How AXA XL identifies where and how companies are vulnerable to Cyber attacks

Authored by Carlos Rodriguez Sanz and José Ferreira Costa

Carlos Rodriguez Sanz, AXA XL’s cyber product manager for APAC & Europe and José Ferreira Costa, SecurityScorecard’s regional director for Southern Europe/LATAM

Today, all companies - regardless of size, industry segment or location - are vulnerable to cyber-attacks. So are governments, public and private utilities, universities, hospitals and non-profit organizations. Moreover, cyber-criminals are continually creating new tools and methods to exploit vulnerabilities in the systems and technologies that power our economies and enrich our lives.

Fast Fast Forward recently spoke with Carlos Rodriguez Sanz, AXA XL’s cyber product manager for APAC & Europe and José Ferreira Costa, SecurityScorecard’s regional director for Southern Europe/LATAM about how AXA XL works with SecurityScorecard to help companies identify where and how they could be vulnerable to cyber-attacks.

Carlos, could you start by outlining what organizations can do to combat this ongoing and evolving threat?

Carlos Rodriguez Sanz (CS): Cyber-security professionals commonly recommend a three-pronged approach:

• Prevention: this encompasses assessments of potential threats along with appropriate measures to protect against breaches and detect them quickly
• Response: having mechanisms in place to limit the scope of the attack and to swiftly restore the data and affected systems
• Mitigation: taking out appropriately structured insurance policies to transfer financial losses.

Like a three-legged stool, all are essential; take one away, and the stool topples over. Or, in the case of cyber, when an organization is the victim of a data breach, the direct and indirect costs, including reputational impacts, can be devastating when one of these elements is lacking.

Prevention is first and foremost. I can’t stress this enough. And that’s why AXA XL has partnered with SecurityScorecard to help companies assess their vulnerabilities and identify where their defenses need strengthening.

Regarding response, our team is ready to help if a breach occurs. We have partnered with leading breach response providers to provide access to a 24/7 hotline to help organizations navigate these sensitive situations. Our cyber coverages also include access to firms specializing in computer forensics, legal issues, public relations, and credit and ID monitoring.

Finally, using insurance to transfer risk. While the pros and cons of different coverage options are topics for another day, I would note that AXA XL is prepared to assess organizations’ cyber exposures and partner with clients in collaborative efforts to reduce and mitigate the threats. Our goal is to help clients get back to business and resolve covered claims as soon as possible.

I would also add that all three prongs—prevention, response, mitigation—must be regularly reviewed and refreshed. Cyber-risk is constantly evolving and mutating as cyber-attackers continually search for vulnerabilities in organizations’ IT systems while developing new tools and tactics to carry out their attacks.

José, what is SecurityScorecard, and how does it help companies prevent cyber-attacks?

José Costa (JC): Founded in 2013, SecurityScorecard is the global leader in cybersecurity ratings and the only service with millions of organizations continuously rated. Our mission is to make the world a safer place by transforming the way organizations understand, improve, and communicate cybersecurity risk to their boards, employees, and vendors. With support from AXA Venture Partners, our offerings now include a comprehensive suite of cybersecurity solutions.

Cybersecurity ratings are analogous to financial credit ratings: just as a poor credit rating is associated with a greater probability of default, a poor cybersecurity rating indicates an organization’s greater likelihood of experiencing a data breach or other adverse cyber event.

SecurityScorecard collects and analyzes global threat signals that give organizations instant visibility into the security posture of vendors and business partners as well as the capability to do a self-assessment of their own security posture. SecurityScorecard continuously monitors 10 groups of risk factors to instantly deliver an easy-to-understand A-F rating. The risk factors include: network security exposures, DNS health, patching cadence, endpoint security, application security, IP reputation, and social indicators like hacker chatter and whether an organization has exposed passwords or credentials.

The ten factor scores are weighted according to their relative severity, and the weighted scores are aggregated to produce an overall score from 0 to 100. We then assign a letter grade from A to F, which provides a simple, intuitive indication of the probability an organization will experience a cyber-attack. At the same time, the individual factor scores help IT teams identify the vulnerabilities that warrant further analysis and, as need be, remediation. In other words, the scorecard is meaningful and actionable for an organization’s IT team and its board of directors and C-Suite executives.

How do companies use this information?

CS: Organizations use our security ratings in several ways. IT teams tend to focus more on the factor scores as an ongoing diagnostic tool to help them pinpoint vulnerabilities. At the same time, the letter grades offer boards of directors and C-Suite executives snapshots of how well protected their organizations are from cyber-attacks, which helps them in their strategic decision-making.

Companies also use the ratings to assess their suppliers. This application is becoming even more relevant as more and more hackers target smaller players deeper down the supply chain and then work their way up toward the primary target. As a result, companies’ extended ecosystems of suppliers or vendors represent an additional vulnerability they need to investigate and monitor.

Lastly, financial institutions and investors use the ratings to understand the types of cyber risk they may inherit.

How does AXA XL use the scorecards?

CS: The scorecards are an invaluable tool for us, and SecurityScorecard’s data are integrated into our underwriting platforms. Not surprisingly, we start with the letter grades; these help our underwriters with risk selection. For instance, if a company receives a C or B, that signals an opportunity to work together to reduce the vulnerabilities and, when addressed satisfactorily, to discuss coverage options.

SecurityScorecard also continuously monitors the threat landscape, which helps us manage larger-scale risk, i.e., the possibility that a single event causes massive disruption. When a widespread cyber event occurs, the SecurityScorecard can help us identify clients that are likely exposed so we can alert them of the need to take preventive measures.

Are there any other points you’d like to make?

JC: While our discussion has focused on prevention, incident response—Carlos’s second leg of the stool—is also becoming increasingly critical. When there is a breach, a company needs to respond swiftly and effectively to stop additional data losses. And once the breach is contained, they should document and record the incident, perform digital forensics and, based on those investigations, fix vulnerabilities and implement necessary measures to prevent further attacks. 

CS: That’s right. Fast, effective incident response is vitally important for clients and insurers. Clients want to limit the impacts and restore their data as quickly as possible. Actions that quickly and effectively contain a breach and reduce the damages will help clients get back in business sooner and with less disruption.