By Miles Tappin, VP of EMEA at ThreatConnect
The emergence of sophisticated attacks, particularly ransomware, has placed a cloud over the cyber insurance market. As a result, in recent years, more firms have sought insurance protection to transfer risk and ultimately safeguard themselves and their customers. However, neither carriers nor those seeking insurance have the capacity to automate cyber risk quantification.
The sophistication and frequency of cyberattacks have driven up both demand for policies and prices. Several carriers have increased rates by 30% to 50% and have enacted more stringent policy terms and coverage restrictions. According to some insurance brokers, carriers have cut the amount of coverage offered by millions, and at least one major insurer, the European insurance giant AXA, has stopped providing ransomware coverage altogether.
Ultimately, the cyber insurance industry is confronted with three major problems. First, when it comes to obtaining data and analysing a company’s cyber risk exposure, insurance underwriters use a very manual, point-in-time method, and they are unable to link loss data to vulnerabilities, insufficient controls, misconfigured hardware or software, or an attacker’s ability to successfully infiltrate a vital application or system. Second, security evaluations are performed only once before binding coverage and are not repeated until the policy is due to be renewed. Third, security evaluations performed on behalf of an underwriter are frequently never disclosed to the firm seeking insurance.
Urgent need to automate the quantitative process
It’s hard to believe, but just one year ago, most cybersecurity insurance questionnaires consisted of fewer than ten questions, and underwriters would give companies 60 to 90 days to get the required controls in place. Today, most applications involve dozens of questions, are still highly manual, and companies get only 30 days to get their security controls in order.
Today’s manual application process means underwriters are writing policies based on guesswork that is only valid on the day it was produced. Thus, the requirement to automate the quantitative process could not be more urgent.
Automated cyber risk quantification (CRQ) is now a reality. Organisations should move quickly to understand their business more accurately and prioritise efforts so that critical business processes, applications, and data are protected. Automated CRQ provides three specific benefits: it enables companies to proactively model and predict risk; to mitigate and monitor for changes; and to see ‘what-if’ scenarios and recommendations that drive smart actions, mitigation, and response.
The Operationalisation of Risk Data
Cybersecurity insurance is different from other forms of insurance primarily because cyberattacks involve two things insurance can’t measure — the attacker and the defences they try to beat.
The struggle to understand loss exposure in cybersecurity isn’t the lack of loss data – it’s the lack of being able to correlate it to a vulnerability, a deficient control, a misconfigured software or hardware, or the ability of an attacker to reach a critical system or application.
Risk quantification automatically feeds data into a risk model and automation engine. Those inputs include data from your organisation as well as industry, attack, and vulnerability data aggregated from various sources. The model then uses that information to determine the financial impact of cyber risks and the probability that specific attacks succeed.
These calculations drive a variety of other activities within risk quantification that lead to the operationalisation of information across the rest of your organisation, including:
- Prioritisation of vulnerabilities – not only by CVSS score but by relevance in terms of the financial impact to your
- ‘What-if’ analysis to help you understand what specific effects certain changes may have on your cyber risk before making those
- Producing short- and long-term recommendations on how specific changes may affect Annual Loss Expectancy (ALE) and provide guidance into any ‘low hanging fruit’ that may
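To make the prioritisation, ‘what-if’ and ALE points above concrete, here is an added worked example in Python. It is not ThreatConnect’s model or code; it uses the textbook quantitative-risk relation ALE = SLE × ARO (single loss expectancy times annualised rate of occurrence) over a small set of constructed findings. The CVE identifiers, asset values, exposure factors, occurrence rates and remediation costs are all made-up placeholders chosen to show how a financial ranking can differ from a CVSS ranking, how a control change is modelled as a what-if, and how ‘low hanging fruit’ falls out of ALE reduction per unit of cost.

```python
"""Added example: ALE-based prioritisation and what-if analysis on constructed data.

Not the vendor's model. Formula used: SLE = asset_value * exposure_factor,
ALE = SLE * ARO. All identifiers and figures below are placeholders.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, constructed for this example
    asset: str               # affected application (constructed)
    cvss: float              # technical severity score only, no business context
    asset_value: float       # business value of the application, GBP (constructed)
    exposure_factor: float   # fraction of asset_value lost in one successful incident, 0..1
    aro: float               # annualised rate of occurrence: expected successful attacks per year


@dataclass(frozen=True)
class Remediation:
    cve: str
    description: str
    cost: float              # one-off implementation cost, GBP (constructed)
    aro_reduction: float     # fraction of the finding's ARO the control removes, 0..1


def single_loss_expectancy(f: Finding) -> float:
    return f.asset_value * f.exposure_factor


def annual_loss_expectancy(f: Finding) -> float:
    # ALE = SLE x ARO: expected annual loss from this finding
    return single_loss_expectancy(f) * f.aro


def portfolio_ale(findings) -> float:
    return sum(annual_loss_expectancy(f) for f in findings)


def rank_by_cvss(findings):
    """Ordering a purely technical scanner would produce (highest CVSS first)."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_ale(findings):
    """Ordering by expected financial loss (highest ALE first)."""
    return [f.cve for f in sorted(findings, key=annual_loss_expectancy, reverse=True)]


def what_if(findings, cve: str, aro_factor: float = 1.0):
    """Model a control applied to one finding by scaling its ARO.

    Returns (portfolio_ale_before, portfolio_ale_after) so the caller can see
    the effect of a change before making it.
    """
    before = portfolio_ale(findings)
    changed = [replace(f, aro=f.aro * aro_factor) if f.cve == cve else f for f in findings]
    return before, portfolio_ale(changed)


def recommend(findings, remediations):
    """Rank remediations by ALE reduction per pound spent (highest first).

    Returns a list of (cve, ale_reduction, reduction_per_unit_cost) tuples;
    a cheap fix with a high ratio is the 'low hanging fruit'.
    """
    by_cve = {f.cve: f for f in findings}
    scored = []
    for r in remediations:
        reduction = annual_loss_expectancy(by_cve[r.cve]) * r.aro_reduction
        scored.append((r.cve, round(reduction, 2), round(reduction / r.cost, 2)))
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample findings: B has the highest CVSS but sits on a low-value test box.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", "internet-facing payments app", 7.5, 2_000_000, 0.25, 0.40),
    Finding("CVE-PLACEHOLDER-B", "internal test server", 9.8, 50_000, 0.50, 0.20),
    Finding("CVE-PLACEHOLDER-C", "HR system", 6.1, 800_000, 0.30, 0.25),
]

# Constructed remediation options with assumed cost and effectiveness.
REMEDIATIONS = [
    Remediation("CVE-PLACEHOLDER-A", "patch plus compensating control", 40_000, 0.75),
    Remediation("CVE-PLACEHOLDER-B", "apply vendor patch", 1_000, 1.00),
    Remediation("CVE-PLACEHOLDER-C", "upgrade and restrict access", 15_000, 0.80),
]

if __name__ == "__main__":
    print("By CVSS:", rank_by_cvss(FINDINGS))
    print("By ALE: ", rank_by_ale(FINDINGS))
    before, after = what_if(FINDINGS, "CVE-PLACEHOLDER-A", aro_factor=0.25)
    print(f"What-if control on A: portfolio ALE {before:,.0f} -> {after:,.0f}")
    for cve, reduction, ratio in recommend(FINDINGS, REMEDIATIONS):
        print(f"{cve}: ALE reduction {reduction:,.0f}, {ratio} per unit cost")
```

With these constructed numbers the CVSS ranking puts the test server first, while the ALE ranking puts the payments application first; the what-if shows a single control on that application cutting portfolio ALE from 265,000 to 115,000; and the cost-weighted recommendation surfaces the cheap test-server patch as the low hanging fruit even though its absolute ALE reduction is the smallest. Real inputs for asset value, exposure factor and ARO would come from the organisation’s own data and the aggregated industry, attack and vulnerability feeds the text describes.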
Tolerate, Treat or Transfer?
Given the advanced capabilities of cyber adversaries and their tactics, techniques, and procedures, the current cyber insurance model almost guarantees that insurance carriers will be forced to pay claims. As a result, point-in-time assessments that are manual guesswork are inadequate for protecting enterprises from the onslaught of cyberattacks.
Being able to track cyber financial risk over time, understand the impact of budget decisions, and ultimately justify spending is now driving business decisions on which risks to tolerate, treat or transfer.
While the first step is to understand your organisation’s exposure in financial terms, the next is to decide how to mitigate risk. Risk quantification models take into account many different types of attackers and attacks that may target an organisation, together with its controls, vulnerability data and critical applications.
Most risk quantification customers keep their controls actively updated inside the tool so that it can assess which applications are most vulnerable. They also provide vulnerability data, which allows risk quantification to produce short-term recommendations on Common Vulnerabilities and Exposures (CVEs).
The capabilities of risk quantification can give insurance underwriters and their clients a clear, dynamic picture of inherent and residual risk. Not only are the threat landscape and the parts of it that are relevant to your business changing, but the controls, applications, endpoints, and types of data present in your environment are changing as well. Risk quantification enables you to apply these changes to your models instantaneously, allowing cyber risk measurement to move beyond point-in-time assessments and become programmatic.