Thursday, March 26, 2020

The Cyber Insurance Incentive

I stumbled upon a blog (I wish I could find it again) that talked about Marsh's Cyber Catalyst program. Somehow I am late to the game, and today is the first time I have heard about it. The Cyber Catalyst program is designed to help cyber insurance providers by giving them a baseline security posture for the insured. The premise is that if a company has implemented a solution from 1 of 17 vendors as of the 2019 list, they will have to pay a lower premium because in theory they should be operating more securely.

According to Marsh, the insurers that participate in this program evaluated the submitted solutions against the following criteria:

  • Reduction of cyber risk: demonstrated ability to address major enterprise cyber risk such as data breach, theft or corruption; business interruption; or cyber extortion.
  • Key performance metrics: demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events.
  • Viability: client-use cases and successful implementation.
  • Efficiency: demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk.
  • Flexibility: broad applicability to a range of companies/industries.
  • Differentiation: distinguishing features and characteristics.

It's easy to criticize this approach. Below are the problems that immediately come to mind:

  • It can be seen as a system that's designed to push companies into buying certain products.
  • Insurer evaluations of products were not readily transparent.
  • Merely owning a product does not mean you are more secure (poor implementation, management, etc.).
  • Vendor solutions selected can often be beyond the price point of smaller organizations.

But I have to give props where it's due. The premise is great. All things being equal, it does take a step in the right direction of battling information asymmetry between the insurers and the insured. Not fully understanding risk is the principal problem when it comes to finding the right balance between insurers knowing the risk they are taking on and the insured knowing what coverage to select. I also applaud that they are attempting to make these decisions quantitatively and with input from various sources.

My main issue with the premise is that I don't believe the vendors selected for this list will be attainable for all, once again pushing security into the realms of the haves and have-nots. Also, the implementation of these solutions will be all over the map, leading to a potential false sense of security. What I think should be pushed for is a focus on people and processes. These will be the foundation for higher degrees of confidence that organizations are operating securely as well as implementing their tooling correctly.

Effective policy and procedures grow the tent by enabling organizations to use any vendor of their own choice to accomplish capabilities similar to those of the vendors on the Marsh list.

In any systems engineering process, there are many steps before vendor evaluation and selection. The Marsh list seems to skip many of those by implying that if you have 1 of 17, you are immediately more secure. I contend that before anything else, insurers need to relay to their clients that a formalized and properly implemented security policy will have a far more reaching impact than any product. Insurers should quantifiably measure what internal security operations have the most impact in limiting attack surface. This is what they should be pushing for premium discounts. And this is what can be applied to every organization of every type.

Give a man a security product and he may be secure for a moment? Teach a man how to be secure, and he'll be secure for a lifetime? Hmmm... I don't know, I'll work it.
