Will the Insurance Industry get back to its founding principles and work towards setting new standards for managing cyber-security risks effectively?

riskgroup_black

Insurance Industry has the power to bring powerful change—by defining and setting standards for the greater good of the humanity. If in 17th century, an insurance company was able to set new standards for building homes, insurance industry of the 21st century can collectively work towards setting new standards for managing security risks effectively—and thereby driving the security of cyberspace -geospace and space (CGS).

If an insurance company had the courage to refuse insuring houses that were considered fire hazards centuries ago, insurance industry of a digital global age can now begin to collectively refuse to insure for the risks that can be managed independently by entities and offer policies for only the risks that have interdependent risks

Introduction

“Risk,” that reflects the probability of a loss, continually brings complex challenges to each nation: its governments, industries, organizations, academia, and most importantly “individuals” (NGIOA-I) in cyberspace-geospace and space (CGS).

When NGIOA-I faces complex “security” challenges from CGS, it is important to understand that the “security risks” is not a new phenomenon and the fundamental need for “security” has always been deeply entrenched in human nature since the beginning of times. In fact, the story of human race is in essence the story of “security”. The complex challenges facing NGIOA today in CGS will never be understood unless “security” is taken in account.

Irrespective of stone age or digital global age, “security risks” brings a possibility of a loss– irrespective of geospace, space or cyberspace. It is therefore not surprising that attempts to cope with “risk” have been developed since the beginning of human times and will continue till the end of time!

Each nation: its government, industries, organizations, academia and individuals (NGIOA-I) faces numerous security risks today. While we have a system to manage the known risks of geospace: accident, fire, sickness or death, the mostly unknown perils of the cyberspace are creating complex challenges for every NGIOA-I in the digital global age.

Irrespective of CGS, when one has assets to protect, it is the threats and vulnerability in “security” that create the potential for risks and losses. The potential of financial losses, brought us humans, the pooling of risks and transfer of risks. The concept of transferring the economic consequences of risk, i.e., the purchasing of insurance protection, has now become an important constituent of risk management.

Over the years, the “insurance industry” developed rapidly with each new innovation, technology, business, processes and industries that advanced the industrialization and globalization. Digitalization and the onset of a digital global age, also brings the “insurance industry” on the footsteps of explosive growth.

However, the potential of explosive growth in a digital global age is shadowed by the complex challenges of “insuring digitalization risks” that have complex interdependencies.

How would the “Insurance Industry” deal with these challenges?

To begin with, insurance industry will need to play an important role in enforcing acceptance and implementation of integrated cyber-security risk management framework for managing internal and independent cyber-security risks any entity across nations: its government, industries, organization and academia  (NGIOA) face in cyberspace-geospace and space (CGS) while insuring the entities for security risks that are outside their corporate boundaries and have inter-dependencies that would not allow the entity to manage on their own and need to be managed collectively.

The Emergence of a Digital Global Age and Cost of Cyber-breach

As the internet has grown exponentially in its reach and scope, so has every NGIOAs dependence upon cyberspace for social, economic, governance, and security functions. Each nation has reached a significant decision point today as they not only must continue to defend their current systems and networks in the geospace and space but also attempt to get out in front of their challengers and competitors in the cyberspace.  In order to build on the good, to be prepared for the bad, and to face the unknowns, there is a need to create new effective cyber abilities.

The fierce mapping of cyberspace has already begun and security breaches have become an actuality of life. Amidst that, the important question is:

  • How do we secure cyberspace?
  • What are cyber-security risks?
  • What is the actual cost of cyber-security breach to a nation and its entities?
  • Do the entities across nations understand cyber-security risks and its impact?
  • Can entities afford the increasing costs of cyber-security breaches?

When the expense of dealing with a cyber-security breach is getting higher day by day, it is important to evaluate how the cost of cyber-breach can be effectively minimized and managed. This is where risk management comes into play!

Evaluating Cyber-Security Risks

Before we go further, it’s important to evaluate how entities should evaluate cyber-security risks:

  • Entities need to begin by identifying and understanding their independent as well as interdependent /collective assets in CGS. (Assets in CGS would be commonly defined as items of economic value owned independently and collectively by each individual entity and component of an NGIOA (People, Resources, Property, and Information).
  • Entities need to identify and understand their vulnerability in CGS (Vulnerability is commonly viewed as a weakness or gap in a security program that can be exploited by threats from the Cyberspace to an asset in the CGS).
  • Entities need to identify and understand their threats in CGS (A threat can be anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy any and all assets (individually or collectively) in CGS).

The reality today is that any entity within any NGIOA has a potential for loss, damage or destruction of its assets in cyberspace, geospace and space as a result of a threat brought on by cyberspace. When entities evaluate cyber-security risks, they will see that there is a clear linkage between cyberspace threats, vulnerabilities and assets.

When conducting a cyber-security risk assessment, the formula that should be used to determine cyber-security risk is CGS assets + cyberspace threat + security vulnerability = cyber-security risk.

If we don’t understand the difference brought on by the Cyberspace, we will never understand the true risk to our NGIOA assets.

Managing Cyber-Security Risks

Now, identifying and understanding cyber-security risks is one thing and managing it effectively is whole another thing. Cyberspace has brought each and every entity a liability due to the security risks brought to assets in CGS that may or may not belong to them. Amidst that, the big question today is how can any entity within any NGIOA across nations insure cyber-security liability –individually and collectively?

The answer may lie in cyber-insurance!

Cyber-Insurance

Cyber-insurance is a risk management (risk transfer) technique via which cyber-security risks can be transferred to an insurance company, in return for a fee. While cyber-insurance is already here in some form, whether it will be a meaningful risk transfer tool to cyber-security for assets in CGS and grow in the coming years needs to be seen.

When entities evaluate purchasing insurance to specifically protect against losses from cyber-crime, what is important to understand is whether cyber-crimes can be managed with cyber insurance? While we know that Cyber insurance is in its infancy and is evolving, there is no doubt that the insurance industry has a significant role to play within the Cyberspace value chain and ecosystem to help shape a true offensive model for combatting cyber-crime.

At the moment, cyber liability insurance largely includes data breach/privacy crisis management which covers expenses related to the management of a security incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines. In many cases it also includes multimedia/media liability which covers third-party damages including specific defacement of website and intellectual property rights infringement. Some cyber liability coverages also include extortion liability which are losses due to a threat of extortion, professional fees related to dealing with the extortion and so on.

In addition to incorporating all relevant cyber-security events, an effective cyber liability policy will need to ensure that all potential cyber-security risks are fully catered for. However, when what constitutes cyber-security is still not clear to most, it is completely fair to say that a lot still needs to be understood before cyber-security risks can be properly identified and insured.

Understanding the security controls, risks, data protection principles and compliance to regulations beyond the cyber-security risk transfer is important as the connected computers, the computer code and internet has spun a whole new “web” of liability exposures within, between and across CGS. While a large portion of any entity or a nations assets and its valuation in CGS resides in its intellectual property, trade secrets and strategic plans, its loss to adversaries and thieves who steal the confidential secrets to valuable assets in CGS to become direct competitors with identical or better value propositions is a grave concern.

Each individual or entity with any valuable asset within any NGIOA —especially the ones that have growth, development, success, prosperity and potential in its corner, have the possibility to be the next potential security risk target from adversaries. For those individuals, entities and nations, success, strategy and sustainability are at risk as there are many who wants to cut short the traditional innovation and entrepreneur journey and lifecycle to be successful. There is a need to evaluate and understand what this means for each and every individual, entity and nations for its ongoing survival, sustainability and viability in CGS?

The bigger question is how can anyone protect their confidential secrets and maintain a fair competitive and strategic advantage in the global marketplace without sacrificing the potential and value of cyberspace?

As nations lack effective security infrastructure in the cyberspace and the level of sophistication among cyber-criminals is often on par with the cyber defense community, the computer code and connected computers are creating a perfect storm for cyber-attacks and espionage, with the rapid acceleration of crisis, catastrophe and chaos.

It is important to understand that when the intellectual, operational and strategic capital of any entity within any NGIOA is threatened and at risk by cyber criminals, the resultant impact on not only the share price but the survival and strategic sustainability becomes critical.

How can individuals and entities from across NGIOAs secure themselves from such complex crisis in CGS and be covered /insured for this?

Due to vulnerability in security, cyberspace is expected to trigger an increase in the number of regulations to the already existing complex web of regulations each nation already has. When security vulnerability of one entity has a potential to negatively impact assets in CGS that may or may not belong to them, cyber insurance becomes a necessity and serious business. As integrated CGS risks are becoming better understood over the years, the cyber-security risk management community needs to better evaluate the promise of insurance protection as a viable risk transfer tool against potential losses of assets in CGS.

The question is whether the current form and role of cyber-insurance is effective and meaningful? I would say probably not as the effectiveness depends on insurance’s ability to go hand in hand with security centric risk management framework.

There needs to be a clarity that cyber-insurance, though around in some form for several years is mostly a concept that has in itself serious risks of perception and effectiveness. While the availability of the Cyber insurance protection has evolved dramatically over the past decade, how should the cyber- insurance community evolve in terms of coverage, services, limits, and pricing amidst the fundamental changes brought on by the Internet of Things (IoTs)?

The greatest challenge for the insurance industry is perhaps to keep up with the complex cyber-security developments in CGS and provide meaningful cyber-insurance solutions to NGIOA-I at the right price.

It needs to be understood that the security any entity within any NGIOA builds for themselves is precarious and uncertain until it is secured for everyone within that nation in cyberspace. Tradition becomes our security, so if all the entities within a nation build a culture of managing cyber-security risks that are within the control of their entity effectively, it will lead them to internal security in not only cyberspace but also geospace and space (CGS). For the security risks that are not within their control to manage, cyber-insurance is likely a way to go.

How will insurance industry insure the cyber-crimes like cyber extortion: data kidnaping and ransom exposure, which involves viruses holding corporate data hostage for ransom.

Integrated Cyber-Security Risk Management Framework

Risk Group’s Integrated NGIOA Cyber-Security Risk Management model (RG CSRM 2015) provides nations a framework for a foundation to build security in every action and decision every entity and individuals takes. It provides an ability to manage internal cyber-security risks and flag those risks that are outside their corporate boundaries and needs to be managed collectively. Now the important question is:

  • What has cyber-insurance got to do with insuring cyber-security risks that are external to corporate boundaries?
  • Why cyber-insurance should be tied to enforcement of the CSRM framework acceptance and implementation universally?

What needs to be understood is that a cyber-insurance policy is just one piece of the cyber-security puzzle. The foundation of a new model for cyber-security strategy must bring all the pieces of the puzzle into the final equation. Any cyber-security risk management strategy is grossly incomplete if the all the security elements are not addressed with a high degree of efficacy. Finding security vulnerabilities must be rewarded across NGIOA and proper incentives need to be in place as most existing security programs are outdated and ineffective and security barriers gets easily penetrated. Conversely, a bottom up, proactive, integrated security centric risk management program (e.g. RG CSRM 2015 or any other similar framework) affords the best measure of advanced proactive cyber-security protection along with the pre-loss perspective required to effectively address current and emerging cyber-security threats.

So how can the insurance industry begin to drive effective security risk management change in this new cyber war?

It is my recommendation that as part of the underwriting process, the insurance providers need to have a mandatory requirement for a security centric risk management framework for policyholders. This will ensure a structured integrated effort to manage internal security risks while having an ability to identify and flag the risks that are outside their corporate boundaries.  As the CSRM model is designed to reinforce the connection between security drivers and cyber-security activities, the loss or risk prevention program could be modeled on security centric cybersecurity risk management framework. In addition, this will eliminate the culture of transferring risk in its root. Issuance of insurance policy will mean that entities will do everything in their power to proactively manage the internal cyber-security risks, while identifying the external cyber-security risks that are not within their control (and purchasing cyber-insurance products for those risks) and flagging them for collective security risk management!

Insurance will need to play an important role in enforcing acceptance and implementation of cyber-security risk management frameworks for managing internal cyber-security risks in CGS while insuring the entities for security risks that are outside their corporate boundaries and need to be managed collectively.

There is a critical need for such cyber-insurance products that are tied to proactive, security centric integrated risk management programs. To reach there requires considerable hurdles to overcome, mainly around identifying and understanding insurable cyber risks, independent and collective risk management responsibilities and independent and collective costs and premiums. For example, questions like who will be the insurer of last resort—who will be responsible for managing cyber-security risks that are not within anyone’s clear jurisdiction? Other questions that need to be addressed include how personal liability protection for individuals should be incorporated, within and outside of entities, especially if entities do not have a CSRM framework. In addition, how can coverage for regulatory investigations and proceedings, notification and reporting costs, third-party civil liability for data breaches, calculation of reputational damage and more be determined?

Need for Integration of Insurance and Risk Management Framework

Cyberspace and its ecosystem are making it increasingly clear that the cyber insurance industry needs to be integrated with proactive security centric risk management frameworks and programs. Ensuring implementation of risk management programs will likely need to be a new expected role for insurance professionals.

Insurance can play a significant role in safeguarding security of the cyberspace, and regulators must be willing to move forward with innovative cyber-insurance products that are tied to mandatory implementation of cyber-security risk management frameworks.

Nations must transform its mindset and adopt a protective and proactive cyber-security strategy that involves every nation: its government, industries, organizations, academia and individuals (NGIOA-I) and where insurance providers must act as the enforcer to ensure that requisite cyber-security risk management framework protection is present to safeguard value, constituents, shareholders and customers of not only cyberspace, but geospace and space. To do this, they must become the driving force in implementing security centric cyber security risk management programs and putting necessary security controls at their disposal to protect intellectual property, trade secrets and competitive and strategic advantage.

A partnership of insurance and security centric cyber-security risk management will form the most effective offense – and will always be the best defense!

The insurance industry will need to be a driver for securing cyberspace and a key enabler of cyber-security risk management framework issuance, adaptation and implementation.

Challenges Ahead

While insurance is a part of life in the developed world, it is still not a common phenomenon in many developing nations.

Cyberspace does not have borders and irrespective of nations, it impacts everyone. If risk insurance is not a basic necessity in many nations, how would bringing security to the cyberspace be possible if not all nations can be pooled into the common web of cyber-security risk management framework and cyber-insurance?

If cyber-security insurance providers can unite across nations, they can be a powerful force to ensure that effective risk management framework is implemented across NGIOA and the risks are managed effectively. Managing risks effectively will bring us security and security will lead us to peace.

The question is whether the insurance companies get back to their founding principles and work towards the greater good of the humanity?

Let me know what you think?


About Risk Group: 

We @ Risk Group believe that risk management, security and peace walk together hand in hand. Though security is related to management of threats and peace to the management of conflict, risk management is related to management of security vulnerabilities as well as management of conflict, and it is not possible to conceive any one of the three without the existence of the other two. All three concepts feed into each other. We believe that the security we build for ourselves is precarious and uncertain until it is secured for everyone across nations. Tradition becomes our security-so if we build a culture of managing risks effectively it will lead us to security and security will lead us to peace!

About the Author: 

Jayshree Pandya (née Bhatt) is a visionary leader, who is working passionately with imagination, insight and boldness to achieve Global Peace through Risk Management. It is her strong belief that collaboration between and across nations: its government, industries, organizations and academia (NGIOA) will be mutually beneficial to all—for not only in the identification and understanding of critical risks facing one nation, but also for managing the interconnected and interdependent risks facing all nations. She calls on nations to build a shared sense of identity and purpose, for how the NGIOA framework is structured will determine the survival and success of nations in the digital global age. She sees the big picture, thinks strategically and works with the power of intentionality and alignment for a higher purpose—for her eyes are not just on the near at hand but on the future of humanity!

At Risk Group, Jayshree is defining the language of risks and currently developing thought leadership, researching needed practices, tools, framework and systems to manage Strategic and Shared Risks facing nations in a Global Age. She believes that Cyberspace cannot be secured if NGIOA works in silo within and across its geographical boundaries. As Cyber-security requires an integrated NGIOA approach with a common language, she has recently launched Cyber-Security Risk Research Center that will merge the boundaries of Geo-Security, Cyber-Security and Space-Security.

Previously, she launched and managed Risk Management Matters, an online Risk Journal and one of the first Risk Publications, publishing Industry Risk Reports of Biotechnology, Energy, Healthcare, Nanotechnology, and Natural Disasters over the course of five years. Jayshree’s inaugural book, The Global Age: NGIOA @ Risk, was published by Springer in 2012.

Copyright Risk Group LLC. Al Rights Reserved