August 8, 2018
How to Create a Resilient Cybersecurity Model
Insurers need tools providing visibility into their insureds’ cybersecurity ecosystems on a continual basis, such as security ratings.
As data breaches increase in type, severity and number, more companies plan to purchase cyber insurance. While cyber insurance premiums in 2016 in the U.S. were $5 billion, projections indicate they will increase to $20 billion by 2020. Complex cyber crimes leave insurers facing increasingly contentious relationships with their insureds. To create a resilient business model, both parties need to communicate effectively and understand the overt and hidden risks they face.
The Underwriting Communication Gap
Information forms the basis of strong underwriting. With traditional general liability policies, insurers can easily gather information on a company’s financial solvency by reviewing publicly available documents such as annual financial reports or credit ratings. With cybersecurity policies, attack vectors extend in a variety of directions, making information less tangible for underwriters.
With a compound annual growth rate of 41%, cyber insurers need insight into the full range of their insureds’ risks. The present model relies on questionnaires from applicants; however, when insureds misrepresent or misunderstand their risks, insurance companies suffer billions in losses. Often, the cost of a breach exceeds a policy’s liability limits, meaning that even companies with insurance find themselves underinsured. Because courts generally agree that general liability policies do not cover cyber loss, business continuity plans require appropriate insurance aggregates to fully cover losses.
Even the most sophisticated companies find themselves unaware of their biggest cyber risks. When insureds lack data, underwriters cannot effectively write policies. Thus, the communication gap poses a risk both for insureds that remain underinsured and for insurance companies that may be overextending their books of business. Security ratings act as a tool that allows better communication between insurers and their insureds when establishing a cybersecurity policy relationship, similar to credit ratings in the general liability arena.
The Claims Communication Gap
Insureds use insurance to protect their internal and external stakeholders. However, the communication gap creates a claims problem for insureds. Coverage litigation costs and a sense of betrayal ruin relationships between companies that share the economic ecosystem.
The Equifax breach offers a contemporary example. Most recent estimates place Equifax’s breach costs at $275 million, but the company retained only $75 million in cybersecurity insurance. A single employee’s failure to patch a known vulnerability in the Apache Struts Java application created an opportunity for hackers. Equifax’s failure to understand its own patching cadence led to its underinsured status and, ultimately, its severe losses.
Information Enables Resilience
The information security community focuses on resilience. When a distributed denial of service attack causes a company to shut down services for days or weeks, the company lacks cybersecurity resilience.
An insurance company’s resilience requires setting aside financial reserves to cover claims costs. Because cyber policies often cover business interruption costs, businesses that lack cyber resiliency too often incur losses and file insurance claims. Security ratings provide insight into an insured’s resilience. Because data breaches are inevitable, even companies with strong security ratings may be hacked, but their continued attention to their environments means they will have strong disaster recovery protocols that limit business interruption. To remain financially stable and resilient, insurance companies need to accurately estimate potential losses so that premiums align with their risk acceptance.
Insurance companies and their customers need shared visibility into the protected cyber ecosystem. Otherwise, insurers continue to undermine financial safety by overpricing premiums while companies risk their solvency by underinsuring their business. This business model promotes neither economic stability nor resiliency.
Continuous Monitoring Builds Continuous Relationships
Remedying the information and communication gap between insurers and insureds provides the only solution to the current resilience problem. Companies often prove, through audit reports, that they engage in information security, yet those documents show proof of only a single moment in time. Insurers need tools providing visibility into their insureds’ ecosystems on a continual basis, such as security ratings.
Organizations face data security threats from both their own IT environments and those of their vendors. One breached vendor creates a domino effect of cyber insurance claims as the damage travels through the supply chain. Insurers and insureds need to be able to communicate both visible and hidden cyber risks. Security ratings continuously monitor insureds’ endpoint security, IDS and antivirus, while also providing a shared language so insureds can communicate effectively with insurers. Insurers, conversely, can use the shared language of security ratings to communicate to insureds the impact that security vulnerabilities have on insurance premiums and coverage.
In the cyber insurance space, increased claim complexity degrades the symbiotic relationship. As insureds shop around for better premiums, insurers lose valuable business. To promote continued business relationships, the two parties can both benefit from automated tools that enable continuous communication about continuous monitoring. Tools to facilitate visibility help establish metrics for the appropriate pricing of risk to cover potential losses and set reasonable premiums.
Insureds must communicate with their insurance companies; however, companies focusing on the daily tasks of conducting business lose track of communication and time. Therefore, insurance companies need to protect themselves by monitoring their insureds. Security ratings are poised to help promote resiliency between, as well as within, industries by offering publicly facing data. With the right continuous monitoring metrics, SaaS platforms can enable continuous relationships that reinvigorate the insurer-insured symbiotic relationship.