Gauge Attack Risk for Cybersecurity Insurance

It seems like every time you listen to or read the news there is another company dealing with a cybersecurity breach. So, how have insurance policies helped companies handle these breaches? To date, this has not been overly clear. As the Department of Homeland Security National Protection and Programs Directorate explains, traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, leading to the emergence of cybersecurity insurance as a “stand alone” line of coverage. Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.

With cybersecurity insurance being stand-alone coverage, the market for it is expected to grow to $7.5 billion by 2020 according to PriceWaterhouseCoopers. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by a) promoting the adoption of preventative measures in return for more coverage and b) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Many companies forego available policies because of the perceived high cost of these policies and confusion about what they cover. Furthermore, one of the biggest reasons companies hesitate regarding cybersecurity insurance is the uncertainty that they will suffer a cyber attack due to inadequate methods for gauging the risk of attack.

As Forbes points out, this inability to effectively gauge the risk of attack is beginning to be addressed. UpGuard, a startup based in Mountain View, California, recently unveiled its Cybersecurity Threat Assessment Rating (CSTAR), the industry’s first cybersecurity preparedness score for businesses. UpGuard’s CSTAR ranking is a FICO-like score that allows businesses to measurably understand the risk of data breaches and unplanned outages due to misconfigurations and software vulnerabilities, while also offering insurance carriers a new standard by which to more effectively assess risk and compliance profiles.

According to UpGuard’s co-founders and co-CEOs, Mike Baukes and Alan Sharp-Paul, many companies skip insurance policies due to perceived high cost and uncertainty that their organizations will suffer an attack. With countless patches and fixes added onto IT infrastructure to hastily remediate breaches, companies have found themselves with less visibility into their core systems than ever before and no way to understand how at-risk they are for hacks. With CSTAR, Baukes and Sharp-Paul state that businesses are able to regain transparency and take the appropriate steps to bolster their cybersecurity. Meanwhile, insurance carriers can make smarter underwriting decisions while accelerating the availability of comprehensive and cost-effective cybersecurity insurance policies for businesses. It’s a win-win for both the insurance industry and for businesses.

“You need a foundation or a basis of understanding for what you have. I mean we like to say…you can’t secure or fix what you don’t understand. And that’s always missing. Everyone’s trying to rush to this goal of DevOps or moving to the cloud. Everyone wanted to be there but companies and vendors in particular weren’t helping businesses on the journey there,” says Sharp-Paul. “Once you have that base understanding of what you have, then that opens everything else up.”

In the world of corporate IT, applications rarely get retired. Even worse, the people that manage them move on because the life cycle of an employee remaining in a company is not that long. As a result, the institutional knowledge about these applications is lost. “Corporate memory is so short typically. They often get to this point five years down the track where they rediscover this server or this application and everyone’s too scared to touch it because they don’t know what it does. They don’t know how it works. The people with the knowledge just left with it all in their heads,” says Sharp-Paul.

From Baukes’ perspective, “It makes good business sense to quantify the risk in IT systems and report it effectively…giving people visibility, helping them get to the truth of what they’ve got, and how to configure it, and if they’re vulnerable.” With this in mind, hopefully CSTAR or something like it will be adopted sooner rather than later as an industry standard that companies and insurance carriers can use to make critical coverage and cybersecurity decisions.