Saturday, August 16, 2014

Red Sky Weekly: The unsexy truth about cyber insurance.

I know cyber risk insurance isn't one of life’s most sexy topics, but it is one worthy of discussion.  I was reading an article by Craig Carpenter titled “Lack of Incident Response Holding Back Cyber Insurance Market” this afternoon (the article can be found here: ).  Craig made some very good points in his “Three Simple Steps” that will help both the insured and the insurance companies work together towards common ground.  These steps include: detection and swift response, full-fledged incident resolution teams, and working with clients to develop best practices starting with “Mean Time to Response (MTR).”  Each step should be considered by any organization, if not already in place, and is really part of good overall cyber hygiene.  With these steps in place, organizations are already mitigating much of their cyber risk and insuring themselves against costly cyber incidents.

What if insurance companies planning to write cyber risk insurance took the time to assess the “cyber health” of the potentially insured before writing policies?  When I shopped for life insurance when my children were young, I answered pages of health history questions about myself and my family.  Then there were the urine and blood tests and the blood pressure cuff.  The insurance company was really interested in my current health condition(s) before estimating how healthy I would be in the future.  Why are insurance companies not requesting a cyber “health” assessment prior to insuring companies, not just from a cyber risk standpoint but from an all-inclusive business risk perspective?

Network data can be analyzed with a number of tools; ThreatRecon comes to mind.  Tools that can quickly assess the malicious activity found on a potentially insured network can go a long way in helping actuaries assess the potential for financial loss in the event of a network breach.  Indicators from a client’s network data can be run against indicators known to be questionable or even dangerous.  Wouldn't an underwriter be interested in knowing if a potential insured was already p0wned before writing any coverage?  Tools such as ThreatRecon could also allow a business owner or third-party analyst to review their data before calling their insurance agent for a bid.  If you have a verified “sound” cyber health check, shouldn't you get a better price on your new policy?  Knowing the context behind threats that may already be hitting your servers would be even better; why not raise the level of prevention before you experience a breach?
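A minimal version of that check, added here as an example and not taken from the post or from ThreatRecon (whose API is not described on this page): it pulls peer addresses and hostnames out of constructed log lines, matches them against a constructed indicator set that carries confidence and category context, and summarises what an assessor or underwriter would want to ask about.

```python
import re
from collections import Counter

# Constructed indicator set standing in for a threat-intel feed; the real
# ThreatRecon schema is not shown on the page, so the fields are assumptions.
KNOWN_BAD = {
    "198.51.100.23": {"confidence": 90, "category": "c2", "actor": "constructed-group-A"},
    "login-verify.example.net": {"confidence": 75, "category": "phishing", "actor": "unknown"},
    "203.0.113.7": {"confidence": 40, "category": "scanner", "actor": "unknown"},
}

# Constructed proxy/firewall log lines in a simple key=value format.
SAMPLE_LOGS = """\
2014-08-15T10:02:11 src=10.0.0.12 dst=198.51.100.23 host=- action=allow
2014-08-15T10:03:45 src=10.0.0.19 dst=93.184.216.34 host=www.example.com action=allow
2014-08-15T10:05:02 src=10.0.0.12 dst=198.51.100.23 host=- action=allow
2014-08-15T10:07:30 src=10.0.0.44 dst=192.0.2.88 host=login-verify.example.net action=allow
2014-08-15T10:09:14 src=203.0.113.7 dst=10.0.0.1 host=- action=deny
"""

FIELD_RE = re.compile(r"(src|dst|host)=(\S+)")


def extract_indicators(log_text):
    """Count external peer IPs and hostnames seen in the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        for key in ("src", "dst", "host"):
            value = fields.get(key, "-").lower()
            # Assumption for the constructed sample: 10.0.0.0/8 is the internal network.
            if value != "-" and not value.startswith("10."):
                counts[value] += 1
    return counts


def assess(log_text, intel=KNOWN_BAD, min_confidence=50):
    """Match observed indicators against intel; report hits above the confidence threshold."""
    observed = extract_indicators(log_text)
    hits = []
    for indicator, sightings in observed.items():
        ctx = intel.get(indicator)
        if ctx and ctx["confidence"] >= min_confidence:
            hits.append({"indicator": indicator, "sightings": sightings, **ctx})
    # Highest-confidence, most-seen indicators first: that is what the assessor reads first.
    hits.sort(key=lambda h: (-h["confidence"], -h["sightings"]))
    return {"observed": len(observed), "hits": hits,
            "healthy": not any(h["category"] == "c2" for h in hits)}
```

Lowering `min_confidence` surfaces the low-confidence scanner hit as well, which is the knob an analyst would tune between a quick health check and a full review.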

The question will arise: who will pay for the cyber assessment?  Of course the insurance company will not want to absorb the expense, but it could be listed on the insurance invoice as a consulting fee.  I would hope that a business owner would like an independent assessment of their cyber health, especially since they are shopping for cyber insurance.  When taking into account the costs associated with cyber breaches, both financial and reputational, the cost of an assessment is a fraction of post-breach cleanup.  A sound plan to assess a business’s network, knowing the cyber health of your own company first and then implementing Craig’s Three Simple Steps, looks like a winning combination to me.


Yesterday, we held our first webinar for ThreatRecon, Wapack Labs’ cyber threat intelligence API.  The webinar was very well attended by more than thirty of the best analysts in the industry.  We couldn't have been more pleased!  The feedback from the cyber community remains very positive and the adoption rate for the platform is growing daily.  Giving cyber security teams the means to look at hundreds of thousands of high-confidence indicators with full context and full attribution fills not only the need for quick answers from analysts but also the need for the compelling stories CISOs require when advocating to keep their operations fully funded.

Wapack Labs offers ThreatRecon for free for the first thousand queries; we believe that strongly in our mission and core values of protecting organizations from cyber threats.  You can get started by going to the ThreatRecon website.  If you didn’t have the opportunity to see the webinar, you can watch it here: