Two years ago, I had the great fortune to be seated at a dinner next to an expert in cyber security insurance. Setting aside all good manners, I ignored the others at our table, pulled out a pencil and small pad, and basically did an interview. I knew this social gaffe was necessary, mind you, because despite my expertise in packets and firewalls, I barely knew the difference between a broker and an agent. I needed to fix this - which I did.
And so began my investigation into the field of cyber insurance, which has since resulted in my contrarian observation that the industry has grown primarily because CISOs don't have to pay the premiums. That is, I've made the assertion that once CISOs begin footing the bill, policy purchases will wane. Now look, regardless of whether you accept my claim (ahem), I think we can all agree that for whatever reason, the cyber insurance industry is growing - and fast.
One issue that I completely missed in my research, however, is the enormous growth the industry is seeing in policies for so-called micro-business. According to Wikipedia, that means companies - like my own - with roughly a single-digit number of employees. These companies apparently account for most breaches and, according to Kaspersky Labs, spend tens of thousands dealing with the aftermath. (That number sounds high, but directionally accurate.)
For macro-business, we already know that buying cyber insurance is a lengthy, involved process. But for smaller companies, buying cyber insurance is apparently more transactional. That is, to underwrite cyber risk for hundreds, thousands, or even hundreds of thousands of micro-businesses, the industry cannot expect to employ experts going through the due diligence process of sifting through security posture. That simply would not scale.
Last week, I met up with an old friend of mine - Vimal Vaidya, CEO and Founder of WhiteHaX. I first met Vimal many years ago while he was at iPolicy Networks, and we've stayed in touch as his career progressed across different businesses in our industry. Today, Vimal is developing a platform that automates security testing for customers - and we spent the better part of an hour discussing how this will influence micro and smaller-business insurance vetting.
"There are three ways an insurance company can estimate cyber risk for a potential policy holder," Vimal said. "First, they might perform a risk scoring based on external characteristics. Many different companies do this, but it might not be the most accurate means for small businesses that are in the cloud. Second, they can employ experts, including consultants, to go through all the details of a potential customer's security. This takes time and effort, obviously.
"But a third possibility arises, and this is what we are focused on supporting at WhiteHaX," he continued. "We have created a platform that allows for a light and simple test of the security capabilities of a target enterprise. The platform can be thought of as automating the penetration testing process, and the result is an on-going analysis of risk that insurance companies can deploy and use at scale."
The WhiteHaX platform supports two modes of operation for a target enterprise. First, it can be operated with an agent embedded in the network of interest. This allows for a deeper analysis, because having a beachhead inside the corporate firewall obviously extends the area of visibility. Second, it can be operated, like a scanner, from the outside. A browser-based version of WhiteHaX can also drop a temporary agent into the network of interest.
I asked Vimal whether any real conclusions can be drawn about security from such a seemingly light test: "Certainly, our approach does not replace the due diligence that an IT security team must follow to ensure proper security management of an enterprise," he said. "But for insurance companies, especially ones selling to micro-business, the alternative to the WhiteHaX approach is to basically do nothing. We therefore provide considerable value in such cases."
I also asked Vimal about the types of threats being considered. He took me through the details of his low-impact, remote testing approach - including an impressive demo of the GUI, which includes easy-to-read summaries of identified security issues, along with basic suggestions for how to mitigate risk. The entire set-up does look to me like a wonderful option for high-scale vetting of businesses that would otherwise have unknown posture.
An obvious business challenge for any platform of this type is the dynamically changing nature of small business computing and networking, with almost all software applications and systems finding their way to public clouds. This implies that automated penetration testing solutions such as WhiteHaX will have to include more generic methods of assigning risk posture to companies that are mostly just a collection of XaaS offerings.
Nevertheless, Vimal and his team have clearly identified a pragmatic solution to scaling the posture vetting for insurance companies selling cyber risk policies to micro-business at scale. With the alternative method being little more than reviewing the responses to a questionnaire, I think the insurance companies would be well-served to review the WhiteHaX approach, and perhaps the greater visibility will help them keep premium costs low.
So, whether you are in the insurance industry as a buyer, seller, agent, or broker, or are just interested in learning more about automated penetration testing using quick, low-impact methods, perhaps you might give the WhiteHaX team a call and ask for an overview and demo. Let us know what you learn.