
Cyber Insurance Risk Evaluation and Claims Costs: Bridging the Gap

Cyber insurance is one of the unsung victims of recent years’ combination of commoditized malware and a massively expanded attack surface. This post introduces an innovative way to leverage continuous security validation techniques and tools to bridge the gap between the estimated security posture and the real one. It also shows how to use that accurate data for underwriting purposes.

 

The Cyber-Insurance Context Today

On the Darknet today, cyber-attackers of all types can happily shop for Malware-as-a-Service solutions, sometimes at nation-state cyberweapon level and often with AI/ML capabilities, which considerably lowers the barrier to entry for a cyber-crime career. Thanks to the massive, last-minute migration to remote working starting in 2020, the growing number of cyber-attackers can target a substantially increased attack surface. Add the constant changes in the environment resulting from agile development and the endemic shortage of skilled cybersecurity professionals, and it is no wonder that cybersecurity breaches are becoming a regular staple in the news. The surge of nation-state attacks that accompanies the Russia-Ukraine conflict is likely to make the cyber landscape even more perilous.

For the still young cyber-insurance sector, this is a double-edged situation. On the one hand, the increased risk and growing institutional requirement for resilience are leading to a marked increase in demand. On the other hand, the cyber-insurance market has been a loss environment since 2020, with deteriorating profits and rising reinsurance costs.

 

How Can the Cyber-Insurance Underwriter Reduce Its Risk Exposure and Improve Revenue? 

The first step is to understand the technical reasons behind the disconnect between risk evaluation and actual risks: 

  • Today’s typical risk evaluation is based on assessments of adherence to best practices. Though adhering to best practices is an excellent start, it does not equate to providing security. In its 2021 Cybersecurity Quarterly Winter issue (p. 18), the CIS (Center for Internet Security) admits that even 100% adherence to CIS Controls only stops 86% of the known TTPs. In other words, best practices need to be complemented to fit specific environments.
  • The yearly or bi-annual pen test may satisfy compliance regulators, but it only provides a snapshot of reality that is valid for that moment. It is ill-equipped to provide a continuous evaluation of the insured party’s security posture, which is in constant flux due to:
          – The emergence of new threats
          – The constant new deployments in its environments that have become the norm in the age of agile development
  • The tendency to add more detection and response tools to increase the array of attacks detected and stopped through automation leads to tool sprawl. The result is an onslaught of data that only covers what the solutions know to detect. Even if all this data is properly analyzed, it fails to cover the entire kill chain flow. 

With only these elements, even a cyber-insurance underwriter with extensive cybersecurity knowledge will be unable to effectively assess the insured party’s security posture and risk level in depth and over time.

The second step is to look at the required capabilities to enable a data-driven, comprehensive, and continuous evaluation of the insured party’s security posture.

 

What Is Needed for an Underwriting-Enhancing Assessment

The main factor in obtaining information about an insured party’s security posture is to shift the perspective 180°. Instead of evaluating the value of the defensive measures, it pays to look at the odds an attack will succeed and how far it could go.

When integrated, security validation and security posture management technologies, such as those in the Cymulate Exposure Management and Security Validation platform, continuously run comprehensive arrays of production-safe attacks, including emerging threats, and produce reports showing exactly how many attacks were detected and whether and when they were stopped.

As an Exposure Management and Security Validation platform is typically connected with the environment’s SIEM and SOAR tools, it provides detailed information about how to improve these tools’ configurations to optimize their efficacy and provides actionable mitigation guidance to improve the security posture over time. 

As the integration of emerging Breach and Attack Simulation (BAS) technologies into a unified platform is, by definition, a nascent technology, odds are that most cyber-insurance applicants will not have it installed. Cyber-insurers could nevertheless already use the available capabilities to run an initial assessment and require regular reassessments.

The Cymulate platform provides quantified security scores, both global and granular. These can support post-binding clauses that make continued coverage conditional on maintaining the security score in a predefined bracket, and/or that adjust the premium and coverage extent according to predefined standards.

The combination of the platform’s ease of use, especially for assessment purposes, and its quantified security scores – based on actual resilience to attacks instead of exclusively on the correlation between detected CVEs and their respective CVSS scores – means that gathering accurate and comprehensive information about the insured party’s security posture for underwriting purposes requires little to no existing cybersecurity knowledge and could potentially be partially automated to streamline the underwriting process. 

For a more in-depth analysis of the way continuous dynamic cyber-insurance underwriting could benefit both insurers and insured parties, download our “Are Cyber-Insurance Models Broken? Bridging the Gap Between Cyber-Insurance Models and Reality” extensive research on the topic.

 

Is It Possible to Accurately Estimate a Breach’s Total Cost?

Despite the meteoric rise of cyber-insurance premiums, Marsh McLennan’s 2022 Global Risk Report indicates that paid claims reach three times the amount initially claimed after a breach.

This means that accurate risk assessment across the entire kill chain is key to evaluating the extent of the potential damage in case of a breach.

For example, the damage resulting from a successful ransomware attack can range from zero or momentary business interruption requiring no ransom payment to a catastrophic breach where the ransom payment is dwarfed by the added costs of business interruption, data theft (ranging from users’ PII, plus potential legally awarded damages, to intellectual property and a potential loss of competitiveness), the resulting damage to the brand name, etc.

When assessing the entire kill chain, getting a clear and comprehensive view of the depth of escalation or lateral movement paths available to the attacker provides actionable data to evaluate the risk of cascading effects. Cymulate’s Q3 2021 Ransomware Study clearly shows that prepared companies have a far easier time recovering from ransomware attacks, and one of the crucial preparation elements is integrating all the emerging Breach and Attack Simulation (BAS) techniques.
 

[Figure: Ransomware study chart, severity and duration]

 

So, though estimating a breach’s total cost remains elusive, the ability to estimate the risks that could transform an initial breach into a catastrophic one does exist.

The cybersecurity market is always dynamic and fluctuating. The current situation, with the not-so-unreasonable risk of nation-state-sponsored cyber-attacks, makes it even harder to predict and quantify risk. Combined with the already rising cost of damages, fast-rising demand for cyber-insurance, and ballooning premiums, this can make or break a cyber-insurance department.

In this climate, continuous end-to-end validation is critical for quantitatively evaluating risks and, ideally, should also be leveraged to reduce risks and prioritize patching.

The technology to achieve both is available.