a lot of folks are using our ratings today—to continuously monitor their critical third parties mostly throughout the lifetime of the business relationship.”

I asked Olcott if third-party suppliers were clued in to this trend, and thus finding themselves compelled to improve their security postures in order to earn higher security ratings.

“We’re absolutely seeing that,” he says. “Organizations want to represent good cybersecurity hygiene to their customers, and one way to do that is by showing a quantitative, objective measurement of their cybersecurity posture.”

The second reason BitSight’s security ratings are gaining traction is the rapidly emerging cyber insurance market. Allied Market Research projects that the cyber insurance market is on track to climb to $14 billion by 2022, representing a compound annual growth rate of 28% during its forecast period of 2016-2022.

Help for insurance companies

Clearly, a lot of companies would love to offset rising cyber exposures by purchasing a cyber liability policy. However, cyber risks are unlike any other business risk to come down the pike previously. Cyber risks are complex, constantly evolving and seemingly impossible to quantify. BitSight is in the vanguard of security vendors focused on solving that problem, something that’s necessary for the cyber insurance market to fully bloom.

“Seven of the 10 largest cybersecurity insurance companies are using BitSight ratings to underwrite cybersecurity insurance policies,” Olcott says. “An insurance company will collect information from the applicant about their cybersecurity posture, and also look at a BitSight security rating. Taking those data points together, they will come to a premium assessment for the applicant and issue a policy.”

I asked Olcott to explain how a good vs. poor rating actually affects premium prices and policy coverages. He said:

“I would say a good rating in our system would be 700 and above, and I would look at it this way: An organization that we rate a 500 or lower is actually five times more likely to experience a breach than an organization that we rate a 700 or above. So if you’re an insurance company, it’s not that you wouldn’t underwrite a policy for an organization that is a 500 or lower. It’s that you want to understand the risk that you’re taking. You don’t want your entire book of business to be of companies that are performing below a 500.”

This post originally appeared on ThirdCertainty.

How to Take a Bold Approach to Growth

In today’s insurance environment, victory belongs to the bold. Margins are under pressure, and competition is heating up; insurers can no longer afford to sit on businesses that are under-performing or sub-scale.

By taking a portfolio approach to their businesses, insurers can start to assess the value and performance of their assets to make bold decisions on whether to grow or go (build or leave the business).

Time for bold decisions

Facing continued low interest rates, growing rate pressures in the property and casualty (P&C) sector and high levels of competition in both the P&C and life sectors, insurers will see margins under pressure for the near future.

Not surprisingly, most have already undertaken massive cost-reduction initiatives. Now, with little room left to cut, some are starting to take a more critical and strategic view of their business as a whole.

Our experience suggests that insurers need to take bold action and make difficult decisions now if they hope to create shareholder value and grow their business. The reality is that too many insurers are carrying businesses that are sub-scale, underperforming or simply distracting for management.

To help organizations assess their businesses and local operations, we have developed a diagnostic tool that segments businesses in the following way:

Taking a portfolio view

We firmly believe that there are significant opportunities to help insurers enhance shareholder value by taking a portfolio view of their assets. And, in doing so, insurance organizations should be able to make clear decisions about whether to go (i.e., leave those markets and businesses that do not meet the strategic objectives of the organization) or grow (i.e., commit to targeted investment to drive transformational change and improvement initiatives that will allow the business to compete effectively).

Indeed, by looking at non-core businesses as a portfolio of assets, insurance executives should be able to properly assess each business’s strategic fit, performance and synergies, which, in turn, will enable them to identify opportunities to improve the business through portfolio realignment.

Taking a portfolio view will also provide insurance executives with the insight needed to prepare a fix, close or sell strategy that drives a clear approach for non-core assets and then move through to a robust execution plan with appropriate governance.

GO: A bespoke approach to divestment

In those cases where the assessment process leads to the decision to go, insurance executives will need to develop a smart divestment strategy for the business. Interestingly, our experience suggests that the divestment process has evolved considerably over the past decade.

Whereas in the past, the normal approach to selling a business involved rigid auction processes based on standard checklists and documents such as information memoranda and vendor due diligence reports, most now recognize that this approach may not maximize value.

Instead, insurers are now taking a more bespoke and focused approach to divestment that is largely influenced by four key factors:

— economic conditions
— sellers taking control
— wider buyer populations
— business model changes

GROW: More than just scale

Insurers need to have sufficient optionality and diversification to respond to a rapidly changing business environment. And while not all divisions and local operations need to be market-leading, they do need to demonstrate how they can make a contribution to the overall strategic ambitions of the organization.

For some, the answer will come in the form of inorganic growth within their sub-scale businesses. For others, targeted investments to support product growth initiatives or new distribution arrangements offer a lower-risk solution.

However, while many deals have been driven recently by organizations with a (fully understandable) strong focus on costs and efficiency, we often find that scale, in itself, is not a good enough reason to support a deal. Indeed, we believe that acquisitions must also bring complementary capabilities (such as new expertise in specific product lines, increased geographical reach or new distribution models) to create a sustainable platform for future growth.

GROW: Responding to a changing environment

New technologies, changing customer demands, new ways of doing business and the threat of innovators disrupting the traditional business model are all changing the way that insurers view their portfolio of assets and businesses.

Clearly, understanding and capturing the benefits of innovation is a critical imperative, and there are major opportunities available for companies willing to invest in new technologies. Recognizing this, many insurers are now starting to develop new models and ways of working with the financial technology (FinTech) community.

Key takeaway: Be bold

Regardless of whether the decision is to grow or go, insurers need to start facing up to the difficult decisions that must be made about their underperforming assets.

Interestingly, our experience suggests that — in this rapidly evolving space — outright acquisition may not always be the right answer. As our recent report, The Power of Alliances, demonstrates, many insurers are now exploring the value that could be generated by investing in partnerships, alliances and innovation hubs to broaden their exposure to innovations and technology solutions.

Simply put, insurers can no longer afford to sit on businesses that are not delivering value; they must make bold decisions and then execute on them to win in this environment.

Reprinted from Regulatory Challenges Facing the Insurance Industry in 2016. Copyright: 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of a particular situation.
