Cyber insurance, human risk, and the potential for cyber-ratings

It’s undeniable that cyber insurance and cybersecurity are intrinsically linked. One requires the other, and they are a perfect pairing, even if they may deny the relationship. Looking ahead, however, we probably need to add a third party into the relationship: the business. Now we have everyone in the room, what could the future hold?

There are obvious areas of evolution in the relationship. Insurers want to know that cybersecurity is not just turning up for work, but that it is also doing a good job. It’s likely that insurers will want to see this good job in action, in near real-time, and in some instances possibly in real-time.

For example, if an insurer requires endpoint detection and response (EDR), they don’t mean “install it and forget about it” until next year’s insurance renewal. They want to know that the system is operational and that alerts are being responded to promptly. We can already see this oversight requirement as some insurers are heading down a path of providing an element of managed services or requiring regular reports from EDR systems. However, this provision of service via the insurer may be causing a monoculture environment of security products, where all the insured are protected by a single product – something I advise against.

Where might this go long-term? What might insurers see as another method of reducing risk that ultimately removes the need for them to pay out on a claim? After all, their goal is to minimize payouts and maintain profitability.

Humans pose a significant risk in cybersecurity terms. They can be socially engineered, make mistakes, take shortcuts, and, unfortunately, their behavior is difficult to change. As insurers look to protect their profits and reduce claims, how can they solve the issue of the human risk?

This challenge is not dissimilar from the one faced by the finance industry, which attempts to reduce the financial risk of loaning money to humans who make bad decisions, don’t make payments, or are, maybe, a little reckless with their cash. A significant part of the answer in the finance industry is credit ratings: each human is awarded a dynamic score that changes as behavior patterns change, and financial organizations can adjust their risk in near real-time. This is a data-based decision made possible by using advanced AI technology and because data about our financial transactions is shared, at least in part.

Could cyber-ratings be the future?

Could cyber insurers leverage a similar approach and create risk profiles for individuals within an organization that would help prevent costly claims by predicting whether an individual is likely to make a bad cybersecurity decision or action? In other words, could we see the development of a “cyber-rating”, similar to the credit rating used in finance?

In some countries and regions, a potential employer may reject an applicant based on their credit rating, at least for roles where financial responsibility is required, and there may come a day where a cyber-rating is used in the same way.

Now imagine a scenario where every internet user has such a rating based not on the detail of their transactions or communications, but on some specific elements of their online interactions and patterns of behavior. With enough information, a data-based prediction could be made on whether a person will click a phishing link, attach unencrypted data to an email, or engage in questionable browsing habits. As with credit ratings, everybody could view their cyber rating, and take advice on how to improve it, just as we do with credit ratings today.

Employers could use this metric to ensure they are offering a position to a cyber-responsible individual who will not put the company at risk. Insurers may require their clients not to employ anyone below a certain score, or to put limitations on those with lower scores, thus reducing the insurer’s risk exposure.

Some employers already monitor employee online behavior and identify those that pose a risk, so that they can then reinforce cybersecurity awareness and policy to reduce the risk. This is controversial, though, as it may infringe privacy and employment law. On the other hand, a potential employee may be willing to waive these rights if it means securing a job, in the same way they may consent to the employer running a credit rating check.

A cyber-rating could have other uses, and even strengthen the credit rating system. Online fraud and scams often require the victim to have taken actions online; if the probability of someone clicking on that unbelievable offer or a scam email were known due to the cyber-rating, then a bank may place additional authentication requirements for that person when transacting online. The two ratings could potentially complement each other.

On the other hand, obviously the security surrounding cyber-ratings would need to be very stringent. If these risk scores were to fall into the wrong hands, cybercriminals could weaponize them to identify the people who are most susceptible to phishing and other attacks. This could effectively turn the system into a tool for targeting vulnerable individuals, undermining its purposes in enhancing cybersecurity measures and risk management.

There are many ways cyber insurance could evolve over time, but the ability to remove or reduce the human risk would be the next big win beyond imposing the current cybersecurity requirements that insurers insist on today.

Business transformation and hybrid working with AI: How should organizations respond to the growing cyber risk?

Listen to journalist Peter Warren’s conversations with Prof. Leslie Wilcox, Professor at London School of Economics, about the problem with digitalization, and the importance of balancing cost-efficiency and cyber resilience.