By Chris Cronin
Cyber security insurance is rapidly becoming a staple for cyber security risk management. Organizations are increasingly transferring cyber security risk to insurance carriers who will cover costs that result from a cybersecurity breach. But cyber insurance is still in its infancy. Carriers are still trying to develop the right actuarial models to quantify the probability and magnitude of cybersecurity breaches, and insurance brokers are struggling to gather the right information from their clients to properly underwrite their risks.

Insurance

Insurers are acting sensibly when they try to model probabilities of cybersecurity attacks. After all, reducing the probability of harmful events is core to managing risk. But the data suggests that there may be far more manageable ways to reduce cybersecurity claims (and the risks that underlie those claims). If insurers and organizations focus on the behavior of management rather than the behavior of hackers, they may significantly reduce the costs of security breaches.


The data behind this hypothesis comes from annual cyber security breach reports produced by NetDiligence.

CLAIMS CATEGORY          SMALL & MEDIUM    LARGE
Crisis Services Costs    $112,000          $3,800,000

Now take a look at the average claims over the same five years for liability-related costs.

CLAIMS CATEGORY          SMALL & MEDIUM    LARGE
Legal Defense            $78,000           $1,400,000
Legal Settlement         $264,000          $50,000

CLAIMS CATEGORY          SMALL & MEDIUM    LARGE
Regulatory Defense       $41,000           $1,200,000
Regulatory Fines         $19,000           $3,500,000

If you’re a small to medium-sized organization and you are sued after a security breach, you can expect your insurance company to pay roughly three times your crisis costs in litigation costs.

Similarly, a large organization should expect its cyber insurance carrier to pay more to cover regulatory costs than crisis costs.

So what does this mean to the cybersecurity community?

We manage potential crisis costs differently than we manage potential liability costs

Crisis costs result from security breaches that may come from something as common as personnel error or as effective as a persistent attacker. We are smart and sensible when we put in place controls to reduce the likelihood or impact of those attacks. But we also know that the struggle will be hard and continuous. So we should expect that driving down crisis costs will always be difficult, even as we make breaches less likely with smart controls.

Liability costs result from scrutiny about how well we managed our environment to protect others from harm before a breach occurred. Both regulators and litigators use cost-benefit analysis to determine whether an organization used reasonable controls when operating their organization. Liability goes down when management explicitly plans their cyber security priorities and investments to reduce harm to both others and themselves.

As we apply technical and physical controls such as encryption, access controls, segmented networks, SIEM tools, penetration tests, and vulnerability management, we are reducing the likelihood that breaches will occur. But we are likely not reducing the costs that will be incurred when a breach does happen (unless those controls eliminate data or make forensic investigation highly efficient).

When we apply administrative controls such as inventories of hardware, software, and data, incident response drills, personnel training, root cause analysis, and risk assessments that evaluate harm to others, we are generally not reducing the likelihood of a breach per se. What we are doing is demonstrating to our employees, the public, regulators, and litigators that we were applying due care for others who may have been harmed by a breach. We were taking responsibility for the harm we could have done to others. That’s what regulators and litigators expect of us. And that is what reduces regulatory and litigation costs.

What the cyber security community should do

Insurance carriers can design insurance products that evaluate and distinguish between their covered clients’ cyber security controls and their risk management activities. Organizations that explicitly assess risks to themselves and others and that include in their assessment what controls are reasonable given budgets, priorities, and their mission will pose a lower risk to the carrier in terms of the claim amounts that cover regulatory and court action.

Insurance brokers can add to their underwriting process a few questions about how well organizations manage their cyber security risk based on the likelihood and impact of harm to others, to themselves, and their mission. These brokers can indicate to carriers which organizations will face lower liability when a breach does occur.

And organizations can manage risk to themselves and others in balance, ensuring that their security controls protect others from harm, while not being overly burdensome to the organization or its mission.

DoCRA

That is why HALOCK contributed Duty of Care Risk Analysis (DoCRA) to the public. DoCRA helps organizations, litigators, and regulators understand what reasonable cyber security controls are by showing whether they balance the public interest with the organization’s mission and objectives. The Center for Internet Security adopted DoCRA as the basis for its risk assessment method (CIS RAM) to help organizations implement the CIS Controls reasonably.

Read more on balancing security, compliance, and business goals with DoCRA and best practices in managing risk.

Learn more about implementing CIS RAM.


Chris Cronin is an ISO 27001 Auditor and has over 15 years of experience helping organizations with policy design, security controls, audit, risk assessment and information security management systems within a cohesive risk management process. Chris is Chair of The DoCRA Council and the principal author of CIS Risk Assessment Method (RAM). Chris is also a member of The Sedona Conference, Data Security and Privacy Liability – Working Group 11 (WG11).

He is a frequent speaker and presenter at information security conferences and events. Chris earned his Master of Arts from Case Western Reserve University.