Cyber Insurance, Security and the Enterprise Challenge
In the evolving world of cybersecurity, enterprises need access to cyber insurance that accurately reflects their current security posture and that covers both direct and indirect expenses. The same challenge, of course, applies to the insurers issuing the policies. Unfortunately, the evolving threat landscape and the rising number of attacks have made it difficult to match coverage packages with premiums, and as one chief information security officer has stated, the current state of risk modeling is like “trying to use the count of arrests for a crime to figure out the dollar losses from theft.”
This is the situation in an industry that could grow to nearly $17B in just five years. Yet adoption today is still below 50 percent and varies widely by industry. Coverage is even lower across the mid-market, a sector that is subject to 62 percent of all cyberattacks but does not always have the budget or expertise to deploy market-leading solutions.
The result? It’s a proverbial accident waiting to happen, as enterprises are increasingly valued on their intangible assets, assets that can be compromised and even destroyed in a matter of minutes. In fact, according to KPMG’s 2016 Global Consumer Loss Barometer, between 1975 and 2015 the value of intangible assets as a proportion of total enterprise value (among S&P 500 companies) rocketed from 17 percent to 84 percent. Most of these intangibles are currently uninsured, even though damage to organizational reputation from a breach is the single biggest cyber concern of corporate executives.
A New Way Forward
The traditional approach of sending out in-depth questionnaires about an organization’s security readiness no longer fits the pace of the digital enterprise. In fact, prospects are often hesitant to answer unclear technical questions that they fear may lead to denial of coverage, higher rates or even denial of future claims. So how can enterprises quickly, automatically, and without error or ambiguity provide evidence of the maturity of their information technology and information security programs?
Looking to other industries, an analogy is the increasing use of telematics “black boxes” by auto insurers, which track customer driving behavior and raise or lower premiums accordingly. If a customer has a history of risky behavior, mandating tracking can both avoid further rate increases and lower the chance of another incident.
Conversely, a safe driver can further lower his or her rates by keeping to distance and speed limits. Some insurers, such as Prudential, have gone as far as integrating other metrics into their underwriting, using the FICO score to identify more or less risky car insurance applicants. There is real logic in this: the FICO score is as much a risk score as a credit score, estimating the likelihood of loss on a potential loan, and that same measure of behavior correlates with insurance risk. The same approach is now taking hold in health insurance, and with the increasing use of big-data analytics, it will surely see use in other industries as well.
For cyber insurance, an automated underwriting process based on the actual security posture of the enterprise, and potentially updated dynamically as that posture changes, could be a game-changer. It would create a win-win by matching the enterprise’s compliance reporting requirements (e.g., PCI DSS, HIPAA), its hybrid cloud security posture, and other metrics to the underwriting policies of its insurer. Such a posture-based assessment would also let the policy better reflect risk across both intangible and tangible assets, the whole spectrum of ‘cyber peril,’ which most policies today partially neglect even as it comes increasingly under threat.
What’s needed today is a platform that reflects the organization’s current security posture across the hybrid cloud, spanning on-premises infrastructure and AWS, Azure, Google Cloud or other public cloud service providers. With such a platform for underwriting, the cyber insurance broker would assess an enterprise client and generate a score based on an evaluation against a wide set of benchmarks and regulations, supplemented by live monitoring where applicable.
To be optimal, the frameworks included should be ISO 27001, SOC 2, HIPAA, PCI DSS, NIST, and GDPR, the soon-to-be law of the land. Because the assessment maps its findings to specific controls in these frameworks, an enterprise receiving a score also has in hand the guidance it needs to remediate and raise that score, much as a driver is given guidance to improve his or her driving habits.
An insurer may require the enterprise to deploy such a solution itself, generating a score and submitting it as part of the underwriting process. Alternatively, the insurer can operate the system on behalf of its enterprise clients, re-assessing them periodically or continually.
Ultimately, solutions in this space will help insurers better match their cyber insurance policies to the full spectrum of assets needing protection, with the goal of saving the enterprise money through better alignment with its business and its actual risk posture.
Jack Kudale is COO of Cavirin, which provides cybersecurity risk posture and compliance for the enterprise hybrid cloud.