Measuring the Role of Risk Transfer in Cybersecurity Management
Recent events have catapulted cyber threats from a compartmentalized CISO responsibility to a boardroom discussion about director liability.
Recent events have catapulted cyber threats from a compartmentalized CISO responsibility to a boardroom discussion about director liability. How does senior management know when cyber risks are being properly managed?
Many CSOs and CISOs have viewed cyber insurance instruments with indifference since their inception. Arguments against purchasing coverage range from limited insurance scope to a perceived lack of value to confidence that traditional preventive security controls are adequate.
However, cyber insurance purchasing has recently taken hold. The principal driver has been a widespread acknowledgement of privacy breach risk and recognition that insurance solutions for specific exposures present a cost effective and meaningful mitigation tool. Second, as commercial clients increasingly require evidence of cyber insurance as a contractual condition, many firms purchase a policy in order to “check the box” to comply with their client’s acquisition process. Additionally, many boards of both public and private companies have begun advocating for such coverage to fulfill their fiduciary duties.
Organizations increasingly recognize that cyber-risk is no longer limited to the digital domain but now extends across the entire risk spectrum – financial to physical. This new reality requires CSOs/CISOs to partner with their risk management counterparts to execute enterprise-wide cyber-risk strategies that involve integrating surveillance technologies. More importantly, the ultimate goal of a CSO/CISO cannot be to entirely eliminate risk but rather to manage it as effectively as possible. Accomplishing this requires a combination of technological, physical and financial controls. The key is to understand the point of diminishing returns and recognize when resources should be directed to other types of controls.
Today, much of the available cyber insurance covers privacy and data breach risk, with more limited amounts of coverage available for network business interruption losses and the destruction of intangible assets. There have been some recent positive developments, including coverage for loss of future revenue that results from the negative reputational effects of a cyber event. However, there are growing concerns that traditional insurance coverage (such as property and casualty) requires clarification for cyber-precipitated losses due to the presence of vague “electronic data” exclusions. “Check the box” underwriting approaches will neither identify nor mitigate deficiencies that may facilitate a catastrophic loss.
The good news is that new underwriting approaches and quantification capabilities are being developed that provide enterprise-level insight and give the insurance market confidence in understanding a policyholder’s cyber exposure. This is precipitating the emergence of comprehensive, enterprise-wide cyber policies that include coverage for the policyholder’s own financial losses and costs related to a cyber event, all forms of third-party liability and any cyber-predicated bodily injury or tangible property losses. However, there will be a departure from the current market climate wherein heavy competition among insurance carriers and an abundance of offerings for privacy breach coverage has led to the reality that even firms with sub-par security can procure coverage.
This is exactly where the CSO’s/CISO’s leadership becomes critical to the insurance underwriting process. Insurance underwriters prefer to back companies that exude mature risk management capabilities, and this is especially true for a comprehensive product that covers emerging and dynamic cyber risks. Such strategies must prioritize the organization’s critical assets, align with non-IT protections and provide some quantification that risk is actively being managed and covered. Organizations that demonstrate maturity in attempting to understand their enterprise risk and implement converged surveillance solutions, processes and methodologies that cut across internal hierarchies. Converged security monitoring and surveillance activities are systemic in nature, spanning technology, process and culture.
An engaged leadership team understands that the implementation of converged surveillance systems offers greater domain awareness via improved detection, correlation, prevention and mitigation capabilities that preempt catastrophic losses. Cyber insurance objectively supplements an organization’s converged surveillance activities by offering economic incentives derived from risk management-based feedback mechanisms that are derived from an actively managed enterprise-wide surveillance program. In this manner their organization’s balance sheet is protected from cyber-predicated financial loss.
All industries, across all sectors, currently have the opportunity to demonstrate that the market approach is still the best approach in allowing companies to maintain control of their security environment. If we do not seize this opportunity, the government may decide that regulation is the only approach. If such a regulatory path is pursued, cyber criminals will be among the beneficiaries because regulation can never keep pace with the rapidly evolving threats in cyber space.
About the Columnists: Bob Liscouski is CEO and co-founder of Axio Global LLC, an innovative enterprise cyber risk management firm focused on protecting and preserving the value of companies that are essential to our global economy by providing complete cyber risk mitigation and transfer solutions. He is the former Assistant Secretary for Infrastructure Protection for DHS. David W. White is a founder and senior executive at Axio Global. Previously, White worked in the CERT Program at Carnegie Mellon’s Software Engineering Institute, where he provided technical leadership for a portfolio of cybersecurity and resilience maturity models and frameworks and associated research, diagnostic methods and training.