Page 16 - Digital Edition SIRC Supplement
SPECIAL FEATURE - CYBER
Is the insurance industry keeping up with the rapidly evolving cyber risk landscape?
Messrs Shaun Wang, Mark Terris, and Bradley Schaufenbuel explain how to objectively evaluate cybersecurity risk and price cyber insurance policies more accurately in the rapidly expanding digital economy.
As the digital economy is rapidly expanding, a diminishing percentage of risk professionals and CFOs feel they have a complete understanding of cyber risk. Insurers also do not entirely understand cyber risk yet. Underwriting processes to quantify controls are not fully developed. Therefore, insurers are not effectively pricing cyber risk policies and are charging many customers similar rates without thoroughly evaluating the maturity of the underlying IT programs, which could lead to complacent cyber security processes once insurance is in place. The need for better pricing and underwriting processes for cyber insurance is heightened with the continued expansion of the digital economy.

Objective evaluation and pricing
How can insurers objectively evaluate cybersecurity risk and thus price cyber insurance policies more accurately? We, as insurance modeling, risk, and IT security experts, conducted collaborative research resulting in the following insights and observations.

There are clear relationships between an organisation's risk profile, the maturity of its cybersecurity program, and the probability that the organisation will incur losses under a cyber-insurance policy. For the most part, attackers are rational actors. The lower the payoff and the more difficult the target is to compromise, the more likely attackers are to move to an easier and more lucrative target. There are many factors that determine the susceptibility of an insured to incurring cyber losses. These factors include the industry in which they operate, the type, volume, and location of the sensitive information held, the maturity level of the information security program and the inclusion of cyber risk in an ERM program.

We cannot predict with certainty which organisations will suffer a data breach. However, we can certainly determine which organisations are more likely than others to suffer a data breach with a greater degree of accuracy than the rudimentary methods often used by cyber insurance underwriters today. This can be accomplished utilising a more sophisticated and predictive data breach risk model. By marrying the growing body of historical cyber loss data with a model for measuring inherent risk and cyber security program maturity, we can predict likely losses for individual cyber insurance applicants.

Diagram 1 illustrates the model at a high level. The inputs into this model include attributes from three primary sources. Inherent risk is determined using factors that are largely outside of the applicant's control. This includes historical data breach loss data as well as an organisational threat and vulnerability profile. The types of attributes that encompass the organisational profile include the size of the applicant (measured in number of employees, revenues, and market value), the industry the applicant operates in, the number of unique confidential records the applicant has in its possession, etc. Historical loss data is derived from databases of publicly disclosed data breaches and studies conducted by security researchers.

For example, if the applicant maintains 50,000 unique records containing personally identifiable information (PII) and we combine that with the Ponemon Institute's estimate of the cost of responding to a data breach at US$202 per record, the maximum uncontrolled exposure to the insurer in a data breach response scenario is approximately $10 million.

Diagram 1
Program assessment
Controlled or managed risk is calculated by assessing the design and effectiveness of the applicant's cyber security program and the level of inclusion in the company's ERM program. Examples include measures of security governance, resource commitment, technological safeguards, administrative controls, security awareness, and physical security controls. Instead of the brief application form on which many cyber insurers currently rely to assess managed risk, the insurer could leverage better indicators of cyber security program maturity. This information can be obtained from independent third-party audit or certification engagements and/or from a questionnaire.

Examples of independent assessments include the ISO 27001 certification, an SSAE-16 SOC-2 Type-2 audit, HITRUST Common Security Framework (CSF) certification, a PCI
14 SIRC Supplement • November 2015 • www.asiainsurancereview.com