InsureThink

How data is changing cyber insurance claims


In the past, the process of evaluating cyber insurance claims was fairly simple. An organization would complete a security questionnaire and submit documentation to demonstrate that certain controls existed, and the insurance underwriters would assess its risk based on that information. But as cyber threats evolved at a pace faster than the insurance process could accommodate, a new method was needed to make proper risk assessments.


The challenge for insurers is not a lack of information but the ability to separate the signal from the noise.

With cyber losses on the rise, insurance underwriters are slowly shifting away from relying on self-reported cyber maturity assessments and toward evidence-based underwriting. In addition to identifying whether a control exists in an organization's cyber program, insurers will now validate that the control functions as designed.

The move towards evidence-based underwriting is one of the biggest changes in the cyber insurance industry in recent years.

The end of annual cyber risk snapshots

For a long time, cyber insurance underwriting heavily relied on annual questionnaires and periodic reviews. Organizations reported information about their cybersecurity programs, provided details on controls already deployed and answered questions regarding their overall cyber maturity level.

However, cyber risk does not stand still. An organization can experience a major shift in its security posture in a matter of weeks due to an acquisition, migration to the cloud, expansion of its workforce, deployment of a new software application, or introduction of an entirely new ecosystem of vendors.

To address the problem, some insurers are beginning to explore continuous cyber risk assessment as opposed to annual snapshots. By using technological means, they will be able to continuously monitor the risk exposure of their clients while the organization will get the opportunity to proactively discover risks that they were previously unaware of.

Why cyber insurers are demanding more proof

Not long ago, most underwriters were content with the fact that an organization claimed that multi-factor authentication (MFA) is deployed in its environment. For years, this statement was more than sufficient to make a risk evaluation.

But recent cyber events revealed that in many cases, organizations were unable to fully deploy and maintain certain cyber controls. As a result, security solutions that should have prevented an incident were missing or malfunctioning in several key ways: multi-factor authentication might have been disabled for some of the accounts, including privileged ones; security monitoring solutions may be missing certain cloud assets; the endpoint protection solution may not protect all endpoint devices; or the logging solution may be failing to capture necessary forensic information.

From an insurance perspective, having an attestation of control presence does not mean much if the control does not function as it should.

For this reason, underwriters are becoming more demanding and interested in evidence-based verification of control efficacy.

Once a cyber incident takes place, an insurer needs answers. Common questions include: What happened? When did the compromise take place? What systems were breached? What data was accessed/exfiltrated? Were the security controls functioning as they should? Was MFA enabled? How was the response managed?

The answers to these questions will be essential for proper evaluation of the claims. And the only way to get precise answers to those questions is to gather the digital forensic evidence.

While other sources of information, such as interviews with employees, will help to identify potential problems, they can be unreliable. In the case of forensic analysis, log files, endpoint artifacts, cloud telemetry, authentication records, and other pieces of evidence will provide the answers needed to understand what happened and how.

For many years, traditional cyber investigations required significant time. Investigators had to go through logs, examine multiple systems, and recreate the attack trajectory. It took hours or even days to collect sufficient evidence and prepare a final report.

But today's environment does not provide the luxury of such a slow process. Executives, regulators, legal teams, customers, and other stakeholders are expecting quick answers whenever a cyber event takes place. Delayed visibility can mean additional losses for an organization. Thus, today's enterprises are investing in technological solutions that speed up forensic investigations and enable them to deliver results faster.

In addition to speed, defensibility of forensic findings is crucial. Organizations must ensure that their findings will withstand further scrutiny. In today's world, it is important to be both fast and accurate.

AI, deepfakes, and synthetic identity fraud are redefining cyber risk

Advances in artificial intelligence affect more than the defensive side of the cyber landscape. People can fake executives' voices, create synthetic identities, or launch large-scale phishing attacks. In such a world, cyber insurers will need to adjust policies.

Future incidents will require organizations to investigate unusual circumstances, such as: Was a transaction authorized by an actual employee or an AI-generated impersonation? Was a customer account hacked by an adversary or an AI-powered fraud system? Did a particular communication come from a valid executive or an advanced deepfake?

It will be a challenging task to answer these questions. But the process is unlikely to stop with policy adjustments. To make sense of future incidents, organizations will need more advanced forensic analysis skills.

Why investigation readiness matters

Traditionally, organizations collected evidence after an incident. But now, insurers will look into the readiness of organizations to conduct forensic investigations.

Known as investigation readiness, this metric may give insurers a good idea of how an organization will react in the event of a cyber incident. For example, they may ask the following questions: How quickly can investigators access required information? Is the chain of custody preserved? Can findings be independently validated? Are investigation procedures consistent, repeatable, and defensible? The answers can help insurers understand whether the organization is well-prepared to react to cyber events.

It is expected that within the next five years, evidence-based underwriting will take center stage in the cyber insurance industry. While questionnaires will still play an important role in cyber insurance underwriting, they won't be enough anymore.

Instead, insurers will start relying on more advanced approaches to evaluating cyber risk, including continuous cyber risk monitoring, validating security control effectiveness, investigation readiness, ability to perform rapid investigations, AI-related threats and exposures, preserving chain of custody, claims validation based on evidence, and so on.

