Viewpoint: Transferring the risk
Companies will have to get used to third-party assessments of their information security risk, says Simon Saunders
Cyber insurance is a fundamentally sound proposition: We're all told it's a matter of when we get breached, not if, and the bigger attacks can have a serious financial impact. Transferring the financial aspect of the risk through insurance is well worth considering. It's not always about the hard numbers, but the impact on the recipient.
Organisations increasingly understand the value of information security and the likelihood and consequences of being targeted by an attacker, but management needs to understand that cyber insurance cannot be considered a substitute for appropriate information security. Just as organisations insure against fire, they do not stop taking precautions against it.
In this new market there are challenges for both the would-be insured and the underwriter. How does the would-be insured demonstrate that they are an insurable proposition – and a low-risk one at that? There must be considerable fear of being considered an uninsurable risk. It also opens up the risk of a damaging disclosure and subsequent reputational damage not dissimilar to those at the heart of the recent BBC story where power companies were deemed uninsurable.
If the insurance sector declares a business an uninsurable risk and a significant attack subsequently occurs, there is then little opportunity to deny awareness of an information security problem. This underlying fear may present a challenging barrier for those considering cyber insurance.
For underwriters there is the obvious desire to sell new, profitable policies at an acceptable market rate and without undue risk. Assessing the suitability of an insurance candidate and setting an appropriate premium is difficult given the diversity between organisations. It never ceases to amaze how two similar competitors can fare so differently when their security is placed under scrutiny, let alone the diversity between sectors. Factor in the lack of historical information on the regularity of attacks, their impact, the hacker community wild card and the tendency for secrecy about organisations' information security profile, and the challenge is clear.
Information security assurance reflects the security posture of organisations, and this has primarily been a self-regulating proposition structured around meeting their own risk appetite. More recently the professional services sector has sought to make it easier to demonstrate that they operate an appropriate level of risk to their current and potential clients. But this fledgling concept is only adopted where there is a demanding, information-security aware client base.
Rather than operate information security as an internal proposition, organisations ought to consider making their position more readily presentable to external agents. It won't be entirely public, but it could be better presented for insurance reasons, for clients, for stakeholders, etc. This medium-term shift is not as challenging as it first appears, and as an interim step either the insurance candidate or the underwriter could commission a short external review to get an expert, third-party risk assessment which can support the actuarial risk-profiling of an organisation. This provides reliable evidence of an organisation's position. If it doesn't paint a rosy picture, expertise is available to manage the risk profile to an acceptable level.
Such reviews would focus on both the intended information security measures and the subsequent execution of these. What does the organisation aspire to achieve and do they actually get there in the real world? While the wider information security industry contemplates being more open regarding information security performance, these third-party assessments will continue to prove valuable to underwriters and the end client.