A lot has changed since 2015 when cyber security was viewed purely as a cost centre for most companies. “Across S&P Global Ratings we continue to view cyber risk as one of the largest structural risks increasingly impacting the credit landscape in the years ahead,” says Simon Ashworth, chief analytical officer, insurance ratings with S&P Global Ratings in a recent webinar hosted by the credit ratings agency, the 4th Annual Cyber Risk Seminar.

The risks that have emerged since then include the NotPetya and WannaCry malware of 2017, when many organizations were caught by programs that spread from device to device in a “wormable” way that had not been common for malware before then, says Ed Pocock, head of cyber security with Gallagher Re.

“I think other threat actors looked at that and said, you know what? I can do that. This very much kick-started a surge in ransomware that we saw in 2018 and onwards,” he adds. The trend, he says, was further enabled by the rise of cryptocurrencies, which allowed threat actors to move money remotely and with less chance of getting caught.

“All of this has driven a significant amount of change. Investors are aware, boards are aware, c-suite is aware, supply chains are aware of the importance of cyber security and, crucially, the damage that it can do to organizations both financially and from a reputational standpoint if you’re not doing it well.” 

Your CISO is probably tired  

And while investment in cyber security is still broadly increasing, the picture they paint of the concerns and responsibilities of the chief information security officer (CISO) or chief security officer (CSO) is daunting. Indeed, they point out that the average tenure for a CISO is only 18 to 24 months.

“On the whole, CISOs are having a pretty tough time, right? Not only did they need to navigate a fundamental shift in how people work in 2020,” Pocock says, “but they’re also having to adapt to another fundamental shift in how people work with the move to cloud from traditional networks. Those two big things are happening at the same time and that’s before they start answering all the questions about how artificial intelligence (AI) is going to impact business down the line.” 

These executives will also find themselves responsible for the fallout when adequate tools are not provided to employees: Pocock points out that if such tools are not provided, employees will work around them, using whatever tools work for them, whether those are secure or not. Mobile application security, for example, is today the second most important characteristic of cyber risk driving the likelihood of a company making a claim, he says.

There is also the perennial tradeoff of security and usability. “The costs of getting that wrong are greater than before,” Pocock adds. “How secure do I make it? How usable do I make it?” he asks. “If you get it wrong now, it’s easier than ever for employees to go around you.” 

Moreover, he adds, there can be legal implications too. “It’s a tough one for CISOs because they’re not always responsible for the things they need to be responsible for,” he says. “The c-suite needs to be aware of this in decision making and they need to support the CSO and have the responsibility across the organization to identify where processes might get in the way of good security practices. Insurance here, we’re going to be looking at this data, as well.”

Insurance, however, has proven frustrating for information and security executives, who today face companies that operate and make assumptions based on external information sets which can be obtained without asking for access and which can be interpreted erroneously, they say. A specific finding may not actually cause a material change to the organization’s risk profile, for example, or it may already have been taken into consideration and mitigated with controls, such that the organization considers the risk no longer exists.

“From an insurance standpoint, we’re of course going to use all the tools that we have to get the information that we need to make a good decision. There’s only a certain number of questions that we can ask on a questionnaire and there’s only a certain amount of time that we have in underwriting meetings. Also, it’s a useful data set, right? Because it’s the same data that attackers use to pick their targets.” 

For insurance companies, then, he suggests providing that information to CISOs, to help them better quantify investment decisions that would otherwise be hard to justify. He also recommends having strong underwriting guidelines and a clear feedback loop between underwriting and claims.

“Those feedback loops are going to be crucial to constantly identifying the things, the features, the characteristics of risk that are holding us back or letting us down, and then notifying the individual insured,” he says. “Insurance should be an early warning system. I think that’s where the sustainability comes from.”