Overspending On Cyber Insurance? Leverage Cyber Risk Quantification To Assess Coverage

By Yakir Golan, CEO of Kovrr. Looking to bring cyber risk quantification solutions to global enterprises.

When you purchase auto insurance, both you and the insurer conduct an analysis of each other. The insurer checks out your driving history, the car model (what safety features it has) and where you store and drive your car. Meanwhile, you’re deciding how much coverage to purchase. For example, do you really need a low excess, legal expenses cover and breakdown cover?

The same principles apply when an enterprise decides to purchase or renew its cyber insurance. But how do you know exactly how much risk to transfer? What are the best methods for effective quantitative analysis in cyber insurance investment decisions? You can either guess or base your decisions on actual data by utilizing cyber risk quantification (CRQ). (Full disclosure: My company offers these solutions to global enterprises.)

What Does Cyber Insurance Cover?

Some policy providers of traditional property insurance and commercial general liability insurance have started to specifically exclude cyber risks in their terms and to write back the elements that they intend to cover (in some cases, none). For this reason, cybersecurity insurance has emerged as an à la carte coverage option intended to limit and reduce losses ranging from network damage to data breaches and beyond. It offers protection against a broad range of losses related to cyber incidents that businesses can cause to others or suffer themselves, such as:

• Destruction or theft of data

• Extortion/ransom demands 

• Distributed denial-of-service (DDoS) attacks

• Legal cases (fraud, defamation, privacy violations, etc.)

• Regulatory and privacy compliance penalties

Some of the more common cyber insurance claims are triggered by ransomware, fund-transfer fraud attacks and business email compromise scams. 

The Cyber Insurance Decision-Making Process  

How can CFOs make informed decisions about cyber risk transfer and risk acceptance? In the past, financial CRQ was a long, painstaking process. Lengthy workshops, complicated questionnaires and interviews were the only way to reach a conclusion. 

Even with this rigor, any insight gained was not always based on quantifiable threat data. Also, once the evaluation process was completed, it immediately began to lose its validity. If there’s one thing today’s threat landscape has shown us, it’s that nefarious tactics evolve rapidly in scope and sophistication.

As time goes on, a company’s intrinsic security profile changes along with its relationship to the threat environment. So where do you get clear risk transfer insights? 

The Two Sides Of Cyber Threat Evaluation

Just like auto insurance, the vetting process considers two sides. On one hand, the car itself is evaluated. Does it have airbags, anti-lock brakes and evasive steering assistance? If it does, it’s safer, and this may lower the insurance premium.

The same concept applies to business security. That is, how well protected are you against an attack? How well developed are your security policies and practices? How solid are your firewalls and encryption? Do you have a data backup solution for critical data and system configurations? Have you implemented multi-factor authentication or identity and access management (IAM)? What do your software patching and update planning look like? How do you train your staff to ensure they are not the infiltration point?

It’s critical to evaluate your security readiness when making decisions about buying cyber insurance. Only a clear picture of where you stand now enables you to make the right capital management decisions. 

However, security readiness is only part of the equation. Accurately assessing whether a threat is real and potentially damaging is also critical. Are you going to buy flood insurance in the desert? Of course not. Likewise, having detailed data about current and emerging threats enables you to determine where you need more cyber insurance and where you need less. For some areas, you might not need any insurance at all if your risk acceptance level falls below a certain threshold.

Cyber Insurance And CRQ

Insurance has always been heavily dependent on data, and insurance companies go to great lengths to collect and analyze data. This way they cultivate a viable insurance business model and provide a valuable service.

CRQ aligns with this process by assessing cyber risk based on real-world data. An effective solution provides access to global threat intelligence and financial impact data based on actual cyber incidents and cyber insurance claims. 

Even better, CRQ can often provide the data on demand. This means you have the ability to assess the risk at any time, and the data reflects the current risk scenario, which evolves over time. 

CRQ Assesses The Financial Impact Of Events

Rather than speaking in vague terms about cybersecurity, CRQ provides clear insight into your financial exposure to different types of events. The assessment takes into account your organization’s security readiness, external threat actor activity and potential third-party risk factors. By applying CRQ, your organization can gain intelligence, as illustrated for the following CRQ areas:

• Security Resilience

What security controls do you have in place? How efficacious are they? Given your current status, where are your most important vulnerabilities?

Insights Gained: A company may become aware of previously undetected and significant ransomware risk. Or hidden risk may be identified stemming from a third-party service provider.

• Attack Frequency

What historical and ongoing cyber attack data is available? What new threats are emerging now?

Insights Gained: CRQ provides data surrounding how attacks unfolded in the past plus real-time current threat characteristics and probabilities. This helps identify where real risk is coming from and how it might impact your business.

• Threat Severity

Given the many potential threats, which ones place your organization at the most risk? How great is the potential damage for any given threat?

Insights Gained: Not all attacks have the same potential financial impact. CRQ categorizes threats by the level of potential financial damage, whether attritional, large or catastrophic. For example, year loss table illustrations show the potential economic impact of an event.

Clear Business Language Empowers Decision-Making

It’s not your IT team’s job to make insurance and investment decisions, even when it comes to cybersecurity. For cyber insurance-related capital management decisions, using quantitative analysis to prioritize risk is essential. The CFO needs to quickly grasp the data and its conclusions. Accurate and transparent information is critical for sound governance.

