Cyber COPE™ - Cyber Underwriting Model
The content of this document is solely for informational purposes and is not intended as legal advice. It may
not be copied or disseminated in any way without the permission of a member of Chubb Group.
Published 7/2016 Page 1 of 11
Cyber COPE™ Transforming Cyber Underwriting
Synopsis
Cyber COPE™ is a new model for cyber underwriting, intended to simplify and improve the assessment of both cyber and privacy risks. It is based on COPE, which has been adopted by property underwriters to assess property risk for hundreds of years.
Russ Cohen, Director of Cyber/Privacy Services, Chubb, 215-640-1239
Contents
Introduction (p. 3)
Property Underwriting with the COPE Model (p. 3)
Cyber COPE™ (p. 5)
  Goals (p. 5)
  Transforming COPE to Cyber COPE™ (p. 5)
  Components (p. 6)
  Organization (p. 7)
  Protection (p. 8)
  Exposures (p. 9)
Sample Implementation of Cyber COPE™ (p. 10)
Conclusion (p. 11)
Introduction
Are you a smoker? Have you been in an auto accident in the last year? What is
your birthdate? Are you male or female? How many floors are in your building?
Insurance companies ask simple, objective questions like these so they can
provide coverage and limit financial losses. What kind of questions will
insurance companies ask if you are looking for cyber insurance? Do you encrypt
all sensitive information? Do you have a firewall at all Internet access points?
Do you have anti-virus software installed? Do you patch computer systems for
all known vulnerabilities? The answers to these and other cyber-related
questions tend to be more complex and subjective. This lack of simplicity and
objectivity makes the risk evaluation process for underwriters a very “risky”
proposition. All this led to the question, “If a property underwriter can use the
number of floors, can the number of computers be used to underwrite cyber?”
The answer was the idea of applying a time-tested property underwriting model
(called COPE) to technology to improve the overall quality of cyber underwriting
and data intelligence.
Property Underwriting with the COPE Model
Close your eyes for a few seconds and picture any building in your mind. Can
you estimate the square feet? Do you know what types of companies are using
the building? Do you think there is an alarm system? Is the building near a
major airport? It’s ok if you don’t know the answers, but you probably
understood the questions. Either way, the previous four questions get their cues
from the COPE model.
In property underwriting, COPE is an acronym for Construction, Occupancy,
Protection and Exposures. Each letter represents a group of data points that
contribute to evaluating the overall risk of a particular structure. Construction
gathers data points that describe such things as the materials, square footage
and age of a structure. Occupancy gathers data points on what the company
does and how the company manages the hazards associated with what they do.
Protection measures the factors that can help mitigate various types of structural
exposures. Exposures describes information on the potential exposures related
to a particular property.
So now imagine a simple three-story building. It’s made mainly of steel and
brick. There are four businesses that use the building with approximately 20
employees each. The building has a central sprinkler system and alarm and meets
all other building codes. It is located in a wooded office complex in San Diego,
California. Although a lot more information is needed to produce an
actual insurance quote, the COPE model is highly effective for gathering and
organizing information so that a property underwriter can effectively evaluate a
property risk. But what makes the COPE model so effective?
Underwriting can be as much of an art as it is a science. This is because it
requires analyzing both objective measurements (“the science”) and subjective
measurements (“the art”). That is one of the key benefits of the COPE model - it
helps a property underwriter leverage both the objective and subjective
measures to make a better decision about a risk. A building is made of 75%
wood (objective) and the fire suppression system is 20 years old (subjective). An
underwriter can weigh these two facts to determine the risk which contributes to
the overall pricing of a policy. The subjective measurement can also provide the
opportunity to improve a risk for a policyholder (“You may want to look into an
upgrade to your sprinkler system.”).
Objective Measurements: Construction, Occupancy
Subjective Measurements: Protections, Exposures
Now having a basic understanding of the COPE model, we can return to the
premise of this paper.
Cyber COPE™
Goals
As we have seen, COPE is simple and provides different measurements to help
underwriters make better decisions on property risks. So how can COPE be
applied to technology to improve the overall quality of cyber underwriting
decisions? Before trying to answer this question with Cyber COPE™, a few goals
were established for the model. First, it must be simple so individuals with
technical and non-technical knowledge can use it. Second, it must provide both
objective and subjective measurements in line with the original COPE model.
Finally, it must foster information sharing so that organizations can learn from
each other to help limit future losses.
Transforming COPE to Cyber COPE™
So taking the original premise of COPE, we start by transforming Construction
to “Components”. Similar to a physical building, Components represents those
objective data elements that provide information on the overall “cyber structure”
of a company. Examples include number of computers, user accounts and
Internet connections. Next we transform Occupancy to “Organization”. Similar
to the make-up of the company, Organization captures those objective data
elements about the people, process, information and overall enterprise risk
strategy. Examples include company industry, number of employees, number of
contractors and budget allocations for cyber security. The last two elements of
the COPE model, Protection and Exposures, remain the same. However, instead
of property, the aim is to capture those subjective data elements that describe a
company’s cyber defenses (“Protection”) and potential cyber weaknesses
(“Exposures”). Examples of Protection include encryption, firewalls and
intrusion detection. Examples of Exposures include threat actors, system errors
and software vulnerabilities.
The following table summarizes the transition from COPE to Cyber COPE™:

COPE           Cyber COPE™    Objective vs. Subjective   Example Data Elements
Construction   Components     Objective                  computers, networks
Occupancy      Organization   Objective                  people, information
Protection     Protection     Subjective                 encryption, access controls
Exposures      Exposures      Subjective                 internal, external
The next four sections will provide additional details on the four areas of the
Cyber COPE™ model and how they address the original goals of simplicity,
objective/subjective measurement and information sharing.
Components
So what are the data elements that would help to provide a “cyber structure” of a
company? Before providing some suggested data elements, it is important to
understand that the data must be as objective as possible. Therefore, for each
element, the goal is to measure against the simplicity of the question “number of
floors in a building”. Number of floors is very objective and meets the
requirement of being simple for everyone to understand. The following data
elements are examples of measurements within Components. They have been
presented as questions to help aid in the ongoing simplicity:
How many endpoints (e.g., desktops, laptops, mobile devices) are used by the company?
How many employee user accounts or “IDs” do you have?
How many non-employee user accounts do you have?
How many public Internet connections does your company have?
How many 3rd parties do you use for storing or processing company information?
In addition to these data elements being objective, it is important to note that
they must be as “publicly accessible” as possible to be effective. Property
underwriting is enabled through many data elements that are publicly available
and accessible by multiple entities (i.e. Construction). In Cyber COPE™, the
questions within Components must also meet this requirement. Meeting this
requirement will make information sharing more effective and unlike other
models, the information being shared is less likely to be used by threat actors.
The data elements within Components represent one of the greatest
opportunities for innovation. Coming up with data elements that balance
objectivity and accessibility will be a challenge. However, if they are developed properly
with input from multiple perspectives, the cyber marketplace can benefit in
assessing current risks and predicting future events.
Organization
The data elements captured in Organization are more straightforward than those
in Components. These data elements must also be as objective as possible for
the model to be effective. What we are trying to achieve within Organization
is to gather those data elements that can provide a “board level” or enterprise
view of cyber security to an underwriter. As with Components, the data
elements are framed against the question of “floors in a building” to help drive
objectivity. The following data elements are examples of measurements within
Organization. They have been presented as questions to help aid in the ongoing
simplicity:
What is your company’s primary industry?
Which industry security standards do you leverage?
Do you have specific security language built into 3rd party agreements?
What PCI merchant level is your company?
What percentage of the IT budget is allocated to cyber security?
As we progress down the Cyber COPE™ model, we will see that the level of
accessibility of the data elements being captured is naturally reduced. This
is because the questions we ask reveal more about a company’s cyber
security posture. So although we want to maintain objectivity, we also need
to be cognizant of the sensitivity of the data being captured. Therefore, as these
questions are developed, the goal of the model is to ask questions that capture
data that is as objective as possible.
Protection
The data elements captured in Protection revolve around the security controls
that exist within a company to help prevent a cyber incident. These data
elements are reminiscent of those found in existing security standards such as
NIST, PCI and ISO 27001. Although it would be easy to insert questions
from these standards into an application for cyber insurance, they are far too
lengthy for organizations to complete - especially smaller ones. In addition,
insurance companies, brokers and agents would not have sufficient resources to
assess all the data points provided by these standards.
Therefore it is suggested that the Protection data elements should be based on a
refined, core set of security controls. Although new types of attacks are
occurring all the time, the same vulnerabilities are still being exploited year over
year. For example, ransomware is a new type of malware that restricts access to
files unless a ransom is paid to the attacker. However, ransomware is generally
only effective if someone clicks a malicious link in an email (i.e., the untrained
human being is exploited). Therefore with Protection, the goal is to decide
which security controls are essential regardless of company and allow a degree
of subjectivity on top of them. The following data elements are examples of
measurements within Protection. They are presented as simple terms instead of
questions because the initial goal is to decide upon the refined controls first
(objective) and then provide flexibility to build subjective questions:
1. Awareness - How often are employees trained on cyber security?
2. Authentication - Do you enforce password hygiene?
3. Encryption - Is your sensitive data encrypted at rest and in transit?
4. Firewalls - Do you limit ports on all Internet access points?
5. Anti-Malware - What anti-malware software do you install?
6. Systems Management - Do you have any unsupported software running?
7. Account Management - Do you restrict access based on job function and responsibilities?
Although these are just examples of data elements and questions, it is important
for the industry to come together on what is truly important to prevent the
majority of attacks. If we polled the top cyber security experts, what would they
say? In addition, these data elements should also be prioritized (which is why
they have been suggested using numbers). If the “human” is statistically the
weakest link then the most questions should be asked about the security
awareness program and authentication. Having these prioritized would also
provide the benefit of prioritizing loss control investments.
Exposures
When we think of exposures in property, we think of things like natural disasters,
fire, floods, theft, etc. So naturally in Cyber COPE™, we need to determine
cyber-related exposures and which ones apply to any particular company.
However, in order to align with property we need to understand and agree upon
the underlying characteristic of a cyber exposure. The primary characteristic is
that an exposure generally cannot be controlled. In property, for example, we
can try to predict where a hurricane may strike but we have no control over the
hurricane itself. In cyber, we can try to predict which company hacktivists may
target but we have no control over the hacktivists’ motivation or determination.
Since these are more subjective measures, they are presented as simple terms
instead of leading questions:
Handling of Desirable Information - corporate data, customer data
Targeted Attacks - motivated threat actors
Non-targeted Attacks - unintentional human errors
Third Party Resources - outsourcing
Common Software Vulnerabilities - Java, Flash, Windows
System/Software Errors - programming errors
Compliance or Regulatory Requirements - PCI, HIPAA
Let’s briefly take a look at one of these Exposures - Handling of Desirable
Information. The first question - is this something that can be controlled? If
you store/process millions of credit cards, one could argue that you could
outsource this function to a 3rd party processor. However, the company you are
insuring is still responsible for protecting that information (i.e., the Exposure
still exists). If multiple companies use the same payment processor, the
Exposure increases due to risk aggregation - especially for the insurance
company.
Sample Implementation of Cyber COPE™
The initial model was leveraged during the development of the Chubb Cyber
Facility Insurance Product, which provides up to $100 million of primary
capacity, as the basis for the application for insurance. Using the model, Chubb
worked with strategic partners to create a question set that provides the
necessary data elements to help underwriters assess cyber risk and price
accordingly. The model also served as the basis to foster ongoing dialogs with
prospective buyers on the topic of cyber risk.
Figure 1 - Sample Pages from Chubb Cyber Facility Assessment
Conclusion
This is just the beginning, and the model is open to innovation, particularly in the
Components and Exposures sections. We will be collaborating with industry
leaders to help refine these objective measurements with the goal of correlating
specific components and exposures to cyber risk. This will not only provide
the insurance industry with the data needed to better predict the frequency and
severity of cyber-attacks and risk aggregation, but also allow the insurance
industry to share this data with its policyholders in all industries.