Proper Risk Assessment for Cyberinsurance by Natalie Lehr

20/07/2014 08:50

The introduction of cyberinsurance is tempered by the same legacy procedures that have defined insurance since long before cybersecurity existed.

It's a generally accepted truth that change is inevitable and adaptation a necessary requirement for progression. Yet, one of the most mature industries in the world is still struggling to address the new and evolving risks arising from our information-driven world. The introduction of cyberinsurance is a sign of progress, but in some circumstances it is tempered by the same legacy procedures that have defined insurance since long before cybersecurity existed.

With the economic impact of cyberrisk increasing exponentially, the cost of inaction and miscalculation could leave enterprises exposed to significant liabilities – and the opportunity cost to business is considerable. In the past year, there has been a lot of discussion among enterprises, security professionals and the media about the fundamental limitations of traditional cyberinsurance policies as an investment to restrain potential cyberlosses. For the insurance industry, many challenges arise from applying a legacy event-based methodology to measure complex and dynamic cyberthreats. At present, risk assessment in the cyberinsurance landscape is evincing real change in the industry.

Due diligence in the pre-binding phase

Cyberthreats are pervasive and sophisticated, requiring more than investments in the best firewalls, forensics and anti-virus solutions. In response, the process for quantifying risk is changing. This shift is rooted in an innovative approach that applies due diligence in the application phase, customizes your profile based on industry standards, and examines pre-binding risk based on holistic posture.

Natalie Lehr, TSC Advantage
Natalie Lehr, TSC Advantage

[Read what insurers are doing to expand cyber coverage]

For years, underwriters have relied on scant, pre-binding checklists that focus on sensors and controls, as well as previous security events, to decide whether or not a pre-insured receives a policy. But this is a flawed approach that insufficiently assesses the impact of all of the organization's investments in reducing its most significant risks. For instance, the checklists, often completed by non-security personnel, are static and may not take into account security measures beyond IT security.

This new due diligence approach for insurance involves a pre-binding assessment that reviews risk from a holistic standpoint to identify a pre-insured's comprehensive risk posture. For example, a holistic risk assessment will incorporate an organization's external business operations, including the security protocols of every partner, vendor and supplier in the pre-insured's network. Unlike a checklist review, a holistic assessment will also consider other threat vectors such as international travel, insider threat, mobility and many other domains across the organization that could impact the pre-insured's security. Engaged cybercultures and continuous improvements are recognized and measured.

As a consequence, this in-depth, comprehensive assessment provides both the insurer and the pre-insured with an accurate understanding of risk while delivering invaluable insight into potential security gaps. With this intelligence, organizations gain an opportunity to identify high-priority vulnerabilities before an incident occurs.

Due diligence in the post-binding phase

In addition to the pre-binding assessment, existing policyholders can derive benefit from periodic risk assessments that provide insight into new and evolving risk. This enables the insured organization to make better-informed decisions about the remediation of its high-priority risks. Cyberinsurance providers may require annual reassessments as part of a policy to help ensure that policyholders are proactively assessing and addressing vulnerabilities. This serves to reduce potential financial liability for the insurer and helps organizations prevent a cyberattack from occurring in the first place.

The insurance industry has long suffered from a negative reputation. This isn't surprising given the perception that odds are in the insurers' favor, but with cyberrisk, insurers are leading private innovation that rewards mature cybersecurity postures and resiliency. As business leaders recognize the pervasive nature of cyberthreats and accept that their organizations are more likely than not to suffer an attack, they are reconsidering their approach to risk management and realizing the importance of cyberinsurance as a method to not only offset risk, but also proactively reduce it. After all, it's in the best interests of both parties to do so.

In order for more organizations to put their trust in cyberinsurance, the market must continue to evolve to serve the needs of its clientele. The fact is one cannot accurately assess an organization's cyberthreat or security posture with a static checklist. By adopting an approach that moves due diligence to the forefront and incorporates holistic risk assessment, insurance providers are slowly but surely making progress while helping to protect U.S. business against cyberthreats.

About the author: Natalie Lehr is director of analytics at TSC Advantage. She also has experience in the government sector working on the identification, acquisition and development of critical information. In the commercial arena, Natalie led the development of innovative methods to acquire and analyze critical information to protect specific interests and high-value intellectual assets.