At a private briefing held outside the main RSA Conference in San Francisco, a panel of experts discussed the value of cyber insurance and whether it meets the needs of businesses trying to protect themselves against the impact of a cyber breach.
The panel was moderated by John Pescatore. He is currently working with SANS but was previously with Gartner and a member of the Secret Service.
The panellists were
- Devon Bryan, the CISO of the Federal Reserve System
- Ben Beeson, Cyber Risk Practice Leader at Lockton
- Tom Fuhrman, Managing Director of Marsh Risk Consulting
- David Bradford, Co-founder and Chief Strategy Officer for Advisen
For businesses, it’s generally accepted that breach is inevitable. As a result, insurance for cyber breaches seems a must have part of any cyber security program. However, there’s a significant chasm between how insurance companies and technical expert communicate about cyber risks.
Pescatore opened the discussion by presenting some data.
Everyone has access to the same technology. Companies in the same verticals spend about the same money proportionate to their revenue on security but some are more successful than others. What's the difference between the successful and unsuccessful teams?
He says the teams that do best focus on doing the right things first, rather than trying to do all things.
He also notes cybersecurity is relatively new. While other insurance sectors are more mature and have more data cyber requires different assessment tools. While the car and house insurance industries are backed by massive, longitudinal actuarial systems, the same isn’t true for cyber threats.
So, premiums that are paid today may not necessarily reflect risks accurately and may be market, rather than risk, driven.
And, as Fuhrman puts it, "there's a diabolical human on the other side".
According to Bryan, one of the issues is boards want quantitative information based on models that are accepted. This is even more complex for security practitioners that operate within global organisations.
Beeson noted we are now operating in a new world, with the Target breach in 2013 delineating a significant pivot point. This has lead both companies and insurers to particularly focus on the protection of PII and PHI (Protected Health Information) and breaches of individual privacy. Before the Target breach, insurance was focused on an assessment of what tools or controls a company had in place.
Read more: Security: Architecture vs Sprawl
But that approach is no longer adequate. The insurance industry needs to partner with technology companies to model and price the risk.
Another element of the risk equation is aggregation risk – where the breach of one entity might effect many businesses and insurance companies. For example, a single breach at a large cloud services provider might affect dozens, perhaps hundreds, of insured companies and consequently many insurers.
Another challenge noted by Beeson was one of timing. Given many advanced threats may be resident for many months before any data is exfiltrated or there’s any business interruption, what happens if you take out insurance but breach was in place well before incursion without your knowledge?
In other words, a CISO’s view of risk may be very different to insurance industry
Read more: Security leadership and the role of AI
When it comes to communication between insurers, technical people and boards, one of the disconnects noted by the panel was the lack of a common lexicon – each corner of this triangle used terminology in different ways.
Bradford says a data schema for cyber insurance in development, albeit with just 15 terms currently defined. However, this is being done without engagement of the technology community.
He says "There's a long way to go to bridge that chasm".