Host Adrian Vernon, VP of Product Managment Chris Goettl, and Chief Security Officer Daniel Spicer give you the rundown on everything Cyber Insurance! The conversation includes:
Host Adrian Vernon, VP of Product Managment Chris Goettl, and Chief Security Officer Daniel Spicer give you the rundown on everything Cyber Insurance! The conversation includes:
Adrian: Well hey everybody, I’m Adrian Vernon your host here for another episode of Ivanti Insights, so welcome, and I'm joined today by our usual cast of characters. First we have Chris Goettl, who's one of our vice presidents of product management. How are you doing Chris?
Chris: Doing good Adrian, thanks.
Adrian: All right. Well always a pleasure to have you here at Ivanti Insights, and I hope you're ready to rock and roll. And then of course we are joined by none other than Daniel Spicer, our Chief Security Officer here at Ivanti. Welcome Daniel.
Daniel: Hey, thanks.
Adrian: All right, here's the main question, are you guys ready to rock and roll and talk about Cyber Insurance? That is our topic of the day. The question is what do people need to look out for, can it really help mitigate risk and be effective for organizations? So Daniel, let's ask you first, what does cyber insurance cover, and why should organizations even look into getting it?
Daniel: Yeah, absolutely. So cyber insurance is one of the ways that an organization can handle risks, this is the magical transfer of risk from your organization to another organization. And specifically around cyber insurance, there are a few things that it can help with, a lot of that is around malware, especially ransomware, which we hear a lot about. It can help with major service outages, or supply chain issues. It can also help with data breaches, especially if you run afoul of any privacy laws like GDPR or some of the different privacy laws that you've seen come out of the US. There are dollar numbers associated with each record that is breached, and that adds up very quickly. So cyber insurance is a very popular way now for organizations to protect their assets, and it's very similar to how you would protect a house or a car, right? You probably have locks on the doors and windows, probably even a security alarm potentially, but if someone actually gets past all of those different protections you have, what do you do? You'd probably go back to your homeowner’s insurance or your car insurance and have them replace items that were lost or damaged. So it's a very similar situation with cyber insurance. This is your last line of defense, when everything has already gone wrong, you can turn to your policy.
Adrian: Okay, so let me ask you Chris, let's turn to you, what are some things that organizations may need to know, or that could come up during a conversation with a broker?
Chris: There's definitely some things that can help potentially impact the cost of your policy for cyber insurance. So think of it like car insurance, there's some vendors who hey if you have a good, safe driving record, your rates go down. If you do things like use their app and they can monitor some more behavior, especially with like a young teen driver or something, there are ways to mitigate that. The same applies to cyber insurance. There are certain things that you can be doing that makes sure that you're meeting good security cyber hygiene practices, and that can actually help influence that policy cost for you. So that could be things like are you utilizing MFA for your domain accounts. You should definitely know who are admin permissions be given out to for your organization. You should make sure you're locking down those accounts effectively, and using MFA puts that additional layer of security in there. Even going towards things like passwordless authentication helps to influence that even further. You're using MFA, but you're also using stronger types of authentication during that process. Other things, vulnerability and patch management, making sure that you're taking care of and reducing that attack surface. Even things like who are your providers that you're going through? If you're going through a top-tier cloud or third-party providers, that could help influence that policy. If you are using less known vendors that could also potentially influence the cost of your policy in different ways.
So funding for your organization, and Daniel I know has talked about this before, where even understanding the cost and investment that you put into your organization's security team could influence your insurance policy. So there are a lot of different factors, a lot of it comes down to making sure you've got those good security controls in place, using a good framework to do so is very important. It can help you adhere to and reference certain guidelines to make sure that that provider you're going through is comfortable with the level of security you've put in place. A good vendor risk management program, making sure that you've got your top vendors that you go through, that you've vetted them out, and there's no additional risk being introduced through them as well. So there's quite a bit Adrian, that you can do to help influence the price of that policy.
Adrian: Okay. There's certainly a lot to consider, but it certainly sounds like, you know, considering the high stakes of cybersecurity and all the headlines that we see out there. And let's remember for every headline that we see…Main headline around breaches, around ransomware, there must be hundreds, if not thousands on a day-to-day basis that are occurring outside of the headlines that we don't hear about. So certainly a lot at stake here. Daniel, what are some examples you may be able to give us of cybersecurity vendors who are getting involved?
Daniel: Yeah absolutely. So I think one of the places where we're seeing the most change specifically around what influences decisions for the brokers is around your managed security service provider or your MDR provider. There's actually quite a few companies now who have started coming in with their own underwriting and their own breach protection or breach insurance that comes with their managed security service. They come in with their tools, with their SIM solution and they watch for the environment. They also typically take a hand in helping with containment, but now there are also a layer of insurance with you. And this is a signal to the brokers that you've brought in a high quality vendor, such that another organization already underwrit them, already is providing a level insurance and helps you negotiate better. There are some other third parties though that also speak into this market around third parties that help build business continuity plans or disaster recovery plans, also a little bit into your incident response policies and plans. So the brokers are interested where you're bringing in third parties to help build these programs to perform those risk assessments. To build the plans and the readiness and perform the exercises to demonstrate those plans are functional, so that when you do have an incident, they're paying less out of pocket, so they're willing to insure you for more.
Adrian: But, and gentlemen, there is always a but, cyber insurance can't cover everything, correct? Chris, let's start with you, what are some of the incidents that cyber insurance may not cover for an organization?
Chris: Yeah, so many of you have heard the term nation-states. When nation-state funded, threat actors get involved, that oftentimes gets into a gray area where there can be complications with this where insurance and cyber insurance cannot cover it. So certain nation-state attacks have fallen under the category of hostile or war-like actions. This is an area where there could be a gap in insurance policies that can sometimes cause issues. So companies that didn't have cyber insurance that turned to their regular insurance to invoke that property or casualty policy, may not be able to claim anything there because it was executed by a nation-state. So that is a complicated area where weeding through that may be difficult at times. One thing to do in a case where you're dealing with the aftermath of an attack is work with a third party who is used to dealing with and profiling the threat actors to understand who you're dealing with and what circumstances you might be running into. Another example of where things have gotten complicated, towards the end of last year in November 2020, the US Treasury Office of Foreign Asset Control, OFAC, issued an advisory about ransomware payments. In this advisory, they state that actors who fall under their sanctions nexus, basically it's this list of threat actors who are known to be funded by, or their money goes back into nation-state entities that are a threat to national security. If you, or a third party on your behalf pays one of these sanctions nexus threat actors, that could actually incur steeper penalties from the US Department of Treasury. So that's where a lot of times this gets really complicated when nation-states start to get involved. In those cases, again, there's some very effective third-parties that know how to negotiate and deal with these types of entities. They can help you navigate that much more effectively than you'd be able to do on your own.
Adrian: So Daniel, anything else there that you might want to cover that Chris may not have?
Daniel: Yeah, when the Department of Treasury sent out their reminder about the OFAC sanction lists, a lot of people took notice. Of course, part of that was the insurance companies, and sometimes they will deny payment just because you didn't engage with an expert to verify that they were not sanctioned, right? Because they don't want to take on that risk of running of ballads to the treasury department, but you know interestingly, threat actors also took notice. One of the groups that's actually on the OFAC sanctions list is an organization called Evil Corp, they're a well-known threat actor group, and they participate in ransomware. And at some point, several of their ransomware that they had used had been affiliated with Evil Corp and had been made very public that those ransomware were being used by Evil Corp. And so that sends a signal, you shouldn't be paying the affiliates of those ransomware providers and those ransomware disappeared off the face of the earth within weeks. Simply because there's no money to be made. When you think about it, ransomware is operating very much as a business, and so you can see how they take signals from these messages that the US government puts out just like the insurance companies and our own organizations.
Adrian: All right, earlier Daniel talked about cybersecurity vendors getting into this space, Chris let me ask you, what does this mean for the cyber insurance market overall?
Chris: It's growing pretty rapidly right now. In 2020, the cyber insurance market was about 7.8 billion and it's expected to grow to 20.4 billion by 2025. It's a pretty significant growth space right now. So you've got quite a mix of things going on. You've got the insurance vendors continuing to expand, you've got cybersecurity vendors coming in and also helping to rapidly expand this. With some of the complications, there's also a few vendors who have actually backed out of the space, so for it to still be growing at this type of rate, with those complications on top of it, it's a very budding market. Let's put it that way.
Adrian: I'm not surprised to hear that by any means. All right gentlemen, we reached just about the conclusion. This is where I like to ask each of you, Daniel we're going to start with you, final parting shot. Is there anything we missed from earlier in this segment?
Daniel: Yeah, one of the things that I don't think people pay a lot of attention to when they select their cyber insurance policy is who's actually going to help them when a breach occurs. And so very much like health insurance, there are quote unquote in-network providers for breach support. So when you purchase your policy, you should really pay attention to which vendors are allowed to support you both from external factors, and from a technical forensic standpoint. See who's actually on that list, see if that matches who you have on retainer, that's a very important thing that people miss very often.
Adrian: Final parting pearl of wisdom from one Chris Goettl.
Chris: Yeah, absolutely. As you get into cyber insurance, it's very important to make sure that you enter into this with the desire to fully execute this well. Management commitment is very important. Having a risk assessment done to make sure you understand your current cybersecurity position. Making sure that you've got internal controls that are going to meet the requirements of your cybersecurity insurance vendors. Very important. As you get into those, if you're looking to investigate cyber insurance for your organization, those are some things to keep in mind. You might have to implement some additional controls, you might have to step up your game in a few areas or resource your organization a little bit differently. Or that cyber insurance policy could be more expensive or not able to cover you effectively in all cases. So some important things to keep in mind as you investigate that.
Adrian: All right gentlemen, well thanks so much for your thoughts. Gentlemen, we appreciate you coming on, and until next time everyone, stay safe, be secure and keep smiling.