A common model and vocabulary can close the chasm between the cybersecurity and cyber insurance communities, but who’s in the best position to bring all the stakeholders together?
A recent paper describing the results of a recent survey conducted by SANS and Advisen identifies “conceptual gaps that often make it difficult for members of the cyber security and cyber insurance communities to find a common basis on which to develop reasonable standards of security and insurability.” Four critical gaps are called out by the author, Barbara Filkins:
The cybersecurity definition of risk is “the possibility of suffering harm or loss” and is based upon a commonly cited equation: risk = threat x vulnerability. Underwriters, on the other hand, define risk as “uncertainty arising from the possible occurrence of given events,” and they consider risk as a tool to gauge the probability of those events that lead to losses and gains.
Strive to achieve a common understanding of cyber risk and the language used to express key concepts among cybersecurity teams, corporate risk managers, insurance brokers, and cyber insurance underwriters.
“The first step in closing this gap must be to establish a common terminology that allows the two communities’ various stakeholders to communicate clearly and accurately about their expectations and actions, especially as they relate to possible regulatory and legal actions.”
Different organizations use different assessment frameworks. Some favor qualitative assessments while others favor quantitative evaluations. In general, cybersecurity organizations tend to use qualitative assessments “where risk is measured against a relative scale (high/medium/low) to determine the probability of a threat exploiting a vulnerability.” Underwriters typically prefer quantitative assessments, which allow “a financial value to be assigned to loss associated with vulnerability.”
Create a common qualitative framework for evaluating and monitoring cyber maturity, expressing the results in well understood and well documented metrics that enable underwriters to use them in specifying reasons for cyber insurance rejection. “Well-known examples of frameworks include NIST SP 800-53, FISMA, CIS Critical Security Controls, COBIT, ISO 27000 and HIPAA. All of these address the need for risk assessment and management.”
“The absence of common cyber security standards, best practices and metrics is cited as a barrier to a robust cyber insurance market. Members of the InfoSec and insurance industries would benefit from a common framework that supports understanding, realistic modeling, and justifiable and affordable actions.”
The survey reveals that (1) boards aren’t necessarily attuned to security issues; (2) CISOs and risk managers often communicate poorly, making decisions that could be improved with the input of the other; and (3) CISOs are often unaware of what cyber insurance actually covers, and are only infrequently involved in making cyber insurance decisions.
A significant communication gap also exists between brokers and underwriters. “Research from Advisen shows that insurance brokers are frustrated by divergent and sometimes conflicting expectations from underwriters, due to the market’s rapid state of flux and a wide variation in understanding of the criteria to be used to assessing an organization’s cyber risk posture.”
Solving the lack of communication between and among boards, CISOs, risk managers, brokers, and underwriters will require adopting a standardized way to describe the maturity of an organization. It must include qualitative measures that can be incorporated into metrics-based evaluations, and it has to be built around a flexible yet consistent model that encompasses RMF, ISO, and other frameworks.
“Each cyber insurer tends to use different policy language. Two different insurers may think they are covering the same risk, but they may not be because they use different words to describe the risk. As relatively few claims have been made against cyber insurance, we know very little about how the actual interpretation of the words affects the recovery of loss. But we do know that differences in expectations and interpretations between insurers and customers inevitably lead to disputes and litigation.”
Underwriter Reasons for Rejection

| Reason for Rejection | % Response |
| --- | --- |
| Inadequate cyber security testing procedures and audits | 44.7% |
| Inadequate processes to stay current on new releases and patches | 40.4% |
| Inadequate cyber incident response plan | 38.3% |
| Inadequate backup processes and recovery | 34.0% |
| Structure, size and configuration of network | 31.9% |
| Inadequate policies concerning the security of vendors and business partners | 31.9% |
| Quality of security software | 25.5% |
| Quality of employee training on security issues | 23.4% |
| Lack of adherence to a published security standard (e.g., ISO 27000) | 17% |
| Lack of CISO or similar role | 14.9% |
| Inadequate security score provided by third-party service | 14.9% |
| Other | 14.9% |
| Physical security of data center | 8.5% |
“Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey” SANS Infosec Reading Room, June 2016, p. 10
Another chasm separates cybersecurity professionals from underwriters, even though both are interested in high-ROI investments. CISOs make investments that they believe will make their organization more insurable, but those investments are not the things underwriters value, so they don’t seem to affect insurability. The survey results suggest that underwriters are comfortable being active in industries with which they are most familiar, while they more often reject applications from companies in unfamiliar sectors.
Underwriters must become more transparent in explaining the reasons for rejection. The cybersecurity community needs to understand what underwriters are seeking, and it can’t learn that without being able to understand the criteria underwriters use in their evaluation processes.
“The need for a common language is echoed by both the Advisen Broker and Underwriter surveys. The insurance industry sees room for improvement in communicating with InfoSec professionals about cyber risk. Only 19% of brokers and 30% of underwriters said there is a common language of cyber risk.”
Who’ll Be the Gap Closer?
Given these four interrelated gaps, where can we look for leadership to move all the stakeholders forward? Let’s evaluate the candidates, each of whom is a major player in the future of cyber insurance: the risk manager, the CISO, the underwriter, and the broker.
The Risk Manager wants a better understanding of cyber risk, but he/she may not have the technical background needed to lead a move to close the gaps. Likewise, while the CISO shares concerns about risk along with risk managers, his/her knowledge of cyber insurance isn’t strong enough to bring all the stakeholders together. The Underwriter is in a powerful position but may have little motivation to change the status quo, preferring instead to wait for a solution to emerge.
The Broker lives at the nexus of all these communication gaps and is the most affected by them, acting as market maker and incentivized to find solutions for his/her client. The Broker maintains relationships with most key stakeholders, including board members, executives, risk managers, and underwriters, working with all of them to reach alignment on a common understanding of risk so that an opportunity leads to a transaction.
What steps could a broker take to become the gap closer?
- Learn more about assessment frameworks. Understand which is structured best to create both qualitative and quantitative measures that will be understandable to all affected parties.
- Find and promote strategic partners that will contribute cybersecurity expertise and help identify and build effective cybersecurity standards, best practices, and metrics.
- Introduce innovative offerings that incorporate well-accepted standards and practices into the process of selling and preparing for discussions with underwriters.