Cyber Insurance Conundrum: Using CIS Critical Security Controls for Underwriting Cyber Risk

Cyber Insurance Conundrum: Using CIS Critical Security Controls for Underwriting Cyber Risk (PDF, 2.25MB)

Published: 01 Feb, 2017

Created by: Oleg Bogomolniy

There has been a considerable amount of insurance-industry-related research aimed at defining new cyber security frameworks to help insurers underwrite cyber risk. This research includes copula-based actuarial models for pricing cyber insurance based on the number of computers; using the peaks-over-threshold method (from extreme value theory) to identify 'cyber risks of daily life'; using the Principal-Agent model (from microeconomic theory); creating a methodology for common cyber risk categorization; modeling cyber risk based on operational risk; and more. However, there has been little to no input or research into cyber insurance related topics from cyber security experts. The purpose of this exploratory study is to propose the integration of a risk framework for underwriting cyber risk. This paper analyzes how the CIS Critical Security Controls, along with their accompanying quantified metrics, benchmarking, and auditing tools, can be used as a rating mechanism for determining the cybersecurity posture of insured organizations. Furthermore, such a mechanism can be used on an ongoing basis, either for self-assessments by insured organizations or for assessments by independent qualified security assessors.