Page 17 - Digital Edition SIRC Supplement
SPECIAL FEATURE - CYBER
Data Security Standard (DSS) or a Report on Compliance (RoC).

The review of independent assessments would be similar to those performed by sophisticated enterprises as part of their third party service provider oversight or vendor management program today. If an applicant does not possess adequate independent assurances, then a more detailed cyber security questionnaire may be used that includes questions that are statistically proven to be indicators of the efficacy of an organisation's cyber security program.

A combination of an independent assessment and a questionnaire is also an option. Instead of underwriting cyber insurance policies based on general loss history and the contents of the application, lower premiums can be quoted to applicants with above average cybersecurity programs and higher premiums can be quoted to applicants with below average cybersecurity programs. The ability to offer below market premiums to organisations that have invested in building effective cybersecurity programs will result in a competitive advantage to the insurer utilising this model – both in terms of the insurer's ability to land business as well as having a lower than industry average for losses over the life of these policies.

In the absence of existing third party audits or certifications, an insurer may wish to validate the applicant's responses to the questionnaire. They can either add the cost of validating the questionnaire to the premium or give the applicant the option of paying for third party validation. An applicant with an effective cybersecurity program may be happy to pay for the validation if it results in a reduction to the premium that exceeds the cost of the validation.

Furthermore, if insurers (or at least a few major insurers) can agree on the model that is used to assess cybersecurity risk, an entire industry may blossom for independent assessors who complete questionnaires for applications and/or validate them for insurers (or applicants). The emergence of such an industry may be similar to that which arose for Qualified Security Assessors (QSAs) after the Payment Card Industry (PCI) released its Data Security Standard (DSS) for organisations that handle payment card data.

Cybersecurity risk scoring engine

The key element of the model is the cybersecurity risk scoring engine. Each input is transformed into a quantitative value. Each value is weighted depending on its predictive efficacy. Leveraging advanced predictive analytics, an aggregate risk score is derived for the applicant. The risk score is first used to determine whether or not the applicant is insurable. Assuming that a predefined threshold for insurability is met, the risk score can then be leveraged to determine whether the applicant is quoted a higher than average premium (i.e., a risk premium is applied to the cost of insurance) or a lower than average premium (i.e., a risk discount is applied to the cost of insurance).

To monitor that an insured's cybersecurity program remains robust throughout the life of the policy, insurers may tie future premium adjustments to the results of periodic reassessments or some form of continuous audit/assessment process. The underwriting pricing process of cyber risks will continue to evolve as more data becomes available and better underlying models are developed to evaluate loss frequency and severity.

Cyber incident data is the most developed for analysis at this time. While a uniformly specific cyber incident repository does not yet exist, incident information is available through public disclosure and operational risk management loss event databases, mostly related to financial institutions. Analysis of this data can provide the foundation for a meaningful loss frequency and severity model.

Insurance claims data is another area rich with information; however, this information is just starting to be culled and organised for usefulness. Due to the lack of a standard policy form for cyber risk, and because the consequences and impacts of cyber incidents may be included in other policy cover (e.g. business interruption, liability, fraud, etc.), the timeframe to fully analyse this data will be longer.

Ultimately, through the partnership of expert IT program assessment, meaningful data analysis and model development, the insurance industry can emerge profitably while also creating a more efficient marketplace for cyber insurance cover, and influencing better overall cyber security processes.

Dr Shaun Wang is the Founder and Chairman, and Mr Mark Terris is the Managing Director of Risk Lighthouse LLC. Mr Bradley Schaufenbuel is Principal - Security Services at Schaufenbuel Advisory Services, Inc.
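The scoring engine the article describes has three stages: each questionnaire or assessment input is mapped to a quantitative value, the values are weighted by predictive efficacy and aggregated into a risk score, and that score is compared against an insurability threshold before it drives a premium surcharge or discount. The Python below is an added illustration of that pipeline; it is not Risk Lighthouse's or the authors' model. The input names, weights, threshold, portfolio average, pricing sensitivity and the three sample applicants are all constructed assumptions chosen for the example.

```python
"""Toy cybersecurity risk-scoring engine in the shape the article describes.

Added example only. The input names, weights, thresholds and applicant
answers below are constructed assumptions, not a real insurer's model.
"""
from dataclasses import dataclass

# Assumed inputs and illustrative weights standing in for "predictive efficacy".
INPUT_WEIGHTS = {
    "independent_assessment": 0.35,    # recent third-party audit held (bool)
    "patch_latency_days": 0.20,        # days to patch critical findings (lower is better)
    "mfa_coverage": 0.20,              # fraction of accounts protected by MFA
    "incident_response_tested": 0.15,  # IR plan exercised in the last year (bool)
    "backup_restore_tested": 0.10,     # restore from backup tested in the last year (bool)
}

INSURABILITY_THRESHOLD = 0.45  # assumed: scores below this are declined
AVERAGE_SCORE = 0.60           # assumed portfolio average; pricing is relative to it
PRICING_SENSITIVITY = 0.8      # assumed premium change per unit of score deviation


def normalise(name: str, raw) -> float:
    """Transform one raw answer into a value in [0, 1]; 1 is the strongest posture."""
    if name == "patch_latency_days":
        # 0 days -> 1.0, 90 days or more -> 0.0, linear in between.
        return max(0.0, 1.0 - float(raw) / 90.0)
    if name == "mfa_coverage":
        return min(1.0, max(0.0, float(raw)))
    if name in ("independent_assessment", "incident_response_tested",
                "backup_restore_tested"):
        return 1.0 if raw else 0.0
    raise KeyError(f"unknown input {name!r}")


def aggregate_score(answers: dict) -> float:
    """Weighted aggregate of the normalised inputs; higher means lower risk."""
    total_weight = sum(INPUT_WEIGHTS.values())
    weighted = sum(INPUT_WEIGHTS[n] * normalise(n, answers[n]) for n in INPUT_WEIGHTS)
    return weighted / total_weight


@dataclass
class Decision:
    score: float
    insurable: bool
    premium_multiplier: float  # 1.0 = average premium; >1.0 surcharge; <1.0 discount


def underwrite(answers: dict) -> Decision:
    """Apply the insurability threshold, then price relative to the average score."""
    score = aggregate_score(answers)
    if score < INSURABILITY_THRESHOLD:
        return Decision(round(score, 3), False, 0.0)
    # Above-average score earns a discount, below-average score carries a risk premium.
    multiplier = 1.0 - PRICING_SENSITIVITY * (score - AVERAGE_SCORE)
    return Decision(round(score, 3), True, round(multiplier, 3))


# Constructed sample applicants (not real data).
APPLICANTS = {
    "strong": {"independent_assessment": True, "patch_latency_days": 10,
               "mfa_coverage": 0.95, "incident_response_tested": True,
               "backup_restore_tested": True},
    "average": {"independent_assessment": True, "patch_latency_days": 45,
                "mfa_coverage": 0.5, "incident_response_tested": False,
                "backup_restore_tested": False},
    "weak": {"independent_assessment": False, "patch_latency_days": 120,
             "mfa_coverage": 0.3, "incident_response_tested": False,
             "backup_restore_tested": True},
}


if __name__ == "__main__":
    for label, answers in APPLICANTS.items():
        print(label, underwrite(answers))
```

Running the block declines the weak applicant, quotes the strong one at roughly 71% of the average premium, and applies a small surcharge to the average-posture applicant, because its score falls just under the assumed portfolio mean. The reassessment process the article mentions would simply re-run `underwrite` on fresh answers at each review point.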
SIRC Supplement • November 2015 • www.asiainsurancereview.com