How cyber insurers can raise the game in cyber resilience

Cyber insurers are uniquely positioned to encourage standards. Image: Unsplash/Towfiqu Barbhuiya

Mike Wilkes
Adjunct Professor, New York University Tandon School of Engineering
Anna Sarnek
Director of Strategic Alliances, Valence Security

  • The cyber insurance industry’s role in ensuring a global ecosystem of cyber resilience is undermined by a lack of a standardized framework to measure their cyber resilience.
  • Increased demand for cyber insurance means insurers are positioned and incentivized to influence the implementation of cyber resilience standards as part of an improved risk assessment methodology.
  • Cyber insurers play an important role in improving cyber resilience through collaboration, improvement plans, monitoring and quality assurance, and intelligence sharing.

The 2022 Russia-Ukraine War demonstrates that cyberattacks continue to grow, with cyber threat weaponization becoming a tool to maximize impact on multiple businesses and critical infrastructures important to national economies. Ensuring cyber resilience is predicated upon effective risk identification and mitigation. So it is now more important than ever for organizations to put on a “digital flak jacket.”

The cyber insurance industry has an important role in improving and ensuring a global ecosystem of cyber resilience. However, cyber insurers and insured organizations lack a standardized framework to measure their cyber resilience. Instead, they rely on industry benchmarks for resource allocation and antiquated techniques for quantifying cyber risk.

As cyber incidents increase in frequency and intensify in their disruptive impacts, it is clear that higher cybersecurity spending does not necessarily drive better cyber maturity. Insurers have intimately experienced the effects of immature risk assessment methods when insuring organizations over the past two years, as the top 20 cyber insurers have recently posted record-high loss ratios.

With the increased demand for cyber insurance, insurers are now positioned (and financially motivated) to influence the implementation of cyber resilience standards as part of an improved risk assessment methodology.

There are several ways cyber insurers are essential in improving cyber resilience.

1. Collaboration

Cyber insurers can collaborate with governments, regulators and organizations to continuously improve and prioritize actions based on current exposures to attacks, as they are uniquely positioned to adopt cyber-resilience best practices and observe good security hygiene and behaviour.

Not only can they provide the right incentives to encourage resilient conduct but they are also financially invested in mitigating society’s cyber risk across sectors and geographies. As a result, their balance sheets are intrinsically linked to the cybersecurity success of others.

Standardizing cyber risk measurement techniques and governance principles is a win-win for insurance and society.

2. Suggesting improvement plans

Cyber insurers can also encourage organizations to follow the order of operations by suggesting improvement plans.

Providers perform assessments of an organization’s security posture to define the premiums. For that, they have access to multiple aspects of internal information such as security incidents, breaches and claims data that may not have been made public.

Based on that information, cyber insurers define their premiums and contracts and could also define improvement objectives that incentivize positive security actions.

Incentives like a review of premiums and discounts for consistently strong security postures for the insured could have a large impact.

3. Monitoring and quality assurance tools

Cyber insurers can apply continuous monitoring practices and tools to ensure enhanced cyber posture through metrics like security ratings.

Continuous monitoring minimizes cyber risks and increases the understanding of the cybersecurity ratings of an insured entity at the time of a breach or incident. Overlaying these kinds of insights and crucial discoveries about the type of breach or incident that occurred and the impact categories outlined in the claims will provide unique insight.

For example, discovering any correlations between an entity type (e.g. industry and size), the entity’s cyber maturity rating, and the impact of the breach on the business that resulted in a claim to the insurer (or multiple insurers in some cases) is an invaluable improvement to our knowledge of risk indicators.

Aggregating and anonymizing analytics of claim data should surface strongly correlated indicators, patterns and emerging trends. This data can be used as legitimate leverage during both annual and post-incident premium negotiations with the insured.

It is clear that insurers are well-positioned to influence organizations to achieve cyber resilience. They can achieve this through leveraging the possibility of continuous underwriting, where insurers regularly monitor the risk posture of the insured. This type of active oversight can be influential for proactively coaching clients on the best ways to avoid cyber incidents.

Armed with data-driven risk models, insurers can motivate the insured to improve their controls, improving their cybersecurity risk rating and resilience in the context of a constantly evolving risk landscape.

4. Using and sharing intelligence

Cyber insurers can use and share intelligence with ecosystem players and law enforcement during an incident to speed reaction and reduce recovery times, thereby minimizing risk.

As already mentioned, providers have unique access to security incidents, breaches and claims data that may not have been made public. It would be irresponsible for insurance providers to keep this information from informing regulatory policy, cybersecurity practices and incident response.

Indicators of Compromise (IoCs) are routinely shared among ISACs (Information Sharing and Analysis Centers) in the US, Europe and Asia to aid in the collective resilience of an industry or sector such as oil and gas, financial services or retail/hospitality. STIX and TAXII (now in version 2.1 as of June 2021) are structured data-sharing protocols for this purpose.

Perhaps the major firms should seek out similar ways to build communities of insurance practitioners who can benefit from aggregated and anonymized TTPs (Tactics, Techniques and Procedures) and corresponding data for breach events or business disruptions. When more in-depth threat intelligence feeds from security vendors are added to this core of event and threat actor information, we just might be helping give rise to a collective defense capability that is truly resilient and robust.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
