Could a Credit-Like Security Score Save the Cyber Insurance Industry?


In the evolving world of cybersecurity, enterprises need access to cyber insurance that accurately reflects their current security posture and that covers both direct and indirect expenses. The same challenge, of course, applies to the insurers issuing the policies. Unfortunately, the evolving threat landscape and rising incidents of attacks has created difficulty in matching packages with premiums, and as one chief information security officer has stated, the current state of risk modeling is like “trying to use the count of arrests for a crime to figure out the dollar losses from theft.”

Cyber insurance is an industry that could grow to nearly $17B in just five years. However, coverage today is still at less than 50 percent and varies widely by industry. And the state of coverage is even lower across the mid-market, a sector subject to 62 percent of all cyberattacks but does not always have the budget or expertise to deploy market-leading solutions. The result? It’s a proverbial accident waiting to happen, as enterprises are increasingly valued on their intangible assets – assets that can be compromised and even destroyed in a matter of minutes. In fact, between 1975 and 2015, the value of these assets, mostly uninsured, climbed from 17 percent to 84 percent.

What’s the Problem?

A major issue affecting insurance agencies is that cyber insurance coverage is not as universal as one would expect, especially amongst smaller enterprises.  To understand the enterprise technology risk, a questionnaire that is completed by the policy holder enterprise applicant (not always accurate) and major reliance on third-party external ratings of the applicant enterprise that is an outside-in view only (excludes cloud security views which are increasing in importance) may or may not be accurate. 

Smart enterprises and their security service providers are masking their environments from their external third-party rating firms to generate artificially higher scores This is done by implementing firewall rules that drop all outbound traffic to these third-party honeypots and also filters inbound scanning from these third-party firms.  These underwriting processes do not consider the true internal state of the enterprise and are at best limited point-in-time views.  What insurers fail to consider in an ever-changing threat level is that they may lose millions in underwriting policies over time to this constantly changing technology risk paradigm if they continue to rely on outdated approaches.  

In the Public Accounting Industry, when doing a financial audit of the firm (that includes technology reviews) no one relies only on management answers to questions and there is a strong verification process that the numbers are accurate and the controls are in place.  Insurers need to incorporate internal verification processes into their underwriting and on-going premium coverage process moving forward. 

What Next?

To move beyond this current, less-than-optimal state, insurers need more automation as part of their underwriting, streamline the process, better balance between premiums and risk, and make available policies that better cover the full range of assets potentially impacted by cyber peril.  In addition, insurers need to consider moving from point-in-time assessment to continuous assessment of their potential policy holders as the risk changes daily, based on the human factors and the threat landscape.  The individuals completing a large questionnaire (100 to 200 questions) are not 100% sure that their answers are correct, nor that the processes are consistently in place or enforced.  In addition, the third-party external ratings that Insurers use is like driving looking at the rear-view mirror.  All the data that is shown are past views that are reflective of how things were done in the past.  If the company had poor technology (CIO) and security (CISO) management that has been replaced, the external ratings do not reflect the future expected operation. 

External Ratings scoring logic assumes that technology management will not change.  In addition, the External ratings do not look at cloud security directly today as they do not have visibility into those environments unless there is a public facing website.

Introducing a Credit-Like Score for Security

One way to develop this is through the use of a ‘CyberPosture’ score, a security equivalent of a credit score; an easy to understand scoring of one’s current hybrid infrastructure security posture. 

Insurers now have the opportunity to provide the potential policy holder (customer) with an easy to deploy assessment technology (deployment and assessment within hours) that covers on-premises servers, cloud servers and cloud accounts, and containers that provides a detail understanding of their inside-out security level against benchmarks and provides a CyberPosture score it is in their best interest to implement this solution during the underwriting process and over time develop enhanced (more profitable) policies that change premiums and/or reduces coverage as the CyberPosture score changes during the premium coverage period.  The secondary benefit would be that this CyberPosture score would be available to the policy holder executive management team and board members to have an independent view of the cyber risks of the organization.  Today, a majority of the credit cards provide continuous free credit score reporting to their members (this follows that same logic).

In conclusion, enterprises and their security service providers have learned how to game the external third-party risk ratings which do not account for future enterprise risk models since the models do not consider technology/security leadership changes nor look at internal security risks (and/or cloud security risks) which in many enterprises represent the larger risks and potential control failure that generate cyber insurance claims.  It is in the best interest of the insurers to quickly adopt proactive underwriting and continuous monitoring solutions that provide a true representation of the applicant enterprise to minimize risk and maximize profit in new policies that are underwritten moving forward and the CyberPosture score provides one of those paths forward.

About the author:

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "https://ift.tt/2IPgRSm"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more