Why blanket exclusions for common vulnerabilities could harm cyber market

Some cyber insurers will deny coverage for insureds who fail to patch their systems in a timely manner

By Alyssa DiSabatino | August 25, 2025 | Last updated on October 1, 2025

Some cyber insurers are using a digital reference library that tracks known vulnerabilities and exposures to deny coverage for those who fail to patch their systems within a specific period. But putting the onus on policyholders to manage every vulnerability can damage trust in the broader cyber insurance market, says Tiago Henriques, chief underwriting officer at Coalition.

Around 2,000 to 2,500 common vulnerabilities and exposures (CVEs) are discovered and identified in the database every day. But “not all of them matter,” he says. “What I mean by that is, out of these 2,500 vulnerabilities that come out every day, only about 1% to 2% are actually ever exploited by hackers.”

But some insurers have added CVE exclusions to their policies, which specify that if policyholders don’t patch vulnerabilities with a score of 8 on the database (the scale is from 1 to 10) within 30 days, their claims will be denied. That practice was common during the hard market among U.K. and Canadian carriers, and some were still making blanket exclusions as recently as a few weeks ago, says Henriques.

But for policyholders, identifying, managing and patching all CVEs can be quite challenging. Plus, cyber hackers often conceal their entry points, making CVE attribution difficult.

“There’s a lot of nuance in vulnerability management that [a] carrier [making CVE exclusions] is essentially ignoring and just saying, ‘Hey, you gotta patch in 30 days, or you’re not covered,’ and that is a problem,” he says.
“My fear is that as the hard market comes back, that carriers will start to deploy those types of exclusions [again].” He adds: “I don’t want to get back to a market where carriers are doing…exclusions, because it’s never good for our clients.”

Managing CVEs

Instead of creating blanket exclusions, cyber insurers must use their expertise to help policyholders patch the most pressing vulnerabilities. To do that, insurers must adopt modern risk selection techniques and better understand which CVEs actually matter, Henriques says.

Coalition has an Exploit Scoring System that tries to predict whether a new vulnerability is “going to matter or not,” he says. An example of one that matters to Coalition is a recent SharePoint vulnerability that would allow an attacker to compromise a company’s server.

“We notified our policyholders, and we actually immediately got on the phone with them, because that’s how bad this was,” he says. “We actually caught one of our policyholders that had already been compromised.

“Our incident response team managed to get the back door removed before ransomware was deployed or data was stolen.”

On the other hand, a vulnerability in, say, Firefox, is unlikely to be exploited en masse, and so a patch for all clients may not be as pressing.

“We try to manage this [on a] scale, because we notify our policyholders of the most critical vulnerabilities,” Henriques says.

“We’re not looking for secure companies; we’re trying to look for companies that are not going to file a claim, and these aren’t necessarily the same thing,” he adds.
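As an added illustration (not code from the article, from Coalition or from any insurer), the Python below contrasts the blanket exclusion rule described above (a score of 8 or higher left unpatched beyond 30 days) with a simplified exploitation-first triage of the kind Henriques argues for. The CVE identifiers, scores, ages and exploitation flags are constructed placeholders, and the ranking is an assumption of this example, not Coalition's Exploit Scoring System.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One vulnerability on an insured's estate (fields are an assumption)."""
    cve: str             # placeholder identifier, not a real CVE number
    score: float         # severity score on the 1-10 scale the article cites
    days_unpatched: int  # days since a patch became available
    exploited: bool      # known to be exploited in the wild


# Constructed sample data for one hypothetical policyholder.
SAMPLE = [
    Vuln("CVE-PLACEHOLDER-0001", 9.8, 45, True),    # critical, exploited, overdue
    Vuln("CVE-PLACEHOLDER-0002", 8.1, 40, False),   # high score, no known exploitation
    Vuln("CVE-PLACEHOLDER-0003", 8.4, 12, False),   # high score, still inside 30 days
    Vuln("CVE-PLACEHOLDER-0004", 6.5, 90, True),    # below threshold but exploited
    Vuln("CVE-PLACEHOLDER-0005", 4.3, 200, False),  # low score, never exploited
]


def exclusion_rule(vulns, threshold=8.0, deadline_days=30):
    """Blanket CVE exclusion as the article describes it: any vulnerability at or
    above `threshold` left unpatched past `deadline_days` voids coverage."""
    return sorted(v.cve for v in vulns
                  if v.score >= threshold and v.days_unpatched > deadline_days)


def exploit_first(vulns, top_n=2):
    """Exploitation-led triage (simplified model): known-exploited vulnerabilities
    first, then higher severity, then longer exposure."""
    ranked = sorted(vulns, key=lambda v: (not v.exploited, -v.score, -v.days_unpatched))
    return [v.cve for v in ranked[:top_n]]


def compare(vulns):
    """Where the two approaches disagree: CVEs the exclusion would penalise although
    nobody exploits them, and exploited CVEs the exclusion never looks at."""
    by_id = {v.cve: v for v in vulns}
    excluded = set(exclusion_rule(vulns))
    return {
        "penalised_but_unexploited": sorted(c for c in excluded if not by_id[c].exploited),
        "exploited_but_not_flagged": sorted(v.cve for v in vulns
                                            if v.exploited and v.cve not in excluded),
    }


if __name__ == "__main__":
    print(compare(SAMPLE))
```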
“You might have a company that, on paper, isn’t secure because they might have a high [CVE score] but if that vulnerability is never exploited, they’re never going to file a claim.”

Insurers, meanwhile, should see to it their cyber expertise is solid so they can advise clients on CVEs.

“Insurers need to move on to having actual security experts on their staff that can understand these [nuances], that can build systems that scan for these vulnerabilities and notify the clients as well,” he says. “It can’t be that we live in a market where the disparity between what a modern carrier is doing [and] a classical carrier is so big as it is today.”

Alyssa Di Sabatino has been a reporter for Canadian Underwriter since 2021, covering industry trends, market developments, and emerging risks.