As data mega-breaches dominate the mainstream news headlines, businesses worldwide are necessarily focusing on how to manage and mitigate cyber risk. The Marriott breach is only the latest in a litany of incidents whose repercussions will surely echo for a long time to come, but what needs to be the response? Tom Turner investigates.
Put simply, the current threat environment means that breaches are inevitable. They are a cost of doing business in the connected world, but not a trivial one: the average financial cost of a breach now stands at £934,000, and punitive legal consequences and reputational damage come on top of that. Data breaches have the clear potential to reduce a company’s valuation. That puts cyber risk firmly on the Boardroom agenda.
In a bid to transfer the risks of a cyber breach, enterprises are now looking very seriously indeed at cyber insurance. It’s a market that has been growing over the past few years and one that’s set to take off as companies seek comprehensive protection. However, there are challenges both for companies trying to purchase the right cyber insurance policy and the insurers aiming to provide it.
What, then, are the critical questions businesses need to ask carriers when assessing a policy? In parallel, what information do carriers need in order to sufficiently measure the security posture of a growing pool of applicants and identify aggregate risk across their book of business?
Risk and regulation
At present, around 80% of cyber insurance policies are held by US businesses. That may seem surprising, given that US and European businesses are exposed daily to the same kinds of cyber threats. The prime reasons for the difference between the two territories relate to contrasting legal frameworks around privacy and the varying appetites for litigation.
The US regulatory approach to privacy gives companies clarity about their liabilities and therefore about what can be insured against. At the same time, the more litigious culture in the US has made it worthwhile to buy that insurance, as companies seek to protect their reputations and business stability.
European companies, by contrast, have approached cyber insurance from the standpoint of resilience and business continuity. They have been less concerned about the repercussions of non-compliance with an ageing data protection regime that many did not regard as relevant or enforceable. Operating in a much less litigious environment, European organisations have lacked the stimulus to explore cyber insurance fully.
The European Union’s General Data Protection Regulation (GDPR) has changed all of that. The risks to European businesses from data breaches are now quantifiable and high profile, prompting them to try to insure against the legal, financial and reputational damages that a data breach might entail.
The advent of more stringent European regulation coincides with an escalating threat environment. Cyber crime continues to grow and every connected business is exposed.
In combination, the above factors place the cyber insurance industry on the edge of major growth.
Insuring a moving target
The insurance industry is expert at assessing and quantifying risk, but cyber insurance presents new challenges. Regulations, once implemented, remain relatively static; the threat environment evolves at breakneck speed, creating a moving target that both carriers and the businesses they insure must track and mitigate.
Boards of Directors need to be confident that their insurance effectively transfers risk considering the current threat and regulatory environment. For their part, insurers need a comprehensive view of the organisation’s security posture. This can prove difficult to assess.
Today, insurers rely on questionnaires, penetration tests and on-site assessments for insight into the cyber security posture of their applicants. These methods can be effective, but they are time-consuming and expensive, and each provides only a point-in-time snapshot: a penetration test covers a fixed scope on a fixed date, and a questionnaire records what the applicant believed to be true when it was filled in. That is a weakness given how connected today’s organisations are and how much of their exposure is third party risk.
The corporate ecosystem changes constantly. Supply chain relationships and mergers and acquisitions activity exert an ongoing effect on an organisation’s security posture, since every new vendor integration or acquired network extends the attack surface the insurer is underwriting. Without regular insight into how an organisation’s partners are evolving, the insurer cannot assess the risks the business actually faces at the time of the policy.
In order to streamline the underwriting application process and identify areas of aggregate risk, insurers need more data-driven tools that provide insight into the past and current cyber security performance of applicants.
Lack of ongoing insight
This lack of ongoing insight is also a problem for the business itself. How can the Board set the organisation’s cyber risk appetite if it does not have an accurate picture of the risk? Businesses need to understand their own security posture and the possible scale of a worst case incident so that they know what is required of any cyber insurance policy if it is to protect against the reputational and financial impacts of a breach.
In a landscape that changes so quickly, up-to-date and independent risk intelligence is essential for businesses and carriers alike. Solving this problem is the rationale behind Security Ratings. These draw on the large volume of externally observable data that reveals an organisation’s security behaviour and how its security policies are actually implemented, without requiring access to the organisation’s own systems. The result is an empirical, objective, data-driven measure of security performance. More than 120 billion events are collected daily from 120 data sources to map 160,000 companies. The data is validated using both automated processes and human review, then grouped by risk vector, and the combined result is the organisation’s Security Rating.
Low Security Ratings correlate with a higher likelihood of breach: an organisation rated below 400 is five times more likely to suffer a data breach than one rated 700 or higher. That is a correlation across a large population, not a prediction for any single organisation, but it is strong enough to be useful for pricing and prioritising risk.
Because Security Ratings are derived from continuously collected data, they can be monitored over time to identify changes in risk, so that organisations can remediate and insurers can react. This continuous, outside-in view adds what a point-in-time assessment cannot: visibility of what changes between assessments. It is increasingly used by insurers to assist in underwriting cyber insurance policies.
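As an added illustration of the idea in the preceding paragraphs (this is example code written for this page, not BitSight’s rating methodology or any product’s code), the Python below builds a toy outside-in rating from constructed external observations. The risk vectors, weights, 250 to 900 scale, 30-day window and linear decay are all assumptions chosen for the example; the only figures taken from the article are the 400 and 700 thresholds and the fivefold difference in breach likelihood between them. It shows two things the text describes: the validation step that stops the same finding reported by several data sources from being double-counted, and why continuous monitoring sees a degradation that a single audit-day snapshot misses.

```python
"""Hypothetical continuous external-risk rating (example only, not BitSight's model)."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_RATING = 900    # assumed ceiling; the article only quotes the 400 and 700 thresholds
MIN_RATING = 250    # assumed floor
WINDOW_DAYS = 30    # assumed: a finding stops counting 30 days after it was observed

# Assumed risk vectors and the penalty for one distinct finding in each (hypothetical weights)
WEIGHTS = {"botnet_infection": 30, "spam_propagation": 15, "open_port": 10, "weak_tls": 8}


@dataclass(frozen=True)
class Observation:
    day: date
    company: str
    vector: str
    detail: str   # what was seen, e.g. an infected host or an exposed service
    source: str   # which external data source reported it


def validated_findings(observations, company):
    """Automated validation: drop unknown vectors and collapse the same finding
    reported by several sources on the same day into a single finding."""
    seen = set()
    for o in observations:
        if o.company != company or o.vector not in WEIGHTS:
            continue
        key = (o.day, o.vector, o.detail)
        if key not in seen:
            seen.add(key)
            yield o


def rating_on(observations, company, day):
    """Rating on `day`: start at the ceiling and subtract every validated finding
    from the trailing window, weighted by vector and decayed linearly with age."""
    penalty = 0.0
    for f in validated_findings(observations, company):
        age = (day - f.day).days
        if 0 <= age < WINDOW_DAYS:
            penalty += WEIGHTS[f.vector] * (1 - age / WINDOW_DAYS)
    return max(MIN_RATING, round(MAX_RATING - penalty))


def relative_breach_risk(rating):
    """Relative breach likelihood as the article states it: below 400 is five times
    that of 700 and above. The article gives no figure for the middle band."""
    if rating >= 700:
        return 1.0
    if rating < 400:
        return 5.0
    return None


def lowest_rating(observations, company, start, end):
    """Continuous monitoring: the worst (day, rating) seen on any day in [start, end]."""
    worst = None
    for i in range((end - start).days + 1):
        day = start + timedelta(days=i)
        r = rating_on(observations, company, day)
        if worst is None or r < worst[1]:
            worst = (day, r)
    return worst


# Constructed sample data (not real telemetry): one exposed RDP port on day 0, then a
# 20-host botnet outbreak on day 10 that two separate sinkholes both report.
DAY0 = date(2019, 1, 1)
OUTBREAK_DAY = DAY0 + timedelta(days=10)
AUDIT_DAY = DAY0 + timedelta(days=45)      # the day a one-off assessment happens to run
SAMPLE = [Observation(DAY0, "acme", "open_port", "203.0.113.5:3389", "scanner")]
for n in range(20):
    host = f"host-{n}"
    SAMPLE.append(Observation(OUTBREAK_DAY, "acme", "botnet_infection", host, "sinkhole-A"))
    if n < 10:  # duplicate reports from a second source must not double-count
        SAMPLE.append(Observation(OUTBREAK_DAY, "acme", "botnet_infection", host, "sinkhole-B"))


if __name__ == "__main__":
    snapshot = rating_on(SAMPLE, "acme", AUDIT_DAY)
    worst_day, worst = lowest_rating(SAMPLE, "acme", DAY0, AUDIT_DAY)
    print(f"snapshot on {AUDIT_DAY}: {snapshot} (relative risk x{relative_breach_risk(snapshot)})")
    print(f"worst monitored rating: {worst} on {worst_day} (relative risk x{relative_breach_risk(worst)})")
```

Run as a script, the snapshot taken on the audit day reports a clean 900, because by then the outbreak has aged out of the window, while the monitored series records a low of 293 on the outbreak day, which the article’s figures would place in the fivefold-risk band. In a real rating model the weights, decay and validation rules would be calibrated against observed breach data rather than chosen by hand as they are here.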
Key questions to ask
Having current intelligence about their organisation’s risk rating is a good basis on which to build a cyber insurance strategy, but what practical questions should companies also ask prospective insurance cover providers?
It’s essential to find out which types of incident are covered and which are specifically excluded, so that expectation meets reality in the event of a claim. For example, are incidents caused by employee actions, whether negligent or malicious, covered, and which security standards are you required to maintain? The latter matters because a failure to maintain a control the policy assumes is in place can be grounds for a claim to be reduced or refused. You also need to know whether there are regional restrictions if a breach stems from operations in a country other than that of your registered headquarters.
What are the timeframes within which you are obliged to notify the insurer of a breach, and what speed of response can you expect from them? Breaches can take months to come to light, so you need to know how the provider treats delays in discovery, and what resources (forensic, legal, communications) they will provide to support you once a breach is confirmed.
As described above, you need to ask how your provider will respond to evolving threats. What’s the procedure for identifying material threats and modifying policies to ensure appropriate levels of cover are maintained?
If you operate in a highly regulated sector, does the insurance provider possess expertise in that market and can they offer audit and compliance support?
On the insurer’s side, as noted above, comprehensive information on a customer’s security posture and controls has typically been gathered through questionnaires and interviews. Insurers should also seek insight into how proactive an organisation is against evolving threats. Does it use threat intelligence services and threat hunting to keep abreast of emerging tactics, techniques and procedures, and does it act on what it finds?
Insurers also need to understand the customer’s exposure to third party risk through its extended ecosystem, incorporating both supply chain and M&A activity. They need to be alert to material changes that originate in the wider ecosystem such that they can make informed underwriting decisions.
Future of cyber insurance
As cyber insurance in Europe matures, we should see carriers developing their provision beyond basic risk transfer. They will be offering post-incident services and support for customers that suffer breaches and should also look at providing tools to help businesses monitor risk more accurately as part of a trusted partnership between the insurer and the insured.
Much of how the market develops will depend on how cyber claims and litigation unfold in the real world. Insurers will be closely monitoring the first cases to come out of GDPR breaches to see how the regulation will be interpreted.
Insurers will also be working towards greater clarity in policy wording and exclusions such that companies can be confident they have a policy in place that will meet their expectations in the event of a claim.
As the market evolves, we’ll see more insurers developing products for specific vertical sectors and industries. Success here will depend on having real-time data on the risk profile and cyber exposure of these industries so that insurers can effectively aggregate risk and offer competitive policies.
There’s no question that this will be a dynamic market in which success depends on the effective use of data. Security Ratings for businesses, sectors and even countries, the latter relevant given the multi-jurisdictional nature of many organisations, have an important role to play in delivering the intelligence that companies and insurers need for an accurate and continuously updated picture of evolving risk.
Tom Turner is CEO at BitSight