Cybersecurity has become a concern for nearly all companies that depend on the internet and on their own reputation to stay in business. In the information age, a drop in reputation spreads very fast and its negative effects become visible almost instantaneously. A company that has not protected its books and market cap against cyber risk in the information age may actually face the threat of extinction. In this situation, an obvious solution is to transfer the unmanageable risk onto someone else, such as a cyber insurance provider. This is in effect a transfer of part of your wealth from the no-loss state to the loss state: your premiums are converted into coverage, and the insurance company comes to your aid in a breach scenario to help the company recover from potential annihilation. The reason not everybody is buying cyber insurance is the low maturity of the cyber insurance policies available in the market.
Cybersecurity insurance is provided through a detailed underwriting procedure in which cybersecurity-related information about a company is collected and processed by underwriters, who then estimate the distributions of claims over different periods and create policy terms that make the risk transfer profitable for the insurance company. The problem in this process is the absence of a mechanism that processes the collected cybersecurity data and assists in estimating these distributions. Cyber insurance policies can be created from historical data, which forms the prior estimates, but to pick a policy for a client one needs to reformulate the policies according to the client’s requirements, security status, defence capabilities, and so on. An improper selection of policies for a client leads to more frequent and unmanageable claims. The process of reformulating prior estimates to account for these requirements is not mature enough, if it exists at all, to be of use to the insurance underwriter. This leads to a plethora of one-size-fits-all policies which fit no client.
What is needed, therefore, is a measurement tool and a model that converts the cybersecurity information of a whole company into a number with several properties: it is sensitive to the vectors critical for a breach, it is continuously available, and it is precise. Underwriters could then rely on this number to adjust the prior estimates and enable the insurance company to offer policies that fit the client in question.
There are a number of caveats in offering a cyber policy to a company, including but not limited to adverse selection, moral hazard, incomplete disclosure of cyber incidents resulting in a loss, difficulties in root cause analysis, and reusability of claim data to improve estimates in future underwriting. All of these problems require a metric with the following properties:
- The metric should indicate sensitivity towards the major breach patterns, thereby indicating the cyber defence of an organization.
- One should be able to gather data for this metric through sensors and produce near-real-time scores.
- The metric itself should be precise and independent of the data collection process.
- The metric should be up to date with current and emerging threats.
- The metric should consider not just the technology but also the people, the policies, and the security products maintaining security for the organization.
- The metric should be capable of re-adjusting itself in a timely manner as the threat landscape changes.
- It should be customizable to a company’s needs, and it should be transparent and traceable.
- The metric should separate the “good” cases in the tail of its distribution, so that good is easily distinguished from bad.
Above are a few requirements of a security metric that can enable an insurance policy that is fair to both insurer and insured. An insurance policy is a way to transfer the wealth of the insured from the no-loss state to the loss state. This is done by transferring risk onto the insurer for a fee. In the case of cyber insurance, the valuation of the risk itself is too difficult to determine the proper fee, or premium, for transferring a certain type of risk. The above metric has the potential to enable a risk transfer that is:
- Done with identification of companies that are cyber risk averse as opposed to cyber risk seeking, as shown by their cyber defence,
- Done with due consideration to avoiding moral hazard in the insured, through a real-time monitor,
- Done with full security information, complete with respect to the security-related data associated with individuals, procedures, security products, and finally the technology enabling the business goals of the company requiring risk transfer,
- Done as a fair trade in which the transferred risk is the residual risk remaining after the security efforts, not the unnecessary risk taken by virtue of the protection the risk transfer provides.
This fair trade of risk comes about when neither the insurer nor the insured loses out because of technicalities. These technicalities arise where neither insurer nor insured understands exactly what maintaining a safety standard means. With a model like the one above, the insurer can simply add to the policy a standard based on this model for the insured to follow, and can thereby maintain good hygiene on the insured’s premises, sparing both themselves and the insured the unnecessary hassle of appeals and lawsuits instead of working towards a solution.