The average cost of a ransomware attack is $1.85 million and 22 days to recover. If you’re looking for cyber insurance coverage to protect yourself, download our ebook to learn how to strengthen your cybersecurity program to influence coverage.
Cyber insurance continues to pick up steam, with both smaller and larger entities adopting it. There are several drivers, such as recent supply chain compromises, large ransomware attacks, and the need to limit liability. The immediate and latent effects of a data breach are massive, ranging from loss of business, to degraded brand reputation, and loss of sensitive customer data.
While many organizations look at cyber insurance as a way to transfer risk and mitigate financial losses, the assessment process used by cyber insurers can help shape your security program for the better by understanding how claims are driving the questions they are asking you.
Assessing your security program
Cyber insurance takes a multifaceted approach when it comes to writing and providing coverage to an organization. The criteria is no different than with auto insurance, where it’s not just your driving record that determines pricing and how much liability the insurer is willing to take on. Some of the aspects that impact cyber insurance underwriting include the scale and size of an organization, the number of employees, and annual revenue. Insurers look at how much Personal Identifiable Information (PII), including Protected Health Information (PHI), is held by the company, both for employees and customers. Is the business processing lots of financial data? How reliant is a company on third-party providers for business operations? What controls does the business have in place, and what are the effectiveness of these controls in reducing the risk of cyber attacks?
Cybersecurity controls are assessed through self-attestation and direct observation—trust but verify. Questionnaires, such as those used in a standard Third Party Risk Management (TPRM) program, help inform insurers about what policies, processes, and controls are currently in place, as well as get a sense of whether the company seeking insurance believes they're following the resultant procedures, globally and consistently. The questionnaires usually follow an accepted standard framework, such as the NIST Cybersecurity Framework (CSF) or ISO 27001 and can include controls such as Multi Factor Authentication (MFA) for employee login into company systems or anti-phishing training. Are backups performed consistently and adequately protected from ransomware attacks? What vulnerability management tools are used, how often are they run, how quickly are the most critical vulnerabilities remediated, and how often are exceptions reviewed?
To augment assessments, validating these responses is done via a risk performance measurement tool, which can confirm or invalidate some assessment responses and reveal that what should be a strength is actually a liability. An example of the above would be if a company states that they have strict policies in place for the security of data in transit, but it's found they have many instances of SSLv3 enabled on exposed systems.
Cyber Risk Quantification
Questionnaires and technical observations are helpful for assessing the cyber resiliency of an organization and can even be represented as a quantitative metric. Tying that assessment to the probability and amount of potential financial loss is far more difficult, and it is something that cyber insurers are also trying to measure. It's also the Rosetta Stone for presenting cyber security to non-technical and executive audiences.
While the prevailing Cyber Risk Quantification (CRQ) model is FAIR, it is far too cumbersome for most organizations, requiring a significant effort in identifying:
- Assets and their owners
- Supported services and applications
- The users and roles who have access to the assets, services, and data.
Then, the organization must estimate the losses by estimating the Loss Event Frequency (LEF) and Probably Loss Magnitude (PLM), including identifying the threats against the assets and the controls in place to mitigate them. Many organizations rely on data from reports and polls such as those from Ponemon and IBM Security, which are at best broad averages by industry, to calculate the probability of an event and financial losses.
Bitsight takes a much less labor-intensive approach to CRQ using data that's more dialed-in to the organization while still using many of the heuristic elements of FAIR. Our analysis typically requires the organization to spend about a half-hour to an hour to gather the inputs, which include industries and sub-industries, countries and states of operation, organization size, types and amount of PII held, controls in place, and regulatory and contractual obligations. The inputs are used to select those records that fall into the same demographic and technographic profile from a large corpus of historical incidents, which includes public disclosures from open source feeds, proprietary databases, and anonymized insurance claims—the same data cyber insurers use for underwriting to understand potential losses.
Performing CRQ on your organization can help you not only quantify the financial loss probabilities to report to senior executive management and the board, estimate budget for cyber security and prioritize purchases and activities, but also right-size your insurance coverage and premium, and provide support to help negotiate with cyber insurance carriers.
Cyber insurance is an opportunity
Instead of viewing the underwriting process as invasive and time-consuming, you can look at it as an unplanned cybersecurity assessment and improve your security posture based on the results. Going through the underwriting process and reviewing the results of the various assessment and data validation tools can truly shape and improve an organization’s security by identifying areas for improvement as well as gaps in your cybersecurity program. The process can highlight liabilities ranging from open ports running on older servers that “should be'' offline to old domains that never were deregistered.
The impetus of checking on this data as a result of the aforementioned process most often shows immediate areas of concern that are usually quickly remedied. However, if there is a pattern or tendency toward certain risks materializing instead of being prevented from occuring in the first place, it’s an indication that your security program is not working effectively. This highlights the need to change your security program, starting with an overarching security policy and resulting in process and procedures to support it, as well as governance to ensure the program functions as expected, universally and consistently.