Cyberinsurance and data privacy will garner more focus for the remainder of 2018 and beyond. The impending “Equifax effect,” which most of us anticipated, was put forth in late February 2018 by the US Securities and Exchange Commission (SEC) in the form of guidance that states that public companies should inform investors about cybersecurity risk even if they have never succumbed to a cyberattack. The guidance also emphasizes that companies should publicly disclose breaches in a timely manner.
This development perfectly aligns with the (cyber)consumers, providers and regulators (CPR) cycle (see figure 1) I propose in my recent Journal article, which basically necessitates participation from 3 key players—cyberinsurance providers, consumers and regulators. This conglomerative effort not only improves addressing and estimating cybersecurity risk from an insurance coverage perspective but also minimizes cataclysmic breaches. Providers need to be able to identify the right amount of cyberrisk that they are willing to undertake to provide ideal pricing for the coverage. This, in turn, depends on the consumers themselves to quantitatively know how much risk they own.
Figure 1: CPR Cycle
Today, there are numerous ever-evolving cyberthreats (e.g., zero-day, Internet of Things botnet distributed denial-of-service attacks, ransomware attacks) that result in costs that are not inherently covered by most cyberinsurance policies. Above all this, cyberinsurance has always been an add-on policy to traditional insurance policies. Historically, insurance companies relied on abundant data to make decisions on how much auto or home insurance coverage may be offered to a person or entity. In the cyberworld, the common backlash by both the providers and consumers is that there are not enough data to rely on.
Heat maps continue to be a staple resource for IT risk professionals to estimate risk worldwide. In my experience of performing security risk assessments, I always had a disconcerted feeling leveraging heat maps to estimate risk quantitatively. Turns out, there are better and proven statistical and probabilistic methods that can be adopted to quantitatively estimate cyberrisk (in monetary figures rather than in colors of red, yellow or green), especially when there is a dearth of data. An organization’s emphasis should be on addressing the burgundy arrows in the CPR cycle, and my recent Journal article provides an overview of these methods, potential benefits and references in attaining these goals.
The purpose of attempting cyberinsurance CPR is to build a continuously maturing ecosystem comprising:
- Cyberinsurance providers—Who will be able to provide coverage on the amount of risk they think they are undertaking and not providing a surplus
- Cyberinsurance consumers—Organizations having the prowess to estimate risk accurately, which enables them to transfer risk to the insurance providers at optimal pricing while covering bases when a breach ensues
- Regulators—To impose better and more timely breach reporting procedures on providers and consumers and enforce organizations to continuously adopt robust security and privacy practices
Read Indrajit Atluri’s recent Journal article:
“Why Cyberinsurance Needs Probabilistic and Statistical Cyberrisk Assessments More Than Ever,” ISACA Journal, volume 2, 2018.