15 Days of Cyber Insurance: Probability times impact
The Council of Insurance Agents and Brokers recently released the results of its second semi-annual Cyber Insurance Market Watch survey. 56 member firms answered questions about the cyber insurance market and their clients’ decisions and habits. The results indicate that the cyber insurance market is growing; of clients who purchased cyber insurance in the last 6 months, about a third of them purchased it for the first time. Of those who renewed, about a third increased their level of coverage, and none decreased it. Still, though, only a quarter of clients carry cyber insurance. Half of respondents indicated that rates for cyber insurance policies had stayed the same over the past six months, but almost 90% thought insurance companies are unable to fully quantify cyber risk. Some cited the limited data available on previous events and case law when explaining why the market is still not mature.
Estimating cyber risk involves estimating the value of any cyber assets and business processes that could be affected by cyber attack, and estimating the likelihood of attack. One of those — estimating the value of assets — is substantially easier, because those assets are likely already partially valued by your business. Some assets, like health records, are subject to additional fines if lost, so a true calculation of their value will have to include those potential losses, but revenue obtained through a website, the cost of operating a data center, or the value of customer data are likely known to a business. The value of reputation can be estimated by a benchmark percentage of market value. How, then, to evaluate the probability of a breach?
Empirical data, such as that collected by the center for risk and reliability at the University of Maryland can give an idea of the types and frequency of attacks bouncing around the web at any given time. The World Economic Forum has also worked to quantify and model cyber threats based on categories of threats and vulnerabilities, and aggregated data. Monte Carlo simulations are run to get a sense of the variability in outcomes, and behavioral modeling is used to stress the importance of human vulnerabilities in cybersecurity. The resulting model is admirably thorough, but some inputs, like the number of unpatched vulnerabilities, are by definition unknowable. If we’d known Heartbleed was an unpatched vulnerability before it became a problem…it would never have become a problem. Testing can reveal some useful statistics; the number of vulnerabilities discovered per test can give an organization a sense of how often vulnerabilities are added to their system, or how many might be present in the entire system if only a portion of it was tested.
One option to estimate the number and type of threats facing your business is setting up a honeypot. A honeypot is a site or data trove that appears to be a valuable part of a business’s network, but is actually a standalone trap designed to monitor and report on attackers. Knowing that many attacks go undetected for months, honeypots can also work to mitigate intruders’ ability to stay on a network, by sending a warning when they are accessed that allows networks to go into lockdown mode while determining where they have been infiltrated. A honeypot that looks and behaves realistically is a valuable tool that serves as a canary for sites expecting to be attacked but unsure where those attackers will strike.
Red-teaming, and particularly employing an external and sophisticated group to perform a penetration test, can provide insight into vulnerabilities that can be fixed, and give a good estimation of how long it takes to identify a certain number of vulnerabilities, and how vulnerable a system is. A red team tasked with testing the vulnerability of your house to break-ins will observe your current security system, attempt to obtain a copy of your key through social engineering or surveillance, note how many breakable windows you have and the responsiveness of your neighbors or local police, and how often your home is left unattended when you’re at work or at vacation. They’ll try easy strategies like jiggling doorknobs, and difficult strategies like calling your landlord and pretending to be a housesitter who locked himself out. Analogous strategies will be employed by remote and on-site penetration testers.
At this stage of maturity of the cyber insurance market, almost all research provides valuable and formerly unknown information. For example, while the common perception of a cyber threat is an external hacker — possibly wearing a balaclava while typing menacingly—the majority of cyber insurance claims are the result of insider activity, either as a result of mistakes, losing equipment, or leaking data. Security research helps build complex, sophisticated products like honeypot networks, but it also addresses basic questions like, how many hackers are active globally? The more data we have about past cyber attacks, responses and litigation to those breaches, and the state of current security, the better our ability to quantify cyber risk.