Cyber Risk Modeling & Scoring: Creating Business Resilience
Over the last few decades, the way in which companies conduct business has gone through a transformation. Organizations have shifted their business models from brick-and-mortar products and services platforms to innovative, adaptive strategies that capitalize on the constant change brought about by technology. In order to compete, many businesses are redirecting their energies to more flexible, mobile business processes.
Yet such digital transformation comes with significant exposure. A 2018 IBM-sponsored Ponemon Institute study concluded that the 383 companies surveyed have a 27.9 percent probability of experiencing a material data breach involving ten thousand records over a 24-month period. That’s a 2.2 percent increase in probability over 2017 statistics.
Also on the increase: the average total cost of a data breach. The same Ponemon study shows that the average total cost rose from $3.62 million to $3.86 million, a 6.4 percent increase over 2017 figures. The average cost per record has risen from $141 to $148, up 4.8 percent in one year.
Evolving Threats & Coverage Gaps
From phishing scams to ransomware attacks, cyber thieves are finding their way into company systems and exposing sensitive corporate data. Yet as cybersecurity experts work to stay ahead of the threats, thieves are developing new ways to breach systems and profit from security gaps. Thieves are now targeting smart devices, including printers and IP cameras, and trying to compromise cloud-based systems and databases.
Yet what risks does any one company face? The full extent of a company’s exposure is not always obvious. Likewise, knowing what would constitute a comprehensive cyber liability policy for that particular business can be just as challenging. Most buyers are not aware of their needs or insurance options.
That’s because cyber risk can be a breach, a loss, or nearly any other form of disruption or damage to a company’s systems or data. In order for a cyber liability policy to be effective, a company must identify its vulnerabilities.
A Model for Network Risks
Fortunately, companies are now able to get a more targeted view of risks through network modeling and risk scoring. Objective measurement of network resilience, such as the measurement XL Catlin clients can access through a collaboration with RedSeal, a network modeling and risk scoring platform provider, can give companies a full-scale view of their cyber risks over time and serve as a roadmap for improving their cybersecurity measures.
Network modeling and risk scoring allow companies to create an all-inclusive network model that encompasses both physical and digital company assets, including public and private cloud environments. That helps companies identify:
- Device and third-party software weaknesses and their impact on the network: a business can see device vulnerabilities and access paths across the enterprise, which can help improve incident response plans.
- Ease of accessibility of a company’s valuable assets to hackers: a business can identify misconfigurations, audit compliance issues, and adjust access controls, further improving security.
- How well the company’s network, connections, and devices are understood: by finding and repairing misconfigurations and vulnerabilities, companies can improve network access decisions, assess attack routes, and ensure compliance quickly.
Another bonus: companies are able to create a continuous improvement process within their cybersecurity initiatives, further improving their resilience and awareness of their cyber exposures.
Also, by using risk scoring and modeling, companies can improve their insurance costs and coverage. A low risk score can give underwriters more in-depth information for risk evaluation and can help them better evaluate a company’s risks over time. Such data can help underwriters determine the most appropriate policy terms and pricing.
For insurers, such comprehensive data can also provide:
- Better evaluation of internal and external threats
- Monetized metrics to better score risks
- Objective standards for coverage qualification
- Insight into network resilience and resistance, survival and recovery capability
The Smart Approach to Cyber Threats
As cyber risks evolve, so should the approach companies take to understand their risks. By working together, consumers and providers can manage cyber risk by developing a data-driven picture of each company’s unique risks. By understanding the entire cyber risk exposure, companies can reduce their financial losses and increase their cybersecurity, all while making their networks more resilient. The result: a more competitive, flexible approach to business without all the risks.
About the Authors
Steve Timmerman is VP Business Development at RedSeal, which helps customers understand their network from the inside out – providing actionable intelligence, situational awareness and a Digital Resilience Score to help enterprises measure and improve their resilience. He can be reached at firstname.lastname@example.org. Elissa Doroff is product manager for XL Catlin’s Cyber & Technology insurance business. She can be reached at email@example.com.