Case study: Measuring cyber resilience

Marsh McLennan’s Cyber Risk Analytics Center analyzed the BitSight Security Ratings Platform, which helps underwriters develop cyber insurance policies. Boston-based BitSight offers a Security Rating and 13 “risk vectors” to measure how many of a company’s systems are vulnerable and how quickly they are fixed. Marsh McLennan analyzed 365,000 companies’ cybersecurity events, claims, and BitSight security data. Poor performers were linked to cyberattacks. In addition, the study found a statistically significant association of BitSight Security Ratings and risk vectors with cybersecurity incidents. BitSight’s measurements can help insurance officials make informed judgments. For example, endpoint management, malware detection, vulnerability management, secure communications, and user training and awareness have a measured correlation. Our study highlighted the relevance of an organization’s patching initiatives, with “patching cadence” associated with the chance of a cybersecurity incident.

Asking the right questions about war exclusions in the context of cyber operations

In the last several years, reinsurance and insurance markets have grappled with the meaning of the war exclusion in the context of cyberattacks (or more broadly, “cyber operations”). The ongoing Russian invasion of Ukraine, including cyber operations that crashed websites of Ukraine’s defense ministry and two large Ukrainian banks, underscores the need for contract certainty regarding coverage for state-sponsored cyber operations. Yet, legal guidance on the application of the war exclusion to cyber operations remains elusive. This publication from Guy Carpenter suggests that stakeholders ask new questions and explains the problems posed by traditional war exclusions in the cyber context. The report also explains how recently drafted clauses, which markets have increasingly adopted, address these problems. It then considers reinsurance implications, particularly the need for cedents to avoid a gap in coverage between the original policy and the reinsurance treaty.
2022 ESG Report | Succeeding Together