Is cyber-insurance now an enterprise security reality?

By Martin Banks, January 22, 2020
Summary:
Insurance against cyber-attacks has been difficult to secure. Now objective, external third party evaluation of a company’s security status is possible, and underwriting it is following along


Less than a decade ago one of the subjects in and around the cloud services industry was that of insurance, and in particular the question of whether it would be possible for business users to insure themselves not just against failures of their chosen hardware or applications software, but also against the pernicious, malicious intentions of cyber-criminals.

Though often dressed up in fine words and good intentions, the answer back then was a simple 'No'. Basically there were too many unknowns and too little genuine evidence, in advance of underwriters writing a policy, of how effective any defences a user had might be.

They might have a vast array of anti-virus, anti-malware, anti-everything imaginable systems and tools, but even if all in place and used correctly, were they up to date? Did the user have sound policies on operations and use? And if they did, could they really be certain every member of staff adhered to them religiously? And perhaps most common of all, could anyone be certain all patches were installed as soon as possible?

So many questions when the best possible answer might only be....eerrrr….ummmmm.    

Now insurance underwriters are addressing the issue directly, not least because of BitSight's ability to use both its Sinkhole Network and a wide range of third party data sources to build objective pictures of just how cyber-secure a business is, or is not, and where its security weak-points lie. This information makes the actuarial number crunching the insurers undertake to determine the risk so much simpler, not least because it can be based on real cyber-security metrics.

Cyber-insurance carriers today will use security ratings as a data set to help in the underwriting of cyber insurance policies. This is now markedly different from traditional risk assessment methods, which have been based on clients filling out application forms and answering the expected questions on cyber security tools, policies and practices. That, as BitSight VP of Business Development, Jake Olcott observes, was all the information an insurer had on which to write a policy. It was the primary reason most of them walked sharply in the other direction when such a suggestion was made:

Now, carriers use BitSight, in addition to those questions to get more granular information, helping them to address that information gap. They'll use it as part of the underwriting decision and as part of the pricing decision. They'll also use our data to do modelling of what they would call aggregation risk. And that is a really interesting area, too, because a lot of insurance carriers now feel reasonably comfortable about writing individual policies.

This is where the actual risk is dependent upon an intermixing of risk factors, especially where multiple, collaborating users are concerned. Insurers then need to know, for example, whether all the users are working with the same technology and whether it underpins the whole business. This matters because something going wrong with that technology could have a catastrophic impact on a business, and therefore on how a policy is written.

The data that BitSight is able to accumulate, from its own Sinkhole Network and third party sources, gives it a view into the technology relationships within a business and also between businesses. This aggregation can have a direct impact on the risk to be insured and on how the subsequent policy is written:

It means an insurer can use the data to identify where the common bonds are between groups of users and groups of companies. For example, if they are all using one of the major cloud service providers and something happens to that operation, could the insurer be impacted?
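The "common bonds" idea above can be made concrete with a small portfolio calculation. The following is an added example, not BitSight's method or data: it assumes a hypothetical book of policies, each tagged with the technology providers the insured depends on, and works out how much insured limit would be hit at once if a single shared provider failed, the accumulation (aggregation) question the text describes. Provider and company names are constructed placeholders.

```python
"""Aggregation (accumulation) risk across shared technology providers.

Added illustration, not BitSight's own method or data. Given a portfolio of
insured companies and the providers each depends on, it answers the question
in the text: which common dependencies, if they failed, would expose a large
share of the insurer's total written limit at the same time?
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Policy:
    insured: str                                   # hypothetical insured name
    limit: float                                   # policy limit (constructed)
    providers: set = field(default_factory=set)    # technology dependencies


# Constructed sample portfolio: names and figures are placeholders, not real data.
PORTFOLIO = [
    Policy("acme-manufacturing", 5_000_000, {"cloud-a", "office-suite-x"}),
    Policy("globex-finance", 10_000_000, {"cloud-a", "office-suite-x", "crm-y"}),
    Policy("initech-pharma", 7_500_000, {"cloud-b", "office-suite-x"}),
    Policy("umbrella-logistics", 2_500_000, {"cloud-b"}),
]


def aggregate_exposure(portfolio):
    """Map each provider to (total insured limit, sorted list of insureds).

    Every policy whose insured depends on the provider contributes its whole
    limit, i.e. the worst case where one provider outage hits all of them.
    """
    totals = defaultdict(float)
    members = defaultdict(list)
    for policy in portfolio:
        for provider in policy.providers:
            totals[provider] += policy.limit
            members[provider].append(policy.insured)
    return {p: (totals[p], sorted(members[p])) for p in totals}


def concentration_flags(portfolio, threshold=0.5):
    """Providers whose failure would expose more than `threshold` of total limit.

    Returns {provider: share_of_total_limit} for the flagged providers only.
    """
    total_limit = sum(policy.limit for policy in portfolio)
    flagged = {}
    for provider, (limit, _insureds) in aggregate_exposure(portfolio).items():
        share = limit / total_limit
        if share > threshold:
            flagged[provider] = round(share, 3)
    return flagged


def shared_dependencies(portfolio, insured_a, insured_b):
    """Common providers between two insureds: the 'common bonds' in the text."""
    by_name = {policy.insured: policy for policy in portfolio}
    return sorted(by_name[insured_a].providers & by_name[insured_b].providers)


if __name__ == "__main__":
    for provider, (limit, insureds) in sorted(aggregate_exposure(PORTFOLIO).items()):
        print(f"{provider:15s} exposed limit {limit:>14,.0f}  insureds: {', '.join(insureds)}")
    print("concentration flags:", concentration_flags(PORTFOLIO))
    print("acme/globex share:", shared_dependencies(PORTFOLIO, "acme-manufacturing", "globex-finance"))
```

Run as a script it lists, per provider, the total limit that a single outage would put in play and flags the providers above half the book (here the shared office suite and one cloud provider). A real underwriting model would weight this by the probability and severity of an outage and by policy sub-limits, but the dependency mapping is the step that external security-rating data makes possible.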

Pre-existing

This can be particularly helpful in handling policies taken out prior to working with BitSight. The additional, more detailed information can warn an insurer that the risk levels are higher than originally understood, so that it can re-insure those policies and have the re-insurance cover any subsequent losses.

This is a marketplace where there is increasing activity in modelling insurance risks, and many of the companies in that field are already customers of BitSight. So, it is now possible for both major business users and insurers to work with modelling specialists to evaluate the likelihood and consequences of catastrophic failures of, for example, one of the major cloud service providers.

The same approach can be applied to specific products that are widely used, such as Microsoft Office, particularly when coupled with Microsoft Azure cloud services.

Olcott estimates that approximately 50% of the world's cyber insurance policies are written by BitSight customers, which range from some of the largest public cloud service providers through to major enterprises in manufacturing, finance and pharma. The use of insurance is also now starting to spread, with small and medium sized businesses becoming interested in buying cyber insurance to cover their operations:

What they are not buying is prevention of things like ransomware. But they are buying coverage if ransomware attacks are successful, so it will cover the forensics firm to come on site and help out, or cover the legal fees, and regulatory fines.

Not GDPR

There is, however, one important exception to getting coverage for the payment of fines: GDPR. This is a regulatory subject where the potential for business-damaging fines can be applied by the authorities if companies play fast and loose with their data – and especially third-party data from customers and business partners – and cybercriminals make away with it.

This is now a real archetype of the role BitSight is intended to fulfil. It becomes in the best interests of every company, and every one of its current business partners, to have a clear idea of their cybersecurity status in relation to each other and the rest of the world. Losing third party data in an ever-more interconnected, collaborative environment has become the ultimate crime, and is the one cost of failure that cannot be insured against, notes Olcott: 

Under EU regulations, organisations cannot purchase cyber-insurance to cover GDPR or regulatory fines. EU member states do not want organisations to be able to leverage their insurance policies for regulatory fine coverage, so they can't hide behind that. And that is exactly right.

My take

Cyber-insecurity happens, and even if one company is really good at security, the modern world of collaboration and data-sharing means that some other company's failing can always rebound and affect others. For most businesses, therefore, insurance is an obvious level of protection, and at last it is now becoming a more widespread reality. But it will mean being brave enough to have that external, objective, third-party examination of your security outside the firewall, out in the real world.