Cyber-insurance can reshape the way organisations do security

The cyber landscape is a chaotic and dangerous place. From state-sponsored hackers to financially motivated cybercrime gangs and negligent data loss, risk is everywhere and liabilities are high.

Recent estimates claim that cybercrime now costs the global economy $600bn annually. With experts now agreed it’s not a case of “if” but “when” your organisation suffers a major breach or outage, the expanding cyber-insurance industry offers a vital way to protect against losses.

Every major risk creates an insurance market, and it always has. These markets develop in stages similar to people, from childhood to old age. Right now, the cyber insurance business is in its teenage phase – dynamic, rapidly changing, but also awkward, and not yet making optimal decisions. Today’s insurance products are readily available, but they offer a lot less coverage than buyers would like, and are generally driven by incomplete data, often in the form of simple questionnaires.

However, this is changing. As the sector expands, it will mature in the same way that life and health insurance have evolved: getting directly involved in helping people understand how to live longer, healthier lives. For cyber security, these are exciting times – maturing cyber insurance products offer the hope for real, quantified ROI measurements for security, so that decisions can be fact-based and business-oriented.

The rise of insurance

The original insurance business was created to deal with the risks of shipping cargo over stormy seas. If your ship came in, you made a fortune, but if it went down you could lose everything — a risk that those invested in the crossing wanted to better manage. Over a few centuries, each new example of a catastrophic risk caused an insurance market to spring up, so that those exposed to major losses could spread out the risks, and now corporations can cover anything from employees injured or killed on the job to freak weather events.

Given the growing impact of global cyber-related incidents, it makes complete sense that the industry has also expanded into this sphere. In fact, Lloyd’s of London warned in a report last year that economic losses from a single “cloud service disruption scenario” could reach as much as $121 billion. They made it clear that this risk, and its associated costs, are well in excess of cataclysmic weather events like Superstorm Sandy. The weather comparison gives a good sense of scale; we can also compare this potential downside to the total being spent on premiums – currently around $3bn–$4bn. Clearly, it is vitally important to know whether such a $121 billion loss event is something we can anticipate every hundred years, or every year or so – it matters.

The problem with risk

However, there are challenges. One of the biggest issues facing insurers today is the lack of visibility into the cyber health of insured companies, which makes it hard for them to quantify and price their coverage products. In an area like manufacturing quality there is plenty of data for a formal ROI decision: by crunching it you can work out whether technique X improves quality by Y amount. In cybersecurity, such measurements are hard to come by because many breaches, outages and associated financial losses are kept private and therefore go largely under-reported. As a result, insurers cannot accurately decide which security controls to require as part of the terms of a contract.

The visibility issue isn’t just one affecting insurers. Many firms don’t have the tools to allow them to adequately assess and respond to the rising levels of cyber-risk they’re exposed to. A report from insurer Hiscox in February claimed that nearly three-quarters (73%) of global firms are “cyber-novices” when it comes to the quality and execution of their security strategy.

What these corporations need is a way to understand how they compare to their peers, in terms of digital resilience and in terms of real losses, but their competitors are understandably unwilling to share such data. This is where more mature insurance offerings can come in – the insurers end up knowing which kinds of organisations suffer breaches, how often, and at what scale, because they ultimately pick up the tab.

The non-smoker discount

The combined effect of poor situational awareness and organisations choosing not to disclose information on cyber-attacks held back the early days of the cyber-insurance business. But this is changing rapidly as insurers demand and aggregate more information. They want to know three things: how often attacks are successful; how large the claims are; and what types of company succeed in blocking or limiting attacks.

The first two elements are automatically becoming clearer, and as insurers gather more and more data they’re increasingly able to offer greater coverage in areas that even a few years ago were little understood. But the crucial question of how effective specific tactics, techniques and procedures (“TTPs” in the lingo) are is still a tough one to answer. Why? Because insurers can’t simply take a virtual X-ray of a prospective client’s network to see how resilient it is to attack. This leaves them at a distinct disadvantage, and also means organisations may be left with inadequate coverage in crucial areas.

So what’s the answer? In the health insurance sector, underwriters turned to the medical profession for advice. Doctors were able to tell them which factors matter to life expectancy, and insurers were able to develop discounts for groups like non-smokers, or for any other behaviours that lower risk. The industry now needs the same kind of expert information in an IT security context, to work out who the “non-smoking” cyber-resilient organisations are.

With the right kind of third-party risk scoring tools, the industry can uncover this precious information, without resorting to lengthy but highly suspect questionnaires. Insurers can begin to work out with some clarity which defensive tactics, techniques and procedures are most effective, and which organisations are most likely to repel attacks, or detect and recover quickly if they are hit. The key for IT bosses is to agree on a standard of measurement which is hard to fake, but which shows you’re running an effective internal security programme, without giving away all of your secrets.

The feedback loop

Insurance companies want to sign up the non-smokers of the cyber-world. It’s not that such companies have perfect security – none of them do, but then, no people have perfect health either. Insurers are motivated to find and promote the behaviours that lead to lower claims, just as they do in car, health, or life insurance. By using Digital Resilience Scores to better understand organisations’ security programmes from the outset, insurers can add various preconditions to their contracts. Poor security controls could invalidate policies or drive up the cost of premiums. No multi-factor authentication in place? No discount. Likewise, no discount if you can’t produce an accurate and comprehensive map of your organisation – a test failed by a disturbingly large number of businesses.

In so doing, the cyber-insurance industry offers a great way to improve baseline cybersecurity standards by finally making IT an issue the CFO cares about. A discount on an insurance premium in return for improved security controls is a far more attractive and tangible proposition to a finance boss than the opaque ROI most security vendors offer. This solves one of the greatest challenges for security teams, who suffer in the budget cycle from the lack of tangible proof behind the investments they want to make.

Ultimately, this loop is a virtuous cycle – as insurance practices mature, based on facts and real measurements, insurers can mandate better practices, which leads to fewer claims, which directly permits the insurers to write the larger policies that customers want, which means more risks are covered, data improves, and around we go.

The good news is that the feedback loop is working. Insurers are getting more detailed information from customers, which they’re able to aggregate and crunch to create more in-depth coverage for cyber incidents. This journey is evolving rapidly, and will genuinely change the way organisations look at cybersecurity for the better.

Sourced by Dr Mike Lloyd, CTO, RedSeal.

Kayleigh Bateman

Kayleigh Bateman was the Editor of Information Age in 2018. She joined Vitesse Media from WeAreTheCIty where she was the Head of Digital Content and Business Development. During her time at WeAreTheCity...