05.19.22

Mike Karbassi

How to Prepare for a Cyber Hurricane: 3 Key Takeaways

What’s the difference between your most overprepared travel buddy and a cybersecurity pro? 

Chances are there are plenty, but they share one thing in common: always anticipating the worst-case scenario. While one may pack bear spray and a winter jacket for a beach vacation, the other believes strongly in incident response plans and follows a “when, not if” philosophy at work. 

Both are good to have on your side, but unfortunately, the cyber experts’ fears may be more grounded in reality. A true cyber catastrophe — of the kind we have yet to witness — would be bad news for insurance carriers and underprepared organizations. Last year, we saw the writing on the wall with Log4j, Microsoft Exchange, Kaseya, and Colonial Pipeline, four events with downstream risk to customers. None were as costly or impactful as they could have been, but they offered glimpses of what “the one” might look like.  

Insurers are looking to get ahead of the cyber hurricane. But how do you prepare for something that’s never happened before? It’s not easy, but some of the smartest minds in the industry are working on just that question. We’ll go over our 3 key takeaways from our webinar with the cyber modeling experts at CyberCube and tell you how we’re overpacking our suitcases to address aggregated risk.

Context: The systemic component of cyber 

Five years ago, cyber insurance was a significantly smaller chunk of an insurer’s overall portfolio. It was profitable, the demand was increasing but not overwhelming, and more organizations were opening their eyes to an unprotected, massive exposure. The cost of going down due to a breach was something organizations couldn’t risk — and general liability add-ons weren’t cutting it alone anymore. While cyber has been around for over 20 years, the coverage we know today has only been available for less than a decade, when we started to see a consequential rise in interest. 

Being such a new line of insurance means its intricacies are only recently becoming better modeled. It wasn’t long ago that there was debate over whether there even was a systemic component of cyber. Because cyber was derived from professional liability, which hasn’t traditionally been modeled for aggregated risk, the thought was that cyber would follow a similar one-size-fits-all approach. But now more than ever it’s glaringly obvious that one major event can impact thousands of organizations, causing considerable losses across portfolios. Acknowledgment that there is cumulative risk does confirm that the cyber market has matured significantly in the past decade, but the unknown threat introduces a level of conservatism not seen in traditional lines.

As the market continues to develop, how do we absorb more meaningful losses?

 

1. We can't model every outcome, but we can make educated guesses.

How do you predict the details of an impending disaster if it’s never happened before? With no idea of where it’ll happen, how big it’ll be, who it’ll impact, and what will cause it — you focus on what you’ve seen before and build from there. CyberCube has broken it down into a science through 29 different categories of model scenarios, where they alternate the following:

  • Threat Actor
    • Who perpetrates the attack.
  • Threat Vector
    • The methodology of the attack.
  • The Target
    • The single point of failure.

The near misses of total catastrophe — like Colonial Pipeline or NotPetya — help us understand how major losses might strike. With just slight changes, any of the noteworthy cyber threats we’ve seen in the past year could have had entirely different (and worse) outcomes. Cloud outages, operating system malware, or significant data breaches are all scenarios to watch and model for.

2. Take lessons from the lines that came before us. 

Natural catastrophe modeling grew out of Hurricane Andrew, one of the most impactful events to hit the industry, resulting in the insolvency of 11 insurance companies. With $15.5 billion in insured losses, there was a general consensus that there had to be a better way to prepare and respond to an event of that magnitude. If not, property insurance as an industry might struggle to recover from any future natural disasters. Enter probabilistic modeling. Property has had a thirty-year head start, but cyber can take their approach of running standardized simulations to predict what losses will look like and how extreme events will manifest.

The challenge is that cyber has no geography or zip codes to segment risk by. Property insurers can adjust portfolios when they’re over-concentrated in a specific region without changing rates for an entire city or state — they can diversify where their policyholders are located — and cyber can aim to do the same by industry instead. For example, manufacturing was once not a particularly high-risk sector but has become a popular target for threat actors as a hub of valuable data. Ongoing adjustments to portfolios will help keep cyber prepared for the worst-case scenario.

3. Harness data, then act on it. 

At Corvus, we have unprecedented real-time visibility into the cyber hygiene of every organization that applies for coverage. Our non-invasive scan is run for every quote request we receive and examines externally-facing IT systems for common risk factors like out-of-date software, risky open ports, and unpatched software. With all of this data, we’re able to react swiftly to any signs of negative trends, like a cloud service provider being down or a zero-day vulnerability with far-reaching impact. These insights allow us to quickly alert any policyholders that may be impacted and limit the impact of a catastrophic event through rapid response. We can also implement underwriting rules that address ongoing threats to limit our aggregated risk.

   📌  The impact on policy wordings 

While we’re on the topic of underwriting, we thought we should address how policy wordings have also started to account for a looming cyber CAT. 

  • Some carriers have started to add widespread event exclusion language to standard cyber offerings to avoid the risks stemming from a single attack or point of failure.
  • Underwriters may require policyholders to list all of their vendors, although this can get tricky if vendors start to change during the policy period.
  • You will find a rise in the use of sub-limits and coinsurance, especially tied to contingent BI and ransomware coverage. 

There’s no perfect, widely accepted solution to addressing the threat of a cyber catastrophe — but a tech-forward approach is a step in the right direction. We believe thoughtfully leveraged data collection, analysis, and modeling will introduce more confidence in the cyber market, and eventually help us all avoid the fate of past insurance lines that never saw the Big One coming.
