
Cyber COPE™ - Cyber Underwriting Model

The content of this document is solely for informational purposes and is not intended as legal advice. It may not be copied or disseminated in any way without the permission of a member of Chubb Group.

Published 7/2016 Page 1 of 11

Cyber COPE™ Transforming Cyber Underwriting

Synopsis

Cyber COPE™ is a new model for cyber underwriting, intended to simplify and improve the assessment of both cyber and privacy risks. It is based on COPE, which has been adopted by property underwriters to assess property risk for hundreds of years.

Russ Cohen Director of Cyber/Privacy Services 215-640-1239 [email protected] CHUBB


Contents

Introduction  3
Property Underwriting with the COPE Model  3
Cyber COPE™  5
  Goals  5
  Transforming COPE to Cyber COPE™  5
  Components  6
  Organization  7
  Protection  8
  Exposures  9
Sample Implementation of Cyber COPE™  10
Conclusion  11


Introduction

Are you a smoker? Have you been in an auto accident in the last year? What is your birthdate? Are you male or female? How many floors are in your building? Insurance companies ask simple, objective questions like these so they can provide coverage and limit financial losses. What kind of questions will insurance companies ask if you are looking for cyber insurance? Do you encrypt all sensitive information? Do you have a firewall at all Internet access points? Do you have anti-virus software installed? Do you patch computer systems for all known vulnerabilities? The answers to these and other cyber-related questions tend to be more complex and subjective. This lack of simplicity and objectivity makes the risk evaluation process for underwriters a very “risky” proposition. All this led to the question, “If a property underwriter can use the number of floors, can the number of computers be used to underwrite cyber?” The answer was the idea to apply a time-tested property underwriting model (called COPE) to technology to improve the overall quality of cyber underwriting and data intelligence.

Property Underwriting with the COPE Model

Close your eyes for a few seconds and picture any building in your mind. Can you estimate the square feet? Do you know what type of company(s) are using the building? Do you think there is an alarm system? Is the building near a major airport? It’s OK if you don’t know the answers, but you probably understood the questions. Either way, the previous four questions get their cues from the COPE model.

In property underwriting, COPE is an acronym for Construction, Occupancy, Protection and Exposures. Each letter represents a group of data points that contribute to evaluating the overall risk of a particular structure. Construction gathers data points that describe such things as the materials, square footage and age of a structure. Occupancy gathers data points on what the company does and how the company manages the hazards associated with what they do. Protection measures the factors that can help mitigate various types of structural exposures. Exposures describes information on the potential exposures related to a particular property.

So now imagine a simple three-story building. It’s made mainly of steel and brick. There are four businesses that use the building, with approximately 20 employees each. The building has a central sprinkler system and alarm and meets all other building codes. It is located in a wooded office complex in San Diego, California. Although a lot more information is needed to produce an actual insurance quote, the COPE model is highly effective for gathering and organizing information so that a property underwriter can effectively evaluate a property risk. But what makes the COPE model so effective?

Underwriting can be as much of an art as it is a science. This is because it requires analyzing both objective measurements (“the science”) and subjective measurements (“the art”). That is one of the key benefits of the COPE model - it helps a property underwriter leverage both the objective and subjective measures to make a better decision about a risk. A building is made of 75% wood (objective) and the fire suppression system is 20 years old (subjective). An underwriter can weigh these two facts to determine the risk, which contributes to the overall pricing of a policy. The subjective measurement can also provide the opportunity to improve a risk for a policyholder (“You may want to look into an upgrade to your sprinkler system.”).

Objective Measurements: Construction, Occupancy
Subjective Measurements: Protections, Exposures

Now that we have a basic understanding of the COPE model, we can return to the premise of this paper.


Cyber COPE™

Goals

As we have seen, COPE is simple and provides different measurements to help underwriters make better decisions on property risks. So how can COPE be applied to technology to improve the overall quality of cyber underwriting decisions? Before trying to answer this question with Cyber COPE™, a few goals were established for the model. First, it must be simple so individuals with technical and non-technical knowledge can use it. Second, it must provide both objective and subjective measurements in line with the original COPE model. Finally, it must foster information sharing so that organizations can learn from each other to help limit future losses.

Transforming COPE to Cyber COPE™

So, taking the original premise of COPE, we start by transforming Construction to “Components”. Similar to a physical building, Components represents those objective data elements that provide information on the overall “cyber structure” of a company. Examples include number of computers, user accounts and Internet connections. Next we transform Occupancy to “Organization”. Similar to the make-up of the company, Organization captures those objective data elements about the people, process, information and overall enterprise risk strategy. Examples include company industry, number of employees, number of contractors and budget allocations for cyber security. The last two elements of the COPE model, Protection and Exposures, remain the same. However, instead of property, the aim is to capture those subjective data elements that describe a company’s cyber defenses (“Protection”) and potential cyber weaknesses (“Exposures”). Examples of Protection include encryption, firewalls and intrusion detection. Examples of Exposures include threat actors, system errors and software vulnerabilities.


The following table summarizes the transition from COPE to Cyber COPE™:

COPE          Cyber COPE™    Objective vs. Subjective   Example Data Elements
Construction  Components     Objective                  computers, networks
Occupancy     Organization   Objective                  people, information
Protection    Protection     Subjective                 encryption, access controls
Exposures     Exposures      Subjective                 internal, external

The next four sections will provide additional details on the four areas of the Cyber COPE™ model and how they address the original goals of simplicity, objective/subjective measurement and information sharing.

Components

So what are the data elements that would help to provide a “cyber structure” of a company? Before providing some suggested data elements, it is important to understand that the data must be as objective as possible. Therefore, for each element, the goal is to measure against the simplicity of the question “number of floors in a building”. Number of floors is very objective and meets the requirement of being simple for everyone to understand. The following data elements are examples of measurements within Components. They have been presented as questions to help aid in the ongoing simplicity:

- How many endpoints (e.g., desktops, laptops, mobile devices) are used by the company?
- How many employee user accounts or “IDs” do you have?
- How many non-employee user accounts do you have?
- How many public Internet connections does your company have?
- How many 3rd parties do you use for storing or processing company information?

In addition to these data elements being objective, it is important to note that they must be as “publicly accessible” as possible to be effective. Property underwriting is enabled through many data elements that are publicly available and accessible by multiple entities (i.e., Construction). In Cyber COPE™, the questions within Components must also meet this requirement. Meeting this requirement will make information sharing more effective and, unlike other models, the information being shared is less likely to be used by threat actors.

The data elements within Components do represent one of the greatest opportunities for innovation. Coming up with data elements that can balance objectivity and accessibility will be a challenge. However, if developed properly with input from multiple perspectives, the cyber marketplace can benefit in assessing current risks and predicting future events.

Organization

The data elements captured in Organization are more straightforward than those in Components. These data elements must also be as objective as possible for the model to be effective. What we are trying to achieve within Organization is gathering those data elements that can provide a “board level” or enterprise view of cyber security to an underwriter. As with Components, the data elements are framed against the question of “floors in a building” to help drive objectivity. The following data elements are examples of measurements within Organization. They have been presented as questions to help aid in the ongoing simplicity:

- What is your company’s primary industry?
- Which industry security standards do you leverage?
- Do you have specific security language built into 3rd party agreements?
- What PCI merchant level is your company?
- What percentage of the IT budget is allocated to cyber security?

As we progress down the Cyber COPE™ model, we will see that the level of accessibility of the data elements being captured will be naturally reduced. This is due to the fact that the questions we ask reveal more about a company’s cyber security posture. So although we want to maintain objectivity, we will also need to be cognizant of the sensitivity of the data being captured. Therefore, as these questions are developed, the goal of the model is to ask questions that capture data that is as objective as possible.

Protection

The data elements captured in Protection revolve around the security controls that exist within a company to help protect against a cyber incident. These data elements are reminiscent of those found in existing security standards such as NIST, PCI and ISO 27001. Although it would be easy to insert questions from these standards into an application for cyber insurance, they are far too lengthy for organizations to complete - especially smaller ones. In addition, insurance companies, brokers and agents would not have sufficient resources to assess all the data points provided by these standards.

Therefore it is suggested that the Protection data elements must be based on a refined, core set of security controls. Although new types of attacks are occurring all the time, the same vulnerabilities are still being exploited year over year. For example, ransomware is a new type of malware that restricts access to files unless a ransom is paid to the attacker. However, ransomware is generally only effective if someone clicks a malicious link in an email (i.e., the untrained human being is exploited). Therefore with Protection, the goal is to decide which security controls are essential regardless of company and allow a degree of subjectivity on top of them. The following data elements are examples of measurements within Protection. They are presented as simple terms instead of questions because the initial goal is deciding upon the refined controls first (objective) and then providing flexibility to build subjective questions:

1. Awareness - How often are employees trained on cyber security?
2. Authentication - Do you enforce password hygiene?
3. Encryption - Is your sensitive data encrypted at-rest and in-transit?
4. Firewalls - Do you limit ports on all Internet access points?
5. Anti-Malware - What anti-malware software do you install?
6. Systems Management - Do you have any unsupported software running?
7. Account Management - Do you restrict access based on job function and responsibilities?

Although these are just examples of data elements and questions, it is important for the industry to come together on what is truly important to prevent the majority of attacks. If we polled the top cyber security experts, what would they say? In addition, these data elements should also be prioritized (which is why they have been suggested using numbers). If the “human” is statistically the weakest link, then the most questions should be asked about the security awareness program and authentication. Having these prioritized would also provide the benefit of prioritizing loss control investments.
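As an added illustration of the prioritization point above (this is not Chubb's question set or scoring logic), the following Python sketch turns the numbered control list into a weighted Protection score and an ordered list of loss-control investments. The seven control names and their order come from the list above; the rank-based weights, the 0 to 3 maturity scale, the function names and the sample answers are assumptions made for the example.

```python
"""Weighted scoring of a prioritised Protection question set.

Added illustration, not Chubb's own question set or scoring logic. The seven
control names and their order follow the examples in this paper; the rank-based
weights, the 0-3 maturity scale and the sample answers are constructed.
"""
from dataclasses import dataclass

# Listed in the paper's order; position 1 is the highest priority.
PROTECTION_CONTROLS = [
    "Awareness",
    "Authentication",
    "Encryption",
    "Firewalls",
    "Anti-Malware",
    "Systems Management",
    "Account Management",
]

MAX_MATURITY = 3  # constructed scale: 0 = not in place ... 3 = fully implemented


def priority_weights(controls=PROTECTION_CONTROLS):
    """Assumed scheme: the first control weighs len(controls), the last weighs 1."""
    n = len(controls)
    return {name: n - i for i, name in enumerate(controls)}


@dataclass(frozen=True)
class ControlAnswer:
    control: str
    maturity: int


def _validate(answers, weights):
    """Every prioritised control must be answered, on the agreed scale."""
    missing = set(weights) - {a.control for a in answers}
    if missing:
        raise ValueError(f"unanswered controls: {sorted(missing)}")
    for a in answers:
        if a.control not in weights:
            raise ValueError(f"unknown control: {a.control}")
        if not 0 <= a.maturity <= MAX_MATURITY:
            raise ValueError(f"maturity out of range for {a.control}: {a.maturity}")


def protection_score(answers, weights=None):
    """Weighted maturity as a percentage of the weighted maximum."""
    weights = weights or priority_weights()
    _validate(answers, weights)
    achieved = sum(weights[a.control] * a.maturity for a in answers)
    maximum = sum(weights.values()) * MAX_MATURITY
    return 100.0 * achieved / maximum


def investment_priorities(answers, weights=None):
    """Controls with a gap, largest weighted gap first; ties go to the higher-priority control."""
    weights = weights or priority_weights()
    _validate(answers, weights)
    gaps = {a.control: weights[a.control] * (MAX_MATURITY - a.maturity) for a in answers}
    ranked = sorted(gaps.items(), key=lambda kv: (-kv[1], -weights[kv[0]]))
    return [control for control, gap in ranked if gap > 0]


# Constructed sample answers for one applicant.
SAMPLE_ANSWERS = [
    ControlAnswer("Awareness", 1),
    ControlAnswer("Authentication", 2),
    ControlAnswer("Encryption", 3),
    ControlAnswer("Firewalls", 3),
    ControlAnswer("Anti-Malware", 3),
    ControlAnswer("Systems Management", 0),
    ControlAnswer("Account Management", 2),
]

if __name__ == "__main__":
    print(f"protection score: {protection_score(SAMPLE_ANSWERS):.1f}")
    print("invest first in:", investment_priorities(SAMPLE_ANSWERS))
```

Because the weights follow the list order, a partially trained workforce (Awareness at 1 of 3) outranks a completely unmanaged software estate (Systems Management at 0 of 3) in the investment list, which is exactly the effect of treating the human as the weakest link.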

Exposures

When we think of exposures in property, we think of things like natural disasters, fire, floods, theft, etc. So naturally in Cyber COPE™, we need to determine cyber-related exposures and which ones apply to any particular company. However, in order to align with property we need to understand and agree upon the underlying characteristic of a cyber exposure. The primary characteristic is that an exposure generally cannot be controlled. In property, for example, we can try to predict where a hurricane may strike but we have no control over the hurricane itself. In cyber, we can try to predict which company hacktivists may target but we have no control over the hacktivists’ motivation or determination. Since these are more subjective measures, they are presented as simple terms instead of leading questions:

- Handling of Desirable Information - corporate data, customer data
- Targeted Attacks - motivated threat actors
- Non-targeted Attacks - unintentional human errors
- Third Party Resources - outsourcing
- Common Software Vulnerabilities - Java, Flash, Windows
- System/Software Errors - programming errors
- Compliance or Regulatory Requirements - PCI, HIPAA


Let’s briefly take a look at one of these Exposures - Handling of Desirable Information. The first question - is this something that can be controlled? If you store/process millions of credit cards, one could argue that you could outsource this function to a 3rd party processor. However, the company you are insuring is still responsible for protecting that information (i.e., the Exposure still exists). If multiple companies use the same payment processor, the Exposure increases due to risk aggregation - especially for the insurance company.
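The aggregation point in the paragraph above is easy to see on a small portfolio, so the following Python example (added here; it is not Chubb's underwriting logic) sums the policy limits exposed through each third party an insured names and flags providers that concentrate more than a chosen share of the whole book. The portfolio, the limits, the provider names "PayCo", "CloudHost" and "MedBill", and the 25% threshold are all constructed for the example.

```python
"""Risk aggregation through shared third parties (the Exposures point above).

Added illustration, not Chubb's underwriting logic. The portfolio, policy
limits, third-party names and the concentration threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Insured:
    name: str
    policy_limit: int          # constructed figures, in USD
    third_parties: tuple       # providers that store or process the insured's data


def aggregate_by_third_party(portfolio):
    """Policy limit exposed through each third party, and which insureds share it.

    Outsourcing does not remove an insured's exposure, so every insured that
    names a provider is counted against that provider once, even if listed twice.
    """
    agg = defaultdict(lambda: {"limit": 0, "insureds": []})
    for insured in portfolio:
        for provider in sorted(set(insured.third_parties)):
            agg[provider]["limit"] += insured.policy_limit
            agg[provider]["insureds"].append(insured.name)
    return dict(agg)


def concentrations(portfolio, threshold=0.25):
    """Third parties whose aggregated limit exceeds `threshold` of the whole portfolio."""
    total = sum(i.policy_limit for i in portfolio)
    if total == 0:
        return []
    shares = {p: v["limit"] / total for p, v in aggregate_by_third_party(portfolio).items()}
    flagged = [(p, s) for p, s in shares.items() if s > threshold]
    return sorted(flagged, key=lambda ps: -ps[1])


# Constructed portfolio; "PayCo", "CloudHost" and "MedBill" are placeholder names.
SAMPLE_PORTFOLIO = [
    Insured("Acme Retail", 10_000_000, ("PayCo", "CloudHost")),
    Insured("Beta Bank", 25_000_000, ("PayCo",)),
    Insured("Gamma Clinic", 5_000_000, ("MedBill",)),
    Insured("Delta Shop", 10_000_000, ("PayCo", "CloudHost", "PayCo")),  # duplicate on purpose
]

if __name__ == "__main__":
    exposure = aggregate_by_third_party(SAMPLE_PORTFOLIO)
    for provider, share in concentrations(SAMPLE_PORTFOLIO):
        names = ", ".join(exposure[provider]["insureds"])
        print(f"{provider}: {share:.0%} of portfolio limit via {names}")
```

On this constructed book, three of four insureds route card data through the same processor, so 90% of the portfolio limit sits behind one provider even though each insured individually "outsourced" the handling; that is the aggregation the paper warns about, and the per-provider insured list is what an underwriter would use to decide where to cap capacity.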

Sample Implementation of Cyber COPE™

The initial model was leveraged during the development of the Chubb Cyber Facility Insurance Product, which provides up to $100 million of primary capacity, as the basis for the application for insurance. Using the model, Chubb worked with strategic partners to create a question set that provides the necessary data elements to help underwriters assess cyber risk and price accordingly. The model also served as the basis to foster ongoing dialogs with prospective buyers on the topic of cyber risk.

Figure 1 - Sample Pages from Chubb Cyber Facility Assessment


Conclusion

This is just the beginning, and the model is open to innovation, particularly in the Components and Exposures sections. We will be collaborating with industry leaders to help refine these objective measurements with the goal of correlating specific components and exposures to cyber risk. This will not only provide the insurance industry with the data it needs to better predict the frequency and severity of cyber-attacks and risk aggregation, but also allow the insurance industry to share this data with its policyholders in all industries.