The following is an excerpt from my article on quantitative cyber risk assessments and cyber insurance that was initially published in the ISACA Journal Volume 2, March 2018. Two years and one pandemic later, it has only become more applicable.
From a business risk standpoint, the most important question to answer is how much cyber insurance coverage an organization needs to cover its bases in case of a breach. As with most cybersecurity problems, the answer is not binary. It depends on several variables, including the risk posture of the organization and on the insurance provider, who in most cases is unwilling to offer a package that covers everything the business anticipates, for a variety of reasons. This article proposes ways to attain harmony and satisfy both parties.
Cyber Risk Insurance Landscape
Cyber insurance, along with cyber risk, has become a very common agenda item in the boardroom discussion list in recent times [1]. Both enterprises and insurance companies are finding it difficult to quantify the controls in place and the amount of risk each of the parties is undertaking. Cyber insurance has undergone a substantial evolution from a coverage perspective as there are several new risk factors that were not witnessed or considered before (such as cyberextortion, espionage and privacy breaches) [2].
Cyber insurance coverage is additional to the liability, property and theft insurance that has been traditionally offered. But the challenge here is twofold [3]. Insurers do not have a set baseline or robust setup to evaluate an organization's cyber risk and determine insurance premiums. Today, most of this is done with basic questionnaires that capture the current state of cyber risk. This practice may leave the insurer carrying far more risk than it priced for. On the other hand, if the organization misinterprets the questions, it may end up paying higher premiums. And if the organization overstated its controls when acquiring the policy, the post-incident implications are adverse: the insurer can contest the claim.
Traditionally, auto or home insurance companies price policies on variables such as the driver's age, the type of car driven, the year a home was built, and its proximity to fire and police services. This risk-aware decision-making is possible primarily because the data and metrics have been available for several decades. Similar maturity and metrics are not available for IT risk management, which implies there is a lot of uncertainty. This is where statistics and probability can help. Figure 1 illustrates how the dearth of data triggers the vicious cycle of cyber insurance [4], [5]: it is the inability of both provider and consumer to mine enough data to estimate the cyber risk that sets the cycle in motion.
Figure 1: The Vicious Circle of Cyber Insurance
Fitch Ratings Inc. reported that the Insurance Data Security Model Law was adopted by the US National Association of Insurance Commissioners [6] to promote more rigorous cyber risk management practices. They point out that limited historical loss data, varying policy language and terms, and challenges in quantifying risk aggregations present considerable uncertainty for insurers. Any reduction in this uncertainty, however slight, would improve the current state. Statistical and probabilistic methods are the tools of choice when uncertainty is involved. This article provides evidence that statistical and probabilistic risk assessments can help both parties arrive at a conclusion as to how much risk is being transferred, in quantitative terms.
“Statistical and probabilistic methods are leveraged when uncertainty is involved”
The Cyber CPR Cycle
In place of the vicious cycle of cyber insurance described above, a cyber consumers, providers and regulators (CPR) cycle (figure 2) is proposed; it can enable robust cybersecurity and risk practices if harmony is attained and maintained. The triangle illustrates that cyber insurance providers, customers and regulations such as GDPR, the Payment Card Industry (PCI) standards, the US Health Insurance Portability and Accountability Act (HIPAA) and the US Sarbanes-Oxley Act (SOX) are interdependent and together can improve the state of cybersecurity and insurance. Increases in the number of breaches often result in new regulations, which drive insurance providers to raise the cost of coverage. This is conspicuously evident in the case of the upcoming GDPR rollout [7]. In a different vein, new regulations also drive cyber insurance customers to adopt more stringent security controls (possibly reducing future breaches), and with the cost of coverage rising, they are forced to estimate their potential risk accurately. This would stabilize the coverage price and force providers to optimize coverage levels.
Figure 2: Cyber Consumers, Providers, Regulators (CPR) Cycle
The US Department of Homeland Security emphasizes that a robust cybersecurity insurance market could help reduce the number of successful cyberattacks [8]. Accurately estimating the potential cyber risk is a good place to start for a security and risk professional. From a security program perspective, the burgundy arrows in figure 2 should be the top priority to reap the benefit of better coverage at optimal cost and to reduce the number of breaches in the long haul.
Due to recent data breaches, more CISOs have been hired globally in recent times, and some of these individuals have finally procured their long-craved seat at the boardroom table. This simply means that the CISO has an increased responsibility to inform the board of the current risk state and share meaningful security metrics, so the board is well informed to make the right decisions. Making the right decisions is of paramount importance, since it may let an enterprise avert major financial risk and reputational damage, or even keep it from going out of business. This includes securing a robust cyber insurance policy that covers any cataclysmic risk. When decisions are primarily based on risk assessments, it is critical to use methods that work and, most importantly, to measure how well those risk assessment methods work. After all, one cannot manage what one cannot measure. Before all else, a baseline for a common cyber risk language needs to be established.
“When decisions are primarily based on risk assessments, it is critical to use methods that function and, most importantly, measure how well these risk assessment methods work”
“Risk,” “vulnerability,” “threat” and “asset” each have a contextualized meaning and are often used interchangeably with one another. For example, malicious insiders, weak passwords, nation-state actors, cybercriminals, hacktivists and network shares are not risk, yet in the risk taxonomy of most organizations today, most of these are misinterpreted as risks. In FAIR terms, a cybercriminal is a threat agent, a weak password is a vulnerability, a network share is an asset, and risk is the probable frequency and probable magnitude of loss that results when the threat agent acts against the asset. Risk practitioners need a consensus on nomenclature and an adept understanding of the difference between a threat, threat agent, vulnerability, asset and risk. A common vocabulary needs to exist not only within organizations, but also among insurance providers, law enforcement and corporations; it greatly assists in executing the cyber CPR cycle efficiently. This is best attained by practice and training. Further guidance can be found in the Factor Analysis of Information Risk (FAIR) book [9].
Quantitative Cyber Risk Assessments That Matter
Change is an unwelcome nemesis anywhere, in any form. The priority for organizations, especially those dealing with cybersecurity, should be to change the thinking around adopting probabilistic quantitative risk assessments and to clear up the misconceptions. The plain fact is that quantitative risk assessments based on probabilistic models need to become the standard, because they support better decisions. Unfortunately, most leading frameworks and consortiums still use heat maps.
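To make the contrast with heat maps concrete, and to show what "how much risk is being transferred, in quantitative terms" looks like in practice, here is a small Monte Carlo model I am adding to this post. It is not from the original ISACA article or the FAIR book, and it makes simplifying assumptions of its own: each scenario's loss event frequency is Poisson, its loss magnitude per event is lognormal and is specified as a 90% confidence interval (5th and 95th percentile), and the policy is a simple annual aggregate with a retention (deductible) and a limit. The scenario figures and the policy are constructed for the example, not data from any real organization or insurer. Where a heat map yields "medium likelihood, high impact", this yields an expected annual loss, the split of that loss between insured and insurer, and the probability that a year's losses blow through the limit, which is the number the coverage question in the introduction actually turns on.

```python
"""Monte Carlo estimate of annual cyber loss and of how much of it a policy transfers.

Illustrative example added to this post; scenario figures and the policy are constructed.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass

Z90 = 1.6449  # standard-normal score for the 5th/95th percentiles


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, FAIR-style: how often it happens and how much it costs."""
    name: str
    events_per_year: float  # loss event frequency (Poisson mean), assumed
    magnitude_low: float    # 5th percentile of loss per event, assumed
    magnitude_high: float   # 95th percentile of loss per event, assumed


@dataclass(frozen=True)
class Policy:
    """Annual aggregate policy: insured pays up to the retention, insurer pays up to the limit above it."""
    retention: float
    limit: float


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Convert a 90% confidence interval (5th, 95th percentile) to lognormal mu and sigma."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return mu, sigma


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios, years: int = 10_000, seed: int = 7) -> list[float]:
    """Return one total loss figure per simulated year, summed across all scenarios."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    params = [(s, *lognormal_params(s.magnitude_low, s.magnitude_high)) for s in scenarios]
    losses = []
    for _ in range(years):
        total = 0.0
        for s, mu, sigma in params:
            for _ in range(sample_poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    return losses


def split_loss(annual_loss: float, policy: Policy) -> tuple[float, float]:
    """Split one year's loss into (retained by insured, transferred to insurer)."""
    transferred = min(max(annual_loss - policy.retention, 0.0), policy.limit)
    return annual_loss - transferred, transferred


def summarize(losses: list[float], policy: Policy) -> dict[str, float]:
    """Expected annual loss, how it splits under the policy, and how often the limit is exhausted."""
    years = len(losses)
    retained = transferred = 0.0
    over_limit = 0
    for loss in losses:
        r, t = split_loss(loss, policy)
        retained += r
        transferred += t
        if loss > policy.retention + policy.limit:
            over_limit += 1
    return {
        "expected_total": sum(losses) / years,
        "expected_retained": retained / years,
        "expected_transferred": transferred / years,
        "p_exceeds_limit": over_limit / years,
    }


def exceedance_curve(losses: list[float], thresholds) -> dict[float, float]:
    """Probability that annual loss exceeds each threshold (a loss exceedance curve)."""
    years = len(losses)
    return {t: sum(1 for loss in losses if loss > t) / years for t in thresholds}


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    scenarios = [
        Scenario("ransomware outage", events_per_year=0.3, magnitude_low=200_000, magnitude_high=5_000_000),
        Scenario("privacy breach", events_per_year=0.5, magnitude_low=50_000, magnitude_high=2_000_000),
    ]
    policy = Policy(retention=250_000, limit=3_000_000)
    losses = simulate_annual_losses(scenarios)
    for key, value in summarize(losses, policy).items():
        print(f"{key:22s} {value:,.3f}")
    for threshold, prob in exceedance_curve(losses, [1e6, 3e6, 10e6]).items():
        print(f"P(annual loss > {threshold:>12,.0f}) = {prob:.3f}")
```

Two things the output shows that a heat map cannot: "expected_transferred" is the annual loss the insurer is actually absorbing (a defensible starting point for a premium conversation), and "p_exceeds_limit" is how often the chosen limit is inadequate. Raising the limit or lowering the retention and rerunning is how the insured and the insurer converge on a coverage level both can justify. The model deliberately ignores correlation between scenarios and sub-limits or exclusions in the policy wording; both matter for real underwriting and would be the next refinements.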