As the digital economy has matured, so has the recognition that cyber risk cannot be eliminated; it must be managed. Insurance is the mechanism by which we distribute risk so that rare but catastrophic events don't ruin the unfortunate person (or company) that they happen to. Accurately pricing cyber insurance, however, is still in its infancy. Comparing the methods for assessing cyber risk to those used in property and casualty insurance points the way forward for better methodologies.
External and Internal Information
The inputs for calculating the insurability of a person or property can be broadly categorized into external and private information. Things like a person's age, marital status, gender, and location can be gathered unobtrusively and used to assign an insurance class. When writing a health or life insurance policy, though, it is common to also use the power of modern medicine to test for risk factors internal to the insured, like high blood pressure and cholesterol. For property, one would likewise use external information, like the location of the property, as well as an internal inspection to determine what hazards it might present.
Public Cyber Risk
The state of cyber risk assessment to date has focused on publicly available information. A business' size, location, and sector are public facts that can be used to model risk relative to peers. Technology products have taken this approach further by programmatically gathering externally available machine data. For example, external scans may compare a business' public IP addresses and email addresses to those that are known to be compromised. Technological solutions have improved on initial actuarial efforts, but remain limited by the scope of the publicly available data.
The Need for Internal Cyber Assessment
As in the examples of property and casualty insurance, having access to internal information can greatly improve the precision of the insurance class assigned to a policy holder. What ultimately determines the extent to which a business' IT systems can be breached is the configuration state of that system, just as the physical health of a person is what causes them to succumb to or resist illness. Demographic data is a useful proxy to correlate similarities across breaches, but it is the state of the system itself that causes it to be vulnerable or secure.
In the case of cyber risk, the complexity of the systems makes internal information even more critical. There are millions of data points within even small IT systems that can allow intrusion if misconfigured. Additionally, the relatively small data set for breaches makes external evaluations even less reliable than the analogy to property and casualty insurance would suggest. The best databases record tens of thousands of breaches, compared to the hundreds of millions of records available to actuaries working in property and casualty. The public data is too sparse and the internal data too important for cyber risk assessment to continue without internal information.
How to do Internal Cyber Assessment
As with a doctor's examination, an internal cyber risk assessment documents the complete state of the system and tests for key indicators of risk. By documenting the complete configuration state of IT systems, retrospective investigation can uncover new patterns. By testing for known risk factors, that is, the configuration items that actually allow intruders to breach systems, a more precise risk profile can be assigned to a business. The requirements for an internal assessment are the ability to efficiently gather all facts about how systems are configured and to evaluate them with an extensible battery of tests.
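The two requirements above, a stored configuration snapshot and an extensible battery of tests over it, as an added illustration that is not UpGuard's or CSTAR's code: the snapshot keys, the checks, and their weights are assumed for the example, and the hosts and their settings are constructed.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Callable

@dataclass
class Finding:
    check: str
    weight: int
    detail: str

# Extensible battery: each registered test maps a configuration snapshot to a
# description of the risk factor if present, or None if absent.
CHECKS: list[tuple[str, int, Callable[[dict], str | None]]] = []

def check(name: str, weight: int):
    def register(fn):
        CHECKS.append((name, weight, fn))
        return fn
    return register

@check("ssh-root-login", 5)
def ssh_root(s):
    return "PermitRootLogin yes" if s["ssh"].get("PermitRootLogin") == "yes" else None

@check("ssh-password-auth", 3)
def ssh_password(s):
    return "PasswordAuthentication yes" if s["ssh"].get("PasswordAuthentication") == "yes" else None

@check("unpatched", 4)
def unpatched(s):
    n = s["os"].get("pending_security_updates", 0)
    return f"{n} pending security updates" if n > 10 else None

@check("no-mfa", 4)
def no_mfa(s):
    return "MFA not enforced" if not s["accounts"].get("mfa_enforced") else None

def assess(snapshot: dict) -> tuple[list[Finding], int]:
    """Run every registered test; score is the weighted share of factors present (0-100)."""
    findings = [Finding(n, w, d) for n, w, fn in CHECKS if (d := fn(snapshot))]
    score = round(100 * sum(f.weight for f in findings) / sum(w for _, w, _ in CHECKS))
    return findings, score

def factor_prevalence(snapshots: list[dict]) -> Counter:
    """Retrospective view over stored snapshots: how often each factor recurs."""
    return Counter(f.check for s in snapshots for f in assess(s)[0])

# Constructed snapshots for two hypothetical hosts (assumed key names, not a real collector format).
SNAPSHOTS = [
    {"host": "app-01", "ssh": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
     "os": {"pending_security_updates": 14}, "accounts": {"mfa_enforced": False}},
    {"host": "app-02", "ssh": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
     "os": {"pending_security_updates": 0}, "accounts": {"mfa_enforced": True}},
]
```

Adding a new risk factor is one more decorated function; the stored snapshots can then be re-scored against it without re-collecting anything.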
The Benefits of Internal Cyber Risk Assessment
Improving the accuracy of cyber risk assessment has the same beneficial effects as in other branches of insurance. First, premiums more closely reflect the risk a policy holder presents to the insurer, making the system fairer. Second, attributing risk factors to elements within the policy holder's control, like IT systems, rather than to immutable factors like industry sector, provides a path to improving the risk profile. Third, companies that might have appeared too risky to acquire cyber insurance under models based on external data will be able to demonstrate that they present a lower risk than their peers.
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.