Cyber Risk Assessment: A challenge for the insurance sector

Cyberattacks such as NotPetya or WannaCry, and individual incidents such as the Equifax data breach in September 2017 or the cyberattack that cost the US pharmaceutical company Merck 260 million dollars, have led companies of every size to consider contracting cyber-risk insurance as a measure to mitigate the economic losses caused by a cyber incident.

The need for cyber insurance

The threat posed by cyber risk is as real as the physical threats to a company's tangible assets. It is therefore understandable that companies consider transferring the risk they cannot control, for example by taking out cyber insurance.

Cyber and technological risk assessment

Estimating both technological risk, which affects the continuity of business processes, and cyber risk, which relates to intangible aspects of a company such as its reputation or its users' data, is not an easy task.

Traditionally, insurance companies calculate policy premiums from mathematical models based on historical data. For cyber risk, the lack of historical data on incidents, their impact and the attack vector exploited is evident: the field is very young, with relatively little recorded data, and this is aggravated by the business sector's reluctance to report and share data on incidents and threats.

IT security auditors face the same difficulty in risk assessment, although in a different way. Traditionally, and in general terms, risk is calculated with the following formula:

risk = probability x potential loss

The resulting value is a snapshot of risk, which does not fit the changing and unpredictable nature of the threats found in cyberspace. Risk assessment is therefore evolving towards dynamic risk analysis (DRA) and dynamic risk management (DRM) methodologies, whose objective is to reassess security risk as the situation changes so that the organisation can act more agilely, without having to repeat the entire risk management process each time.
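As an added example (not code from the original article, nor a published DRA method), the Python below scores a few constructed scenarios with the static formula above and with a simple dynamic variant in which recently observed threat signals raise or lower the probability and then fade with time. The scenarios, signal kinds, multipliers and the 90-day decay window are all assumed values chosen for illustration.

```python
"""Static vs. dynamic risk scoring.

Added illustration, not code from the article. Scenarios, signal kinds,
multipliers and the decay window are assumed values chosen for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # assumed likelihood per year, 0..1
    potential_loss: float      # assumed loss per incident, in EUR


@dataclass(frozen=True)
class Signal:
    kind: str            # key into SIGNAL_MULTIPLIERS
    day: int             # day observed; 0 is the day of the original assessment
    decays: bool = True  # False for lasting changes such as a deployed patch


# Assumed multipliers on probability: >1 raises likelihood, <1 lowers it.
SIGNAL_MULTIPLIERS = {
    "public_exploit": 4.0,       # exploit code for a flaw we carry is public
    "active_exploitation": 2.0,  # the flaw is being exploited in the wild
    "internet_exposed": 1.5,     # the affected service is reachable externally
    "patched": 0.2,              # the flaw has been remediated
}

# Assumed: a decaying signal's effect fades linearly back to a multiplier of
# 1.0 over this many days, so stale intelligence stops dominating the score.
DECAY_WINDOW_DAYS = 90


def static_risk(s: Scenario) -> float:
    """The textbook snapshot: risk = probability x potential loss."""
    return s.annual_probability * s.potential_loss


def effective_multiplier(sig: Signal, today: int) -> float:
    """Multiplier for one signal as of `today`, weakened by its age."""
    age = today - sig.day
    if age < 0:
        return 1.0  # not yet observed on that day, so no effect
    base = SIGNAL_MULTIPLIERS[sig.kind]
    remaining = 1.0 if not sig.decays else max(0.0, 1.0 - age / DECAY_WINDOW_DAYS)
    return 1.0 + (base - 1.0) * remaining


def dynamic_probability(s: Scenario, signals: list, today: int) -> float:
    """Re-estimate the yearly probability from the signals seen so far."""
    p = s.annual_probability
    for sig in signals:
        p *= effective_multiplier(sig, today)
    return min(p, 1.0)  # a probability cannot exceed certainty


def dynamic_risk(s: Scenario, signals: list, today: int) -> float:
    return dynamic_probability(s, signals, today) * s.potential_loss


def risk_register(scenarios, signals_by_name, today):
    """(name, static, dynamic) per scenario, worst dynamic risk first."""
    rows = []
    for s in scenarios:
        sigs = signals_by_name.get(s.name, [])
        rows.append((s.name, static_risk(s), dynamic_risk(s, sigs, today)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample input (assumed figures, for illustration only).
SCENARIOS = [
    Scenario("ransomware on file servers", 0.05, 400_000.0),
    Scenario("customer data breach", 0.10, 250_000.0),
    Scenario("DDoS on web shop", 0.30, 20_000.0),
]
SIGNALS = {
    "ransomware on file servers": [
        Signal("public_exploit", day=0),
        Signal("internet_exposed", day=0),
    ],
    "customer data breach": [Signal("patched", day=5, decays=False)],
}

if __name__ == "__main__":
    for today in (0, 45, 90):
        print(f"--- day {today} ---")
        for name, st, dy in risk_register(SCENARIOS, SIGNALS, today):
            print(f"{name:30s} static={st:10,.0f}  dynamic={dy:10,.0f}")
```

Run as is, the register shows the point of the passage: the static column never moves, while the dynamic column puts the ransomware scenario six times higher on day 0 than the snapshot, lets it settle back as the exploit news ages, and lets the patched breach scenario drop below the DDoS scenario for good. The multipliers are deliberately crude; what matters is that the score is recomputed from fresh inputs rather than frozen at assessment time.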

Insurers' position

To face the challenge of risk assessment, we find different approaches within the insurance sector. The proposals are aimed mainly at the needs of large companies, but many of them also try to address SMEs, since these make up the majority of the Spanish business fabric and are also directly affected.

The most basic way to assess risk is a questionnaire on security measures or good practices. Other insurers go further and impose a series of requirements, among which you can find the following:

  • To have anti-ransomware protection capable of stopping an attack
  • To have a backup policy
  • To have passed an external security audit
  • To have audited adoption of a good security practices framework based on internationally recognised management models

Some insurers even offer discounts depending on the customer's information security maturity level.

In short, the customer must be able to demonstrate that it takes a set of minimum measures to prevent security incidents, and therefore reduces the risk of suffering them.

Proving the security level

Leet Security's cybersecurity rating can help both organisations and insurers assess cyber risk during the process of contracting a policy, for several reasons:

  • It diagnoses the cybersecurity capabilities of the services or business processes.
  • It guarantees the maturity level over time, in step with the dynamism of current threats, through periodic reviews.
  • It accredits the organisation's cybersecurity maturity level to third parties (for example, insurance companies) through an independent evaluation and an objective scale that maps to specific requirements.
  • It accredits compliance with different standards and regulations (ISO 27000, NIST 800-53, ENS, PCI) in a single process.


All you need is LEET
