5 Questions with Cary Tiernan: Simplifying Cyber Risk Through Our Security Report

Last month, we released our new-and-improved Security Report to help brokers get clarity on their clients’ cyber risk. The redesigned report prioritizes easy-to-understand language, clear security suggestions, and relevant industry context.

To learn more about the Security Report, we talked to our Product Marketing Lead Cary Tiernan, who coordinated the redesign effort in collaboration with our cyber analyst, security, product, engineering, design, and actuarial teams.

1. What was the inspiration for redesigning the Security Report?

The idea of a Security Report was relatively new to insurance at the time of its creation. The report was developed around the premise that certain factors are important in determining cyber risk. The Security Report has always communicated some aspects of a business’ security posture, but now it has more nuance and more context, drawn from At-Bay’s ever-expanding understanding of the cyber security landscape. 

We wanted to make the Security Report more user-friendly, contextualizing all data and communicating information in a way that was easy for both brokers and clients to understand. Not every risk is created equal, and the new report clearly demonstrates the various levels of risk a business faces and the potential financial implications of those risks, connecting the dots between cyber risk and insurance coverage.

2. How did you determine the best way to present the information in the Report? 

Every piece of information in the Security Report works toward our overall goal of facilitating conversations between brokers and clients and simplifying cyber coverage decisions. 

Internally, we tapped our own expert knowledge. Our cyber analysts are constantly looking for new vulnerabilities and determining which are most critical, while our actuarial team understands the costs associated with the vulnerabilities based on overall risk, industry, and business size. 

Externally, we interviewed our broker partners to understand how to present highly technical information in the most useful way. These are some key design decisions we made after testing more than 15 report concepts with brokers:

• We positioned the Security Score at the top and front of the report to allow brokers (and clients) to see critical vulnerabilities as soon as they open the report. This way, any action required to bind a policy is immediately clear.
• The second page contains details to facilitate conversations between brokers and clients. It offers context and clear explanations of the top security issues identified plus suggestions on how to resolve them.
• The rest of the report dives into the technical aspects of the business’ risk so that the client has all needed information to pass along to the IT provider. 

The new Security Report presents vulnerabilities in three different ways for audiences of varying technical knowledge. Each vulnerability is broken down into digestible and relevant context — what it is, why it matters to the business, and how to resolve it. 

3. Do you have any tips on how brokers can best leverage the Security Report? 

First and foremost, the Security Report can serve as a conversation piece for brokers to explain a client’s security posture and coverage options. At-Bay won’t insure businesses with unresolved critical vulnerabilities, and this report is an easy way to identify these vulnerabilities and discuss available solutions. 

The Security Report’s first-page summary is a great way to demystify coverage options for clients. Because the information is coming directly from security and insurance experts, it can help brokers demonstrate cyber expertise and build trust with clients.

We also hope brokers will send this report (or at least parts of it) directly to clients. Sharing the report with clients can take some work off the broker’s plate and provide the client with the information they need to improve their cyber security and make informed coverage decisions.

4. What are the three biggest takeaways from this redesign?

We’re tying together security and insurance. This may sound like a no-brainer, but this concept was crucial to the development of the new Security Report. The person buying cyber insurance often isn’t the same person making security decisions for a business. The success of this redesign relies on its ability to clearly communicate cyber security and insurance concepts to all audiences, starting with the broker.

Time-saving tools help brokers. We know brokers are busy. When handling a lot of business, the last thing a broker wants to do is read through a dense report for every quote. That’s why design was so important here: The prominent Security Score and color coding allow brokers to quickly assess all crucial information without having to dig for it.

Investing in the development process is worth it. The insurance industry doesn’t always emphasize concept-testing or product design, but our up-front investment in research and development paid off. Despite the fact that this report is built on complex security and insurance information, it’s presented in a way that’s readable even for those with minimal technical knowledge.

5. How are you measuring the success of the new Report?

The Security Report will be successful if people read it and take action from it — especially if businesses make improvements to their cyber security beyond just crucial vulnerability fixes that are required to bind. These are three markers of success we hope to see:

• Brokers using this tool to explain to clients why and how critical vulnerabilities need to be resolved.
• Brokers and clients having conversations around the important (but not critical) vulnerabilities that may cause coverage differences, such as multi-factor authentication.
• Competitors following our lead and creating their own versions of this report.

Additionally, all feedback on the new Security Report is very welcome. We want to continue honing the report so it remains as useful as possible. Hearing from brokers is a huge part of our product development process — so if you have opinions or suggestions, please reach out! 

Have a specific question about the Security Report? Check out our article How to Read Our Security Report.