“What gets measured gets managed” has got to be near the top of the business world’s Top 10 list of favorite quotes. It’s a go-to quote because it’s true — and I can’t think of a more applicable area than enterprise cybersecurity risk.
With few exceptions, notably the FICO Enterprise Security Score (ESS), cyber risk is not being measured in rational, effective ways. As a result, cyber insurers and the corporate customers they serve are in a quandary as to how to quantify, price and manage the risks and costs associated with data breaches, insider threats and a wide range of other cyber vulnerabilities.
At our recent FICO World 2018 conference, I had the pleasure of moderating a panel discussion on “Cyber Risk, Cyber Ratings and Cyber Risk Transfer.” My three very engaging panelists were:
- Josh Ladeau, CISSP, Global Head of Cyber, Aspen Insurance. As head of cyber grading at Aspen Insurance, Josh brings 15 years of underwriting experience to the cyber business. He joined the cyber sector in 2008 and has seen it evolve dramatically over the last decade. He was spot-on with his observation that in an era in which the number of policies is increasing, and so is the number of participating carriers, the market effect of all that competition is suppressed premiums. “It’s destroying logic,” said Josh.
- Sasha Romanosky, Policy Researcher, RAND Corporation. Sasha is a renowned researcher working on empirical policy research in the areas of privacy and security. His topics of interest include data breach litigation, the cost of data breaches and cyber insurance, and how premiums are calculated. In addition to RAND, he has worked with the US Department of Defense, and is a prolific author and speaker.
- Dr. Mingyan Liu, Professor and Incoming Chair of Electrical Engineering & Computer Science, University of Michigan. Mingyan has been a professor at the University of Michigan, Ann Arbor since 2000, where she has been collecting internet-scale data and conducting analytic exercises with it. She is the founder of QuadMetrics, a company that built the world’s first cybersecurity rating system and was acquired by FICO in 2016. QuadMetrics’ technology is the basis for FICO ESS, which combines large-scale automated data measurement with advanced machine learning techniques.
This blog is the first in a three-part series recapping the highlights of our spirited, well-attended discussion. I’ll be posting blogs two and three in the next couple of weeks.
Market Growth Is on Fire
Sasha kicked off the discussion with an overview of how the cyber insurance market is growing. As a “sanity check,” he noted that cyber insurance policies have been around for almost 20 years; total annual US premiums are now between $2 and $3 billion, and cyber is still a small portion of corporate insurance. However, cyber is a rapidly growing insurance market and will hit $20 billion within just a few years. Typical premiums might be in the tens of thousands of dollars, and large corporations typically build a “tower of insurance” with blocks of coverage from various carriers.
Josh agreed that there is tremendous growth opportunity in the cyber insurance business; international market penetration is at less than three percent, while the US market is currently the most covered. One of the industry’s biggest challenges, he said, besides the “logic-destroying” price cutting, is finding enough underwriters to meet demand.
Aspen has partnered with FICO to use ESS because, as he said in a 2017 press release, “The FICO cyber score presents the most accurate externally derived assessment of organizational security posture that I’ve seen, and when combined with the underwriting data we collect, will help us to shape a cyber insurance portfolio of the highest possible quality.”
The Current State: “Irrational Exuberance”
Mingyan, however, presented a picture of a current state of “irrational exuberance,” in which companies are overly optimistic about their preparedness to handle cyber security attacks. She cited recent research by Ovum and FICO that revealed exactly that. (You can read more about the research in this post.)
“A lot of them think they’re above average,” she said, “but relatively few of them had an assessment in place, no benchmarking in place. But still, the respondents feel pretty good about themselves. Most of them think they will get even better at managing cyber risk in the years ahead, but at the same time, almost 98% of them think the threat landscape will get worse.”
She continued, “Furthermore, 80% think that their senior execs are very mindful of cybersecurity, but only 20 to 25% had a board member who’s responsible for cybersecurity oversight.”
Clearly, there’s a big disconnect between what companies perceive to be their strengths and the reality on the ground. In my next blog I’ll talk about the evolving nature of cyber threats, and how cyber risk measurement is a key predictor of breach vulnerability.
Right now you can find out more about US executives’ current views on cyber readiness by downloading our white paper Views from the C-Suite Survey 2018. If you’re not already, follow me on Twitter @dougoclare. Thanks!