Jake’s not alone. Scepticism about cyber insurance is common and many perceptions (some, misconceptions) get batted around by cynics. I’ll let you into a little secret, we even agree with some of the perceptions of the cyber insurance space to date, and that’s why we’re doing things differently.
It would have been easy to ‘hear no evil’ emoji Jake’s critique and brush it under a carpet with all the other cynicism, but that’s just not our vibe. Instead, I organised a debate on cyber insurance.
In the ‘against’ corner, we have Jake Moore. With 14 years of experience in digital forensics and cyber crime investigation in the Police, Jake now serves as global cybersecurity advisor for ESET.
In the ‘for’ corner, we have Ed Ventham, a specialist cyber insurance broker, industry representative for NCSC and co-founder at Assured.
And then there’s me as referee. I know what you’re thinking: I can’t possibly be an impartial referee because one of the debaters is my colleague. But let this article do the talking because when it comes to editorial independence, I’m not throwing in the towel.
Let the battle commence…
Jake Moore (JM): My first and perhaps only point is that if you are best protected, you shouldn’t need to clean up in the aftermath. If you have all your ducks in a row with the best protection, then there’s a good chance, not 100%, admittedly, that your data and company are protected.
Ed Ventham (EV): Some organisations are buying cyber insurance due to contractual requirements. Some buy it because they want to outsource the legal, PR and forensic investigations teams in case of a breach to the experts. Some buy it because they want the security blanket.
JM: I get all that, but that’s the gold standard. Cyber insurance may be an unfortunate luxury that they can’t afford. My theory is that if you have a certain budget, as all decision-makers do, I would heavily fund the protection side as it’s far safer to prevent than clear up. Prevention is better than cure; I see cyber defences as prevention and cyber insurance as a cure.
JM: I only buy insurance if I absolutely have to. I’m not playing here with data, so I do understand your angle on cyber insurance.
EV: With individual and personal liability, either you get insurance, or you don’t –that’s on you. But businesses are responsible for hundreds of employees and have data on hundreds of thousands of clients. You have obligations to or a requirement for cyber insurance, whether contractually or an act of integrity, so that people trust your business. Insurance has become a sticker of trust. In the event of a cyber incident, if you’re able to say, “we’re insured; we’ve got the best teams working on incident response and data retrieval,” then that gives your customers confidence.
EV: Where cyber insurance really comes into play is that immediate access to the best experts once an incident has occurred. When you’ve got the threat of being investigated, you need a cyber lawyer to ensure complete due diligence to report back to the ICO. In the wake of a cyber incident, the legal expertise, the PR requirements, the potential investigation for the regulators and the incident response all costs time and money. This is when you need to lean on an insurance partner.
JM: So you’re like the guys in Pulp Fiction? They go in when shit has gone down, and they clean up the blood over the Cadillac. But if you’re insured, and you press that button for the cleanup, it’ll cost you. Like everything in insurance, your premium will go up next year. To be fair, the way you’ve explained what happens when you press that button, the cleanup from the professionals, sounds wonderful. And for the right client, that’s a dream, and that is why my view of cyber insurance is not an industry-wide view for everyone in cybersecurity. That said, if you spend your budget on covering your security bases, you may never need to press that button.
JM: Let’ ‘s face it, it’s in a cyber insurer’s interest not to pay out.
EV: I categorically object to that. It’s one of the simplest attacks on insurance to say they don’t want to pay claims. On the contrary, paying claims is the business model. If they didn’t want to pay claims, it just wouldn’t work. I understand there are stories in the press, and I agree that there have been awful cases in property insurance or when an individual consumer has been denied a financial lifeline when they need it most, for example. Often, in cyber, the reason for a claim not being paid is contractual wording in insurance policies that are not being read by the people who sign them, something that could be avoided with transparency from brokers. If insurers stopped paying claims, cyber insurance would become untenable because no one would buy it.
JM: I put cyber insurance in the ‘quick-win’ category that many are looking for, but in my mind, if they had better protection in place, the insurance wouldn’t be needed. My theory is that if you have a certain budget, as all decision-makers do, I would heavily fund the protection side as it’s far safer to prevent than clear up. Prevention is better than cure; I see cyber defences as prevention and cyber insurance as a cure.
EV: Cyber insurance isn’t a quick win. Insurers continue to raise the bar in terms of what an organisation needs to implement to mature its security posture to permit a policy. So there is no quick win and it’s not available to everyone. Instead, it’s a security blanket in the form of balance sheet protection and reputational integrity that organisations deserve to have if they’ve put the proper security measures in place.
EV: I want to touch on what you said about premiums going up after a claim. This is a common perception, and I have the same one outside of cyber insurance. With a car, you might prang it and decide not to claim if you calculate that the premium increase will cost you more than the repair. But cyber is different. If you have an incident, you have to report it; otherwise, six months later, when the attack is realised, the insurer could refuse to pay. But organisations are often reluctant to report incidents because they believe their premium will go up. However, cyber is probably one of, if not the only, sector which is trying to change how consumers behave. Only a few people are aware that cyber insurance policies can offer access to the breach response service for zero cost when notified within the first 72 hours (essentially your excess is waived). The idea is that if a potential disaster can be mitigated within the first 72 hours, the breach is contained, the claim is avoided and there is no reason to hoick prices when renewal comes around. Insurers are happy to swallow those initial investigation costs. At the same time, an organisation tries to work out what has happened, whether any damage has been done, and if the situation needs escalation.
JM: Don’t the police offer this service for free, though? Even if it is ad hoc. Of course, many companies will choose the hotline for cyber insurance services, but they’ll pay a large premium for it.
EV: They’d pay a lot more for those breach incident response services without an insurance policy to cover the costs though.
“They’d pay a lot more for those breach incident response services without an insurance policy to cover the costs”Ed Ventham
JM: If a company gets hit with ransomware, they are way more likely to pay it with the backing of an insurer. A cyber insurer gives the money to the ransom-demanding criminal (be it directly or indirectly through the client), which funds all sorts. I ethically detest that the money goes from the insurer into the pockets of the cyber criminals, funding a business model that should not occur. I am in two minds about demands being paid or not, but I hate the idea of the insurers paying because the ransom demanders just increase their prices. Yes, you may have been dug out of a hole by your wonderful insurer; they’ve been there, patting you on the back and wiping the sweat off your face, and then reminding you that next year your premium will go up 50%.
Cyber criminals know how much you can afford. They do their homework; they even know if you’ve got an insurer. If a company is targeted with a ransom they can afford, I disagree with paying it but I understand it. I feel sorry for them in that headless chicken moment, stuck between a rock and a hard place. When they have the backing of an insurer, they may have less sweat on their brow, but the money going to the criminal will have increased.
EV. Insurance has never been the driver of ransomware. Instead, cyber insurance is a solution to a huge problem. Insurance or no insurance, those attacks are going to happen. Around 40 to 45% of businesses buy some form of cyber insurance, so a larger number of companies are being attacked and don’t have insurance. They’re still paying bad actors; they just don’t have the insurance support as they’ve chosen not to take it.
Of course, with an insurer backing you, you’ve got the resource to pay the ransom should you wish. More importantly, you’ve also got a panel of experts to call. They will send in a ransom negotiator who has been doing exactly that every day for 20 years. They give you options. They will fully assess your infrastructure, determine what data the criminals have, and give you both options and advice.
JM: I agree with the advantage that brings and think it fits well with a particular size business.
EV: For organisations that don’t agree with paying ransoms, there’s also the option to take a policy and take the ransom part of the policy out. Of course, if they are held for ransom, they may wish they had it. The part of the policy that should never be overlooked, is access to expertise. Most businesses don’t have a ‘Jake’ and have absolutely no idea where to turn in the event of an incident.
JM: If an insurer gives an organisation a list of things to do to protect itself to qualify for a policy, and they follow all those rules, the chance of then needing insurance is so small it isn’t worth the amount you’re charging us, so the money it would have spent on cyber insurance could then be invested in cyber risk instead. However, if insurers can offer simulation attacks or pen tests to sweeten the deal, too, and the result of that means you might even pay less because you’ve patched those holes, then that’s a win. That would also make me feel more confident because there’s additional due diligence on the insurer’s behalf.
EV: There’s a whole suite of services that are included alongside the policy itself. Such as dark web monitoring, phishing simulations, providing real-time threat alerts and access to cybersecurity advice (to name a few). Insurers are doing non-intrusive scans on network perimeters, and they’ll identify exposures for patching. Some will withhold a policy until it’s fixed. Others will offer a discount for addressing vulnerabilities. It’s encouraging good behaviour and improved security posture.
JM: I believe that insurance spent on post-compromise PR to minimise reputational damage is a really good thing. However, I think there are freebies you can do in this space that is superior to paid-for PR. As a customer, I don’t care if a breached company has insurance; I care solely that they hold their hands up, share the details of how it happened and enable peer learning.
EV: We have a client who did go public, an architecture firm, and straight away, they held their hands up and explained what happened. Everyone loved it, but it doesn’t end there. Access to expert teams in the aftermath of an incident makes an enormous difference.
“Prevention is better than cure; I see cyber defences as prevention and cyber
insurance as a cure.” Jake Moore
JM: It comes down to who the decision-makers are and whether cybersecurity is important to them. If it is, you’ll probably find they aren’t requesting cyber insurance.
EV: I’d argue quite the opposite. To get cyber insurance, you need to prove a level of cybersecurity for the underwriters to offer a policy.
JM: We’re seeing many tech lay-offs, and I fear that cyber insurance could be one of those lay-offs because it could potentially be seen as a luxury.
EV: During COVID, people assumed that cyber insurance, and indeed insurance generally, would have been one of the things people started offsetting. The reality is that it was the most successful two years for cyber insurance. Why? Because at a time of so many uncontrollables, people want to control what they can, insurance becomes a real security blanket. They’d rather pay £20. £30, or even £40,000 for cover, rather than risk hundreds of thousands of pounds due to a cyber-attack. Five years ago I might have agreed with you, cyber was a luxury. But the cyber risk landscape has evolved and the protection from a cyber insurance policy has matured to remain relevant. It’s no longer a luxury, it’s a necessity.
JM: What cyber insurance has done positively is made people think about their security. I don’t know if it’s driving behaviour, but if it drives an organisation to do a penetration test, then great.
EV: Cyber insurance is driving good security behaviour, and we’re passionate about collaborating with the cybersecurity industry and improving cyber hygiene across the board. Cyber insurance has driven four key areas: The integrity and security of back-ups; multi-factor authentication; remote access; and internal employee training.
JM: It comes down to this: I believe prevention is better than cure, and I advocate for that.
EV: I would argue that the cure encourages prevention, so I think insurance drives better security behaviour.
From light-hearted banter between the contenders before the debate to strong rebuttals and respectful challenges. There are areas where the debaters failed to see eye to eye, but on balance, some mutual ground was found.
Expecting a swing from either side would have been naïve, but the regular airings of the phrases “I do agree” and “I get that” from both parties was encouraging.
It was a candid, at times slightly heated conversation, but so very worthy. I thank both Ed and Jake for their willingness to go head-to-head in Assured’s first debate.