Understanding Cyber Insurance Under COVID19

Denny Wan and Petra Wildemann discuss quantitative cyber risk, and cyber insurance in particular, in the context of the global impact of the corona crisis.
Podcast
Petra: When the global pandemic of the corona crisis started to spread, affecting lives and adding a new dimension to the business world, we experienced governments around the world escalating measures to mitigate the risk of the pandemic spreading. At the same time, digital communication has expanded at a speed we had not thought possible. Do you think that the risk of cyber attacks has increased during this time?
Denny: Petra, it is great to be speaking again since our debate last year with Steve Wilson on “Managing Accumulation Risk in Cyber Insurance”. You are absolutely correct that the global pandemic has resulted in a significant increase in cyber attacks. In fact, the Australian Government Cyber Security Centre (ACSC) reported a massive increase in phishing emails masquerading as banks, government agencies and health authorities. These cyber attacks are making the accumulation risk problem much worse. In response, the ACSC issued a cyber security guideline for working from home (WFH). The ACSC recommends using a VPN (virtual private network) and enabling multi-factor authentication.
Petra: I agree. I think the concern over the massive increase in cyber attacks is one of the key reasons behind the release of the “COVID-19: Evolving Insurance and Risk Management Implications” report by Marsh earlier this year. Did you get a chance to review the report, and what are your insights?
Denny: Thanks for reminding me of the report. It is a conscientious and insightful report urging the insured to review all their insurance policies to reflect the impact of COVID-19. Cyber insurance is one of the review focus areas. Some of the insights include:
• Pandemic may limit cyber insurance and related policies
• Infrastructure exclusions and voluntary shutdown coverage limitations
• Technology errors and omissions (E&O) policies may not apply
Petra: This is indeed good advice from the report. Denny, you have spoken previously about the new global ISO27102 standard for cyber insurance. The standard, released in October 2019, should be used to guide cyber insurance underwriting. How can ISO27102 be applied to evaluate a cyber insurance contract and identify silent cyber?
Denny: Yes, I am passionate about ISO27102 and recognise the significance of its contribution in creating a common business language for cyber insurance. This is not a technical standard but a business policy statement. It helps business stakeholders to better understand the role of cyber insurance as a risk treatment option. This standard builds on the technical foundation of the ISO27001 standard for information risk management. Table A.1 in the ISO27102 standard provides a mapping between the two standards. It is much easier to identify silent cyber (i.e. non-confirmed cyber risk) by looking through the lens of mapping table A.1.
Denny: The insurability of cyber risks includes a business need. However, a pandemic like the corona virus has not really been part of the risk mitigation. We have observed an extension of digital infrastructures with, or even without, firewall protection, mainly also due to the extended need for computers, laptops, etc., and outdated software. Do you see this as a risk? So when does insurance make sense?
Petra: The Open Group FAIR framework is the only global standard for quantifying cyber risk into potential financial loss, and it provides a structured approach to cyber risk quantification for calculating a fair insurance premium. How does the FAIR framework apply to calculating a fair premium for cyber insurance? With your expertise, do you consider the corona pandemic to have an effect?
Denny: You are correct. FAIR is the only global cyber risk quantification standard endorsed by the National Institute of Standards and Technology (NIST) and has been included in the “NIST Informative Reference Catalog”. In fact, the SANS Institute has also named FAIR (together with NIST RMF, OCTAVE and TARA) in the “CISO Mind Map and Vulnerability Management Maturity Model”.
As you pointed out, FAIR provides a structured and transparent process to estimate the potential reduction in financial loss across a range of cyber security investment options. The FAIR methodology is designed for calculating the Annualised Loss Expectancy (ALE), which is a key input for calculating the Return on Investment (ROI) of these cyber security controls.
The basic formula for a cyber insurance premium is to use ALE as the baseline and add the administration cost and profit margin for the insurer. It is important that insurers are profitable and enjoy a healthy margin, to ensure the viability of the industry and thus minimise the accumulation risk.
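The ALE, control ROI and premium-baseline arithmetic discussed in the interview, worked through as an added example. This is not code from the interview, the FAIR Institute or The Open Group: the FAIR identity ALE = Loss Event Frequency × Loss Magnitude is the standard's, but the scenario ranges, the MFA cost, the triangular sampling (FAIR tooling more often uses PERT), the ROI form and the margin basis are all constructed assumptions for illustration.

```python
"""FAIR-style ALE, control ROI and premium baseline (added example, not from the interview).

ALE (Annualised Loss Expectancy) = LEF (loss events per year) x LM (loss per event).
Calibrated min / most-likely / max ranges are sampled by Monte Carlo; the resulting ALE
is the baseline for control ROI and for the simple premium formula in the interview.
"""
import random
from statistics import mean

# Constructed ranges (min, most likely, max) for one scenario: credential phishing of
# remote workers leading to business email compromise. Not real data.
LEF_NO_MFA = (0.5, 2.0, 6.0)                   # loss events per year, no MFA on remote access
LEF_WITH_MFA = (0.1, 0.5, 2.0)                 # assumed frequency once MFA is enforced
LOSS_MAGNITUDE = (20_000, 150_000, 1_200_000)  # AUD per event: response, fraud, downtime
MFA_ANNUAL_COST = 120_000                      # constructed licence + rollout cost per year


def _draw(rng, value_range):
    """Sample one value from a triangular (min, most likely, max) range."""
    low, mode, high = value_range
    return rng.triangular(low, high, mode)  # random.triangular takes (low, high, mode)


def simulate_annual_losses(lef, lm, trials=20_000, seed=7):
    """Monte Carlo: each trial is one simulated year, loss = LEF sample * LM sample."""
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    return [_draw(rng, lef) * _draw(rng, lm) for _ in range(trials)]


def ale(lef, lm, trials=20_000, seed=7):
    """Annualised Loss Expectancy: the mean of the simulated annual losses."""
    return mean(simulate_annual_losses(lef, lm, trials, seed))


def expected_triangular(value_range):
    """Closed-form mean of a triangular range; used to sanity-check the simulation."""
    return sum(value_range) / 3


def control_roi(ale_before, ale_after, control_cost):
    """(loss avoided - control cost) / control cost. One common ROI form, assumed here."""
    return (ale_before - ale_after - control_cost) / control_cost


def premium_baseline(ale_value, admin_cost, margin_rate):
    """Premium = ALE baseline + administration cost, plus a profit margin on that total.

    The interview only says administration cost and margin are added to ALE; applying the
    margin to the loaded total is an assumption of this example.
    """
    return (ale_value + admin_cost) * (1 + margin_rate)


if __name__ == "__main__":
    before = ale(LEF_NO_MFA, LOSS_MAGNITUDE)
    after = ale(LEF_WITH_MFA, LOSS_MAGNITUDE)
    print(f"ALE without MFA: {before:,.0f}")
    print(f"ALE with MFA:    {after:,.0f}")
    print(f"MFA ROI:         {control_roi(before, after, MFA_ANNUAL_COST):.2f}")
    print(f"Premium baseline (no MFA, 50k admin, 15% margin): "
          f"{premium_baseline(before, 50_000, 0.15):,.0f}")
```

Because LEF and LM are sampled independently, the simulated ALE should land close to the product of the two closed-form triangular means; comparing the two is a cheap check that the ranges were entered in the right order. The same structure extends to several scenarios (sum their annual losses per trial) and to a loss-exceedance curve (sort the per-trial losses), which is what an underwriter would actually want beyond the single ALE figure.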
Persons
Denny Wan is the principal consultant of Security Express (https://www.securityexpress.com.au/), a Sydney, Australia-based cyber security consulting practice. His specialisation includes security policy development, IT security audit, GRC risk management, virtualisation and hybrid cloud security architecture. He is the chair of the Open Group FAIR Sydney Chapter (https://link.fairinstitute.org/group/19-sydney-chapter) and a postgraduate researcher in Supply Chain Risk Management at Macquarie University (https://www.mq.edu.au/) under an Australian Government Commonwealth Scholarship.
Petra Wildemann is the Chair and Founder of the Swiss Cyber Think Tank (https://www.riskcyber-insurance.com), a business network for Cyber Risk & Insurability, providing an industry-wide networking platform for insurers, technology and security firms. As a qualified actuary for Life Insurance and Property & Casualty Insurance in Switzerland (SAV), Germany (DAV) and the UK (IFoA Affiliate), her specialisation includes risk management on a variety of local and global risks. Of late, she has expanded her focus to also include the challenges of modelling the risks in the age of cyber risk (https://www.linkedin.com/pulse/cyber-riskinsurance-challenges-modelling-risks-data-age-wildemann/) and the mismatch between measurement and pricing of cyber-risk insurance policies (http://images.info.fticonsulting.com/Web/FTIConsultingInc/%7B36264fa2-8735-4956-9a87-f69201c1253a%7D_FTI_Consulting_Article_Pricing_Cyber-Risk.pdf).