A new approach to risk assessment for cyber insurance
January 2015 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
The cyber marketplace continues to introduce new products to address emerging exposures and to accommodate exclusions in conventional property and casualty forms. Over $800m in total capacity is available to insureds looking for protection, with policy forms and their coverage features varying considerably. With the economic impact of cyber risk increasing by the day, the cost of inaction and miscalculation could leave enterprises with significant losses and liabilities, and the reputational damage associated with these events can be both severe and lingering.
In the past year, there has been a lot of discussion among corporations, IT professionals, government agencies and the press regarding the limitations of traditional cyber insurance in restraining potential cyber losses. For the industry, challenges arise from applying a legacy, event-based methodology to assess complex and sophisticated threats in a constantly changing cyber landscape. The role of cyber risk assessment for management purposes, as well as part of an insurance underwriting process, is undergoing a fundamental shift. Rather than only providing a limited summary of a company’s cyber security practices for risk transfer purposes, specialty cyber risk assessment firms are contributing much more meaningful analytics of a company’s security posture. In turn, this is further measured against the very best practices from a composite of domestic and global security standards and scored against peer companies in identical verticals.
Due diligence in the pre-binding phase
Cyber threats are ubiquitous and complex, mandating more than traditional endpoint fortifications such as firewalls or antivirus solutions. As a result, the process for quantifying cyber risk is changing. This shift is based on a unique approach that applies comprehensive due diligence to the application phase of insurance, customises an organisation’s security profile based on international and national industry standards, and assesses pre-binding risk based on holistic posture and overall maturity of security practices. The intelligence generated from this in-depth assessment is critical in the underwriting process and instrumental in premium setting. Mary Guzman, senior vice president and cyber practice leader for McGriff, Seibels & Williams Inc., believes that this type of assessment facilitates more confidence from both clients and the markets that are taking on this exposure. This is because the quality and scope of the underwriting is deeper and more measurable, as it should be for this very sensitive risk area. Ms Guzman also believes that building a more collaborative approach assures that all stakeholders gain something from the process.
For years, cyber insurance underwriters have relied predominantly on insufficient pre-binding checklists that focus on IT sensors, standard controls and previous security incidents in the decision-making process in order to determine whether a potential insured is provided with a bindable quote for insurance. This traditional methodology is fundamentally flawed and insufficiently examines the impact of all of the organisation’s investments in reducing its most significant risks. Checklists such as these, which are often completed by non-security personnel, are static. They rely on self-reporting, and rarely consider security measures beyond traditional data security controls, or the critical role of human behaviour in defence of cyber security.
The new due diligence approach for cyber insurance involves a pre-binding cyber risk assessment that reviews holistic threats as a means to identify a coverage applicant’s risk posture across the entire enterprise. For instance, a holistic cyber risk assessment would incorporate an organisation’s external business dependencies, such as the vulnerabilities introduced by every supplier, sub-supplier, and vendor into the applicant’s corporate ecosystem. Unlike a checklist review, this type of holistic examination considers other threat vectors that could contribute to a cyber loss event, including threats arising from international travel, intentional or unintentional insider threat, and lapses in physical security measures. Further, this approach is able to appraise how consistently the applicant has adopted, implemented and enforced an engaged cyber culture, with an emphasis on continuous improvement.
As a consequence, this in-depth and comprehensive examination provides both the insurer and the policy applicant with an accurate representation of enterprise risk while producing detailed intelligence on potential vulnerabilities. Using this data, applicants can proactively identify high-priority vulnerabilities before a potentially devastating cyber event occurs. Underwriters can also reflect the applicant’s score in the rating of the risk, and can reward applicants with premium credits for exceptional security strategies.
Due diligence in the post-binding phase
In addition to the pre-binding assessment, post-binding customers can continue to benefit from periodic risk assessments that provide insight into the multitude of evolving risks in the cyber realm. This allows the insured to optimise decision-making about the remediation of its high-priority risks. Cyber insurance providers may require that reassessments be conducted annually as part of this coverage in order to verify that policyholders are proactively addressing any vulnerabilities identified during the previous year’s assessment. This provides a reduction in potential financial liability for the insurer, can be an incentive in premium setting, and ultimately can contribute to a more resilient enterprise.
The conventional model for securing cyber insurance has begged for modernisation. With this new approach, cyber insurers are currently leading private innovation in adopting a system that rewards mature cyber security policies, as well as firms that boast strong internal systems and are able to demonstrate enterprise resiliency. As businesses acknowledge the pervasive nature of cyber threats and the dangers they pose to their organisations, as well as accepting that cyber attacks can be both frequent and severe, many are beginning to reassess their position on cyber insurance, especially if the process can be instrumental in both risk prevention as well as risk transfer. As Ms Guzman notes, firms are often “impressed with the output of this unique approach to cyber risk assessment for insurance in a couple of major ways. First, they benefit from a holistic approach that is not just compliance based, and therefore tells them how to re-focus their limited information security resources on areas that proved to be their most significant vulnerabilities. Secondly, organisations will eventually be able to benchmark themselves – anonymously – against their peers in terms of their information security maturity because the methodology uses the same scoring metrics across the entire customer base”.
In order for more organisations to trust the efficacy of cyber insurance, the industry must continue to evolve and serve the needs of the market. Old, static checklists are deficient in accurately assessing an organisation’s cyber security posture, particularly given the diversity of threat vectors and the emergence of new attack strategies by hacktivists, cyber terrorists and organised crime rings. Robust cyber security is marginalised when organisations default to overly simplistic IT-centric controls. By adopting a methodology that utilises comprehensive due diligence at the policy application phase and incorporates holistic risk assessment, insurance companies can better evaluate the cyber risks of their insureds and incentivise them in establishing an adaptive, mature and engaged security culture across their unique enterprise environments.
Armond Caglar is a director at TSC Advantage and can be contacted by email: firstname.lastname@example.org.
© Financier Worldwide