Rising data breaches and increasing compliance concerns are increasing interest in insurance against cyberattacks, but taking out cyber-insurance policies can be complex and uncertain. How can companies make it easier?
At the 2017 SecTor conference last November, we sat down with Dave Millier, founder and CEO of security services company Uzado, to talk about a framework that could bring companies peace of mind.
The problem with cyber-insurance is that it’s a young industry, explains Millier. Insurance companies like to assess risk by ploughing through lots of data, and when it comes to cyberattacks, there’s not much of it around.
Chubb has only had 3000 claims in its 20-year history, which makes it difficult to quantify risk in new contracts. It’s also difficult to get the relevant information from many companies wanting to take out these insurance contracts, or even to understand what the relevant information is.
The uncertainty and confusion around cyber-insurance can make a lot of claims contentious. The National Bank of Blacksburg recently sued Everest National Insurance after the insurance firm refused to cover most losses from two phishing attacks, arguing that only one of the policy’s riders protected it from the attacks, and this wasn’t enough to cover the losses.
This isn’t the first time that insurers and companies have fought over claims. The State Bank of Bellingham successfully sued insurance firm BancInsure, and law firm Moses Afonso Ryan sued its insurer after failing to get a payout for $700,000 in lost billable fees after a ransomware attack.
From COPE to CyberCOPE
In the bricks and mortar world, insurers use a concept called COPE to measure an organization’s level of risk. It stands for Construction, Occupancy, Protection and Exposure, and it is well understood when dealing with insurance policies that protect businesses from fire and theft, say.
Insurers must map those principles into the cybersecurity realm, but insurers and cybersecurity experts come from different backgrounds and need a common language to position cybersecurity readiness in the insurance world.
When Chubb initially released its CyberCOPE advisory in 2016, it was an attempt to normalize that by mapping the traditional COPE categories to new ones. Instead of the traditional components of a COPE analysis, CyberCOPE looks at Components, Organization, Protection and Exposures.
CyberCOPE explores several components, including the number of endpoints and network connections that a company has, the software versions that it uses, and the locations of its data centres.
The framework also looks at the maturity of the organization’s profile. It examines the policyholder’s industry, the quality of the company’s IT and security-related policies, the budget that a company allocates for security and its adherence to industry standards.
The coverage explores protection measures such as data retention policies, monitoring procedures, encryption and incident response readiness.
Then, there are exposures, such as a company’s common threat vulnerabilities, the type and amount of sensitive information that they handle, and their compliance and regulatory requirements.
CyberCOPE provides a standard approach to underwriting cyber-insurance, but policyholders still face a challenge when answering questions to satisfy insurance companies. Cybersecurity questions are often more nuanced and subjective than ‘how tall is your building’. Understanding the right questions to ask and where to find the answers is a key barrier in taking out a cyber-insurance policy.
At SecTor in November 2017, Uzado launched a framework that combines CyberCOPE with industry best practices, enabling companies to better answer these questions. It aligns CyberCOPE to a cybersecurity lifecycle taking in governance and risk management, metrics and reporting, and continuous improvement. It also maps the Chubb structure to industry standards including the NIST cybersecurity framework.
By using the framework, companies can score their cyber-insurance readiness according to a numerical maturity model, and can also use it to assess the specific kinds of cyber-insurance that they may need to concentrate on.
See Millier explain the concept in more depth here.