How a data-driven understanding of your company’s risk profile can lead to smarter insurance coverage decisions.

Dark Reading Staff, Dark Reading

February 3, 2020

5 Min Read

Security professionals are well aware that the CISO today is expected to weigh in on business liabilities and product schedules, and to own the management of anything viewed as a "digital" risk across the organization. This explosion in scope leaves CISOs adrift in a sea of vendors while reporting on (and, ideally, reducing) their organization’s risk. Their only constant is a changing threat landscape and a widening set of responsibilities as digital risks expand and evolve.

As CISOs, security experts, network architects, and incident responders ourselves, we at Arceo have seen that the usual solutions to these problems often only make risk more complex. We end up stacking on products and driving up the number of vendors we have to manage, rather than managing our own cyber risk.

As a cyber insurance company, we face this same challenge at scale, because every customer we assess is a unique risk with different challenges and liabilities. As we grappled with building the first data-driven cyber insurance company, we realized three things. First, we had to provide macro-level context around the micro-level technical view of each company. Second, we had to use automation to keep our understanding of threat trends current as they change. And third, our analysis needed to make our insured customer base safer, so that insurance losses are less frequent and cheaper for both parties. We call this approach "cyber meteorology."

Cyber meteorology serves as the basis for insuring companies against cyber risks and for helping them prioritize their security efforts. Most importantly, it enables us to be the first cyber insurance company whose top goal is to make its customers safer, not just to calculate "a steady rate of return." This is critical, because our mission is not to be profitable by avoiding paying claims, but to build resilient customers that have the strongest protection, fast response resources, and thorough recovery options.

Arceo’s cyber meteorology combines a company’s internal and external security controls with global and industry-level threat trends to build a full picture of the risks that matter most to a company’s bottom line. The model draws on three kinds of data:

● Threat environment data that includes indicators of high-level global, industry, and organization-specific threats.

● Exposure data that looks at the attack surface both inside and outside an organization.

● Controls data, which considers external-facing technical assets as well as internal access policies.

The combination of all three analyses provides us with a highly detailed picture and unique quantification of the cyber risks faced by an organization, making them easier to mitigate, as well as transfer through insurance.

Here’s how it works in practice. We recently analyzed a mid-sized manufacturing company based in California for one business interruption risk: targeted ransomware. For the sake of anonymity, we have simulated its non-public internal controls and changed its name, so let’s call this company Messy Manufacturer (MM).

MM’s exposure to targeted ransomware attacks is a product of its IT footprint, its network size, and its Dark Web exposure. Through our external analysis we found that its IT footprint and its exposure on the Dark Web were larger than we would expect among its peer companies. We also identified several external assets with known vulnerabilities, and an alarming number with RDP (Remote Desktop Protocol) enabled. Findings like these would be enough for external scanning services to flag MM as a very high risk, and for insurance underwriters who follow those scores without context to do the same.

However, the answers to three questions about internal controls tell a different story. Corporate enforcement of complex password procedures, MFA policies in place, and backup and incident mitigation policies all adjust our model of MM’s exposure to ransomware. Putting this story in context, we also see that far fewer manufacturing companies have been targeted with ransomware than companies in other industries.

In the case of MM, our model took into account the fact that most manufacturing companies don’t rely on external facing assets for the vast majority of their business operations. So, even though our external analysis deemed some of MM’s infrastructure to be not as secure as their peers, that alone is unlikely to put the company at risk for a major business interruption loss from targeted ransomware. In fact, with internal security and business processes in place, MM is not at an unusually high risk for this type of incident. But based on commoditized external scanning alone, this context would have been completely lost.
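To make the blended rating concrete, here is an added example of a toy scoring function that combines the three kinds of data above (threat environment, exposure, controls) for the MM case. It is not Arceo’s model or code and is not from the original article; every weight, threshold, sample asset record and questionnaire answer is a constructed assumption for illustration, and "RDP enabled" is inferred from TCP port 3389 being open on an external asset.

```python
"""Toy blended cyber-risk rating for the anonymized "MM" case.

Added illustration, not Arceo's model. Every weight, threshold and
sample record below is an assumption constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

RDP_PORT = 3389  # RDP's registered TCP port; "RDP enabled" is inferred from it


@dataclass
class Asset:
    host: str
    open_ports: List[int]
    has_known_vuln: bool  # external scan matched a known, unpatched vulnerability


@dataclass
class Controls:
    complex_passwords: bool
    mfa_enforced: bool
    backups_and_ir_plan: bool


@dataclass
class Context:
    peer_footprint_ratio: float   # asset count relative to peer median (1.0 = typical)
    peer_darkweb_ratio: float     # dark-web exposure relative to peer median
    industry_target_rate: float   # targeted-ransomware rate vs. all-industry average
    external_dependency: float    # 0..1 share of operations riding on external assets


# Constructed external-scan results for MM (documentation-range addresses).
MM_ASSETS = [
    Asset("198.51.100.10", [443], False),
    Asset("198.51.100.11", [3389], True),
    Asset("198.51.100.12", [3389], False),
    Asset("198.51.100.13", [3389, 443], True),
    Asset("198.51.100.14", [3389], False),
    Asset("198.51.100.15", [25, 443], True),
    Asset("198.51.100.16", [443], False),
    Asset("198.51.100.17", [80, 443], False),
]
# Constructed answers to the three internal-controls questions.
MM_CONTROLS = Controls(complex_passwords=True, mfa_enforced=True, backups_and_ir_plan=True)
# Constructed context: bigger footprint and dark-web presence than peers, but a
# lightly targeted industry whose operations mostly do not depend on external assets.
MM_CONTEXT = Context(peer_footprint_ratio=1.8, peer_darkweb_ratio=2.5,
                     industry_target_rate=0.4, external_dependency=0.2)


def exposure_score(assets: List[Asset], ctx: Context) -> float:
    """What a commoditized external scan sees: exposed RDP, known vulnerabilities,
    and an outsized footprint/dark-web presence versus peers. Returns 0..1."""
    n = len(assets)
    rdp_hosts = sum(RDP_PORT in a.open_ports for a in assets)
    vuln_hosts = sum(a.has_known_vuln for a in assets)
    surface = (0.6 * rdp_hosts + 0.4 * vuln_hosts) / n  # illustrative weights
    peer_penalty = (0.1 * max(ctx.peer_footprint_ratio - 1.0, 0.0)
                    + 0.1 * max(ctx.peer_darkweb_ratio - 1.0, 0.0))
    return min(1.0, surface + peer_penalty)


def controls_factor(c: Controls) -> float:
    """Multiplicative reduction from internal controls (illustrative values).
    Backups and an IR plan mainly cut business-interruption impact rather than
    the chance of initial access; one factor is enough for a toy model."""
    factor = 1.0
    if c.complex_passwords:
        factor *= 0.85
    if c.mfa_enforced:
        factor *= 0.5
    if c.backups_and_ir_plan:
        factor *= 0.5
    return factor


def tier(score: float) -> str:
    """Illustrative rating bands on the 0..1 score."""
    if score < 0.15:
        return "low"
    if score < 0.35:
        return "moderate"
    if score < 0.6:
        return "high"
    return "very high"


def rate(assets: List[Asset], controls: Controls, ctx: Context) -> Dict[str, object]:
    """Scan-only score versus the blended score with controls and context applied."""
    scan_only = exposure_score(assets, ctx)
    # How much a weak external surface can actually interrupt the business.
    operational = 0.3 + 0.7 * ctx.external_dependency
    blended = scan_only * controls_factor(controls) * ctx.industry_target_rate * operational
    return {"scan_only": scan_only, "scan_only_tier": tier(scan_only),
            "blended": blended, "blended_tier": tier(blended)}


if __name__ == "__main__":
    print(rate(MM_ASSETS, MM_CONTROLS, MM_CONTEXT))
```

On the constructed data, the scan-only score lands in the "very high" band while the blended score lands in "low"; the same scan results with no controls, an average-target industry and operations that mostly depend on external assets would stay "very high". In a real underwriting model the weights are the part that has to be fitted to actual loss data rather than chosen by hand.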

This blended understanding of technical signals, internal controls, and current threat trends allows us to rate MM more accurately than other insurance companies can, and to share with MM the areas of risk it should prioritize. When a company like MM can more effectively measure and reduce its risk, it becomes easier for it to mitigate that risk and to transfer the remainder through insurance.

Insurance risk transfer is a critical security tool for CISOs because not all cyber events are preventable. Good insurance can be a highly cost-effective means of making organizations more resilient by speeding recovery, paying for costly legal expenses, and helping drive better internal hygiene. It can deliver tens of millions of dollars in value for less than the cost of one SOC analyst, who will probably move to a new gig after nine months.

Cyber meteorology enables smarter policies by providing a clearer, data-driven understanding of each customer’s risk profile. When both parties have this clarity of the actual risks at hand, everyone can make smarter coverage decisions. 

Arceo’s goal is to make companies more cyber resilient by providing smarter insurance and dynamic cybersecurity protections. This will move the cyber insurance marketplace towards a model where companies will be incentivized to implement better cyber hygiene practices with increased levels of coverage and cheaper rates. It’s no easy lift to move a market, but with this new partnership between security and insurance, we can reduce the complexity of cyber risk (and the CISO’s life) to build a more resilient society.

About the Author: Vishaal 'V8' Hariprasad, CEO, Arceo.ai
Vishaal 'V8' Hariprasad, a former U.S. Air Force and NSA Cyberspace Operations Officer, is the CEO and co-founder of Arceo.ai, a leading data analytics company using AI to dynamically assess risk for the cyber insurance industry.
