“As a Managed Security Service Provider (MSSP), we talk a lot about cyber security, but I’d like people to start thinking about a new term: cyber resilience,” says Stephen Jones, Vice President of Cybersecurity at Dataprise.
The pillars of cyber resiliency are cyber security, incident response, business continuity and disaster recovery. Cybersecurity tools and expertise alone are not enough to withstand and respond to cyber threats; you also need to understand the worst-case scenario for your business.
What is cyber insurance, how does it work, and why do you need it?
Andres Franzetti, CEO of Risk Cooperative, notes, “There’s been a revolution from both cyber security MSSPs and cyber insurance toward this idea of cyber resilience.” Most of what cyber insurance underwriters look for falls into the same four categories that make up your cyber resilience.
At its core, cyber insurance is the ability to transfer the financial risk from the organization to the insurance carrier through policies that can provide a whole host of coverages and areas of support that fit under the cyber resiliency umbrella.
It’s important to know what you should be looking for in a cyber insurance policy, because as ‘cyber’ has grown as both a threat and business opportunity, the insurance options have expanded as well, and they’re not all created equal.
Bundled policies with a cyber component that lack the full scope of services you need to build cyber resiliency are red flags. Standalone policies are more robust, with the option to add facets and coverages that address coverage gaps, such as remediation costs, first- and third-party liability for data or privacy breaches, and response capabilities to resume operations. Other coverages may include business interruption, reputational harm, extortion or ransomware – risks that not all policies cover.
Jones says, “The vast majority of people really only think of cyber as a breach response mechanism, when there’s really so much more breadth and depth to cyber insurance policies.”
In a world where everyone has a smartphone and a laptop, cyber risk is unavoidable. The question every organization should ask, Franzetti says, is: “Does my business have the cash on hand to take on the cost of the cyber response and recovery myself, or should I transfer that risk to the insurers? Insurance is just the more cost-effective option by putting a fixed price on the uncertainty, with recovery resources built into the policy to ensure that you can access them when you need them most.”
Coming to an Equilibrium
“Most cyber insurance policies are purchased by large, complex organizations and the smaller, mid-market firms that make up so much of our economic development have not taken up cyber coverage, leading to disproportionate losses for underwriters. But it’s begun to level off as the underwriters have worked to adjust to the cyber landscape and tightened requirements for coverage,” Franzetti explains.
Jones notes, “The cyber insurance industry has done more over the last few years to incentivize good cyber hygiene than anything else, as they get increasingly granular in their evaluation of security standards. It’s been a positive trend.”
As insurers refine their underwriting assessments, they often conduct proactive penetration testing of applicants and, unfortunately, the results sometimes include inaccurate findings that still feed into the risk assessment and pricing.
When a firm has a strong relationship with an MSSP that provides core security services, the MSSP helps ensure the firm is operating at the highest level of cyber security possible. The MSSP will also hold data about the firm’s security posture that can counter those ‘false positives’ and establish eligibility for top-tier coverage and pricing.
New Horizons: Evolving Cyber Risk for 2024 and Beyond
Cyber risk requires that mitigation efforts continually evolve as new frontiers like AI become more prevalent. While money, through ransomware and extortion, has been a key driver of cyber crime, the next evolution is more focused on disruption. So, what new threats are on the horizon?
Supply chain risk remains critical. Training and education are still necessary to counter complacency and human error, and legacy systems create vulnerabilities for the broader system, particularly in healthcare.
Artificial Intelligence is poised to become a real factor in the near future, particularly by sowing panic and geopolitical risk through deepfakes and misinformation.
Nation-state sponsored cyber attacks create mass disruption – the 4th dimension of war – as the impact of attacks on critical infrastructure in U.S. cities and Ukraine has shown. Unfortunately, organizations become collateral damage in these scenarios, and cyber coverage can help fund the response and recovery needed to get businesses back online. As insurers anticipate this trend, they are placing limitations on payouts for losses attributed to cyber warfare.
Machine learning is in its infancy, but has the potential to enable attack optimization, with coordinated multiprong attacks that can overwhelm an organization.
As quantum computing matures over the next 5-10 years, so will the potential threat to data encryption and security.
These technologies will be the new frontier as cyber crime evolves, and risks we need to take seriously. To combat them, security providers are working on new approaches to cyber risk.
Zero trust is a concept that has become a buzzword over the last few years. While the current cyber strategy assumes users, devices, and files that exist in the network are legitimate, zero trust requires additional, repeated authentication, limited access to resources, and auditing or review of all activity through a multi-step verification process that occurs constantly behind the scenes. It also has the capability to challenge user actions and access when behavior or patterns don’t align with expectations. This is likely the next level of security underwriters will require for insurance eligibility in the next 3-5 years.
Biometric authentication uses facial identification or fingerprints to control access to devices and reduce cyber risk. It may be expanded to other types of physiological or behavioral identifiers, like gait recognition or retinal scans, and used as a component of multi-factor authentication.
Risk assessments help build cyber resiliency by continually monitoring the organization’s cyber health as fast-moving threats emerge. Close collaboration between organizations, MSSPs, brokers, and carriers creates an environment that mitigates risk for insurers while rewarding organizations with better pricing and coverage for maintaining good cyber hygiene.
Conclusion
While many business insurance policies, like business owners’ or liability policies, have an endorsement for cyber coverage, these do not have the full scope of services you need to build cyber resiliency. Franzetti cautions, “It’s critical to analyze your insurance and your business, because the interconnectedness and evolution of cyber means that new gaps and new threats require regular reviews and updates to your cybersecurity policies.”