Why cyber risk assessment is critical to staying ahead of threats [Q&A]
The cybersecurity landscape is changing all the time and security teams are constantly searching for anything that can give them an edge in defending their systems.
We spoke to Rajeev Gupta, co-founder and chief product officer at insurance specialist Cowbell Cyber, about cyber risk assessment and how it can help businesses understand their level of risk and improve it to stay ahead of bad actors and threats like phishing attempts.
BN: Why has cyber risk assessment become critical in today's threat landscape?
RG: The cyber threat landscape has drastically changed over the last five years. While most smaller businesses have not been worried about the impact of cyberattacks in the past, threat actors are now targeting small and medium-sized enterprises (SMEs) increasingly. One way they go about this is through mass phishing. This means that a threat actor sends out a malicious email containing a phishing link to as many people as possible, and whoever clicks on that link will fall victim. Mass emails have drastically reduced the effort and time it takes for bad actors to attack organizations.
SMEs are frequently targeted as they have been historically unprepared to detect cyberattacks and respond to cyber incidents. Many do not have basic company-wide cybersecurity hygiene, which means that they are more likely to pay a ransom since they don’t see another option.
Cyber risk assessments can make a tremendous difference in these scenarios. Once a company understands its cyber risk exposure, it can take concrete measures for improvement. Just a few simple steps can drastically improve a company's cybersecurity posture and reduce the chance of falling victim to an incident. This starts with awareness, which is where cyber risk assessment comes into play.
BN: What are the keys to conducting a cyber risk assessment?
RG: Cyber risk assessment helps an organization prevent and reduce security incidents and avoid compliance issues. At Cowbell, we use Cowbell Factors, which are proprietary risk rating factors used to assess the risk of small and medium-sized enterprises (SMEs) across the US and the UK. We created our risk pool to understand both the frequency and the severity of cyber claims for businesses in order to calculate the chances of future claims and, therefore, underwrite better risk. Cowbell Factors take into account:
- Network Security: Measures the strength of the organization’s network infrastructure and whether security best practices are deployed -- encryption, secure protocols, patching frequency. This factor also checks for vulnerabilities, malware, and misconfigurations.
- Cloud Security: Measures the strength of an organization’s cloud security based on footprint on commonly used public clouds (AWS, Azure, GCP, etc), security configuration, and alignment to security best practices.
- Endpoint Security: Measures endpoint preparedness (servers, mobile devices, IoT endpoints) toward cyberattacks. This factor incorporates the number of endpoints as well as the level of security hygiene applied to them.
- Dark Intelligence: Measures an organization’s exposure to the darknet, taking into account the type and volume of data exposed and its value for criminal activity (examples: stolen credentials, PII).
- Funds Transfer: Tracks risk markers related to the compromise of emails that commonly leads to nefarious activities such as fraudulent funds transfers.
- Cyber Extortion: Measures an organization’s potential exposure to extortion-related attacks such as ransomware.
- Compliance: Measures an organization's level of compliance with security standards such as CIS (Center of Internet Security) benchmarks, NIST CSF (Cyber Security Framework), CSC-20 (Critical Security Controls), HIPAA, PCI, EU GDPR, and CCPA.
- Supply Chain: Measures an organization’s susceptibility to software supply chain incidents. This factor is compiled from technographic and firmographic data, web scraping information, and public vulnerability repositories.
We wanted to make sure we could identify the best of the risks and assess risk with a perspective of how that risk stacks up against the rest of the market (i.e., in relation to its peers and its industry). Our risk pool currently comprises 38 million businesses in the US alone, and that gives us a good benchmark when comparing each business’s risk.
BN: Why have you introduced Cowbell Factors?
RG: We came up with the idea of Cowbell Factors as a new approach to underwrite only the best cyber risk. This idea isn't new to insurance; when you think of an auto policy, insurance companies want to know if you've had an accident in the past, and if you did, it will impact your premium.
The difference when it comes to cybersecurity is that a company's security controls are constantly changing, and bad actors move fast -- so we needed to find a way to calculate risk that could relate to an entire industry at all times while benchmarking individual companies against their peers.
So, in 2019, we interviewed hundreds of underwriters personally to find out more about their pain points. An issue we identified was that some interviewees would underwrite the same risk differently, depending on the day. This obviously is a problem, and our Cowbell Factors help to eliminate that problem and create objectivity.
Automation and objectivity are key when it comes to Cowbell Factors. Our goal was to make underwriting quick, easy, and more accurate.
To make that happen, we needed a large risk pool. We currently have around 38 million US and UK SMEs, more than 90 percent of both markets, that we regularly assess.
But, with the size of our risk pool came the challenge of how to convert thousands of attributes per company into something that underwriters can use to accurately assess risk. That’s where the Cowbell Factors come into play. One Cowbell Factor contains hundreds, if not thousands, of data points, adding them up into a singular score. That helps our underwriters understand the risk of a business without having to get into the nitty-gritty of their individual cyber posture. Cowbell Factors also allow for much more consistent underwriting through the automation they bring into the process. We defined cut-offs of risk that we won’t underwrite until a company fixes its most pressing security weaknesses, and we can automatically underwrite really good risk without human touch.
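The eight factors listed in the earlier answer, and the approach described here of rolling many data points into one score, benchmarking it against a peer pool and applying cut-offs that block or auto-approve underwriting, can be sketched as a small scoring model. The following is an added illustrative example written for this article; it is not Cowbell's actual Cowbell Factors algorithm or code. The factor names follow the eight listed above, but the weights, the hard floor and auto-approve thresholds, the peer pool values and the sample company scores are all constructed assumptions.

```python
"""Illustrative cyber risk scoring model (hypothetical, not Cowbell's method).

Each factor is assumed to already be normalised to a 0-100 sub-score, where
higher means lower risk. The model then:
  1. aggregates the sub-scores into one weighted composite score,
  2. ranks that composite against a pool of peer scores (percentile), and
  3. applies cut-offs: any factor under a hard floor blocks underwriting until
     fixed; a high composite with no floor breach is auto-approved; the rest
     goes to manual review.
"""
from typing import Dict, List

# Assumed weights per factor (sum to 1.0). Names mirror the eight factors in
# the interview; the weights are invented for this example.
FACTOR_WEIGHTS: Dict[str, float] = {
    "network_security": 0.20,
    "cloud_security": 0.15,
    "endpoint_security": 0.15,
    "dark_intelligence": 0.10,
    "funds_transfer": 0.10,
    "cyber_extortion": 0.10,
    "compliance": 0.10,
    "supply_chain": 0.10,
}

HARD_FLOOR = 30.0    # assumed cut-off: any factor below this blocks underwriting
AUTO_APPROVE = 75.0  # assumed cut-off: composite at/above this (no breaches) auto-approves

# Constructed peer pool of composite scores used as the benchmark.
PEER_POOL: List[float] = [42.0, 48.5, 51.0, 55.5, 60.0, 63.5, 67.0, 70.5, 74.0, 82.0]

# Constructed sample companies (scores are made up for illustration).
SAMPLE_COMPANIES: Dict[str, Dict[str, float]] = {
    "constructed_co_a": {  # well-run organisation
        "network_security": 85, "cloud_security": 80, "endpoint_security": 78,
        "dark_intelligence": 90, "funds_transfer": 70, "cyber_extortion": 82,
        "compliance": 75, "supply_chain": 68,
    },
    "constructed_co_b": {  # weak endpoint hygiene drags it under the floor
        "network_security": 55, "cloud_security": 60, "endpoint_security": 25,
        "dark_intelligence": 40, "funds_transfer": 50, "cyber_extortion": 35,
        "compliance": 45, "supply_chain": 50,
    },
}


def composite_score(factors: Dict[str, float]) -> float:
    """Weighted aggregation of per-factor 0-100 sub-scores into one 0-100 score."""
    missing = set(FACTOR_WEIGHTS) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"{name} out of range: {value}")
    return round(sum(FACTOR_WEIGHTS[n] * factors[n] for n in FACTOR_WEIGHTS), 2)


def percentile_rank(score: float, peer_scores: List[float]) -> float:
    """Percentage of peers whose composite score is at or below `score`."""
    if not peer_scores:
        raise ValueError("peer pool is empty")
    at_or_below = sum(1 for s in peer_scores if s <= score)
    return round(100.0 * at_or_below / len(peer_scores), 1)


def weakest_factors(factors: Dict[str, float], n: int = 3) -> List[str]:
    """The n lowest-scoring factors, i.e. what to fix first."""
    return sorted(factors, key=factors.get)[:n]


def underwriting_decision(factors: Dict[str, float], peer_scores: List[float]) -> Dict:
    """Score a company, benchmark it and apply the assumed cut-off rules."""
    score = composite_score(factors)
    breaches = sorted(n for n, v in factors.items() if v < HARD_FLOOR)
    if breaches:
        decision = "decline_until_remediated"
    elif score >= AUTO_APPROVE:
        decision = "auto_approve"
    else:
        decision = "manual_review"
    return {
        "score": score,
        "peer_percentile": percentile_rank(score, peer_scores),
        "decision": decision,
        "floor_breaches": breaches,
        "fix_first": weakest_factors(factors),
    }


if __name__ == "__main__":
    for name, factors in SAMPLE_COMPANIES.items():
        print(name, underwriting_decision(factors, PEER_POOL))
```

The point of the floor check is that a strong composite cannot hide one badly neglected area: in the constructed data, company B still lands in "decline until remediated" because its endpoint score sits below the floor, and `fix_first` names the weakest factors in the order a remediation plan would address them.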
BN: How can risk assessment benefit different audiences (policyholders, agents/brokers, insurers, reinsurers)?
RG: Many policyholders have several different security products in place. That can be a lot to keep track of and can result in an information overload. Cowbell Factors boil all that information up into a single, easily digestible form of metrics.
Our Cowbell connectors allow us to gather even more in-depth information about a company’s security, improve the efficacy of Cowbell Factors, and make it easier for organizations to improve their personal Cowbell Factors. Activating connectors can even result in a premium credit for eligible policyholders.
To agents and brokers, Cowbell Factors enable a more honest and objective conversation around their clients’ premiums and how to become more secure. They also benefit from a summary of all the insurance-relevant information boiled down from thousands of data points to the top eight, those being our eight Cowbell Factors.
Reinsurers are interested in aggregation and accumulation of risk, in other words -- risk management at the portfolio level. Cowbell Factors help us keep our claims low -- in fact, we have the lowest claims ratio in the industry.
Lastly, for us, Cowbell Factors underpin everything our underwriters do on a daily basis, from helping us optimize our processes to increasing speed and ease of underwriting.
BN: How can businesses improve their cybersecurity posture?
RG: Improving one's cybersecurity posture should be the goal of every company. It can not only reduce one's premium but it can also drastically decrease the chance of a cyber incident.
To facilitate this at Cowbell, we provide policyholders with Cowbell Insights. Cowbell Insights find weaknesses within a cybersecurity posture and give actionable recommendations on how to eliminate those issues. This improves a company's overall risk posture, reflected, of course, by higher Cowbell Factors.
At the end of the day, a secure business is a happy business. It truly is a win-win-win situation. Businesses decrease their chances of falling victim to a cyber incident, and reduce the financial and operational burden that comes with a successful attack. They might also reduce their insurance premium that way.
Insurance companies get a better risk for their book. And agents get happier clients and less stress with incidents they have to get involved in. Cybersecurity awareness is the first step to a safer online presence.