Rethinking cyber risk assessment models

Rethinking cyber risk assessment models | Insurance Business New Zealand

Rethinking cyber risk assessment models

Most businesses are grappling with rapidly rising cyber risk, and rapidly increasing cyber insurance claims have caused premiums to surge. According to a report by Fitch Ratings, the number of cyber claims increased by 100% over the past three years, with prices up 130% in the US and 92% in the UK. This rate of increase is much higher than those of other commercial business lines.

With coverage becoming more expensive, Andrew Barnett (pictured above), cybersecurity expert and chief strategy officer of Cymulate, is urging businesses to rethink their current cyber risk assessment models, as they are not working against the rising threat.

“The typical risk assessment is based on reviewing existing documentation and conducting interviews with stakeholders and department leads,” Barnett told Corporate Risk and Insurance. “On occasion, the assessor may ask to see some actual configurations or screen shots. These responses and evidence are then reviewed and scored as ‘yes,’ ‘no’ or ‘partial.’ With dynamic enterprise environments and an always-evolving threat landscape, these types of activities will never demonstrate an organization’s actual ability to detect, prevent and respond to cyber threats.”

Another point that Barnett said businesses should pay attention to is their cybersecurity infrastructure. While some businesses have inadequate cybersecurity tools in place, others have too many tools – more than they can use properly. He cited a report by Oracle and KPMG which found that 78% of respondent organizations used more than 50 discrete cybersecurity products to address security issues, leading to a patchwork response to cyber threats.

“If majority of organizations have over 50 tools, then the chance of something being deployed incorrectly, misconfigured or underutilized is very high,” Barnett said. “Most of these products do not operate well together out of the box and require careful consideration to their deployments and customization to work effectively in an organization’s unique environment. Companies should continuously look for these unintentional errors, or gaps, as we often see environmental drift over time and their security posture regress.”

To avoid critical gaps in cybersecurity, Barnett recommended that organizations make several changes to their cyber risk assessment procedures.

Barnett said that companies should be aware of the regulations they must comply with, but the focus should be on building a security program that is in line with the organization’s risk tolerance.

“Build compliance into your security program so you can demonstrate to assessors what they need to see, but don’t let compliance be the driver,” he said.

In relation to compliance, Barnett said that organizations that have adopted a continuous security validation methodology have a much easier time when the auditors come around. This methodology gives the company’s leaders in charge of cyber the ability to always know what their security posture looks like, leading to fewer surprises during an assessment.

Risk and IT managers should work with top management to understand all of the inherent risks faced by the organization and the cyber implications of those risks.

“When calculating residual risk, use technology (like breach and attack simulation) to measure the effectiveness of your mitigating controls,” Barnett said. “Oftentimes, we make assumptions or guess at how a tool or process is working and its effect on reducing likelihood or impact. This can lead to a false sense of security.”

Lastly, Barnett said organizations must practice dealing with various cyber risk scenarios by setting times for teams to test themselves and run through table-top or “war game” exercises to see how they would respond in the event of a cyber incident or breach.

Moving forward, Barnett expects that cyber risk management will require more vigilance, with an “always-on” or continuous monitoring for risk and compliance.

“It is fairly common knowledge that annual or biannual assessments only provide a small snapshot of what is really going on inside an organization, and this model has never been able to keep up with the pace of changing environments and the cyber risks they face,” Barnett said. “If the purpose of an assessment is to give all those involved visibility and confidence into how an organization is doing, we need to change how and how often we are conducting those assessments.”

Due to the amount of sensitive data many businesses hold, privacy regulations are also expected to become tighter in the future.

“With regulators adding more and more requirements on leaders around cyber, executives and board members will have to take cyber risks seriously,” Barnett said. “As a result, I think we’ll see more innovation and focus on improving and simplifying the approach to compliance and risk reporting. Platforms that help distill very technical data into layman's terms and produce meaningful, repeatable reports will become obligatory for cybersecurity leaders.”