Where does Phishing Simulation fit into Cyber Risk Insurance?

An analysis of insurance modelling and how to lower your premiums

Sebastian Salla February 11, 2022

TL;DR: Phishing Simulations can be used to demonstrate the cyber readiness of your people and processes to insurers.

Cyber Risk Insurance is a growing topic of discussion among executives at businesses of all sizes. It’s not difficult to understand why... we’re living through a time when ransomware is a threat that every business must include in its threat model. Beyond ransomware, there is a multitude of political, economic or ideological reasons your business may end up in the crosshairs of a threat actor.

On the flip side, insurers are raising Cyber Risk Insurance premiums year on year. Understanding the cyber readiness of a business is a difficult task that spans all of the people, processes and technologies the business adopts. Through my own research of insurers, insurance brokers and their clients, it appears that the Cyber Risk Insurance market is contracting at a time when demand is soaring.

A market contraction while demand is soaring?

It seems paradoxical, but an insurer can only write a policy it can price, and when it cannot price the risk with confidence it either declines the cover or prices it defensively. That is how a market can shrink while demand grows. Pricing risk is driven by a variety of metrics, but two key inputs to the equation are historical loss amounts (across the industry) and the current state of cyber readiness (of the requesting business).

Historical Loss Amounts

Using historical data on loss amounts across geographic regions, industry verticals and business sizes, an insurer can calculate the average loss expectancy of a cyber intrusion for a business like yours. Data over multiple years can then be used to project what that average loss expectancy may be 1, 2 or 5 years from now.

Current State of Cyber Readiness

This is arguably the hardest part for insurers. How can an insurer determine whether your business is resilient against cyber-related threats? There is no short answer. Insurers need technical guidance from domain experts along with a continuous feed of analytical data to make an assessment. That data may relate to vulnerabilities, compliance failures or attempted intrusions, but the most important metric is whether your employees are resilient. Do they know what a phishing email or website looks like? Are they prone to drive-by download attacks? What action do they take if they fall victim to an attack? Do they report it? These are all questions an insurer will ask… and they won’t just take your word for it. You need proof of how you track, and continuously improve upon, phish click rates and report rates within your business.

Using Phishing Simulations to lower Insurance Premium

Cyber Risk Insurers love the analytics that phishing simulation platforms provide. It’s easy to understand why… vulnerability, compliance and runtime data are only meaningful in context. For example, it's difficult to understand the true impact of a vulnerability without the context behind it. Is it rated critical? Is it on a public-facing system? Does it have a network-based attack vector? Does it provide remote code execution? If you can answer all of these questions, you're equipped to respond to that specific vulnerability. But what if your organisation is continually managing dozens, hundreds or thousands of vulnerabilities and compliance issues?

Simply put, an insurer will always struggle to judge your cyber readiness from vulnerability, compliance or runtime protection data alone. Phishing simulation statistics provide actionable evidence of what percentage of your employees have a security-focused mindset, and given that phishing is consistently reported as one of the most common initial access vectors in breaches, this is an extremely relevant metric for insurers.

If your organisation can proactively show that it runs regular phishing simulation exercises, that record is evidence that your security awareness training program is effective and is being continuously validated and improved. Ultimately, this puts your organisation in a favourable position when negotiating cyber risk insurance premiums.
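The kind of evidence the last few paragraphs describe (click rate and report rate per campaign, time to report, a trend across campaigns, and which teams still need training) is easy to derive from any simulation platform's export. The script below is an added example written for this article, not code from CanIPhish or from its platform. The record layout (one row per targeted user per campaign with optional click and report timestamps), the campaign names, and the users and departments are all assumptions, and the sample rows are constructed to show three quarters of improvement.

```python
"""Phishing-simulation metrics of the kind an insurer asks for.

Added example, not CanIPhish platform code. The record layout below is an
assumption; real exports differ, so adapt the loader, not the metrics.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Result:
    campaign: str                        # campaign name (assumed naming scheme)
    user: str
    department: str
    sent_at: datetime
    clicked_at: datetime | None = None   # None: the user did not click the lure
    reported_at: datetime | None = None  # None: the user did not report the email


def _campaigns_in_order(results: list[Result]):
    """Group rows by campaign, oldest campaign first."""
    groups: dict[str, list[Result]] = {}
    for r in results:
        groups.setdefault(r.campaign, []).append(r)
    return sorted(groups.items(), key=lambda kv: min(r.sent_at for r in kv[1]))


def campaign_metrics(results: list[Result]) -> dict[str, dict[str, float]]:
    """Per-campaign click rate, report rate and median minutes-to-report.

    A user who clicks and then reports counts on both sides: the click is a
    failure, the report is still a detection, and how fast reports arrive is
    what bounds an attacker's window, so time-to-report is its own figure.
    """
    metrics: dict[str, dict[str, float]] = {}
    for name, rows in _campaigns_in_order(results):
        n = len(rows)
        clicks = sum(1 for r in rows if r.clicked_at is not None)
        minutes_to_report = [
            (r.reported_at - r.sent_at) / timedelta(minutes=1)
            for r in rows if r.reported_at is not None
        ]
        metrics[name] = {
            "targets": n,
            "click_rate": round(clicks / n, 3),
            "report_rate": round(len(minutes_to_report) / n, 3),
            # NaN rather than 0 when nobody reported: "no data" is not "instant".
            "median_minutes_to_report": round(median(minutes_to_report), 1)
            if minutes_to_report else float("nan"),
        }
    return metrics


def sustained_improvement(metrics: dict[str, dict[str, float]], window: int = 3) -> bool:
    """True only if click rate never rose and report rate never fell across the
    last `window` campaigns. One good quarter is not a trend, and one metric
    improving while the other regresses is not a trend either."""
    names = list(metrics)[-window:]  # metrics is built in chronological order
    if len(names) < window:
        return False
    return all(
        metrics[b]["click_rate"] <= metrics[a]["click_rate"]
        and metrics[b]["report_rate"] >= metrics[a]["report_rate"]
        for a, b in zip(names, names[1:])
    )


def click_rate_by_department(results: list[Result]) -> dict[str, float]:
    """Cumulative click rate per department, highest first: where to aim training."""
    sent: dict[str, int] = {}
    clicked: dict[str, int] = {}
    for r in results:
        sent[r.department] = sent.get(r.department, 0) + 1
        if r.clicked_at is not None:
            clicked[r.department] = clicked.get(r.department, 0) + 1
    rates = {d: round(clicked.get(d, 0) / n, 3) for d, n in sent.items()}
    return dict(sorted(rates.items(), key=lambda kv: kv[1], reverse=True))


T = datetime.fromisoformat  # "YYYY-MM-DD HH:MM"

# Constructed sample: three quarterly campaigns against the same five users.
SAMPLE: list[Result] = [
    Result("2021-Q3", "alice", "finance", T("2021-08-02 09:00"), clicked_at=T("2021-08-02 09:04")),
    Result("2021-Q3", "bob", "finance", T("2021-08-02 09:00"), clicked_at=T("2021-08-02 09:10"), reported_at=T("2021-08-02 09:30")),
    Result("2021-Q3", "carol", "engineering", T("2021-08-02 09:00"), reported_at=T("2021-08-02 09:03")),
    Result("2021-Q3", "dave", "sales", T("2021-08-02 09:00"), clicked_at=T("2021-08-02 09:20")),
    Result("2021-Q3", "erin", "sales", T("2021-08-02 09:00"), clicked_at=T("2021-08-02 09:45")),
    Result("2021-Q4", "alice", "finance", T("2021-11-01 10:00"), clicked_at=T("2021-11-01 10:05"), reported_at=T("2021-11-01 10:15")),
    Result("2021-Q4", "bob", "finance", T("2021-11-01 10:00"), reported_at=T("2021-11-01 10:02")),
    Result("2021-Q4", "carol", "engineering", T("2021-11-01 10:00"), reported_at=T("2021-11-01 10:01")),
    Result("2021-Q4", "dave", "sales", T("2021-11-01 10:00"), clicked_at=T("2021-11-01 10:30")),
    Result("2021-Q4", "erin", "sales", T("2021-11-01 10:00")),
    Result("2022-Q1", "alice", "finance", T("2022-02-07 08:30"), reported_at=T("2022-02-07 08:35")),
    Result("2022-Q1", "bob", "finance", T("2022-02-07 08:30"), reported_at=T("2022-02-07 08:33")),
    Result("2022-Q1", "carol", "engineering", T("2022-02-07 08:30"), reported_at=T("2022-02-07 08:31")),
    Result("2022-Q1", "dave", "sales", T("2022-02-07 08:30"), clicked_at=T("2022-02-07 08:45"), reported_at=T("2022-02-07 09:00")),
    Result("2022-Q1", "erin", "sales", T("2022-02-07 08:30"), reported_at=T("2022-02-07 08:50")),
]

if __name__ == "__main__":
    m = campaign_metrics(SAMPLE)
    for name, row in m.items():
        print(name, row)
    print("sustained improvement:", sustained_improvement(m))
    print("click rate by department:", click_rate_by_department(SAMPLE))
```

Two design choices matter for how an insurer reads the output. Report rate is tracked separately from click rate because a workforce that clicks rarely but never reports gives the security team no signal when a real lure gets through, and median time-to-report is reported as NaN rather than zero when nobody reported, so an empty quarter is not mistaken for a perfect one. The trend check deliberately demands improvement on both metrics across every consecutive pair of campaigns; a single good quarter, or a lower click rate bought at the cost of fewer reports, does not count.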

Wrapping up

Phishing simulation and related security analytics give insurers visibility into the effectiveness of your organisation’s cyber threat readiness. That visibility isn’t a point-in-time assessment… insurers typically require regular control validation, and it is essential if a premium is to be maintained over the policy’s lifetime.

By utilising the free phishing simulation platform provided by CanIPhish, you can provide evidence to insurers that your organisation is actively addressing and hardening your largest attack surface - your employees. If you have any questions, please don’t hesitate to contact the team at CanIPhish.

Written by

Sebastian Salla

A Security Professional who loves all things related to Cloud and Email Security.