How cyber insurers can raise the game in cyber resilience
Cyber insurers are uniquely positioned to encourage standards. Image: Unsplash/Towfiqu Barbhuiya
- The cyber insurance industry’s role in ensuring a global ecosystem of cyber resilience is undermined by a lack of a standardized framework to measure their cyber resilience.
- Increased demand for cyber insurance means insurers are positioned and incentivized to influence the implementation of cyber resilience standards as part of an improved risk assessment methodology.
- Cyber insurers play an important role in improving cyber resilience through collaboration, improvement, monitoring and quality and intelligence.
The 2022 Russia-Ukraine War demonstrates that cyberattacks continue to grow with cyber threat weaponization becoming a tool to maximize impact on multiple businesses and critical infrastructures important to national economies. Ensuring cyber resilience is predicated upon effective risk identification and mitigation. So now, it is more important than ever for organizations to put on a “digital flak jacket.”
The cyber insurance industry has an important role in improving and ensuring a global ecosystem of cyber resilience. However, cyber insurers and insured organizations lack a standardized framework to measure their cyber resilience. Instead, they rely on industry benchmarks for resource allocation and antiquated techniques for quantifying cyber risk.
As cyber incidents increase in frequency and intensify in their disruptive impacts, it is clear that higher cybersecurity spending does not necessarily drive better cyber maturity. Insurers have intimately experienced the effects of immature risk assessment methods when insuring organizations over the past two years, as the top 20 cyber insurers have recently posted record high loss ratios.
With the increased demand for cyber insurance, insurers are now positioned (and financially motivated) to influence the implementation of cyber resilience standards as part of an improved risk assessment methodology.
There are several ways cyber insurers are essential in improving cyber resilience.
1. Collaboration
Cyber insurers can collaborate with governments, regulators and organizations to continuously improve and prioritize actions based on current exposures to attacks as they are uniquely positioned to adopt cyber-resilience best practices and observe good security hygiene and behaviour.
Not only can they provide the right incentives to encourage resilient conduct but they are also financially invested in mitigating society’s cyber risk across sectors and geographies. As a result, their balance sheets are intrinsically linked to the cybersecurity success of others.
Standardizing cyber risk measurement techniques and governance principles is a win-win for insurance and society.
2. Suggesting improvement plans
Cyber insurers can also encourage organizations to follow the order of operations by suggesting improvement plans.
Providers perform assessments of an organization’s security posture to define the premiums. For that, they have access to multiple aspects of internal information such as security incidents, breaches and claims data that may not have been made public.
Based on that information, cyber insurers define their premiums and contracts and could also define improvement objectives that incentivize positive security actions.
Incentives like a review of premiums and discounts for consistently strong security postures for the insured could have a large impact.
3. Monitoring and quality assurance tools
Cyber insurers can apply continuous monitoring practices and tools to ensure enhanced cyber posture through metrics like security ratings.
Continuous monitoring minimizes cyber risks and increases the understanding of the cybersecurity ratings of an insured entity at the time of a breach or incident. Overlaying these kinds of insights and crucial discoveries about the type of breach or incident that occurred and the impact categories outlined in the claims will provide unique insight.
For example, discovering any correlations between an entity type (e.g. industry and size), the entity’s cyber maturity rating, and the impact of the breach on the business that resulted in a claim to the insurer (or multiple insurers in some cases) is an invaluable improvement to our knowledge of risk indicators.
How is the Forum tackling global cybersecurity challenges?
Aggregating and anonymizing analytics of claim data should surface strongly correlated indicators, patterns and emerging trends. This data can be used as legitimate leverage during premium negotiations with the insured of both the annual and post-incident kinds.
It is clear that insurers are well-positioned to influence organizations to achieve cyber resilience. They can achieve this through leveraging the possibility of continuous underwriting, where insurers regularly monitor the risk posture of the insured. This type of active oversight can be influential for proactively coaching clients on the best ways to avoid cyber incidents.
Armed with data-driven risk models, insurers can motivate the insured to improve their controls, improving their cybersecurity risk rating and resilience in the context of a constantly evolving risk landscape.
4. Using and sharing intelligence
Cyber insurers can use and share the intelligence with ecosystem players and law enforcement during an incident to speed reaction and reduce recovery times, thereby minimizing risk.
As already mentioned, providers have unique access to security incidents, breaches and claims data that may not have been made public. It would be irresponsible for insurance providers to keep this information from informing regulatory policy, cybersecurity practices and incident response.
Indicators of Compromise (IoCs) are routinely shared among ISACS (Information Sharing and Analysis Centers) in the US, Europe and Asia to aid in the collective resilience of an industry or sector such as oil and gas, financial services or retail/hospitality. STIX and TAXII (now in version 2.1 as of June 2021) are structured data sharing protocols for this purpose.
Perhaps the major firms should seek out similar ways to build communities of insurance practitioners who can benefit from aggregated and anonymized TTPs (Tactics, Techniques and Procedures) and corresponding data for breach events or business disruptions. When more in-depth threat intelligence feeds from security vendors are added to this core of event and threat actor information, we just might be helping give rise to a collective defense capability that is truly resilient and robust.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Stay up to date:
Cybersecurity
Forum Stories newsletter
Bringing you weekly curated insights and analysis on the global issues that matter.
More on CybersecuritySee all
Kate Whiting
December 12, 2024