This article was produced in partnership with STORM Guidance.
Mia Wallace of Insurance Business sat down with Neil Hare-Brown, CEO of STORM Guidance, to discuss the rising demand for proactive cyber solutions.
From a panoramic view, this morning’s announcement that the UK insurance giant Aviva is utilising STORM Guidance’s Cyber3 assessment to measure insureds’ cyber risk management maturity levels and help determine appropriate limits, is not really a surprise. After all, as exemplified by Aviva’s fraud-prevention activities and initiatives, the insurer consistently favours a proactive approach to risk management.
STORM’s Cyber3: Rapid Risk Review is an intrinsically proactive service, said Neil Hare-Brown, CEO of STORM Guidance, and, as such, appeals to companies engaged with the risk management process and looking not just to protect their balance sheet but also their customers’ businesses.
Cyber3, which measures clients’ Cyber Risk Management Maturity (CRMM) across five key areas – people, processes, technology, data asset awareness and vendor management – and also includes STORM’s ground-breaking Attackers Eye View™ scan, allows firms to comprehensively review the cyber resilience arrangements of insured businesses and their CRMM scores via a secure online portal.
This mitigates a core challenge that many insurers and brokers face – that they are reliant on clients self-reporting their cybersecurity profile, usually via proposal forms. Hare-Brown highlighted that the design and delivery of Cyber3 have been crafted in a bid to remove the “game of tennis” that is the more traditional way of measuring a client’s risk profile.
Rather than continual back and forth between the broker and the insurer, then the broker and the client, and even the client internally, he said, Cyber3 consists of a single question set – derived from analysing 15 different insurer proposal forms and condensing the applicable and overlapping questions into a master set. Looking at cybersecurity best-practice from standards such as ISO 27001, NIST and PCI, the assessment drives a comprehensive view of cyber risk.
“So, when a client does a cyber risk assessment, they are not only asked questions around cybersecurity best practices, but we also cover all the questions that the underwriter wants answered,” he said. “The important thing is that our experienced cyber specialists deliver the Cyber3 assessment via a web conference and we walk the client through the questions and scratch below the surface where needed at that time. We make sure that everybody who needs to be on that call is on that call. The adaptive design of Cyber3 means it only takes 90 minutes but in one go we collect all the information required and significantly reduce the friction for the client.”
This not only saves the insurer, the broker and the client time, he said, but ensures that a truly comprehensive picture of a client’s risk profile is made available. For an hour and a half out of their day, clients are given a holistic view of every cybersecurity concern that they face, as well as guidance and support regarding how to mitigate those challenges.
Many businesses don’t want to invest time and money into actually offsetting their cyber exposures and would rather take a “sticking plaster” approach, he said, as they don’t understand the full range of advantages it brings and have a false impression of how difficult it will be to complete the process. Hare-Brown noted that an interesting element of STORM’s solution, which offers practical, tangible advice and recommendations instead of just insights, is that it is only when an assessment is complete that clients realise the process is far less daunting than they anticipated. It’s just a question of getting started.
Where Cyber3 sets itself apart from other cyber assessment services is that it offers an inside-out approach to pinpointing cyber risk. Others in the market tend to offer a much more external view of the insured, he said, which gives a business a score based purely on looking at its domain without digging deep into the strategies, tactics and operations that ultimately make the client more fundamentally resilient to cyber risks – risks that cannot be detected by externally-focused tools.
“An external-only assessment is not going to be able to judge whether an insured has good data backups, or whether its board has a solid strategy for managing cyber risk and if there’s a cyber champion on that board,” he said. “Another example of this is the IT budget. Is the business running old legacy technologies that are easily exploited by cyber attackers? Are they only spending a single per cent of their overall revenue on IT?
“Then there’s the question of skills, what we call the ‘IT staff count ratio’, which is something we ask in our assessment. This is a key risk indicator. If you run a business and you’ve got 250 end users in your business and you’ve got one person in your IT department looking after those users, you can guess who’s going to be stressed and making mistakes when it comes to cybersecurity.
“These are things you simply can’t tell from an external scan.” He added: “There are many other key risk indicators that only a rich interaction with the insured will surface. Cyber3 brings all of this together to not only present a deep and wide set of findings and recommendations but also to condense these down into an overall CRMM score.”
Examining the shift from reactive to proactive cybersecurity solutions from insurers in recent years, Hare-Brown highlighted that it’s quite a natural reaction to the way the market has been trending. When the cyber insurance market was still in its early growth phase, brokers, who themselves were immature in understanding cyber risk, didn’t want anything that would block the client adoption of cover and so there was a concerted effort to minimise the barrier to entry for clients in terms of risk reporting and assessment of cybersecurity controls.
It was understandable that the industry was looking to minimise that friction, he said, but it reached the point that firms were actually proud they were only asking a handful of questions on their proposal forms. Major cyber incidents such as WannaCry moved the dial on this, and high-profile attacks on multiple organisations have continued to raise the value of cyber insurance – and the need for it to become more proactive in order to remain viable.
“That’s really where some insurers have caught a cold,” he said. “And I think it’s a good thing, because it means that they’re now being much more diligent in their risk management and in understanding what controls and safeguards insureds have got in place, either before they bind on a particular policy or by making that policy subject to those controls. They’re now actually looking to do a thorough assessment of their insureds and Cyber3 is the ideal way to do this.
“Aviva have realised the need to do so, and also that a comprehensive assessment like Cyber3 is not just helping them understand their insureds’ risks but also helping the insured client themselves to improve. Because the whole idea of what we do is to try to draw a direct line of sight between the recommendations that we make and an improvement in a client’s CRMM over time. The insurer wins, the broker wins and, most importantly, the insured client wins! Aviva understands this and that’s why we are honoured to be working with them.”
Neil Hare-Brown has worked for over 30 years in the field of information security. In 2014 he launched STORM Guidance to help victims of cybercrime by supporting cyber insurance markets.