What's Your Captive's Cyber-Security Risk Profile?

It's been a while since we wrote about cyber risk, but several recent announcements caused us to reexamine the current environment. To say cyber security continues to be a growing priority for organizations of all sizes is an understatement. The Online Trust Alliance (OTA), an initiative of the Internet Society, concluded in its annual report that "cyber incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017. Since the majority of cyber incidents are never reported, OTA believes the actual number in 2017 could easily exceed 350,000." Which leads us to ask, what is your captive insurer's cyber-security risk profile?

We would wager that, for most captive insurers, the issue of cyber security doesn't receive the attention it deserves at the management and board levels. This generalization may be less true for single-parent captives of large corporations where information technology resources are abundant and focused on cyber risk. However, for most group captives and smaller single-parent captives, cyber-security risk is a real threat, but, unless a problem occurs, it doesn't garner much thought. However, as highlighted in the adoption of cyber-security regulations by the New York Department of Financial Services, regulators are looking more closely at what companies are doing. This means corporations, including captive insurers, need to think about creating a well-conceived strategic plan for cyber security.

In an effort to jump-start this initiative at the captive insurer level, we thought an article on creating a cyber-security risk management framework would be beneficial. There are a number of excellent resources available to captive managers and board members to begin this discussion. For starters, we suggest the following.

• National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity." The original document was recently updated and describes a voluntary risk management framework that consists of standards, guidelines, and best practices to manage cyber-security-related risk.

• Deloitte has an extremely useful checklist, "Assessing Cyber Risk: Critical Questions for the Board and C-Suite." The guide and self-assessment tool is designed to help leaders gauge their cyber maturity, build new cyber-risk understanding, and help answer key questions such as the following.
  • Do we have the right organizational talent?
  • Are we focused on, and investing in, the right things?
  • How do we evaluate the effectiveness of our organization's cyber-risk program?

For those looking for a simple method to begin building a cyber-security risk profile, we'd suggest a five-step analysis originally developed and recommended by CDW-G, a subsidiary of CDW. While somewhat dated (the original analysis appeared back in 2010), the steps are still relevant today and offer captives a reliable road map to begin the process. CDW-G's five-step list below is adapted from the news report titled "5 Steps to Cyber-Security Risk Assessment," in Government Technology from June 24, 2010.

1. Identify Information Assets

Consider the primary types of information that the captive handles (e.g., underwriting data, claims information, Social Security or tax identification numbers, human resources data), and make a priority list of what needs to be protected. As a guide, plan to spend no more than 1 to 2 hours on this step.

2. Locate Information Assets

Identify and list where each item on the information asset list resides within the organization (e.g., the cloud, internal file servers, workstations, laptops, removable media, PDAs and phones, databases).

3. Classify Information Assets

Assign a rating to your information asset list. Consider a 1 to 5 scale, with the following categories.

1. Public information (e.g., marketing campaigns, contact information, finalized financial reports, etc.)
2. Internal, but not secret, information (e.g., phone lists, organizational charts, office policies, etc.)
3. Sensitive internal information (e.g., business plans, strategic initiatives, claims reports, reinsurance agreements, etc.)
4. Compartmentalized internal information (e.g., compensation information, professional vendor agreements, etc.)
5. Regulated information (e.g., patient data, classified information, etc.)

This classification scheme lets your captive rank information assets based on the amount of harm that would be caused if the information was disclosed or altered.

4. Conduct a Threat-Modeling Exercise

Rate the threats that top-rated information assets face. One option is to use Microsoft's STRIDE method, which is fairly simple and covers most of the top threats.

STRIDE:
Spoofing of Identity
Tampering with Data
Repudiation of Transactions
Information Disclosure
Denial of Service
Elevation of Privilege

It is also worth considering using an outside consultant with experience in cyber-risk modeling to facilitate conversation.

After completing the CDW-G method, develop a spreadsheet for each asset, listing the STRIDE categories on the X axis. On the Y axis, list the information asset locations that your organization identified through the CDW-G process in the "locate information assets" step. For each cell, make estimates of the following.

• The probability of this threat actually being carried out against this asset at the location in question
• The impact that a successful exploitation of a weakness would have on the organization

Use a 1 to 10 scale for each item above (e.g., 1 is "not very likely" or "this would not have a large impact"; 10 is "quite probable" or "catastrophic"). Then multiply those two numbers together and fill them into the cells. The spreadsheet should be populated with numbers from 1 to 100. This activity will likely take a full day for smaller organizations and several days for larger ones.

5. Finalize Data and Start Planning

Multiply all the cells in each of the worksheets by the classification rating your organization assigned to the asset during the CDW-G process step " classify information assets." The result is a rational and comprehensive ranking of threats to the organization. The ranking includes both the importance of the assets at stake and a broad spectrum of possible contingencies. A reasonable security plan will start tackling the risks identified with the highest numbers.

Many organizations set thresholds as follows.

1–250: will not focus on threats at this level
250–350: will focus on these threats as time and budget allow
350–450: will address these threats by the end of the next budget year
450–500: will focus immediate attention on these threats

However you choose to begin the process, the need for a cyber-security risk analysis is real. It's better to get ahead of the curve rather than playing catch-up when a problem arises or your domiciliary regulator requires you to provide a report.