Insurance is all about managing some kind of perceived risk. When you buy health insurance, you’re managing the risk of getting sick. When you buy car insurance, you’re managing the risk of having an accident. Cyber insurance is no different: when you buy cyber insurance, you’re managing the risk of a cybersecurity-related incident.
But there is a question buried in there: how much insurance do you need? You are not the only one to wonder about this: insurance companies ask themselves this question constantly, because it ultimately makes all the difference.
A little thought should make it evident that the amount of insurance you need is proportional to the amount of risk you are exposed to. Insurance companies try to estimate risk through a risk analysis process that they constantly refine. They know what the key factors are that determine risk. A health insurance company will ask you whether you smoke. A car insurance company will examine your age and your driving habits (perhaps by installing a “black box”).
And so it is with cyber insurance: you need a cyber security risk analysis process in order to know how much and what kind of cyber insurance you need in your organization.
Enterprise Risk Management
But first things first: for much of the twentieth century, too many corporations and other types of entities had no formal concept of “risk management” at all. This began to change in the 1990s, as interest in enterprise risk management grew. Even then, though, the idea of risk analysis remained within the narrow confines of the type of insurance-related risk analysis described above, tied to specific types of activities. The limits of this vision became evident toward the end of the nineties when enterprises were buffeted by all kinds of changes that completely altered the context in which enterprises worked and thrived: the economic boom and bust cycles, the increased competitiveness, the drastically evolved technical landscape including Internet. Real estate markets, credit institutes, rating agencies, and investors became more and more aware of the myriad types of risks to which companies were exposed, and demanded that they institute improved internal controls in order to pro-actively identify and manage changes that could affect them –not only to avoid negative impact, but also to exploit change for their strategic advantage.
This insight led to the development of an approach that considers risk management to be an integral part of the overall competitive and strategic framework in which a company operates according to common entrepreneurial practice. This new approach is reflected in the report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) entitled “Enterprise Risk Management – Integrating with Strategy and Performance”. In this report, Enterprise Risk Management is defined as “ … the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value”.
Effectively, then, the model proposed by COSO promotes the paradigm of integrated and holistic management of all types of business risk, to arrive at a kind of global risk profile. This is what gives it a strategic nature, able to positively influence the entire process of creating value for the company.
The Risk Management Process
Now that we have seen the overall context of cyber risk management within the corporation, let’s look at the elements of a risk analysis and management process. At their most essential, they involve the following:
Let us look now at each one of them in turn:
Identify risks. The risks facing you will always depend on what you are trying to protect – your assets. If you are trying to protect your health, a health insurer might identify smoking as a threat to your health. If you are a business trying to protect your profits, you may identify competitive entry as a threat. Then you will need to identify your vulnerabilities to the threats facing you, such as weak passwords. It is no small job to identify all of the risks you face, and requires careful, structured analysis.
Assess risks. A health insurer might identify smoking as a risk factor, but must also decide (assess) how serious it is: what would be the impact of getting lung disease? But the likelihood of an incident also plays a role: some highly effective medicines can have serious side effects, but they are known to be very unlikely to occur. This balance between impact and likelihood is at the heart of risk assessment.
Identify possible mitigation measures. Once risks have been identified, what can be done about them? There are two main categories of measures. Some risks can be mitigated with technological solutions, like having the latest equipment. Others can be mitigated with best practices – for example, not smoking and leading an otherwise healthy life. But there is some risk can cannot be eliminated no matter how hard you try. This important fact is known as residual risk. For example, you can’t do anything about your age (except get older). This will affect your life insurance, your health insurance, and even your auto insurance. The threat of business failure is always with us, there’s not much you can do about that. It is part of doing business.
Decide what to do about the residual risk. What should you do about the risk that is left over after doing everything you can? That depends on you, and how much it worries you. You might decide to just live with it. If you’re entering a new market with the chance of failure but also spectacular success, you may decide that the upside “risk” outweighs the downside risk (remember: in an integrated enterprise risk management context, risk is managed also for competitive advantage, not just for avoiding problems).
Or you might decide to take out insurance against the downside risk. Insurance is all about covering residual risk – it is the “last line of defense” after all of the possible mitigation measures have been identified. Even then, the amount of insurance you take out will depend on how much you are willing to live with that residual risk. But how do the insurance companies know how much to charge you? Well-established insurers have years of experience to help them to make accurate estimates. Life insurers have actuarial tables. Auto insurers have accident statistics. Health insurers know all about hospitalization costs.
Those are the four basic steps in any risk management process, in which insurance forms an integral part. Now let us look at what a cybersecurity risk management process would look like.
The Cyber Security Risk Management Process
In recent years, organizations have come to realize that cybersecurity risk management must be integrated into the overall enterprise risk management context.
A good example of this is illustrated by the Italian National Cybersecurity Framework, shown in the figure. Within this framework, let us see how the four essential steps of risk management are implemented for cybersecurity.
Identify cybersecurity risks. As we saw earlier, mature sectors like healthcare and the automotive industry have years of collective experience to help identify and classify risks. But cybersecurity is a relatively recent area, and this is why much of what you see in the figure concerns this problem. All industries do a certain amount of information sharing (e.g. automotive accident statistics), but in cybersecurity this is especially important, since so much is new and constantly evolving. You can’t be aware of all cybersecurity risks on your own – you need the help of the entire community in the best program of Cyber Intelligence and Information Sharing possible.
Assess cybersecurity risks. The community also has organizations active in elaborating unambiguous criteria for classifying and evaluating cybersecurity risks, so that you don’t end up comparing apples and oranges. It is essential to find out what the costs and frequency of incidents have been for others in the community in order to arrive at more precise assessments of the impact and likelihood of a cyber incident.
Identify possible cybersecurity risk mitigation measures. We learned earlier that there are two principal categories of mitigation measures: technological measures and best practices. Technological measures to combat cybersecurity risks could include the latest encryption devices, the best firewalls, and so forth. But just as important – and often the only measures available – are best practices. This may include a good cybersecurity training program for your personnel to help them avoid dangerous practices like easy passwords. They may include procedures for ensuring and enforcing supply chain security in your organization and its supply network. Part of the mission of cyberwatching.eu is to inform you of the latest technological measures and best practices available to mitigate cyber risk. Estimating how much cyber risk you are still exposed to after implementing all of the countermeasures you can is a challenge. Here, once again, an essential aspect is the information sharing of the community on incidents that still may occur despite implemented measures and best practices. This is where continuous monitoring comes into the picture, to provide an ever-more precise picture of the organization’s cyber risk exposure is at any moment in time.
Decide what to do about residual cyber risk. Depending on the organization’s goals, it may decide to confront residual cyber risk in many different ways. As explained before, a critical element in the decision-making process is a good estimate of the cost of damages due to cyber incidents. Some may be relatively easy to estimate, such as lost operational time. But some costs may be extremely difficult to estimate in quantitative terms, such as “reputation damage”, and may depend on the specific business sector. Deep knowledge of individual business sectors may be required to undertake a reasonable estimation, and deep awareness of the constantly evolving cyber incident landscape will also be important. One of the options that is becoming increasingly available is cyber security insurance. As estimates of the potential damage of cyber incidents become more precise, this type of insurance will become an ever more attractive option.
The above considerations concerning the nature of a cybersecurity risk management process should make it clear that it’s hard to go it alone. The field is simply too immature. You need help to manage this process, both from the community and from qualified organizations. The purpose of cyberwatching.eu is to help you connect to the right people in order to manage your cyber risk processes as well as possible for your protection and for your competitive advantage.