Page 199 - Cyber Defense eMagazine Annual RSA Edition for 2024
of risk exposures. These act as a proxy for how quickly an organization can operate a security tool or
restoration process on the day a severe cyberattack occurs.
The growing record of material losses that have actually occurred highlights the inadequacy of these
paper-based assessments as pragmatic indicators of performance. Recent cases, such as the dispute
over Merck’s $1.4B cyber insurance claim settlement, demonstrate that exclusion provisions are not the
answer to the unusual and fast-changing nature of cyber threats and their increasingly varied ways
of creating losses for companies.
A radical solution: Efficacy-based underwriting
By reforming the cyber underwriting process, basing it on the regularly tested efficacy of a company’s
cybersecurity defenses and not just on paper assessments, insurers can draw the line they need for
proper underwriting. In turn, insured businesses can be rewarded for a preventative approach that
demonstrates efficacy against potentially material cyber events.
The good news is that a number of companies in the US and around the world have been efficacy testing
and optimizing their cyber controls for years. From stack optimization to stress testing, these methods
serve as a means to fortify the organization’s security posture across people, processes and
technologies. This approach involves maintaining high-fidelity replicas of an organization’s expansive IT
and OT networks and regularly attacking them, and their defenders, with a range of light to severe cyber
threats, up to the point of failure. This allows companies to ensure their teams, tools and processes
remain effective against even the most severe cyber threats. The goal is to regularly evaluate the
effectiveness of individual components as well as the collective efficacy of all parts and controls. So,
metrics-based efficacy testing in cyber can be, and already is being, done.
A good analogy can be found in the airline industry. Flight crews regularly practice their responses to
severe engine-out, hydraulic and other system failures in high-fidelity replicas of the Boeing or Airbus
planes they fly. They are allowed to fail, and often do. The data collected from such exercises reinforces
where responses are correct and goes a long way toward ensuring pilots are proficient and prepared to
handle such events during real-life commercial flights.
The benefits to both companies and their cyber insurers of using high-fidelity replicas for similar efficacy
testing in cyber are undeniable.
The bottom line
Cyber underwriters no longer need to assess companies based solely on theoretical effectiveness.
Companies are now able to provide effectiveness evidence against the full spectrum of the latest
potentially material cyber threats, and insurers can make ready use of that evidence.
Property and casualty underwriters don’t grant ‘highly protected status’ to companies that have fire
suppression systems but lack evidence that they have ever been inspected for their ability to operate well