Quantifying risk: Closing the chasm between infosec and cyber insurance

At a private briefing held outside the main RSA Conference in San Francisco, a panel of experts discussed the value of cyber insurance and whether it meets the needs of businesses trying to protect themselves against the impact of a cyber breach.

The panel was moderated by John Pescatore. He is currently working with SANS but was previously with Gartner and a member of the Secret Service.

The panellists were:

  • Devon Bryan, the CISO of the Federal Reserve System
  • Ben Beeson, Cyber Risk Practice Leader at Lockton
  • Tom Fuhrman, Managing Director of Marsh Risk Consulting
  • David Bradford, Co-founder and Chief Strategy Officer for Advisen

For businesses, it is generally accepted that a breach is inevitable. As a result, insurance against cyber breaches looks like a must-have part of any cyber security program. However, there is a significant chasm between how insurance companies and technical experts communicate about cyber risk.

Pescatore opened the discussion by presenting some data.

Everyone has access to the same technology. Companies in the same verticals spend roughly the same proportion of their revenue on security, yet some are more successful than others. What is the difference between the successful and unsuccessful teams?

He says the teams that do best focus on doing the right things first, rather than trying to do all things.

He also notes that cyber security is a relatively new field. Other insurance sectors are more mature and have far more data, so cyber risk requires different assessment tools. While car and house insurance are backed by massive, longitudinal actuarial datasets, the same is not true for cyber threats.


So the premiums paid today may not reflect risk accurately and may be driven by the market rather than by risk.

And, as Fuhrman puts it, "there's a diabolical human on the other side".

According to Bryan, one of the issues is that boards want quantitative information based on accepted models. This is even more complex for security practitioners who operate within global organisations.

Beeson noted that we are now operating in a new world, with the Target breach in 2013 marking a significant pivot point. This has led both companies and insurers to focus particularly on the protection of PII (personally identifiable information) and PHI (protected health information) and on breaches of individual privacy. Before the Target breach, insurance was focused on an assessment of what tools or controls a company had in place.

But that approach is no longer adequate. The insurance industry needs to partner with technology companies to model and price the risk.

Another element of the risk equation is aggregation risk, where the breach of one entity might affect many businesses and many insurance companies at once. For example, a single breach at a large cloud services provider might affect dozens, perhaps hundreds, of insured companies and consequently many insurers.

Another challenge noted by Beeson was one of timing. Many advanced threats may be resident for months before any data is exfiltrated or any business interruption occurs. What happens if you take out insurance after an attacker has already established a foothold in your environment without your knowledge?

In other words, a CISO's view of risk may be very different from the insurance industry's.


When it comes to communication between insurers, technical people and boards, one of the disconnects noted by the panel was the lack of a common lexicon: each corner of this triangle uses terminology in different ways.

Bradford says a data schema for cyber insurance is in development, albeit with just 15 terms currently defined. However, this is being done without engagement from the technology community.

He says, "There's a long way to go to bridge that chasm".
