The Cyber Insurance Checklist

As cyber threats evolve, here are tips for businesses to ensure that they're not left uninsurable. 


The cyber threat landscape is evolving from an era of large data breaches (Yahoo, Vodafone) to the modern ransomware economy (the Emotet and TrickBot banking Trojans and the Ryuk ransomware they delivered).

Understanding this backdrop is crucial as businesses need to think carefully about how they can protect themselves from an attack but also insure their assets. Cyber risks used to be almost uninsurable; however, as the landscape continues to change, cyber insurance is becoming essential for CISOs. Yet insurance also has its limitations and therefore must be integrated into a layered defense strategy to be effective.

Minimum Requirements for Cyber Insurance

Insurers today are primarily concerned with claims emanating from human-operated ransomware attacks, which disrupt systems and operations through encryption, data exfiltration, and ransom demands. To purchase insurance cover, companies must demonstrate their ability to defend against threats by deploying controls that block attackers' strategies. Notable strategies include the following:

1. Preventing Attacker Footholds

• Multi-factor authentication for end users and external access

• Endpoint protection and endpoint detection and response (EDR, MDR, or XDR) solutions

• Cybersecurity awareness training and phishing campaigns

• Email filtering and web security

• Comprehensive patch and vulnerability management policies

• Hardening techniques, including addressing common issues such as remote access, bring your own device, and cloud security configuration

2. Stopping Lateral Movement and Reducing Blast Radius

• Network segmentation and segregation of high-risk/high-value networks

• Privileged access management (PAM) for administrator and service accounts

• Logging, monitoring, and correlation

• Digital and service supply chain risk management

• Cyber incident response planning and testing

• Replacing or protecting end-of-life systems

3. Protecting Key Digital Assets

• Encrypted and secured, tested backups

• Enhanced protections for critical assets (encryption at rest, second-layer authentication, zoning of critical applications)

How to Improve and Obtain Value From Conversations With Insurers

The best insurer relations are developed through regular and open dialogue.

By offering you insurance, insurers make your risk their risk. Good insurers will thus offer what I call "loss intelligence": information relating to the most recent and significant claims in the cyber insurance space.

This free intelligence can help you prioritize your cyber program investments. For instance, I put "multi-factor authentication" first in the list above because insurer data tells us that over 80% of all cyber incidents are malicious and start with a compromise of user credentials.

Another example is looking at what questions insurers focus on. They will ask detailed questions about how you back up your data because they see many insureds suffer data loss, exfiltration, and extortion attacks as a result of poor controls in this area.

Measuring and Protecting Value at Risk

All modern organizations are evolving and transforming digitally, but each does so in a unique manner and at a different pace. Measuring how dependent an organization is on its technology for generating revenue, meeting compliance obligations, and avoiding reputational harm is critical.

If an organization's operational resilience is materially the same as its digital resilience, meaning there is no way to revert to paper-based or traditional processes in the event of a technology failure, then its cyber program is critical. Conversely, if the organization can continue to operate unhindered, then it is not digitally dependent. For most organizations, the degree of dependence can be measured on a sliding scale we can refer to as the "percentage of value at risk."

Regulators are now also aligning with this approach to avoid major disruptions, losses, and harms, as can be seen in DORA, NIS2, and GDPR, all of which look at the criticality of the assets under protection as a means of determining control requirements.

Carrying out a Risk Assessment

To best understand and measure the value at risk, a structured risk assessment should be carried out in a few distinct phases. These should determine the value at risk in the digital domain (impact), the quantum of risk exposure (in financial terms), and the probability of the risk occurring, through expert-led assessments, as follows:

Assess Impact by developing and stress-testing key loss scenarios and areas of exposure. This is a qualitative assessment that looks at the material exposures of a business to technology loss and develops a small number of significant events it wishes to avoid, mitigate, or reduce the impact of.

Quantify Cyber Risk for each material scenario through the use of actuarial methods such as stochastic modeling, or other industry standards such as Factor Analysis of Information Risk (FAIR). This step is critical for comparing cyber and digital risk with other strategic risks such as supply chain, environmental, political, or competitive risk.

Expert-Led Controls Assessment via direct and indirect means. Direct, independent, expert-led controls testing through audit, penetration testing, and code review are essential for material control requirements on both first-party and third-party technology implementations. Having this independent attention is crucial should an organization's insurance attestations be challenged during a cyber insurance claim or a regulatory investigation. Indirect methods such as digital, open-source and dark web assessments are becoming commonplace as well, with insurers often conducting their own due diligence to determine if an insured has been compromised or mandating direct scans to detect vulnerabilities as a precursor to offering cyber insurance.

To Transfer or Not

Once an organization has carried out such a risk assessment, it is able to determine how much insurance it may need, as well as how likely it is to suffer a cyber incident and what the severity could be.

The organization should have evaluated its cyber resilience to its key scenarios and will be in a position to discuss with insurers the feasibility and cost of insuring certain scenarios.

It is important to understand that insurance may not be the most cost-effective option for transferring risk. For example, if an insured is worried about data being stored and processed in an outsourced HR system, other efficient routes could include negotiating effective risk transfer mechanisms such as contractual penalties, security assurance, and financial liabilities directly with its third-party supplier. Another common approach is to invest in better mitigations as a precursor to cyber insurance if one of the key controls mentioned above is not yet effective.
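The quantification step (Quantify Cyber Risk) and the transfer decision above can be worked through with a FAIR-style Monte Carlo: simulate loss event frequency and magnitude for one scenario, then see how much of the resulting annual loss a policy with a given retention and aggregate limit would absorb. This is an added example, not code from the article or from CyXcel; the scenario parameters, the retention and limit, and the single-scenario policy mechanics are constructed assumptions.

```python
import math
import random
from statistics import mean

def poisson_sample(rng, lam):
    """Knuth's method: number of loss events in one year ~ Poisson(lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1

def simulate_annual_losses(freq_lambda, mag_median, mag_sigma, years=10000, seed=1):
    """FAIR-style Monte Carlo for one loss scenario.

    Loss event frequency per year ~ Poisson(freq_lambda); loss magnitude per
    event ~ LogNormal with the given median and log-space sigma. Returns one
    simulated aggregate loss per year; a fixed seed makes runs reproducible.
    """
    rng = random.Random(seed)
    mu = math.log(mag_median)
    losses = []
    for _ in range(years):
        events = poisson_sample(rng, freq_lambda)
        losses.append(sum(rng.lognormvariate(mu, mag_sigma) for _ in range(events)))
    return losses

def summarize(losses, retention, limit):
    """Annualized loss exposure, plus what a policy with this retention and
    aggregate limit would absorb (hypothetical, simplified policy terms)."""
    n = len(losses)
    ordered = sorted(losses)
    insured = [min(max(loss - retention, 0.0), limit) for loss in losses]
    return {
        "ale": mean(losses),                            # expected annual loss
        "p95": ordered[int(0.95 * (n - 1))],            # 1-in-20-year loss
        "expected_insured": mean(insured),              # what the carrier pays
        "expected_retained": mean(losses) - mean(insured),
        "prob_exceed_limit": sum(loss - retention > limit for loss in losses) / n,
    }

if __name__ == "__main__":
    # Constructed scenario, not data from the article: ransomware hitting an
    # outsourced HR platform, ~0.3 events/year, median event cost 2M, fat tail.
    annual = simulate_annual_losses(0.3, 2_000_000, 1.2, years=20_000, seed=42)
    for key, value in summarize(annual, retention=250_000, limit=5_000_000).items():
        print(f"{key:>18}: {value:,.2f}")
```

Comparing "expected_retained" and "prob_exceed_limit" across a few retention/limit combinations is the quantitative basis for the discussion with insurers about which scenarios are worth transferring and at what cost.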


Jano Bermudes

Jano Bermudes serves as chief operations officer at CyXcel.

Prior to joining CyXcel, he served in senior cyber leadership roles at KPMG, Navigant Consulting, Ankura Consulting and Marsh McLennan.