February 1, 2023
Don’t be fearful of risks. Understand them, and manage and minimize them to an acceptable level.
– Navid Abdali
Risks are a byproduct of an organization’s business strategy. Every decision carries some degree of risk (and/or reward). Cyber risk is no different. Organizations can select appropriate risk management strategies to control their exposure to cyber risk. This can take the form of risk reduction (investing in improved security controls, processes, and training), risk transfer (selecting a suitable cyber insurance policy), or simply risk acceptance. In reality, it is likely to be a combination of all three.
In this blog we briefly discuss the state of the cyber insurance market, the role played by cyber insurance as a key component of the overall risk management strategy, and how organizations can leverage the investments made in their security posture to appear as a ‘good risk’ to an insurer or broker. This in turn would result in procuring competitive premium rates and appropriate coverage of risks.
Cyber risk is still a relatively new risk for insurers. Technological advancement, complex and interdependent digital ecosystems, rising geopolitical tensions, and the constantly evolving tactics and techniques used by cyber adversaries all contribute to the evolving and evasive nature of this risk. In this context, cyber insurance has become a key challenge for organizations of all types, with difficult market conditions making it harder to secure appropriate and affordable coverage. There are a number of reasons for this:
The insurance industry has responded to these challenges by increasing premiums, introducing more stringent underwriting and policy terms, and reducing capacity. In acute cases, coverage has become prohibitively expensive. Most organizations are faced with increased premiums, though there are signs emerging that rates are potentially stabilizing.
Cyber insurance purchasing decisions are now a Board level conversation. Increased premium rates and restrictive coverage have prompted senior management and Boards to reconsider the role and value of cyber insurance. It is increasingly viewed as a ‘backstop’ which can provide cover in an extreme event, and is in place alongside (and not instead of) other cyber risk reduction and management initiatives.
In a number of cases, organizations are now assessing whether self-insurance (or risk retention) is the preferred way forward given the significant increase in premiums being quoted. They are now comparing the ROI of various security investments (including insurance) and considering the optimal solution given their individual risk appetite. If an organization does decide to go down the route of risk retention via self-insurance, cybersecurity posture management becomes extremely important.
To make an informed decision on the level, type, and appropriateness of cyber insurance for the organization, Boards are now asking:
To answer this question, the organization has to perform a cyber risk quantification (CRQ) exercise. CRQ enables the organization to understand the likelihood and impact of a cyber-attack. If done properly, it decomposes the loss into key drivers that will allow an organization to select a tailored cover that reflects its risk profile and appetite.
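As an added illustration of what a CRQ exercise decomposes (this is a generic, simplified model written for this article, not Balbix's calculation and not code from the original post): each asset carries an annual likelihood of compromise, an impact broken into loss drivers, and the controls already in place; the annualized loss expectancy (ALE) is likelihood times impact, rolled up by business unit, by loss driver and to the enterprise, and the value of a candidate control is the ALE it would remove. All asset names, probabilities, loss figures and control reduction factors are constructed sample values.

```python
from dataclasses import dataclass, field
from collections import defaultdict


@dataclass
class Asset:
    """One asset in the CRQ model. All fields are illustrative assumptions."""
    name: str
    business_unit: str
    base_likelihood: float                 # annual P(compromise) with no controls
    loss_drivers: dict                     # driver name -> loss in currency units
    controls: dict = field(default_factory=dict)   # control -> likelihood reduction (0..1)

    def likelihood(self) -> float:
        # Each control independently reduces the annual likelihood of compromise.
        p = self.base_likelihood
        for reduction in self.controls.values():
            p *= 1.0 - reduction
        return p

    def impact(self) -> float:
        # Total single-event loss is the sum of its decomposed drivers.
        return sum(self.loss_drivers.values())

    def ale(self) -> float:
        # Annualized loss expectancy: a single-point estimate (real CRQ work
        # would use loss distributions, but the decomposition is the same).
        return self.likelihood() * self.impact()


def enterprise_ale(assets):
    return sum(a.ale() for a in assets)


def ale_by_unit(assets):
    """Roll ALE up to business units, the level at which cover is usually bought."""
    totals = defaultdict(float)
    for a in assets:
        totals[a.business_unit] += a.ale()
    return dict(totals)


def expected_loss_by_driver(assets):
    """Expected annual loss per driver; maps directly onto policy sub-limits."""
    totals = defaultdict(float)
    for a in assets:
        for driver, loss in a.loss_drivers.items():
            totals[driver] += a.likelihood() * loss
    return dict(totals)


def rank_assets(assets):
    """Assets ordered by ALE, i.e. where remediation effort pays off first."""
    return [a.name for a in sorted(assets, key=lambda a: a.ale(), reverse=True)]


def control_value(assets, control, reduction):
    """ALE removed if `control` were deployed on every asset that lacks it."""
    saved = 0.0
    for a in assets:
        if control in a.controls:
            continue
        with_control = Asset(a.name, a.business_unit, a.base_likelihood,
                             a.loss_drivers, {**a.controls, control: reduction})
        saved += a.ale() - with_control.ale()
    return saved


# Constructed sample estate (not real data).
SAMPLE_ASSETS = [
    Asset("erp-db", "finance", 0.30,
          {"business_interruption": 500_000, "data_breach_response": 200_000,
           "regulatory": 100_000},
          {"mfa": 0.5}),
    Asset("web-portal", "sales", 0.40,
          {"business_interruption": 150_000, "data_breach_response": 50_000}),
    Asset("hr-share", "hr", 0.20,
          {"data_breach_response": 100_000, "regulatory": 50_000},
          {"mfa": 0.5, "segmentation": 0.3}),
]

if __name__ == "__main__":
    print("enterprise ALE:", enterprise_ale(SAMPLE_ASSETS))
    print("by unit:", ale_by_unit(SAMPLE_ASSETS))
    print("by driver:", expected_loss_by_driver(SAMPLE_ASSETS))
    print("remediation order:", rank_assets(SAMPLE_ASSETS))
    print("value of segmentation everywhere:",
          control_value(SAMPLE_ASSETS, "segmentation", 0.3))
```

The per-driver figures are the ones to compare against proposed sub-limits and deductibles, and the control-value figure is what lets a security investment be weighed against a premium on the same scale.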
The Balbix advantage: The CRQ exercise should ideally be an asset-centric exercise that takes into consideration the cybersecurity, IT, and business context of the assets and therefore reflects the organization’s cybersecurity posture. The focus on asset-centric risk assessment is crucial as it would enable the organization to estimate the risk stemming from mission-critical assets or applications which in turn would lead to a targeted insurance purchasing decision. Balbix has a multi-pronged asset-level risk calculation that considers various factors to ensure that the calculation is in line with real-world expectations and is defensible. The image below provides details of the risk calculation:
Insurers have significantly tightened their underwriting requirements in light of adverse claims experience over the last few years. In particular, there is now greater emphasis on demonstrating awareness of key risks within the business and on evidence of how controls have been implemented within the organization. Typically, the underwriting process will vet whether minimum cyber hygiene is in place and operating effectively. This covers evidence that controls such as multi-factor authentication (MFA), network segmentation, robust management of End of Life (EOL) systems and patch management processes, employee training, and BCP/Disaster Recovery plans are in place.
The Balbix advantage: A customer using Balbix has access to a real-time view of their risk. In particular, key risk issues such as software vulnerabilities and misconfigurations are flagged in near real-time along with prioritized risk remediation recommendations. Balbix not only tells you what the risk issue is, and how relevant and critical it is to your organization, but importantly, what you can do to mitigate these issues. The level of detail surfaced can be at an asset level, a group of assets representing an application or business unit, or at the enterprise level. These details along with trends in key metrics such as Mean-Time-To-Patch (MTTP) and Mean-Time-To-Remediate (MTTR) enable a customer to evidence complete awareness of key vulnerabilities across the entire estate and more importantly, demonstrate risk ownership to the insurance market.
Our SaaS platform, the Balbix Security Cloud, is the only solution that:
If you would like to learn more about the Balbix CRQ model and methodology and the benefits it brings to your cybersecurity posture management, please do get in touch.