Assessing Cyber Risk in a World of Relative Risk- “Cyber Telematics” A New Approach for Cyber Insurance

cy·ber tel·e·mat·ics

ˈsībər/teləˈmadiks, noun: A new product class within an existing class of insurance industry technologies, in the branch of information technology that assesses, monitors, and transmits computerized information about IT network risk generally for risk management and insurance purposes.

The Chairman of the Board turns to the CEO and says, “It’s 2017- What is our company’s cyber risk profile? How do you measure it? How do we compare against our peers? And what do are we doing about it?” The stomachs churn inside the Chief Financial Officer, Chief Risk Officer, and Chief Information Officer sitting outside the Boardroom. Tough questions that need solutions.

As telematics technologies are revolutionizing the car insurance industry, so will a combination of big data, fast network speeds, and new adaptation of similar telematic-like technology concepts address significant challenges in cyber security, organizational cyber risk management, and cyber risk transfer.

What are telematics? Proprietary sensor technologies like Snapshot from Progressive Insurance that plug into a car, monitor driving, and communicate data over the cell or Internet networks, which helps providers accurately price risk in policies based on actual individual driver behavior, rather than using proxy actuarial on large populations or generic cohorts. A new approach to adapting this concept to “cyber telematics” will allow businesses and insurance providers to know and understand their individual network risks and compare and monitor their network risk against other peer companies. Corporate customers want to “know and understand” their cyber risks so they can reduce, avoid, and mitigate those risks, or transfer them. Insurers need to “know and understand” their exposure so they can write, price, and distribute their risk portfolio appropriately. “Cyber telematics” embrace and address the five major challenges in accurately assessing cyber risk for the cyber insurance and cyber organizational risk management.

“The use of these data-collection devices, called telematics, is part of the Internet of Things, and it is the future of insurance. In the near future, telematics will change everything about how insurance companies evaluate risk and communicate with customers. Data is the lifeblood of the insurance industry. Without good data, actuaries, and underwriters can’t charge accurate premiums... Some of this data is relatively straightforward, such as life expectancy factors and driving risks, but all of it depends on people other than the actual insured. Telematics promises to consider the individual, rather than the group, to provide better premiums for more customers.” Saar Yaskovitz Source

The Challenge of 2017: Cyber Risk Management

Cyber risk is a “hyper-dynamic” business risk model because of the highly complex interdependencies that create vulnerability. An inverse relationship exists between the exponential growth in victims and attack opportunities through the dependency of complex information and telecommunications networks, third party network-based relationships, and the rapid expansion of operational technologies networked across the enterprise. Hyper-complexity in risk interdependencies between business processes, technologies, suppliers, customers, and employees are exacerbated by the low barriers to entry, lucrative payouts, and extremely low risk for malicious cyber threat actors. It’s a tremendous challenge for businesses seeking to manage their risks and insurance providers seeking to insure their risk.

“Year of the Breach” Drives Urgency in Cyber Risk Management

As 2016 may become known as the “year of the breach”, companies seek to reduce their organizational cyber risk, protect their network integrity, and transfer their cyber risk through additional insurance coverage. The Wall Street Journal stated cyber insurance is the fastest growing insurance product in the United States, and global demand is expected to continue to dramatically increase to a $100B market within 10 years. Source Cyber insurance providers seek to accurately assess the risk and vulnerabilities of insurers’ networks, accurately price that risk into policy premiums, and gauge their overall cyber policy portfolio exposure. There is a significant challenge for the insurance industry to balance risk, coverage, cost, and exposure so the coverage is valuable and affordable for corporate customers, and profitable at scale for the industry.

Adapting a vehicle telematics approach to cyber risk assessment and monitoring offers tremendous promise in both concept and practice. The name “cyber telematics” will likely be forgotten like the “horseless carriage,” but the conceptual approach is already market-proven by products like Progressive’s Snapshot. The National Association of the Insurance Commissioners (NAIC) and the Center for Insurance for Policy Research on Usage-Based Insurance and Vehicle Telematics highlights the value of telematics for the insurance industry and consumers:

“Vehicle telematics, integrated navigation, and computer and mobile communication technology used to directly monitor driving behavior allow insurers to use true causal risk factors to accurately assess risks and develop precise usage-based insurance (UBI) rating plans. Furthermore, with premium accurately reflecting true risks, policyholders are incentivized to adopt risk-minimizing behaviors with benefits accruing not only to consumers and insurance companies, but also to society as a whole.” Source

“[Telematic] Technology, due to advancements and reductions in price, allows insurers to directly measure factors that determine risk. By using UBI rating factors instead of traditional rating proxies, insurers could offer an 80 percent discount on the best drivers and still be profitable.” Source

Two key predictions for Cyber Insurance Trends in 2017:

“Moving forward, not only will it be important for insurance companies to better understand the risks facing individual clients, but they will need to view this data over their entire portfolios to understand aggregate risk and ensure they are not over extended.”

“…to make cybersecurity insurance credible and to justify its costs, companies and underwriters will use a Big Data analytics approach in 2017, adding: Beyond the data, there will be a new focus on what happens during the lifetime of a business relationship. Underwriters will begin developing programs that drive better security hygiene. In the same way that health insurance providers developed no-smoking policies or provide discounts for gym memberships, cyber insurance underwriters will reward companies for taking a more proactive approach toward cybersecurity.” Source

Insurance industry and government benchmark reports highlight five significant cyber risk management challenges facing businesses, technology providers, and the insurance industry:

1) The Challenge of Missing Actuarial Data

Understanding the problem: “Due to the poor quality of data and the fast changing risk landscape, there is no established method to model cyber risk, and not much research has been done so far. The poor quality of data required insurers to analyze cyber risk from a technical rather than a statistical point of view….” Source “Today, in the absence of such data, insurers compensate by pricing that relies on qualitative assessments of an applicant’s risk management procedures and risk culture. As a result, policies for cyber risk tend to be more customized than policies for other risks, and, therefore, [potentially] more costly.” Source Ultimately, the question remains, do the current methods of assessing qualitative or quantitative cyber risk correlate and give the insurer and business visibility into their actual cyber risk?

Addressing the Challenge: Since the 1930’s researchers have known that an accurate representation of an individual’s behavior would be far more advantageous too both the customer and the insurer, rather than writing and pricing policies against generalized “100 years” of actuarial data. Source It’s only been the last 10-15 years that technology could enable this advantage and even more recently in “real-time”. As telematics takes clear advantage of this advancement in technology, so can new “cyber telematics” provide insurers and businesses deeper visibility into network risk that is accurate, reliable, and extends across the entire enterprise.

• Use “cyber telematics” to improve internal visibility and risk awareness across the current network security investment by coupling new internal security middleware with pervasive cloud-based monitoring to gain unprecedented risk visibility without adding the burden of labor, training, and distraction.

• Use “cyber telematics” to comprehensively assess INTERNAL network risk by monitoring (device and user) behavior through next generation machine learning behavioral threat detection algorithms; assess the presence through malicious threats and actors through aggregate threat intelligence analysis beyond the security stack and across the entire enterprise; and also monitor violations of security policy across the enterprise.

• “Cyber telematics” combines an INTERNAL security middleware with complimentary pseudo-AI EXTERNAL technology to non-cooperatively assess “peer” or cohort networks. Comparing the INTERNAL risk assessment score of the prospect network and the weighted scoring risk against EXTERNAL network risk assessments of other peer business networks provides a threat assessment score distribution to evaluative the relative risk.

Security engineers carefully reviewed analyzed huge data sets of malicious events and data breaches resulting from a toxic cocktail consisting of attackers advantages, visibility gaps, and performance shortfalls in security technologies. A new approach to “cyber telematics” for network risk assessments and continuous monitoring addresses the critical void that lies between traditional SIEM tools and network monitoring/management tools in enterprise risk visibility. This new approach significantly enhances threat detection and visibility to match next generation machine learning awareness against automated attack vectors.

“Cyber telematics” is a new security product vertical emerging that is a unifying and overwatch security layer not intended to supplant or replace existing security technologies. This new security middleware exposes and monitors gaps in security performance across the enterprise. The security investment of today’s network is escalating dramatically, and it’s necessary that these visibility and risk awareness shortfalls be addressed to monitor risk, but without adding more complexity and architectural changes. An effective defense in depth strategy requires technologies to work together in unity of effort, a 'better together' philosophy with other security technologies. A new approach with “cyber telematics” is specifically designed to be integrated into existing SOC/SIEM/Ticketing workflows with ease. Understanding the challenges and designing the solution with Progressive’s Snapshot simplicity and elegance in mind…with “cyber telematics” businesses should be able to “plug in and drive” as well…

New “cyber telematic” technology case studies show large “best-in-lass” networks with high volume traffic that the amount of malicious events identified by this new approach can be 40%+ or greater. This new approach with “cyber telematics” provides maximum fidelity and visibility into user behavior, network devices, malware and threat activities, and security policy violations. The result is it improves cyber risk awareness, assessments, and internal monitoring far greater than other qualitative or quantitative methods. Like capturing “historical” driver data through a telematic device or conducting constant monitoring of a driver, cyber telematics case study data shows high fidelity cyber risk network assessments can analyzed historically with available metadata and also monitor in real-time, or both.

The advantages for customers are clear. They have deeper visibility for cyber threats, network traffic, and other issues across their enterprise within a coherent reporting framework. They can then address these issues to reduce risks to their enterprise. They can gain this visibility without replacing ANY existing security hardware, being burdened, or distracted by additional manning, or training.

The advantages for insurers are unprecedented transparency and visibility in cyber risk and also the ability to validate policyholders risk mitigating activities. This gives clear advantage in assessing, pricing, and writing cyber risk policies and managing an insurers risk portfolio exposure. Adapted Model- Source

2) The Challenge of Adequate Risk Models

Understanding the Problem: “Risk analysis means that consequences, probabilities of occurrence and risk levels are estimated. The estimation of probabilities of occurrence is one of the biggest challenges in this part of the risk management process. Since cyber risk is a relatively new risk category, there are not much data available for an adequate estimation of probability… Especially for insurance purposes, a pure number of data breaches is not sufficient when calculating premiums, capital or reserves. Instead, a price tag corresponding to the potential claim has to be allocated to each data breach…Furthermore, cyber risk is very dynamic, fast moving, and is subject to significant risk of change, which is why statements for the future, estimated by statistical surveys from the past, must be viewed with caution.” Source

Addressing the Challenge: Adopting telematics to cyber requires new technologies to assess risk of the prospective network with much greater fidelity and visibility and also address the problem Saar Yaskovitz raises in the opening quote, “but all of it depends on people other than the actual insured.” Considering an epidemiological ‘relative risk’ models seems appropriate. A prospective business network functions in an environment of ubiquitous risk. Like measuring the risk of an Ebola exposure at an international airport after a breakout in Eastern Africa, the exposure risk is incredibly complex and dependent on a meaningful set of variables. It is fully understood, that all networks are exposed to malicious threats. All networks can be compromised. Measuring cyber risk is dependent on assessing and understanding internal vulnerabilities and the external attack exposure of a prospect network. Meaningful cyber risk assessments must assess and understand the IT infrastructure attack surface of the prospect network and then also be able to contrast the external risk profile of “peer” networks within a comparable cohort.

What is the relative risk of one business network to compromise, when compared to other “peer” networks in their cohort who are all conducting normal business activities on the “live” Internet? A cohort could selected based on operational considerations such as market, vertical, financial metrics, customer metrics, product attributes, and or a technical comparisons such as number of network endpoints, security technologies, etc.. “Cyber telematics” could also provide the visibility required to actually assess and compare aggregate cyber risk across an insurers portfolio. “Cyber telematics” case studies now under way compare external threat scoring of “peer” networks as determined by data sets from third parties who compare and rank companies for industry purposes. The ranking and grouping of cohort data is “operationally, functionally, and performance” oriented.

3) The Challenge of Accurately Assessing and Monitoring Cyber Risk

Understanding the Problem: “Despite the growing threat, many companies continue to treat cyber risk as an IT problem, separate and apart from the other business risks they face. Without including cyber risk within existing ERM programs, however, they really are not “doing ERM.” Consequently, they often are blind to their true risk profiles and may not be prioritizing their risk management resources most effectively.” Source

Understanding the Problem: “In each step of the classical risk management process, cyber risks show special characteristics. The first and maybe most important aspect for sound cyber risk management is that cyber risk management is not the responsibility of the IT department, but a cross-company risk dialogue is necessary (e.g. sensitization, trainings etc.). The topic also should be embedded at the C-level.” Source

Understanding the Problem: “Despite these manifold instruments, information asymmetries still pose a significant problem for the insurability of cyber risks. For instance, because of complex interrelations in modern IT systems, firms might be vulnerable to cyber risk even though they have invested in self-protection.” Source

Understanding the Problem: “Companies that have experienced a serious cyber-attack are more likely to buy insurance (Shackelford, 2012), thus resulting in adverse selection. The insurers in the market try to alleviate adverse selection effects by screening (e.g. up-front audits), self-selection (e.g. questionnaires in the underwriting process), and signaling (e.g. certificates for IT-compliance). In addition, there is moral hazard (i.e. the change of behavior after purchasing insurance). One example is the insured’s lack of incentive to invest in self-protection measures following the purchase of insurance, if full coverage is offered. Insurers use instruments such as screening (e.g. audit) and risk sharing (e.g. deductibles, cover limits) to reduce moral hazard.” Source

Understanding the Problem: “It’s like running in a race without a finish line. As organizations bolster their defenses, adversaries adjust their strategies and methods of attack. New “zero day” attacks are conceived and launched. Organizations scramble to respond. This dynamic will continue—from our vantage point—for decades to come.” Source

Addressing the Challenges: A new approach to network risk assessment and monitoring with “cyber telematics” embraces the disappointments and uncertainty within many aspects of the traditional quantitative and qualitative approaches. Providing and sustaining accurate network risk assessments within the current threat landscape requires new agile technologies that evolve along with emerging attack vectors, deliver contextual risk awareness, and provide multi-layer visibility of the network security posture. To that end, new “cyber telematics” sensor capabilities have developed a comprehensive and automated breach detection framework that constantly evolves to counter advancements in emerging security threats. Through the use of multi-layer inspection of network, application and endpoint metadata, “cyber telematic” sensors detect breaches as they occur and thus significantly reduces meantime to remediation.

This new approach in “cyber telematics” is driven by using existing IT infrastructure and applications as a distributed sensors network coupled with narrow AI to learn and adapt to emerging conditions. Coupling these technologies and capabilities was specifically designed with the security analyst in mind to REDUCE the workflow and information overload and reduce cyber risk blind spots. This new approach with cyber telematics has proven success in increasing risk and threat awareness by 40%+ in large “best in class” network security stacks.

This new approach with “cyber telematics” has proven success in providing holistic threat detection for Fortune 100 Industry networks that already rely on best-of-breed security technologies.

• To reduce noise and false positives, traditional SIEMs, event correlation, and heuristics are de-tuned to ignore many event combinations that will naturally indicate malware, bruteforce, recon and other adversary activities.

• By applying parallel behavioral threat detection, threat Intelligence and Policy-based threat detection, the sensing and assessment methods unify network visibility across many network/application layers without loss of fidelity or increasing false positive rates.

• SIEMs and search-based security tools require human analysts to interpret sometimes overwhelming amounts of information, often without critical context, to ultimately discern good events from malicious events. Conversely, this new “cyber telematics” technology tracks behavior of all active network entities and has a firm, but adaptable, sense of good versus malicious events that has no dependencies on static signatures or heuristics.

Adapted model Source

4) The Challenge of “Knowing your digital profile”- Externally, Accurately Assessing Cyber Risk

Understanding the Problem: “Big Data approach to analyzing cyber risk—the “outside-in” perspective hackers look for opportunity and probe for weakness—a combination of the value of your assets and vulnerability of your systems. Big Data can now be harnessed to assess the likely motivation for and potential susceptibility to [malicious] cyber events by relying exclusively on data points beyond an organization’s perimeter. This is the outside-in approach. In the digital era, each organization creates a footprint through its online activity. Your business, just like an individual, leaves a trail of digital breadcrumbs behind. Aggregating these and hundreds of other data points over time yields…scores that can be used to benchmark your organization against past performance and the performance of your peers.” Source

Addressing the Challenge: This new approach with “cyber telematics” requires coupling technologies that provide unprecedented internal visibility across enterprise risk and also external visibility beyond the network edge. Understanding a network’s risk from the vantage point of the attacker is essential to assessing risk. Reliable external cyber risk indicators can be automatically collected, monitored, and scored.

The capabilities and specific external risk factors (below) accurately describe the complimentary software technology which coupled with internal capabilities within cyber telematics provides the network and external threat visibility required to identify, understand, and compare network risk of the prospect network.

Automated External Risk Assessment Technology Capabilities:

• Must be able function in an unobtrusive, non-cooperative manner unlike standard penetration testing and other conventional methods.

• Must be able to assess and collect data at scale, rapidly, and target the specific network for the assessment and their Internet facing devices (attack surface).

• Must be able to collect quick “snapshot” reports and also be able to conduct periodic, or constant monitoring of external risks and indicators of compromise beyond the network edge.

• Must be able to also conduct open web, deep web, and dark web searches for indicators of compromise.

External Factors for Evaluating Network and Cohort Risk are:

• Network Compromise or Data Breach Detected

• Outbound Email-based Malware Detected

• 3rd Party Domain Risk

• Live Phishing Sites

• Recent Threat Intel Events

• Significant Attack Surface Items Identified

• Significant External Vulnerable Applications Identified

• Significant Attack Surface Identified

• Significant Network Attack Data Breach Detected

• Internet-based Malware Samples Identified

• 3rd Party Risk

• New External Indicators of Compromise

“Cyber telematics” as a new approach to benchmarking cyber risk, assessing and comparing prospect network risk and cohort cyber risk, and then monitoring for changes in the risk profile.

5) The Challenge of Collecting and Analyzing Cyber Cohort Data

Understanding the Problem: Missing actuary data, if available would provide some insight to a generalized risk model. Most experts agree for assessing cyber risk network complexity, significant variability in network-to-network technology, and variability in attacker behavior and threats would make generalized risk models insufficient. Extreme reluctance for companies to discuss and share data on network defenses, architecture, and security incidents are significant obstacles for most conventional approaches to compare risk. The data that is available is limited, inconsistent, manually intensive to analyze, and not readily comparable.

Addressing the Challenges: Coupling technologies within “cyber telematics” means being able to capture a detailed internal risk assessment data, sustain internal monitoring, and adjust the internal scoring as risk changes over time with the external risk profile. Complimentary technologies must provide an external network risk assessment gathered from the attackers point of view. Cohort data must be also be collected externally, from the same vantage point of attackers. “Cyber telematics” new approach mimicking a “relative risk” model compares the prospect network’s internal and external risk profile to cohorts external risk profile. As the prospect risk profile internal and external scores are assessed, weighted, and compared, the external model is validated. The external model is used to collect external cohort risk data against a sample set of “peer” networks, assess their individual external risk profiles, and determine the cohort set score average. The average cohort score is compared to the prospect network’s risk score. Relative risk is then determined for the prospect network under real-world conditions as directly compared to other “peer” cohort networks.

What is the criteria for identifying a peer network to be included with the cohort sampling? The criteria could be operational or performance focused. For example, a similar-sized company, in the same market vertical, with comparable revenues, customer data, common technologies, and other aspects often used by industry organizations to rank companies. The comparison criteria could be technically focused using details such as number of endpoints, security technologies, operating systems, etc. though embracing the reality of ubiquitous network risk, such a detailed, technically-driven comparison may have limited value for assessing cyber risk in real-world conditions.

Understanding the Problem of Ubiquitous Cohort Cyber Risk:

Question: Which zebra in the herd is at greatest risk?

Answer: The one the lion chooses to chase.

How cohort data is collected, is essential to consistency in scoring, scaling the size of the cohort sample set, and monitoring changes in risk scores over time.

Anonymity in collection is also important and also is the ability to externally assess networks without significant signatures to alert or alarm evaluated networks. The data must collectable through an automated process, non-cooperatively, and at scale if necessary for larger cohort comparisons. Constant monitoring of the cohort risk scores will be extremely valuable to understand cohort risk versus individual network, and policy risks. Changes in cohort risk could indicate a common vulnerability, or industry specific shared risks targeted by attackers for unknown reasons or even certain common susceptibility to commodity malicious threats.

Conclusion

Big data, fast network speeds, and new “cyber telematics” technologies powered by next generation capabilities can address significant challenges in cyber security, organizational cyber risk management, and cyber risk transfer. A new approach using “cyber telematics” can address five major challenges in assessing cyber risk for cyber insurance and cyber organizational risk management. “Cyber telematics” will allow businesses and insurance providers to know and understand their individual network risks and compare and monitor their network risk against other peer companies. Corporate customers can leverage greater visibility and awareness of cyber risks to reduce, avoid, and mitigate those risks, or choose to transfer them. Insurers can observe, analyze, and mitigate their exposure so they can write, price, and distribute their risk portfolio appropriately.

Businesses and insurers can carefully observe and act on changes in cyber risk scores as they understand the impact of enterprise risk management choices, practices, and changes in technology. The win for both industry and insurance companies, is the ability to measure and reward cyber risk reduction strategies that are effective under real-world conditions and daily operations.