What Drives Over- and Under-Confidence in Cyber Security?

Libby Benet* Global Chief Underwriting Officer, Financial Lines, AXA XL

Libby’s experience in the insurance and reinsurance sector spans over 30 years. She joined AXA XL in February 2020 after serving as President and CEO of Cyber Secure Work Inc, and holding several senior positions across the likes of Beazley, General Reinsurance, and Zurich Financial Services, among others. She is a member of the Minnesota Lawyers Mutual Board of Directors through the International Association of Privacy Professionals. She is a certified information privacy professional, and certified as a privacy information manager.

Billy Gouveia

Billy joined S-RM in 2019 as Senior Managing Director. He also forms part of S-RM’s Executive Committee. Prior to S-RM, his career spanned the tech startup scene, management consulting positions at Booz Allen Hamilton, Sungard, and Protiviti as well as service in the US military. He holds degrees from Columbia University and Georgetown’s School of Foreign Service.

For the full discussion, tune into Episode 9 of S-RM Insider, available wherever you get your podcasts.

S-RM: What does cyber confidence mean to you?

BILLY: With cyber confidence – as a concept – we’re exploring a measure of how large the gap is between how you might feel about your cyber security posture’s effectiveness and its actual effectiveness. If you have cyber confidence, it means that you understand your security posture, you feel good about your security posture and your security posture is indeed good. However, there’s a lot of room for mismatches here. For example, you might feel very insecure about the state of your security posture, as though you’re never doing enough, when in fact you are. On the other hand, you might be feeling completely satisfied with your security posture, certain that you’ve covered all your bases, when in fact you haven’t: you’re overconfident. Both over- and under-confidence are prevalent in our sector, and understanding the drivers behind the gaps I’ve mentioned, and how to address them, is something we’re extremely focused on.

LIBBY: From the insurance perspective, we evaluate our insureds, or applicants, to determine where they are on their roadmap to cyber confidence. But at the same time, insurance itself forms a part of that roadmap. We therefore also want to determine to what extent an organisation understands which risks it wants to assume, i.e. what they want to keep, and which ones they want to transfer via insurance.

“If you have cyber confidence, it means that you understand your security posture, you feel good about your security posture and your security posture is indeed good.”

S-RM: What do you think is one of the primary obstacles that prevent cyber security professionals from feeling confident about their security posture?

BILLY: I think a major challenge arises when organisations don’t take the time to understand what their real business risks are in the first place. There’s a tendency to overcomplicate cyber security. In fact, I think this is an industry (of which I’m admittedly part), that has an over-complication problem. There’s a lot of information out there, it’s very dynamic and some of it is quite technical. And there are a lot of providers that are trying to create uncertainty and anxiety based on throwing scary numbers around.

The impact of this is that instead of thinking through their cyber risk in a logical and systematic way, organisations feel confused by all the information, and that can lead to an oversimplification of the risks. So I think it’s incumbent on security leaders and management teams to take the time to understand what those risks really are, what they actually mean for the business and what should be done about them.

LIBBY: I think the issue of complexity or over-complexity often comes into play with management teams who frequently fail to understand what their responsibility is as business leaders and as board members. It might be the result of them feeling overwhelmed.

But because of that feeling, leadership teams tend to hold their IT and information security teams responsible for all things cyber security. I think that’s a mistake. As Billy says, leaders have to understand what the business risks are, and while those people in IT and information security are your hands and feet on the ground, this business risk analysis at the highest levels still needs to be conducted, and decisions taken as to what to do about it.

S-RM: How can organisations gain a clearer understanding of the impact a cyber-attack might have on them? And what role does cyber insurance play here specifically?

LIBBY: The cyber insurance industry is very much about risk mitigation, and therefore it plays an important part in any business risk analysis. If you’ve never experienced a cyber incident before, you may under-appreciate the impact on your organisation. We, in the insurance sector, have visibility of the types of losses incurred by organisations who have suffered a cyber-attack – because we’re paying them. And because we have a very deep knowledge of historical losses and how they came about, we can be an important source of information on what that might look like for those companies that haven’t had a loss yet.

BILLY: Certainly, we see that all the time in our incident response work, and in our planning and exercising sessions in which a company may be the victim of a ransomware attack, for example. One of my roles is to educate them and help set their expectations around how long it would take to recover, irrespective of which path they take, be it recovering from backups, decrypting after a negotiation with the threat actor, or rebuilding their entire infrastructure. Oftentimes there’s a mindset of: ‘I’ll just get the keys and I’ll decrypt everything. I’ll be back to normal in three business days.’ But that is simply not the case. So, I think another key point that organisations can learn from their cyber insurance is the expected time of business interruption.

S-RM: What factors do organisations consider when deciding whether to purchase cyber insurance? And where are the blind spots?

LIBBY: I think there is an opportunity in the industry to help drive improvements in this area. I don’t think that insureds really understand what they’re buying sometimes. I think many organisations buy a cyber policy and think, ‘Okay, good. I’ve got this. I’ve got the issue covered.’ But they don’t actually understand the many ways in which their business can sustain a loss.

An example of that is the trend we’re seeing with regards to attacks on operational technology. An organisation may purchase a cyber insurance product that is focused on breaches of personally identifiable information or corporate information and the downstream impacts that relate to these types of breaches. But what if an attack occurs on an operational technology that then causes a fire or equipment breakdown? Have the consequences of that been thought through?

“I think many organisations buy a cyber policy and think: I’m good. But they don’t actually understand the many ways in which their business can sustain a loss.”

So, I think we have an opportunity to help policyholders make sure that they are covering the diverse range of business risks that they are exposed to in the event of a cyber incident. When it comes to cyber insurance, businesses – in conjunction with their insurance agents/brokers – need to evaluate whether there is adequate coverage in the event of damage, loss, modification or unauthorised access of information, and whether there is coverage in the event of a breach of privacy and regulatory non-compliance. In other words, when advising a company that wants to purchase cyber insurance, insurance sector practitioners must understand not only that company’s security posture, but also what type of losses the company is likely to incur if it gets hit with a cyber-attack.