The previous parts in this series on taming the uncertainty of ransomware risk advanced a playbook approach to reducing conceptual uncertainty of ransomware risk, and revealed the value of risk factors in reducing empirical uncertainty. Here we bookend this series by delving into the cyber insurance implications of these approaches to reducing ransomware risk.
Insurance Implications
When reining in ransomware risk uncertainty, our perspective determines how we perceive risk. Since the time of the ancient Egyptians, humans have leveraged visual aids to improve our ability to detect and use the world around us. When it comes to measuring and using signals of cyber risk, effective insurance demands better optics along the entire continuum: from cross-sector systemic risk, to interconnected portfolio risk accumulation, and down to granular enterprise-level exposures. While the past is not necessarily indicative of the future with regard to cyber risk, the history of threat playbooks, perennial vulnerabilities,1 and security control deficiencies shows us that history often does repeat itself. Guidewire Cyence (Cyence) empowers both a telescopic and microscopic capability to help anticipate and forecast ransomware and other cyber perils.
Specifically, discriminatory risk factors can help insurers to:
Identify if a company is at a higher risk than its peers of sustaining a successful ransomware incident
Engage in meaningful conversations with current and potential policyholders about proactive risk controls and security management
Comparatively rank firms in a portfolio based on categorical risk factors
Draw on qualitative heuristics to zoom in on quantitatively-derived questions related to the cost of ransomware attacks, as well as premium and sublimit strategies
Inform trend analyses of cyber threats and exposures to help calibrate qualitative model output
Lower loss ratios based on discriminatory risk factors by tailoring policies and engaging in proactive risk management
Closing the Gap Between Security Risk Management and Insurance
“What’s driving a particular risk?” and “What are the maximum and expected loss exposures?” are top questions facing both companies and insurers. There is no simplistic single model for increasing the certainty of the answers. What’s needed instead is a combination approach composed of data and model variables that offer insight into the cyber risk playbook: malicious threats that exploit vulnerabilities in systems and devices because of deficiencies in controls, which negatively impact valuable assets and/or functions, and result in losses that are transferable via insurance policies. The better we are at collecting and mapping data and variables according to this cyber risk playbook, the more we lower the inference risk and close the gap between risk inputs and negative outcomes.
From a security controls perspective, there’s no mystery regarding what can be done to lower ransomware risk. Yet from a risk-management perspective, the realities of resource constraints, information asymmetries, and risk triage conspire to keep these questions at the forefront.
By collecting and measuring many of these data and model variables according to the cyber risk playbook, Cyence reduces uncertainty in ransomware risk identification, quantification, selection, and pricing. Also, by mapping the discriminatory power of these risk signals to outcomes and controls, Cyence offers actionable insights and value propositions for both indemnity and risk prevention, respectively. Amid the growing body of risk signals, being able to triage the most impactful is key. Cyber risk factors and scores that lack relational associations to controls and impacts invite uncertainty and they prevent meaningful risk benchmarking. They leave one wondering, “So what?”
In addition, there is much room for contributory data and information sharing among insurers, policyholders, and other cyber risk stakeholders. Cyber risk models that are informed by combined risk signals along with incident claims and on-the-ground losses have appreciably stronger predictive power compared to models composed of only one part of the playbook.
Reducing the level of inference between components in the risk playbook will yield more reliable cyber risk prediction, risk management capability, and certainty. It achieves this by:
Reducing information asymmetries
Synchronizing the typically siloed intra-firm IT and risk management functions
Specifically, the level of cyber risk uncertainty will improve substantially if companies provide security and event measurements, loss validation, and more detailed incident reports to cyber insurers, either directly or via impartial risk analytics intermediaries, like Cyence.
Cyence can observe, contextualize, and financially model telescopic and microscopic data and is an essential component to optimize the transfer of dynamic cyber risk via the continuous underwriting capability. Imagine having more complete knowledge of claims, losses, and near-misses across insurers and policy lines without sacrificing competitive intelligence. Overlaying these capabilities atop a growing aggregated cyber risk leads to certainty between risk inputs and harmful outcomes—a mapping that both sides of the risk-transfer market have lost sight of.
Future-Proofing Ransomware Risk Uncertainty
Technology is raising the cyber peril cat-and-mouse game to the power of data science. This will manifest as red team playbooks enabled by machine learning and artificial intelligence (AI). Threats will be accelerated by machine learning models that exploit vulnerabilities and hasten intelligent evasion, system infection and hijacking, and data acquisition faster than non-automated defenses can patch or react. For example, intelligent targeting will leverage training data about how individual employees communicate and respond to various phishing messages to create machine learning models that successfully impersonate legitimate messages—to dodge spam filters and click-bait victims into visiting infected websites or sending sensitive data to criminals.
The implications for risk control and transfer are nontrivial, yet the uncertainty is manageable. Automated and intelligent red team playbooks can be countered with defense playbooks that execute at machine speed with machine learning and AI prescience. The foundational knowledge to develop, train, and calibrate these advanced security models depends on scalable observation, synthesis, and orchestration of these risk signals according to the cyber risk playbook. Platforms that can manage, coordinate, and model this telescopic and microscopic data and knowledge are prerequisite for enabling such a foundation. In addition to aiding automated defenses, such platforms can further optimize cyber risk management and underwriting by increasing data quality and reducing acquisition costs associated with risk and control selection. Just as science is the discipline of how we change what we know, Cyence enables the observation and experimentation of how we change what we know about the structure and function of evolving cyber risk.
1 For an example, see https://www.us-cert.gov/ncas/alerts/aa20-133a.