Since we cannot anticipate or mitigate all threats that have the potential to endanger us, we can choose to buy coverage by contract to indemnify or guarantee against potential losses. In other words, we buy insurance to transfer some of the financial risk associated with the negative impact of a variety of incidents. This is true for cybersecurity, as well. But insuring cyber risk is different.
Cyber insurance is growing increasingly popular as cyber-attacks become more common. Its role is not only to help businesses reduce the financial impact of cyber incidents but also to provide pre-incident expertise that helps reduce cyber risk and to provide actual support during a cyber crisis. To date, cyber insurance is still, to a large extent, not an integral part of many cybersecurity programs, partly because in most organizations its value is still not correctly perceived.
This is not without reason. Cyber risk is a complex risk to manage, let alone insure. Lloyd’s views cyber as “one of the most complex, current and critical risk businesses face.” Properly identifying the risk is the key to a good insurance cover. According to The Betterley Report, "More than most other insurance policies, cyber-risk requires experienced risk professionals to craft the proper coverage. [...] The products are complicated, making these educational efforts a worthwhile and necessary investment.” Moreover, since every organization is different, the first law of cybersecurity reminds us that we “cannot say anything interesting (i.e., significant) about the security of a system except in the context of a particular application and environment.”
The quickly evolving nature of cyber threats, together with new regulations and the increasing rate of technology adoption in all organizations, including IoT, will change the way businesses are impacted by cyber incidents. They will have to deal with business interruption, financial and regulatory penalties and reputational damage in ways they have not before. These could be serious threats to the organization’s ability to function, to produce revenue, to maintain its share price or even to survive, in extreme cases and, for SMBs, even in typical cases.
In theory, the decision to purchase cyber risk insurance should be the result of a risk management process, but in today's market this is usually not the case, and the situation will get worse before it improves. According to recent SANS research, there are four primary reasons for this. The first is the Terminology Gap: insurers and cybersecurity professionals do not speak the same language. Next is the Framework Gap: underwriting standards and IT risk standards are not the same. Third is the Communications Gap: cybersecurity professionals are not fully aware of the benefits of cyber insurance. Finally, the Investment Gap: there is no clear alignment between the insurance criteria and cybersecurity expenditures. The decision to purchase insurance usually needs to come from top-level management.
But there is one more fundamental problem: there is a true difficulty in understanding the business impact of cyber-attacks. In other words, how can one tell how much risk is insured and transferred to the insurance carrier?
Therefore, to properly assess cyber risk, it is not enough to express impact in terms of the “traditional” confidentiality, integrity and availability. We need a new mechanism to “translate” threat intelligence (the adversary’s capability and intent) and IT impact into tangible and intangible impacts on the business, such as loss of clients, breach of privacy (PII, PCI, PIFI), data and software loss, incident response costs, extortion costs, business interruption, multimedia liabilities, regulatory costs and fines, reputational damage, network service failure, physical asset damage and even death and bodily injury.
To properly assess cyber risk, we need a new framework that combines four elements into one unified risk map: (1) Adversary Intelligence: who is trying to harm your organization, and why (capability and intent)? (2) Business Impact Analysis: what is the potential financial (and other business-related) loss from a successful attack? (3) Attack Type and its Complexity: what types of attacks is your organization likely to face? (4) IT Systems Exploitability: how vulnerable is your cyber infrastructure to attack?
Even in medium or large enterprises that are risk-aware, such as financial institutions, managing cyber risk requires multidisciplinary skills, cross-organizational discussions and training, investment of time and money in collecting and assessing threat intelligence, and ongoing assessment of the IT environment for potential risks. This requires considering not only technology but also its relationship to the business processes and environment and to the people using them to achieve the organizational, operational and business goals. The decision to purchase cyber insurance should be the result, not the start, of the risk management process. The risk of not properly managing cybersecurity could be grave, not only to the attacked organization and its management but to the insurance carriers as well.
Ram Levi, Founder & CEO of Konfidas & Co-Founder of LCS, served as the secretary for the PM of Israel's National Cyber Initiative