Features 30.11.2022
The Chronicles of Cyber Insurance: The Responder, The Lawyer and The Broker
What do you get when you mix an incident responder, a lawyer and a cyber broker?
We’re a long way from Narnia, but read on to find out what you get when you mix a cyber incident responder with a cyber lawyer and a cyber broker. Spoiler: Some unique but also surprisingly aligned views.
We ask our panel to share their thoughts on the relationship between ransomware and cyber insurance, the collaboration efforts between law, response and insurers, the impact the recession may have on cyber insurance decisions and kick off the debate around whether cyber insurance will, or indeed should, become mandatory.
Let’s introduce you to our esteemed panel, moderated by Eleanor Dallaway, content director and co-founder at Assured.
LPH: The obvious ones are going to be ransomware and phishing, they’re just huge attack vectors. There’s also the use of the dark web. We’ve seen a huge amount of ransomware as a service and people using the dark web to sell vulnerabilities to target big corporates.
We’ve also seen a rise in MFA fatigue. Most people have the muscle memory of picking up their phone, and [instinctively] clicking approve on auto-pilot. Once you’ve clicked approve, it’s called a handshake and it’s very hard to go back on. There’s a huge reliance on staff to be at the top of their game all the time and the reality is we’re all human beings, we’re going to make mistakes and we need to get rid of that blame culture. A solution to this is to lock down permissions. Reduce privileges and set up a control process to make sure you’ve got one admin, but do not call them ‘admin’ because if someone is exploiting a network, the first thing they’ll do is try to hunt down the admin to set up a user to replicate their procedures and controls. If you have a named admin, you have a target on your head.
AR: Multi-factor authentication has been seen as a silver bullet, certainly in the insurance industry. We saw so many insurers insisting on MFA as a prerequisite for cover and I think that has made some organisations complacent about their general security hygiene and practices. We see people interact with a phishing email or click and download something, thinking ‘it will be fine because we have MFA.’ That’s not necessarily the case though. Training and awareness campaigns, however, can be hugely beneficial. They’re always something we speak to insurers about in terms of an easy win with regulators. No company is immune to human error, it’s the weakest link in any cybersecurity posture, but if we can get companies to put in regular training and reminders about password complexity and phishing campaigns, they do work.
The Information Commissioner understands that no one is immune from cyber-threat, but instead the focus is on what measures a company has in place to try and stop these things happening. They’re also looking at how a company reacts to suffering an incident and whether their response is proactive. If we can focus on these elements, it’s our best chance of persuading a regulator that we’re doing everything right and they don’t need to take a closer look.
EV: The lack of skillset, both in security and insurance, is a risk, even if it’s not a threat per se. When we went into lockdown in 2020, there was a huge spike in ransomware and there was a massive uptick in businesses that wanted to secure themselves against attack and transfer the risks by purchasing cyber insurance. There simply weren’t enough people in the industry to service them all. As a result, the whole industry got shaken up, all policies were reviewed, new exclusions were put in place, conditions were applied, and it became a very, very different scene. It all had to be done almost instantaneously because of the speed at which everything happened. The majority of people working in cyber insurance have two to three years of experience, which means that for the next year or two, there are a few playing catch-up as people learn and the junior people catch up.
LPH: We see the same on the technical side. You can get graduates on (close to) six-figure salaries these days who don’t have the practical experience to respond to some of these incidents. There’s actually a very small pool of good-quality incident responders in the UK.
AR: It’s the same on the legal side. We’re consistently recruiting people who haven’t previously done cyber. When we first started growing the team, everyone had to start fresh and learn from the ground up.
EV: No-one outwardly publishes having cyber insurance, so I don’t think hackers are targeting firms that do or don’t have cyber insurance. Instead, hackers start with who has the least secure defences, looking for easy prey. So before questioning insurance, consider whether weak security exacerbates the ransomware crisis. Insurance is now a catalyst for higher levels of security maturity, and when the cyber insurance process is managed properly, it’s fair to assume a business with cyber insurance is more secure than one without, given the high standards they are being held to.
The fundamental basis of what insurance stands for is that it supports businesses and is there to protect against financial loss and operational loss. If you took away a key risk, or a key loss which impacts businesses, then you’re taking away a really core element of the point of cyber insurance.
Does having cyber insurance increase the likelihood that a ransom will be paid? Admittedly, probably yes, as the funds will be available. That said, the more important consideration is the ability to handle the ransom decision through the capability of incident response experts and a ransom negotiator that will be readily, and instantly, available for insured organisations. In many instances, even with ransom cover, the decision is made not to pay a ransom. AIG was the first insurer to lead with coinsurance clauses. What they did was grade businesses as gold, silver, and bronze for example. If you get gold, it means you’ve done everything you can to mitigate the risk in the first place, so you get full ransom coverage. If it’s coinsured, perhaps a business rated silver or bronze, it’s because you haven’t got your controls to a place where the insurer is comfortable. They’re effectively saying ‘if you have a ransom attack, we’ll pay 50% of it, but you need to pay the other 50% because ultimately, we’ve got better risks out there.’ It’s meeting in the middle.
AR: Absolutely. From an insurance perspective, I don’t think you will ever get away from the odd attitude of, ‘well, we’re insured, so why can’t we just pay it and everything will go back to normal’. It’s our job to explain why it’s not that simple. Even if we do pay a ransom, it’s not just a case of flicking a switch and all the lights going back on. It can take months, even if we do go down that route between negotiating, getting a working decrypter tool, testing it, getting the system rebuilt to power everything back up. The beauty of insured clients is they will immediately be tapping into the network of vendors that are on their insurance panel. They will immediately have a huge range of guidance to talk them through the process, advise on what needs to be done, what the risks are, and what the benefits are of different courses of action. There is no ‘one size fits all’ approach to these sorts of incidents.
If you have an insurance policy in place, we’ll be on the phone within minutes of discovery, talking them through everything, reassuring them, and advising them of the next steps. For the non-insured, it can take 24 to 48 hours to actually get to the stage of speaking to us and getting the right people on board. That can have a huge impact on the trajectory of an incident. CEOs are often more familiar with the traditional lines of insurance and have less understanding about cyber insurance because it works in such a different way. There isn’t an appreciation that the cheque you’re going to get at the end isn’t the only benefit. Just as important is that immediate support system that you have in place.
LPH: I think insurance does make ransomware more appealing for cyber-criminals. Knowing that there could be third-party funding does increase the opportunity that they are going to pay the ransom. We’re seeing huge stats on the number of people who are getting hit twice, from cyber-criminals bragging on the dark web about which companies pay out. We’re always one step behind, and the reality is we’re always chasing our tail. People need to wake up, be more proactive and stop relying on backups and insurance.
EV: I’d actually put down ransomware as the single biggest driver for the cyber insurance market maturing, almost coming of age. I think when the spike in ransomware happened, it was a sudden wake-up call for the insurance sector and I feel now is the time when both the insurance and security communities are starting to communicate more. Cyber insurance gives businesses options; the option to pay, or not pay, but because you’ve got access to experts who deal with this day in day out, it means that you’re not left in the dark, and you’re not paying the fees that you would be if you didn’t have an insurance policy.
EV: The biggest risk before ransomware was social engineering. Prior to 2018, you could get coverage for cybercrime and you could get covered for the full whack. The maximum you’ll get in the market now is £250,000. That was the cyber market turning around and saying ‘this is a straight financial crime loss and we shouldn’t be covering this.’ There is now a fear of systemic risk and I actually don’t know if it’s changing policies for the better.
LPH: Even as a [cybersecurity services company], CYFOR Secure has been turned to buy cyber insurance, which at face value we see as being slightly irrelevant as it tends to be us that does the incident response, so we always thought we didn’t need it. Our forensics division provides backlogs for forensic investigations for the police, and they stipulate that you need cyber insurance. That’s the same for a lot of government tenders and portals. I think this is something the UK will wake up to more and more. We’re seeing this in the US already: cyber insurance is becoming mandatory for lots of big supply chain negotiations and the UK is starting to cotton on to this now, understanding that supply chain fraud and cyber-attacks can affect us all and we want to be adequately covered. Cyber insurance is going to become mandatory.
The flip side is that a lot of our work comes from the non-insured. It tends to be the SME market that rings us who aren’t insured, who might only have 50 to a couple of hundred staff and the ransom payment might be £50k. These are the guys that during COVID (and before) couldn’t afford cyber insurance and have had to cancel it. More recently, we’re hearing clients saying they don’t see the value for money in cyber insurance because it’s just a policy, a piece of paper, and instead they want to invest that money in improving their security position. The reality is they need both, but it’s easy to say that when you’re not the person paying the bills. That said, we are seeing more and more companies adapting to the idea that cyber insurance needs to be mandatory and I’m a big advocate of that. I think cyber insurance should be mandatory in the same way that solicitors need professional indemnity insurance to practise law. I think it will be good news for everybody.
EV: Well, it would be amazing, definitely, but would people begrudge it if it was mandatory?
AR: Cyber risk is tricky. There is so much diversity in the market right now in terms of how insurers quantify that risk, and so many variables as to what sort of benchmarks they look at in terms of security, that I find it really difficult to see how it could be formally mandatory. That said, it’s almost mandatory by default in some industries because of contractual requirements, particularly for anyone working with a local authority or within the health service. It is now a tough market in terms of security prerequisites and things that are required in order to get insurance. So it’s tricky to see how that could be made mandatory until the market matures and becomes more accessible. Regulators are taking a much closer look at those supply chains and considering due diligence after cyber-incidents. Part of that due diligence process is asking a supplier whether they have cyber insurance in place.
EV: It depends who you speak to. Lawrence and Arran probably think the questions being asked are nowhere near good enough and are not asking the right questions. If you’re a business buying insurance, you would think it’s an absolute minefield to go through before you can even get there.
The insurers have had to standardise their question set because ultimately it’s not one size fits all. You have different insurers who specialise in different industries, but they need to capture as much information as they can without going too niche into one specific sector.
If you’re a manufacturing business, you might have an operational technology set of questions in addition to a ransomware form, in addition to the application form. So if you’re filling this out as a business, you’ve got potentially 30 pages of questions to complete. The problem is that a lot of those questions are closed-ended. For example: ‘Do you utilise MFA?’ Tick, yes, you do, but actually you’re only utilising it within email and not to access your backups. This becomes problematic when (and if) the claim is made and the insurer digs deeper and says ‘you only had MFA on authentication but you ticked yes.’
If they go any deeper with the questions being asked, it will make the insurance industry non-commercial because ultimately, the more information you get on a business’ security, the more you realise nothing is technically insurable because no security is ever 100%. To summarise, they’ve raised the bar as high as they can, any deeper and they’d price themselves out.
LPH: We work with one professional indemnity broker and we vulnerability scan all their clients. We give a risk register back to the insurer and client and, as long as they remediate all of their critical vulnerabilities, their insurance policy may remain in place. And then every time they do a renewal, we redo a scan. They see it as really valuable because they’re getting an actual technical good look through the company to see how risky they are to insure.
LPH: At the lower end of the SME bracket, we have seen a rise in considering the cyber retainer route, rather than the cyber insurance, in the hope of achieving maximum value for money. From an incident response perspective, it’s good for us when our clients are insured. Not just because it gives us confidence that the bill will get paid, but because we know there will be more parties involved, including a legal firm. It takes the weight away from us and people expecting us to also give legal advice and PR advice when in reality, we’re the techies that do forensics and cyber. As I say, we’re mainly seeing this cyber retainer preference from SMEs. The concern is that the cyber-threats are trickling all the way down to the small businesses. We had an incident with a small veterinary practice the other day. It was a ransomware attack, they had no backups, and they couldn’t afford the ransom. We tried to negotiate with the cyber-criminals but they weren’t budging. Without cyber insurance, they had no other options and are now out of business.
Recession or no recession, there’s an expectation that people do need cyber insurance. At the very minimum, they need the details of a lawyer, a PR firm and a forensics company, even if they’ll be picking up the bill. I do think we will recover from this and people will realise they do need to have insurance as well as a list of people to call in the event of a scenario.
AR: We naturally work very closely with insurers and other vendors that we’re liaising with on incidents, but that tends to be on a reactive basis. A huge opportunity for collaboration is to be more engaged at a much earlier stage in the process. We’re trying to get in at the broking stage to explain the measures that might make them a better prospect for insurers and to help them get their ducks in a row. I can’t count the number of times that we walk into that initial triage stage of an incident and ask ‘who do we need to be telling about this?’ and the answer is, ‘we don’t know, everything was on our computer systems that we now can’t access’. There is a huge opportunity for overlap between us on the legal side, the insurers and what they want their insured to be doing on the front end before they even submit that proposal form, with teams like Lawrence’s doing that vulnerability scanning, so that when we do get to the stage where they’re looking to take up cyber insurance, they’ve got a suite of information. It puts everyone in a better position.
EV: You can throw as much tech as you like at this problem, and technology will always help move us to the next stage of defence, but ultimately you need to address challenges head on with everyone in the same room, working together.
LPH: People need to do the desktop exercises to reduce risk. If you feed back to the insurers that last year’s premium was quite high but that over the year, you have revised the incident response plan, carried out desktop exercises and shown a willingness that you’re actually taking it seriously and being pragmatic, that willingness to improve will reduce the premiums so that everyone can afford insurance at the end of the day. These measures don’t need to be hugely costly. You can become acquainted with key people, store the right numbers on your phone, open dialogue with cyber lawyers. Perhaps sign an NDA so that framework is in place whenever needed.
EV: Before August this year, I would have said no, but we’re seeing examples of businesses that have put measures in place to improve on their security posture from the year before and have actively responded to vulnerabilities. When the insurer knows about this, the premium can be positively affected, bringing it down. So that’s a really good sign that it’s moving in the right direction.
AR: We’re doing a huge push on more face time and interaction with our clients. We want to get to know them on a face to face basis before we have to sit in a room with them having crisis talks. We don’t want to be a faceless phone number that’s sat in a policy somewhere.
EV: How nice for a business that is going through (potentially) the worst time of its business career to already know its response team and have confidence that the response team already has insight into the business. It’s so much warmer and instils confidence straight away, a pair of safe hands.
LPH: Even from a technical point of view, I echo that. Onboarding can be minimal, but there needs to be more of it. Do the infrastructure map of the network, get annual updates so that when that call comes in you can find which server has had an unknown IP attached to it, isolate it and then your response can go from hours of learning a network to minutes of doing an actual response. That quick onboarding and familiarisation is so powerful, allowing a quicker, cheaper, faster, more effective incident response.
EV: Insurance is reactionary and, to date, has been dealt with like every other line of insurance. But cyber is a risk that’s proactively trying to get into your business and actively take you down. The change needs to be proactive insurance, and that means using tools or better means of communication to be proactive in cyber. Insurers are raising the bar because you have to complete so much in terms of your security infrastructure before you can take out insurance.
LPH: I’d like to see the industry be a bit more awake to cyber. We’re still having to have the conversations convincing the board that this threat is real, and I’d like to see people realise the severity of incidents and what lasting damage it can have. We’ve been involved with so many incidents, even in companies with thousands of staff, where they’re frankly trying to sweep everything under the rug. It’s just not good enough. In a few years, I’d love to see people kicking into action quicker, ensuring a speedier response.
AR: I’m going to pick on insurers a little bit. I’d love to see a bit more consistency in the market because there’s so much diversity in the policies. If a client is filling out 30 pages of forms and getting quotes from a few insurers, it’s a huge burden. At the moment, every cyber insurance policy is completely different in terms of what it offers and what it covers. I’d love to see more consistency.
EV: That’s a really fair point. If, in two years, there’s a standardised format in which you can capture everything with open ended questions, that’s probably the best route forward.
So there you have it, the (articulate) musings of a responder, a lawyer and a broker.