Cyber insurance and the need for standardisation
March 2022 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2022 Issue
Humans and dogs have co-existed for centuries despite speaking very different languages. Sure, a dog can be taught to sit or stay, and humans can learn when their furry friends need to go outside. But for the most part, the two species have learned to thrive despite their language barrier, communicating as needed to become housemates – and sometimes even best friends.
In many ways, cyber security professionals and insurance companies are different species as well. Cyber experts do not always understand insurance lingo, or the world that insurers operate in. Insurance carriers, meanwhile, do not generally speak the language of cyber specialists. Yes, each side has picked up some of the other’s terminology over the years. But neither side is an expert in the other’s world.
Somehow, though, the two groups have co-existed for decades. Communication takes place, claims are filed and, of course, money changes hands. But are the cyber professionals and insurance underwriters truly thriving? Is this the best they can do?
Cyber insurance: where are we today?
The cyber insurance industry historically has operated in simpler situations. What started as insurance to protect against the loss of personal information has evolved into writing risk for entire enterprise IT environments.
These days, a business begins by filling out a form with a long list of questions, many of which are often closed questions, or outdated. Insurance companies review the answers, determine a risk score and decide whether and to what degree the business is insurable.
In recent years, the cyber risk game has changed significantly, and the pandemic has not helped matters. Simple questions such as “Have you had a cyber incident?” are no longer sufficient. There are follow-up questions that should be asked, and in some cases, many levels of follow-up questions. Deeper questions are warranted and should be included when assessing cyber risk. For instance, what are all the systems and assets you are trying to protect and insure? And what is the value of those assets and what purpose do they serve?
Once the profile of the systems and assets is understood, more detailed questions should be asked to dig deeper into how the organisation is securing them, and whether those protections are appropriate. For example, what defences – such as antivirus, log file monitoring and traffic analysis – does the business have in place to protect its systems? Are the systems up to date with the latest security patches? And what types of security training are provided to the users and administrators of those systems?
The goal is to understand how the organisation’s current information security programme and control environment mitigate the risks associated with those systems.
This type of purposeful multilayered questioning is a key part of pre-risk analyses for organisations that are looking – and oftentimes struggling – to obtain or renew their cyber insurance. It is important to dig deep into the concerns of insurance companies, as well as the realities of a business’s specific situation, so that they may determine how they can address the insurers’ concerns and acquire the level of insurance they require.
Basic forms simply do not get the job done anymore. Cyber security is not a simple concept, and the assessment of it should not pretend otherwise. This is not the 1990s, when cyber was an IT issue that got examined in depth once a year. Cyber is no longer part of the business. Cyber is the business, and the cyber insurance evaluation process needs to reflect every bit of that.
While organisations need to ensure they have the proper cyber coverage in place with a streamlined process to getting the necessary cyber insurance, they also must work closely with insurance companies themselves. In turn, insurance companies need to understand an organisation’s strengths and weaknesses, so that they can help it address the key risks it faces.
What are the issues at play?
From a risk assessment standpoint, the insurance industry lacks a universal standard to assess risk across the varying profiles of the companies it insures around the globe. Naturally, every company has a different view of risk, and risk thresholds run the entire gamut. Yet, while that is widely accepted, the way cyber insurance policies are written does not consistently reflect it.
In addition, companies cannot universally agree on one risk evaluation organisation, as everyone has their own approaches to assessing risk. On the surface, it is fine for people to have their own opinions, and it may sound great for companies to use their own frameworks. However, standardisation is needed to get insurers and insureds on the same page to simplify the process, to level the playing field, and to create one universal risk rating system.
The bottom line is that no one framework is perfect, and even if an organisation meets the requirements of the framework, bad things can still happen. We have seen successful attacks against powerful corporations, small businesses, even businesses with best-in-class security programmes. There is always going to be some level of risk. The current problem is that the way to assess and underwrite the risks is not consistent – and that creates headaches for both the insurers and the insured.
Where do we go from here?
Simply put, there needs to be standardisation. Best practice would be a universal framework and language for assessing cyber risk and underwriting cyber policies. The key is to ensure that insurers and insureds are speaking the same language.
There are many great frameworks and companies that provide inputs into this process. For example, the HITRUST Alliance provides a unified security framework that merges and consolidates many common frameworks used by organisations, such as NIST 800-53 and the Health Insurance Portability and Accountability Act (HIPAA). There are also companies that use data-driven approaches to evaluate a company’s cyber posture and offer an indicator of associated risk. However, these companies are not consistently used.
No matter how you look at it, this process brings together audiences who each come from a unique environment, set of experiences and perspectives that do not readily align or translate. Insurance underwriters are often not technology people who understand the ins and outs of the technology side. In turn, IT folks frequently do not fully understand the nuances of the insurance underwriting process. And let us not forget that the involvement of brokers, lawyers and technical experts can add a layer of complication as well.
The process of standardising would not be simple or easy, but it is clear that existing methods can be greatly improved, including refining underwriting forms to better collect relevant data to assess risk.
A standardised measurement of risk, with universal scoring, through a holistic approach, is where the industry ideally needs to head in order to advance. All parties would benefit from an industry standard that uses available data to produce consistent results that everyone will understand as they negotiate insurance policies.
That is where we should desire to be, as an industry. Of course, we also have to accept that it is going to take a lot of change to get there. It could take years. In any case, we need to create a standardised system that unites insurers, insureds and experts – a language that everyone speaks and everyone understands. A system that saves everybody time, energy and money.
Because in the end, we all want the same thing.
Bernard Regan is a forensic technology principal and Christopher Tait is an information technology principal at Baker Tilly. Mr Regan can be contacted on +44 (0)20 7065 7937 or by email: bernard.regan@bakertilly.com. Mr Tait can be contacted on +1 (414) 777 5515 or by email: christopher.tait@bakertilly.com.
© Financier Worldwide
BY
Bernard Regan and Christopher Tait
Baker Tilly