Cyber Policies: The Challenge of Assessing Risk
The high risk associated with a cyber policy gives the insurance company’s CISO a leading role in designing the risk assessment strategy and calculating the cyber policy.
With the increase in cyberattacks and cyber threats, insurance companies have expanded their product offering by creating cyber policies so that organizations can cover the risks associated with cybersecurity incidents.
However, the very product that could carry insurers' offering into the digital environment that will underpin the market in the medium and long term also constitutes a business risk that may jeopardize the sector's short-term sustainability.
For this reason, the design of a cyber policy requires establishing the processes to create a product of controlled risk and sufficient profit.
Cyber Policies: A Challenge for Insurance Companies
Cyber policies are a double challenge for insurance companies:
- Insurers cannot miss the opportunity that cyber policies represent. In a business environment where the digital part is beginning to be worth more than the analog part, declining to cover that risk through a policy means forgoing a relevant business line in the short term and a leading position in the insurance sector in the medium term.
- Insurers must shield their cyber policy offer from the business risk of covering the damage a cyberattack causes to an organization. The proliferation of cyberattacks, the large and heterogeneous damage they cause, and the difficulty of assessing an organization's cybersecurity status in order to calculate the coverage and price of its cyber policy mean that cyber policies must be designed with a high degree of security to prevent them from becoming a risky product for insurers.
According to IBM’s Rising Costs of Data Breaches Report, data breach costs increased by 13% from 2020 to 2022. This cost will continue to grow in proportion to the growing sophistication of cyberattacks.
In addition, the damage caused by a cyberattack is heterogeneous, and its probability and scope are difficult to quantify.
For this reason, rigorous and continuous assessment of the risk of a cyber policy becomes the key element in achieving the product’s profitability.
The role of the CISO in assessing the risk of cyber policies
Traditionally, the work of an insurance company’s CISO has had the same scope as that of colleagues in other sectors: ultimate responsibility for the management and supervision of the company’s information security, the design of the corporate cybersecurity strategy, and the confidentiality, integrity, and availability of the insurer’s systems and data.
However, with the advent of cyber policies, the scope of responsibility for an insurer’s CISO has expanded to the product. In the context of cyber policies, the CISO plays a critical role in assessing the risks to which the organization that wishes to take out the cyber policy is exposed and in determining the appropriate coverage and price.
The CISO’s experience and know-how are critical to designing a correct strategy for assessing the risk of a cyber policy. Their understanding of cyber threats and vulnerabilities, as well as security best practices and cybersecurity solutions, allows for the implementation of a more accurate assessment of the client’s risks and an appropriate selection of the coverage that the insurance company can offer. It is the CISO who must establish the guidelines to evaluate cybersecurity strategies, the questions that must be asked, and the tests that must be carried out. Also, the CISO proposes the scoring and its relationship with the clauses that can be included in a cyber policy to cover the product risk in all cases.
Fronts to be considered by an insurance company’s CISO
There are two main fronts that the CISO of an insurance company must take into account when establishing the risk assessment strategy for cyber policies:
- Obtaining objective data on the cybersecurity status of the organization to be insured at the time the policy is taken out.
- Obtaining objective data on the insured organization’s cybersecurity status throughout the period of cyber policy coverage.
The reliability and objectivity of the data will depend on the solutions and processes the CISO chooses to obtain it, and therefore so will the effectiveness of the cyber policy risk assessment strategy the CISO has designed.
Solutions for the risk assessment of a cyber policy
The first step in identifying solutions and processes is to establish, in coordination with the product team, the insurance company's specific objectives for the risk assessment of the cyber policy. This involves conveying the types of digital assets that need to be protected, the associated digital risks, and the relevant security standards and regulations. On that basis, the CISO can determine the risk assessment solutions that best fit the specific needs and characteristics of the insurance company.
There are several solutions available for assessing cyber risk:
- Vulnerability assessments: These solutions identify and assess vulnerabilities in an organization’s systems and networks. They can scan and analyze the technology infrastructure for weaknesses that could be exploited in a cyberattack. As they are intrusive, they need the client’s permission, which makes it difficult to keep running them for the entire term of the cyber policy.
- Penetration testing: These tests simulate real cyberattacks to identify security gaps. Security experts attempt to exploit discovered vulnerabilities to assess the effectiveness of existing defenses and determine potential attack vectors. They are intrusive, so they need the client’s permission to be carried out, which complicates the valuation process, especially in terms of time.
- Risk analysis: These studies make it possible to evaluate and quantify the risks associated with the insured company’s digital assets. Usually, the data they rely on is provided by the client through questionnaires, so it lacks the reliability and objectivity sought. This generally leads to an inaccurate assessment of the risks.
- Compliance assessments: These certifications help the insurance company verify whether the company under study complies with applicable security regulations and standards. They show the state of cybersecurity only at specific moments: when the certificate was obtained and when it was renewed.
- Continuous real-time monitoring of the organization’s external perimeter: Next-generation AI-based XTI Cyber Intelligence solutions allow an organization’s vulnerabilities to be monitored in its external perimeter in a non-intrusive way, without the need for the customer to give any permission. With them, the insurance company obtains objective and reliable data on the customer’s breaches and vulnerabilities when taking out the cyber policy and, also and very importantly, throughout the contract and coverage.
Final steps of the risk assessment strategy
Once the solutions and risk assessment processes for a cyber policy have been implemented, the last step in closing the design of the cyber policy valuation strategy also belongs to the CISO. At this point, the CISO establishes the guide for interpreting and analyzing the results obtained by the underwriting teams in charge of determining the conditions of the cyber policy. In addition, the CISO provides recommendations on the control measures that are necessary and enforceable for the insured in order to maintain the contracted conditions, mitigate risks, and improve the insurance company’s security posture.
From then on, the insurance company's underwriting teams will have the appropriate tools and processes to assess the risk of cyber policies rigorously.
If you need more information and want to know how the XTI Cyber Intelligence of External Threats can reinforce the risk assessment procedure of a cyber policy, you can download our brochure for Insurance Companies or our Whitepaper about Third-Party Risk Assessment.