Next Generation Cyber Insurance Defined
Ideally, an insurer will take a proactive role in monitoring, mitigating and responding to cyber threats before, during and after an incident. However, when it comes to cyber insurance for the middle market, most insurers do not take an active role beyond providing educational resources. Most insurers leave the prevention and detection up to the insured. Policy holders often need to hire additional IT staff or contract-out security monitoring services to a third-party provider. With most current cyber insurance policies, it is totally up to the insured to determine if they have been a victim of a cyber-attack. Only after it has been determined an incident has occurred can the insured party make a claim. Response times to a claim will vary depending on such factors as defined waiting periods, time to perform an initial investigation, and securing the services of the experts needed for a response.
A new, “next generation,” approach to cyber insurance has emerged that employs proactive threat detection and continuous, real-time responses to cyber-attacks – this is called Managed Detection and Response (MDR).
Managed Detection and Response
MDR is an outsourced service that provides organizations with threat hunting services and responds to threats once they are discovered. It also involves a human element: Security providers provide their MDR customers access to their pool of security researchers and engineers, who are responsible for monitoring networks, analyzing incidents, and responding to security cases.
MDR addresses significant problems that plague modern businesses. The most glaring issue is a lack of security skills within organizations. While training and setting up dedicated security teams that can perform full-time threat hunting may be feasible for larger organizations that can afford it, most companies will find it a difficult proposition given their resource limitations. This is especially true for middle market organizations that often find themselves being the target of cyber-attacks but lack the resources or manpower for such teams.
Even organizations that are willing to spend both time and money might find it difficult to actually acquire the right personnel. In 2016, there were 2 million unfilled cybersecurity positions, a number that is expected to rise to 3.5 million by 2021.
An often-overlooked issue when it comes to cybersecurity is the sheer volume of alerts security and IT teams regularly receive. Many of these alerts cannot be readily identified as malicious and have to be checked on an individual basis. In addition, security teams need to correlate these threats, since correlation can reveal whether seemingly insignificant indicators all add up as part of a larger attack. This can overwhelm smaller security teams and take away precious time and resources from their other tasks.
MDR aims to address this problem not only by detecting threats but also by analyzing all the factors and indicators involved in an alert. MDR also provides recommendations and changes to the organizations based on the interpretation of the security events. One of the most important skills that security professionals need is the ability to contextualize and analyze indicators of compromise in order to better position the company against future attacks. Security technologies may have the ability to block threats, but digging deeper into the hows, whys, and whats of incidents requires a human touch.
The Cyber Insurance Application Process
Traditional insurance approaches have not kept pace with the kinetic nature of cyber-attack threats. The traditional application process still relies on standardized checklists, irrelevant data collection, and actuarial models when taking applications. When applying for traditional cyber insurance, applicants are surveyed with a range of 20 to 25 cybersecurity questions and then are required to submit documentation supporting their answers. The application process is cumbersome and often involves multiple meetings to define what the survey questions are exactly asking for, educating stakeholders, and documenting any new policies or practices that need to be implemented. This requires coordinating staff and vendors to sort out who knows what. Sometimes, it may require an outside vendor to run a cybersecurity assessment or establish a baseline to inform the insurance underwriter. All of the costs involved in collecting this information are the responsibility of the organization seeking cyber insurance.
New approaches to cyber insurance use technology to simplify the application and underwriting process. Instead of surveys and questionnaires, Insurers use MDR tools to perform online scans that collect thousands of data points about an organization. These scans calculate a cybersecurity score and are formatted into an easily understood security analysis report that a potential client or applicant can review. The report provides tips and recommendations to improve the company's cybersecurity posture. The scan data is also used to inform the underwriting process. The underwriting process utilizes sophisticated algorithms that combine company information such as industry, revenue, and number of employees with the data points collected by the scan. This results in an incredibly fast application process, start-to-finish. Literally, some policies can be bound within minutes from the application being submitted. In some instances, additional information may be required, but most quotes can be generated within 48 hours, even for the most complex cybersecurity environment.
Before a Cyber-Attack: Prevent and Mitigate
Next generation cyber Insurance represents an interactive relationship between policy holders and insurers through the utilization of MDR services. Insurers remain engaged with their policy holders, continuously scanning and monitoring a client's cybersecurity using the same tools that were employed to assess and underwrite the policy. Additionally, some insurers offer security application suites that can further enhance security, provide actionable data, and mitigate threats. Policy holders have access to online MDR portals and can monitor their security scores as well as review policies. Insurers provide policy holders with alerts when threats are detected, and the insurer's internal security teams are available for consultation and to help resolve security issues or to implement mitigation measures. The focus is to prevent cybersecurity incidents before they occur.
During a Cyber-Attack: Make a Cyber 911 Call
Disaster can strike even the most well monitored and secured environment. Response time is a critical factor involved in limiting the financial impact associated with cyber-attacks. Since next generation insurers are actively involved in monitoring and securing the policy holder’s cybersecurity, they have access to the insured’s security intelligence and risk analysis resources. Access to these assets means there is an immediate response to an attack as soon as it is identified, whether by the policy holder or the insurer. Next generation cyber insurance handles security incidents much differently than traditional approaches. Rather than having a Breach Manager sit out a waiting period before getting authorization to coordinate with experts to respond to a security incident (like an insurance adjuster), the next generation approach uses an expert in cybersecurity to act as an Incident Response Manager. Incident Response Managers triage security incidents and take an active role in containing damage and responding to threats in real-time. They typically are not limited by waiting periods and start working on a response to a security incident immediately. If additional expertise is needed, it can be brought to bear quickly since the Response Manager is already familiar with the insured’s security environment. The interactive partnership with the insurer means the time needed to authorize and coordinate expert partners is practically eliminated. The focus is on rapid containment and minimization of damages.
After a Cyber-Attack: Getting Back to Normal Operations
Once an attack is over a forensic investigation begins. Organizations will want to make sure to avoid a similar attack in the future, and forensics evidence can provide an idea of what happened and how it occurred. Policy holders will also want to make sure there are no lingering issues or hidden traps waiting to take advantage of them again. Often, attacks come with regulatory and legal issues that will need to be resolved. An insurer can provide expert legal representation to ensure all reporting requirements are met and provide any legal defense services that may be needed. In data breach scenarios it is not uncommon to need legal representation to resolve 3rd party claims. Insurance claims may require credit monitoring services or even direct financial compensation to persons whose private data has been compromised. The focus is to pay any claims, make the policy holder whole again, and get back to business as normal. Both traditional and next generation insurance approaches are very similar in this phase, however next generation insurers are more likely to be involved in implementing security fixes and interacting with the various security experts on cybersecurity issues.