By Miles Tappin, VP of EMEA at ThreatConnect
The rise of advanced threats, particularly ransomware, has cast a shadow over the cyber insurance industry. As a result, more businesses have been looking for insurance protection in recent years to ensure they can mitigate future threats and protect themselves and their customers. However, both carriers and those seeking insurance lack the ability to automate risk assessment, as well as the financial models needed to quantify security improvements and reduce overall response times and exposure.
The escalation in the sophistication of cyber-attacks has led to a climb in demand for policies and increasing costs. Several carriers have raised premiums between 30% and 50% and introduced further restrictive policy terms and coverage limits. Some insurance brokers have reported carriers reducing the amount of coverage offered by millions, and at least one primary carrier, European insurance giant AXA, has dropped ransomware coverage altogether.
Ultimately, the cyber insurance market is facing three significant challenges. Insurance underwriters rely on a highly manual, point-in-time approach to gathering data and assessing a company’s cyber risk exposure. However, these underwriters cannot correlate loss data to vulnerabilities, deficient controls, misconfigured hardware or software, or the ability of an attacker to compromise a critical application or system successfully. Security assessments are conducted just once before binding coverage and not revisited until it’s time to renew the policy. In many cases, security assessments conducted on behalf of an underwriter are never shared with the company seeking insurance. As a result, a critical vulnerability in the industry is evident.
Manual Risk Assessments
It’s hard to believe, but just one year ago, most cybersecurity insurance questionnaires consisted of fewer than ten questions, and underwriters would give companies 60 to 90 days to get the required controls in place. Today, most applications involve dozens of questions, are still highly manual, and companies get only 30 days to get their security controls in order.
Today’s manual application process means underwriters are writing policies based on guesswork that is only valid on the day it was produced. Thus, the requirement to automate the quantitative process could not be more urgent.
Automated cyber risk quantification is now a reality. Businesses should move quickly to understand their business risk more accurately and prioritise efforts so that critical business processes, applications, and data are protected. Security Orchestration, Automation, and Response (SOAR) can provide three specific benefits. It enables companies to proactively model and predict risk, mitigate and monitor for changes, and see ‘what-if’ recommendations that drive smart actions, mitigations, and response.
Correlation & Accounting for the Attacker
Cybersecurity insurance is different from other forms of insurance primarily because cyberattacks involve two things insurance can’t measure — the attacker and the defences they try to beat.
The struggle to understand loss exposure in cybersecurity isn’t the lack of loss data – it’s the lack of being able to correlate it to a vulnerability, a deficient control, a misconfigured software or hardware, or the ability of an attacker to reach a critical system or application.
Risk quantification automatically feeds data into a risk model and automation engine. Those inputs include data from your organisation as well as industry, attack, and vulnerability data aggregated from various sources. The engine then applies that information to the risk model to determine the financial impact of cyber risks and the probability of success of specific attacks.
These calculations drive a variety of other activities within risk quantification that lead to the operationalisation of information across the rest of your organisation, including:
- Prioritisation of vulnerabilities – not only by CVSS score but by relevance in terms of the financial impact to your business.
- ‘What-if’ analysis to help you understand what specific effects certain changes may have on your cyber risk before making those changes.
- Producing short- and long-term recommendations on how specific changes may affect Annual Loss Expectancy (ALE), and providing guidance on any ‘low hanging fruit’ that may exist.
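The three outputs above (financial-impact prioritisation instead of CVSS ordering, ‘what-if’ analysis, and ALE) can be illustrated with a small model. This is an added example, not ThreatConnect’s product or model: it assumes the textbook formula ALE = SLE × ARO, treats ARO as the annual probability that an attacker reaches and exploits a vulnerability, and uses constructed placeholder vulnerability IDs and figures.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    vid: str          # placeholder identifier (constructed, not a real CVE)
    cvss: float       # CVSS base score
    aro: float        # annual probability an attacker reaches and exploits it
    sle: float        # single loss expectancy of the affected application (currency units)

def ale(v: Vuln, control_effectiveness: float = 0.0) -> float:
    """ALE = SLE x ARO; a compensating control scales the exploit probability down."""
    assert 0.0 <= control_effectiveness <= 1.0
    return v.sle * v.aro * (1.0 - control_effectiveness)

def prioritise(vulns, controls=None):
    """Order vulnerabilities by financial impact (ALE), not by CVSS score."""
    controls = controls or {}
    return [v.vid for v in sorted(vulns, key=lambda v: ale(v, controls.get(v.vid, 0.0)), reverse=True)]

def total_ale(vulns, controls):
    return sum(ale(v, controls.get(v.vid, 0.0)) for v in vulns)

def what_if(vulns, controls, change):
    """Compare total ALE before and after a proposed control change (vid -> effectiveness)."""
    before = total_ale(vulns, controls)
    after = total_ale(vulns, {**controls, **change})
    return before, after, before - after

# Constructed sample: a critical-CVSS finding on a low-value system versus a
# medium-CVSS finding on a revenue-critical application that attackers can reach.
SAMPLE = [
    Vuln("VULN-PLACEHOLDER-1", cvss=9.8, aro=0.05, sle=200_000),
    Vuln("VULN-PLACEHOLDER-2", cvss=6.5, aro=0.40, sle=1_500_000),
    Vuln("VULN-PLACEHOLDER-3", cvss=7.5, aro=0.10, sle=50_000),
]
CURRENT_CONTROLS = {}  # no compensating controls modelled yet

if __name__ == "__main__":
    print("by CVSS:", [v.vid for v in sorted(SAMPLE, key=lambda v: v.cvss, reverse=True)])
    print("by ALE: ", prioritise(SAMPLE, CURRENT_CONTROLS))
    # What-if: a control that blocks 75% of exploit attempts against VULN-PLACEHOLDER-2
    print("what-if:", what_if(SAMPLE, CURRENT_CONTROLS, {"VULN-PLACEHOLDER-2": 0.75}))
```

The CVSS ordering puts the 9.8 finding first, while the ALE ordering puts the 6.5 finding on the high-value application first, which is the relevance-to-business point the list makes.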
Cyber Risk Assessments
Given the advanced capabilities of cyber adversaries and their tactics, techniques, and procedures, the current cyber insurance model almost guarantees that insurance carriers will be forced to pay claims. As a result, point-in-time assessments that are manual guesswork are inadequate for protecting enterprises from the onslaught of cyberattacks.
Being able to track cyber financial risk over time, understand the impact of budget decisions, and ultimately justify spending is now driving business decisions on which risks to tolerate, treat or transfer.
While the first step is to understand your organisation’s exposure in financial terms, the next is to decide how to mitigate risk. Risk quantification models many different types of attackers and attacks that may infiltrate an organisation, its controls, vulnerability data and critical applications.
Most risk quantification customers keep their controls actively updated in the tool to assess which applications are most vulnerable. In addition, they provide vulnerability data that allows risk quantification to produce short-term recommendations on Common Vulnerabilities and Exposures (CVEs).
The capabilities of risk quantification can give insurance underwriters and their clients a clear picture of inherent and residual risk in a dynamic fashion. Not only are the threat landscape and the parts of it relevant to your business changing, but the controls, applications, endpoints, and types of data present in your environment are changing as well. Risk quantification enables you to apply these changes to your models immediately, allowing cyber risk measurement to move beyond point-in-time assessments and become programmatic.
Once finalised, analysis is put in a report that business leaders, board members, and insurance underwriters can understand.