Cyber-insurance and other security storms

If there was ever a summer for security in the enterprise climate, that’s officially over. Meet the signs of new, windy weather: security blindness, insurance, the platform approach and network-reborn-as-security/otherwise.

Pratima Harigunani

Pratima H

INDIA: Insurance in the cyber-security realm may sound like quite an odd word, and at the same time something that evokes ‘hey-why-did-we-never-think-of-this-before’ reactions.

Believe it or not, the cyber insurance markets have been pacing forth at 25-50 percent CAGR each year. In fact, The Betterley Report 2015 points out that annual policy premiums are touching $2.75 billion, and Allianz estimates that premium income can rise to some $20 billion by 2025. Almost 40 per cent of Fortune 500 companies have been procuring insurance against cyber incidents, and a PwC 2016 survey reveals that 59 percent of organizations incorporate cyber insurance into their strategic plans to manage cyber risks.

If a recent Betterley Report is anything to go by, this new market is being sliced into two kinds: organizations that are troubled by lots of breaches (read larger organizations as well as retail and health care) and those that so far have not been experiencing the same frequency of breaches. The report guessed that the public sector could join the first ‘troubled’ group shortly, if it has not already.

As per this Cyber/Privacy Insurance Market Survey 2015, premiums have grown, and insureds have been picking higher limits and additional types of cyber coverages (such as extortion and theft). The levels of claims have also been northbound given the proliferation of data breaches and the increasing sensitivity of the public to protection of their private data.

The result has been causing the insurance market to turn a new leaf – with insurers responding to the suddenly-large number of breaches by using more precise underwriting tools, or by offering improved risk management services, or as seen in a few cases, laying off more risk to the reinsurance market.

What really jumps out here is how insurers are helping insureds select and implement improved risk avoidance and mitigation techniques, along with opening up the doors for pre-breach services, as well as post-breach action, as additional reasons to buy the coverage.

No doubt the market is rubbing its sleepy eyes with a new anguish. The Allianz 2016 Risk Barometer warns that cyber incidents are considered the No. 1 emerging risk for the long-term future (at 33 per cent, while terrorism itself stands at a 9 per cent mark). This new-fangled cyber security insurance market could easily triple in size by the end of the decade, as the SANS Cyber Insurance Survey projected.

But what about the ever-present communications gap between underwriters and insureds?

How to get a grip on the coverage and scope when the threat environment changes with every blink of an eye?

How to get the market ready for this new format with appropriate legal terminology, coverage assessment tools and claims processing?

There are attempts in the form of the U.S. government’s NIST framework, better ways of forecasting loss ratios, risk management and post-breach services, as well as loss-prevention measures and remediation tools.

But still this new breed of insurance cannot work like its predecessors that relied on actuarial tables based on 100 years of historic data, can it?

How would areas like accumulation risk be sorted out when the same cause of loss affects multiple insureds, leading to massive claims?

How would one have even a ballpark figure on PML (Probable Maximum Loss) with cyber threats?

How would first-party and third-party liability issues be worked out?

If you look at the Hanover Cyber Insurance survey at this point, you would also notice that when insurers put enterprise risk management philosophy at 25 per cent but encryption at 3 per cent, there is still much road to cover on the individual broker’s ability to grasp exposures and coverage nuances too. No wonder the Council of Insurance Agents & Brokers found, in a survey, 71 percent of brokers admitting to little to no clarity about what is covered.

This is indeed, a new planet altogether. Talk of cyber-threats and the same sentiment goes for having a unified platform fabric instead of a patchwork quilt of many solutions.

Surendra Singh, Country Director, Forcepoint, fleshes out the why and how of this evolving aspect, along with other new buzzwords that are catching a lot of attention and pockets. As he fields many doubts, he also underlines the crucial need for ‘all-hands-on-deck’ when it comes to vendors fighting the threat tempest with a fist instead of fingers.

Tell us something about cyber-insurance’s advent?

Of the billion dollars in cover for insurance, a notable percentage is for cyber-threats. As an industry we are not quite ready to evolve with the risks and tools required here. The market has woken up to that idea but is at a very nascent stage. It is still important. Qualification of risks is something that the market will have to sort out slowly but eventually.

Like every other insurance solution, how tricky is the fine-print part here?

You have to understand the threat landscape well and be able to quantify well. That will take time. Maybe another five to six years.

How would you sum up the current scenario?

Routine attacks happen one at a time and advanced attacks are those that are a series of attacks. So analytics is an important part now in understanding correlations and making sense of anomalies. In a couple of years both platforms as well as security analytics would be stronger to fight threats.

Has security changed from where you look at it? Is it still an expense item for enterprises?

Digital forces have flipped everything. Now any small slip-up can become a life-and-death question. Security has, hence, become strategic. Even CFOs are realizing that it’s not just the enterprise but the entire ecosystem like suppliers and partners that have to be secured. No part in the chain can get compromised. Every back-end matters. Incident plans have become more important. Chances of breach are higher.

You have been underscoring the notion of security blindness recently. What’s the significance?

Despite people spending too much on security, the assurance is actually a missing piece. The very nature of cyber attacks has changed a lot. Let’s face it – a lot of innovation is happening on the threat side. So the security industry has to innovate as well.

Enterprises have a security stance which tends to get complex. One vendor may be good at one thing and the other one would have some other competence so everyone has their own mechanisms and monitoring methods. The result is – too many security pieces. Security platforms with open APIs can solve this issue with good integration and visibility. Industry can find one single thread for better tackling of threats.

As path-breaking as the concept sounds, is it pragmatic to come by, especially when there is so much competition and standards are fragmented?

Yes, it’s not as easy as one may desire. Many organizations have tried and failed. But now is the time to address this with a renewed effort. It is a big question now, and not just for the security industry but for the entire digital economy as well. It’s almost a life-and-death scenario. We have started working on architecture with the platform direction already.

Elaborate. Especially in the context of new IT environments.

Forcepoint was created to empower organizations to drive their business forward by safely embracing transformative technologies – cloud, mobility, Internet of Things (IoT), and others – through a unified, cloud-centric platform that safeguards users, networks and data while eliminating the inefficiencies involved in managing a collection of point security products. The platform will protect against threats from insiders and outsiders, rapidly detect breaches, minimize 'dwell time' – the period between compromise and remediation – and stop theft.

Through a unified cloud-centric platform to defend against attacks, detect suspicious activity sooner, and give the context needed to decide what actions to take to defeat the attack and stop data theft. Defend, detect, decide, defeat – this is our vision for Forcepoint 4D Security.

The whole software-as-a-X phenomenon has impacted the network side too strongly. Is that a good thing? Does network become a new vulnerability or a new fence for security with this change?

It will be both in a way. It would be a power as well as a challenge. Virtualisation, for instance, reduces dependence on hardware and helps with optimization. But threats will come with new ways and vulnerability-spots.
