Analogettes

Cyber Insurers Dictating Cybersecurity Standards?

A run down of the key challenges with choosing and using cyber insurance called out in the last few months.

It looks entirely possible you will have ‘adequate’ security dictated by your insurers, so it is your job to understand the risk based yardstick they’re using to define that. Quoting this recent article on the subject, aimed at the banking industry:

“When there are security breaches, where companies have failed to comply with [industry best] practices – otherwise known as negligence – then you have lawsuits,”

That’s written by a lawyer and he is almost audibly rubbing his hands with glee. ‘Best practice’ … ‘Negligence’ …based on what benchmark? Time to ask yourself how you would defend your security strategy if an insurer says company controls are just not good enough?

Cyber Security Insurance or CSI…a handy co-incidence, as Jan Winter pointed out with enthusiastic supporting commentary from Stuart (@stegopax) and Claus Houmann. The result is a tongue-in-cheek tweet-size analogy with a hard centre.

There’s much discomfort about this. Twitter critics have been vociferous, but I’ve also had correspondence with a couple of CISOs unsure how to tackle beauty contests with eager brokers. The bottom line – they may be offering good or bad deals at the moment, neither you nor they know.

It’s all about forecasting the likelihood and scale of a breach. Doing that needs sufficient good quality historical data to begin to pin down root causes and trends. That historical incident info (the accurate stuff) and a workable model to monetise identified risks, just doesn’t exist as yet.


I’m not a cyber insurance expert, but I know security risk and that’s what this is all about. I am however inviting anyone reading to call out inaccuracies, other good sources of information and alternative perspectives. How to get in touch.


Inputs

  1. Lack of quality historical data about notifiable incidents – Mandatory notification of breaches and incidents has been patchy, both in terms of requirements and in terms of the quality of data provided upon notification. Here’s TechCrunch on latest US proposals for a blanket requirement to report breaches. Freedom of Information requests, where a public interest can be proven, do reveal some useful details (notably following HIPAA, ICO, SEC, or other investigations), but there is no general standard for investigation and reporting.
  2. Lack of quality historical data about other publicised incidents – As evidenced by the usual attribution-go-round, when another big breach hits the news, root cause investigation is often not a straightforward task. The upshot is piecemeal or incomplete data, even when the media circus dies down. Hardly the stuff of statisticians’ dreams.
  3. Lack of quality historical data about internal incidents – Internal risk event notification and incident management is also hugely variable from firm to firm. Starting at one end of the scale with nothing being formally logged, to the typical historical situation with only outages being recorded, then on (at the other end), to firms who robustly log the full range of security incidents and near misses,

Even at that better practice end, there will be the same wide variance with incident identification, investigation, root cause analysis, risk estimation, aggregation to find trends and monetisation of impact.

Methodology

  1. Identification – What proportion of incidents have historically gone under the radar? A selection of those may get spotted in future if useful threat/vulnerability monitoring and reporting becomes the norm. The heightened focus on cybersecurity will support the business case for that, but it doesn’t stop the historical dataset being (at best) patchy and at worst utterly useless to enable any predictive modelling.

    For an alternative perspective, think about the recent rash of public figures brought up on historical child abuse charges. There was a cultural tendency not to report such things and shocking issues with appropriate handling of reported incidents. That and other bases for bias can seriously skew statistics. The situation with cyber incidents will be no different.


  2. Investigation  – There is vast variance in the quality of investigations into incidents. Particularly trying to identify all parts of a kill chain involved in quiet exploits executed over time (APTs, by some definitions). A significant linked challenge is uncovering the social engineering and human error related contributions to a breach. As capability improves and matures there will be a rise in the quality of aggregate data (the newest NIST standard is heavy on incident response guidance as is content on most security focused sites) but that, as I call out with identification, doesn’t help us with prediction. Models need to settle and if the type, quantity and quality of data indicating what makes a breach more likely (or more impactful) changes, it constantly stretches the time before worthwhile conclusions can be drawn.
  3. Impact assessment – So the above is about the number and frequency of incidents. This is about the severity and cost. Hands up who has a way to accurately assess, monetise and aggregate the impact of internal security incidents? Yes? Great. How about the impact on company reputation? It’s not just the intangibles that are hard to put a figure on, it’s the cumulative impact of many small incidents (e.g. lost laptops, or one-off low cost fraud). Things I look at in more detail in my Tripwire State of Security article ‘Cybersecurity Risk – The Unvarnished Truth’.
  4. Actuarial modeling – This is where my knowledge base is too thin. So rather than me inexpertly potificating about this, why not have a look at the diagram below from KPMG (illustrates factors that can influence accuracy and success of risk modelling) and read a couple of the below articles.

Actuarial-and-Insurance-services

CYBER COVERAGE AND THE ACTUARIAL CHALLENGE

CYBER CATASTROPHE

CYBER LIABILITY INSURANCE: UNDERSTANDING WHAT YOU HAVE AND WHAT YOU MAY NEED

MATCHING CYBERSECURITY RISK TO INSURANCE COVERAGE

SOCIETY OF ACTUARIES RELEASES NEW MORTALITY RATE TABLES TO IMPROVE ACCURACY OF PRIVATE PENSION PLAN ESTIMATES  The latter is purely to demonstrate the frequent changes needed to ensure risk models remain accurate. Even the best documented datasets evolve over time. Now, bearing in mind what you do (or don’t) accept in this article, how close can insurers be to:

  1. Understanding global and industry views of cyber risk accurately enough to provide an adequate level of cover and set generally fair premiums
  2. Understanding the risk of a breach and how much security control is enough to minimise that risk, for your specific company.

It’s entirely feasible that more secure companies will be slapped with one-size-fits-all premiums, padded to protect insurers against uncertainty created by their lack of accurate risk data. So all of that leaves companies with a range of interrelated challenges:

  • Top down and sales pressure – Insurers see a still open market (it’s actually over a decade old). With fresh breach intensified demand they are energetically chasing market share. Insurance is something the C-suite understands. In combination that will put pressure on security leaders to make decisions sooner rather than later.
  • Government evangelism – The government has thrown it’s weight behind this market. On 23rd March it published it’s report into the role of insurance in mitigating UK cyber security risks (a good summary of key points). It’s the kind of missive that will find fans in the boadroom. There’s been a long relationship between the government and cyber insurers. Suppliers to the state are required to become Cyber Essentials certified. The Cyber Risk & Insurance Forum (CRIF) were key consultants on the creation of CE and optional certification for the charity sector comes with an insurance policy attached – baby steps to making cover mandatory?
  • Initial sweeteners – Insurers know their limitations and will be less risk averse at first to get competitive advantage. This will make deals attractive.
  • Creeping coverage loss – Insurers will add more uncertainty quashing conditions and exclusions after getting your business if the trend towards breaches doesn’t slow (unlikely), or their risk models remain too inaccurate to comfort them about covering their losses (extremely likely).
  • Potential government backup – That may not matter if inaccuracies in premium estimation and levels of cover are in your favour and/or the government (as predicted at the end of this article), moves to provide a financial backstop for overexposed insurers.
  • Do you have a risk leg to stand on? – Businesses with immature or moderately mature risk cultures will be defenceless to benchmark the appropriateness of premiums and policy coverage against their specific risk exposure.
  • Not a security panacea – Overestimating coverage or underestimating risk exposure could lead to inappropriate reliance on insurance as a strategy for managing risks. Transferring risks with insurance is an entirely valid risk management option, but cover has to be right for you and is only intended to deal with risks not economic, or (based on a defensible risk argument), not strategically sensible to mitigate.
  • Come claim time will all be well? – As inferred by Gary Smith in the below tweet, claims may bring nasty surprises if company security turns out not to be as robust as it appeared when premiums were set:

Security standards dictated by insurers & copywrite risks?

Who Watches The Watchmen by Stan-W-D http://goo.gl/iinZYC

Ignoring the challenges individual business will face, insurers are doing all they can to up the quality of available data and reduce their risks. The two main ways they are doing this are:

  1. Demanding evidence of some defined standard of security control from potential clients
  2. Gathering incident data from client companies as part of setting ‘fair’ premiums.

The section title outlines my concerns. Could we end up with the insurance tail wagging the business dog, with security strategy and implementation driven by firms tasked with picking up the pieces if security controls fail? Further to that, insurers may end up being the first businesses with enough aggregate risk data to work out what a strategic security priority looks like. Data they will not be sharing freely, or foregoing profit to reflect with reduced premiums for firms who can prove they’re doing a good job.


Women (and men) paid the price when it became illegal to use gender to calculate premiums. If even proven risk levels fail to secure proportionate rates, how will you avoid having to jump through insurer defined hoops to get the the right coverage at the right price? Will you be forced to gold-plate some controls and ignore others you know are locally important?


What, in your opinion, is wrong with that picture? I realise that does next to nothing to damp down discomfort, but as things currently stand, calling out the challenges is the best I (we?) can do. Except for heeding the sage counsel offered by our business ancestors: Caveat Emptor and remember…it’s a buyers’ market

7 replies »

  1. “For my part, because board members often have far better understanding of insurance and audit than they do of security, I remain extremely concerned about the dynamic this may create. Yes the insurance market will evolve to weed out the weakest actuarial links, but in the mean time how much credibility and autonomy will security functions have lost? Security functions staffed by people with deep knowledge of local environments who are likely to be getting lots right in the context of their specific networks, processes, people and business objectives (despite often being rubbish at communicating that – a problem I work hard to solve). It would be great to give those people a useful voice rather than making them serve yet another profit motivated and potentially dictatorial master and introducing yet another layer of politics to battle through.”

    In organizations which deserve better treatment by insurers these dynamics will work more smoothly instead of less. This is part of the spectrum of elements that insurers should be seeking to validate in their process of determining risk. Where there is contention between executive management and security operations, risks to insurers (and of course the enterprise itself) will be higher than where there is positive cooperation and alignment of interests at all levels.

    There are of course various ways to codify these management structures, but for our part in our work with insurers or enterprises we use this rote guideline as part of the overall process of helping organizations determine if their management structures align with appropriate interests:

    http://all.net/Arch/SecManagement.html

    Where executive management alignment is appropriate for the context of the organization, security management and operations find themselves: more able to identify the targets they are tasked with working towards; better able to obtain resources to achieve those targets; and with a clear path to escalate issues to levels where executive decisions can be made (such as whether to attempt to transfer or mitigate residual risk).

    “All that aside I want to thank you again. Social media is all too often contentious for contentions sake these days and your comment was an informed and welcome change”

    Very much the same to you. There is no need for contention about issues that are simply challenges to be addressed. I understand the passion that often arises, however. It arises because folks care deeply about achieving a better state in our profession. While the contention itself does not typically forward the goal, it is much better to have that passion than ennui among security teams.

    Thanks for driving the conversation!

    Like

  2. “Time to ask yourself how you would defend your security strategy if an insurer says company controls are just not good enough?”

    Insurers need to develop the questions they ask to determine the risk they are accepting. When incidents occur, the only question will be “Did you tell me us the truth?” If so, then the risk they accepted they own.

    “The bottom line – they may be offering good or bad deals at the moment, neither you nor they know.”

    There is a soft market at the moment, where there is always some insurer willing to accept a poorly defined risk. This will sort itself out as the inevitable consequences of those poor choices are more frequently realized. It is where these choices by insurers were poorly founded that there will be contention. Both insurers and insured will find greater value in better defined risk definition and coverage as these factors play out.

    “1. Lack of quality historical data about notifiable incidents ”

    Actuarial data does not currently exist. There is no empirical reason to believe that any protective measure has a measurable value. This is a larger issue than insurance – enterprises have no security ROI to work from – and has to be solved. The motivations of insurers is the best driver to accumulate this knowledge.

    There is more than indicent information required. The context that incidents occur in is required to make use of incident information.

    “3. Lack of quality historical data about internal incidents ”

    Insurers can require their clients report incidents to the insurer as part of policy. This allows insurers to develop actuarial visibility.

    “Even the best documented datasets evolve over time.”

    The issue of change over time is one where insurance is better suited than standards and regulation. Risks and controls will certainly change over time, so the models insurers use to assess risk will change over time as well. Standards and regulations will always be much slower to change in reaction to evolving situations and therefore will almost always play a “least diligence” backstop role in both managing insurance risk and in delivering actual security.

    “Further to that, insurers may end up being the first businesses with enough aggregate risk data to work out what a strategic security priority looks like.”

    They most certainly will. There is very little of that available today through any other means, and very few reasonable mechanisms to define it. Frameworks and standards are developed by consensus opinion rather than empirical data. The experiential aspect of actuarial processes is the only realistically achievable mechanism to accomplish this goal.

    “Data they will not be sharing freely, or foregoing profit to reflect with reduced premiums for firms who can prove they’re doing a good job.”

    This is an important issue, and there are efforts underway to address it. What actuarial data will insurers be willing/forced to share for the greater good of societal stability?

    “Caveat Emptor and remember…it’s a buyers’ market”

    Precisely. This sword cuts both ways:

    – Enterprises can save money in the short term by buying poorly defined coverage, and risk losing everything when they find themselves arguing in court.

    – Insurers can find themselves making money in the short term, and risk losing everything when they find themselves arguing in court.

    Both enterprises and insurers are at risk in the current market, and only as insurers more sharply define their requirements and coverage will those risks become more manageable.

    We have to remember as well, however, that all of this compares to the current state where there is no reason to believe than anything an enterprise does will have any benefit in limiting their risk. The issue is not whether insurance will be able to play a positive role in advancing realized and predictable security, but rather if we will reach that goal by any means.

    -best

    -chris

    Like

    • I really appreciate the time and thought that went into that reply Chris. It is incredibly valuable to have this kind of honest view from someone with long and deep experience of the trade and experience co-operating with cyber insurers to grow and stabilize the market.

      I am not, as I hope I made clear in the article, against using insurance to transfer uneconomic to mitigate risks. I’m also acutely aware of the poor quality (or frequent lack) of risk data currently available internally and at an industry level to firms. Without being sycophantic I also agree there’s no other force driving that necessary evolution of security risk assessment and management. Something that frustrated many of my governance efforts over the years.

      The main fact that remains therefore, is the one that I call out last. The one that you acknowledge needs thought and collaboration to land positively for all involved…will information on risk that is gleaned and honed get shared? In being so equitable with your response this forms a good grounding for the robust debate this needs.

      For my part, because board members often have far better understanding of insurance and audit than they do of security, I remain extremely concerned about the dynamic this may create. Yes the insurance market will evolve to weed out the weakest actuarial links, but in the mean time how much credibility and autonomy will security functions have lost? Security functions staffed by people with deep knowledge of local environments who are likely to be getting lots right in the context of their specific networks, processes, people and business objectives (despite often being rubbish at communicating that – a problem I work hard to solve). It would be great to give those people a useful voice rather than making them serve yet another profit motivated and potentially dictatorial master and introducing yet another layer of politics to battle through.

      To that end I am currently talking to a couple of risk firms who are working on much of the same data that cyber insurers have. They are also garnering inputs from client companies who donate it in return for getting better industry views of relevant risks. That will continue to be my preferred route to knowing priorities for a business. Rather than an insurer who, at least for now, can’t or won’t explain their workings out.

      On a less security focused, but no less important note, please can you pass on a message to contacts in the insurance trade: The infomercials are in the main packed with FUD and rhetoric that is obviously designed to play to CXO fears. At the same time security professionals (ones worth their salt) know insurers are not a whole bunch more informed than they are. Marketing firms are going to alienate and impact credibility of a whole swathe of professionals with currently scarce security skills if they carry on. That will not serve businesses well.

      All that aside I want to thank you again. Social media is all too often contentious for contentions sake these days and your comment was an informed and welcome change.

      Like

  3. This is a great article.

    As I’ve said about this many times before, the end result is going to be one – or both – of two things:

    1) The insurance companies, once they’ve taken a bath in handing out settlements to companies that simply can not be or just were not protected adequately, will jack up premiums until the cost is basically the same as what the companies should have spent in the first place on security.

    2) Insurance companies will require strict security programs that will end up costing the same as what the companies should have spent in the first place on security.

    Both means companies will take a bath on security spending AND high premiums. This is historically how insurance companies have operated.

    Cybercrime is not the same “continuity” or “disaster” insurance. Cybercrime is a growth industy whereas disasters are random.

    Like

Want to add to the discussion?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s