GREY ORBITS Framework for Cyber Insurance
Background
Cyber insurance is trending again, especially after last month's CrowdStrike incident, which triggered one of the most extensive IT outages on record. The Financial Times pointed out that it was a painful reminder of the systemic nature of cyber risk: an innocuous software update caused as much disruption as a malicious cyber-attack. The FT added that the insurance industry is braced for losses that could run into billions, yet insurers may also be the biggest winners, given that such events feed demand for cyber insurance.
Cyber professionals often claim to be stuck in a “Groundhog Day.” For me, it has been more than twenty years. January 2003 brought my first real exposure to a cyberattack. My team and I responded to a crisis call from a high-profile bank under attack; its SQL servers had been exploited by the Slammer worm, which generated overwhelming outbound traffic and crashed the bank's routers and firewalls from the inside. The worm was memory-resident and so small (376 bytes) that it spread over UDP in a single packet (404 bytes including headers), rapidly choking the Internet globally.
Through the years, high-impact malware, ransomware attacks, data breaches, and IT outages have plagued enterprises, eroding customer confidence. I wrote about the Changing Landscape of Information Security. I also discussed how lapses in internal controls resulted in the collapse of a two-hundred-year-old bank (Barings) in the 1990s. I remember reflecting on Quality as the missing “backbone,” a priority that, if established, could drive successful cybersecurity strategies, control costs, and set a standard for others to follow. I also emphasized the role of Cyber Resilience, Maturity, and Insurance, key strategies that every cybersecurity professional should know.
Several insurers offer cyber insurance covering business interruption, data recovery, incident response, third-party claims, extortion expenses, legal settlements, regulatory penalties, and more. I was, however, surprised to read that cyber insurance has not improved cybersecurity or reduced cyber risk since the late 1990s. That is the observation of Josephine Wolff, Associate Professor of Cybersecurity Policy at the Fletcher School of Law and Diplomacy at Tufts University. Her book, published in 2022 by the MIT Press, ‘Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks,’ offers a comprehensive history of cyberinsurance. Wolff also argues that cyber insurance is ineffective at curbing cybersecurity losses because it normalizes the payment of online ransoms, whereas the goal of cybersecurity is the opposite: to disincentivize such payments and make ransomware less profitable.
Against this backdrop, I propose a framework for cyber insurance that can also help improve cybersecurity, reduce risks, and curb losses.
Framework
Enterprises must determine the extent of insurance needed to protect themselves against cyber risks, and insurers must evaluate the risks involved in underwriting them. In doing so, I have observed excessive reliance on technical metrics such as penetration testing and vulnerability assessment reports, which indicate how easy or hard it might be for attackers to compromise an enterprise, including the supply chain of small and medium businesses it connects to. Security accreditations also convey an organization's maturity level: if two enterprises are evaluated equally on all other criteria, the one with accreditations provides more comfort.
While essential, technical metrics and security accreditations measure only a tiny portion of an enterprise’s susceptibility to compromise. Enterprises need to look wider. Other critical factors that may dilute cybersecurity and increase risk are the five discussed below: business entropy, risk tolerance, management strategy, operational maturity, and cyber resilience.
The following section explores these factors in depth, providing a structured approach to assessing and measuring their maturity. The accompanying spreadsheet is a prototype for a software-driven, self-attested Risk Assessment Questionnaire that collects detailed information (supported by evidence for confirmation in some cases) to understand an organization's capability and performance in managing these critical factors. The resulting maturity scores, in turn, inform the premium an organization would need to pay and the risk an insurer would underwrite.
The following are only a few examples of how one can build decision tables covering all the plausible scenarios required. Organizations must adjust the depth and weight of the questions according to their business context.
The first example presents a case where insurers may be comfortable underwriting risks by offering a low insurance premium if customers with even a high business entropy and a low tolerance for risk demonstrate a robust management strategy, operational maturity, and technology resilience.
The second example presents a case where insurers may charge higher premiums if they find the technology resilience weak and operational maturity not robust enough.
The third example shows that even with low entropy, high risk tolerance, robust operational maturity, and technology resilience, insurers are likely to charge a high premium should they observe a weak management strategy.
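The three cases above can be encoded as rows of a decision table in which row order expresses priority and unlisted factors are wildcards. The Python below is an added illustration, not the GREY ORBITS spreadsheet or any insurer's model: the factor names, the binary rating scale, the premium tiers ("low", "higher", "high") and the rule order are assumptions chosen to reproduce the three worked cases. The completeness check is the part a practitioner should keep: a table that leaves any rating combination uncovered means the premium for that customer gets decided ad hoc.

```python
"""Decision-table prototype for premium tiers (added example, not the
original article's spreadsheet).  Factor names, rating vocabulary, tier
labels and rule priority are assumptions for illustration."""
from itertools import product

# Assumed rating vocabulary.  A real questionnaire would score each factor on
# a finer scale and bin it into these labels before the table is consulted.
FACTORS = {
    "business_entropy": ("low", "high"),
    "risk_tolerance": ("low", "high"),
    "management_strategy": ("weak", "robust"),
    "operational_maturity": ("weak", "robust"),
    "technology_resilience": ("weak", "robust"),
}

# Rows are tested top to bottom; the first match wins.  A row lists only the
# factors it constrains, so row order encodes priority: a weak management
# strategy (third example in the text) overrides otherwise robust ratings.
DECISION_TABLE = [
    ({"management_strategy": "weak"}, "high"),
    ({"technology_resilience": "weak"}, "higher"),
    ({"operational_maturity": "weak"}, "higher"),
    ({"management_strategy": "robust",
      "operational_maturity": "robust",
      "technology_resilience": "robust"}, "low"),
]


def validate_ratings(ratings):
    """Reject unknown factors, missing factors, or out-of-vocabulary ratings."""
    unknown = set(ratings) - set(FACTORS)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for factor, value in ratings.items():
        if value not in FACTORS[factor]:
            raise ValueError(f"{factor}={value!r} not in {FACTORS[factor]}")


def classify(ratings, table=DECISION_TABLE):
    """Return (premium_tier, row_number) so every decision is auditable."""
    validate_ratings(ratings)
    for row_number, (conditions, tier) in enumerate(table, start=1):
        if all(ratings[f] == v for f, v in conditions.items()):
            return tier, row_number
    raise LookupError(f"no row covers {ratings}")


def uncovered_scenarios(table=DECISION_TABLE):
    """Enumerate every rating combination and return those no row matches."""
    names = list(FACTORS)
    gaps = []
    for combo in product(*(FACTORS[n] for n in names)):
        ratings = dict(zip(names, combo))
        try:
            classify(ratings, table)
        except LookupError:
            gaps.append(ratings)
    return gaps


# Constructed inputs reproducing the three worked cases in the text.
EXAMPLE_1 = dict(business_entropy="high", risk_tolerance="low",
                 management_strategy="robust", operational_maturity="robust",
                 technology_resilience="robust")
EXAMPLE_2 = dict(EXAMPLE_1, operational_maturity="weak",
                 technology_resilience="weak")
EXAMPLE_3 = dict(business_entropy="low", risk_tolerance="high",
                 management_strategy="weak", operational_maturity="robust",
                 technology_resilience="robust")

if __name__ == "__main__":
    for name, case in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2),
                       ("example 3", EXAMPLE_3)):
        tier, row = classify(case)
        print(f"{name}: premium {tier} (decided by row {row})")
    print("uncovered scenarios in full table:", uncovered_scenarios())
    # Dropping the catch-all row leaves the four all-robust combinations undecided.
    print("uncovered without last row:", len(uncovered_scenarios(DECISION_TABLE[:-1])))
```

Returning the row number alongside the tier is deliberate: an underwriter or auditor can point at the exact rule that produced a premium, which matters when the table is later tuned for a customer's business context. When factors are scored on more than two levels, the same `uncovered_scenarios` check grows combinatorially, so it should be run whenever the table or vocabulary changes rather than by hand.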
Critical Factors
A. Business Entropy
Large organizations are often mired in bureaucracy, leading to inefficiency, while small and medium businesses, including startups, lack formality and structure. Furthermore, an unclear strategy and weak risk measurement neither drive operational process efficacy nor provide the means to build resilience.
Large and small businesses must first recognize what leads to these situations. They are indicative of entropy, a scientific concept most commonly associated with disorder, randomness, or uncertainty. The higher the entropy in your business, the more disordered and uncertain its outcomes are likely to be. The questionnaire in this framework recommends capturing the elements likely to contribute to business entropy.
B. Risk Tolerance
Mary Carmichael, President of the ISACA Vancouver Board of Directors, brilliantly explains the difference between Risk Appetite and Risk Tolerance, guided by ISACA’s Risk IT Framework and the paper Using Risk Tolerance to Support Enterprise Strategy. Risk appetite is “the amount of risk an organization is willing to accept to achieve its objectives.” In contrast, risk tolerance is “the acceptable deviation from the level set by the risk appetite and business objectives.”
Furthermore, each organization's risk appetite reflects its internal and external context. For instance, banks are heavily regulated and have minimal risk appetite. A software development firm, on the other hand, is not. It may accept more risk to achieve customer growth while instilling a strong culture of innovation. However, this firm may have little appetite for reputational risk given the potential impact of customer and monetary loss.
The questionnaire recommends calibrating risk appetite and tolerance by assessing the impact of threat scenarios, such as financial loss, data leakage, and disruption of services. Risk appetite defines the impact an organization is willing to absorb to accomplish its objectives, while Risk Tolerance defines the impact an organization can absorb to stay in business. In this regard, risk appetite and tolerance are concentric circles representing inner and outer boundaries that the organization should play within.
C. Management Strategy
Two years ago, when my team and I were helping FinTech start-ups build a resilient cybersecurity posture, I came across a talk show in which Heather Adkins, VP of Security Engineering at Google and a member of the Black Hat and CISA boards, narrated her positive security experience from her early days at Google when it was a startup.
What she said resonated with me. It applies to all organizations, not just startups.
Organizations that strive to create such models
The questionnaire recommends capturing efforts in these areas, which will help assess and measure the robustness of the management strategy and the maturity of its execution.
D. Operational Maturity
This is about
The questionnaire in this framework recommends capturing the above elements, which will help assess and measure operational maturity. Note that the adoption and diffusion of technologies induce constant change in business processes. Therefore, achieving operational maturity also requires effective change management.
E. Cyber Resilience
It is an arduous challenge for organizations to manage the myriad security processes necessary to protect themselves from the almost daily discovery of bugs (as seen in the CVE vulnerability database), breaches, and bad actors.
To build cyber resilience, organizations must assume that their protection layers will be compromised and prioritize strengthening their ability to bounce back into shape.
The challenge is establishing visibility into the technical security metrics governing the cyber hygiene of the entire infrastructure and applications environment. Organizations that embrace this challenge stand a better chance of building resilience and bouncing back when they are under a cyberattack.
The questionnaire recommends capturing technical metrics to help assess and measure an organization's resilience to a cyber-attack.
References
1. IT outage and cyber insurers (articles from The Financial Times)
2. Slammer worm outbreak
3. ISACA’s Risk IT Framework
#cyber #insurance #entropy #risk #appetite #tolerance #management #strategy #maturity #resilience #framework #assessment #metrics #accreditations #assurance #model
Copyright © 2024, GREY ORBITS, All Rights Reserved
Disclaimer: All views expressed here are entirely mine.
Europe to APAC GTM (2 months ago): Bookmarked, saved and going to make notes!