CISOs and cyber security leaders have long struggled to gain a voice in the boardroom. Shut out of leadership meetings and strategic decision-making, IT security has often been seen as little more than a compliance-driven, check-the-box initiative that requires minimal continuous effort to maintain. Some CISOs simply serve as scapegoats, accepting blame when breaches occur and ignored when the horizon is clear.
But after years of feeling disregarded, under-appreciated and over-stressed, it seems as though this concern is finally being addressed. With increased media and consumer attention turned toward data and privacy protection, more and more companies are making strategic investments in tools and technology to protect their network infrastructure, making the security industry an approximately $80 Billion market by 2015.
In fact, a recent Ponemon study indicated that 76% of respondents who experienced a breach rated the risk of damage from a cyber event as greater to or equal to fire and natural disaster! In addition to technology solutions, organizations are also looking toward options that can help offset the risks of conducting business in today’s interconnected world.
According to Advisen’s 2013 Buyer Penetration Index, purchases of cyber insurance have increased fivefold since 2006, demonstrating that organizations are beginning to devote more resources toward transferring cyber risk. Kirstin Simonson, underwriting director for Travelers Global Technology, estimates that in 2014, US premiums will reach roughly $1 billion. Many organizations now seek large policies that can help cover expenses related to forensic investigations, system down time, crisis management, customer relationship management, legal fees and more.
This growth is attributed in large part to several years of record-breaking breach events: Sony, TJX, Target, Home Depot, JP Morgan Chase, etc. Ponemon recently revealed that 31% of large US organizations currently have cyber insurance policies, while another 39% plan to purchase a cyber insurance policy within the next year. Following the major data breach that impacted Target in late 2013, it was estimated that close to 75% of the initial expenses were covered by cyber insurance policies. Logically, other companies, both within the retail industry and outside, now recognize that they too are at risk and are seeking extensive coverage as well.
Enterprises have a long history of transferring risk in order to minimize the damage caused in a catastrophic event. For example, businesses have used insurance to protect themselves against a host of problems, stemming from legal issues tied to executive misbehavior (D&O policies), all the way to supply chain interruptions caused by a political threat (political risk insurance). It has been good business practice to insure against the issues that are most important to the livelihood of the business. The explosion of interest in cyber insurance could be considered a sign that corporate boards and executives are finally paying attention to this topic. So, why aren’t more security teams happy about this change of pace?
Even though insurance underwriters are some of the best in the business when it comes to assessing and identifying risk, when dealing with cyber risk, measurement is seen as a gray space that has left security practitioners with a bad taste in their mouths. Point in time tests, control-based audits and broad questionnaires conducted by non-security experts can only go so far in measuring the likelihood of a major cyber event, or in understanding how prepared the organization is to face such a threat. These assessments often fail to measure how effective organizations are implementing security measures.
Infosec pros know that security posture can change at the flip of a switch, and insuring against cyber risk does little to change the behaviors in a company to actually foster better security performance. Because of this, some in the infosec community see cyber insurance simply as a paper shield and fear that broader adoption will not lead to the investments in technology, staffing and resources that are necessary to properly protect a network infrastructure.
However, many still see hope that insurance can and will be an effective tool in battling cyber risk. The industry is undergoing rapid change, spurred by technological advancements, which are enhancing the underwriting process significantly. Aided by the big data explosion, it is easier than ever for underwriters to access objective, data-driven metrics that provide continuous insight into the behaviors and performance of a network.
Performance ratings, based on security outcomes rather than controls, can assess how effective an organization is at securing their data. By analyzing evidence of compromise, as indicated by malicious behavior emanating from the network, and looking at configuration status of network certificates for SSL, DKIM, DNS and more, insurers can use ratings to determine the level of risk present in a company.
Furthermore, applying these ratings across an industry allows users to understand how performance varies from sector to sector and whether or not a company is performing adequately against its peers. Perhaps most valuable, and where assessments miss the point, performance ratings provide insight into why two companies with similar security implementations can vary so widely in effectiveness, and provide the insight to allow companies to effectively improve their performance.
Security performance ratings also allow insurers to offer an additional value to organizations. Rather than simply underwrite the risk and walk away until it’s time to renew the policy, insurers are now, in some sense, an extension of the security team. When performance is monitored on a continuous basis, both parties must ensure that a breach be avoided. Alerts to changes in performance can spark a conversation between the insured and underwriter, prompting investigation and remediation of emerging risks, hopefully before a loss event occurs. This, in turn, serves to help make organizations more secure, and debunks the criticism that cyber insurance fails to improve security effectiveness.
Performance ratings also bring a higher level of transparency to the underwriting process, and shed light on security practices inside other organizations, especially when a breach occurs. Business leaders and regulators have long championed for security transparency and faster, more comprehensive breach disclosure laws. As a result, the government is pushing for improved standards for cyber security, and sees cyber insurance as a possible means of achieving mass adoption of those standards.
In the recently updated NIST guidelines, the White House has begun pushing for greater participation from insurance companies in helping to define the framework of security best practices. In this light, insurance companies serve as an objective third party capable of evaluating technologies, policies and controls to help companies implement more effective strategies. Security performance ratings offer another tool to bring such standards to light.
It is clear that cyber insurance alone won’t make a company more secure, but underwriting practices enhanced by the continuous insights that security performance ratings provide certainly offer a step in the right direction. The ability to benchmark performance factors against other companies and industries creates a level of transparency and situational awareness that can only make us more effective. When CISOs are able to bring these metrics to the board and participate in data-driven, risk based decision-making, security teams will finally get the recognition they deserve. Cyber insurance is not the key to the boardroom, but its growing presence as a topic of discussion may surely be the invite security leaders have been waiting for.