In the evolving world of cybersecurity, enterprises need access to cyber insurance that accurately reflects their current security posture and that covers both direct and indirect expenses. The same challenge, of course, applies to the insurers issuing the policies. Unfortunately, the evolving threat landscape and rising incidents of attacks has created difficulty in matching packages with premiums, and as one chief information security officer has stated, the current state of risk modeling is like “trying to use the count of arrests for a crime to figure out the dollar losses from theft.”
Cyber insurance is an industry that could grow to nearly $17B in just five years. However, coverage today is still at less than 50 percent and varies widely by industry. And the state of coverage is even lower across the mid-market, a sector subject to 62 percent of all cyberattacks but does not always have the budget or expertise to deploy market-leading solutions. The result? It’s a proverbial accident waiting to happen, as enterprises are increasingly valued on their intangible assets – assets that can be compromised and even destroyed in a matter of minutes. In fact, between 1975 and 2015, the value of these assets, mostly uninsured, climbed from 17 percent to 84 percent.
What’s the Problem?
A major issue affecting insurance agencies is that cyber insurance coverage is not as universal as one would expect, especially amongst smaller enterprises. To understand the enterprise technology risk, a questionnaire that is completed by the policy holder enterprise applicant (not always accurate) and major reliance on third-party external ratings of the applicant enterprise that is an outside-in view only (excludes cloud security views which are increasing in importance) may or may not be accurate.
Smart enterprises and their security service providers are masking their environments from their external third-party rating firms to generate artificially higher scores This is done by implementing firewall rules that drop all outbound traffic to these third-party honeypots and also filters inbound scanning from these third-party firms. These underwriting processes do not consider the true internal state of the enterprise and are at best limited point-in-time views. What insurers fail to consider in an ever-changing threat level is that they may lose millions in underwriting policies over time to this constantly changing technology risk paradigm if they continue to rely on outdated approaches.
In the Public Accounting Industry, when doing a financial audit of the firm (that includes technology reviews) no one relies only on management answers to questions and there is a strong verification process that the numbers are accurate and the controls are in place. Insurers need to incorporate internal verification processes into their underwriting and on-going premium coverage process moving forward.
To move beyond this current, less-than-optimal state, insurers need more automation as part of their underwriting, streamline the process, better balance between premiums and risk, and make available policies that better cover the full range of assets potentially impacted by cyber peril. In addition, insurers need to consider moving from point-in-time assessment to continuous assessment of their potential policy holders as the risk changes daily, based on the human factors and the threat landscape. The individuals completing a large questionnaire (100 to 200 questions) are not 100% sure that their answers are correct, nor that the processes are consistently in place or enforced. In addition, the third-party external ratings that Insurers use is like driving looking at the rear-view mirror. All the data that is shown are past views that are reflective of how things were done in the past. If the company had poor technology (CIO) and security (CISO) management that has been replaced, the external ratings do not reflect the future expected operation.
External Ratings scoring logic assumes that technology management will not change. In addition, the External ratings do not look at cloud security directly today as they do not have visibility into those environments unless there is a public facing website.
Introducing a Credit-Like Score for Security
One way to develop this is through the use of a ‘CyberPosture’ score, a security equivalent of a credit score; an easy to understand scoring of one’s current hybrid infrastructure security posture.
Insurers now have the opportunity to provide the potential policy holder (customer) with an easy to deploy assessment technology (deployment and assessment within hours) that covers on-premises servers, cloud servers and cloud accounts, and containers that provides a detail understanding of their inside-out security level against benchmarks and provides a CyberPosture score it is in their best interest to implement this solution during the underwriting process and over time develop enhanced (more profitable) policies that change premiums and/or reduces coverage as the CyberPosture score changes during the premium coverage period. The secondary benefit would be that this CyberPosture score would be available to the policy holder executive management team and board members to have an independent view of the cyber risks of the organization. Today, a majority of the credit cards provide continuous free credit score reporting to their members (this follows that same logic).
In conclusion, enterprises and their security service providers have learned how to game the external third-party risk ratings which do not account for future enterprise risk models since the models do not consider technology/security leadership changes nor look at internal security risks (and/or cloud security risks) which in many enterprises represent the larger risks and potential control failure that generate cyber insurance claims. It is in the best interest of the insurers to quickly adopt proactive underwriting and continuous monitoring solutions that provide a true representation of the applicant enterprise to minimize risk and maximize profit in new policies that are underwritten moving forward and the CyberPosture score provides one of those paths forward.
About the author: Joseph (Joe) Kucic is Cavirin’s Chief Security Officer, bringing to Cavirin over 20 years of enterprise and security experience. At Cavirin he is responsible for hybrid cloud infrastructure security strategies with CSOs, CIOs and CISOs and their teams across both enterprises and managed service providers / global system integrators.