Underwriters, InfoSec officers must close gap on risk management

Standardized method of assessing risk could clarify fuzzy communication between the two sectors

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

There is a major dis­con­nect, on a num­ber of lev­els, between infor­ma­tion secu­ri­ty offi­cers ready to pur­chase cyber lia­bil­i­ty cov­er­age and the insur­ance bro­kers and under­writ­ers eager to meet that demand.

That’s the big take­away from a new study by secu­ri­ty think tank The SANS Insti­tute and insur­ance indus­try researcher Advisen. SANS/Advisen exten­sive­ly ques­tioned 203 secu­ri­ty pro­fes­sion­als and 194 insur­ance indus­try executives.

Relat­ed pod­cast: Guess who’s part­ner­ing up to build actu­ar­i­al tables?

The result­ing report, titled “Bridg­ing the Insurance/InfoSec Gap,” was com­mis­sioned by cyber risk ana­lyt­ics ven­dor Piv­ot­Point Risk Ana­lyt­ics. It found that only 30 per­cent of under­writ­ers and 38 per­cent of infos­ec respon­dents felt they speak the same language.

The resul­tant con­fu­sion has reached the point where about two-thirds of the respon­dents indi­cat­ed they would wel­come assis­tance from reg­u­la­tors in defin­ing stan­dards and due diligence.

There’s one set of jar­gon used in the IT com­mu­ni­ty and a dozen or more sets used at the cyber insur­ance car­ri­ers,” says Dave Was­son, leader of the Cyber Lia­bil­i­ty Prac­tice at Hays Com­pa­nies, an insur­ance bro­ker and risk-man­age­ment consultancy.

Was­son says that even for some­one like him, who reviews insur­ance poli­cies for a liv­ing, the vocab­u­lary dif­fer­ences are mak­ing the job very difficult.

The poli­cies are not struc­tured the same. There’s some shared DNA, but they are very dif­fer­ent prod­ucts from car­ri­er to car­ri­er,” he says.

Two paths to the same goal

Barbara Filkins, SANS analyst
Bar­bara Filkins, SANS analyst

SANS ana­lyst Bar­bara Filkins, pri­ma­ry author of the report, says that in addi­tion to ter­mi­nol­o­gy, the sur­vey found major gaps exist in:

  • Assess­ment frame­works. These are the bench­marks for deter­min­ing min­i­mal lev­els of cyber hygiene. The insur­ance indus­try favors quan­ti­ta­tive over qual­i­ta­tive mod­els. But only 25 per­cent of infos­ec respon­dents employ a detailed quan­ti­ta­tive mod­el. Impre­cise qual­i­ta­tive analy­sis is most com­mon in the infos­ec realm.
  • Com­mu­ni­ca­tion. Inef­fec­tive com­mu­ni­ca­tion is com­mon between InfoS­ec pro­fes­sion­als, risk man­agers and insur­ance com­pa­nies, and between the under­writ­ers and bro­kers with­in the insur­ance community.
  • A lack of trans­paren­cy in under­writ­ing cri­te­ria has result­ed in com­pa­nies mak­ing secu­ri­ty sys­tems invest­ments that are not nec­es­sar­i­ly aligned with mak­ing them more insur­able, nor result­ing in paid ben­e­fits in the wake of a cyber attack.

Under­writ­ers and cyber­se­cu­ri­ty pro­fes­sion­als have the same objec­tives in pro­tect­ing a com­pa­ny from cyber incidents—but the two sides have devel­oped “par­al­lel paths” instead of talk­ing to each oth­er, says David K. Brad­ford, co-founder and chief strat­e­gy offi­cer at Advisen, who con­tributed to the report.

David K. Bradford, Advisen co-founder and chief strategy officer
David K. Brad­ford, Advisen co-founder and chief strat­e­gy officer

As a result, there’s a fair amount of mis­un­der­stand­ing between the two com­mu­ni­ties, par­tic­u­lar­ly lack of real in-depth under­stand­ing of what insur­ance cov­ers and how it works from the stand­point of infor­ma­tion secu­ri­ty,” Brad­ford says. “There’s some­thing of a Tow­er of Babel even with­in the insur­ance com­mu­ni­ty itself.”

Fun­da­men­tal differences

Some of the report’s key findings:

  • Only 48 per­cent of CISOs and oth­ers in InfoS­ec found cyber insur­ance at least ade­quate for a data breach
  • While CISOs are the best at under­stand­ing risk expo­sure, only 5 per­cent have any deci­sion-mak­ing pow­er in pur­chas­ing coverage
  • The gap in the ter­mi­nol­o­gy and risk-assess­ment frame­work has cre­at­ed a com­mu­ni­ca­tion divide not only between the two sides, but also with­in orga­ni­za­tions, between the infos­ec pro­fes­sion­als and the risk managers.
  • The “lack of trans­paren­cy in the under­writ­ing cri­te­ria has result­ed in mis­aligned invest­ments” by insur­ance buy­ers into tech­nol­o­gy and oth­er defens­es they think would make them insurable.

Among the fun­da­men­tal areas of dis­con­nect is the basic def­i­n­i­tion of risk. Cyber­se­cu­ri­ty prac­ti­tion­ers look at risk in the con­text of threats and vul­ner­a­bil­i­ties, and con­se­quent­ly try to elim­i­nate it through tech­nol­o­gy defens­es and poli­cies. Insur­ers, on the oth­er hand, look at risk through the lens of finan­cial con­se­quences to the organization.

The cyber­se­cu­ri­ty sector’s approach to defin­ing risk can be lim­it­ing, says Stu­art Itkin, chief mar­ket­ing offi­cer at Piv­ot­Point Risk Analytics.

Stuart Itkin, PivotPoint Risk Analytics chief marketing officer
Stu­art Itkin, Piv­ot­Point Risk Ana­lyt­ics chief mar­ket­ing officer

Look­ing at threats is impor­tant, but it doesn’t answer what the expo­sure is,” Itkin says. “We need to be able to look at the finan­cial expo­sure, or poten­tial loss­es and con­se­quences of a cyber attack as a com­mon denom­i­na­tor of the mea­sure of risk.”

Emerg­ing cyber field

One major chal­lenge stems from infor­ma­tion secu­ri­ty being a rel­a­tive­ly nascent field. The insur­ance indus­try favors quan­ti­ta­tive data. And typ­i­cal­ly, insur­ance rates are based on decades, or even cen­turies, of his­toric data. Cyber insur­ance loss­es and claims, how­ev­er, only go back maybe a decade or so.

In the InfoS­ec world, a lot of what peo­ple can pro­vide is qual­i­ta­tive in nature because there aren’t any hard num­bers to show,” says SANS ana­lyst Filkins.

The lack of quan­ti­ta­tive data leads to incon­sis­ten­cy in how under­writ­ers approach exposure—and “the infor­ma­tion secu­ri­ty pro­fes­sion­als and the bro­kers are in the same boat,” Filkins says.

Unlike oth­er insur­ance fields, cyber is very dynam­ic because the threats—and the consequences—are con­tin­u­ous­ly evolv­ing. But the under­writ­ing process itself is sta­t­ic, show­ing only a snap­shot, says Ben Bee­son, senior vice pres­i­dent of Cyber Risk Prac­tice at insur­ance bro­ker­age Lock­ton.

Not only that, he says, but under­writ­ers don’t under­stand how spe­cif­ic con­trols used by a com­pa­ny “move the nee­dle on the risk expo­sure rel­a­tive to the threat envi­ron­ment that the com­pa­ny oper­ates in.”

The under­writ­ing process for cyber insur­ance is bro­ken,” he says.

Com­mon frame­work needed

That makes cyber insur­ance dif­fi­cult to nav­i­gate for CISOs like John Sapp. When he joined Orthofix, an ortho­pe­dic prod­ucts sup­pli­er, Sapp almost imme­di­ate­ly got pulled into the con­ver­sa­tion about pol­i­cy renew­al. He says it’s con­fus­ing to under­stand what’s cov­ered, why things are being exclud­ed, and even how to com­plete a claim.

Sapp, like many oth­ers, would like to see a stan­dard­ized method for assess­ing an organization’s risk.

That is why we need a frame­work. It doesn’t mat­ter which one—just pick one,” he says. “Then you can bet­ter quan­ti­fy how you’re iden­ti­fy­ing the lev­el of risk and artic­u­late how you’re reduc­ing that risk.”

The frame­work, how­ev­er, has been the sub­ject of much debate among the esti­mat­ed more than 60 cyber risk underwriters.

There’s a cer­tain lack of trans­paren­cy upfront and lack of con­sis­ten­cy in stan­dards … so it’s a frus­trat­ing sit­u­a­tion for the infor­ma­tion secu­ri­ty pro­fes­sion­als and insur­ance buy­ers,” Brad­ford says.

Despite all the chal­lenges that come with an emerg­ing mar­ket, Itkin says things are work­ing “fair­ly well” and mov­ing in the right direc­tion. Not only are insur­ance com­pa­nies look­ing for new tech­nol­o­gy tools to sat­is­fy their search for quan­ti­ta­tive analy­sis, but there’s more dia­logue between the two sides, Brad­ford says.

Everybody’s objec­tive is to cre­ate bet­ter cyber insur­ance out­comes,” he says.

More sto­ries relat­ed to cyber insurance:
Chal­lenges and oppor­tu­ni­ties ahead for cyber insur­ance industry
NAIC sets mod­el stan­dard for con­sumer rights, cybersecurity
Com­pa­nies tap into cyber insur­ance to man­age busi­ness risk

Posted in Best Practices, Cyber insurance, Cybersecurity, Featured Story