Risk Based Security: PreBreach Risk Reduction Through Data Analytics

Inga Goddijn, EVP, Insurance Products
The insurance industry has a rich tradition of leveraging data to improve performance, with entire actuarial departments tasked with this mission. The tradition is stronger than ever and has expanded well beyond claim analysis into all aspects of insurance operations. However, when it comes to information security management, cyber insurance companies and their IT departments often lack the type of structured data that actuaries rely on for informed decision making. Answering the need for meaningful data, Risk Based Security provides expansive and actionable security threat intelligence feeds. By focusing on the drivers of data breach activity and comprehensive vulnerability intelligence, RBS delivers solutions that meet the needs of both IT security professionals and the underwriting departments providing cyber security insurance products.

The Cyber Risk Analytics (CRA) service forms the cornerstone of RBS’ insurance practice. Built on a comprehensive database of over 20,000 data breach events, CRA offers an immediate snapshot of an organization’s security posture by combining data breach experience with externally observable indicators of an organization’s security posture. With easy to consume five-star ratings, CRA gives vendor management teams a quick and unbiased picture of the security practices of their suppliers without the time and expense of detailed audits. For cyber insurance underwriting, the same tool can be used for understanding any applicant’s security posture and gaining visibility into the use of popular cloud services and applications that can drive systemic risk across an entire portfolio. The ability for one tool to deliver actionable intelligence across multiple units makes Cyber Risk Analytics a breakthrough product for the insurance industry.

“Our primary focus is listening to and working with our customers, ensuring that we are supplying the most timely, highest quality and most comprehensive intelligence,” describes Inga Goddijn, Executive Vice President, Insurance Products. “That means understanding both the type of information customers need and making it accessible via multiple options. Data breach intelligence as well as the security posture analysis reports we provide, known as PreBreach, can be downloaded from the Cyber Risk Analytics portal or accessed via API.”

RBS is equipping Insurers and their underwriters with fact-based security intelligence and actionable risk management tools

In addition to Cyber Risk Analytics, Risk Based Security is also filling the need for superior vulnerability intelligence with VulnDB. With over 135,000 vulnerabilities tracking more than 15,000 vendors and over 2,000 third party libraries, VulnDB is ideal for all organizations that need timely information on software and hardware weaknesses. Subscribers have access to a comprehensive data source that delivers reliable and timely alerts and recommendations about software vulnerabilities and patch availability. What’s more, cyber insurance underwriters that are concerned about exposure aggregation and systemic risk use VulnDB to understand which applications and services pose the most risk to their portfolio of policy holders.

Looking beyond vulnerability data, in late 2015 Risk Based Security launched the Vulnerability Timeline and Exposure Metrics (VTEM) framework for evaluating product performance. VTEM uses vulnerability timeline data such as discovery, disclosure, and patch availability dates to measure the vendor’s overall responsiveness to correcting vulnerabilities. When this data is aggregated for one vendor across multiple products, it provides powerful insight to how that vendor responds to security issues. All organizations want to work with vendors that care about security and deploy products that won’t increase the risk of a security event. Until VTEM, finding this data was next to impossible, but now with the service embedded into VulnDB, this is readily achieved.

“We are adding new features and product enhancements on a regular basis to meet the evolving needs of our clients and the insurance market. Our U.S. and European operations continue to grow and we are adding partners based in Hong Kong and Canada to expand our CRA and VulnDB service in the Asian, Canadian and Middle East markets,” concludes Goddijn.

Risk Based Security

Richmond, VA

Inga Goddijn, EVP, Insurance Products

Equips organizations with risk management methodologies to establish customized risk-based solutions to address information security and compliance challenges

Risk Based Security