
How Are Cyber Insurance Premiums Calculated? It’s Complicated, but EASM Can Provide Clarity

Ransomware attacks are on the rise. 2021 saw a 1,885% increase in ransomware attacks on governments, according to the SonicWall 2022 Cyber Threat Report. Worldwide, ransomware attacks rose 105%, and 104% in North America alone. In a cyber economy where 97% of the top 35 cybersecurity companies house exposed assets on Amazon Web Services and 92% of pharmaceutical companies host exposed databases, there is a clear need to better defend the digital perimeter.

Enter cybersecurity insurance: a solution CISOs increasingly lean on to offset their cyber risk. In Q4 2021, four out of every five insurers reported a spike in cybersecurity claims, sending premiums up by 33% or more. Skyrocketing premiums are caused in part by a lack of historical data: without it, it is difficult to build actuarial models that accurately estimate the likelihood of an incident, or to write policies that clearly cover cyber attacks. This causes a domino effect: as attacks increase, payouts rise, and providers hike premiums to offset their losses.

As a result, enterprise organizations are left with few ways to challenge how their risk is calculated, while insurers take on more risk with little upside. External Attack Surface Management (EASM) is the natural place to start for both sides. Factoring EASM into the equation makes the math clear for all: insurers can better justify premium prices, and companies can demonstrate their security posture when applying for cyber insurance.

Understanding the attack surface gives both insurers and insured a head start

As cyberattacks increase, so does demand for cybersecurity insurance, and insurers raise premiums to cover their losses and costs. Beyond regulatory guidelines, the industry has yet to agree on a definitive method for setting premiums transparently, in part because calculating cyber risk is a convoluted process that depends on many factors.

If you define risk as the probability of attack weighed against the exposure of the attack surface, a number of fixed and dynamic dependencies emerge. Fixed variables include the type and frequency of historical attacks, as well as a company's industry and geographic location. Dynamic variables include the size and skill of the security personnel managing risk portfolios and asset inventory and, most importantly, the exposure level of digital assets.

Despite this, there is little visibility into how insurers justify premium increases, the cost of reinsurance, and other surcharges. All of this leaves enterprise organizations with a reactive approach to protection during an already expensive recovery period. One solution is to monitor real-time exposures across the entire attack surface of an enterprise, including its subsidiaries, supply chain and third-party vendors, across all environments: on-premises, off-premises and in the cloud.

Assessing cyber risk is an equation with many variables

The fact of the matter is that risks are not always what they seem. What an insurance company may deem as a risk may not be backed up by the facts.

In examining the cybersecurity preparedness of an enterprise organization, an outside-in view of the attack surface is the ideal first port of call. Of the variables contributing to a risk level, EASM platforms immediately identify and validate the geography, industry and size of a company in relation to its digital footprint, including cloud, hosting providers, subsidiaries, supply chain and third-party vendors.

Though organizations cannot change most variables, such as where they are located or the industry they work in, they can change the potential number of attacks over time by identifying vulnerable assets with EASM. Security teams do not have to manually track and catalog each asset, nor verify vulnerabilities and plan remediation asset by asset; instead, EASM automatically makes recommendations for security teams to act on.

For example, EASM creates an asset inventory for an organization and classifies each asset's risk level (critical, high or medium). With a thorough asset discovery process that covers both online and offline assets, the OS and software versions installed, and open services or ports, EASM can identify the associated vulnerabilities with a high degree of accuracy.
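As an added illustration, not code from this article or from any EASM product, the following Python sketch shows what the inventory-to-risk-level step described above can look like in practice: an externally discovered inventory of hosts with open ports and service banners is run through a small set of rules (exposed database ports, exposed remote administration, end-of-life software versions, plaintext HTTP without TLS) and each asset receives a single worst-case severity. The inventory, port lists, end-of-life table, severity rules and the extra "none" label for clean assets are all constructed assumptions for this example.

```python
"""Rule-based exposure classification over an externally discovered asset inventory.

Added example only: the inventory below is constructed, and the port lists,
end-of-life table and severity rules are assumptions chosen for the demo,
not the scoring logic of any particular EASM product.
"""
from dataclasses import dataclass, field

# Externally reachable service ports an outside-in scan would flag.
# Assumption: standard port numbers; no authentication state is known.
DATABASE_PORTS = {3306: "mysql", 5432: "postgresql", 27017: "mongodb",
                  6379: "redis", 9200: "elasticsearch", 1433: "mssql"}
REMOTE_ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 23: "telnet"}

# Constructed end-of-life table: (product, version prefix) pairs.
END_OF_LIFE = {("openssh", "7."), ("apache", "2.2"), ("php", "5.")}

# "none" is added here for assets with no findings; the article's own
# labels are critical, high and medium.
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "none": 0}


@dataclass
class Asset:
    hostname: str
    ip: str
    open_ports: dict           # port -> banner string (may be empty)
    tls_on_443: bool = True
    findings: list = field(default_factory=list)
    severity: str = "none"


def _banner_product(banner: str) -> tuple:
    """'OpenSSH_7.4' -> ('openssh', '7.4'); 'Apache/2.2.15' -> ('apache', '2.2.15')."""
    b = banner.lower().replace("_", "/")
    if "/" not in b:
        return (b, "")
    product, _, version = b.partition("/")
    return (product, version)


def classify(asset: Asset) -> Asset:
    """Attach findings and a single worst-case severity to one asset (idempotent)."""
    asset.findings, asset.severity = [], "none"

    def raise_to(level, note):
        asset.findings.append(f"{level}: {note}")
        if SEVERITY_RANK[level] > SEVERITY_RANK[asset.severity]:
            asset.severity = level

    for port, banner in asset.open_ports.items():
        if port in DATABASE_PORTS:
            raise_to("critical", f"{DATABASE_PORTS[port]} reachable on tcp/{port}")
        elif port in REMOTE_ADMIN_PORTS:
            # Telnet is cleartext, so it is treated one step worse than ssh/rdp/vnc.
            level = "critical" if port == 23 else "high"
            raise_to(level, f"{REMOTE_ADMIN_PORTS[port]} exposed on tcp/{port}")
        product, version = _banner_product(banner) if banner else ("", "")
        for eol_product, prefix in END_OF_LIFE:
            if product == eol_product and version.startswith(prefix):
                raise_to("high", f"end-of-life {product} {version} on tcp/{port}")
    if 80 in asset.open_ports and not asset.tls_on_443:
        raise_to("medium", "plaintext HTTP without HTTPS on tcp/443")
    return asset


def inventory_summary(assets) -> dict:
    """Counts per severity: the kind of figure that can be shown to an insurer."""
    summary = {level: 0 for level in SEVERITY_RANK}
    for asset in assets:
        summary[classify(asset).severity] += 1
    return summary


# Constructed sample inventory (documentation-range addresses, invented hosts).
SAMPLE_INVENTORY = [
    Asset("db-legacy.example.com", "203.0.113.10", {22: "OpenSSH_7.4", 5432: ""}),
    Asset("www.example.com", "203.0.113.20", {80: "nginx/1.24", 443: "nginx/1.24"}),
    Asset("intranet-old.example.com", "203.0.113.30", {80: "Apache/2.2.15"},
          tls_on_443=False),
    Asset("jump.example.com", "203.0.113.40", {22: "OpenSSH_9.6"}),
]

if __name__ == "__main__":
    print(inventory_summary(SAMPLE_INVENTORY))
    for a in SAMPLE_INVENTORY:
        print(a.hostname, a.severity, a.findings)
```

The worst finding on a host decides its level, which matches how the article's critical/high/medium labels are assigned per asset; the per-severity counts from inventory_summary are the summary an insured party could put in front of an insurer, and re-running the scan later shows whether those counts move.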

This information is the foundation of true cyber resilience. CISOs must take the time to properly assess the business impact of exposed assets, including the effect on the company's risk level. Once understood and processed, this information can be passed on to insurers as evidence of reduced cyber risk, lowering premiums for companies and clarifying risk profiles for providers.

For insurers, EASM eases the due diligence process: they can initiate scanning of a prospective client and use the data during negotiation. For both sides, attack surface data can be used to standardize the cyber insurance premium process with clear, actionable insight.

EASM is the core of any cyber risk calculation

As ransomware attacks increase, we can expect the same of the premiums that protect companies, and demand is only set to continue. Fortunately, there is something CISOs and security teams can do: arm themselves with real-time information and insights about their attack surface.

EASM has a direct bearing on several factors in a cyber risk profile, such as geography, size and industry insights, and indirectly supports security teams in reducing risk over time. It therefore demonstrably helps companies minimize risk and vulnerability to attack, and justify lower premiums to insurers. Meanwhile, insurers can make the premium calculation process more streamlined and transparent for companies, making best practice easier than ever before.


Director of Security Research at Reposify (a CrowdStrike company)