Imagine that you’re responsible for underwriting the risk posed by prospective cyber insurance customers. How would you go about it?
The interest in cyber insurance is growing rapidly as the impact and frequency of highly publicized cyber breaches increases. Insurers lured by a market projected to triple its current $3 billion in revenue by 2020 have moved rapidly to create new offerings that must be underwritten.
How can an underwriter assess relative risk? Identifying the various sources of cyber risk confronting clients is a good starting point. There are many sources, and they fall into categories that we call the 3 P’s of cyber risk: perimeter, people, and partners.
When most of us think about cyber breaches, protecting the organization's network comes to mind first. Billions of dollars invested in technologies that protect the network perimeter have led to remarkable technological advances. A reasonable first step for an underwriter is to commission an external assessment of a prospective client's network perimeter, measuring its exposure to threats originating outside the organization.
According to Verizon's 2015 Data Breach Investigations Report, global threat intelligence providers continually report on over 500,000 malicious websites – and that list turns over every day. External security ratings evaluate a company's resilience against these threats at a single point in time. Because the threat landscape evolves quickly, external ratings change far faster than the internal defenses they are meant to reflect, and an external security score can be out of sync with reality within weeks or months.
In contrast to external ratings, assessing internal cyber risk defenses against widely accepted standards yields an index with a much longer half-life. While perimeter protection is vital, the most common cause of breaches by far is people. In every high-profile breach scenario I've seen, an employee or a member of the supply chain has been the root cause.
In “Redefining the Cybersecurity Attack Surface,” Charles Leonard made a strong case for moving from counting perimeter threats to counting employees and partners as the most relevant way to estimate vulnerability and manage cyber risk. In “Threat Intelligence, Meet Defense Intelligence,” he then made a strong case for using defense intelligence (knowledge about internal policies, procedures, people, and technology) as the foundational method for gauging cyber risk.
Assessing defenses involves measuring hundreds of internal controls, i.e. the processes and assets managed by the organization, and comparing them to accepted standards such as the NIST Cybersecurity Framework, HIPAA, FFIEC guidance, ISO, and others. By gauging actual practices against the standards, leadership can get a handle on their readiness to weather a cyber attack, and they can better understand which next steps will advance them the farthest toward cyber maturity.
A Combined Approach
When should external vulnerability ratings be used, and when are internal defensive measure assessments more appropriate? Scoring yourself on perimeter vulnerability is a valuable process but is insufficient to reliably represent the whole picture of cyber risk. A better approach is to conduct an internal assessment against standards, and then use external security scores to validate the effectiveness of the measures taken as a result of the assessment.
External security ratings are an important tool in evaluating current network infrastructure vulnerability, but knowing the external risk level falls short of pointing to a solution. Maintaining a deep understanding of existing defensive measures provides a rational way to prioritize actions that will improve the overall defensive posture of the organization and lead to cyber maturity.