Increasingly, businesses are turning to cyber liability insurance to help manage cyber risks. A recent report from Allianz forecasts that cyber insurance premiums will grow from around $2 billion in 2015 to an estimated $20 billion or more by 2025. This growth undoubtedly presents a tremendous business opportunity for the industry. It also places carriers in a unique position to effect meaningful change. Through financial incentives, knowledge transfer and other means, carriers have an opportunity to actually change insureds’ behavior and thereby improve security and reduce the occurrence of cyber events.
So, how can carriers best help insureds improve cybersecurity?
The answer lies in helping insureds better understand the true drivers of cyber risks and providing them with the tools to manage those risks.
Most businesses today manage cyber risks primarily by investing in technology. The business implements a new firewall, new endpoint protection or whatever “mouse trap” the software or hardware vendors are hawking. This shouldn’t be surprising considering that corporate leaders are often too eager to delegate cyber risk management responsibility to their IT leadership, and IT falls back on what is familiar: technology.
The problem with this approach is that it’s a two-dimensional solution to a three-dimensional problem. History is littered with examples of companies that suffered data breaches even though they had best-in-class technology. J.P. Morgan, for instance, reportedly spent over $250 million a year on cybersecurity in 2014 when it suffered a massive data breach. (See, for example, New York Times Dealbook, “JPMorgan Chase Hacking Affects 76 Million Households,” Oct. 2, 2014.) This nonlinear relationship between investment in technology and cyber event prevention is not surprising to information security professionals who know that technology is not a panacea. No technology is 100 percent perfect, and we should not expect that it ever will be. Indeed, a “root cause analysis” of most data breaches points to organizational culture, governance and operational failures, not technical ones.
This is not to say that technology is irrelevant. It clearly is not. Indeed, IT risks deserve special attention. But all too often companies focus exclusively on technology solutions and ignore other key risk factors. It is critical for carriers to help insureds understand that IT is just one of several risks that require management. Nontechnical factors―such as organizational culture, security governance, business practices and user behavior―also are sources of information security vulnerabilities and need attention.
Dedicated Information Security Team
One of the most effective steps carriers can take to encourage positive cyber behavior is to ensure that insureds have a dedicated information security team—preferably one led by a chief information security officer (CISO) or chief security officer (CSO). Historically, the role of information security was often small enough to be handled entirely by a chief information officer (CIO). But by viewing information security as a mere subset of their responsibilities, CIOs not only failed to devote their full attention to it, they also failed to allocate the necessary quantity and quality of information security personnel.
In today’s perilous business environment, information security has become too vital and too specialized to be performed on a part-time basis. Mobile, cloud computing, big data, the Internet of Things—these business and IT trends have made communication faster and created incredible efficiencies. But behind those new technologies are often hundreds if not thousands of network devices and software applications. Simply keeping these systems up and running has become a massive undertaking.
Notwithstanding the compelling reasons to do so, a startling number of organizations do not have senior managers dedicated to information security. According to PwC’s “The Global State of Information Security Survey 2016,” only 54 percent of businesses have a chief information security officer or chief security officer in charge of their information security programs. The number of organizations with low-level managers devoted to information security is undoubtedly higher, but the fact that only half of all businesses have a CISO is troubling.
Why are there so few chief information security officers?
Part of the answer is underinvestment. Companies’ investment in cybersecurity personnel and technologies has not kept pace with increased cyber risks, though recent studies suggest this trend is shifting. There are also relatively few CISOs because of human capital shortages. Today’s information security job market is insanely competitive. Small and midsize businesses struggle to match the compensation offered by large enterprises.
The lack of CISOs also appears to be the result of resistance from other C-level executives. Threat Track Surveys from 2014 and 2015 report that “while enterprises are increasingly turning to CISOs to head their cybersecurity operations, about three-quarters of respondents overwhelmingly said they do not believe that CISOs deserve a seat at the table and should be part of an organization’s leadership team.” (This was the response from 74 percent of 200 C-level executives at U.S.-based enterprises across industries including finance, media, retail and healthcare in 2014; and 75 percent said this in 2015, according to Threat Track’s latest report, “CISO Role Still in Flux: Despite Small Gains, CISOs Face an Uphill Battle in the C-Suite.”) This attitude is short-sighted and dangerous.
There is tremendous value in having an individual or team focused exclusively on cybersecurity. Organizations with a CISO are more likely to have the governance, operational and technical controls necessary to reduce cyber risks.
Annual Security Risk Assessments
One consequence of the complex nature of the cybersecurity threat is that the particular digital risks an organization faces—and thus needs to manage—are unique and ever changing. The risks vary significantly depending on industry, organizational culture, business practices and IT infrastructure complexity. It is incumbent on each and every organization to gain as much insight into its digital risk profile as possible. Companies that have a deep understanding of their information security risks are unquestionably in a stronger position to effectively manage those risks and mitigate problems.
One important step that carriers can take to help insureds is to encourage them to annually perform an independent third-party security risk assessment. Risk assessments typically evaluate the security threats facing an organization, the vulnerabilities of an environment, the likelihood that a threat will be realized and the impact that a realized threat can cause.
Risk assessments provide organizations with the actionable intel they need to manage security risks. Security risk assessments―when done effectively―take a holistic approach that closely examines governance, operations and technology risk factors. Assessments that focus exclusively on the technical controls, or “checklist” audits that simply confirm whether a particular control exists, are less helpful to risk managers because they ignore key organizational issues that also create security risks.
For example, consider an organization that has a stringent password policy. The policy requires 16 characters, several special characters, and it must be changed every 60 days. On paper, it is a best-in-class security control. In practice, though, that policy may not be enforced throughout the enterprise. Perhaps senior management worries that frequent password changes may frustrate its sales team, which is on the road and up against tight deadlines. As a result, management grants the sales team a “special exemption.” In this hypothetical, the organization may “pass” an audit, which typically focuses simply on whether the control (i.e., password policy) exists. But the risk assessors would miss a great opportunity to observe how the organizational culture (in this case, one that picks convenience over security) creates a security vulnerability.
The cyber regulators also understand the importance of security risk assessments. Consider, for instance, the Security and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE). In September 2015, OCIE published the cybersecurity module that the agency uses to perform inspections. What’s striking about the OCIE cybersecurity module is the emphasis on nontechnical subject matters such as risk assessments.
Finally, carriers should also encourage their insureds to leverage a cybersecurity framework. There are a number of widely accepted security frameworks available, including the NIST, ISO, COBIT and the Center for Internet Security’s Critical Security Controls (CSCs). Cyber regulators are gradually viewing these frameworks as necessary conditions. California’s attorney general, for instance, has argued: “[The CSCs] identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” (https://oag.ca.gov/breachreport2016; emphasis added)
Part of the reason regulators are placing more and more emphasis on frameworks is that they provide a proven structure for cybersecurity risk management. Frameworks help insure that privacy and security requirements are met, and they provide a structure for audit and compliance programs. Frameworks also provide a way for a business to assess its cybersecurity strengths and weaknesses and to measure cybersecurity progress year over year. A business that is able to show that it actively manages cybersecurity risks―through constructs such as a cybersecurity framework―is in a much more defensible position.
Unique Position for Carriers
Whether they realize it or not, carriers are in a unique position to improve the cybersecurity of their insureds. Through financial incentives, knowledge transfer and other means, carriers have an opportunity to actually change insureds’ behavior. The interesting question now is: Will the carriers embrace this new opportunity? Only time will tell.