May 16, 2018
The New Cyber Insurance Paradigm
Two big problems: There is absolutely no standardization in the data that cyber insurers collect, and it quickly becomes outdated.
Across industries, many mature organizations have become acutely aware that their industrial-based business models, which strive for control, efficiency and scale, are not designed for speed, innovation or individualized customer experiences. Corporate leaders have no option but to consider using cloud-based platforms, but that introduces new vulnerabilities.
Finding an appropriate balance between cybersecurity and privacy strategy while allowing for innovation is of fundamental importance.
As all businesses will become “data companies” in the digital networked world, the cyber insurance industry needs to adapt to effectively underwrite and manage the most dynamic risk in the world. Everyone wants a piece of the action, as there are more than 70 U.S. carriers and 30 U.K. carriers that offer cyber insurance, and the supply will continue to grow rapidly.
There is, however, one fundamental flaw – there is absolutely no standardization! We don’t capture the same data points, conforming to an industry data classification, so there is no gold standard for coverage.
See also: New Approach to Cyber Insurance
How can the industry appropriately underwrite, analyze and manage the most connected risk in the world if carriers don’t capture the same data points in their underwriting application and there is no common data classification to map toward? Each insurer is analyzing different data.
Perhaps even a greater issue is that the data is captured at a point in time, typically via checkboxes on a paper application. The data quickly becomes outdated. Unless a vulnerability assessment is mandated for some of the larger enterprises to obtain coverage, there is no true validation of the prospects’ security posture.
Insurers are not capturing contextual data to validate their insureds’ policies and controls that ultimately represent the risk. Is it enough to ask, “Do you educate or train users on information security and privacy?”, or would it help to know whether one insured does training once a year during lunch while another insured holds quarterly training meetings with randomly scheduled, unannounced phishing simulations throughout the year?
Cyber insurance needs context and validity; the industry is deficient in both!
In direct, online-to-bind insurance, some carriers require only four to six data points to underwrite the risk and present a quote in a matter of minutes. Are a company’s industry, revenue, address, number of records and a question on any previous claims really enough to understand the risk? I understand that we need a seamless customer experience to ensure we don’t lose new business, but requiring so little data looks more like a reckless arms race to see who can capture the most SMB business than anything else.
There is no validation of the actual inputs from the insured (major issue!) and, in terms of customer experience, we should focus on strategically important issues such as integrating cyber risk mitigation with cyber insurance under the umbrella of an organization’s cyber risk management. Customers need a holistic solution evaluating risk mitigation and risk transfer.
Anyone who has gone through risk and compliance assessments at the enterprise level will agree that they need to be streamlined, with a centralized solution that collects and analyzes information about the cyber program and that quickly reacts to identified vulnerabilities and regulatory requirements. The traditional, siloed approach, where a company completes assessments in confusing, overly detailed Excel documents specific to a single regulation or standard (e.g., PCI, HIPAA, NIST, ISO), keeps resources tied down and focuses on completing each assessment rather than truly understanding broad exposure. The approach unfortunately shifts the focus to defense, i.e., complying with regulations, instead of producing actionable insights that enhance cyber maturity.
This manual, labor-intensive process does nothing to solve the snapshot problem, and a company’s cyber exposure or cyber maturity is not nearly the same on Jan. 15, 2018, as it will be on Jan. 15, 2019. Continuous, standardized insight into a company’s cyber risk is required to appropriately assess risk.
Insurers are spending thousands on isolated solutions, such as SecurityScorecard and Bitsight, yet they are only viewing cyber risk through a small prism, as these solutions only provide a snapshot of risk from what’s available on the internet and open-source databases.
What most insurers don’t realize is that successful cyber insurance underwriting comes at the intersection of insurtech and regtech. Insurers need to shift toward a digital platform that standardizes data capture, makes the data immediately available for analysis and continuously analyzes an insured’s risk throughout the policy period. Both insurers and clients need a standardized assessment that automates the manual processes of traditional risk assessments and allows companies to automate and streamline the IT and vendor audit process by mapping to several security standards, such as NIST, ISO, HIPAA, PCI and the NY DFS Regulation, through one assessment.
In responding to market needs, companies like Cyberfense will prevail. In stealth mode for the last year, Cyberfense is now working with two of the largest cyber insurers to streamline the underwriting process while providing continuous insight into a company’s cyber maturity and mapping a company’s cyber risk to most national and global security standards. Cyberfense helps insurers manage cyber risk by analyzing an insured’s exposure and detailing recommended solutions so the client easily understands how to fill security and compliance gaps.
See also: Promise, Pitfalls of Cyber Insurance
The eRisk hub that many insurers offer now does not provide any added value as it is simply a list of vendors that a client could Google itself. Insurers need to guide their clients with appropriate solutions as early as possible and in a manner that is not too invasive. With standardization and automation, you will then create a brokerage force that can finally understand cyber insurance and is more willing to sell the coverage and act as an adviser to their client.
This is how we effectively underwrite and manage cyber risk.