Cyber Insurance: Lower Your Premiums

C-level executives who read the latest Ponemon Institute Cost of Data Breach Study have to think seriously about whether their organization has sufficient information security risk-mitigation measures in place – including enough cyber insurance. According to the study, the average organizational cost of a data breach in the US has increased 19.8% since 2014, and the average cost per record breached is now at $237. Over that same time interval the likelihood of experiencing a breach involving at least 10,000 records increased by more than 26%. The cause of the increasing cost of doing business across the Internet? Malicious attacks top the list at 51% of reported US occurrences.

Note, however, that the Ponemon study does not consider breaches of more than 100,000 records as their costs quickly become astronomical – for example, Target’s total cost from its 2013 POS data breach, not including currently unresolved lawsuits, now stands at $291 million. Carrying cyber insurance does provide a measure of risk mitigation relative to a potential breach, but the cost of premiums can be significant and – as Target discovered – the liability limits may be far short of the total damages.

What’s Driving the Cost of Cyber Insurance

The high cost of insurance is partly due to the increasing costs and likelihood of a potential breach, but there is more driving the prices than that. The most significant difficulty for cyber insurers today continues to be quantifying cyber risk. This is in part the result of a lack of critical mass of actuarial data concerning cybersecurity – especially compared to the petabytes of data on claims and risk factors related to car, life, and home insurance.

Another issue is that the insurance industry matured with the implicit understanding that covered entities exist independently from one another and can be considered isolated and discrete for risk-modeling purposes. That assumption quickly falls apart in today’s networked environment. Information systems are highly interconnected, and they develop tremendous economic value largely from that connectedness. While we can readily acknowledge this phenomenon in our day-to-day lives, the insurance industry has yet to agree upon how to model the associated risks.

Another contributing factor when it comes to underwriting cyber insurance policies is the automatonic nature of those interconnected environments: Under normal conditions, they generate revenues for their operators; thus any failure or downtime must equate to a loss of income. Moreover, when systems are compromised by malicious attack, they become threats to other connected systems.

A brief by advisory firm Novarica found that cyber insurance coverage is, understandably, in high demand, outstripping the supply of policies available and further driving premium prices. To mitigate their inherent risk in writing a policy without a quantitative scheme, insurers must rely on qualitative assessments of the risk culture and risk management procedures of each applicant. Underwriters review the organizational disaster response plans in relation to the process used to mitigate the organization’s risks associated with its networks, website, assets, and intellectual property. Applicants can expect pointed questions on how employees, contractors, and vendors access the infrastructure, how applications respond to penetration tests, and any unique issues raised during on-site evaluations. Furthermore, executives and security professionals will be asked to quantify the business and technological threats and their impact on the organization as part of a discussion of how those risks are systematically managed.

Quantifying the Impact of Cyber Threats

Quantifying an organization’s critical cyber threats and the associated risks is nearly impossible for underwriters because the task has proven Herculean for CISOs and other senior managers. With the daily volume of newly introduced potential threats surpassing the 100,000 mark and most SDLC initiatives moving to an Agile development methodology, the capacity of traditional threat modeling methodologies to provide real-time quantitative data on an organization’s threat exposure and the related impacts is severely strained, if not totally overwhelmed.

Quantifying Technological Threats

Security professionals are already well aware of the physical damage that a cyber attack could inflict on a database server or other IT infrastructure. Many, however, report challenges in actually tracking it. Quantifying the risk profile through the implementation of an operational threat model would improve the ability of security and ERM executives to generate the data-driven, real-time information needed both to assess their current infrastructure risk profile and to understand the impact that emerging threats pose.

However, cyber attacks have also demonstrated the capacity to damage non-IT specific systems. Security professionals, ERM executives, and cyber insurance underwriters need to expand their review to include all the organization’s physical assets and operational systems that are controlled or affected by the IT systems. What would happen, for example, if a computer controlled cooling system was disabled? The unmanned steel mill in Germany that experienced such an attack suffered “massive” damage when the blast furnace could not be shut down. Stakeholders need to consider the potential losses related to cyber threats across the company’s entire PP&E asset class, not just the IT infrastructure.

Quantifying Business Threats

While the understanding of how a cyber attack could impact a company’s technology and property is still developing, the potential business impact is better understood. Stakeholders can reference and sort through a decade of general data by company size, industry, or other relevant criteria. For example, the Global State of Information Security 2016 report by PricewaterhouseCoopers (PwC) provides the typical impacts and financial costs of information security incidents:


What underwriters lack, however, is quantifiable information on how a particular organization's information security measures compare to those of its industry peers. Quantifiable data useful to cyber insurance underwriting should be an output of an organization’s threat modeling practice:

Common Auto Insurance Factors

  What you drive
    - Vehicle safety rating
    - Vehicle age
    - Likelihood of theft

  How you drive
    - Driving history
    - Driving activity

  Where & why you drive
    - Area population
    - Driving purpose

Potential Cyber Insurance Factors

  What is the attack surface
    - Application characteristics
    - Operating ecosystem

  What are the exposures
    - Top 10 threats
    - Data assets on hand

  What is the threat portfolio
    - Probable attacker profiles
    - Likely attack vectors
    - Overall threat profile

Threat Modeling can Lower Cyber Insurance Costs

Clearly, much work remains to bring cyber insurance to the same maturity as other forms of insurance and risk mitigation. If and when that happens, though, is well outside the sphere of influence of any one organization.

However, individual organizations can do much to impact their cyber insurance premiums, just as they would do with other forms of insurance and risk mitigation. A threat modeling practice based upon the VAST methodology allows organizations to effectively address five key areas of importance to cyber insurance providers:

  1. Establish proactive system hygiene - The majority of insurable cybersecurity events are driven by active, malicious players with strategic objectives, who have the skills and resources to realize their goals. Underwriters seek data-driven evidence that applicants are actively monitoring and protecting confidential consumer data and PII appropriately. Operational threat models - which explicitly consider the threats relevant to the organization’s infrastructure design and operations - provide real-time analysis of the attack surface and data exposure.
  2. Develop a comprehensive risk-reduction plan - Underwriters will want to see the organization’s plan to incorporate relevant cyber risks into the overall ERM. Essential to this is the contextual prioritization of potential threats regarding business and technological impact. Conceptually all threat modeling methodologies provide for the identification and enumeration of relevant threats, and some methodologies provide certain measures of risk analysis.
  3. Map out the organization’s comprehensive cyber-risk profile - Insurers need to understand the applicant’s past, current, and ongoing cyber-risk profile. In particular, they need to view this from the perspective of the highly interconnected and automatonic nature of the cyber ecosystem. A single application threat model, or even a portfolio of threat models, cannot map out an organization’s full associated risk profile unless each of the organization’s threat models can be chained. Only in this way can threats generated by application interactions, shared infrastructure components, and 3rd party elements be accurately identified and enumerated.
  4. Contextually prioritize threats and assess related risks - An organization’s threat modeling process should provide both senior executives and security teams the actionable output they need to address the organization’s full portfolio of potential threats and the associated risks. Decision makers and underwriters will benefit from a threat modeling practice that provides, in real-time, the enterprise top-ten threats and the overall threat portfolio.
  5. Effectively mitigate potential threats before risk exposure - Eleven years of the Ponemon study have demonstrated that the frequency and cost of security breaches are increasing. Traditional threat modeling processes provide some limited benefits in identifying relevant threats. They are less effective in that capacity, however, if they cannot scale or seamlessly integrate into the organization’s Agile software production methodology. Underwriters want to see a scalable threat modeling process that is integral to the SDLC initiative to be assured that the associated risks are effectively and pre-emptively mitigated during application design and development.
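As an added illustration of the chaining described in point 3 and the enterprise top-ten output described in point 4 (a constructed example, not VAST tooling or code from the original article): per-application threat models are merged on the shared infrastructure and third-party components they depend on, so a threat recorded against a shared component counts against every application that uses it, and the enterprise ranking is derived from that merged view. The application names, component names, threats and the 1-5 likelihood and impact scales are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (frequent); constructed ordinal scale
    impact: int      # 1 (minor) .. 5 (severe); constructed ordinal scale
    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass
class AppModel:
    app: str
    components: set  # infrastructure and third-party elements the app depends on
    threats: dict = field(default_factory=dict)  # component -> [Threat]

def chain_models(models):
    """Merge per-application models on shared components: a threat recorded
    against a component exposes every app that depends on it, including apps
    whose own model never listed that threat."""
    exposure = defaultdict(lambda: {"apps": set(), "score": 0})
    for m in models:
        for comp, threats in m.threats.items():
            for t in threats:
                entry = exposure[(comp, t.name)]
                entry["apps"].add(m.app)
                entry["score"] = max(entry["score"], t.score())
    for (comp, _), entry in exposure.items():  # chaining step
        entry["apps"].update(m.app for m in models if comp in m.components)
    return exposure

def top_threats(exposure, n=10):
    """Enterprise ranking: threat score weighted by the number of exposed apps."""
    ranked = sorted(exposure.items(), reverse=True,
                    key=lambda kv: (kv[1]["score"] * len(kv[1]["apps"]), kv[0]))
    return [(comp, name, sorted(e["apps"]), e["score"] * len(e["apps"]))
            for (comp, name), e in ranked[:n]]

def sample_models():
    """Constructed sample portfolio; names, components and ratings are made up."""
    return [
        AppModel("billing", {"customer-db", "payment-sdk"},
                 {"customer-db": [Threat("SQL injection", 3, 5)],
                  "payment-sdk": [Threat("Vulnerable dependency", 2, 4)]}),
        AppModel("portal", {"customer-db", "sso"},
                 {"sso": [Threat("Credential stuffing", 4, 4)],
                  "customer-db": [Threat("Excessive privilege", 2, 5)]}),
        AppModel("mobile-api", {"sso", "payment-sdk"}),  # not yet modelled on its own
    ]
```

Note that mobile-api, which has no threats of its own recorded, still inherits the identity-provider and payment-SDK threats through the components it shares, which is exactly the exposure an isolated per-application model would miss.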

Organizations seek affordable insurance as part of their overall risk-mitigation strategy. Insurers seek to provide coverage that meets applicants’ needs while presenting a minimum exposure to unknown variables or non-uniform situations. While the motivations of the parties on either side of an insurance policy are inherently diverse, both are equally well served by the recent developments in threat modeling methodology. With a well-tuned threat modeling practice, organizations can work with their insurer to create a win-win scenario for both - which will mean lower cyber insurance premiums for the organization.
