In a press release on December 12, AIG (American Insurance Group) released information on how the insurance giant is benchmarking and evaluating the cyber risk of its clients. The release and the model it outlines underscore just how seriously insurers are taking the threat of malicious attacks and the importance of cyber insurance. For many years insurers have used actuarial information to guide their policies and premium costs for traditional risks such as loss of property through theft, fire and other causes; now cyber security and its attendant risks have come under the same spotlight.
Cyber insurance metrics
The metrics outline what the insurance leader regards as clients’ maturity when it comes to cyber risk – and how that compares to the maturity of the defenses those clients have against those risks. Of course, an insurance giant would push the line that the emerging cyber insurance premiums are necessary, but that does not mean the findings are not valid – or possibly alarming. The metrics used by AIG are immensely useful to cyber security professionals who may, up until this point, have lacked benchmarking tools that would allow them to evaluate the cyber security risks their organizations face.
The report outlines what the greatest threats are to the clients of the insurance giant as far as inadequate cyber security is concerned – and in this day and age of the ‘Internet of Things’, those responsible for cyber security may find AIG’s metrics on which 11 devices are most at risk of cyber attack and exploitation tremendously interesting.
AIG is possibly uniquely positioned to offer this sort of research to the wider market because it handles thousands of cyber claims each year, and the information it has gathered is an invaluable resource not only for its clients but also for the wider cyber security industry.
Client insight into cyber risk
Of course, the AIG report and model are aimed squarely at providing clients with insight in the service of selling AIG as a thought leader on the issue of cyber security – however, the fact that the report from AIG’s internal sources has been bolstered by what it terms ‘current threat intelligence from multiple sources’ lends it credence.
The model incorporates critical security data, such as current threat intelligence from multiple sources, effectiveness of an organization’s cyber controls, potential impact of a cyber breach on an organization, and other insights gained by AIG over years of handling cyber breach claims.
According to Tracie Grella, head of cyber risk insurance for AIG, the organization ‘developed the model based on historical insights and patterns of how companies experience cyber breaches – the points of entry and the types of attacks and vulnerabilities seen in the vast majority of cyber breach scenarios. Companies have been demanding a way to benchmark their cyber maturity against these known cyber risks to quantify what they are up against and where they stand.’
AIG will also be launching CyberMatics, a patent-pending security approach developed in conjunction with the cybersecurity companies CrowdStrike and Darktrace. CyberMatics verifies inputs into AIG’s model from clients’ cybersecurity tools, providing greater confidence in the information used for underwriting and, again, making the benchmarks used in the report more robust for those cyber security professionals who may, in the past, have lacked a framework to evaluate risk.
Importance of cyber risk benchmarking
There can be no doubt that the model and report issued by the insurance giant are ultimately self-serving, in that they market its cyber security insurance offerings and expertise. However, for those professionals with access to this report, its contents will no doubt be of great interest. The mere fact that it sets out the cyber threats that most affect companies and the devices that are most susceptible to these sorts of attacks will inform and guide efforts to protect vulnerable systems from cyber risk. Importantly, the industry needs such benchmarking models based on historical data as a measure of cyber security maturity and to advance the cyber security dialogue.