The changing face of cyber-threats
When thinking about cyber-threats, most people think about a virus developed by a lone hacker trying to access financial information for personal gain. While that scenario is realistic, today's cyber threat has become far more complex and more challenging to identify. Consider that hackers gained entry to Target's customer data via an unsuspecting HVAC supplier.

For infrastructure companies, the danger of a cyberattack is also far more threatening. Imagine the potential damage and loss that could result from a malicious attack targeting water management, energy or gas production facilities. In such circumstances, insurance generally covers equipment damage resulting from the cyber event, but there is a host of other financial consequences following an attack.

It's these potential catastrophic scenarios that are forcing infrastructure businesses to take a closer look at their security profiles in order to make informed risk-management decisions.

This is where cybersecurity insurance can help infrastructure companies identify and reduce their risk exposure, while reducing their own potential for financial burden. In the course of policy development, underwriters must assess a potential insured's risk. Traditionally, this process is limited to a questionnaire completed over the phone. The data gathered is not validated, nor is there any third-party evaluation. This process is simply insufficient to properly assess a company's risk profile.

When assessing cyber-risk, insurers must consider every possible avenue of exposure. Security is neither a single act, nor a vendor sensor; it is a collection of activities that harmonizes corporate investments in people, technology and process. This perspective guides the holistic assessment methodology, as well as the domains that must be evaluated for risk: insider threat, data security, mobility and physical security, and internal and external business processes. The maturity of existing security policy, procedure and governance is assessed, and organizational resources are prioritized based on the severity of vulnerabilities identified across the multiple threat vectors.

The value of holistic enterprise risk assessment
Leveraging enterprise security risk assessment methods, cybersecurity insurers can gain a realistic understanding of a potential insured's holistic risk posture. For critical infrastructure companies, this offers a two-fold benefit by highlighting necessary business investments made in the public interest, while also generating information about high value security investments that are aligned with real business decisions. Herein lies actionable intelligence that supports infrastructure companies' needs to balance their investments to both meet market demands and also reduce risk.

These benefits extend to existing policy holders, as well. For example, enterprises can use an annual policy stipend toward holistic security assessments that provide actionable intelligence to assist in the enhancement of their security awareness and preparation. Further, the insured can benefit from improved decision-making on resource allocation against high-risk areas, thereby maximizing the value of existing security investments and reducing risk exposure. Combined, this can reduce the probability of future loss and ensure that the policy holder's value is preserved.

For critical infrastructure companies, holistic assessments illustrate the capabilities and limits of their security mechanisms, facilitate their selection of appropriate insurance coverage relative to their customized risk profiles, and recommend investments in additional controls where the return on investment is warranted, such as transitioning from a lower maturity level to a higher one in a priority area. 

With Executive Order 13636, it has become incumbent on all public and private organizations to proactively share and defend U.S. critical infrastructure from potential cyber-threats. In this vein, insurance providers are in a unique position to play a role in helping to protect critical assets by engaging in holistic risk assessments that enable risk-informed decisions by their clients with regard to their risk tolerance.

Related: "The Status of Data Breach Notification Laws in the United States."

As the patchwork of traditional insurance coverage is transitioning to exclude "cyber" from existing property & casualty, errors & omissions, professional and privacy liability policies, presenting a holistic security assessment is central to establishing stronger proportional links between insurance premiums and customers' validated security profiles.