With cyber, the absence of decades of stable historical data is complemented by the presence of other forms of information. One of these is the adversarial nature of cyber risk.
The Adversarial Nature of Cyber Risk
Cyber is a unique corner of the insurance industry. The point most often used to illustrate this is the fact that long-term historical data doesn’t exist for cyber underwriting, at least not to the extent that it’s useful for traditional underwriting. That presents some serious challenges for carriers who rely on traditional methods of underwriting -- the basis for hundreds of years of profitable insurance business.
But the absence of decades of stable historical data is complemented by the presence of other traits and forms of information. Analyzed correctly, these can turn underwriting cyber insurance into a different, but no less accurate, enterprise. One of these is the adversarial nature of cyber risk.
What Is Adversarial Underwriting?
Cyber attacks are much less random than opportunistic crimes like car theft. The attackers choose their targets wisely. They have particular methods at their disposal that align to particular technology vulnerabilities, and some organizations are more disposed to that matchup than others. When attempting to model cyber risk, these criminals and their intentions should be at the center of the analysis.
Think of attackers who engage in widespread “spray-and-pray” attacks. They are scanning specific ports, or connection points between an organization’s IT system and the wider web, looking for vulnerabilities. This means there is a logic to the risk patterns, and underwriting models can take into account how criminals are likely to act. Having an understanding of how these risks evolve and how attackers choose their targets can help us, as data scientists and underwriters, to accurately predict risk, and help organizations mitigate and insure that risk.
This is what we call adversarial underwriting: using the tendencies of attackers to our advantage to predict risk in a way that can go beyond the use of broad classifications of an organization.
The reason the adversarial nature of cyber is actionable for underwriting is that the criminal actions involved throw off data. We can learn a lot about how and why attacks happen because traces are left, and all of it is inherently digitized. That makes risk more easily quantifiable with data science. Take the example of the criminals scanning the web for open ports: if we know information about that tendency based on patterns reported in databases of attacks, and we can also scan the IT system of any organization to determine the number of open ports it has, including the type of port, we can assess the risk of that kind of attack quite clearly.
How Can an Adversarial Approach Change Insurance?
All of this together -- the adversarial nature of cybercrime, and the reams of data cyber attacks produce -- means there is less randomness involved in any given cyber attack. And with less randomness to account for, underwriting models need less data to make an accurate assessment of risk. While traditional insurance lines are relegated to using extended historical loss data to make approximate loss projections due to the high levels of uncertainty involved, with cyber, if you have extensive data on the motivations and methods of adversaries you can make very specific quantifications about any organization’s risk of being targeted for an attack.
This capability is not just making up for a lack of better, longer sets of data. It’s actually an advantage when dealing with cyber risk. In a world where attack patterns can change week to week and organizations’ IT footprints are in constant flux, being able to assess risk accurately with data from a compressed historical time frame is a critical advantage. Data gets stale quickly, so revising underwriting consistently is the only way to match insurance coverage to real risks. With cyber risk data, the fresher the better. That’s also why it’s so important to assess an organization’s IT footprint with technology that can analyze the current extent of the systems, rather than relying on potentially outdated information in the form of a traditional questionnaire.
It goes a step further. Because we’re dealing with actors with motivations and targets, organizations don’t need to sit around hoping not to be targeted. In the same way we use data to underwrite, it can be used to inform an active risk mitigation strategy. Understanding how attackers try to get in can help organizations prioritize defenses. By understanding that leaked email credentials are often exploited by attackers in phishing attacks, for example, organizations can monitor for leaked credentials and reset their passwords to stop attackers from capitalizing.
Preventative measures like this can reduce not only the risk of being breached but also the risk of being targeted in the first place since we know attackers are motivated to seek the easiest targets. In this way, informing organizations of risk and prioritizing recommendations for mitigating risk means a new way of deploying underwriting expertise.