Why a Cyber Risk Framework is Essential for Modern Businesses
In our rapidly evolving digital landscape, the increasing reliance on technology has undeniably transformed the way organizations operate and communicate. While these technological advancements bring numerous benefits, they also expose entities to a myriad of cyber threats, ranging from data breaches to sophisticated cyber attacks. In light of this pervasive and ever-growing risk, the establishment and implementation of a robust cyber risk framework is imperative for organizations of all sizes and industries.
A well-defined cyber risk framework not only serves as a proactive defense mechanism against potential threats but also provides a structured approach for identifying, assessing, and mitigating cyber risks. By integrating comprehensive cybersecurity measures, organizations can safeguard their sensitive information, maintain the trust of stakeholders, and ensure the continuity of operations in an era where the stakes of cyber threats have never been higher.
Cyber Risk vs. Cybersecurity, and Why a Cyber Risk Framework?
Cybersecurity risk refers to any risk of damage, financial loss, disruption, or reputational harm to an organization from some sort of failure of its digital infrastructure or information systems due to malicious activity. Cybersecurity is the practice of protecting the digital footprint of an organization, its computers, networks, and data from theft, damage, loss, or unauthorized access. Cowbell has been studying, analyzing and leveraging AI to manage these types of risks since we were founded.
Cyber risk is broader than cybersecurity. For example, if two organizations apply the same security practices, a retail business is by nature typically riskier than a farm, and a healthcare facility is more at risk of cyberattacks than a plant nursery. The nature of a business makes it more or less attractive to bad actors regardless of its security practices, and this affects the insurability of the business. Similarly, car insurance premiums change with zip code regardless of the type of car and driver.
Cybersecurity frameworks adapt to capture the security posture of an organization. However, they do not capture the likelihood of cyberattacks based on how attractive a business is to bad actors. Cowbell developed its proprietary Cyber Risk Framework to translate security controls into a unified risk framework. A unified framework also provides flexibility to rapidly evolve Cowbell’s risk assessment approach to reflect changes in the cyber threat landscape. Below are some examples of cybersecurity frameworks:
- NIST CSF: The [U.S.] National Institute of Standards and Technology Cyber Security Framework helps organizations better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications amongst internal and external organizational stakeholders.
- PCI DSS: The Payment Card Industry Data Security Standard is an information security standard for handling credit cards from major card brands. Mandated by the most prominent card brands, PCI DSS is a global standard and one of the oldest industry security standards with detailed and prescriptive controls.
- CIS: Consolidating earlier initiatives from the SANS Institute (the SANS Top 20), the Center for Internet Security is a nonprofit organization that publishes prioritized safeguards and controls to mitigate the most prevalent cyberattacks against today’s systems and networks. CIS also publishes the CIS Benchmarks, a set of prescriptive controls for many major platforms and environments that organizations can deploy and use to benchmark their security posture against best practices for those environments.
- ISO/IEC 27001: The standard known and used worldwide for information security management systems (ISMS). It provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.
- ISA/IEC 62443: An international series of standards that address cybersecurity for operational technology in automation and control systems. 62443 is used primarily in manufacturing, in operational networks such as water, gas and electricity distribution, and in transportation networks such as railroad or traffic light systems.
- COBIT: The Control Objectives for Information and Related Technologies framework is an IT governance framework created by ISACA for information technology management and IT governance. While COBIT is focused on IT, it touches on many aspects of best practices for security and privacy.
- MITRE ATT&CK®: A knowledge base of cyber adversaries’ tactics and techniques that also shows how to detect or stop attacks, providing a common language for defenders such as security vendors to have conversations about developing effective defensive strategies.
- CAPEC: The Common Attack Pattern Enumeration and Classification (CAPEC) is a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
Note that the above frameworks are in constant evolution (for example, NIST is in the review process for version 2.0 of its framework). Cowbell prides itself on providing input to these organizations to further the use of the frameworks by SMEs, and on its dedication to helping shape and inform industry best practices.
Cowbell Cyber Risk Frameworks by the Numbers
A framework to identify and quantify cyber risk
One common saying in the cybersecurity industry is that the past cannot be used to predict the future. This is a crucial difference between cyber insurance and other lines of business, but it should not stop the cyber insurance industry from building models that allow for the best identification and quantification of cyber risks, which in turn allows the market to sustain profitable growth. MunichRe estimates that the cyber insurance market will reach $33.5 billion by 2027 (MunichRe: Cyber insurance: Risks and trends 2023).
Cowbell Cyber Risk Framework (CCRF) identifies, collects, and quantifies cyber risks and exposures. The framework applies to small and medium-sized enterprises (SMEs) with revenue up to $1 billion across any industry. This comprehensive framework incorporates security controls from well-established privacy and security industry standards. Cowbell translates those into a unified risk framework and adds Cowbell’s proprietary controls where appropriate for the specificity of the SME market and for the specialized use case of cyber insurance. The output of CCRF is a model that can be applied to all accounts to evaluate their insurability on a continuous basis and support core underwriting processes, namely risk selection and pricing. The framework guides policyholders to prioritize controls to improve their cyber risk profile.
Combining the Best of Existing Cybersecurity Frameworks for Cyber Risk
CCRF was built with existing security frameworks in mind, as many have been deployed successfully. Many organizations are also familiar with these frameworks and are starting to or have fully deployed them, which significantly streamlines the collection of insights for Cowbell.
A large part of the challenge is the number of frameworks that exist and how to adapt practices that are personalized for a specific company or industry segment.
CCRF unifies these frameworks and normalizes risk to drive consistent insurance underwriting decisions and provide robust coverage. Cowbell has blended the security controls from NIST, ISO, COBIT 5, PCI DSS, CIS, and ISA with its own custom controls. Cowbell then collects data and risk signals to evaluate an organization against the blended controls.
Figure 1: Cybersecurity Frameworks and Standards contributing to Cowbell Cyber Risk Framework (CCRF)
CCRF consists of a set of questions or controls, each identified by a CRF_ID and mapped to the corresponding security controls of the various frameworks, so that responses already provided under any framework in use can be identified and reused.
Finally, CCRF goes beyond security controls to account, for example, for risks and exposures specific to or prevalent in each class of business. Along with claims frequency and severity statistics, this contributes to building a security assessment into a cyber risk evaluation.
Mapping between data sources, CCRF controls, and Cowbell Factors
The 1,600 CCRF controls that result from combining all the cybersecurity frameworks mentioned above are each mapped to one or several Cowbell Factors, using a model in which every control makes a weighted contribution to the calculation of each Cowbell Factor. Altogether, the set of Cowbell Factors defines an organization’s cyber risk profile. See the illustration below.
Figure 2: Mapping of CCRF controls to Cowbell Factors
Similarly, each data source is mapped to one or more CCRF controls with a weighted contribution that is adjusted as needed; combined with the mapping above, this translates ingested risk signals into Cowbell Factors.
Up to 2,000 data points and risk signals are used to compile Cowbell Factors. All risk signals from the various data sources are processed and normalized using machine learning algorithms.
Ingested data comes to Cowbell in multiple formats and at different levels of aggregation. Machine learning and AI algorithms are applied to funnel the data from its raw form to CCRF and then to Cowbell Factors, as the figure below shows.
Figure 3: Ingested data are processed through CCRF controls and mapped to Cowbell Factors
Finally, because not all data sources supply data at the same time or at the same frequency, Cowbell Factors are compiled continuously, with a recompilation triggered by:
- The ingestion of new data from the sources in bulk
- The addition of new risks (accounts)
- The live requests from underwriters to re-assess a specific risk
- The addition of new data sources into the model.
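The two-stage weighted mapping described above (data-source signals to CCRF controls, then controls to Cowbell Factors) can be made concrete with a small model. The following is an added illustration written for this page, not Cowbell's code: the signal names, control IDs (CRF_0101 and so on), factor names, weights and sample values are all constructed. It also shows the recompilation step: a control that no data source has informed yet is reported as a gap rather than scored as a failure, and ingesting a new scan result recomputes the affected factors.

```python
"""Hypothetical two-stage weighted mapping of ingested risk signals to CCRF-style
controls and then to risk factors. Weights, control IDs, factor names and the
signal values are all constructed for this illustration; they are not Cowbell's
actual CCRF mappings or data."""
from collections import defaultdict

# Stage 1: which controls each data-source signal informs, and with what weight.
# A single signal may contribute to several controls (an exposed RDP port speaks
# to both perimeter filtering and remote-access hardening).
SIGNAL_TO_CONTROL = {
    "ext_scan.tls_min_version": {"CRF_0101": 1.0},
    "ext_scan.rdp_exposed": {"CRF_0102": 1.0, "CRF_0201": 0.5},
    "questionnaire.mfa_enabled": {"CRF_0201": 1.0},
    "questionnaire.backup_restore_tested": {"CRF_0301": 1.0},
    "edr_connector.endpoint_coverage": {"CRF_0401": 1.0},
}

# Stage 2: which factor(s) each control feeds, and the control's weight there.
CONTROL_TO_FACTOR = {
    "CRF_0101": {"network_security": 1.0},
    "CRF_0102": {"network_security": 2.0},
    "CRF_0201": {"identity_access": 1.5},
    "CRF_0301": {"resilience": 1.0},
    "CRF_0401": {"endpoint_security": 1.0},
    "CRF_0501": {"resilience": 1.0},  # no data source feeds this control yet
}

# Constructed sample signals, already normalised to [0, 1] (1.0 = control fully met).
SAMPLE_SIGNALS = {
    "ext_scan.tls_min_version": 0.4,  # legacy TLS versions still offered
    "ext_scan.rdp_exposed": 0.0,  # RDP reachable from the internet
    "questionnaire.mfa_enabled": 1.0,
    "questionnaire.backup_restore_tested": 0.5,
    "edr_connector.endpoint_coverage": 0.8,
}


def weighted_mean(contributions):
    """contributions: list of (value, weight). Returns None if nothing contributed."""
    total_weight = sum(w for _, w in contributions)
    if total_weight == 0:
        return None
    return sum(v * w for v, w in contributions) / total_weight


def score_controls(signals, signal_to_control=SIGNAL_TO_CONTROL):
    """Stage 1: aggregate ingested signals into a per-control score."""
    contributions = defaultdict(list)
    for signal, value in signals.items():
        for control, weight in signal_to_control.get(signal, {}).items():
            contributions[control].append((value, weight))
    return {c: weighted_mean(v) for c, v in contributions.items()}


def score_factors(control_scores, control_to_factor=CONTROL_TO_FACTOR):
    """Stage 2: aggregate control scores into factor scores. Controls with no
    data are left out rather than counted as failures, so a factor reflects only
    the evidence actually ingested so far."""
    contributions = defaultdict(list)
    for control, score in control_scores.items():
        if score is None:
            continue
        for factor, weight in control_to_factor.get(control, {}).items():
            contributions[factor].append((score, weight))
    return {f: weighted_mean(v) for f, v in contributions.items()}


def unscored_controls(control_scores, control_to_factor=CONTROL_TO_FACTOR):
    """Controls in the framework that no ingested signal has informed."""
    return sorted(c for c in control_to_factor if c not in control_scores)


def compile_factors(signals):
    """Full pipeline; re-run whenever new data arrives or a re-assessment is requested."""
    controls = score_controls(signals)
    return score_factors(controls), unscored_controls(controls)


if __name__ == "__main__":
    factors, gaps = compile_factors(SAMPLE_SIGNALS)
    print("factors:", factors)  # network_security is low, dragged down by exposed RDP
    print("controls lacking data:", gaps)
    # New scan ingested: RDP no longer exposed, so the affected factors are recompiled.
    updated = {**SAMPLE_SIGNALS, "ext_scan.rdp_exposed": 1.0}
    print("after re-scan:", compile_factors(updated)[0])
```

The design point is that the two mapping tables are data, not code: adding a data source, a control or a factor, or reweighting a contribution, means editing a table and recompiling, which is what allows a framework of this kind to be reconfigured centrally as the threat landscape changes.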
Other Key Aspects of the Framework
Technology Vulnerabilities and their Prioritization
The cybersecurity sector continuously debates how to prioritize vulnerabilities and what to patch first, with upwards of 500 new CVEs reported weekly. Patching every vulnerability has been described by many organizations as a “mission impossible.” The good news is that not all vulnerabilities are created equal. Some affect niche software products or equipment and will impact only a small account population; others relate to broadly deployed software tools and can potentially generate cyber events for a large population.
A vulnerability alone is also not sufficient for a cyber incident to occur: there must be a known path for actors to take advantage of the vulnerability and mount a cyberattack. This is commonly referred to as an “exploit,” and the industry has developed various models to help organizations prioritize which vulnerabilities to fix. The most common are CVSS, EPSS, and the KEV catalog. Cowbell blends all three in prioritizing vulnerabilities for its policyholders; the result feeds directly into Cowbell Spotlight and provides policyholders with a recommendation for action. See below for examples of vulnerability reporting and classifications.
Vulnerability reporting and classifications
- CVE: CVE stands for Common Vulnerabilities and Exposures. It also refers to the database of known vulnerabilities and exposures.
- Exploit: An exploit is a program or code designed to find and take advantage of a security flaw or vulnerability in an application or computer system, typically for malicious purposes such as installing malware. An exploit is not malware but rather a method cybercriminals use to deliver malware.
- CVSS: The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is owned and managed by FIRST.Org, Inc., a US-based non-profit organization whose mission is to help incident response teams worldwide. The official CVSS documentation can be found at https://www.first.org/cvss/
- EPSS: The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The goal is to assist network defenders in prioritizing vulnerability remediation efforts better.
- KEV catalog: CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerabilities (KEV) catalog.
More than half of cyber incidents in 2022 and 2023 to date have leveraged some form of vulnerability (CVE). In the SME market, we encounter many organizations with no resources allocated to patching. Cowbell monitors reported vulnerabilities and helps with remediation. Cowbell’s Threat Intelligence team reviews all sources of vulnerability and malicious-activity information daily, and uses a combination of CVSS, EPSS, and its knowledge of Cowbell’s book of business to decide which vulnerabilities warrant an alert to the policyholders that use the affected product.
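To show how the three signals named above (CVSS severity, EPSS exploitation likelihood, KEV membership) and knowledge of the book of business can be blended into a triage decision, here is an added example written for this page. It is not Cowbell's prioritization model: the thresholds, the severity-times-likelihood blend, the tier rules, the CVE identifiers (placeholders, not real CVEs) and the exposed-account counts are all constructed. It does capture the two behaviours the text describes: a KEV-listed flaw is alerted on even with a modest CVSS score, and a severe flaw that affects no account in the portfolio generates no alert.

```python
"""Hypothetical vulnerability triage blending CVSS (severity), EPSS (exploitation
likelihood) and CISA KEV membership (confirmed exploitation) with the number of
exposed accounts. Thresholds, blend, tier rules and records are constructed for
this page and do not represent Cowbell's actual prioritisation model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str            # placeholder IDs are used below, not real CVEs
    cvss: float            # CVSS base score, 0.0 to 10.0
    epss: float            # EPSS probability of exploitation in the next 30 days
    in_kev: bool           # listed in the CISA KEV catalog
    exposed_accounts: int  # constructed: accounts running the affected product


TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "no-alert": 3}


def blended_score(v):
    """Severity x likelihood in [0, 1]. KEV membership means exploitation has been
    observed, so likelihood is pinned to 1.0 instead of the EPSS estimate."""
    severity = max(0.0, min(v.cvss, 10.0)) / 10.0
    likelihood = 1.0 if v.in_kev else max(0.0, min(v.epss, 1.0))
    return severity * likelihood


def priority_tier(v, epss_threshold=0.10, cvss_threshold=7.0):
    """Assign an alert tier. With no exposed accounts there is nobody to alert,
    however severe the flaw; KEV membership alone is enough for the top tier."""
    if v.exposed_accounts <= 0:
        return "no-alert"
    high_severity = v.cvss >= cvss_threshold
    likely_exploited = v.epss >= epss_threshold
    if v.in_kev or (high_severity and likely_exploited):
        return "P1"
    if high_severity or likely_exploited:
        return "P2"
    return "P3"


def triage(records):
    """Order records for action: by tier, then by blended score descending."""
    rows = [
        {
            "cve_id": r.cve_id,
            "tier": priority_tier(r),
            "score": blended_score(r),
            "exposed_accounts": r.exposed_accounts,
        }
        for r in records
    ]
    rows.sort(key=lambda row: (TIER_ORDER[row["tier"]], -row["score"]))
    return rows


# Constructed sample feed (placeholder CVE IDs, made-up scores and counts).
SAMPLE_RECORDS = [
    VulnRecord("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False, exposed_accounts=1200),
    VulnRecord("CVE-0000-0002", cvss=7.5, epss=0.90, in_kev=True, exposed_accounts=300),
    VulnRecord("CVE-0000-0003", cvss=6.5, epss=0.001, in_kev=False, exposed_accounts=5000),
    VulnRecord("CVE-0000-0004", cvss=10.0, epss=0.60, in_kev=False, exposed_accounts=0),
    VulnRecord("CVE-0000-0005", cvss=5.0, epss=0.30, in_kev=False, exposed_accounts=40),
]


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(f'{row["tier"]:<9} {row["cve_id"]}  score={row["score"]:.4f}  '
              f'exposed={row["exposed_accounts"]}')
```

Note the ordering within the P2 tier: the medium-severity flaw with a high EPSS probability ranks above the critical-severity flaw whose EPSS is low, which is the kind of reordering that CVSS alone cannot produce. The exposed-account count gates the alert but does not feed the score; in a real pipeline it would come from the same asset and product inventory that drives the control mappings.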
All impacted policyholders can benefit from Cowbell’s Risk Engineering team’s services to first evaluate whether they are exposed to the vulnerability and, second, what to do about it. In most cases, if not all, the remediation is to patch and upgrade to the latest version of the impacted software product.
Spotlight has been instrumental in responding to major cyber events such as Log4j in 2022. Spotlight enabled Cowbell to respond to Log4j in a matter of hours. To date, no policyholder has been impacted by the vulnerability.
The Benefits of CCRF
The Cyber Risk Framework enables Cowbell to evaluate every risk submitted for coverage in a consistent, unbiased manner, relying on data instead of unverifiable answers to a static and limited questionnaire and helps to protect policyholders against new and emerging threats. Key benefits are outlined below.
- Immediate and continuous risk assessment: real-time assessment of risk and vulnerabilities;
- Underwriting efficiencies and accuracy: all information used by Cowbell underwriters is available in one central location and a consistent format across all risks underwritten;
- Common cyber risk language: the framework becomes one proxy for all stakeholders, internal and external to Cowbell, to talk about risks in standardized terminology;
- Cyber threat trends and predictability: with cyber risk assessed for millions of SMEs, Cowbell can apply predictive models to the risk pool to monitor for new threats;
- Policyholders can take proactive control of their organization’s cyber risk profile: besides Cowbell Factors, the framework supports the creation of Cowbell Insights, which are individual to each account and published with recommendations on how to mitigate the identified security weaknesses;
- Cowbell can rapidly respond to market changes: Cowbell can evolve its model quickly as new threats emerge, because all aspects of its risk framework leading to Cowbell Factors and risk assessment are codified in the Cowbell Platform, are re-configurable centrally, and can be operationalized immediately;
- Monitoring the risk portfolio for current and future threats: unlike data collected once during underwriting, Cowbell continuously re-evaluates and monitors individual risks and its entire portfolio to identify gaps between committed coverage and covered risks.
Evolving CCRF to Address Future Threats
The world of cyber is not static, which is why Cowbell continuously improves its model with new adjustments, including:
- The addition of new security controls from other frameworks and standards;
- The addition of custom Cowbell Security Controls;
- The acquisition of new data through a variety of sources: third-party vendors, upgraded Cowbell’s proprietary scanners, additional connectors to security and technology vendors;
- The added documentation of attack patterns and their remediations;
- The need to add new Categories or subcategories based on requirements, technology innovations, and learnings. For example, the rapid emergence of AI in many businesses is changing many aspects of cybersecurity and privacy;
- The adjustment of the mapping between the security controls and Cowbell Factors.
As technology continues to rapidly advance and we see new threats emerge with the widespread deployment of AI, Cowbell remains committed to continuous innovation and adaptation. Our engineering team continues to improve our platform to better serve our policyholders, providing the insights and recommendations they need to mitigate risk. As more and more businesses interact online, a cyber risk framework is imperative for building a long-term sustainable business.