A key driver for organizations that seek to obtain cyber insurance is limiting the risk of financial loss in the event of a cyber breach. Cyber insurance enables organizations to transfer some of the financial risk of a data breach by providing coverage that compensates for financial losses. As the costs associated with data breaches continue to rise, insurers are becoming more diligent with risk assessments, both for cyber insurance applicants and for those insured during the term of the policy. Underwriters want to ensure that organizations have a mature program to address the risks posed by cyber exposure. Identifying and mapping the owners, stakeholders and processes enables underwriters to quickly understand the extent of the exposure and the risk to business operations if there is a breach, and so to determine the liability to the organization.
Cyber insurance underwriters need supporting evidence demonstrating the strength of the applicant's cybersecurity and risk management programs. This Cyber Exposure Study provides guidance through the following primary focus areas of the Cyber Insurance Report, which are critical to any risk assessment program:
- Asset Discovery and Assessment
- Risk Prioritization
- Vulnerability Management
- SLAs and Remediation
The Tenable Cyber Insurance Report provides measurements for the foundation of a cyber risk program for organizations. This data helps facilitate risk analysis based on vulnerabilities discovered using the Tenable vulnerability management platform, which provides information about the organization's cyber risk exposure. Tenable.io (Vulnerability Management) gives organizations the ability to demonstrate risk management maturity to insurance companies.
Most organizations have some form of vulnerability management program, usually mandated by one of the myriad compliance standards or by Service Level Agreements (SLAs) with third parties. Security frameworks and benchmarks such as NIST SP 800-53 or the CIS Benchmarks provide consensus guidance that organizations can use to ensure their vulnerability management program is aligned with industry standards. Cyber insurance underwriters do not impose any new or special requirements beyond what organizations are already required to follow.
Vulnerabilities are exposures that can be exploited. They can take the form of a software defect, a configuration error or basic human error. Vulnerability management programs provide some level of assurance that assets are scanned and patched, and that risk exposure is reduced to acceptable levels. The Tenable Cyber Insurance Report enables organizations to easily generate the supporting evidence required by cyber insurance underwriters to demonstrate the strength of their cybersecurity and risk management programs. Insurance companies that issue cyber insurance policies use varying questionnaires and rating services, which may not provide a complete picture of the organization's cyber risk.
Organizations must know the existence and location of critical assets to ensure that assets are monitored and protected according to the business risk rating of each asset. Identifying assets facilitates vulnerability scanning and remediation by ensuring that scans are configured to probe for common weaknesses in the platform or application.
Risk treatment is a strategy to appropriately manage threats in order to maximize profit and minimize financial loss. Cyber risk is associated with the severity of identified vulnerabilities that could potentially cause financial loss to the organization. Severity can be adjusted by accepting risk or by adjusting vulnerability severity levels. This report has been configured to report statistics only on vulnerabilities and assets detected during the last 180 days. The report also takes a static approach by using the CVSSv3 Base Score to measure severity. The CVSS Base Score is divided into severity levels: 0 for Informational, 0.1-3.9 for Low, 4.0-6.9 for Medium, 7.0-9.9 for High, and 10 for Critical. These severity levels are used throughout this report.
Note: This report does not take into account recast or accepted risk.
The Cyber Insurance Report leverages the Tenable Asset Criticality Rating (ACR), which rates the criticality of an asset to the organization. The ACR is expressed as an integer from 1 to 10, where higher values correspond to the asset being more critical to the business. For more information on editing an asset's ACR, refer to the documentation page titled Edit an Explore Host Asset's ACR.
The CVSS Base Score is the mainstay of most vulnerability management programs as the primary metric used to compare and prioritize vulnerabilities. The base score does not change over time and does not depend on any compensating factors. Tenable recommends combining the CVSS base score with temporal, environmental, and other factors for a more accurate view of business risk.
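As an added illustration (not Tenable's code, and not a Tenable API), the following Python applies the report's severity bands, its 180-day window and the 1-10 ACR range to a constructed set of findings and ranks assets by criticality; the `Finding` record shape and the ranking rule are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
WINDOW_DAYS = 180  # the report only counts findings seen in the last 180 days

# Severity bands exactly as the report defines them for the CVSSv3 Base Score (upper bound inclusive).
BANDS = ((0.0, "Informational"), (3.9, "Low"), (6.9, "Medium"),
         (9.9, "High"), (10.0, "Critical"))

def severity(cvss_base: float) -> str:
    s = round(cvss_base, 1)          # CVSS scores carry one decimal
    for upper, name in BANDS:
        if s <= upper:
            return name
    raise ValueError(f"not a CVSS base score: {cvss_base}")

@dataclass(frozen=True)
class Finding:            # hypothetical record shape, not a Tenable API object
    asset: str
    acr: int              # Asset Criticality Rating, 1 (least) to 10 (most critical)
    cvss_base: float      # static CVSSv3 Base Score, no temporal/environmental input
    last_seen: date

def summarize(findings, today):
    """Per-asset severity counts over the window; recast/accepted risk is deliberately ignored."""
    cutoff = today - timedelta(days=WINDOW_DAYS)
    summary = {}
    for f in findings:
        if not 1 <= f.acr <= 10:
            raise ValueError(f"ACR out of range for {f.asset}: {f.acr}")
        if f.last_seen < cutoff:
            continue              # older than the window: outside the report
        entry = summary.setdefault(f.asset, {"acr": f.acr, "counts": {}})
        sev = severity(f.cvss_base)
        entry["counts"][sev] = entry["counts"].get(sev, 0) + 1
    return summary

def rank_assets(summary):
    """Most critical assets first: higher ACR, then more Critical/High findings."""
    urgent = lambda c: c.get("Critical", 0) + c.get("High", 0)
    return sorted(summary, key=lambda a: (-summary[a]["acr"], -urgent(summary[a]["counts"])))

# Constructed sample findings with a fixed "today" so the result is reproducible.
TODAY = date(2024, 1, 1)
SAMPLE = [
    Finding("db-01", 9, 9.8, TODAY - timedelta(days=10)),     # High
    Finding("db-01", 9, 10.0, TODAY - timedelta(days=200)),   # stale, excluded
    Finding("web-01", 4, 5.3, TODAY - timedelta(days=30)),    # Medium
    Finding("web-01", 4, 0.0, TODAY - timedelta(days=1)),     # Informational
    Finding("web-01", 4, 10.0, TODAY - timedelta(days=179)),  # Critical, in window
]
```

Note that the 200-day-old Critical finding on db-01 vanishes from the summary entirely, which is why the report's 180-day window matters when reading its counts.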
The Cyber Insurance Report consists of read-only widgets that give underwriters insight into an organization's cyber risk posture; Tenable.io (Vulnerability Management) users cannot modify them. This report benefits both insurers and applicants seeking to demonstrate proactive risk reduction actions. Tenable.io (Vulnerability Management) users are not able to modify the report by adding additional filters using Tags or Custom Assets. The report displays all assets discovered using the sources Nessus, Nessus Agent, Nessus Network Monitor (NNM) or third parties.