I have lived and breathed natural catastrophe insurance and modeling for many years. At my first cyber risk conference, NetDiligence in Santa Monica (Oct. 4-6), which was attended by hundreds of cyber insurance, legal/regulatory, and technology leaders from all over the globe, it was great to learn that a similar comradery and community exists in the cyber insurance space. However, while similarities exist, there are significant differences. I wanted to use this blog to take a moment and share my reflections on those with those of you that may be taking the same journey I have.
A major distinction is that as threat actors build scalable systems and refine their business and operational models, the insurance industry and the cyber security vendor ecosystem needs to constantly innovate and develop better data to keep up. As a CyberCube colleague said: “Hurricanes don’t do a retrospective on what they could improve next time.”
After entering the cyber insurance world, it struck me how businesses are seemingly powerless to stop attackers — threat actors are selling Ransomware-as-a-service tools for $400, which someone can use with relatively limited technical knowledge!
It was interesting to learn that while the media talk of sophistication in attacks, most initial access is down to preventable ‘human’ errors. Cyber events like phishing, compromised credentials, configuration errors, and so on have had solutions available for years. This highlights how critical education and collaboration with insureds will be to make the industry sustainable.
The pervasiveness of cyberattacks is also driving change in cybersecurity measures and monitoring. A quote that stuck with me was, ‘The perimeter is dead.’ While new to me, this phrase has been bandied about in cybersecurity for years.
With the rise in remote working during COVID-19, it has really brought home (pun intended) the issues of remote identity and access management, as well as authentication in the minds of insurers. Previously, security teams were trying to stop attackers from entering corporate networks. Now it’s a question of when not if.
So the challenge becomes: can we identify and triage anomalous activity before threat actors have done enough recon, exfiltration or encryption to cause losses?
For (re)insurers, CyberCube has two solutions that help on this front.
The first, CyberCube’s Account Manager, delivers a number of pre-breach risk signals and post-breach indicators of compromise, such as details on malware infections already present on a company’s network including known ransomware families. CyberCube constantly pressure tests the cyber risk signals we create for their degree of correlation to cyber risk using an expansive dataset of past cyber events to verify the statistical significance.
By quantifying the relationship between CyberCube’s signals and known cyber loss events, we ensure that we’re providing real indicators of increased risk to help cyber insurers more accurately and efficiently select and price single risks.
Another solution, CyberCube’s Portfolio Manager, uses a detailed cyber “kill chain” probability approach throughout its industry-leading catalog of cyber disaster scenario classes that realistically approximates the sequence of steps threat actors use to take down their targets.
CyberCube have conducted a study to look at the relationships between cyber risk signals and cyber incidents. Download the report for free here — Evaluating Cyber Risk Signals.
Unsurprisingly, recent attacks, such as those targeting SolarWinds, Microsoft Exchange, and even Colonial Pipeline, have resulted in carriers increasing rates, reducing coverage and demanding laundry lists of security controls to grant coverage. NetDiligence panelists said they have seen more underwriting scrutiny in the last nine months than they had seen in the previous nine years.
One of the key areas carriers are asking for more information is in the insured’s IT estate and in particular their technology stack: what digital supply chain software vendors or service providers support their business?
Account Manager and our Single Point of Failure (SPoF) Intelligence Module provide users with easy access to technology dependency information at both the single risk and portfolio levels. This allows users to see the complexity and potential risk accumulations stemming from software developers and service providers.
Check out our SPoF Intelligence Module and see how it can help you view technology dependencies, manage your cyber accumulations, and understand your digital supply chain risk concentrations.
Carriers and brokers need to become far more proactive and advise clients on the controls and configurations required to reduce risk. We are still not there but multiple panelists were asked if insureds would ever be incentivized financially if they arrived fully buttoned up for renewals. No one seemed to want to make that commitment in Santa Monica! Over time, I expect that the industry will be able to show a clearer link between security controls and reduced loss experience.
In the future, I believe the most attractive risks will be companies that can prove resilience in the face of attacks. The best risks will still be subject to attacks, but with measures like real-time detection, network segmentation, offline and encrypted data backup, and recovery solutions, they will be able to avoid complete disruption during attacks.
With the information CyberCube delivers, our clients can start to see trends across dependencies, industries and risk signals to help differentiate their pricing approach, improve underwriting efficiency, and better manage risk aggregations. These are key to unlocking continued growth in the cyber insurance market and incentivizing better controls and security among all insureds!
If you want to learn more about how CyberCube’s solutions help the (re)insurance industry understand, quantify and mitigate cyber risk, get in touch today: Contact us.