How security pros, the insurance industry, and regulators can combat ransomware | SC Media

How security pros, the insurance industry, and regulators can combat ransomware

April 19, 2021
AIG is one of the top cyber insurance companies in the U.S. Today’s columnist, Erin Kennealy of Guidewire Software, offers ways for security pros, the insurance industry and government regulators to come together so insurance companies can continue to offer insurance for ransomware. eflon CreativeCommons CC BY 2.0
  • Infosec loss prevention and mitigation: While progress on incident actuarial data leaves much to be desired, infosec statistics around threat and vulnerability dimensions have improved. In fact, they show remarkable consistency in the case of ransomware. Reports from leading vendors such as Coveware, Emsisoft, and Recorded Future agree that the most popular attack vectors and sources of ransomware incidents are remote desktop protocol (RDP), email phishing and spam, and unpatched vulnerabilities. Basic “blocking and tackling” can significantly decrease risk exposures.
  • Risk management coordination: Start with good tech hygiene, but intertwine it with insurance industry risk mitigation coordination. Rather than rely solely on factors like compliance or case law developing over time, embracing a risk management coordination role can help insurers take the fight to ransomware. Have insurers and infosec professionals coordinate closely on security risk metrics. Such coordination can better align risk optics, lower information asymmetries, and scale victimology beyond the current ad hoc dynamics. At a basic level, insurers may simply need to start requiring policyholders to assist in providing or verifying technographics and security posture to bring about more accurate cyber risk assessment. More aggressive measures might include incentivizing companies to share internal security telematics could add the missing link in cyber risk assessment and measurement.
  • Ransomware disclosure regulation: Since federal regulation, litigation, and state laws which require reporting and disclosure of data breaches served as the foundational basis upon which the industry anchors data breach underwriting and coverage, it bears asking: Do we need a similar enforcing function to adapt to ransomware risk? Regulatory fines, reporting requirements, and liability and legal costs have made data breach losses tangible, thereby capturing the attention of the industry. Government action via legislation, regulation, or judicial rulings can play a role in reducing risk and enforcing compliance.
  • Controls failure reporting: Attackers will generally follow the path of least resistance – so knowing and documenting their tactics, techniques and procedures (TTPs) and victim company technographics can go a long way to reducing exposures. However, there’s a trend with insurers to cut costs by collecting less information during the underwriting and claims processes. This trend works counter to the recommendation aimed at developing more mature cyber loss models to align risk with price premiums, because better modeling demands better data. Adaptation within the cyber risk landscape requires committing higher quality and quantity data to the actuarial record as possible. Collecting and sharing controls failure data would mark a significant step toward being able to quantify the end-to-end relationships between threats, security compliance, and incident outcomes.
  • Data-driven predictive models: In managing ransomware, mere knowledge of yesterday’s attacks won’t suffice to inform us about tomorrow’s outcomes. Any foresight becomes highly valuable for effective ransomware risk segmentation, assessment, pricing, and defense. Foresight in cyber insurance can come by way of predictive models. We need better validated and empirical data-driven models which incorporate expert knowledge. Such predictive models can drive more robust and reliable pricing models and inform underwriting guidelines.
  • Extortion payment policy reform: Cryptocurrency has fueled the growth of ransomware. Under debate is whether current regulations and policy appropriately guard against facilitating ransomware, or if more robust prohibitions are needed. It’s an open question whether further government interventions around ransomware will develop, such as outright prohibition of ransomware pay-outs, or improved attribution and enforcement against bad actors. As well, the insurance industry should strongly consider a self-regulatory approach that establishes a ransom non-payment policy.
prestitial ad