The Art of Measuring Cyber Aggregation Risk 

Dec 15, 2016 09:35 PM

Ashwin Kashyap, Symantec Corporation, and Julia Chu, Guy Carpenter

Cyber risk is now an embedded feature of the global risk landscape, and preventative risk management and post-event remediation are gaining importance as shareholders, customers, supply chain partners, and regulators are increasingly focused on how companies are managing cyber risks. Insurance is becoming an important piece of the strategy to help businesses address these risks.  

Cyber insurance is one of the fastest growing lines for insurers and reinsurers. While insurers are developing pricing tools for underwriting cyber risks, the focus on aggregation has increased: how to understand and control the potential exposure. Unlike traditional property insurance, where aggregation is monitored by physical location, cyber insurance aggregation can span connected systems that extend beyond physical geographies. While a large systemic risk has not yet materialized, that does not mean the risk is not present. Moreover, there is limited history and a lack of data for this emerging exposure, which makes it difficult for insurers to measure cyber risk and calculate capital needs. In other words, it is a huge challenge to grow a portfolio of cyber risk profitably without exceeding risk tolerance.

For decades, insurers have considered aggregation from natural perils and developed catastrophe models. These models go beyond the insured loss experience by blending historical evidence with expert understanding of the nature of the peril, providing a more robust understanding of future exposure. Modeling cyber risk introduces new challenges, including:

  • Changing perils – The types of cyber attacks, as well as the nature and motivation of the attackers, are in constant flux.
  • Extended duration – Related attacks against different defenders may take place simultaneously, or may repeat over a period of months.
  • Definition of damage – Cyber damage is harder to quantify, due to the gap between the technical and business impact.
  • Reporting lag – It may take months or years to discover a cyber attack.

Symantec Cyber Insurance, in collaboration with Guy Carpenter, has developed a series of frameworks to systematically break down this complex problem into tractable components. Many of these components are impossible to observe directly from insured exposure or historical loss (much as wind or tides could not be inferred purely from insured hurricane loss). But as the global leader in cyber security, Symantec has spent decades tracking the emergence of new cyber threats and attack vectors, and has an unparalleled proprietary telemetry database, providing a unique capability to identify and quantify the nature of each phase of a cyber attack.

First and foremost, it is important to distinguish between the technical and business impacts of a cyber attack. The technical impact provides a mechanism to understand how an attack was carried out, but rarely provides a handle on the far greater consequences on a collection of businesses. To resolve this, Symantec has invented the CUBE framework that clearly articulates every facet that is relevant to a business user.

The framework consists of six complementary dimensions to break down the technical complexity of a cyber attack: Attackers, Targets, Objectives, Vulnerabilities, Impact and Consequences.

We will take a specific aggregation scenario to illustrate how this framework plays a useful role in describing these events. A cloud service provider disruption scenario has been widely regarded as one of the manifestations of aggregation on cyber portfolios. In the narrative below, the business impact on a leading cloud platform lasts for 24 hours and causes cascaded impacts on other businesses dependent upon its services. This scenario can play out in many different ways, and we can use the CUBE framework to showcase one such realization of this scenario.

[Image: the CUBE framework applied to the cloud service provider disruption scenario]

The multi-dimensional view of risk provided by the CUBE framework not only helps insurers understand the key aspects of a scenario but also helps them control risk aggregation by avoiding higher degrees of exposure in their portfolios to the “footprints” of each of the attacks. The framework also minimizes the possibility of a misrepresentation of the description of a scenario and, consequently, the quantification of its frequency and severity. In essence, the CUBE framework provides a foundation to create an event set that can be understood easily by business users in the context of managing cyber aggregation risk.

It may be essential to think beyond the CUBE framework for building sophisticated risk models where uncertainty quantification becomes the primary goal. For this purpose, Symantec recommends using the “kill chain” methodology for a technical persona to capture the different phases of a cyber attack. For example, an insider attack on a confidential database in a large data aggregator will have a very different likelihood when compared to a financially motivated threat actor carrying out the same attack through a phishing campaign. A sequential model can capture this differentiation, specifically in the area of frequency quantification. More importantly, the quantification can be driven by Symantec’s security telemetry.

The kill chain tends to fall closer to the technical end of the spectrum in cyber security and is not as business-friendly as the CUBE framework. It is, however, extremely useful in understanding the diminishing probabilities of success as you move down the kill chain: each subsequent step in the attack process poses a challenge to the attackers that depends not only on their motivation and capability but also on the security controls that exist within the target(s).
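The sequential model described above, written out in Python as an added illustration (not from the article and not Symantec's model): each kill-chain stage multiplies the attacker's running probability of success by a factor that the target's controls reduce, so a malicious insider who already holds database access skips the early stages while a phishing actor must pass every one. The stage names, attempt rates, success probabilities and control effectiveness values are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Kill-chain phases in attack order (Lockheed Martin-style names, assumed here).
STAGES = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "actions"]


@dataclass
class ActorProfile:
    name: str
    attempts_per_year: float        # constructed attempt rate for the scenario
    # stage -> P(success) with no defensive control in place; a stage absent
    # from the map is one this actor does not need to perform at all.
    stage_success: Dict[str, float]


def chain_probabilities(actor: ActorProfile,
                        controls: Dict[str, float]) -> List[Tuple[str, float]]:
    """Cumulative P(the attack has completed each stage), walking down the chain.

    controls maps a stage to the fraction of attempts a control stops there
    (0 = none, 1 = always). Each stage multiplies the running probability,
    so the curve can only fall: the article's "diminishing probabilities".
    """
    running, out = 1.0, []
    for stage in STAGES:
        base = actor.stage_success.get(stage)
        if base is not None:          # stage applies to this actor
            running *= base * (1.0 - controls.get(stage, 0.0))
        out.append((stage, running))
    return out


def annual_frequency(actor: ActorProfile, controls: Dict[str, float]) -> float:
    """Expected successful attacks per year = attempts * P(full chain succeeds)."""
    return actor.attempts_per_year * chain_probabilities(actor, controls)[-1][1]


# Constructed placeholder values, not Symantec telemetry.
PHISHING_ACTOR = ActorProfile("financially motivated, via phishing", 50.0, {
    "recon": 0.9, "weaponize": 0.9, "deliver": 0.8, "exploit": 0.5,
    "install": 0.6, "c2": 0.7, "actions": 0.8})
# An insider who already holds database access is past delivery, exploitation,
# installation and C2, so only the final stage remains to be passed.
INSIDER_ACTOR = ActorProfile("malicious insider with DB access", 2.0, {"actions": 0.9})
CONTROLS = {"deliver": 0.5, "exploit": 0.6, "c2": 0.5, "actions": 0.3}

if __name__ == "__main__":
    for actor in (PHISHING_ACTOR, INSIDER_ACTOR):
        print(actor.name)
        for stage, p in chain_probabilities(actor, CONTROLS):
            print(f"  after {stage:<9} P = {p:.4f}")
        print(f"  expected successes/year: {annual_frequency(actor, CONTROLS):.3f}")
```

With these placeholder inputs the far more frequent phishing attempts yield fewer expected successes per year than the rare insider attempts, which is the frequency differentiation the article attributes to a sequential model.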

The relative importance of each of these frameworks is context dependent. If you are trying to model the frequency and severity of scenarios, you will find the kill chain much more appealing, but if you are a portfolio manager or a business stakeholder within an insurer, you are likely better served by the CUBE framework which transforms layers of complex cyber security concepts into simplified “snackable” content.

An unabridged version of this article was published in the MMC handbook 2016. Ashwin Kashyap is a Director, Product Management at Symantec where he specializes in creating and commercializing data-driven analytic products for cyber risk modeling to the insurance industry. Julia Chu is a New York-based Managing Director at Guy Carpenter where she focuses on strategic advisory.

Comments

Jan 19, 2017 06:49 AM

Cyber risk is now an embedded feature of the global risk landscape, and preventative risk management and post-event remediation are gaining importance as shareholders, customers, supply chain partners, and regulators are increasingly focused on how companies are managing for cyber risks. Insurance is becoming an important piece of the strategy for helping businesses address these risks.

Jan 19, 2017 05:13 AM

Cyber risk is now an embedded feature of the global risk landscape, and preventative risk management and post-event remediation are gaining importance as shareholders, customers, supply chain partners, and regulators are increasingly focused on how companies are managing for cyber risks. Insurance is becoming an important piece of the strategy for helping businesses address these risks. When will we grow to understand this and get it insured !!!  

Great Article !!! Thumbs Up

 

Jan 18, 2017 06:48 PM

What is interesting is whether prevention is integrated into the insurance service itself, so as to have a complete package.

Jan 18, 2017 12:33 PM

It is interesting to learn that there is such a thing as cyber risk insurance; however, in many cases, after the damage is done the insurance coverage might not be of much help. I agree that the definition of damage is one of the main challenges, because sometimes it can be easy to calculate, but sometimes it can only be speculative. Imagine someone stealing the blueprints of a new product that is not yet on the market; it would be impossible to calculate the damage, since the popularity of that product cannot be predicted in advance. I am glad that Symantec is taking up cyber insurance.

Jan 13, 2017 11:31 AM

This cyber insurance area is something new, and I don't think I have heard of it yet in Latin America. The detail is the measurement of risk; once we have it sized, it can be mitigated right away. The risk cube is quite interesting; it is not clear to me how they define the attacker, but it may have a future in the pursuit of more robust security.

Jan 13, 2017 03:09 AM

I had no idea you could get this. I suppose if you have confidence in your products then why would you not offer this. I hope you offer good support in getting to a level to gain the insurance. I wonder if the return from a premium will cover the loss of a small business's data; I'm sure this is going to be for the bigger company.

 

Jan 12, 2017 09:52 AM

I didn't know that Symantec offered this. Cyber insurance is an interesting concept it will be good to see how this space plays out. Not sure if it's something we would consider though. 

Jan 09, 2017 05:49 AM

That's something new, didn't know Symantec offered this service. Great article.

Looking forward to more blogs on Cyber Insurance.

Jan 09, 2017 04:24 AM

Cybersecurity professionals in any given organisation assess cyber vulnerabilities one organisation or one country at a time, without necessarily looking at the cumulative risk to the overall system. Individual cyber insurance underwriters can fall into the same way of thinking, and the potential for aggregation of cyber risk is the current ‘elephant in the room’ for the insurance industry. The burgeoning cyber insurance market is grappling with aggregation of risk in two main forms: 1) aggregation of cyber risk across business lines, and 2) the evolving approach to cyber risk.

Jan 05, 2017 02:16 AM

This is a great start. Nowadays it's a critical moment for the Internet. Mass government and commercial data collection have weakened public trust. Uncertainty is rising as nations disagree over Internet governance and new technologies disrupt existing markets and mechanisms. The Internet of Things (IoT) is developing rapidly and creating new economic opportunities, but manufacturers are consistently failing to incorporate security and privacy by design, thereby exposing consumers to a host of vulnerabilities.

Jan 02, 2017 10:55 PM

@ Symantec - what don't you guys do???

I would like to know more about what you have to offer for a company that uses several of your products.

Q: How are your prices structured for this service? 

If you can share a link that gives more in-depth details, it would be great.

Thanks!

Dec 30, 2016 10:15 AM

First of all, it is interesting to learn that there is such a thing as cyber risk insurance; however, in a lot of cases after the damage is done the insurance coverage might not be of much help. Take for example the very own case of Symantec with the leakage of the PC Anywhere source code: it eventually brought about the death of the product, which was one of the strong points of the company, especially its integration with SMP 7.0. I agree that the damage definition is one of the main challenges, because sometimes it can be easy to calculate but sometimes it can be only speculative. Imagine someone stealing the blueprints of a new product that is not on the market yet; it would be impossible to calculate the damage, as the popularity of the mentioned product can't be predicted in advance. I am glad, however, that Symantec is taking up cyber insurance seriously, since it is an area that is in need of further research and they (Symantec) have the right expertise for that.

Dec 30, 2016 05:10 AM

This is a good article. It explained each part of security in detail. Good writing on the CUBE framework to showcase one such realization of this scenario. I could not understand the CUBE framework for building sophisticated risk models where uncertainty quantification is the goal; what does it talk about? The framework is described well but the architecture is not clear.

Dec 29, 2016 09:25 AM

I think the next few years will see this side of the industry grow, insurance will probably become standard practice in the coming years. I do wonder how this ties in to platforms moving to 'the cloud', though, it may well come bundled in with the package. It's possible it may become a requirement, much like contents insurance when renting a property.

Dec 29, 2016 08:33 AM

Cyber insurance is important today. It helps cover costs and backlash if the proper insurance is purchased. As with any insurance policy you always need to read the small writing.

Dec 28, 2016 02:16 PM

Like many have commented, we were not aware of this product by Symantec. I've passed this link to someone who might be interested in this. Good to see yet another product that helps to protect our network.

Thank you, Symantec! :)

Dec 28, 2016 11:34 AM

Interesting was not aware of this

Dec 28, 2016 05:04 AM

This is interesting, considering it's not if it's going to happen but when!

Hopefully more companies will offer this and it will have competitive rates :p

Dec 28, 2016 12:29 AM

Great article! I also was not aware that Cyber insurance was even a thing.
I guess if companies buy flood insurance, why not have cyber insurance.
I would be interested in knowing the qualifications a company must have in order to get this type of insurance; maybe specific preventive threat measures must be used?

Dec 27, 2016 11:15 PM

I heard of similar insurance, but did not know how it works; interesting to know how Symantec cyber insurance works. Most companies buy other, different insurance; not sure if enterprises are interested in it and what the exact outcome is if the insured company has a cyber attack.

Dec 27, 2016 09:05 PM

I don't think I realized that companies were looking at this sort of insurance. I would really like to see if 2017 brings even more of this.

Dec 27, 2016 11:11 AM


I think what they are offering is important; it will definitely be good for business. Symantec considers that it is a reasonable cyber defense and that the customer knows what they have to do to be fully protected.

Symantec is again taking things in hand with cyber insurance.

Dec 27, 2016 08:15 AM

@Symantec great article! I also was not aware that Cyber insurance was an offering! Looks like I need to research the Symantec/Products web page to see what else you guys are offering, because there have been a few products like this lately that I haven't been aware of.

Dec 27, 2016 05:39 AM

I did not realise that this was a service offered by Symantec. It's good to see that this is something they now offer and can see it proving to be a popular service, definitely taking things in the right direction. I wonder how many businesses will now be looking into Cyber insurance.

 

Dec 26, 2016 04:15 PM

Cyber insurance is something we had at my previous job as a necessity. It's great you are offering it and I imagine you'll get a lot of business out of it. The bad part is being able to prove you meet the qualifications for deductibles and to be clear enough on what Symantec feels is reasonable cyber defense and that the customer knows what they have to do to be protected.

Dec 26, 2016 12:34 PM

Hello,

Symantec CyberInsurance seems to be a unique concept which Symantec is diving into.

Cyber-insurance is a risk management technique via which network user risks are transferred to an insurance company, in return for a fee, i.e., the insurance premium.

Examples of potential cyber-insurers might include ISP, cloud provider, traditional insurance organizations.

Proponents of cyber-insurance believe that cyber-insurance would lead to the design of insurance contracts that would shift appropriate amounts of self-defense liability to the clients, thereby making the cyberspace more robust.

Here the term ‘self-defense' implies the efforts by a network user to secure their system through technical solutions such as anti-virus and anti-spam software, firewalls, using secure operating systems, etc.

Cyber-insurance also has the potential to be a market solution that can align with the economic incentives of cyber-insurers, users (individuals/organizations), policy makers, and security software vendors; i.e., the cyber-insurers will earn profit from appropriately pricing premiums, network users will seek to hedge potential losses by jointly buying insurance and investing in self-defense mechanisms, policy makers would ensure the increase in overall network security, and the security software vendors could experience an increase in their product sales via forming alliances with cyber-insurers.

Best of Luck Symantec...!!!

Dec 26, 2016 11:40 AM

I was unaware that Symantec offered this service. Seems the proper way to go though considering the way threat landscape is looking these days. Looks like Symantec is again taking things in the right direction with cyber insurance. I'd be interested in seeing the numbers on companies opting for cyber insurance.
