Headline writers and producers of “Shark Tank” want us to believe that all new products and ideas come from rising stars and Silicon Valley grads.

While many deserve the attention, we must also look to the explosion of new products, services and capabilities resulting from innovations emerging from disciplines such as marketing, accounting or finance. A compelling product that has risen out of corporate America is the entrée of the insurance industry as a major player in the development and deployment of cyber technology.

Increasing threats of cyber attacks and cyber extortion demand a product or service to protect and mitigate. The pressure is mounting on C-level technology officers (CTOs, CIOs and/or CISOs) — especially since to most CEOs, cyber and cyber security are ethereal concepts involving unknown threats trying to steal unknown assets that can cause unknown damage.

How will corporate America address cyber risk?

It falls in the same line of protection as risk has for generations: insurance.

As with a natural disaster, a company cannot completely avoid a cyber attack; the next best option is to mitigate the impact of an attack. Because the impact of cyber attacks can range from as minor as a picture of an employee doing something embarrassing to as critical as the total draining of the corporate bank accounts, there is no way to effectively prepare for all outcomes. The insurance model, therefore, fits the cyber security challenge very well — and corporate America creates its new product: Cyber insurance.

As Cyber insurance becomes a common element across the business landscape, accountants and actuaries will define the risks and assign financial value to these risks, otherwise known as codification.

This activity is much like how an insurance company determines how much the risk of a weather disaster is to a region of a country, the value of personal property, the likely cost of medical expenses and even the estimated cost of death. With cyber security, first a business risk calculation will be performed, then risks will be identified, then enterprise monitoring will be reviewed, and finally regulatory compliance will be determined.

As the insurance industry codifies cyber risks, they will also assign pricing based on these risks and those activities that mitigate risks. No longer will C-level executives be faced with the ethereal concepts. Costs and expenditures will be defined in monthly premiums, deductibles and other familiar elements of insurance.

Along with the codification process, technology and the accompanying sales process for products will align with these codified insurance elements. In other words, the market will move to the insurance company’s direction.

Technology follows money


For those that think the codification of cyber threats is years away, think again.

In 2014, the Chief Risk Officer’s Forum released a report titled “Cyber resilience – The cyber risk challenge and the role of insurance.” The CRO Forum is a discussion group attended by chief risk officers of major European insurance companies. The report breaks the Cyber market into risk areas and provides a summary statement of what would be covered under each area: business interruption, restoration costs, regulatory defense costs, security and privacy, cyber extortion, intellectual property, data breach and crisis management.

New Cyber products and services are already hitting the market. For example, RiskLens, a software company out of Spokane, Wash., has released a product called Risk Calibrator that provides a quantifiable risk assessment of a business. The tool uses the Factor Analysis of Information Risk industry standard risk model to calculate the quantifiable cost of areas such as business interruption, capital asset replacement, etc.

The insurance industry’s codification of risks will be incorporated into similar tools which will provide the quantifiable risks that companies can use to calculate what type, and how much, Cyber investment is needed for each area.

Carnegie Mellon Software Engineering Institute has developed a CERT Resilience Management Model that provides a maturity model of an organization’s cyber operations. Maturity modeling will allow insurers to assess a company’s cyber capabilities against the calculated financial risk.


Additionally, CISOs are being trained at places such as Carnegie Mellon to take a risk-based approach to Cyber rather than the formal, checklist-driven compliance methodology that has been employed in the past. This risk-based approach aligns with the objectives of the insurance industry.


Fear, uncertainty and doubt … the Cyber sales model

The current sales model for Cyber products and services is to strike fear into senior executives to make a purchase or upgrade to avoid a could-be disaster of a cyber event. This sales model can only last for a limited amount of time. As the insurance industry codifies the market, sales and products will turn to a more quantitative approach.

Currently, the fear model makes it difficult to determine how much to spend on a product to protect against an indeterminate risk. As risks and threats are quantified, it will become evident whether a large-scale enterprise security solution is needed or localized endpoint protection fits the bill. To quote a CISO from Texas, “you don’t put a $100 fence around a $10 horse.”

Expansion of risk with the Internet of Things

The insurance trend mentioned above is based on the current information environment where the loss to a company is primarily in business interruption, personal/financial data release, reputation attacks and similar events.

This will change rapidly as the Internet of Things becomes part of our daily lives. From driverless cars to the control of critical facility systems such as heating and security, the risks jump from the information domain to the physical domain. Risks then include the loss and damage of property and the health and safety of people.

This increased risk will further involve insurance companies in the day-to-day cyber operations of everything from medical devices to home security. A cost of doing business will include protection from cyber attacks that could cause serious harm.

The legal costs


As the quantification of risk becomes more defined, so will the liability calculations. This again will drive technology.

Take, for example, the financial community. The Securities and Exchange Commission released a Risk Alert under the National Exam Program for the Office of Compliance Inspections and Examinations Cybersecurity Initiative. This document describes areas where the OCIE could evaluate companies under the SEC auspices.

A logical legal defense against a hack of a securities company would be that companies that followed this guideline followed commercially reasonable efforts for protecting their environment. Companies will buy technologies that provide the regular reporting requirements to meet this SEC standard.

There will be a growth in technologies that support legal actions from breach notification, from e-discovery to forensics tools that can be used to defend or prosecute companies that have had a breach.

Furthermore, the interpretation of attacks will become a critical item. For example, many insurance policies do not cover “terrorism or acts of war.” If the government says that a cyber-attack could be the action of a foreign state, this could affect the recovery of insurance claims. The combination of the insurance and legal factions into the cyber marketplace will dramatically change the lexicon of how cyber attacks are described and attributed.

Chip Block is vice president of cyber security and infrastructure services company Evolver Inc. Contact him at [email protected].


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.