Insurers have been blindly moving to expand access and coverage in cyber insurance despite their inability to confidently assess and quantify holistic cyber risk. Visibility of the exposure remains poor, and overstated modeling capabilities have brought unjustified confidence and misleading precision to materials presented to internal underwriting, risk management, auditors and clients.
Cybersecurity is an adversarial challenge — with victims subject to opportunistic and strategic targeting and constantly changing techniques and tactics. As a result, it is nearly impossible to understand the extent of exposure in such a dynamic risk landscape. The current evaluation methods, questionnaires and external scanning, are simply inadequate and the insurance community has embraced false precision in models built upon such limited datasets. This misguided confidence stems from teams and tools that are not focused on actual security methods.
Knowing the difference between preparing for a compliance audit, a maturity model scoring exercise, and an actual risk management program is key. Preparing for hackers is not the same as preparing for auditors. Compliance- or maturity-driven programs are signs of comparative immaturity. Organizations that are stuck there, as opposed to running real risk-based security programs, expose themselves and their carriers to significant, and potentially systemic, cyber losses. Emerging risk management technology, based on advanced cyber telematics, is the key to closing the gaps and reducing cyber exposure.
Cyber telematics proactively addresses potential security issues before they become actual problems. Simply put, since things change quickly, they should be observed often. Once visibility is attained, response actions and processes can follow. At a more mature stage, telematics supports continuous control monitoring and validation, and provides actionable intelligence to core business operations. Cyber telematics promises a quantitative, risk-based approach to risk assessment that enables accurate underwriting and pricing insight into how an exposure may change over time. This approach is paramount to establishing and maintaining ground truth.
External scanning and assessment forms have too many gaps and limitations. You need to combine data from internal vulnerability scans, external scans, and core internal services. A good example of a core internal service is Active Directory, the identity infrastructure of an enterprise that manages permissions and access for users, which is a major component of most high-profile breaches and loss events — including ransomware — over the past few years. Combining at least these three sources of data is a requirement to drive better fidelity and underwriting. External scanning alone has been used in writing risk for some time, but it is limited to “broken windows” policing of potential insureds, and many attackers already know how to game the system. Most major attacks involve lateral movement to ultimate targets of interest, regardless of whether they started with an insider, external vulnerability or phishing. Almost all attackers seek to gain elevated privileges to take illicit actions.
The structure inside of the shell is more important than the surface scan. External scanning is a component, but is an insufficient indicator of potential exposure and does not provide the complete picture. Modern network architectures have made this even more true over the past five years.
Outside-in techniques apply the broken windows theory to security. They are useful, but they have flaws. Vulnerability management scans are mostly limited to cyber hygiene issues, such as patching, and while security ratings supply valuable signals, they say little about what’s really going on inside. Real attackers chain together exploitable vulnerabilities with privileges in the network. This means thinking about how to move across the network — like Chutes and Ladders — to reach an objective. Simply scanning and looking at lists misses the key part — the graph of what is connected together. The connections in the graph, not the items in the list, are the most important part.
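As an added illustration of the two preceding points (merging external scan, internal scan and identity data, and evaluating the graph rather than the list), the following script is example code written for this article, not software from the author or from QOMPLX. All host names, account names, finding identifiers and relationships are constructed, and the rule that the internet reaches a host only when it is both exposed and carries an exploitable finding is a modelling assumption. Two hypothetical environments carry exactly the same findings; only the identity relationships differ.

```python
from collections import deque

# Constructed sample feeds for a hypothetical environment (not real scan output).
# Each feed stands in for one of the three data sources discussed in the text:
#   external scan   -> which hosts are internet-exposed
#   internal scan   -> which hosts carry an exploitable finding
#   identity data   -> who can control what (Active Directory-style relationships)
EXTERNAL_SCAN = {"web01", "vpn01"}
INTERNAL_SCAN = {
    "web01": [("FINDING-A", True)],   # (finding id, exploitable?)
    "vpn01": [("FINDING-B", False)],
    "app02": [("FINDING-C", True)],
    "dc01": [("FINDING-D", False)],
}
# (source, target): the source can obtain control of the target.
AD_EDGES_FLAT = [
    ("web01", "svc_web"),    # a service account runs on web01
    ("svc_web", "app02"),    # that service account administers app02
    ("app02", "it_admin"),   # it_admin logs on to app02
    ("it_admin", "dc01"),    # it_admin is in a group that administers dc01
]
# Same hosts and findings, but administrative tiering removes one relationship.
AD_EDGES_TIERED = [e for e in AD_EDGES_FLAT if e != ("svc_web", "app02")]

INTERNET = "internet"


def build_graph(external, internal, ad_edges):
    """Merge the three feeds into one directed graph.
    Modelling assumption: the internet reaches a host only if the host is
    exposed AND carries an exploitable finding; identity edges are taken as given."""
    graph = {INTERNET: set()}

    def add(src, dst):
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())

    for host, findings in internal.items():
        graph.setdefault(host, set())
        if host in external and any(exploitable for _, exploitable in findings):
            add(INTERNET, host)
    for src, dst in ad_edges:
        add(src, dst)
    return graph


def finding_count(internal):
    """The 'list' view: how many findings exist, regardless of connectivity."""
    return sum(len(f) for f in internal.values())


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the node sequence or None if unreachable."""
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def cut_candidates(graph, src, dst):
    """Edges whose removal alone makes dst unreachable from src: the single
    mitigations a defender should evaluate first. Empty if dst is already unreachable."""
    if shortest_path(graph, src, dst) is None:
        return []
    result = []
    for a, targets in graph.items():
        for b in targets:
            trimmed = {n: set(t) for n, t in graph.items()}
            trimmed[a].discard(b)
            if shortest_path(trimmed, src, dst) is None:
                result.append((a, b))
    return sorted(result)


def assess(ad_edges):
    """Compare the list view (finding count) with the graph view (path, cuts)."""
    graph = build_graph(EXTERNAL_SCAN, INTERNAL_SCAN, ad_edges)
    return {
        "findings": finding_count(INTERNAL_SCAN),
        "path_to_dc": shortest_path(graph, INTERNET, "dc01"),
        "cuts": cut_candidates(graph, INTERNET, "dc01"),
    }


if __name__ == "__main__":
    for name, edges in (("flat", AD_EDGES_FLAT), ("tiered", AD_EDGES_TIERED)):
        print(name, assess(edges))
```

Both environments report four findings, so a list-based score cannot tell them apart. The graph view shows that in the flat environment the internet-facing host leads, through the service account and a cached administrative logon, to the domain controller, while in the tiered environment no such path exists; the `cuts` list names the individual relationships whose removal would break the path, which is the prioritization a list of findings cannot provide.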
Risk questionnaires, which are simply a means of gathering information about prospective insureds to gain a security profile, are also inadequate. Failures arise from the use of confusing language, poor user expertise, limited scope and potential bias in responses.
To effectively assess exposures such as business interruption, it is necessary to score a prospective insured using the mindset of an attacker, not that of an auditor. External scanning and risk questionnaires have their place, but on their own they are insufficient for handling cyber risk, and all that it entails, on an ongoing and dynamic basis.
How can insurers evolve and gain the intelligence needed to predict exposure and its change?
They need to increase the use of data telematics to drive more dynamic risk management. This allows for enhanced visibility into the ground truth of network security and sets up longer-term conversations around continuous control monitoring and validation that aren’t achievable for most organizations today.
Cyber telematics also offers more real-time data sources to provide insight into ongoing risk throughout the insurance policy lifecycle, offering a more complete exposure analysis and highlighting common attributes across insureds. Common mode failures in IT systems are a real thing, and this directly addresses some of the gaps in current risk accumulation modeling.
The insurance industry is at a crossroads, with a critical need to recognize that a different and more mature toolkit is required. Telematics does more than identify vulnerabilities and look for broken windows: it provides a continuous, annotated map of an IT environment that can be linked to scenarios.
All players across the insurance industry must understand that with the right data collection and analytics combined into a holistic telematics solution, insureds and carriers will improve their ability to combat cyber threats and better quantify and mitigate the risk of systemic losses.
Crabtree is the CEO of QOMPLX, an intelligent decision platform provider. Prior to QOMPLX, Crabtree most recently was special advisor to the senior leaders in the Department of Defense cyber community.