The CRIF Framework - Residual Risk - what insurers look for
The Cyber Risk Residual
The questions or elements of an organisation that a cyber underwriter (normally through client dialogue with a broker) would look at to assess the cyber risks are very similar to those the stakeholders named above would consider in their own risk approach. The main purpose of the residual risk exercise is to understand what liability an organisation can insure and how that risk transfer translates into better risk management. This is the last stage of the CRIF Framework.
Whilst there are various approaches to underwriting network integrity and privacy exposures, most underwriters attempt to obtain a technical understanding of the flow and type of data, the criticality of the network and the risk management applied. This enables the insurance market to appropriately discount premiums and improve the terms of the contract for organisations that have spent time assessing and understanding the risks to their business and can demonstrate incremental improvements to their network infrastructure, testing environments and employee and vendor management.
“Best Practice” to an insurance market will often mean a corporate culture of awareness and good practice rather than only a mapping exercise against any given “standard”. Many standards currently deemed to be in the “cyber” arena are less focussed on handling reputational impacts, on quantifying and understanding exposures, or on taking an all-encompassing information assurance view rather than simply an IT security perspective. Furthermore, there is less focus on how best practice is delivered into the organisation, which is imperative to underwriters wishing to see a cultural mentality rather than a paper exercise. Training, delivery and the potential for audit and accreditation by third parties will make the “standards” approach more robust. With insurance coverage responding to the “insider threat” (whether malicious or negligent), as clearly identified by many empirical surveys, the focus on culture will only grow.
Whilst a proposal form is the typical means of obtaining high level information, the following themes (not exhaustive) can be expected to improve the underwriters’ view of the risk they face:
The typical questions are as follows:
• Staggered Expectancies – “Benchmarking”
o Large or Global multinational
Insurers should at all times take into account the commercial realities of the cost of higher risk management within an organisation. Therefore it may be typical for companies to be benchmarked against each other within certain industry sectors or revenue thresholds with regard to IT spend and quality of risk management. A small law firm would not be expected to have the same standards as a large bank, despite the exposures that business faces. However, underwriters must bear in mind that such decisions can lead to insurance profitability being marginalised, as small businesses often have a higher frequency of small claims while large businesses have fewer claims but of a more ‘catastrophic’ nature. To ensure the insurance risk transfer process works for business, insurers must ensure policies are adequately priced whilst taking account of the clients’ ability to pay for the insurance. Any delivery model for the incorporation of standards and best practices within a business which can map one organisation against its peers (complex in theory) will assist in this regard.
• Quality of Risk Management
o Generally (non-silo)
o Specifically (Standards, PCI, Vendor Management etc.)
The risk management approach is to be considered from both a Specific or “technical” perspective and from the General co-ordination and approach to risk within an organisation. The General approach includes ensuring that a company operates in a “cyber-savvy” manner by not throwing the burden of cyber/data risk management upon one individual silo, but ensuring that legal, compliance, marketing, the Board and IT (amongst others) are all in discussion and aware of their roles and responsibilities. The Specific risk management an insurance market will look for is typically more aligned to the compliance, legal and IT functions and includes documented policies and controls, awareness of appropriate standards or certifications and the management of exposures arising from third parties.
• Focus on data
o Type, Security, Distribution, Points of Access
o Policies & Controls
Liabilities arising out of data breaches, or indeed first party damage to an Insured, are rarely perfectly aligned to the turnover/revenue of a business; the exposure is better matched to the quality and type of data, an analysis of the points of failure and the protections in place.
Aligned to the quality of risk management are the quality of policy and procedure around privacy and security matters and the robustness of contingency plans. However, insurance markets will be alert to documents that have been produced but are not tested, updated or fit for purpose. A downloaded template that has been vaguely tailored to an organisation is easy to spot for a seasoned underwriter. Furthermore, an underwriter can be impressed if a client has policies in place that go above and beyond the standard “set” of policies seen amongst the company’s peers, e.g. Cookie policies or Bring Your Own Device policies for smaller businesses.
• Industry Sector
Much empirical data on claims history in this area of insurance is still closely aligned to the threat environment and the “typical” exposures of various industry sectors. A financial institution, telecommunications company or critical national infrastructure operator is obviously considered to have a higher exposure base than a cash-only or B2B company. Broad assumptions should not be made by the insurance market, but their data will often be driven by such a split.
A key issue however is how large organisations interact with smaller organisations through supply chains and how a breach of personal or business confidential information or a system intrusion or critical failure could be the result of poor practices at the smaller partner organisation.
Revenue, considered more important by some underwriters than others, can still be a useful guide to the potential exposures, in that larger organisations are more visible targets, hold more data of value and potentially face a larger quantum of exposure or loss.
• Network Dependency
o Online revenue? Critical infrastructure?
As with the discussion on Data above, the ability to correctly underwrite business interruption losses following a network integrity issue must focus on the dependence upon, and type of, the network in place. Many organisations are critically dependent upon IT infrastructure without necessarily selling products online, due to procurement, supply chain, logistics, and computer aided design and manufacturing, to name but a few.
• Operational Jurisdiction
o E.g. USA? Spain?
The privacy and security liability exposures of an Insured are very much dependent upon the geographic scope of their operations and the jurisdictions under which the organisation finds itself accountable. The regulatory environment of the USA at a State level and with regard to federal healthcare legislation, combined with an aggressive plaintiff bar, naturally leads to a higher degree of exposure for those with operations in the US. Another example might be that of the Spanish privacy regulator being funded by the fines it issues, which leads to a more volatile risk environment.
• Relevant Laws & Regulations
o Telco? Data owner or data processor?
Any industry that may attract greater regulatory scrutiny or be subject to additional legal requirements will attract a more significant underwriting premium, but will also be expected to have strong risk management in place.
• Claims experience
o No claims vs. managed to success
It will not be well received by the insurance market if companies falsely state that they have had no circumstances or possible claims that would have been covered by cyber insurance. The majority of companies, even SMEs, face attacks from external threats annually if not weekly or daily. It provides greater credibility if the risk environment of an Insured’s business is known, rather than management being oblivious to matters that have passed. Issues that have been managed to a successful outcome will, for the most part, be underwritten to the advantage of the Insured over a statement that there have been no claims.
o Crime/hacktivist/plaintiff bar threat
Certain businesses have greater visibility than others within the “threat” environment. Large businesses may gain the attention of the plaintiff bar due to the deep pockets of the company. Companies supporting large events, holding themselves out to be of outstanding security, or of questionable ethical standing may be the targets of “hacktivist” organisations. These matters will be considered by insurers.