Tag Archives: mssp

3 Things on Cyber All Firms Must Know

Managed security services providers, or MSSPs, continue to rise in presence and impact—by giving companies a cost-effective alternative to having to dedicate in-house staff to network defense.

In the thick of this emerging market is Rook Security. I spoke with Tom Gorup, Rook’s director of security operations, about this at RSA 2017. A few takeaways:

Outsourced SOCs. MSSPs essentially function as a contracted Security Operations Center, or SOC. Most giant corporations, especially in the financial and tech sectors, have long maintained full-blown SOCs, manned 24/7/365. And so the top MSSP vendors, which include the likes of AT&T, Dell SecureWorks, Symantec, Trustwave and Verizon, are aggressively marketing MSSP services to midsize companies, those with 1,000 to 10,000 employees.

See also: 7 Key Changes for Insurers’ Cybersecurity  

At the other end of the spectrum—catering to very small businesses—you have consulting technicians, operating in effect as local and regional MSSPs. These service providers may have one or two employees. They make their living by assembling and integrating security products developed by others, working with suppliers such as SolarWinds MSP, which packages and white labels cloud-based security solutions for very small businesses.

So what about the companies in between, those with, say, 50 to 999 employees? Security vendors recognize this to be a vastly underserved market, one that probably has pent-up demand for MSSP services.

What MSSPs provide. For midsize and large enterprises, MSSPs deliver an added layer of expertise that can help bigger organizations actually derive actionable intelligence from multiple security systems already in place, such as firewalls, intrusion detection systems, sandboxing and SIEMs. The top MSSPs tap into all existing systems and provide deeper threat intelligence services, such as device management, breach monitoring, data loss prevention, insider threat detection and incident response.

For small businesses, local MSSPs focus on doing the basics to protect endpoints and servers. This relieves the small business operator from duties such as staying current on anti-virus updates, as well as security patches for Microsoft, Apple, Adobe and Linux operating systems and business applications that are continually probed and exploited.

 Who needs one? Every business today is starkly exposed to network breaches. So who could use an MSSP? The calculation for midsize and large organizations is straightforward. The goal is to provide more data protection at less cost, based on thoughtful, risk-based assessments. The most successful MSSPs will help company decision-makers build a strong case for their services.

See also: Quest for Reliable Cyber Security  

At smaller companies, the first question to ask is this: How mature is my security posture to begin with?

Gorup observes: “Is security even on the radar right now? In smaller organizations, you might have just one person, part-time, working IT. Security is kind of secondary. I’d recommend seeking more advisory services to help detect phishing attacks, help build some processes, help understand what technologies you should invest in. This will allow growth to occur. And then you can make a natural transition into building an SOC or seeking SOC services.”

New Approach to Cyber Insurance

The most active players in the fledgling but fast-growing cyber insurance market are hustling to differentiate themselves.

The early adopters and innovators are doing so by accelerating the promotion of value-added services—tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.

As more businesses look to purchase cyber liability policies, insurance sellers are striving to dial up the right mix of such services, a blend that can help them profitably meet this pent-up demand without taking on too much risk.

The incentive is compelling: Consultancy PricewaterhouseCoopers estimates that the cyber insurance market will grow from about $2.5 billion in 2014 to $7.5 billion by 2020. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.

This anticipated growth in demand for cyber liability coverage—coupled with the comparatively low level of loss claims—has created strong competition in this nascent market.

The Insurance Information Institute estimated last year that about 60 companies offered standalone cyber liability policies. In total, more than 500 insurers provide some form of cyber risk coverage, according to a recent analysis by the National Association of Insurance Commissioners.

“There are quite a few players, so they are looking for ways to differentiate themselves and find competitive edges,” says David K. Bradford, co-founder and chief strategy officer for Advisen, an insurance research and analysis company.

Insurance companies make adjustments

Insurance carriers hot after a piece of this burgeoning market are beginning to offer value-added services to make their cyber offerings stand out.

See also: 8 Points to Consider on Cyber Insurance  

Rather than growing these services in-house, most are partnering with vendors and consultants that specialize in awareness training, network security and data protection. Services that boost the value of cyber policies are being supplied for free, or offered at a discount.  Typical cyber insurance valued-added services include:

  • Phishing and cyber hygiene awareness training
  • Incidence response planning
  • Security risk assessments
  • Best practices web portals and software-as-a-service tools
  • Threat detection services
  • Employee and customer identity theft coverage
  • Breach response services

One measure of value-added services gaining traction comes from the Betterley Report, which recently surveyed 31 carriers that offer cyber policies. Betterley found that about half offered “active avoidance services,” while nearly all offered some sort of pre-breach planning tools.

Rick Betterley, president of Betterley Risk Consultants, which publishes the Betterley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be better protected,” he says.

Betterley is a big proponent of adding risk-management services to cyber policies. He calls the approach Cyber 3.0, adding that it’s akin to the notion of insuring a highly protected risk in a property insurance policy. Cyber value-added services, he says, are the equivalent of fire insurance companies requiring sprinklers.

“It’s not required that insurance companies provide the services, but it’s required that they help insureds identify what services are likely to generate a reduction in premiums,” Betterley says.

Sector faces new challenges

That said, the cyber insurance sector is still finding its way. With auto crashes, fire or natural disasters, losses are well defined and fully understood. Cyber exposures, by contrast, are hard to pin down. Network vulnerabilities are extremely complex and continually evolving. And historic data on insurance claims related to data breaches remains, at least for the moment, in short supply.

An added challenge, Betterley says, is that insurance companies are unable to satisfactorily measure the effectiveness of security technologies and services in preventing a data breach.

Advisen’s Bradford agrees. “It’s a rapidly evolving area that changes day to day, and underwriters are definitely wary of recommending a particular vendor or approach,” he says.

Eventually, the insurance industry will figure out how to make meaningful correlations and separate the wheat from the chaff.

“In bringing in these value-added services, we can help shore up some of those areas where we’re seeing human error,” observes Dave Wasson, cyber liability practice leader at Hays Cos., a commercial insurance brokerage and risk management consultancy. “We’ll be at a point where we’ll know what makes a difference, and we can put our money, time and efforts into those solutions.”

Eric Hodge, director of consulting at IDT911 Consulting, part of IDT911, which underwrites ThirdCertainty.com, concurs. One ironic result of the recent spike of ransomware attacks aimed at businesses, Hodge says, is that more hard data is getting generated that is useful for calculating loss profiles.

See also: Another Reason to Consider Cyber Insurance  

Along the same lines, settlements of class-action lawsuits related to breaches of high-profile retailers, such as Target and Sony, is helping amass data that will help the industry flesh out evolving actuarial tables.

“Losses from cyber attacks and data breaches are becoming easier to quantify,” Hodge says. “And market forces are absolutely lining up to reward the wider use of these activities. It’s harder to ignore the fiscal argument for an insurer to go the extra mile in helping the insured organizations make sure that a costly breach doesn’t occur.”

AIG blazes trail

One notable proponent leading the way is multinational insurance giant AIG, which is nurturing partnerships with about a half-dozen cybersecurity vendors.

AIG services—some of which are offered to policyholders at no cost—range from threat intelligence and cyber risk maturity assessments to active detection and vulnerabilities assessments.

RiskAnalytics, one of AIG’s partner vendors, provides threat intelligence services, including a service that detects and shuns blacklisted IP addresses. Any AIG insured with a minimum $5,000 policy can participate at no additional cost.

The company’s partnership is exclusive to AIG, and appears to be very popular.

“We’re bringing in multiyear contracts, and the average sales price is on an impressive trajectory,” says RiskAnalytics Chief Operative Officer Kurt Lee. “It’s all born out of (customers) using that (introductory) service through the policy.”

Recognizing the trend, more vendors are seizing the opportunity to market their services to insurance carriers.

Vendors are willing to jump through the many hoops because a partnership with an insurance company is an opportunity to get a soft introduction to a potential client, says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider (MSSP) that is reaching out to carriers.

Dismantling roadblocks

As with any new approach, broad adoption of cyber insurance value-added services isn’t without hurdles. One major obstacle is the “’this-isn’t-how-we’ve-always-done-it’ way of thinking,” says IDT911’s Hodge. “It’s like trying to change our election processes—people resist altering a system that has been in place for a couple hundred years.”

Another barrier is cost. Insurance companies tend to reserve free or discounted added services for heavyweight clients that spend small fortunes on annual premiums, says John Farley, vice president and cyber risk practice leader at insurance brokerage HUB International.

“Carriers can’t give away a lot of resources, so the smaller premium payers are not getting a lot of these services,” Farley says. “But if they can streamline and automate resources and figure out how to get customizable, usable information to the insurance buyer, that insurance carrier will probably stand out.”

Brian Branner, RiskAnalytics’ executive vice president, says that’s exactly one of the benefits that AIG derives from their partnership.

“If we can get the insureds to use the services we provide, we should lower AIG’s loss ratio because they’ll be safer organizations, and AIG should receive less claims,” he says.

Hidden costs of a breach can affect a large enterprise for years, and prove catastrophic to a small business. So insurance companies in the vanguard are looking to find business clients that are taking information security seriously.

See also: The State of Cyber Insurance  

As more companies buy cyber policies, and use any attendant services, the result could be a halo effect, says IDT911’s Hodge.

“This is certainly something that the insurers are counting on,” Hodge says. “A more secure buyer is a lower actuarial risk to the insurer.”

Meanwhile, policyholders should steadily become better equipped to securely do business in an internet-centric economy riddled with evolving exposures.

Hodge says: “In my experience, the buyer is often pleasantly surprised by the improvement that can come about quickly in terms of knowing their risk, being compliant with their industry standards and being able to indicate to the marketplace that they are taking good care of their customer’s information.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.