C-level executives who read the latest Ponemon Institute Cost of Data Breach Study have to think seriously about whether their organization has sufficient cyber risk-mitigation measures in place – including enough cyber insurance. According to the study, the average organizational cost of a data breach in the US has increased 19.8% since 2014, and the average cost per record breach is now $237. Over that same time interval the likelihood of experiencing a breach involving at least 10,000 records increased by more than 26%. The cause of the increasing cost of doing cyber business? Malicious attacks top out the list at 51% of reported US occurrences.
It should be noted that the Ponemon study does not consider breaches of more than 100,000 records as their costs quickly become astronomical – for example, Target’s total cost from its 2013 POS data breach, not including currently unresolved lawsuits, now stands at $ 291 million. Carrying cyber insurance does provide a measure of mitigation of the risk of a potential breach, but the cost of premiums can be significant and – as Target discovered – the liability limits may be far short of the total damages.
What’s Driving the Cost of Cyber Insurance?
The high cost of insurance is partly due to the increasing costs and likelihood of a potential breach, but there’s more to cyber insurance costs than that. Assessing an organization’s cyber-related risks continues to prove difficult for underwriters for numerous reasons. In part there’s a lack of critical mass of actuarial data concerning cyber security – especially compared to the petabytes of data on claims and risk factors related to car, life, and home insurance.
Another issue is that the insurance industry matured with the implicit understanding that insured entities existed independently from one another and could be considered isolated and discrete for risk-modeling purposes. That assumption quickly falls apart in today’s cyber ecosystem. Insurable cyber entities are highly interconnected and they develop tremendous economic value largely from that connectedness. While this phenomena can readily be acknowledged in our day-to-day lives, the cyber insurance industry has yet to agree upon how to model the associated risks.
Another uncertainty when it comes to underwriting cyber insurance policies is the automatonic nature of cyber environments: Under normal conditions they generate revenues for their operators; thus any failure or downtime must equate to a loss of revenue. Moreover, when systems are compromised by malicious attack, they become threats to other interconnected, automatonic systems.
Low Supply and High Demand
A brief by advisory firm Novarica found that cyber insurance coverage is, understandably, in high demand, outstripping the supply of policies available, and further driving premium prices. To mitigate their inherent risk in writing a policy, insurers must rely on qualitative assessments of the risk culture and risk management procedures of each applicant. Underwriters will review the organizational disaster response plans in relation to the process used to mitigate the organization’s risks associated with its networks, website, assets, and intellectual property. Applicants can expect to be pointedly questioned on how employees, contractors, and vendors access the infrastructure, how applications respond to penetration tests, and any unique issues raised during on-site evaluations. And executives and security professionals will need to quantify the business and technological threats to their organization and discuss their systematic management of the imposed risks.
While a detailed quantitative assessment can be effective, it is time consuming, expensive, and only provides a point-in-time snapshot of an organization’s cyber-performance. Yet insurer risks increase – and consequently so do premium prices – because the threat environment is constantly and rapidly evolving. Even if the cyber insurance industry has not yet agreed on a standard risk-model appropriate for underwriting cyber insurance, the experts do agree that a dynamic approach is necessary.
How to Drive Down the Cost of Cyber Insurance
Clearly cross-industry steps must be taken to bring cyber insurance to the same maturity as other forms of insurance and risk mitigation. Such steps can either be forced upon stakeholders through regulatory mandates – the call for which is increasing from many corners – or insurers and organizations can proactively initiate practical steps to systematize cyber risk-mitigation, and thereby both increase the availability of insurance policies to meet organizations’ various needs and simultaneously drive down the costs of those policies. Whether the changes evolve organically or are mandated has yet to be determined. In any case, driving down the cost of cyber insurance will require, at a minimum, the following:
Insurers and organizations need data-driven tools that provide insight into past and current cyber security performance.
- The static, point-in-time analysis that has matured well for independent, discrete insurable entities simply cannot provide the necessary underwriter confidence that consumer data or PII is appropriately safeguarded in a risk-environment which is majority driven by active, malicious players with strategic objectives and the wherewithal and skills to realize those objectives. Data-driven tools need to provide real-time, dynamic analysis of an organization’s total threat profile and attack surface relative to real-world intelligence on new and emerging threats so that organizations can proactively mitigate identified vulnerabilities prior to exploitation and insurers can develop a real-time understanding of an applicant’s risk-mitigation process.
Risk-based cybersecurity standards must be put in place for all organizations connected to the Internet or other public networks.
- On the insurer side, creating a uniform set of standards based on real-world intelligence and the insured organization’s industry is critical to developing a uniform underwriting risk-model. Insurers need to develop dynamic threat models relative to an organization’s entire cyber ecosystem to understand the applicant’s past, current, and ongoing risk exposure. Organizations, for their part, should implement automated threat modeling tools with high-level reporting functionality which clearly communicate both business and technological risks to be mitigated so that executives and security professionals can align the organization’s cyber-performance and risk-mitigation strategy relative to business goals, regulatory mandates, and underwriting standards.
Organizational risk-mitigation processes throughout each SDLC initiative must be incorporated into the infrastructure risk mitigation strategy.
- Eleven years of the Ponemon study have demonstrated that security breaches are increasing in both frequency and cost. Isolated, static application-level threat modeling is theoretically instructive but has failed to address the existing and evolving cyber threats facing organizations. Effective risk mitigation requires dynamic, automated chaining of threat models and infrastructure vulnerability analysis in order to reveal inherent threats from interactions of applications, infrastructure components, and 3rd party elements. Dynamic chained threat models provide both the organization and underwriters a clear understanding of the organization’s complete attack surface and evolving risk profile.
Cybersecurity must involve the entire organization.
- Organizations need to incorporate cybersecurity into their entire enterprise risk management process thereby fitting the relatively new exposure of cybersecurity into their more mature overall ERM process. Doing so allows insurers to extend existing risk-models across the cybersecurity domain.
Organizations seek affordable insurance as part of their overall risk-mitigation strategy. Insurers seek to provide coverage that both meets applicants’ needs while presenting a minimum exposure to unknown variables or non-uniform situations. While the motivations of the parties on either side of an insurance policy are inherently diverse, both are equally well served by the recent evolutionary developments of threat modeling. By the same means, organizations reduce their threat profile thereby hardening their applications and systems against malicious attack; and insurers have standardized, data-driven, dynamic tools they need to understand and model an applicant’s ongoing cyber-risk exposure. By utilizing the mature threat modeling tools available today, organizations and insurers can align their diverse motives with an anticipated result of finally seeing a decrease in the frequency and cost of data breaches. And that result will lower the cost of cyber-business for everyone.
Want to learn more about minimizing risk and lowering your cyber insurance premiums?