How to Fix Data Deficit on Cyber

The imprecision about cyber vulnerabilities and about how to price insurance is unnecessary. Data is readily available, if you look in the right places.


With cybersecurity insurance, as with cybersecurity, ignorance is not bliss. All parties in the contract, insurer and insured, need as much information as possible to make wise choices about coverage, pricing and payouts and to prevent unpleasant surprises. Unfortunately, they too often have more questions than answers.

Insurers frequently issue cybersecurity insurance policies based on estimates or even guesses rather than material data. They often lack the visibility or metrics that expose the policyholder’s vulnerabilities and risks or the controls the client is using to minimize the chances of a breach. 

As a result, these companies may charge the policyholder too much – or not enough, which could result in an increase later on. And without data and documentation showing evidence of properly applied and enforced cybersecurity controls and monitoring, the policyholder may find itself in a tight spot when filing a claim. 

If the policyholder can’t attest to the level of damage a breach has caused and measure its potential liability – whether personally identifying information was compromised, for instance – the policyholder may find itself waiting for the payout while the insurer investigates and determines what it is liable for. And then, depending on the results, the business may get less compensation than expected. 

The dispute that could result won’t be pleasant for anyone, and the claimant may suffer a premium increase that it can ill afford.

The insurance data deficit

None of these problems is necessary. Data is readily available regarding any organization’s cybersecurity posture and maturity, its areas of exposure and vulnerabilities, its cyber risks and the controls needed to mitigate them and more.

But companies may not know where to look for this information, and insurers often can’t advise them on how to find and use it. 

Having worked in the insurance industry and now in cyber threat intelligence, I’ve discovered four key actions that cyber insurance policyholders can take to correct this data deficit. In the process, companies can get the most value from their coverage for the least cost. Insurers could save resources, as well, as they issue policies with confidence in their customers’ ability to mitigate risks.

The cyber insurance dynamic duo: data and controls

Intelligent risk management, which is the essence of effective cybersecurity, involves two main components:

  • Data that demonstrates an organization’s areas of digital exposure – where hackers might try to get in – as well as the odds that each of these vulnerabilities will be attacked and the consequences if a breach occurs
  • Controls the entity puts in place to shore up its vulnerabilities, and evidence that it continually monitors and strengthens them as its threat surface changes.

By paying close attention to these two components, your organization can rest assured that it’s protected against cyber attacks and positioned to confidently transfer some of its cybersecurity risk to an insurer.

For the insurer’s part, it’s helpful to know that its policyholders know their risks and are reasonably secure and able to remain that way. Having this confidence can help insurers stabilize premium prices and better serve customers while protecting their own bottom lines. 


4 must-haves for a great cyber insurance outcome

To correct the cyber insurance data deficit, policyholders need diligence and documentation in these four areas:

1. Compliance with a cybersecurity framework. Organizations have a veritable alphabet soup from which to choose: CIS CSC, CBEST, FFIEC, ISO, etc. Which framework is best for you depends partly on the requirements of the industry you’re in. Many prefer the framework from NIST, the National Institute of Standards and Technology.

Often used for the protection of U.S. critical infrastructure, the NIST Cybersecurity Framework (NIST CSF) can help any organization. Using the NIST CSF to measure security control compliance is voluntary, unless yours is a federal government agency or does business with the federal government. On the other hand, not being NIST-compliant could be risky business, indeed.

NIST has already done the hardest part for you: provided a common set of rules and controls that can guide your enterprise to greater security. The NIST CSF is written in clear, concise language and is designed so that even those just beginning to use a framework to guide their cybersecurity program may find it helpful.

And because critical infrastructure is a national security concern, NIST compliance can assure policyholders and insurers that controls are in place to guard against the latest threats. What’s more, the insurer can more readily qualify the business for the proper level of insurance, saving time and, perhaps, money for both.

2. A thorough risk assessment. An increasing number of organizations have come to understand the risk-cybersecurity connection in recent years. Yet many fall short of conducting a full-scale cybersecurity risk assessment – one that weighs risks not only in their own organizations but up and down their supply chains.

With increasing threats and attacks directed at the digital domains of poorly protected and aging critical infrastructure, the U.S. federal government has seen the light regarding this need to supply proof of risk reduction. 

The White House’s February 2021 executive order makes a good start in encouraging better risk measures as it directs all public companies to assess their supply chain risks, including the digital supply chain. 

Software supply chain vulnerabilities have made headlines in recent years. In the so-called SolarWinds breach, cybercriminals planted malware in a security software update. The Log4j vulnerability reached countless applications through a widely reused Apache logging library. Both affected many thousands of businesses.

From these incidents and others we’ve come to realize how paying close attention to third-party risks is critical to securing an organization’s systems, networks and data.

More recently, the White House in May 2021 issued an “Executive Order on Improving the Nation’s Cybersecurity” that requires providers of software to federal agencies to assess their supply chain vulnerabilities and risks.

These long-overdue mandates stand to affect not only federal contractors but all enterprises. And, although companies may cast a wary eye on the amount of work required, they will certainly benefit from having a more secure supply chain – and from having a better relationship with their cyber insurance company.

3. Quantification of cyber risks. “Risk” can be a nebulous term that means something different to each entity. Enterprise risk assessments tend to prioritize risks with the non-specific “high,” “medium” and “low,” referring to the likelihood of each risk’s culminating in an attack and the severity of the consequences should an attack occur.

But what are the specifics? Where, precisely, does the insured have a presence online – its “digital footprint”? 

How widespread are its vulnerabilities? Where are these weak spots located? How likely are attackers to find and exploit each of them? 

How resilient is the insured – how able to carry on business as usual – in the event of an attack? How much would an attack cost the enterprise? How would it pay these costs?

These questions might seem daunting because there are no easy answers. Yet insurers ponder them all the time for other forms of insurance. 

When writing an auto insurance policy, an agent will consider the make and model of the car, for instance: an expensive sports car is more susceptible to theft than an older utility vehicle and so might command a higher premium. If the owner lives or works in a big city, the likelihood of an accident goes up, and so might premiums. And so on.

Cyber risk quantification is still a nascent field and may seem intimidating. But a quality threat intelligence solution can help: It can not only uncover an enterprise’s vulnerabilities overall but also help entities prioritize which gaps to address. 

By alerting policyholders to any online chatter, threat intelligence can help them determine which business sectors are more at risk and which are less so (and where their organization stands), and whether cybercriminals are targeting a particular business or software, including their own.

If your business is a retailer and the day after the U.S.’s Thanksgiving is approaching – Black Friday, the biggest shopping day of the year – you’ll want to double down on your monitoring of dark web forums and any chatter that may refer to your business. 

Any area of your business or its suppliers could be a target – point-of-sale systems, for instance. If your threat intelligence finds that 100 dark-web forums have posts about plans to target these systems, you’ll want to tighten your security to ensure attackers can’t use them to get into your business systems or steal data from your customers. 

And believe it or not, telling your cyber insurer about threats and showing how you’ve dealt with them can actually reassure them. They’re more likely to feel confident about covering your organization if they know you’re vigilant against potential attacks and can prove it.

4. A good and measurable security awareness policy. How effective is your security awareness program? 

Do you know whether employees, business partners, third-party suppliers and others who are a part of your organization fully understand the need for security, as well as what your security policies and guidelines are, and how to follow them?

Again, policy effectiveness can be tricky to measure – but the proof is in the pudding. Keeping track of cyber events and incidents and how they are handled can tell you how well you’re getting your messages through to your people – who are at once the front line and the greatest vulnerability to any company.


How to gather the information you need

For cyber insurers, there’s no such thing as too much information. 

Yet you can find yourselves hamstrung when trying to set fair policies and premiums, forced to make guesses that aren’t well-educated. 

Your best bet may be to include my four "must-haves" in policy requirements for cyber insurance applicants, or plan to do the due diligence yourself for each company you insure. As I’ve noted, this model already exists with other types of insurance. Home insurance policies and premiums depend on a number of quantifiable factors, including, perhaps, the age of the home, the materials of which it’s made and where it’s located. Auto insurance, as we’ve seen, can vary in price depending on the type of vehicle, where and how the driver will use it and the driver’s own driving history.

Threat intelligence (TI) is one very effective tool for gathering the data you need to make informed cyber insurance decisions. Today’s best TI software scans three areas of the internet:

  • The public internet, to find where companies are vulnerable to attack
  • The deep web, which comprises email accounts, private messaging and other non-public digital arenas
  • The dark web, the shadowy underbelly of the internet where cybercriminals often discuss targets and tactics as well as sell illicit goods and hacking software.

Each of these areas adds a dimension to your threat picture, for a view that’s truly three-dimensional. This type of threat intelligence lets you see whether your business or that of your client is a cybercrime target. It can show where vulnerabilities and security gaps might be, as well as how much risk they carry, so your company or client can strengthen them. It can reveal which types of data your company or client lost in a breach for more accurate assessment of the damage and how to respond.

Having this 3-D view helps companies fulfill each of the four must-haves in my list. 

  • Auditors will be able to use the data to determine your compliance with security frameworks. 
  • Risk staff can incorporate the data for more thorough and accurate risk assessments of the enterprise and its supply chain. 
  • The information can also help quantify the risks the policyholder faces for more accurate cyber coverage and premium prices. 
  • And being able to see where attackers are trying to enter and how, and whether they’re successful, can provide insight into the effectiveness of your security awareness policies and program.

Giving diligence its due

Insurers doing due diligence on cybersecurity policy applicants and holders need to make intelligence gathering a priority. The same is true for enterprises.

In the end, the results should be a more cyber-secure world and a stronger cyber-insurance industry. Getting there will take not only a lot of work but also mindset shifts on everyone’s part. The results will be worth it, however: bolstered confidence throughout the industry. Isn’t that the best insurance of all?

Christopher Strand

Christopher Strand is the chief risk and compliance officer at Cybersixgill.

He has spent the last 25 years developing business models and cutting-edge market opportunities within a broad range of IT security businesses. At Cybersixgill, he is responsible for leading the global security risk and compliance business unit, which helps companies and security executives bridge the gap between cybersecurity and regulatory cyber-compliance.

Previously, Strand served as chief compliance officer at IntSights Cyber Intelligence, where he established the first intelligence-based risk and compliance assessment program. Prior to that, Strand was one of the leaders at Carbon Black (formerly Bit9), where he drove the successful build-out of their cyber-compliance and security division through to their IPO and acquisition by VMWare.

Strand is trained as a security auditor, is a PCIP and participates in the development of cyber regulations globally. He is an active contributor and participant with ISACA, ISSA, ISC2 and the PCI SSC, frequently speaking and publishing information with a variety of media advocating for the evolution and alignment of compliance and security frameworks.
