Reducing Cyber Underwriting Risk Starts with the 3 “Bs”

Beyond holding second place in the alphabet, the letter “B” touches many things. In classical terms, the three Bs have delighted listeners for centuries: Bach, Beethoven, and Brahms. As for the bees we all know and love, researchers have found that they buzz in the key of A. Today, I would like to add a trio of “Bs” to mark what I believe is a pivotal moment for cybersecurity, one with its own original score unfolding as we speak.

One very good example for social cyber education is the National Cyber Security Centre (NCSC). Backed by the United Kingdom Government, the NCSC is based in London and provides support to keep UK citizens, organizations and businesses of all sizes safe online. NCSC’s Cyber Essentials complements the measures for improved cyber resilience by the insurance industry, which are nicely outlined in the Swiss Re paper.

Cybersecurity is a moving target. We all use devices to manage our day-to-day living and working. With that, there are constantly new attacks and threats in play. Cybersecurity insurance, it turns out, can help protect us and fend off those risks.

This is where imagination meets originality. We are witness to an evolution in the insurance industry I’ve never seen before: education as an accompaniment to an actual insurance policy. In virtuoso speak, this is the first duet of its kind for insurers and policyholders.

The NCSC has launched what they call Cyber Essentials whereby employees get certified on basic cyber knowledge. While Cyber Essentials is not a requirement to purchase a cyber insurance policy, the NCSC encourages education as a recommended companion to investing in cyber insurance.

Imagine if we could detect risk before we click a link in a phishing email. This is power to the user. Certifying users increases defensive strength against cyberattacks across an entire organization.

Making Cyber Insurance More Meaningful

One innovator in the reinsurance space is Swiss Re. It advocates leveraging education to mitigate risk, making cyber insurance meaningful and valuable as an added service. When an insurance premium is based on risk factors while educating companies on cyber know-how, it’s a win-win and Swiss Re is taking measures to combine both by arming companies with ideas and research for greater cyber resiliency.

According to Swiss Re, reported cyberattack incidents have grown five-fold since 2016, with monetary estimates of global losses around USD 945 billion. This is a growing organizational threat. Requiring people become educated on cybersecurity makes sense, and it is something Swiss Re is bringing to the table as a global reinsurance company. The company emphasizes education and calls for greater transparency in cyber insurance policies.

Bracing for cybersecurity, but not sure where to start? Enter the 3 “Bs” of reducing cybersecurity risk:

1. Be aware of where you are at. Use an assessment to benchmark your cybersecurity situation and, thereby, see your cybersecurity gaps. This includes identifying vulnerabilities, exposing weaknesses under a simulated cyberattack, testing your website security, and challenging your team’s email behavior and knowledge of phishing emails. For some organizations, making the leap to an assessment is a big one, but here are a few starter questions to see your cybersecurity gap.

  • What are the key assets do you need to protect? What are the threats associated with these assets?
  • How many suppliers do you have and how are they protected?
  • How is sensitive information shared and protected?
  • What investments can you make to safeguard your assets?
  • What company-wide training do you currently do around cybersecurity so that employees won’t compromise security?
  • How can you know when unauthorized activities have occurred?
  • What are the step-by-step procedures you have in place to handle cybersecurity event?
  • How do you resolve the disruptions caused by a cybersecurity event and continue doing business as usual?

Cybersecurity gaps often live-in established processes. Being aware of your threat landscape gives you visibility into those processes. Imagine if an insurance company provides a pre-qualification check list and then having someone on your team to oversee cyber-related activities. The key is clearly defining their role and responsibilities as well as reporting protocol.

2. Be prepared to invest and commit. It’s generally accepted that Fortune 500 companies invest in cybersecurity. Small companies oftentimes can’t afford cyber insurance on a larger scale. Case in point: during the recession of 2008, one of my insurance technology clients was forced to make cuts. As a result, the company fired the entire cyber team. Pulling back on its defences left them in a more vulnerable position.

Those companies investing in cyber insurance then have a cyber hygiene checklist – a playbook of sorts provided based on security posture, including security awareness, cloud security, patch management, application security, vulnerability management, IAM, PAM.

3. Be proactive to take action. I believe cybersecurity is everyone’s greatest challenge and opportunity. It starts with leadership and includes the board having cybersecurity on the agenda at every meeting. Cyber resiliency is no longer an “IT problem.”

This third “B” might be the most challenging of the trio. Let’s turn to manufacturing as an example. According to SCORE, the nation’s largest volunteer base of business experts, 98.6% of manufacturing companies are small businesses 75.3% have fewer than 20 employees. CEOs of manufacturing companies are busy in the weeds – attracting and managing talent, keeping operations running, handling supply chain issues, and watching quality. The challenge for them, and for many leaders of private companies, is the luxury of time to think things through.

When it comes to cyber resilience, this could change if they had access to an affordable policy that required individual certification. Data transparency is the key. How do we balance the need?

Cyber insurance agreement needs to provide more clarify around what is and what is not covered. Many cyber insurances opt out the coverage for ransomware nowadays. That could become an opportunity if done it right.

A New Song for a New Era

On a macro level, having an industry standard for cyber metrics and risk measurements will increase the maturity and reduce overall risk as well.

You would never hand the keys over to your kids and tell them to drive. You educate them first. Same goes with cybersecurity. When it comes to cybersecurity reinsurance, we’re at a pivot moment to set down a new score by including education as part of a policy standard.