Cyber Catalyst; Dead Cert or Rank Outsider?


Disclaimer: The views in this article/blog posting are my own opinion based on the available data that Marsh has made public.

As mentioned in episode 3 of my OMG Cyber! podcast, a number of insurers/brokers have joined a new cyber ratings project known as “Cyber Catalyst”.

More details can be found here: https://www.darkreading.com/risk/insurers-collaborate-on-cybersecurity-ratings/d/d-id/1334258 and direct from Marsh here: https://www.marsh.com/us/campaigns/cyber-catalyst-by-marsh.html

Here are a few snippets from the article on the Marsh site:

In the Cyber CatalystSM program, leading cyber insurers evaluate and identify solutions they consider effective in reducing cyber risk. Participating insurers include Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America. Microsoft is a technical advisor to the program.

Cybersecurity products and services viewed as effective in reducing cyber risk will be designated as “Cyber CatalystSM”. Organizations that adopt Cyber Catalyst-designated solutions may qualify for enhanced terms and conditions on cyber insurance policies from participating insurers.

I applaud Marsh for doing something to try and address the lack of cyber risk analysis, profiling, etc. However, I do question the value of this initiative; I will outline below my concerns and thoughts on why this is, I believe, not a helpful offering.

I do not see the value of Insurers/brokers carrying out product/solution ratings, as:

1. They (the insurers/brokers) are not experts in this area, and
2. There are already plenty of other independent testing/rating organisations that have been doing this for many years, to a very high standard. These include ISCA, NIST, AV-Test, and so on… It would have been far more sensible to partner with one of these instead, and it would have added more credibility…

So, this seems to be a strange thing to attempt; a bit like reinventing the wheel and coming up with a different shape that is not as efficient as the one we already have which has served us rather well, so far.

The program is, by my understanding, stating that if a client/insured has product/service x, y or z from the list of “approved/recommended” ones, that the client will get better rates (such as higher limits/lower premiums) and so on.

1. Now, this is fine, apart from the perspective that just because the client/insured has purchased an “approved/recommended” product/solution, it does not mean that they have rolled it out or installed it.
2. Even if they have done so, where are the checks and balances to confirm this, that it is not only rolled out, but actually configured correctly?
3. Furthermore, where is the ongoing validation? Without that, this is pretty much just a box ticking exercise, and therefore no better than the existing risk rating mechanisms they already use.
4. They state that “Microsoft is a technical advisor to the program.”, this does not really help, as they are not a trusted independent review organisation/body. What happens when Microsoft review their own products and solutions?
5. Their disclaimer doesn’t exactly offer a ringing endorsement of the value of the program, read it for yourself and see if you agree?

I would say that this is little more than a “beauty contest” and it doesn’t really do anything to address cyber risk in a new way.

Now, just to be completely transparent, I used to work for AIG as a Cyber Risk Specialist (and so I understand Cyber Insurance quite well). I helped AIG design their Cyber rating solution known as “CyberMatics”. Let me be very clear, I have no axe to grind with any of the insurers, and receive no financial benefit from “CyberMatics” or AIG on this, or any other article/blog posting that covers cyber insurance.

The difference with “CyberMatics” is that is collects telemetry and/or meta data to validate that:

1. The insured has the solution/service installed correctly, and more importantly
2. That it is being used correctly; not just once, but on-going, and this is shared with the client/insured via a secure portal, to help them further improve their cyber defences and resilience.

That is a huge difference!

You can find out more about “CyberMatics” here: https://www.aig.com/business/insurance/cyber-insurance/cybermatics

What are your thoughts on this?  Please let me know…

“Cyber Catalyst” and “Cyber Catalyst by Marsh” are registered trademarks of Marsh LLC
“CyberMatics” is a registered trademark of AIG

OMG Cyber! Episode 3 The one about Sextortion, Social Engineering, SIEM and SOAR

The latest episode of my podcast is now available, hope you enjoy it…

Episode 3- The one about Sextortion, Social Engineering, SIEM and SOAR

This episode does a fairly deep dive on Sextortion scams and Social Engineering.

I also talk about the latest news around the FIN6 Cyber Crime gang, Credential Stuffing attacks and a new Insurance initiative…

This episode uses a new microphone, improved workflow and  post-production tools, this has hopefully produced better (more consistent/levelled) final audio. As usual, all feedback is most welcome.

There are a number of companion blog postings, these can be found here: https://omgcybersecurity.co.uk/blog

You can find out more about us on our website, including how to contact us, here: https://omgcybersecurity.co.uk You will also find show notes there…

You can subscribe to it via Apple, Anchor.fm, Google, Pocket Casts, Spotify, Breaker, PodBeam, RadioPublic and Overcast (others to follow)