Things have been tough recently in the cyber insurance industry. Businesses have a difficult time finding affordable policies with the right limits that don’t exclude ransomware. Underwriters suffer from the high claims associated with ransomware and struggle to return loss ratios to profitable levels. These challenging times, however, are forging a resurgence in cyber business intelligence – the idea that insights into cyber risk aren’t just for mature enterprises looking to avoid a breach.
Let’s start by leveling on the term cyber business intelligence and why it differs from cyber threat intelligence. In the mid 2010s, the term cyber business intelligence appears to have made a short run in the lexicon of cybersecurity, but terms like cyber threat intelligence or vulnerability assessments surged in prevalence. These terms differ because they imply a focus on introspection. The terms refer to activities where you assess yourself and your own risks or engage with an outside firm that will help you do those things.
At the time, the popularity of those terms were well earned. The disciplines of risk discovery were reaching maturity, aided by a maturing infosec industry with now well-established standards and best practices. In other words, those were the areas where people needed to focus because they were so important at that time. Get your shield up, understand what types of things to look for and identify the tell-tale signs of danger. The risk is real and you are holding the risk.
Now that the hierarchy of cyber needs had been met on this primary level, the hurdle of the 2020s presented itself. As we discovered that we are holding the risk, savvy businesses sought to transfer all or part of that risk. And that wasn’t a hurdle – until it was. As the age-old violence of “ransom” regained popularity through the ease at which attackers could execute and benefit from ransomware attacks, the increased transference of that risk caught the insurance industry off guard.
Before the era of ransomware, cyber insurance was a great way to make money. It could be fair to say that risk assessments weren’t rigorous or serious enough or that the underwriters didn’t truly understand the risk. When times were simple, the old five-question survey during the application process where you answered questions like “how do you feel about your security” (only half joking) was just fine. It worked and it was profitable, but the old ways of assessing risk via surveys, assumptions and historical trends were very limited. They served a purpose, but they were not agile enough to keep up with ransomware and whatever emerges as the next threat trend.
Because cyber insurance deals with risk that has been transferred, there is a subtle but powerful distinction from the need to understand your own risk. In many cases, insurance companies that can curate low risk pools and a favorable loss ratio can significantly improve profits. That’s not the only way they make money, but it is one way.
Now enter the resurgence of cyber business intelligence. While concepts like cyber threat intelligence and risk assessments focus on preventing loss, cyber business intelligence aligns with concepts already utilized elsewhere in a business environment. “What pieces of knowledge and trends can I follow – that by following them I can be more profitable?” This is a different mindset. This is one anchored on the idea that “you’ve got to spend money to make money.” This drives a culture and enthusiasm that can foster better innovation, better results and faster progress.
There’s another key word there. Business. Not only relevant to technical experts, this information is equally relevant to business leaders and key decision makers. Now the purpose of that intelligence is not just to maintain a shield. It can help drive an organization forward.
Companies that receive transferred cyber risk provide fertile ground to sow new ideas around risk-related data and information as cyber business intelligence. The purpose of cyber business intelligence is to always be there to illuminate and guide leaders toward achieving more efficient and smarter business performance.
Insurance will bring back cyber business intelligence. Once they do, they will reverse the current profit loss trend into a highly profitable trend, companies will benefit from better policies more tailored to their unique risk profile and other industries that accept or deal with the transference of cyber risk will also flourish if they can recognize the opportunity to harness cyber risk intelligence.
Source: CPO Magazine
