Monday, December 5, 2022

Overspending On Cyber Insurance? Leverage Cyber Risk Quantification To Assess Coverage

By Yakir Golan, CEO of Kovrr. Looking to bring cyber risk quantification solutions to global enterprises.

When you purchase auto insurance, both you and the insurer conduct an analysis of each other. The insurer checks out your driving history, the car model (what safety features it has) and where you store and drive your car. Meanwhile, you’re deciding how much coverage to purchase. For example, do you really need a low excess, legal expenses cover and breakdown cover?

The same principles apply when an enterprise decides to purchase or renew its cyber insurance. But how do you know exactly how much risk to transfer? What are the best methods for effective quantitative analysis in cyber insurance investment decisions? You can either guess or base your decisions on actual data by utilizing cyber risk quantification (CRQ). (Full disclosure: My company offers these solutions to global enterprises.)

What Does Cyber Insurance Cover?

Some policy providers of traditional property insurance and commercial general liability insurance have started to specifically exclude cyber risks in their terms and to write back the elements that they intend to cover (in some cases, none). For this reason, cybersecurity insurance has emerged as an à la carte coverage option intended to limit and reduce losses from everything from network damage to data breaches and beyond. It offers protection against a broad range of losses related to cyber incidents that businesses can cause to others or suffer themselves, such as:

• Destruction or theft of data

• Extortion/ransom demands 

• Distributed denial-of-service (DDoS) attacks

• Legal cases (fraud, defamation, privacy violations, etc.)

• Regulatory and privacy compliance penalties

Some of the more common cyber insurance claims are triggered by ransomware, fund-transfer fraud attacks and business email compromise scams. 

The Cyber Insurance Decision-Making Process  

How can CFOs make informed decisions about cyber risk transfer and risk acceptance? In the past, financial CRQ was a long, painstaking process. Lengthy workshops, complicated questionnaires and interviews were the only way to reach a conclusion. 

Even with this rigor, the insight gained was not always based on quantifiable threat data. Also, once the evaluation process was completed, its findings immediately began to lose validity. If there’s one thing today’s threat landscape has shown us, it’s that malicious tactics evolve rapidly in scope and sophistication.

As time goes on, a company’s intrinsic security profile changes along with its relationship to the threat environment. So where do you get clear risk transfer insights? 

The Two Sides Of Cyber Threat Evaluation

Just like auto insurance, the vetting process considers two sides. On one hand, the car itself is evaluated. Does it have airbags, anti-lock brakes and evasive steering assistance? If it does, it’s safer, and this may lower the insurance premium.

The same concept applies to business security. That is, how well protected are you against an attack? How well developed are your security policies and practices? How solid are your firewalls and encryption? Do you have a backup solution for critical data and system configurations? Have you implemented multi-factor authentication and identity and access management (IAM)? What do your software patching and update planning look like? How do you train your staff to ensure they are not the infiltration point?

It’s critical to evaluate your security readiness when making decisions about buying cyber insurance. Only a clear picture of where you stand now enables you to make the right capital management decisions. 

However, security readiness is only part of the equation. Accurately assessing whether a threat is real and potentially damaging is also critical. Are you going to buy flood insurance in the desert? Of course not. Likewise, having detailed data about current and emerging threats enables you to determine where you need more cyber insurance and where you need less. For some areas, you might not need any insurance at all if your risk acceptance level falls below a certain threshold.

Cyber Insurance And CRQ

Insurance has always been heavily dependent on data, and insurance companies go to great lengths to collect and analyze data. This way they cultivate a viable insurance business model and provide a valuable service.

CRQ aligns with this process by assessing cyber risk based on real-world data. An effective solution provides access to global threat intelligence and financial impact data based on actual cyber incidents and cyber insurance claims. 

Even better, CRQ can often provide the data on demand. This means you have the ability to assess the risk at any time, and the data reflects the current risk scenario, which evolves over time. 

CRQ Assesses The Financial Impact Of Events

Rather than speaking in vague terms about cybersecurity, CRQ provides clear insight into your financial exposure to different types of events. The assessment takes into account your organization’s security readiness, external threat actor activity and potential third-party risk factors. By applying CRQ, your organization gains intelligence in each of the following areas:

• Security Resilience

What security controls do you have in place? How efficacious are they? Given your current status, where are your most important vulnerabilities?

Insights Gained: A company may become aware of significant, previously undetected ransomware risk, or identify hidden risk stemming from a third-party service provider.

• Attack Frequency

What historical and ongoing cyber attack data is available? What new threats are emerging now?

Insights Gained: CRQ provides data surrounding how attacks unfolded in the past plus real-time current threat characteristics and probabilities. This helps identify where real risk is coming from and how it might impact your business.

• Threat Severity

Given the many potential threats, which ones place your organization at the most risk? How great is the potential damage for any given threat?

Insights Gained: Not all attacks have the same potential financial impact. CRQ categorizes threats by the level of potential financial damage, whether attritional, large or catastrophic. For example, year loss table illustrations show the potential economic impact of an event.
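The figures this section describes (attack frequency, threat severity and a year loss table that turns them into financial exposure, plus the risk-acceptance threshold mentioned earlier under "The Two Sides Of Cyber Threat Evaluation") can be illustrated with a small simulation. The following is an added example written for this page; it is not Kovrr's code or methodology. The scenario rates, loss distributions, severity bands and the "readiness" factor are constructed assumptions, and the retention/limit logic is a simplified aggregate-annual model rather than any real policy wording.

```python
"""Toy cyber risk quantification: build a year loss table (YLT) by Monte Carlo
simulation and read insurance-relevant figures off it.
Added example; all parameters below are constructed, not real loss data."""
import math
import random
from statistics import mean

# Constructed scenarios: annual attack rate and a lognormal loss per event
# (median in dollars, sigma = dispersion). Not taken from the article.
SCENARIOS = {
    "ransomware": {"annual_rate": 0.35, "median_loss": 400_000, "sigma": 1.2},
    "bec_fraud":  {"annual_rate": 0.80, "median_loss": 60_000,  "sigma": 0.8},
    "ddos":       {"annual_rate": 0.50, "median_loss": 25_000,  "sigma": 0.6},
}

# Constructed severity bands (lower bound of each band, in dollars).
BANDS = [("attritional", 0), ("large", 250_000), ("catastrophic", 2_000_000)]


def categorize(loss):
    """Map a single event loss to the attritional/large/catastrophic band."""
    label = BANDS[0][0]
    for name, floor in BANDS:
        if loss >= floor:
            label = name
    return label


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) (Knuth's multiplication method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ylt(scenarios, years, readiness, seed=7):
    """Return a YLT: one list of (scenario, loss) events per simulated year.
    `readiness` (0..1) is a hypothetical control-effectiveness factor that
    scales attack frequency down; it stands in for 'security resilience'."""
    rng = random.Random(seed)
    ylt = []
    for _ in range(years):
        events = []
        for name, p in scenarios.items():
            n = poisson(rng, p["annual_rate"] * (1.0 - readiness))
            for _ in range(n):
                loss = rng.lognormvariate(math.log(p["median_loss"]), p["sigma"])
                events.append((name, round(loss, 2)))
        ylt.append(events)
    return ylt


def annual_losses(ylt):
    """Total loss per simulated year."""
    return [sum(loss for _, loss in events) for events in ylt]


def annual_expected_loss(ylt):
    return mean(annual_losses(ylt))


def exceedance_probability(ylt, threshold):
    """Share of simulated years whose total loss reaches `threshold`."""
    losses = annual_losses(ylt)
    return sum(1 for loss in losses if loss >= threshold) / len(losses)


def severity_breakdown(ylt):
    """Count simulated events per severity band."""
    counts = {name: 0 for name, _ in BANDS}
    for events in ylt:
        for _, loss in events:
            counts[categorize(loss)] += 1
    return counts


def insured_vs_retained(ylt, retention, limit):
    """Mean annual loss kept by the company vs. paid by the insurer, using a
    simplified aggregate model: insurer pays min(max(loss - retention, 0), limit)."""
    retained, insured = [], []
    for loss in annual_losses(ylt):
        paid = min(max(loss - retention, 0.0), limit)
        insured.append(paid)
        retained.append(loss - paid)
    return mean(retained), mean(insured)


if __name__ == "__main__":
    for readiness in (0.2, 0.6):
        ylt = simulate_ylt(SCENARIOS, years=10_000, readiness=readiness)
        print(f"readiness={readiness:.1f}  AEL=${annual_expected_loss(ylt):,.0f}")
        for t in (250_000, 1_000_000, 5_000_000):
            print(f"  P(annual loss >= ${t:,}) = {exceedance_probability(ylt, t):.3f}")
        print("  events by band:", severity_breakdown(ylt))
        kept, paid = insured_vs_retained(ylt, retention=100_000, limit=2_000_000)
        print(f"  retained=${kept:,.0f}  insured=${paid:,.0f}")
```

Running the script compares two readiness levels: the exceedance-probability curve shows how often a year breaches a given loss threshold, which is the number to compare against a risk-acceptance threshold, and the retained-versus-insured split shows how much of the expected loss a particular retention and limit would actually transfer.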

Clear Business Language Empowers Decision-Making

It’s not your IT team’s job to make insurance and investment decisions, even when it comes to cybersecurity. For cyber insurance-related capital management decisions, prioritizing risk through quantitative analysis is essential. The CFO needs to quickly grasp the data and its conclusions. Accurate and transparent information is critical for sound governance.
