Insurance is the refuge we seek when wanting to transfer value at risk. Over the years, the insurance industry has held steady, accepting conventional or extraordinarily non-conventional risks, successfully facing challenges of settling large or small claims and ferreting out fraud and scams.
After the wealth of experiences over the decades, one would imagine the insurance industry would be well equipped to measure cost of risk in all situations. Except that no one was expecting virtual life and things in a virtual space to step out of science fiction into the realm of reality, which is what has happened over the past two decades. The advent of the Internet has changed life as we know it. While the definition of risk may remain the same, its perception and presence have changed.
Moving from insuring in the tangible world to the virtual is not easy. But the nascent cyber-insurance domain has demonstrated some successes. Its short history has been choppy, according to reports, industry leaders and analysts. It is a product still waiting to be accepted by individuals and enterprises, and progress has been slow. I feel this is due to the slow pace of movement in insurance circles, as the experts take time to understand the risk, reward and implications of selling cyber-insurance.
Cyber-insurance has inbuilt quirks that must be addressed by the insurer and the insured, so that the domain matures without the baggage of mistrust and acrimonious litigation. The risk of such an outcome is high since all these quirks are in the realm of individual perception. For example, an enterprise may consider itself secure, having all the controls in place, but they may not pass an audit directed by the insurer, who may find numerous exclusions in their insurance cover. Conversely, the insurer may not be qualified to conduct an audit while selling the cover, or while examining a claim.
Let's take a look at some ground rules and realities when buying or selling cyber-insurance.
For the Insurer
The insurer has a challenge in hand, as it is necessary to ascertain the level of protection the enterprise has actually put in place. Being certified to an industry standard or being compliant with an industry framework is no assurance that adequate protection of assets is in place. Neither can one claim to be secure merely because one has "air-gapped" networks or deployed the crème-de-la-crème of firewalls, IDS/IPS/UTMs worth millions.
To begin with, insurers must establish their own security benchmarks because the existing ones will just not suffice. Personally, I believe that, in time, the benchmarks and framework set by insurance companies may become the gold standard. The need is standardization of the ISMS and the control diligence that goes with it. Present standards are not prescriptive, and control effectiveness (or design) is adjudged by the implementer and then certified. Standards such as ISO 27001 provide guidance, and that is where their responsibility ends; this is not going to be sufficient for an insurer to place a million-dollar bet.
The solution will be in the design of a new framework drawing on the strengths of standards / frameworks / regulations like ISO27001, PCI, NIST, HIPAA, SSAE16, FISMA, etc. The solution has to prescribe a standard method for compliance, priority and periodicity of audit and testing. Insurers will have to ensure the inclusion of awareness, maturity assessments and more.
While this may take care of addressing a quantum of risk at the time of issuing the cover, the insurer will also have to seek guidance to define internal practices and create skills for evaluation of claims, mid-term assessments and training (internal and external). The insurers will have to cater for the dynamic nature of the cybersecurity landscape, where the "experts" age by a decade every 365 days.
For the Insured
At the other end of the spectrum are the insured, who seek to transfer risk. A few good-to-remember pointers: first and foremost, enable automation of the security management, audit and risk management functions in the organization. This will give internal visibility into the maturity and control of the ISMS and allow effective management in all areas. The insured must remember that an ISO certification alone cannot justifiably demonstrate that the business environment is well protected.
In the unfortunate event of a claim, the insured will have to demonstrate that everything was done to keep the information systems secure. Alas, any CISO or C-Level manager or IS professional knows this is easier said than done. Information security management is a qualitative domain, and it is one auditor's understanding against another's. A certification body may have awarded the certificate, but will the other body accept that same audit report in toto?
As mentioned earlier, cyber-insurance is as yet a nascent practice and has to be approached carefully by both parties. Experiences in the western world have already burned insurers such as Lloyds, and we have also heard of re-insurers advising caution or capping their exposure in cyber-insurance.
All said, cyber-insurance is here to stay, and a solution will soon have to be found, whether by way of a new standard or framework, accredited GRC management systems, periodic audits by insurers, accredited auditors or more. It will also need a re-look at risk assessment and valuation, given the inclusion of intangible assets, cross-border issues, multiple regulatory liabilities, lack of definitive evidence, etc. These are issues that plague the information security domain and will surely be a bugbear for the insurance industry's foray into cyberspace as well.
Bareja is a practising information security professional working in enterprise security strategy. He follows industry trends, taking a common sense and practical look to issues, and is passionate about InfoSec and its real-world challenges. He recently conducted a survey on cyber-insurance in India.