BreachExchange mailing list archives

Cyber Insurance Primer For Insurers & The Insured

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 Oct 2015 18:28:13 -0600

http://www.databreachtoday.com/blogs/cyber-insurance-primer-for-insurers-insured-p-1946

Insurance is the refuge we seek when wanting to transfer value at risk.
Over the years, the insurance industry has held steady, accepting
conventional or extraordinarily non-conventional risks, successfully facing
challenges of settling large or small claims and ferreting out fraud and
scams.

After the wealth of experiences over the decades, one would imagine the
insurance industry would be well equipped to measure cost of risk in all
situations. Except that no one was expecting virtual life and things in a
virtual space to step out of science fiction into the realm of reality,
which is what has happened over the past two decades. The advent of the
internet has changed life as we know it. While the definition of risk may
remain the same, its perception and presence have changed.

Insuring the Virtual

Moving from insuring in the tangible world to the virtual is not easy. But
the nascent cyber-insurance domain has demonstrated some successes. Its
short history has been choppy, per reports and according to industry
leaders and analysts. It is a product waiting to be accepted by individuals
and enterprises, and progress has been tardy. I feel this is due to the
slow pace of movement in insurance circles, while the experts take time to
understand the risk, reward and implications of selling cyber insurance.

Cyber Insurance has inbuilt quirks that must be addressed by the insurer
and the insured, so that the domain matures without the baggage of mistrust
and acrimonious litigation. The risk of such an outcome is high since all
these quirks are in the realm of individual perception. For example, an
enterprise may consider itself secure, having all the controls in place,
but it may not pass an audit directed by the insurer, who may find
numerous exclusions in its insurance cover. Conversely, the insurer may
not be qualified to conduct an audit while selling the cover, or while
examining a claim.

Let's take a look at some ground rules and realities when buying or selling
cyber insurance.

For the Insurer

The insurer has a challenge in hand, as it is necessary to ascertain the
level of protection enabled by the enterprise. Being certified to an
industry standard or being compliant with an industry framework is no
assurance of having adequate protection of assets in place. Neither can one
claim to be secure if one has "air gapped" networks or has deployed the
crème-de-la-crème of firewalls, IDS/IPS/UTMs worth millions.

To begin with, insurers must establish their own security benchmarks
because the existing ones will just not suffice. Personally, I believe
that, in time, the benchmarks and framework set by insurance companies may
become the gold standard. The need is standardization of the ISMS and the
control diligence that goes with it. Present standards are not
prescriptive, and control effectiveness (or design) is adjudged by the
implementer and certified. Standards such as ISO27001 provide guidance, and
that's where their responsibility ends - this is not going to be sufficient
for an insurer to place a million-dollar bet.

The solution will be in the design of a new framework drawing on the
strengths of standards / frameworks / regulations like ISO27001, PCI, NIST,
HIPAA, SSAE16, FISMA, etc. The solution has to prescribe a standard method
for compliance, priority and periodicity of audit and testing. Insurers
will have to ensure the inclusion of awareness, maturity assessments and
more.

While this may take care of addressing a quantum of risk at the time of
issuing the cover, the insurer will also have to seek guidance to define
internal practices and create skills for evaluation of claims, mid-term
assessments and training (internal and external). The insurers will have to
cater for the dynamic nature of the cybersecurity landscape, where the
"experts" age by a decade every 365 days.

For the Insured

At the other end of the spectrum are the insured, who seek to transfer
risk. A few good-to-remember pointers are: first and foremost to enable
automation of security management, audit and risk management functions in
the organization. This will help internal visibility on the maturity and
control of the ISMS and allow effective management in all areas. The
insured must remember that just an ISO certification cannot justifiably
demonstrate that the business environment is well protected.

In the unfortunate event of a claim, the insured will have to demonstrate
that everything was done to keep the information systems secure. Alas, any
CISO or C-Level manager or IS professional knows this is easier said than
done. Information security management is a qualitative domain, and it is
one auditor's understanding against another's. A certification body may
have awarded the certificate, but will the other body accept that same
audit report in toto?

As mentioned earlier, cyber insurance is as yet a nascent practice and has
to be approached carefully by both parties. Experiences in the western
world have already burned insurers such as Lloyds, and we have also heard
of re-insurers advising caution or capping their exposure in
cyber-insurance.

All said, cyber insurance is here to stay, and a solution will soon have to
be found - whether it is by way of a new standard or framework, some
accredited GRC management systems, periodic audits by insurers, accredited
auditors and more. And it will also need a re-look at risk assessment and
valuation due to the inclusion of intangible assets, cross border issues,
multiple regulatory liabilities, lack of definitive evidence etc. These are
issues that plague the information security domain and will surely be a
bugbear for the insurance industry's foray into cyberspace as well.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/