CERT PODCAST SERIES: SECURITY FOR BUSINESS LEADERS: SHOW NOTES

How Cyber Insurance Is Driving Risk and Technology Management

Key Message: Business leaders are increasingly using cyber insurance to mitigate security risks and prioritize technology investments.

Executive Summary

Every day another story arises about a significant breach at a major company or government agency. Increasingly, cybersecurity is being viewed as a risk management issue by CEOs and boards of directors. So how does corporate America address risk? Insurance: since, as with a natural disaster, a company cannot completely avoid cyber attacks, the next best option is to mitigate the impact these attacks can have. [1]

In this podcast, Chip Block, Vice President at Evolver, discusses the growth of the cyber insurance industry and how it is beginning to drive the way that organizations manage risk and invest in technologies.


PART 1: CYBER INSURANCE AS A RISK MANAGEMENT STRATEGY

Business Drivers

A recent study by Advisen states that there has been about a 50 percent increase in cyber insurance demand due, in large part, to recent high-profile breaches (Target, Home Depot, Sony, and the U.S. Office of Personnel Management).

Business leaders are increasingly viewing the management of security breaches as a risk management problem (like weather events) as opposed to a technical problem.

Risk is a primary topic for most CEOs and boards of directors and is often addressed via insurance.

Quantifying Attack Loss Data and Coding Risks

Companies like Verizon, NetDiligence, and Advisen are capturing data on the impact of cybersecurity attacks. They are beginning to be able to state "this type of attack results in this type of loss" using quantifiable numbers. With these types of numbers, the insurance industry can determine premiums and claims for cyber insurance products.

Chief Risk Officers are beginning to code first-party risks (for example, business interruption, restoration costs, and cyber extortion) and to assign potential losses to each type of risk. For example, if a purchasing system is down for two days due to an attack, a business can calculate how much loss occurs and work with its insurance provider to determine how much and what type of insurance to purchase to offset this loss.

Internet of Things

Currently, the cyber insurance industry is addressing breaches, loss of data, and misuse of credit cards and Social Security numbers contributing to identity theft.

The Internet of Things (connectivity of and access to many types of technologies and mobile devices) introduces risks of physical harm and potential loss of life. Examples include the ability of attackers to affect automobile software, medical devices, and even elevators.

This is becoming a higher priority topic of discussion for affected businesses and the insurance industry, addressed, in part, as riders on current business insurance policies.


PART 2: FUD, RISK QUANTIFICATION, AND A $10 HORSE

Shifts in Technology and Insurance Investments

The current business model for selling technology is fear, uncertainty, and doubt (FUD), where vendors try to scare the CISO into buying a new technology that is better at addressing the latest vulnerability or type of attack than their last purchase. This tactic is not sustainable.

Insurance is a much more effective approach. If a business leader can put a number on business disruption loss, they can then determine how much and what types of technologies can best address this – along with insurance.

Spending $50,000 to protect against a $1M loss may make good business sense, but it doesn't make sense to put a $100 fence around a $10 horse.

Coding risks helps both buyers and sellers of technologies and insurance by focusing on risk exposures and how much protection against loss makes sense.

Measuring Risk

There are a growing number of capabilities and tools to measure risk in a quantifiable way, including, for example, frameworks like the CERT Resilience Management Model (CERT-RMM) and the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

It is critical that organizations do what is commercially reasonable; that is, if they are breached, can they show that they took proper, accepted actions to protect their assets and avoid damage, so as not to be considered negligent?

The CERT-RMM and the NIST CSF may help provide an industry-standard definition of “commercially reasonable.”


PART 3: SECONDARY SERVICES; EMERGING DRIVERS

Secondary Markets

Going forward, it is likely that natural growth of the cyber insurance secondary market will occur, similar to those industries that support the normal insurance market (for example, vehicle repair and adjusters for the auto insurance industry and actuaries for insurance in general).

For cyber insurance, examples include forensics and vulnerability assessment. Insurance companies are starting to provide these types of support for customers who experience a security breach.

Emerging Drivers

There are recent court rulings affecting whether or not you can sue an organization if you experience damages due to a security breach. So far, unless you can prove direct harm, you cannot sue for loss of data. That said, class action lawsuits may emerge from big data breaches, and this exposure can be mitigated, in part, by cyber insurance.

There is a recent case establishing that the U.S. Federal Trade Commission can sue a company for not having proper control of its data (referring back to the discussion of "commercially reasonable").

Court cases and new legal precedents will change the risk relationship among cybersecurity, security technologies, and cyber insurance.

Resources

[1] Block, Chip. And Then the Accountants Showed Up: How the Insurance Industry Will Drive Cyber Security. Evolver, May 7, 2015.

CERT Podcast: Cyber Insurance and Its Role in Mitigating Cybersecurity Risk, January 2015.



Copyright 2015 Carnegie Mellon University