The cyber insurance industry is in turmoil as more and more businesses seek insurance protection against the onslaught of advanced threats, particularly ransomware, while both carriers and those seeking insurance lack the ability to automate risk and financial models to calculate security control improvements, improve response times and reduce exposure.
The increasing sophistication and cost of cyberattacks have led to a massive jump in demand for policies, while many carriers are raising premiums (by 30% to 50%) and instituting more restrictive policy terms and coverage limits. According to several insurance brokers, many carriers have reduced the amount of coverage offered from $10 million to $5 million or less. At least one major carrier, European insurance giant AXA, dropped ransomware coverage altogether.
A deeper investigation into the forces behind the changes taking place in the cyber insurance market reveals three major challenges:
- Insurance underwriters rely on a highly manual, point-in-time approach to gathering data and assessing a company’s cyber risk exposure.
- Underwriters lack the ability to correlate loss data to vulnerabilities, deficient controls, misconfigured hardware or software, and the ability of an attacker to successfully compromise a critical application or system.
- Security assessments are conducted once before binding coverage and not revisited again until it’s time to renew the policy. In many cases, security assessments that are conducted on behalf of an underwriter are never shared with the company seeking insurance.
Challenge 1: Manual Risk Assessments
It’s hard to believe, but just one year ago most cybersecurity insurance questionnaires consisted of less than 10 questions and underwriters would give companies 60 to 90 days to get required controls in place. Today, most applications involve dozens of questions, are still highly manual, and companies only get 30 days to get their security controls in order.
The manual application process in place today means underwriters are writing policies based on guesswork that is only valid on the day it was produced. The requirement to automate the quantitative process could not be more urgent.
Automated cyber risk quantification is now a reality, and businesses should move quickly to gain a better understanding of their actual business risks and prioritize mitigation efforts so that critical business processes, applications, and data are protected. ThreatConnect’s Risk Quantifier (RQ), supported by a Threat Intelligence Platform (TIP) and Security Orchestration, Automation, and Response (SOAR) provides three specific benefits:
- Enables companies to proactively model and predict risk
- Establishes a baseline to mitigate and monitor for changes
- Shows ‘what-if’ recommendations that drive smart actions, mitigations, and response
Challenge 2: Correlation & Accounting for the Attacker
Cybersecurity insurance is different from other forms of insurance primarily because cyberattacks take into account two things insurance can’t (or won’t or doesn’t yet) measure — the attacker and the defenses they have to beat.
The struggle to understand loss exposure in cybersecurity isn’t the lack of loss data – it’s the lack of being able to correlate it to a vulnerability, a deficient control, misconfigured software or hardware, and the ability of an attacker to reach a critical system or application.
ThreatConnect RQ automatically enters data into the RQ Risk Model and Automation Engine. Those inputs include data from your organization’s technical environment as well as industry, attack, and vulnerability data aggregated by ThreatConnect through various sources. That information is then applied to the risk model and automation engine to determine the financial impact of cyber risks and the probability of success of specific attacks.
These calculations drive a variety of other activities within RQ that lead to the operationalization of that information across the rest of your organization, including:
- Prioritization of vulnerabilities not only by CVSS score but by relevance in terms of financial impact to your business
- ‘What-if’ analysis to help you understand what specific effects certain changes may have on your cyber risk before actually making those changes
- Producing short and long term recommendations on how specific changes may affect Annual Loss Expectancy (ALE) and provide guidance into any ‘low hanging fruit’ that may exist
Challenge 3: Cyber Risk Assessments
Given the advanced capabilities of cyber adversaries and their tactics, techniques, and procedures, the current cyber insurance model almost guarantees that insurance carriers will be forced to pay claims. Point-in-time assessments that are manual guesswork are inadequate for protecting enterprises from the onslaught of cyberattacks.
Being able to track cyber financial risk over time, understand the impact of budget decisions, and ultimately justify spending is now driving business decisions on which risks to tolerate, treat or transfer.
While step one is to understand your organization’s cyber risk exposure in financial terms, the next thing an organization must think about is how to mitigate that risk. ThreatConnect RQ models many different types of attackers and attacks that may infiltrate an organization, as well as an organization’s controls, vulnerability data, and critical applications.
Most RQ customers not only have their controls actively updated in the tool to assess which applications are most vulnerable, but they also provide vulnerability data which allows RQ to provide short-term recommendations on which Common Vulnerabilities and Exposures (CVEs) reduce the most risk by dollar amount.
The capabilities of RQ can give insurance underwriters and their clients a clear picture of inherent and residual risk in a dynamic fashion. Not only is the threat landscape and the parts of it that are relevant to your business changing, but the controls, applications, endpoints, and type of data present in your environment are changing as well. RQ enables you to apply these changes instantaneously to your models, allowing the measurement of cyber risk to move beyond point-in-time assessments and become programmatic in nature.
All of this analysis is then put in a report that business leaders, board members, and insurance underwriters can understand.