Tom Turner, CEO, BitSight, discusses the growing importance of risk transfer and cyberinsurance, with breaches putting cyber-risk firmly on the boardroom agenda.
As data mega-breaches dominate the headlines, businesses worldwide are focusing on how to manage and mitigate cyber-risk. The Marriott breach is only the latest in a litany of incidents whose repercussions will echo for a long time to come.
Put simply, the current threat environment means breaches are inevitable; they are a cost of doing business in the connected world. However, the average financial cost of a breach now stands at £934,000, and punitive legal consequences and reputational ruin are key factors too. Data breaches have clear potential to negatively affect a company’s valuation. That puts cyber-risk firmly on the boardroom agenda.
In a bid to transfer the risks of a cyberbreach, enterprises are looking seriously at cyberinsurance. It’s a market that has been growing over the past few years and is set to take off as companies seek comprehensive protection. But there are challenges both for companies trying to purchase the right cyberinsurance policy and the insurers aiming to provide it. What are the critical questions businesses need to ask carriers when assessing a policy? And likewise what information do carriers need in order to sufficiently measure the security posture of a growing pool of applicants and identify aggregate risk across their book of business?
Risk and regulation: The evolving cyberinsurance industry
At present around 80% of cyberinsurance policies are held by US businesses. That may seem surprising, given that US and European businesses are exposed daily to the same kinds of cyberthreats. The reasons for the difference between the two territories relate to contrasting legal frameworks around privacy and the varying appetites for litigation.
The US’s regulatory approach to privacy gives companies clarity around their liabilities and what can be insured against. At the same time the region’s more litigious mentality has made it worthwhile for them to do so, as they seek to protect their reputations and business stability.
In contrast European companies, when considering cyberinsurance, have been more concerned about resilience and business continuity and less about the repercussions of non-compliance with an ageing Data Protection Act which may not have been viewed as relevant or enforceable. Operating in a much less litigious environment, European organisations have not had the stimulus to fully explore cyberinsurance.
GDPR has changed that. The risks to European businesses from data breaches are now quantifiable and high profile, prompting them to try to insure against the legal, financial and reputational damages that a data breach entails.
The advent of more stringent European regulation comes amidst the escalating threat environment; cybercrime grows exponentially and all businesses are exposed.
In combination, the above factors put the cyberinsurance industry on the edge of major growth.
Insuring a moving target
The insurance industry is expert at assessing and quantifying risk, but cyberinsurance presents new challenges. While regulations, once implemented, remain relatively static, the threat environment evolves at breakneck speed, creating a moving target that carriers and businesses must try to mitigate.
Boards need to be confident that their insurance effectively transfers risk considering the current threat and regulatory environment. Insurers need a comprehensive view of the organisation’s security posture. This can prove difficult to assess.
Today, insurers rely on questionnaires, penetration tests and on-site assessments for insight into the cybersecurity posture of applicants. While these methods can be effective, they are time consuming, expensive and provide only a point-in-time snapshot of performance.
This is a weakness given the nature of today’s connected organisations and the impact of third-party risk. In a constantly changing corporate ecosystem, supply chain activity and mergers and acquisitions exert an ongoing effect on an organisation’s security posture. Without regular insight into how the organisation’s partners are evolving, the insurer cannot assess the real-time risks that the business faces.
In order to streamline the underwriting application process and identify areas of aggregate risk, insurers need more data-driven tools that provide insight into the past and current cybersecurity performance of applicants.
This lack of ongoing insight is a problem for the business itself too. How can the board make an informed decision to establish its cyber-risk appetite if it doesn’t have an accurate picture of risk? Businesses need to understand their own security posture and the possible scale of a ‘worst case scenario’ incident, so that they know what they require from any cyberinsurance policy in order to protect proactively against the reputational and cost impacts of a breach.
In a landscape that changes so quickly, up-to-date, independent risk intelligence is essential for businesses and carriers alike. Solving this issue is the rationale behind BitSight security ratings. These draw intelligence from the vast quantities of external data that can be examined for security behaviours and security policy implementations.
The ratings present an empirical and objective data-driven measure of an organisation’s security performance. More than 120 billion events are collected daily from 120 data sources to map 160,000 companies. The data is validated using both automated processes and human insight and is filtered by different risk vectors. This provides companies and insurers with the organisation’s rating.
Low ratings correlate with a higher likelihood of breach: an organisation whose security rating drops below 400 is five times more likely to suffer a data breach than one with a rating of 700 or higher.
This rating can be regularly monitored to identify changes in risk so organisations can remediate accordingly. This data-driven insight is far more valuable than a point-in-time assessment and is increasingly used by insurers to assist in underwriting cyberinsurance policies.
Key questions to ask – as CEO and cyberinsurer
Having current intelligence about their organisation’s risk rating is a good basis on which to build a cyberinsurance strategy, but what practical questions should companies also ask prospective cover providers?
It’s essential to find out what types of incidents are covered and which are specifically excluded, so that expectation meets reality in the event of a claim. For example, how far does your liability extend in terms of employee actions, and what are the security standards that you must meet? You also need to know whether there are any regional restrictions if breaches stem from operations in a different country from your registered headquarters.
What are the timeframes within which you are obliged to report a breach, and what speed of response can you expect from your provider? Breaches can take time to come to light and you need to know how your provider will respond to delays in discovery, and what resources they’ll provide to support you in the event of a breach.
As described above, you need to ask how your provider will respond to evolving threats. What is the procedure for identifying material threats and modifying policies to ensure appropriate levels of cover are maintained?
If you operate in a highly regulated sector, does the provider have expertise in that market, and can they offer audit and compliance support?
On the insurer’s side, we mentioned earlier that they need comprehensive information on a customer’s security posture and protocols, which has typically been gathered through questionnaires and interviews – sometimes days in length. Insurers should also seek insight into how proactive an organisation is at protecting against evolving threats: do they use threat intelligence services and threat hunting to keep on top of emerging TTPs?
Insurers also need to understand the customer’s exposure to third party risk through its extended ecosystem, incorporating supply chain and M&A activity. They need to be alert to material changes that originate in the wider ecosystem so they can make informed underwriting decisions.
The future of cyberinsurance
As cyberinsurance in Europe matures, we should see carriers developing their provision beyond basic risk transfer. They will be offering post-incident services and support for customers that suffer breaches, and should also look at providing tools to help businesses monitor risk more accurately as part of a trusted partnership between insurer and insured.
Much of how the market develops will depend on how cyber claims and litigation unfold in the real world, and insurers will be closely monitoring the first cases to come out of GDPR breaches to see how the regulation will be interpreted.
Insurers will be working towards greater clarity in policy wording and exclusions, so that companies can be confident that they have a policy that will meet their expectations in the event of a claim.
As the market evolves, we will see more insurers developing products for specific vertical sectors and industries. Success here will depend on having real-time data on the risk profile and cyber-exposure of these industries, so that insurers can effectively aggregate risk and offer competitive policies.
There’s no question that this is going to be a dynamic market where success will rely on effective use of data. Security ratings for businesses, sectors and even countries – given the multi-jurisdictional nature of many organisations – have an important role to play in delivering the intelligence that companies and insurers need to gain an accurate, ongoing picture of evolving risk.