Zero Trust, Insurance and Risk
The issue of cyber insurance came to mind after a recent article was published about a claim brought against a security vendor by an insurance company concerning a breach in 2008. There are various aspects to the claim including liability for not detecting malware; where this case will go is another matter. Claims on cyber insurance are not always straightforward. However, the issue of cyber insurance has become part of the lexicon of cyber resilience.
When assessing risk and deciding on the appropriate response, there are three options: accept, mitigate or insure. In recent years, cyber insurance has risen as a topic. Fourteen years ago, I recall trying to work with a major insurance broker on the concept of cyber insurance. It did not have much market pull. Now insurance brokers have adverts leaping out from web pages, festooning public places and appealing to us from the radio. So there must be money in it.
What are the areas of risk that may be covered? A straightforward policy may cover losses associated with a data breach, including:
- The costs of incident response, forensics and other investigations
- Repairing and restoring assets such as websites, networks and data
- Legal costs
- Business disruption and non-availability
- The PR costs of minimising brand damage and informing customers
In 2016, the Cambridge Centre for Risk Studies produced a Cyber Exposure Data Schema with 19 categorisations of cyber loss coverage. These covered loss areas from data breach to physical damage and injury to people, exemplifying the broad spectrum of risks that may result in liability.
But how does the CISO prepare an analysis of the potential costs so that a risk-based decision can be made? There are now many models that set out to quantify a loss so that a cost vs. risk comparison may be made. But no forecast can ever be 100 percent accurate. Insurance has its place, but there will always be a risk in insuring against risk. It is more of a Russian doll solution than an exact science.
A 2016 survey of insurers by PWC, albeit on a small sample set in London, found that 85 percent of respondents claimed to have a loss estimation methodology; yet those methodologies were also simplistic and had, in the past, underestimated the risk.
With the insurable risk being difficult to estimate for both insurers and security professionals, it will always make sense to close the stable door to prevent the expenses from bolting. A zero-trust approach is one way of understanding and securing access to the corporate applications’ doors.
The first benefit is to prevent a breach by reducing the risk posed by compromised credentials. Only allow controlled access to an application after the user has been authenticated and their device assured: a multi-lock approach.
But how else can this approach reduce the risk or impact of a compromise? During a breach, there is seldom a clear and exact solution or identification of the cause of the breach. It can take time. So rolling out multi-factor authentication (MFA) rapidly can bring control to a corporation and protect against further misuse of compromised identities by the attackers.
This can be especially helpful when there is a mixed environment with cloud providers, corporate users and outsourced employees all accessing the same applications and data. As the digital investigation continues, the authentication logs can be fed into the analysis process to provide greater intelligence and insight.
In the event of a disruption that requires business continuity plans to be dusted off and applied, a zero-trust approach enables high-risk users to change their working practices and deploy to new locations. So if there is heavy snowfall preventing people getting into work - in the UK this means more than an inch of snow - then remote yet trusted access to key applications can continue. This is not mitigating the cost of a cyber breach but the cost of business disruption, an added benefit of the zero-trust approach.
An organization’s risk profile can be improved by the more rigorous analysis of the importance of different applications. Having to manage and control access enables applications to be risk-rated from a business perspective. When users are set up in a zero-trust environment, the process will highlight where the business may be most vulnerable from a compromise or disruption.
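To make the multi-lock idea concrete, here is an added example (not code from the original article or any product) of an access decision that combines user authentication, a second factor, device assurance and a business risk rating for each application. The application names, risk ratings and the `incident_mode` switch that models a rapid MFA roll-out during a breach are all constructed for illustration.

```python
"""Zero-trust access decision: user authentication, device assurance and
the application's business risk rating combine before a door is opened."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool   # identity verified by the identity provider
    mfa: bool             # second factor completed for this session
    device_managed: bool  # device enrolled and passing posture checks
    user_type: str        # "employee" or "contractor" (outsourced staff)
    app: str


# Constructed example ratings, as a business would assign them to its apps.
APP_RISK = {"intranet-wiki": "low", "hr-portal": "medium", "payments": "high"}


def decide(req: AccessRequest, incident_mode: bool = False,
           app_risk: dict = APP_RISK) -> str:
    """Return 'allow', 'step-up' (ask for a second factor) or 'deny'.

    incident_mode models the rapid MFA roll-out during a breach: every
    application then requires a second factor regardless of its rating.
    """
    if not req.authenticated:
        return "deny"
    # An application nobody has risk-rated is treated as high risk: fail closed.
    risk = app_risk.get(req.app, "high")
    needs_mfa = incident_mode or risk != "low" or req.user_type != "employee"
    needs_managed_device = risk == "high"
    if needs_managed_device and not req.device_managed:
        return "deny"  # a second factor does not compensate for an unassured device
    if needs_mfa and not req.mfa:
        return "step-up"
    return "allow"


def log_record(req: AccessRequest, decision: str, incident_mode: bool = False) -> dict:
    """Flat record for the authentication log that later feeds the investigation."""
    return {"user": req.user, "app": req.app, "user_type": req.user_type,
            "mfa": req.mfa, "device_managed": req.device_managed,
            "incident_mode": incident_mode, "decision": decision}


if __name__ == "__main__":
    r = AccessRequest("alice", True, False, True, "employee", "payments")
    print(decide(r), log_record(r, decide(r)))  # step-up, plus the log line
```

The same evaluator also covers the business-continuity case above: a user working from a new location still gets in as long as the identity, second factor and device checks pass, because location is not one of the locks.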
For insurers, this results in what is referred to as silent cyber risk. That is, risk that is not a direct consequence of a cyber attack. For example, a successful attack on a certain application may also give rise to claims under a professional indemnity policy. Clearer control of access by users may shed light on this area of concern.
Zero trust provides a great opportunity to implement a simple method of reducing the risk of a breach through compromised accounts. It enables better control over who can use an application in today's complicated technology environment. But a CISO should not lose sight of how it provides much more benefit to the risk-based accept, mitigate and insure approach to cyber resilience.
This brings us back to the issue of cyber breach insurance. When it comes to assessing the cost of cyber insurance, the better the state of security, the easier it is for a premium to be calculated. Having a zero-trust approach improves cyber resilience as a whole and may help pay for itself by reducing those premiums.