COPEing with Cyber Insurance Risk Assessment

In 2015, more breaches were brought to the public eye than ever before. While reports on these breaches focused heavily on the healthcare and financial sectors, nearly every industry vertical found itself the target of an ever-evolving threat landscape.

Fortunately, our M-Trends 2016 report shows that organizations around the globe are identifying breaches and other compromises faster than ever before. The median number of days an organization was compromised before it discovered the breach (or was notified about it) was 146 – a roughly 50-day improvement over the previous year.

It is still not enough, though. Mandiant’s Red Team can obtain access to domain administrator credentials within roughly three days of gaining initial access to an environment, so 146 days is at least 143 days too long. Until compromises are identified within a few days or even hours, breaches will continue to result in the loss of massive amounts of personally identifiable information, theft of credit card data, and – in some instances – entire systems being held for ransom.

Data loss is not all that breached organizations face – the overall financial impact can be staggering. According to the 2016 Cost of Data Breach Study: Global Analysis conducted by the Ponemon Institute, the average total cost of a data breach is $4 million. The following are additional costs specific to the U.S.:

  • Average notification costs – $590,000
  • Average post-breach costs – $1,720,000
  • Average lost business costs – $3,970,000
  • Average detection and escalation costs – $730,000

Organizations are seeking to mitigate their risk by purchasing cyber insurance policies. The most recent Betterley Report concludes that the “annual gross written premium may be as much as $3.25 billion (up from $2.75 billion in last year’s report),” a nearly 20 percent increase in the purchase of cyber insurance policies.

As organizations shift their attention to this growing industry, Mandiant has developed the Cyber Insurance Risk Assessment (CIRA). The CIRA’s goal is to help businesses determine their risk posture at a high level so they can make well-informed decisions about purchasing a cyber insurance policy.

The Cyber Insurance Risk Assessment is based on the four foundational domains that underwriters have long used to assess an organization when preparing a policy. These domains are Construction, Occupancy, Protection, and Exposure (COPE), and each evaluates the risks the organization faces within that area of the assessment. This very traditional method of risk evaluation has been brought into the information security sector with the development of the Cyber Insurance Risk Assessment. Mandiant uses these existing pillars to focus on different aspects of an organization’s ability to mitigate cyber risks, providing a deeper understanding of its strengths and weaknesses.

This understanding comes from breaking these domains into subdomains to provide a comprehensive look at the capabilities within each. Examples of these subdomains include assessments of the organization’s Data Management capabilities, Asset Management processes, and Incident Response procedures, as well as the Threat Landscape the organization is up against, its Crisis Management flows, and many other areas. Together these give a full picture of the risk posture considerations the organization faces when preparing for a cyber insurance policy.

As the threat landscape continually evolves and transitions, organizations must take measures to ensure their risk exposure is minimized. The Cyber Insurance Risk Assessment helps organizations gain visibility and understand the risks they face, allowing the businesses to better insure against them.

More information on the Cyber Insurance Risk Assessment is available here, or you can email create@fireeye.com.