Combining tools as part of a best-practice approach to portfolio management is key to assessing cyber risk, according to a report by reinsurer Lockton Re.
Its new cyber report – The art and science of cyber risk scoring technologies – evaluates a selection of vulnerability scanning technologies used by cyber risk re/insurers. It warns that the increased complexity of digital networks brings with it growth in potential exposure for companies. It is estimated that by 2025, 50% of the world’s data will be stored in the cloud; with that dramatic change, companies’ vulnerability to attack increases each year, both internally and through their downstream suppliers, including indirect reliance on services or technologies used by third parties.
Jacqueline Yeo, lead author of the report and cyber analytics lead, Lockton Re, said: “The development of this specialist technology illustrates the pace of innovation taking place in the cyber insurance industry. There is still a wide range of techniques deployed, as well as outcomes delivered, and users should be aware of the limitations of these tools.
“However, when used in conjunction with other underwriting and aggregation methodologies, scanning solutions can provide valuable additional insights. We researched emerging scanning tools Cyberwrite, ISS, Kynd and Orpheus, with an independent data set to create the report.”
Yeo pointed out that scans are not a silver bullet for cyber security, but rather part of a larger set of measures that can be combined to show the overall security position of a company, adding that not all vulnerabilities are equal, and context remains key to understanding risks.
Oliver Brew, co-author of the report and London cyber practice leader, Lockton Re, added: “Cyber risk data providers play a valuable part in assessing cyber security risk. They can provide sensitivity tests for the exposure data used in the catastrophe models, as well as provide a key second view of risk. However, it’s important to use these tools as part of best practices in portfolio management – like those promoted by regulatory bodies and Lloyd’s of London in their regulatory capability matrix – to promote more than one view of risk.”