Moving cyber risk insurance to continuous monitoring

Do you have a firewall, Y/N?

That’s a real question I answered on a cyber insurance questionnaire, and it’s terrible for a number of reasons. First, it’s vague. Where do I have firewalls deployed? On my hundreds of workstations, between my cloud apps and the Internet, internally? Second, it is oversimplified to the point of being worthless for defining my actual risk. Cyber risk insurers need better ways to capture quality data in order to effectively price, sell, and manage cyber policy risks; the insureds can also benefit from this data to improve their cybersecurity posture.

Current tools are outdated

The overly simplistic yes/no question arrived in my inbox as an attachment. The document had progressed from our Ops Lead->Senior Engineer->Me (Head of Cybersecurity), and in that labyrinthine flow we populated a document that was a waste of time for both us and our prospective insurer. Here’s where things went wrong:

  1. The Ops lead filled out as many questions as he could, including some he guessed at. Not all his guesses were right, and it’s unlikely anybody would catch them since there was no review process. 
  2. The lead engineer added technical responses and answered “No” on the firewall question. The company was not, in fact, leaving data exposed. From her very left-brained perspective, though, it was technically correct.
  3. On to me, for answers regarding security and compliance. Luckily, I caught the incorrect firewall response and answered it correctly. Well, almost correctly. 

Why “almost correctly”? The engineer was technically right – we didn’t use firewalls. We used Security Groups, an AWS-specific implementation of network access control that is similar to a firewall but distinctly different: a Security Group is a stateful, allow-only set of rules attached to a network interface, with no deny rules and no notion of a perimeter device. By forcing me to think creatively and answer the spirit of the question rather than the letter, our prospective insurer increased the friction of the interaction and almost ended up with junk data as well.
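What the questionnaire should have asked for is the actual rule set, which can be checked by a script instead of guessed at by three people passing a document around. The following is an added example, not code from the original article: it takes the JSON shape returned by `aws ec2 describe-security-groups`, flags every ingress rule reachable from the whole Internet (0.0.0.0/0 or ::/0), and classifies each as accepted (a public web port) or high (anything else). The sample input, the group IDs and names, and the "only 80 and 443 may be world-open" policy are all constructed for illustration.

```python
"""Audit AWS Security Group ingress for world-open exposure.

Added example (not from the original article). Parses the JSON shape that
`aws ec2 describe-security-groups --output json` produces and turns
"Do you have a firewall, Y/N?" into a measured, repeatable answer.
"""
import json

# Constructed sample shaped like `describe-security-groups` output; the
# group IDs, names and rules are invented for this example.
SAMPLE_DESCRIBE_SGS = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-public",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-internal",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
              "IpRanges": [], "Ipv6Ranges": [],
              # Only reachable from the web tier's group, not from a CIDR.
              "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]}]},
        {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-wide-open",
         "IpPermissions": [
             # IpProtocol "-1" means all protocols and all ports; AWS omits
             # FromPort/ToPort for such rules.
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    ]
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Policy assumption for this example: only these ports may be world-open.
ALLOWED_PUBLIC_PORTS = {80, 443}


def _port_range(perm):
    """Resolve a rule to an inclusive (low, high) port range."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_rules(describe_json):
    """Return one finding per ingress rule that admits traffic from anywhere."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not WORLD_CIDRS.intersection(cidrs):
                continue  # group-to-group or private-CIDR rule: not world-open
            lo, hi = _port_range(perm)
            exposed = set(range(lo, hi + 1)) - ALLOWED_PUBLIC_PORTS
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg["GroupName"],
                "protocol": "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"],
                "from_port": lo,
                "to_port": hi,
                "severity": "high" if exposed else "accepted",
            })
    return findings


def summarize(describe_json):
    """Roll the findings up into the numbers an underwriter could actually use."""
    findings = world_open_rules(describe_json)
    groups = json.loads(describe_json)["SecurityGroups"]
    return {
        "groups": len(groups),
        "world_open_rules": len(findings),
        "high": sum(1 for f in findings if f["severity"] == "high"),
        "high_groups": sorted({f["group_name"] for f in findings
                               if f["severity"] == "high"}),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_DESCRIBE_SGS), indent=2))
```

Run against real data by feeding the output of `aws ec2 describe-security-groups --output json` to `summarize` instead of the constructed sample; scheduled daily, the `high` count is exactly the kind of continuously gathered signal this article argues insurers should be collecting, and it answers the firewall question far more precisely than a Y/N ever could.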

Illuminating the Black Box of Cyber Risk

Insurance is the biggest quantitative risk management activity ever performed, but cyber risk insurance is effectively a black box because necessary data doesn't exist yet, and expertise is hard to come by. How can insurers better comprehend the risks they’re assuming (and share that data with insureds)? Cyber risk insurance demands a novel approach. 

The cybersecurity profession, whose ultimate goal is cyber risk mitigation, shifted from point-in-time risk snapshots (via audits) to a continuous monitoring paradigm which aims to provide real-time risk visibility. The goal is simple: the ever-changing cyber risk landscape demands more timely countermeasures. 

Insurers need to adopt a similar approach, because the nature of risk they're assuming is highly dynamic. This needs to start with more robust data gathering - yes/no questions and hardcopy applications simply don’t cut it. Some key activities to actualize this approach include:

  • Visibility: Get into the risk monitoring game, and leverage that data rather than sending out questionnaires. Partner with risk management firms who provide cyber risk monitoring such as Managed Security Service Providers (MSSPs) and measurement firms (I won't name names, but security scores are increasingly available). Build a big data strategy to identify risk trends, and provide alerts and actionable intelligence to insureds to help them proactively mitigate risk.
  • Prevention: Provide value-added risk assessment and mitigation services. Many businesses struggle to understand cyber risk and how to address it, so consulting services and part-time staff augmentation via trusted partner networks benefit both insureds and carriers. A large insurance company can more easily pay a cyber professional's salary and allow all insureds to share that knowledge, and that salary will be less than the cost of a cyber claim.
  • Develop: Participate in risk forums such as Cloud Security Alliance (CSA) and various industry-specific Information Sharing and Analysis Centers (ISACs). Contribute to the formation of objective risk standards for cyber, as well as the tools & processes needed to implement these.

There are no easy solutions to this problem, but two things are clear: we can't wait for the historical data to be generated, and current tools are inadequate. The nature and volume of cyber attacks is not going to decrease. This means static risk assessments are outmoded and inadequate for insurers, and there is significant value for insureds in surfacing actionable intelligence from risk data gathered via a continuous monitoring strategy.
