You'd think that the need to use best security practices would be self-evident to any executive by now. Unfortunately, they have a lot of priorities to juggle and the consequences of a major breach are hard to grasp until you live through one.
Even if they don't understand the need for all the security measures they should be taking, businesspeople understand what insurance is, and as a result cybersecurity insurance is a rapidly-growing business. As the Department of Homeland Security says, such insurance "...is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage." It may also cover regulatory fines and costs of coming back into compliance with various regimes and certifications. There are significant potential costs it doesn't cover, like loss of intellectual property, which is a particularly nasty risk to price.
I spoke with Stephen Boyer, Founder and CTO of BitSight, which consults with insurers on their cybersecurity policies.
They do a lot of the same work that security research and consulting firms do, but for insurers one thing they do is to test the security posture of insurance policy holders. The goal isn't just to find out what's wrong with a particular company — although they do that and pass it on to the insurer, who passes it on to their customer — but also to develop systematic methods of risk analysis.
Insurers have old, tried and true ways to rate the risk of customers for more conventional forms of insurance, like homeowners and professional malpractice, but cybersecurity insurance is both new and increasingly competitive. It creates an uncomfortably risky situation for the insurers themselves. The "data-driven risk management" BitSight is working on, explained by Boyer in a recent webinar, might help insurers to price the risk more accurately, and this will be better for everyone (at least in the big picture).
They know a few things about risk profiles generally; for instance, once companies experience a breach, they take the measures to prevent the next one far more seriously. The hard part is preventing that first breach. Most of what insurers know about companies comes from self-assessments which, like PCI assessments, often are more reflective of wishful thinking than of facts on the ground. (Apparently they are termed "aspirational" in the business.)
A great way to rate companies accurately would be to pen-test them, not just on application, but periodically and without warning. This is far too expensive for an insurer to require as a matter of course, although a company which performs such tests on their own undoubtedly qualifies as a better risk.
Instead, BitSight partners with other security intelligence firms to analyze intelligence world-wide for signs of problems for customers. For instance, if a computer on the network of one of the insured companies is observed connecting out to a known C&C (command and control) server, it's a pretty good sign that there's a compromised system in that customer network.
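To make the C&C-contact signal concrete, here is an added example (not BitSight's method or code, and not from the article) of the defensive check behind it: outbound firewall log lines are matched against a list of known command-and-control indicators, and the internal hosts that contacted them are reported. Everything in it is constructed: the log lines, the indicator list (using IETF documentation address ranges and a made-up domain), and the log format; the column names and the parsing regex are assumptions chosen for the example.

```python
import ipaddress
import re

# Constructed indicator feed, the kind of list a partner intelligence firm
# might share: single IPs, CIDR ranges, or domains. All values are made up
# (203.0.113.0/24 and 198.51.100.0/24 are IETF documentation ranges).
C2_INDICATORS = [
    "203.0.113.45",              # single C2 IP
    "198.51.100.0/24",           # whole hosting range flagged as C2 infrastructure
    "update-check.example.net",  # C2 domain (subdomains count too)
]

# Constructed outbound firewall/proxy log; format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z ALLOW src=10.0.5.17 dst=192.0.2.10 dport=443 host=www.example.com
2024-03-01T08:00:09Z ALLOW src=10.0.5.17 dst=203.0.113.45 dport=8080
2024-03-01T08:03:44Z ALLOW src=10.0.7.2 dst=198.51.100.77 dport=443
2024-03-01T08:04:10Z ALLOW src=10.0.5.17 dst=203.0.113.45 dport=8080
2024-03-01T08:05:00Z ALLOW src=10.0.9.9 dst=192.0.2.10 dport=443 host=cdn.update-check.example.net
2024-03-01T08:06:00Z DENY src=10.0.9.9 dst=203.0.113.45 dport=8080
malformed line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+)(?: host=(?P<host>\S+))?$"
)


def compile_indicators(indicators):
    """Split a mixed indicator list into (network, original string) pairs and a domain set."""
    nets, domains = [], set()
    for ind in indicators:
        try:
            nets.append((ipaddress.ip_network(ind, strict=False), ind))
        except ValueError:
            domains.add(ind.lower().rstrip("."))
    return nets, domains


def match_indicator(dst_ip, host, nets, domains):
    """Return the indicator the destination matches (IP/CIDR first, then domain), or None."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        addr = None
    if addr is not None:
        for net, original in nets:
            if addr in net:
                return original
    if host:
        labels = host.lower().rstrip(".").split(".")
        # Walk up the name so a listed parent domain also catches its subdomains.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                return candidate
    return None


def find_c2_contacts(log_text, indicators):
    """Summarise, per (internal host, indicator), every contact with known C2 infrastructure.

    Denied attempts are kept: a blocked beacon still means the source host is
    probably compromised. Lines that do not parse are counted, not silently dropped.
    """
    nets, domains = compile_indicators(indicators)
    hits, skipped = {}, 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ind = match_indicator(m["dst"], m["host"], nets, domains)
        if ind is None:
            continue
        rec = hits.setdefault((m["src"], ind), {
            "src": m["src"], "indicator": ind, "attempts": 0, "allowed": 0,
            "first_seen": m["ts"], "last_seen": m["ts"],
        })
        rec["attempts"] += 1
        if m["action"] == "ALLOW":
            rec["allowed"] += 1
        rec["last_seen"] = m["ts"]  # log assumed to be in chronological order
    ordered = sorted(hits.values(), key=lambda r: (r["src"], r["indicator"]))
    return {"hits": ordered, "skipped_lines": skipped}


REPORT = find_c2_contacts(SAMPLE_LOG, C2_INDICATORS)

if __name__ == "__main__":
    for h in REPORT["hits"]:
        print(f"{h['src']} -> {h['indicator']}: {h['attempts']} attempt(s), "
              f"{h['allowed']} allowed, {h['first_seen']} .. {h['last_seen']}")
    print(f"skipped {REPORT['skipped_lines']} unparseable line(s)")
```

On the constructed log this flags three internal hosts: one that repeatedly reached a listed C2 IP, one that contacted an address inside a flagged range, and one whose connection to the C2 domain went through a CDN hostname while a later direct attempt was blocked. The per-host grouping is what an insurer's partner would pass along; the raw match alone says little until it is tied to an asset.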
Boyer says about one in three companies has a policy like this. While it has the potential to decrease risk for customers, insurance also has the potential to induce "optimism bias," i.e. the sense that you don't have to worry about the problem as much because you have insurance. This is plainly a stupid attitude — do you drive recklessly because you have auto insurance? — but it happens.
But insurance can help to bring about the normalization of this business and make the sloppiness of such thinking more obvious to everyone, and the result might be that everyone's security profile rises.
That would be good.