As the volume and value of customer and corporate data increases, attackers are more determined than ever. This data has value attached to it, which can be insured, much like any asset would be. However, it can be more difficult to assess the value of digital assets, and more importantly, it is much more difficult to assess the risk that the storage and use of digital assets represents to an organization.This uncertainty in risk transfers to the insurance carrier because of the difficulty in calculating.
There are established methods for assessing the security posture of any information infrastructure, for example, penetration testing. While penetration testing does offer insight into an organization’s security technology, at best this can be no more than a point-in-time “snapshot.” The problem is that insurance carriers typically do not have the appropriate quantity and quality of data regarding the security posture of organizations that require cyberinsurance. This makes the setting of insurance premiums more art than science. And this in turn makes insurance carriers hesitant to write very large policies for individual customers.
Target’s maximum potential liability for the breach that occurred last year is potentially in excess of US$1 billion, yet its insurance policies totaled US$100 million. There are serious inefficiencies with respect to both the level of coverage and the pricing of coverage. Some customers are no doubt paying too much, while for other customers, insurance companies are charging too little; there is exposure and guesswork on both sides.
Ongoing, dynamic penetration testing would more accurately establish an enterprise’s security posture. Data from many different sources could then be used by insurers to write accurate, fair policies, and the real risk for an enterprise could be insured against.
One solution would be to have a risk level agreement (RLA) whereby a customer would commit to a given security risk threshold (a measure of its real threat exposure) and in return receive premium benefits. This would benefit both the insured and the insurer as there would be less risk for the policy issuer and therefore a lower likelihood of claims, and the insured would be rewarded with a lower premium.
For more on this subject, download the Analyst Brief by Andrew Braunberg, Mike Spanbauer, and Bob Walder: Ensuring and Insuring Cyber Resiliency.