I know cyber risk insurance isn't one of life’s most sexy
topics, but it is one worthy of discussion. I
was reading an article by Craig Carpenter titled “Lack of Incident Response
Holding Back Cyber insurance Market” this afternoon (the article can be found
here: http://tinyurl.com/pn2yjs8). Craig made some very good points in his “Three
Simple Steps” that will help both the insured and the insurance companies in
working together towards a common ground.
These steps include: detection and swift response, full-fledged incident
resolution teams, and working with clients to develop best practices starting
with “Mean Time to Response (MTR).” Each
step should be considered by any organization, if not already in place, and all are
really part of good overall cyber hygiene. With these steps in place,
organizations are already mitigating much of the cyber risk and insuring
themselves from costly, and often, cyber incidents.
What if insurance companies planning to write cyber risk insurance
took the time to assess the “Cyber Health” of the potentially insured before
writing policies? When I shopped for life
insurance when my children were young, I answered pages of health history
questions about myself and my family.
Then there were the urine and blood tests and the blood pressure
cuff. The insurance company was really
interested in my current health condition(s) prior to estimating how healthy I
would be in the future. Why are
insurance companies not requesting a cyber “health” assessment prior to insuring
companies, not just from a cyber risk standpoint but from an all-inclusive
business risk perspective?
Network data can be analyzed through a number of tools;
ThreatRecon (www.threatrecon.co) comes to mind.
Tools that can quickly assess the
malicious activity found on the potentially insured network can go a long way
in helping actuaries assess the potential for financial loss in the event of a
network breach. Indicators from a client’s
network data can be run against indicators known to be questionable or even
dangerous. Wouldn't an underwriter be
interested in knowing if a potential insured was already p0wned before writing
any coverage? Tools such as ThreatRecon
could also allow a business owner or third-party analyst to review their data
before calling their insurance agent for a bid.
If you have a verified “sound” cyber health check, shouldn't you get a
better price on your new policy? Knowing
the context behind threats that may already be hitting your servers would be
even better. Why not raise the level of prevention before you experience a
breach?
The question will arise: who will pay for the cyber
assessment? Of course the insurance
company will not want to absorb the expense, but it could be listed on the
insurance invoice as a consulting fee. I
would hope that a business owner would like an independent assessment of their
cyber health, especially since they are shopping for cyber insurance. When taking into account the costs associated
with cyber breaches, both financial and reputational, the costs of an
assessment are a fraction of post-breach cleanup. A sound plan to assess a business’s network
and knowing the cyber health of your own company first, then implementing
Craig’s Three Simple Steps, looks like a winning combination to me.
BT BT
Yesterday, we held our first webinar for ThreatRecon, Wapack
Labs’ cyber threat intelligence API. The
webinar was very well attended by more than thirty of the best analysts
in the industry. We couldn't have been
more pleased! The feedback from the
cyber community remains very positive and the adoption rate for the platform is
growing daily. Giving cyber security
teams the means to look at hundreds of thousands of high confidence indicators
with full context and full attribution provides not only the quick answers needed
by the analysts but also the compelling stories required by CISOs when advocating
for the need to keep their operations fully funded.
Wapack Labs offers ThreatRecon for free for the first
thousand queries – we believe that strongly in our mission and core values of
protecting organizations from cyber threats.
You can get started by going to the ThreatRecon website at https://www.threatrecon.co. If you didn’t have the opportunity to see the
webinar, you can watch it here: https://vimeo.com/103543432