Cyber Risk Measurement: How to Measure a Moving Target
Blog: Enterprise Decision Management Blog
As I recently blogged, “Clearly, there’s a big disconnect between what companies perceive to be their strengths and the reality on the ground.” Now it’s time to move on to the reality of evolving cyber threats, and the important role of risk-scoring technology in cyber risk measurement. Again, I’ll draw on the session Cyber Risk, Cyber Ratings and Cyber Risk Transfer at the recent FICO World 2018 conference, and the conversation with my three panellists:
- Josh Ladeau, CISSP, Global Head of Cyber, Aspen Insurance
- Sasha Romanosky, Policy Researcher, RAND Corporation
- Mingyan Liu, Professor and Incoming Chair of Electrical Engineering & Computer Science, University of Michigan and founder of QuadMetrics.
Cyber Risk Measurement: Cyber threats are multiplying
Not surprisingly, the panellists’ perspectives on cyber risk growth were reflective of their professions. Josh said, “It’s about the interruption of business and systems being down; hackers aren’t the only source of cyber risk. Business outages and regulations like GDPR make companies realize they’re operating in an interconnected ecosystem with their business partners, and that is changing the dynamics of risk. Companies are explicitly requiring their business partners to have a certain level of cyber insurance coverage, and sometimes to the contract-specific level.”
Sasha’s definition of cyber risk was even more expansive. “There is now systemic cyber risk, such as attacks on energy, power and transportation systems that can cascade across different sectors,” he said, continuing, “we need to think about the common characteristics of vulnerable firms if many could be affected and something catastrophic could happen. That model is well known in the physical space, with phenomena such as hurricanes or earthquakes, but what does that model look like in the cyber world?”
Cyber Risk Measurement: New systemic risks
Sasha answered his own question by describing two different risk models, one in which there is a common cause and a second in which many firms share the same vulnerabilities through a common resource. “‘Common cause’ threats aren’t news; there have been many viruses and worms in the past decade, such as SQL Slammer.” But the other risk category, in which many companies have the same vulnerabilities in a common resource (such as a common cloud services provider), poses “systemic risk from interdependencies and supply chain issues. If web services or the cloud goes down, this introduces a dependency that didn’t exist before,” and thus new opportunities for cyber criminals to exploit. “There’s a lot of work being done by insurers and re-insurers on how to understand the common characteristics, dependencies and impact later on,” he concluded.
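The practical consequence of the “common resource” model is that two portfolios of insured firms can have identical per-firm breach probabilities, and identical expected losses, yet very different probabilities of a catastrophic year. The example below is an added illustration and not code from the panel or from FICO; the firm count, per-firm breach probability, shared-provider outage probability and loss threshold are constructed numbers chosen only to make the comparison visible. It compares the chance that at least k of n firms are breached in the same year when the firms fail independently, versus when part of each firm’s breach probability comes from a single shared dependency (a common cloud provider) that fails for everyone at once.

```python
"""Aggregate breach tail under two systemic-risk models (constructed example).

Model A, "independent": each of n firms is breached in a given year
independently with probability p.

Model B, "common resource": each firm's marginal breach probability is still
p, but part of it comes from one shared dependency (assumed here to be a
single cloud provider) that fails with probability p_shared and, when it
does, takes every firm down in the same year.
"""
from math import comb


def binomial_tail(n, p, k):
    """P(X >= k) for X ~ Binomial(n, p), summed exactly (no approximation)."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def idiosyncratic_prob(p, p_shared):
    """Per-firm probability of an independent breach such that the marginal
    probability P(own event OR shared outage) still equals p.

    Solves p = p_shared + (1 - p_shared) * p_idio for p_idio."""
    if not 0 <= p_shared <= p < 1:
        raise ValueError("need 0 <= p_shared <= p < 1")
    return (p - p_shared) / (1 - p_shared)


def marginal_prob(p, p_shared):
    """Per-firm breach probability in the common-resource model (equals p)."""
    return p_shared + (1 - p_shared) * idiosyncratic_prob(p, p_shared)


def independent_tail(n, p, k):
    """Model A: P(at least k of n firms breached in the same year)."""
    return binomial_tail(n, p, k)


def common_resource_tail(n, p, p_shared, k):
    """Model B: P(at least k of n firms breached in the same year).

    With probability p_shared the shared provider fails and all n firms are
    hit (so X = n). Otherwise firms fail independently with the residual,
    idiosyncratic probability."""
    p_idio = idiosyncratic_prob(p, p_shared)
    all_hit = 1.0 if k <= n else 0.0
    return p_shared * all_hit + (1 - p_shared) * binomial_tail(n, p_idio, k)


def compare(n=100, p=0.05, p_shared=0.02, k=50):
    """Same per-firm rating and same expected number of breaches in both
    models; only the probability of a many-firms-at-once year differs."""
    return {
        "expected_breaches_independent": n * p,
        "expected_breaches_common_resource": n * marginal_prob(p, p_shared),
        "tail_independent": independent_tail(n, p, k),
        "tail_common_resource": common_resource_tail(n, p, p_shared, k),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:36s} {value:.3e}")
```

With the constructed numbers (100 firms, a 5% annual breach probability each, a 2% annual outage probability for the shared provider, and a threshold of 50 simultaneous breaches), both models predict five breaches per year on average, but the independent model puts the chance of 50 or more in one year far below one in a trillion while the common-resource model puts it at roughly 2%. A questionnaire or score that rates each firm in isolation reports the same 5% in both cases, which is why the common dependency has to be captured separately.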
Cyber Risk Measurement: Risk measurement technology to fill the void
Having worked in the cybersecurity field for two decades, Mingyan offered her perspective: “When I started out I had relatively little knowledge of how underwriting works. When we built the technology that would become the FICO® Enterprise Security Score, the industry-standard practice was to send security questionnaires for prospective customers to fill out. The IT organization typically provided information such as the number of employees in the company, which operating systems were used, and other very basic questions. The insurance company would then translate the information into variables.”
She continued, “Even though underwriters knew they needed something more modern, they weren’t ready to let go of their existing practices. When we presented our cybersecurity scoring technology to underwriters, we got a range of responses. When we showed how our cybersecurity ratings are tied to predicting data breaches, some underwriters said, ‘This approach is enough, and all we need,’ and others said, ‘What will I do with this?’ They were not sure how they could bake it into their underwriting process.”
After all, she concluded, “cyber risks are different from other risks; hurricane losses don’t change much but cyber losses do. Whether it’s nation-state attacks, hacktivism, or new threats on the horizon, the variables keep changing.”
In my last blog in this series, you’ll read about how insurers like Aspen are embracing the FICO Enterprise Security Score as an important component of their underwriting process. Right now you can find out more about US executives’ current views on cyber readiness by downloading our white paper Views from the C-Suite Survey 2018. If you don’t already, follow me on Twitter @dougoclare. Thanks!
The post Cyber Risk Measurement: How to Measure a Moving Target appeared first on FICO.