Insurers have been blindly moving to expand access and coverage in cyber insurance despite their inability to confidently assess and quantify holistic cyber risk. Visibility of the exposure remains poor, and overstated modeling capabilities have brought unjustified confidence and misleading precision to materials presented to internal underwriting, risk management, auditors and clients.
Cybersecurity is an adversarial challenge—with victims subject to opportunistic and strategic targeting and constantly changing techniques and tactics. As a result, it is nearly impossible to understand the extent of exposure in such a dynamic risk landscape. The current evaluation methods, questionnaires and external scanning are simply inadequate, and the insurance community has embraced false precision in models built upon such limited datasets. This misguided confidence stems from teams and tools that are not focused on actual security methods.
Cyber telematics proactively address potential security issues before they become actual problems. Simply put, since things change quickly, they should be observed often. Once visibility is attained, then response actions and processes can occur. At a more mature stage, telematics support continuous control monitoring and validation and provide actionable intelligence to core business operations. Cyber telematics promise a quantitative risk-based approach to risk assessment that enables accurate underwriting and pricing insight into how an exposure may change over time. This approach is paramount to establishing and maintaining ground truth.
The structure inside of the shell is more important than the surface scan. External scanning is a component, but it is an insufficient indicator of potential exposure and does not provide the complete picture. Modern network architectures have made this even more true over the past five years.
The outside-in techniques utilize the broken windows theory of security. While useful, there are still flaws. Vulnerability management scans are mostly limited to cyber hygiene issues, such as patching, and while security ratings supply valuable signals, they say little about what’s really going on inside. Real attackers chain together exploitable vulnerabilities with privileges in the network. This means thinking about how to move across the network—like Chutes and Ladders—to reach your objective. Simply scanning and looking at lists misses the key part—the graph of what is connected together. The connections in the graph and not the items in the list are the most important part.
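The difference between the list and the graph is easy to show in code. The following is an added illustration, not from the article: a constructed inventory in which a list-based scan reports per-host findings, while a small graph of trust and credential relationships (the "chutes and ladders") reveals which hosts actually sit on a path to a critical asset and which ones are the choke points worth hardening first. All host names, findings and relationships are invented sample data.

```python
from collections import deque

# Constructed inventory (sample data, not from the article). FINDINGS is what a
# list-based scan reports per host; EDGES are the trust and credential
# relationships between hosts that only inside visibility reveals.
FINDINGS = {
    "web-dmz": ["outdated TLS configuration"],
    "app-01": ["unpatched middleware"],
    "hr-share": ["SMB signing not required"],
    "jump-host": [],   # clean on every scan
    "db-core": [],     # clean on every scan, but the asset that matters
}

# (source, target, relationship that turns access on source into access on target)
EDGES = [
    ("internet", "web-dmz", "public HTTPS"),
    ("web-dmz", "app-01", "shared service account"),
    ("web-dmz", "hr-share", "reused local admin password"),
    ("app-01", "jump-host", "cached admin credential"),
    ("hr-share", "jump-host", "same domain group"),
    ("jump-host", "db-core", "SSH allowed from jump-host"),
]

CRITICAL = {"db-core"}


def list_view(findings):
    """The scanner's list: a finding count per host and no relationships.
    jump-host and db-core both score zero here."""
    return {host: len(items) for host, items in findings.items()}


def build_graph(edges):
    """Adjacency list keyed by source host."""
    graph = {}
    for src, dst, how in edges:
        graph.setdefault(src, []).append((dst, how))
    return graph


def shortest_paths_to_critical(graph, start, critical, blocked=frozenset()):
    """BFS from `start`, never entering hosts in `blocked`. Returns the shortest
    path (list of hosts) to each critical asset that is reachable at all."""
    paths = {}
    seen = {start} | set(blocked)
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for dst, _how in graph.get(path[-1], []):
            if dst in seen:
                continue
            seen.add(dst)
            new_path = path + [dst]
            if dst in critical:
                paths[dst] = new_path
            queue.append(new_path)
    return paths


def choke_points(graph, start, critical):
    """Hosts whose hardening would sever every path from `start` to the critical
    assets. Such a host lies on every path, so it also lies on the shortest one;
    the intermediate hosts of the shortest path are the only candidates to test."""
    baseline = shortest_paths_to_critical(graph, start, critical)
    candidates = {host for path in baseline.values() for host in path[1:-1]}
    return sorted(
        host for host in candidates
        if not shortest_paths_to_critical(graph, start, critical, blocked={host})
    )


def silent_hosts_on_path(findings, path):
    """Hosts on an attack path that the list view reported as clean."""
    return [host for host in path[1:] if not findings.get(host)]


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print("list view:", list_view(FINDINGS))
    paths = shortest_paths_to_critical(graph, "internet", CRITICAL)
    for asset, path in paths.items():
        print(f"path to {asset}:", " -> ".join(path))
        print("  clean-scanning hosts on that path:", silent_hosts_on_path(FINDINGS, path))
    print("choke points:", choke_points(graph, "internet", CRITICAL))
```

In this constructed data the host with the most leverage, jump-host, has no findings at all, so a list view ranks it last; the graph shows it is one of only two hosts whose hardening cuts every path to the database. Blocking app-01 alone, which the list view does flag, still leaves a route through hr-share.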
Risk questionnaires, which are simply a means of gathering information about prospective insureds to gain a security profile, are also inadequate. Failures arise from the use of confusing language, poor user expertise, limited scope and potential bias in responses.
In order to effectively assess exposures such as business interruption, it is necessary to score a prospective insured using the mindset of an attacker, not an auditor. External scanning and risk questionnaires have their place, but on their own they are insufficient for handling cyber risk and all that it entails on an ongoing and dynamic basis.
How can insurers evolve and gain the intelligence needed to predict exposure and its change?
They need to increase the use of data telematics to drive more dynamic risk management. This allows for enhanced visibility into the ground truth of network security and sets up longer-term conversations around continuous control monitoring and validation that aren’t achievable for most organizations today.
Cyber telematics also offers more real-time data sources to provide insight into ongoing risk throughout the insurance policy life cycle, offering a more complete exposure analysis and highlighting common attributes across insureds. Common mode failures in IT systems are a real thing, and this directly addresses some of the gaps in current risk accumulation modeling.
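The accumulation point can be made concrete. What follows is an added example, not from the article: a constructed portfolio in which each insured's policy limit is paired with the shared components (a cloud region, a VPN appliance model, a mail provider) that continuous telemetry observed in its environment. Grouping limits by shared component exposes common-mode concentrations that per-insured underwriting never sees, and comparing two telemetry snapshots shows how that exposure moves over the policy life cycle. Insured names, limits, component names and the threshold are all invented.

```python
from collections import defaultdict

# Constructed portfolio snapshot (sample data, not from the article): each
# insured's policy limit and the shared components continuous telemetry
# observed in its environment.
SNAPSHOT_Q1 = {
    "insured-A": {"limit": 5_000_000, "components": {"cloud-region-east", "vpn-appliance-x", "mail-saas-m"}},
    "insured-B": {"limit": 2_000_000, "components": {"cloud-region-east", "mail-saas-m"}},
    "insured-C": {"limit": 8_000_000, "components": {"cloud-region-west", "vpn-appliance-x"}},
    "insured-D": {"limit": 1_000_000, "components": {"mail-saas-m"}},
}

# A later snapshot: the same book, but insured-C has migrated to the east
# region, so the portfolio's concentration moved with it.
SNAPSHOT_Q2 = {
    "insured-A": {"limit": 5_000_000, "components": {"cloud-region-east", "vpn-appliance-x", "mail-saas-m"}},
    "insured-B": {"limit": 2_000_000, "components": {"cloud-region-east", "mail-saas-m"}},
    "insured-C": {"limit": 8_000_000, "components": {"cloud-region-east", "vpn-appliance-x"}},
    "insured-D": {"limit": 1_000_000, "components": {"mail-saas-m"}},
}


def accumulation(snapshot):
    """Per shared component: how many insureds depend on it and the total limit
    that would be hit together if it failed (a common-mode event)."""
    counts, limits = defaultdict(int), defaultdict(int)
    for info in snapshot.values():
        for component in info["components"]:
            counts[component] += 1
            limits[component] += info["limit"]
    return {c: {"insureds": counts[c], "limit": limits[c]} for c in counts}


def concentrations(snapshot, threshold):
    """Components whose common-mode exposure exceeds `threshold` (a fraction of
    total portfolio limit), largest exposure first."""
    total = sum(info["limit"] for info in snapshot.values())
    hits = [
        (component, data["limit"])
        for component, data in accumulation(snapshot).items()
        if data["limit"] / total > threshold
    ]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def exposure_drift(before, after):
    """Components whose exposed limit changed between two telemetry snapshots,
    as {component: (limit_before, limit_after)}."""
    a, b = accumulation(before), accumulation(after)
    limit = lambda acc, c: acc.get(c, {}).get("limit", 0)
    return {
        c: (limit(a, c), limit(b, c))
        for c in set(a) | set(b)
        if limit(a, c) != limit(b, c)
    }


if __name__ == "__main__":
    for name, data in sorted(accumulation(SNAPSHOT_Q1).items()):
        print(f"{name}: {data['insureds']} insureds, {data['limit']:,} exposed")
    print("over 50% of portfolio limit, Q1:", concentrations(SNAPSHOT_Q1, 0.5))
    print("over 50% of portfolio limit, Q2:", concentrations(SNAPSHOT_Q2, 0.5))
    print("drift Q1 -> Q2:", exposure_drift(SNAPSHOT_Q1, SNAPSHOT_Q2))
```

The detail worth noticing in the constructed data is that the mail provider used by three of the four insureds is not the largest accumulation; the VPN appliance shared by only two of them concentrates 13 of the portfolio's 16 million in limit. Counting insureds per component would have ranked them the other way round, and the second snapshot shows a single migration creating a new 15 million concentration without any change to the list of insureds.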
The insurance industry is at a crossroads with a critical need to recognize that a different and more mature toolkit is required. Telematics does more than identify vulnerabilities and look for broken windows: it provides a continuous annotated map of an IT environment that can be linked to scenarios. All players across the insurance industry must understand that with the right data collection and analytics combined into a holistic telematics solution, insureds and carriers will improve their ability to combat cyber threats and better quantify and mitigate the risk of systemic losses.