According to the recently released 2016 Data Breach Investigations Report (DBIR) digest, produced annually by Verizon to help educate the industry, companies spent hundreds of billions of dollars last year as a result of cybersecurity incidents.
“These costs included everything from public relations and crisis management consulting, forensic investigation costs, outside legal counsel, credit monitoring, notifications, call centers and more.”
And because “cybersecurity related risks aren't covered as part of traditional insurance policies,” companies are relying more and more on cyber insurance to offset the financial risk of data breaches and outages. But how can cyber insurance carriers accurately assess the risk of your particular environment? The report states “While these requirements for coverage vary by carrier, the basic premise is that the insured must have and maintain an adequate IT security program.” But maintaining an adequate IT security program is a subjective criterion and almost certainly relies on the perspectives of individuals such as IT managers and CTOs, all of whom use different metrics to build those perspectives. Knowing something simple, like that server headers are exposed, can be the difference between uptime and disaster.
|"Last year, cybersecurity incidents cost companies hundreds of billions of dollars."||Holy shit.|
|"Cyber insurance has become more and more a factor in incident response planning."||Companies are figuring out they need to protect themselves from data breach costs and consequences.|
|"Generally, cybersecurity related risks aren't covered as part of traditional insurance policies."||What? Computers?|
|"No insurance carrier is going to blindly accept unlimited quantites of risk."||Insurance carriers use non-technical methods of assessment based on criteria such as industry and size. In many ways this is still blind to the actual risk posed by the environment.|
|"While these requirements for coverage vary by carrier, the basic premise is that the insured must have and maintain an adequate IT security program."||In 2015 there was no standard defining what adequate IT security means.|
|"Cyber insurance carriers have played an ever increasing role in driving up security awareness."||Bad security is costing them money.|
|"As this evolution continues, more insurers are adding enhanced customer benefits and/or discounts on premiums based on the insured's cybersecurity maturity."||When they figure out how to actually assess companies, insurers will adjust cost according to actual risk.|
So even though “no insurance carrier is going to blindly accept unlimited quantities of risk,” as the report states, the data currently used to assess that risk is far from precise. When talking about incidents that collectively cost hundreds of billions of dollars in the last year alone, it only makes sense to implement a more quantified, objective measurement to scope cyber insurance in a way that benefits both the carrier and the insured.
CSTAR Standardizes Cyber Risk Assessment
UpGuard’s CSTAR rating compiles the various risk factors that can lead to costly cybersecurity incidents into a single, FICO-like score. By utilizing CSTAR, a company or cyber insurance carrier can present a solid, itemized case for their relative risk of incident.
The Entire Security Footprint
Companies and insurers also need to manage the entire security footprint, which includes obvious parts like updated systems, vulnerability assessments and best practice utilization, but also less obvious things like employee satisfaction, breach history and configuration drift prevention. Employees at all levels should be educated regularly on cybersecurity as well, to reduce the likelihood of a social engineering or *ishing scam exploiting the human element to completely bypass whatever technological security has been put in place.
The CSTAR score is a single, easy-to-understand value representing an organization's aptitude in the areas of compliance, integrity, and security.
While preventative measures are important in gauging your company’s risk, so too are after-the-fact measures: response protocols, post-mortems and communication strategies, if developed in advance of an incident and regularly practiced and updated, these can help minimize the damage done by a data breach or outage and reduce the overall financial impact of the incident on the company and its customers. When cyber insurance premiums are determined by a company’s specific digital resiliency, it provides a clear cost benefit metric for maintaining “an adequate IT security program” that encompasses all of these techniques into a cohesive whole and gives CFOs and other executives a window into IT operations’ importance and business integration.
Also mentioned in the DBIR is that “In addition to monetary loss, breached companies faced other, more intangible ‘losses,’ such as business interruption, reputational damage, litigation and regulatory actions.” With such high stakes, it behooves companies to take the initiative and plan a solid, data-driven resiliency strategy before they are the ones featured as case studies in Verizon’s annual report. Fortunately, cyber insurance “may also include other benefits such as public relations support, investigative response expenses and security audits,” so having that insurance scoped correctly for your business becomes doubly important to help protect against the myriad troubles a data breach can cause.
The Future of Cybersecurity Incidents
Hundreds of billions of dollars is a lot of money. As technology continues its integration into our daily lives and businesses, we will be more and more affected by cybersecurity incidents and the policies that manage them. What trends will the 2017 Verizon DBIR show? Will companies implementing modern resiliency practices evade their share of the data breach cost? Will they have the coverage they need to handle a data breach when it happens? According to a recent article, “the symbiotic relationship of insurance and technology is needed once more.” UpGuard’s CSTAR rating will go a long way in forging that relationship by providing transparency between the complexity of IT ops and the assessment of cyber insurance by carriers.