What your cyber risk profile tells insurers

Aug 01, 2016 | 7 mins
IT Leadership | Security

The purpose of a cyber risk profile is to assess your organization's insurability. The work you do upfront can go a long way toward ensuring you get adequate cyber insurance coverage and a better rate to boot.


A cyber risk profile is a complex measure of an organization’s security posture. It paints a picture of your risk related to technical aspects such as network and system security liability and network interruption, as well as more organizational aspects such as cyber defense maturity.

Although many organizations develop their own risk profiles for internal uses — like improving security — cyber insurance carriers use cyber risk profiles as a tool to determine risk when writing policies. A carrier takes the results of an organization’s assessments and creates its own profile, incorporating additional information that develops a deeper understanding of that organization’s risk.

Creating a cyber risk profile

The first step in creating a profile is performing a baseline audit of hardware and software and then performing a business impact analysis (BIA) to understand which applications contribute the greatest financial or reputational exposure. Along the way, defenses and the strength of technical controls must be reviewed, which can involve vulnerability assessments, penetration testing and the like, to assess both inside and outside threats. Organizations must also look closely at their security policies and user training, and how those align with compliance and operational goals.

According to Julian Waits, CEO of cyber risk advisory firm PivotPoint Risk Analytics, “The first thing an insurance company does when building a cyber risk profile [on a prospective insurant] is to determine if the house is on fire or not. Are there things that are obviously wrong with a given environment from a security perspective, from an end-user training perspective, from the maturity of the executive perspective that says we should be leery of covering a risk in this environment?” If the house is on fire, that is, if an organization has been breached and is suffering damage to the business, the chances of being approved for cyber insurance are obviously low. The problem is that breaches can take weeks or months before being detected. An organization that believes it’s in good shape might apply for cyber insurance, only to find out during the profiling process that the opposite is true.

According to the 2016 SANS Cyber Insurance Survey, most organizations perform a qualitative rather than a quantitative risk assessment, but insurers need quantitative results. The survey states that InfoSec professionals “don’t have enough accurate historical data to calculate the probabilities and magnitude of risks [the way] an insurance activity would.” Performing a quantitative risk assessment is a huge undertaking that is frequently beyond the abilities of small and mid-size businesses. They simply don’t have enough staff to crunch the numbers or are not sufficiently knowledgeable about how their data translates into risk probabilities. And many organizations find they have to update their policies and/or technical controls to get adequate cyber coverage. The survey reported that only 9 percent of respondents made no modifications, while 41 percent did.

Several risk frameworks are available to guide organizations through the process of developing a cyber risk profile. For example, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity uses a four-tier model that describes how cybersecurity risk is managed by an organization. This framework helps organizations measure and prioritize risk while factoring in business needs. The Cybersecurity Assessment Tool from the Federal Financial Institutions Examination Council (FFIEC) helps directors of financial institutions identify and mitigate risk and determine cybersecurity readiness. This tool also lays out a map to the NIST framework.

Information from threat intelligence (TI) services can also be used to benchmark an organization’s cyber risk. TI services rank threats according to severity, reputation of data source and relevance of a threat to a specific organization, among other factors. Many services now provide reports on whether an organization’s intellectual property — credit card or protected health information (PHI) records, for example — is being traded and sold on the Dark Web. “Threat intelligence is a component of overall cyber hygiene and set of defenses to guard your environment,” says Waits. “I think it’s crucial.”

Many cyber policies, no set standard

The problem with cyber insurance today is that there are many different types of policies, based on type of loss. “The first thing to understand about cyber insurance is those two words together are kind of a misnomer,” says Waits. “Insurance carriers slice up the market with, say, 20 different loss types. For each loss type, they create a black box: ‘Here’s what I’ll accept for risk and here’s what I won’t accept for risk.’” This approach doesn’t always align with an organization’s needs.

Also, there is no single standard that insurers can use as a measuring stick. Although the NIST cybersecurity framework and the FFIEC assessment tool are popular, ISO 27001, Federal Information Processing Standard (FIPS) and several others are available. Neither organizations in general nor insurance companies have settled on which framework to use.

The catch-22

Because cyber insurance is a relatively new thing in the insurance industry, carriers do not yet fully understand the various types of risk that organizations face. And insured parties don’t always understand the language in insurance policies and what their fine print means.

“When customers make claims, less than 50 percent are paid out completely because of fine print. But it’s incumbent on customers to understand what their risks are,” says Waits.

Essentially, the customer needs to understand its risks and the types of insurance limits it needs (in dollars of exposure) before engaging with insurance companies. With this information, the customer goes into insurance negotiations with leverage. It’s also better for carriers because they understand exactly what they are insuring. The problem lies in gathering the right information and asking the right questions in the first place. Failing to do so results in coverage gaps that are often exposed only after a claim is made.

Companies like PivotPoint educate their customers on cyber insurance matters, help them create a corporate profile and “translate that into something insurers can use.” For example, let’s say a company that accepts credit cards from customers is seeking cyber insurance. Its annualized risk of exposure for financials is $1.5 million. About $500,000 is associated with extortion, and $1 million is designated for data breach, due in part to PCI DSS requirements for storage of credit card records. The company can then visit an insurance broker, knowing the type of cyber insurances and limits it needs, and negotiate more strategically on how it wants the policies to work.

Getting more value over time

The value of a cyber risk profile isn’t only in getting insurance initially, but also in renewing policies down the road. In this respect, Waits compares cyber insurance to car insurance. If a driver can demonstrate a good driving record, and that his or her behavior is improving, the driver can use that as a tool to get a rebate or lower his or her insurance rate over time. Organizations should apply the same principle to cyber insurance from the perspective of return on investment (ROI). Improving their security posture while lowering financial and reputational exposure should put them in a position to negotiate a better deal as they and their insurers get to know each other.


Ed Tittel has been working in and around IT for over 30 years and has been a Windows Insider MVP since 2018. The author of more than 100 computing books, Ed is perhaps best known for his Exam Cram series of certification prep books. These days, Ed blogs weekly for and more often than that at Win10.Guru. To learn more about Ed, visit his website at