By Jonathan Fairtlough, Managing Director, Cybersecurity and Investigations, Kroll –
As the daily news cycle churns out story after story, media outlets and the entertainment industry remain squarely in the crosshairs for hackers. Story lines are leaked only to result in a more dangerous kind of spoiler alert: Instead of the early peek at a character’s demise or the premature revelation of the identity of a suspect, these alerts spoil the confidential nature of digital assets, network security, and personally identifiable information of employees and subscribers. As the battles are fought on screen, Hollywood stakeholders must figure out how to build a defensible approach to their data.
The goal is to implement security steps that are relevant to the data being protected, yet customized to the workflow and risk profile of the business. Most security breaches can be limited with the implementation of good security measures, such as the use of multifactor authentication or implementing a consistent system patching process.
To identify the measures most relevant to each organization, it is critical to get an assessment of the company. This assessment is not a simple technical audit checklist – it is an examination of how the company protects, stores and uses critical data from the perspective of a cyber attacker. It seeks to build a protective approach to key data that makes security part of the way in which the company works. While no assessment of cyber risk can ever completely eliminate the potential of a breach, it can ensure that a company can detect issues early, respond effectively and mitigate any harm.
Assessment process: Cyber insurance’s sidekick
The assessment process offers a sneak peek into enterprise-wide vulnerabilities and affords an organization the opportunity to take immediate action to protect valuable assets, such as pre-release content, the Holy Grail in the entertainment industry. In addition to taking inventory of organizational readiness, cyber assessments provide critical analysis for cyber insurance. For a cyber insurance policy to be issued, an underwriting application must be completed. Underwriting questions can be answered with data from cyber assessments to ensure that coverage matches risk.
While there are numerous insurance companies underwriting cyber insurance, the policies do vary considerably. However, the common theme is that usually these policies cover most of the modern threats, including but not limited to insider threat, network intrusions, data leakage or loss, ransomware attacks, and virus and malware infestation.
Cyber insurance provides another unique advantage. As part of the product offering, insurance companies are vetting the cyber experts that can respond to the modern threats. The purchase of a cyber policy can lead companies to experts, such as Kroll, they may not otherwise know about or have access to, and can even provide discounts via the insurance company relationship. Cyber insurance is a bespoke product that offers proactive and reactive remedies dictated by the critical security controls instead of just financial reimbursement.
While underwriting, by definition, is the assessment of risk, cyber underwriters do not have the benefit of the same actuarial data that other lines of insurance have relied upon for decades. The automobile insurance risk formula, for example, focuses on the age of the driver and the number of years of driving experience. Cyber insurance often focuses on factors such as security policies in place—including VPN usage, authentication methods and implementation of the top 20 critical security controls.
Both underwriters and organizations trying to procure cyber insurance will be well served to assess risk in a practical manner and expand upon the answers from underwriting applications. In addition to asking traditional underwriting questions such as size of revenue, sectors, and number of employees, underwriters ask questions related to critical security controls.
The combination of targeted questions and risk assessments drives more accurate underwriting, develops coverage that is more adequate and provides more appropriate pricing. An assessment also ensures that an entity's answers are accurate, ensuring the long-term validity of the policy.
Risk assessments: Casting heroic characters
Historically, cybersecurity was defensive in nature, focused on how to respond to attacks already underway. Today, risk assessments provide organizations with an understanding of potential cyber threats they may encounter, with an advanced model designed to prevent or mitigate attacks before they happen. An organization needs the information gathered from these assessments to defend against potential threats and put an offensive plan in place.
Awareness of the malicious activity and motivations driving those activities can help mitigate potentially catastrophic events.
The convergence of underwriting applications and risk assessments necessitates the building of a tactical team to prepare for this battle. The stakeholders that need to participate include the IT team, general counsel, risk managers, HR, marketing, CFO, insurance underwriters, brokers, cyber experts and outside counsel. The insurance underwriting process may trigger the fulfillment of these roles.
As a result, we are witnessing a paradigm shift in the way that organizations factor insurance premiums into their balance sheets. Instead of insurance being viewed merely as an operating expense, cyber insurance is taking its position next to cybersecurity in the investment column, which is consistent with investments in other types of corporate preparedness such as training or the addition of new technology.
Risk assessments are conducted in several ways depending on the scope of the assessment. For example, they may be written questionnaires, interviews, the deployment of monitoring tools or day-long tabletop exercises. The development of actionable intelligence from the dark web might also constitute a proactive assessment.
Assessment results may be used for various purposes and defensible actions. If utilized by a company, the wealth of information could assist in a multitude of proactive defense mechanisms to thwart malicious cyberattacks. If used by an underwriter, the results can be factored into crafting an appropriate coverage program.
Cyber insurance is maturing rapidly and can benefit the information security community if the insurance companies and clients work collaboratively. If a cyber insurance company were to require a risk assessment prior to binding a policy, risk assessment results could be delivered into usable formats for underwriters and should be reliable data points.
The more the insurance companies gain knowledge of the status of the cyber security of their clients, the more likely those policies can be further customized to organizations. Leveraging these benefits can give policy holders not only better security, but also premiums that reflect their true potential risks. As companies are assessed, the process may identify potential risks or vulnerabilities of which they may have been unaware, allowing management to invest in necessary security changes before the threat materializes.
Once the preview is over, the audience has the option to watch the entire production. In our analogy, the preview may serve to re-write the script and the production may never come to fruition. A risk assessment may alert the writers that the plot has changed and there is no longer a role for a hacker.