By Yakir Golan, CEO of Kovrr. Looking to bring cyber risk quantification solutions to global enterprises.
When you purchase auto insurance, both you and the insurer conduct an analysis of each other. The insurer checks out your driving history, the car model (what safety features it has) and where you store and drive your car. Meanwhile, you’re deciding how much coverage to purchase. For example, do you really need a low excess, legal expenses cover and breakdown cover?
The same principles apply when an enterprise decides to purchase or renew its cyber insurance. But how do you know exactly how much risk to transfer? What are the best methods for effective quantitative analysis in cyber insurance investment decisions? You can either guess or base your decisions on actual data by utilizing cyber risk quantification (CRQ). (Full disclosure: My company offers these solutions to global enterprises.)
What Does Cyber Insurance Cover?
Some policy providers of traditional property insurance and commercial general liability insurance have started to specifically exclude cyber risks in their terms and to write back the elements that they intend to cover (in some cases, none). For this reason, cybersecurity insurance has emerged as an à la carte coverage option intended to limit and reduce losses from everything from network damage to data breaches and beyond. It offers protection against a broad range of losses related to cyber incidents that businesses can cause to others or suffer themselves, such as:
• Destruction or theft of data
• Extortion/ransom demands
• Distributed denial-of-service (DDoS) attacks
• Legal cases (fraud, defamation, privacy violations, etc.)
• Regulatory and privacy compliance penalties
Some of the more common cyber insurance claims are triggered by ransomware, fund-transfer fraud attacks and business email compromise scams.
The Cyber Insurance Decision-Making Process
How can CFOs make informed decisions about cyber risk transfer and risk acceptance? In the past, financial CRQ was a long, painstaking process. Lengthy workshops, complicated questionnaires and interviews were the only way to reach a conclusion.
Despite this rigor, the insight gained was not always based on quantifiable threat data. Also, once the evaluation process was completed, it immediately began to lose its validity. If there’s one thing today’s threat landscape has shown us, it’s that nefarious tactics evolve rapidly in scope and sophistication.
As time goes on, a company’s intrinsic security profile changes along with its relationship to the threat environment. So where do you get clear risk transfer insights?
The Two Sides Of Cyber Threat Evaluation
Just like auto insurance, the vetting process considers two sides. On one hand, the car itself is evaluated. Does it have airbags, anti-lock brakes and evasive steering assistance? If it does, it’s safer, and this may lower the insurance premium.
The same concept applies to business security. That is, how well protected are you against an attack? How well developed are your security policies and practices? How solid are your firewalls and encryption? Do you have a data backup solution for critical data and system configurations? Have you implemented multi-factor authentication or identity and access management (IAM)? What do your software patching and update planning look like? How do you train your staff to ensure they are not the infiltration point?
It’s critical to evaluate your security readiness when making decisions about buying cyber insurance. Only a clear picture of where you stand now enables you to make the right capital management decisions.
However, security readiness is only part of the equation. Accurately assessing whether a threat is real and potentially damaging is also critical. Are you going to buy flood insurance in the desert? Of course not. Likewise, having detailed data about current and emerging threats enables you to determine where you need more cyber insurance and where you need less. For some areas, you might not need any insurance at all if your risk acceptance level falls below a certain threshold.
Cyber Insurance And CRQ
Insurance has always been heavily dependent on data, and insurance companies go to great lengths to collect and analyze data. This way they cultivate a viable insurance business model and provide a valuable service.
CRQ aligns with this process by assessing cyber risk based on real-world data. An effective solution provides access to global threat intelligence and financial impact data based on actual cyber incidents and cyber insurance claims.
Even better, CRQ can often provide the data on demand. This means you have the ability to assess the risk at any time, and the data reflects the current risk scenario, which evolves over time.
CRQ Assesses The Financial Impact Of Events
Rather than speaking in vague terms about cybersecurity, CRQ provides clear insight into your financial exposure to different types of events. The assessment takes into account your organization’s security readiness, external threat actor activity and potential third-party risk factors. By applying CRQ, your organization gains intelligence in the following CRQ areas:
• Security Resilience
What security controls do you have in place? How efficacious are they? Given your current status, where are your most important vulnerabilities?
Insights Gained: A company may become aware of previously undetected and significant ransomware risk. Or hidden risk may be identified stemming from a third-party service provider.
• Attack Frequency
What historical and ongoing cyber attack data is available? What new threats are emerging now?
Insights Gained: CRQ provides data surrounding how attacks unfolded in the past plus real-time current threat characteristics and probabilities. This helps identify where real risk is coming from and how it might impact your business.
• Threat Severity
Given the many potential threats, which ones place your organization at the most risk? How great is the potential damage for any given threat?
Insights Gained: Not all attacks have the same potential financial impact. CRQ categorizes threats by the level of potential financial damage, whether attritional, large or catastrophic. For example, year loss table illustrations show the potential economic impact of an event.
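To make the year loss table idea concrete, here is an added illustration (not Kovrr’s model or data) of how a simulated YLT, the attritional/large/catastrophic bands and an insurance layer with a retention and a limit fit together; the distributions, band thresholds and loss parameters are constructed assumptions, not fitted to real claims.

```python
# Year loss table (YLT) with a simple insurance layer, added here as an illustration;
# not Kovrr's model. Distributions, band thresholds and parameters are constructed assumptions.
import math
import random

ATTRITIONAL_MAX = 250_000   # constructed USD band limits for the text's three severities
LARGE_MAX = 5_000_000

def severity_band(loss):
    """Classify one event loss as attritional, large or catastrophic."""
    if loss < ATTRITIONAL_MAX:
        return "attritional"
    return "large" if loss < LARGE_MAX else "catastrophic"

def _poisson(rng, rate):
    """Knuth's method: number of events in one year for an annual rate."""
    limit, count, prod = math.exp(-rate), 0, rng.random()
    while prod > limit:
        count += 1
        prod *= rng.random()
    return count

def simulate_ylt(years, event_rate, median_loss, sigma, seed=7):
    """One (aggregate loss, band counts) row per simulated year: Poisson event
    frequency and lognormal event severity, parameters assumed rather than fitted."""
    rng = random.Random(seed)
    table = []
    for _ in range(years):
        bands = {"attritional": 0, "large": 0, "catastrophic": 0}
        total = 0.0
        for _ in range(_poisson(rng, event_rate)):
            loss = rng.lognormvariate(math.log(median_loss), sigma)
            bands[severity_band(loss)] += 1
            total += loss
        table.append((total, bands))
    return table

def apply_layer(annual_losses, retention, limit):
    """Split each year's aggregate loss into the insurer's share (above the
    retention, capped at the limit) and the company's retained share."""
    ceded = [min(max(loss - retention, 0.0), limit) for loss in annual_losses]
    retained = [loss - c for loss, c in zip(annual_losses, ceded)]
    n = len(annual_losses)
    return {"avg_ceded": sum(ceded) / n, "avg_retained": sum(retained) / n,
            "max_retained": max(retained)}

def exceedance_probability(annual_losses, threshold):
    """Share of simulated years whose aggregate loss exceeds the threshold."""
    return sum(1 for loss in annual_losses if loss > threshold) / len(annual_losses)
```

Running `simulate_ylt(10_000, 0.8, 120_000, 1.8)` and passing the aggregate losses to `apply_layer(..., retention=500_000, limit=5_000_000)` shows how much expected loss a given layer transfers versus leaves with the company, and `exceedance_probability` gives the chance that a year’s losses blow past a chosen limit.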
Clear Business Language Empowers Decision-Making
It’s not your IT team’s job to make insurance and investment decisions, even when it comes to cybersecurity. For cyber insurance-related capital management decisions, using quantitative analysis to prioritize risk is essential. The CFO needs to quickly grasp the data and its conclusions. Accurate and transparent information is critical for sound governance.