Are you ready for your cyber insurance company to help guide your risk management program?

Nov 08, 2017 · 5 mins
Risk Management, Security

Cyber insurance companies don’t want their insurance to be a substitute for a good cybersecurity program.


Many cyber risk management professionals across the world use frameworks such as NIST, ISO, ITIL and COBIT, among others, as the basis for running their programs. These are excellent foundations for a GRC (governance, risk and compliance) program, but there are still tricks of the trade that cyber defenders learn only in the school of hard knocks. Experience turns risk management into a combination of a disciplined framework, similar to a science, and, in reality, an art.

I recently attended a cyber security conference in which an industry expert spoke about cyber insurance. I asked her if the industry actuaries were able to estimate the chance of being breached and having to collect on a policy based on factors beyond what industry a customer’s business was in. The answer was that the industry vertical was the single most important factor in determining the risk of payout on a policy, and it was the only factor on which they had reliable actuarial data.

Too little evidence had been gathered so far to show which other factors contributed to (1) staying untouched, (2) being breached, or (3) discovering a breach in its early stages and avoiding catastrophe.

Gemalto reported 1,901,866,611 data records compromised in the first half of 2017. That is 10,507,550 records lost or stolen every day.

437,815 every hour.

7,297 every minute.

122 every second.

In addition, Gemalto published a breakdown of breaches by industry, which you would expect to resemble the statistics the cyber insurance companies have observed:

  • Healthcare 25%
  • Financial 14%
  • Education 13%
  • Retail 12%
  • Government 10%
  • Technology 8%
  • Other 6%
  • Industrial 4%
  • Entertainment 4%
  • Hospitality 2%
  • Non-Profit
  • Insurance 1%
  • Social Media

Ponemon and Accenture also collaborated on a recent report that put the average annual cost to victimized organizations at $11.7 million, up 62 percent from five years ago. The report also found that each company sustained 130 breaches per year on average.

Insurance companies don’t like to lose money, and over the long run their actuaries will discover which factors help them make educated decisions about which companies’ cyber programs constitute a reasonable risk.

It is obvious that too many organizations are being breached, and it is only a matter of time before actuaries gather statistical data on factors beyond the industry vertical.

All else being equal, you would logically expect industries with more breaches to pay somewhat higher premiums.

Insurance companies are in the business of making money, and they don’t want a cyber insurance purchase to be used as a substitute for a well thought out and well executed cybersecurity program.

There are many other factors that could be added to the actuarial model over time to see whether they have any merit in reducing insurance payouts, such as:

  • Is there a dedicated CISO or CSO to plan and implement security plans on a regular basis?
  • Is there a risk management framework that is being utilized in the management of the security program and is it measured for progress?
  • How many years of security specific experience and training do your security employees have?
  • Do the employees have training and/or certifications?
  • Do employees get any security awareness training?
  • What brand of endpoint protection is being utilized?
  • What type(s) of email security is being utilized?
  • Are there security policies in place to protect the business? Are they being enforced?
  • Is there a person or team that has training to handle security incidents?
  • Is 2FA or MFA (two-factor or multi-factor authentication) in use across the enterprise?
  • Are there regular vulnerability scans and timely patching taking place after discovering vulnerabilities?
  • Is there visibility into endpoints and network traffic that would allow security personnel to see if systems have been compromised and/or data is being exfiltrated or manipulated?
  • Are there privileged access controls in place?

What can be adjusted in the insurance policy according to actuarial risk measured over many variables like those above?

First premiums, then deductibles; and if many variables are found lacking in a particular area, could this eventually result in a lack of coverage for certain events?

Conversely, well-run risk management programs could earn lower premiums and deductibles.

Over time we will most likely see more stringent reporting requirements from insurance companies: enumerating the factors of interest when signing up for a new policy, and enhanced reporting on the specific factors of interest to actuaries that could be required before a policy pays out after a breach.

This data could be used by the insurance industry as a whole, as well as by clients attempting to improve their cyber risk management programs. Could this be one way to encourage data sharing on cyber risk management and on the factors that may have led to a breach?

What risk factors would you like to have actuaries focus upon in the future?


Bob Carver is a Senior Security Analyst at Verizon Wireless. He initiated and implemented one of the largest botnet monitoring networks for an ISP in North America with over 130 million customers. He started the first dedicated monitoring and incident response team from the ground up for the Verizon Wireless customer network and the supporting engineering network.

Bob has experience with risk management, security architecture projects – defining needs and requirements – people, processes and technology. He is a speaker, expert panelist, moderator and producer on cyber security and privacy issues, and presented executive workshops in the U.S. and in Toronto on “Securing the Internet of Things.”

Bob holds an M.S. in Information Systems as well as CISM (Certified Information Security Manager) and CISSP (Certified Information Systems Security Professional) certifications. He is a world-wide influencer on Twitter, LinkedIn for Cybersecurity, information security, IoT, privacy and other technology sectors, and was recognized in August 2017 as A Top Infosec Influencer on LinkedIn.

The opinions expressed in this blog are those of Bob Carver and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.