Measuring the Cyber Risk Management Capabilities of Companies

By Craig Moss, COO, CREATe Compliance

The Equifax breach – resulting in the exposure of personal data of 143 million people – offers an example of the challenges of cybersecurity for both insurers and companies. It illustrates that even companies whose entire business is built on data can fall prey to an attack. Despite the cybersecurity controls Equifax had in place, the attackers exploited a vulnerability that remained open because a recommended software patch had not been installed. The latest estimates state that the breach will cost Equifax $439 million, and that their cyber insurance policy will only cover up to $125 million.

The Equifax story highlights two challenges. First, it points to the challenges in having a common understanding of what cyber insurance covers. Second, it points to the importance of realizing that cybersecurity requires the orchestration of ‘people, processes and technology’ to mitigate risks. Were there procedures in place to systematically manage patching? Were people trained and accountable for patching? Was there sufficient network and data segregation to restrict access? It’s likely that Equifax has the answers to those questions now. For insurers and companies, the question is how to understand cyber risk management capabilities before disaster strikes – and how to shift from being reactive to preventative.

Challenges in Understanding Risks
With stories of massive data breaches constantly appearing in the news, it may seem surprising that so many companies have yet to purchase cyber insurance. A recent study by the Council of Insurance Agents & Brokers (CIAB) found that only 32 percent of respondents purchased cyber coverage in the first half of 2018. Although there has been significant growth in cyber insurance underwriting, there are fundamental issues between companies and insurers that hamper wider adoption.

Cyber insurers face difficulty in designing coverages and setting premiums. Cyber insurance is a relatively new market and the lack of historical data makes it difficult to assess the probability and severity of loss. Equally important, there is no consistent way to measure the maturity of a company’s cybersecurity risk management program. The lack of a maturity metric is compounded because no company is an island when it comes to cybersecurity risk. The insured company may have some controls in place but what about the contractors, suppliers, and customers that have access to their systems?

Companies are hesitant to buy cyber insurance for a variety of reasons. A survey by PartnerRe and Advisen found that 42 percent of brokers named clients “not understanding exposures” as the biggest obstacle to selling cyber insurance. If a company has not assessed its risks and the possible damage, it is hard for it to understand its insurance options and determine the value of coverage. Additionally, cyber policies vary from one insurer to another, which makes it difficult for potential buyers to understand what coverage they would receive and which plans best fit their needs. Unless there is direct pressure from their major customers, companies often lack motivation to improve cybersecurity programs because they don’t see the return on investment (ROI). They have the misperception that it’s cheaper to react to an incident than to prevent one. They also believe that they are not rewarded with lower premiums if they have a more mature cybersecurity program.

Maturity Metrics: Bridging the Gap
Insurers and companies considering cyber insurance are both seeking ways to bridge the knowledge gap to create a more predictable experience with cyber insurance. Insurers want a better way to assess the risk posed by a company. Companies want more clarity about what is covered, and what actions will reduce their risk, as well as their premiums. Assessing the maturity of a company’s cybersecurity program is the bridge to this knowledge gap.

A company with a more mature cybersecurity program has embedded cybersecurity into their operations. They have practical policies and procedures. Employees understand their role in preventing and responding to a cyber-attack. Companies with a more mature program are more preventative and better able to react if there is an incident. Higher maturity directly correlates with lower risk.

Companies and insurance underwriters need to agree on what to measure, and they need a calibrated way to assess and compare maturity.

Rather than re-inventing the wheel, the insurance industry should use what exists. The NIST Cybersecurity Framework identifies 98 controls that are important to managing cybersecurity risk. This defines what to measure. Companies are increasingly turning to the NIST Framework to evaluate their own cybersecurity program and that of their suppliers and partners. In terms of a calibrated way to measure maturity, the most widely used scale across all business processes is a simple 1-5 scale (5=highest maturity).

Cybersecurity is clearly an area where continual improvement needs to be fully embraced throughout the organization. Maturity metrics are a proven way to establish a cycle of continual improvement. With the rise of internet-connected devices, artificial intelligence and other trends, cybersecurity challenges are only going to become more complicated. For insurers and companies alike, taking a risk-based approach will continue to be important – however, to fully understand the extent of the risks, it’s critical to measure the maturity of programs against leading guidance and standards.
