How cyber insurers can raise the game in cyber resilience

By | January 13, 2024
  • The cyber insurance industry’s role in ensuring a global ecosystem of cyber resilience is undermined by the lack of a standardized framework for measuring the cyber resilience of insured organizations.
  • Increased demand for cyber insurance means insurers are positioned and incentivized to influence the implementation of cyber resilience standards as part of an improved risk assessment methodology.
  • Cyber insurers play an important role in improving cyber resilience through collaboration, improvement plans, monitoring and quality assurance tools, and the use and sharing of intelligence.

The 2022 Russia-Ukraine War demonstrates that cyberattacks continue to grow, with the weaponization of cyber threats becoming a tool to maximize impact on multiple businesses and on critical infrastructures important to national economies. Ensuring cyber resilience is predicated upon effective risk identification and mitigation. So now, it is more important than ever for organizations to put on a “digital flak jacket.”

The cyber insurance industry has an important role in improving and ensuring a global ecosystem of cyber resilience. However, cyber insurers and insured organizations lack a standardized framework to measure their cyber resilience. Instead, they rely on industry benchmarks for resource allocation and antiquated techniques for quantifying cyber risk.

As cyber incidents increase in frequency and intensify in their disruptive impacts, it is clear that higher cybersecurity spending does not necessarily drive better cyber maturity. Insurers have intimately experienced the effects of immature risk assessment methods when insuring organizations over the past two years, as the top 20 cyber insurers have recently posted record high loss ratios.

With the increased demand for cyber insurance, insurers are now positioned (and financially motivated) to influence the implementation of cyber resilience standards as part of an improved risk assessment methodology.

There are several ways cyber insurers are essential in improving cyber resilience.

1. Collaboration

Cyber insurers can collaborate with governments, regulators and organizations to continuously improve and prioritize actions based on current exposure to attacks. They are uniquely positioned to do so because they can both promote cyber-resilience best practices and observe, across their portfolios, which security hygiene and behaviours actually hold up.

Not only can they provide the right incentives to encourage resilient conduct but they are also financially invested in mitigating society’s cyber risk across sectors and geographies. As a result, their balance sheets are intrinsically linked to the cybersecurity success of others.

Standardizing cyber risk measurement techniques and governance principles is a win-win for insurance and society.

2. Suggesting improvement plans

Cyber insurers can also encourage organizations to address their weaknesses in a sensible order of operations by suggesting improvement plans.

Providers assess an organization’s security posture to set its premiums. To do that, they have access to internal information such as security incidents, breaches and claims data that may never have been made public.

Based on that information, cyber insurers define their premiums and contracts and could also define improvement objectives that incentivize positive security actions.

Incentives like a review of premiums and discounts for consistently strong security postures for the insured could have a large impact.

3. Monitoring and quality assurance tools

Cyber insurers can apply continuous monitoring practices and tools to ensure enhanced cyber posture through metrics like security ratings.

Continuous monitoring minimizes cyber risk and gives a clear picture of an insured entity’s cybersecurity rating at the time of a breach or incident. Overlaying those ratings with what is known about the type of breach or incident that occurred, and with the impact categories recorded in the resulting claims, yields insight that no single source provides on its own.

For example, discovering any correlations between an entity type (e.g. industry and size), the entity’s cyber maturity rating, and the impact of the breach on the business that resulted in a claim to the insurer (or multiple insurers in some cases) is an invaluable improvement to our knowledge of risk indicators.

Aggregating and anonymizing analytics of claims data should surface strongly correlated indicators, patterns and emerging trends. This data can be used as legitimate leverage in both annual and post-incident premium negotiations with the insured.

It is clear that insurers are well-positioned to influence organizations to achieve cyber resilience. They can achieve this through leveraging the possibility of continuous underwriting, where insurers regularly monitor the risk posture of the insured. This type of active oversight can be influential for proactively coaching clients on the best ways to avoid cyber incidents.

Armed with data-driven risk models, insurers can motivate the insured to improve their controls, improving their cybersecurity risk rating and resilience in the context of a constantly evolving risk landscape.

4. Using and sharing intelligence

Cyber insurers can use and share the intelligence with ecosystem players and law enforcement during an incident to speed reaction and reduce recovery times, thereby minimizing risk.

As already mentioned, providers have unique access to security incidents, breaches and claims data that may not have been made public. It would be irresponsible for insurance providers to keep this information from informing regulatory policy, cybersecurity practices and incident response.

Indicators of Compromise (IoCs) are routinely shared among ISACs (Information Sharing and Analysis Centers) in the US, Europe and Asia to aid the collective resilience of an industry or sector such as oil and gas, financial services or retail/hospitality. STIX, a structured format for describing threat information, and TAXII, the transport protocol for exchanging it (both now at version 2.1 as of June 2021), are the standard mechanisms for this purpose.

Perhaps the major firms should seek out similar ways to build communities of insurance practitioners who can benefit from aggregated and anonymized TTPs (Tactics, Techniques and Procedures) and the corresponding data for breach events or business disruptions. When more in-depth threat intelligence feeds from security vendors are added to this core of event and threat-actor information, the result could be a collective defense capability that is truly resilient and robust.