(Image credit: Adobe Stock.)
The amount of cyber crime is constantly growing. At this very moment, tens of thousands of businesses are undergoing a cyber-attack. Cybersecurity Ventures forecasts that the damage caused by cyber-attacks will rise from $3 trillion in 2015 to more than $6 trillion by 2021. This would represent the greatest economic transfer of wealth in history. Insurance carriers play and will play a crucial part of this act by providing coverage for this damage. So how can they cope with cyber?
Assessing and Quantifying Cyber Risk
The main factors in assessing risk for an organization lie in analysis of a company’s security controls and relevant cyber threats. Let’s take a second to discuss security controls—are firewalls set up properly, do they have malware protection, an anti-phishing solution? Even if the answer is yes to all these questions, there is still a significant amount of cyber risk out there due to external factors. Are there known malware campaigns targeting specific industries, specific nation backed attacks to look for? Take for example, the Equifax breach last September in which hackers swiped the personal information of 143 million Americans including birth dates, addresses, and Social Security numbers. The attack occurred due to a vulnerability affecting the Apache Struts application used by Equifax in one of its portal’s and the inability to patch it within 48 hours. Hackers breached Equifax on May 13 but weren’t caught until July 29th. On this front, they missed security controls from within as well as failed to adapt to influences from outside risk holders. So here comes the real zinger—could their insurer have known?
And the answer is yes, if they took the proper approach when underwriting the policy.
Underwriters currently lack the insight into ongoing activity in the cyber threat landscape, needed to easily assess an opportunity and evaluate identified gaps between their offered coverage and the organization’s security resilience. They need the ability to easily prospect and select risks, grow their book according to risk appetite, and manage their portfolio risks accumulations based on continuous cyber insights. In this case, they could have been forewarned that X percent of users in their portfolio use Apache Struts software which was experiencing a vulnerability that was actively exploited by several cyber attack groups at the time of the Equifax breach.
Quantifying Financial Impact
When it comes to financial risk, while the initial thought after a cyber breach is that it will only affect the cyber policy, it’s important that insurers recognize the silent risk that exists within other policies provided by the insurer as well. In the case of Equifax, their filing clearly stated “our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur.” To identify an insurer’s financial exposure, insurers need the capability to map their policies to silent cyber risk triggers. For example, it’s crucial to understand the potential damages caused by transfer of malware to third party system networks, media liability, and Denial of Service (DoS) attacks on critical infrastructure. However, the analysis extends past this as the relevant threat scenarios need to be identified and combined with past claims data, security resilience analysis and operational business characteristics to provide a full picture as to how capital is at risk.
Taking a preventive approach
Lastly, insurers need the capability to provide risk awareness advice to their clients. According to the Chubb Cyber IndexSM clients of theirs have experienced 556,268,788 exposed records in the past twenty years. Insurers can only provide risk awareness if they have the ability to properly assess the threat landscape, deep understanding of sector attacks, vulnerabilities associated and match the risk level to the specific organizations by a full mapping of its tech stack. In an ideal world, insurers would even be able to offer discounts to companies that take proactive actions to deter cyber attacks but before we get there, it would be helpful for all if they could at least forewarn their portfolios of proliferating cyber threats that can compromise their digital assets. And of course, if we wake it back to our initial Equifax example and with hindsight, it would have been wonderful to see Equifax’s insurers empower them with their internal and external insights and ability to assess how much this breach would cost them in the future.