Cyber insurance is on the rise for a number of reasons, one being the need for businesses to mitigate risk by sharing it with other entities.
In the same way that organisations transfer physical risk by taking out insurance against fire, natural disasters or other threats to their physical assets, many companies worldwide are looking to understand their exposure to cyber risk so they can reduce their enterprise risk by minimising threats to their digital assets.
Originally this process was part of organisations’ risk assessment and gap analysis practices, but now cyber insurance is becoming a separate discipline which is focused on identifying and evaluating the vulnerabilities in the (digital) platforms used by businesses. This includes the systems where transactions are made and the devices through which customers and stakeholders interact with the organisation.
To manage cyber risk effectively, organisations need to understand that the threat landscape is always evolving (new threats appearing every day) and, as a consequence, the attack surface is continuously growing.
Not only do organisations have to deal with the risk to their own systems and potential damage to their own assets but, in the world of cyber insurance, they also need to be aware of possible damage to third parties and potential liability.
Another critical aspect is to consider the supply chain, especially in a digital world where software applications and platforms are developed by third parties and service providers and many critical applications are hosted in the cloud.
To address this challenge, organisations need to ask who is going to be responsible if there is a bug in the software or a coding vulnerability that results in a security breach. Security guarantees need to be provided in terms of quality assurance, testing and patching to minimise the window of exposure.
Cyber insurers also need to train their teams of underwriters, policy makers and risk analysts to understand the digital environment of the customers who need to be insured. They need to gather detailed information about the systems, applications, platforms and digital environments in which organisations perform their work.
They also need to gauge the amplified perimeter of the enterprise now that employees carry devices which hold corporate information and are not always safeguarded by basic security standards such as encryption and anti-malware protection.
Asking the right questions
Companies need to understand the value of the assets being insured and, consequently, decide the counter measures required to close the window of exposure to cyber threats.
It is important then to adopt not only a quantitative but also a qualitative approach to risk analysis and start asking “what if?” questions, which would open a world of potential scenarios about what could happen in the event of a cyber security breach.
Let’s not forget that cyber insurers are very good at using the simple yet very powerful risk equation: for risk to exist, there has to be a threat exploiting a vulnerability in the system and a probability of an attack which could have an impact on the business.
Cyber insurers work with these four dimensions (threat, vulnerability, probability and impact) to measure the probability of a threat affecting a company. The issue here is, now that we live in an amplified digital world, not all companies are aware of the four variables on every single asset which contains sensitive business information.
Identifying emerging threats
Cyber insurers are working with a number of organisations which are feeding in data about threats around the world and we think this is instrumental for creating effective cyber insurance policies. Only the companies which are aware of emerging threats and different attack vectors will have the right information to assess the risk of their customers.
A global cyber insurer, for example, will be better prepared to deal with potential attacks only if they get data from several sources and use different intelligence gathering mechanisms and independent analyst teams.
This will enable insurance providers to identify the correlations between information coming from multiple sources: threats disseminated through email, ransomware spread through websites, spam distributed through cloud providers and bugs in applications exposing sensitive data to security risk.
This will empower them with the knowledge to define the right pricing models depending on the complexity of the existing cyber threats and a real understanding of how vulnerable their customers’ critical assets are to these threats.
The importance of best practices and industry standards
Using industry standards to assess risk and to guide IT governance efforts is critical to the success of cyber insurance strategies. Isaca’s Cobit 5 governance framework offers a strong set of guidelines for this, as do other industry standards such as the ISO 27000 series and the Nist Cybersecurity Framework.
We have to celebrate companies that are willing to protect and defend their employees, customer information, sensitive data, critical assets and intellectual property since, in the cyber era, this is of utmost importance for the safe sharing of information.
While this seems focused primarily on the technology implications, it is also true that we have to consider the impact of non-technical aspects such as ethics, behaviour, morals, skills and capabilities.
Cobit 5 offers particularly thorough guidelines in this area and it is quite interesting to see that cyber insurers are taking into account cyber risk implications resulting from the use of mobility and always-on connectivity for users, employees and customers.
It is instrumental for cyber insurance to embrace technology by asking the right people the right questions at the right time.
Some key questions include discovering how exposed we are in the digital arena and how we should adapt new technology to amplify the reach of businesses, while also understanding the perimeter of risk.
Experience and research show that risk has to be dealt with in one of four ways: transfer the risk, accept the risk, reject the risk, or treat the risk (with controls and counter measures).
There are times when organisations need to accept risk since it is inherent to life and to every business activity. There are times when risk needs to be addressed with policies, standards, guidelines, processes and technologies.
However, there is also a time to transfer some of the potential risk in advance and work with cyber insurers which, having assessed the organisation’s potential cyber risk exposure, are willing to compensate the business if such risk materialises.
Welcome to the era of cyber insurance.
Ramses Gallego is past international vice-president of the Isaca board of directors and strategist and evangelist in the office of the CTO at Symantec.