Better Risk Assessment for Cyber Insurance: How Will We Get There?
Summary
TLDR
Eric Skinner from Trend Micro and Theresa Le, Chief Claims Officer at Cowbell Cyber, discuss the evolving cyber insurance market's approach to risk assessment amidst rising cyber threats. They highlight the importance of continuous assessment, the impact of ransomware, and the need for better security practices like EDR and MFA. The talk emphasizes the role of insurers in fostering security resilience and the potential for policy pricing to reflect an organization's risk management efforts.
Takeaways
- 😀 The cybersecurity landscape has been chaotic, with the cyber insurance market evolving to better assess risk in response to turbulent years.
- 🛡️ Eric Skinner from Trend Micro and Theresa Le from Cowbell Cyber discussed the importance of cybersecurity and how the insurance industry is adapting to foster better practices and risk mitigation.
- 📈 Cyber insurance has seen significant changes, including increased difficulty in obtaining policies and higher rates due to a rise in severe claims and ransomware incidents.
- 💡 The insurance industry has historically driven the adoption of safety measures, such as seatbelts and carbon monoxide detectors, and aims to do the same for cybersecurity practices.
- 📚 Theresa highlighted the limitations of traditional cyber insurance questionnaires in accurately assessing an organization's risk posture, emphasizing the need for more dynamic and continuous assessment methods.
- 🔒 Eric emphasized the importance of having proper security controls in place, such as EDR and MFA, noting that their absence can lead to immediate rejection by insurers.
- 📉 Despite an uptick in ransomware severity, there has been a momentary decline attributed to companies becoming more resilient with better incident response plans and backup strategies.
- 🤖 The use of AI, such as ChatGPT, is aiding attackers in creating more convincing phishing and BEC emails, making it increasingly difficult for employees to detect threats.
- 💻 Attack surface management is emerging as a key strategy for organizations to continuously discover and assess their assets, misconfigurations, and vulnerabilities, helping prioritize mitigation efforts.
- 🔑 Continuous assessment by cyber insurance providers, using telemetry from various sources, allows for more accurate risk evaluation and personalized policy offerings, potentially leading to better terms for policyholders.
- 🔮 Looking forward, the panel predicts that ransomware and extortion tactics will continue to evolve, emphasizing the need for ongoing vigilance, improved data science for threat detection, and the mainstream adoption of cybersecurity best practices.
Q & A
What is the main focus of the discussion between Eric Skinner and Theresa Le?
- The main focus of the discussion is the evolution of the cyber insurance market and how it is getting better at assessing risk in the context of a chaotic few years in cybersecurity.
What is Trend Micro's current focus in cybersecurity?
- Trend Micro is currently focusing on areas like Extended Detection and Response (XDR), attack surface management, and cloud security.
What is Cowbell Cyber and what role does Theresa Le hold there?
- Cowbell Cyber is a cyber insurance provider in the InsureTech space, and Theresa Le is the Chief Claims Officer at Cowbell Cyber.
How has the cyber insurance landscape changed in recent years?
- The cyber insurance landscape has changed significantly with increased claims due to severe breaches and ransomware attacks, leading to higher rates and more difficulty in obtaining cyber insurance.
Why is the insurance industry interested in promoting best practices and risk mitigation?
- The insurance industry is interested in promoting best practices and risk mitigation to foster adoption of safer measures, reduce the frequency and severity of claims, and maintain a sustainable business model.
What are some of the challenges faced by the cyber insurance industry in assessing risks?
- Some challenges include the dynamic nature of cyber risks, the outdated nature of questionnaires used for risk assessment, and the difficulty in capturing the real-time state of an organization's cybersecurity posture.
What is the impact of ransomware on small to medium-sized enterprises?
- Ransomware has a significant financial impact on small to medium-sized enterprises, with an average impact of half a million dollars to an organization.
How do attackers use AI and machine learning to improve their phishing and BEC attacks?
- Attackers use AI and machine learning tools like ChatGPT to write more convincing phishing and BEC emails in various languages, making it harder for employees to recognize these threats.
What is the significance of continuous assessment in the context of cyber insurance?
- Continuous assessment allows cyber insurance providers to collect real-time data on an organization's security posture, enabling more accurate risk assessment and the ability to offer tailored insurance products and services.
What are some of the emerging trends in the cyber insurance industry?
- Emerging trends include the use of data science for better risk assessment, continuous monitoring of policyholders' security posture, and a shift towards a more collaborative relationship between insurers and policyholders to improve cybersecurity practices.
What advice do Eric and Theresa give to organizations preparing for cyber insurance renewal or application?
- They advise organizations to start early, work closely with brokers and insurers to understand their requirements, and consider implementing attack surface management to get ahead of the assessment process.
Outlines
😀 Introduction and Cyber Insurance Market Overview
Eric Skinner from Trend Micro and Theresa Le from Cowbell Cyber introduce themselves and set the stage for a discussion on the evolving cyber insurance market. Eric highlights Trend Micro's focus on XDR, attack surface management, and cloud security, while Theresa shares her background in cyber insurance and legal expertise. They emphasize the importance of cyber insurance in fostering risk mitigation and best practices, drawing parallels with historical examples like boiler inspections and seatbelt usage. The session aims to cover the challenges in the cyber insurance industry, practical tips for better terms, and a look into the future of the market.
📈 The Impact of Cybercrime on Insurance Rates
Theresa and Eric delve into the financial impact of cybercrime, particularly ransomware, on organizations. They discuss how data breaches and cybercrime have become significant drivers of cyber insurance, noting the substantial financial and reputational damage they cause. Eric highlights the increase in attack frequency and the stabilization in severity, while also mentioning the resurgence of some attack groups. Theresa discusses the significant increase in insurance premiums and deductibles, attributing it to the rise in claims and the financial impact of cyber incidents. They also touch on the role of cyber insurance in requiring and promoting better security practices.
🔍 Challenges in Assessing Cyber Risks
Theresa and Eric discuss the challenges in accurately assessing cyber risks for insurance purposes. They highlight the limitations of traditional questionnaires used by insurers, which provide a static snapshot of an organization's security posture rather than a dynamic, real-time assessment. Eric shares anecdotes from incident response teams, illustrating how misconfigured security controls can lead to significant breaches despite the presence of basic security measures. Theresa emphasizes the need for insurers to evolve their risk assessment methods to better reflect the reality of an organization's cyber resilience.
📉 The Evolution of Cyber Insurance Questionnaires
Theresa and Eric explore the evolution of cyber insurance questionnaires, acknowledging their limitations and the need for a more dynamic approach to risk assessment. They discuss how insurers are beginning to ask more detailed questions about an organization's security controls and practices, but still face challenges in keeping up with the rapidly changing threat landscape. Eric emphasizes the need for continuous assessment and the potential for insurers to provide more value through proactive engagement with their policyholders.
💡 The Importance of Continuous Assessment in Cyber Insurance
Theresa and Eric discuss the concept of continuous assessment in cyber insurance, highlighting its potential to provide a more accurate and dynamic understanding of an organization's risk profile. They explain how insurers can collect telemetry data from various sources to inform underwriting decisions and help organizations identify and address security gaps. Theresa emphasizes the benefits of this approach, including the ability to benchmark organizations against their peers and provide tailored advice for risk mitigation.
🛡️ The Role of Attack Surface Management in Risk Assessment
Eric and Theresa explore the role of attack surface management in continuous risk assessment, explaining how it helps organizations discover and prioritize their assets and vulnerabilities. They discuss how this approach can provide real-time visibility into an organization's security posture, allowing for more proactive and effective risk management. Theresa also touches on the potential for insurers to use this data to offer more competitive pricing and better coverage based on an organization's actual risk.
💼 The Future of Cyber Insurance and Continuous Monitoring
Theresa and Eric conclude their discussion by looking into the future of cyber insurance, predicting that ransomware and extortion will continue to evolve and that phishing and business email compromise will remain significant threats. They emphasize the importance of continuous monitoring and assessment, suggesting that it will become more mainstream and valued as a partnership between insurers and policyholders. They also highlight the potential for insurers to provide additional value through risk engineering services and incident response support.
🤝 Closing Remarks and Call for Audience Engagement
In their closing remarks, Eric and Theresa thank the audience for their participation and invite them to engage in a Q&A session. They reflect on the importance of the topics discussed and encourage attendees to consider the insights shared as they prepare for their cyber insurance renewals or applications. The session ends on a positive note, with an emphasis on the value of continuous learning and adaptation in the face of evolving cyber threats.
Keywords
💡Cyber Insurance
💡Risk Assessment
💡Cybersecurity
💡Attack Surface Management
💡Ransomware
💡Data Breaches
💡Incident Response
💡Phishing
💡Business Email Compromise (BEC)
💡Continuous Assessment
💡Risk Engineers
Highlights
Cyber insurance market is improving in risk assessment after a chaotic few years.
Trend Micro's focus on XDR, attack surface management, and cloud security.
Theresa Le's background as a Chief Claims Officer at Cowbell Cyber and her experience in cyber insurance.
Historical context of insurance industry's role in fostering safety standards, like boiler inspections and seatbelt usage.
Cyber insurance's potential to influence mainstream adoption of cybersecurity best practices.
The shift in the cyber insurance landscape from 2019 to 2021, with increased claims and premium rates.
Ransomware's significant financial impact on organizations, even for small to medium-sized enterprises.
The importance of continuous monitoring and improvement in cybersecurity measures.
The challenges in the dynamic cyber threat environment and the need for rapid response.
The role of AI in enhancing phishing and BEC email effectiveness for attackers.
The significant increase in loss ratio between 2018 and 2021 in the cyber incident realm.
The stabilization of cyber insurance rates post-2021 and the importance of risk assessment.
The limitations of traditional cyber insurance questionnaires in accurately assessing risk.
The need for insurers to adapt to the evolving risk landscape and the importance of continuous risk assessment.
The emergence of attack surface management as a key strategy for continuous risk assessment and mitigation.
Cyber insurance's new approach involving in-house cybersecurity experts and risk engineers to guide policyholders.
The future of cyber insurance with predictions of continuous evolution in ransomware and the importance of proactive security measures.
Transcripts
- [Eric] Hey everybody. Thanks for coming.
It's really nice to be in front of big audiences again.
After a few years,
Theresa and I are gonna talk about
how the cyber insurance market
is getting better at assessing risk
because it's been a chaotic few years.
So I'm Eric Skinner. I'm from Trend Micro.
Trend Micro is a longtime security vendor,
currently huge focus in areas like XDR
and attack surface management and cloud security.
And I've been in cybersecurity for about 25 years.
My first RSA was the year 2000,
so I guess I'm showing my age
and I've had the pleasure
of working with Theresa.
- [Theresa] Hi everyone.
It's nice to be here and see all of you
and spend some time this afternoon together.
My name is Theresa Le.
I'm the Chief Claims Officer at Cowbell Cyber.
So we're a cyber insurance provider in InsureTech.
And before this I was also a VP at Swiss Re,
which is a cyber reinsurer and XXL also.
So I've been in cyber insurance.
And then also I should say
that I'm a recovering coverage attorney.
So represented cyber insurers for over a decade,
the first part of my career,
trying to keep them out of trouble.
And so we can just get started, I think, right?
- [Eric] Let's do it. - [Theresa] Okay.
So because I'm the lawyer in the room,
this is the disclaimer you guys have seen,
please read it and remember it and abide by it, Lala.
(both chuckling)
And so why are we talking about cyber insurance today?
Especially with respect to cybersecurity.
And you'll see in this picture,
it's a boiler that blew up.
And in the 1800s,
this is just to depict that sometimes
there needs to be an industry,
an insurance, you know, it's type of, you know,
it's not that interesting,
but it did have some very influential ways
to foster adoption.
And so best practices, better practices,
risk mitigation is oftentimes forwarded
by the insurance industry.
So when the boilers were blowing up
and causing lots of property and bodily injury damage,
Hartford Steam and Boiler,
they said we should do inspections.
And that's one way that we can mitigate against loss.
I think the, and then more recently, I mean,
everybody in this room seems too young to remember
the days that we didn't have to wear seatbelts,
but the auto insurance industry, yes, you are.
Now, it's not even that controversial.
You just get in the car, you put on your seatbelt,
but it was the auto insurance industry that really forwarded
that adoption of a better practice
to mitigate against bodily injury.
So if you wear your seatbelt,
then you as a condition to getting auto coverage
if you get hurt.
And then more recently, carbon monoxide detectors,
sprinklers, things that are now part of the building code,
but they were forwarded by the insurance industry.
So just kind of a signal towards, you know,
maybe there'll be another circle here, 2020 something.
The cyber insurance industry was how X, Y,
and Z got adopted mainstream.
That would be good.
And so today we hope to cover some things in our agenda,
really to have a little look back.
And in cyber insurance,
which is a relatively new line of insurance,
looking back really means five years.
It's shifted a lot,
but we'll see what the challenges were in recent memory,
how risks have been assessed historically
in the past few years and where we're going with that.
And then we'll give you some practical tips and things
to how you may get better terms for cyber insurance
and what the future holds.
I think I'll show you my insurance crystal ball later.
So let's talk about some of the challenges that we've seen.
Again, I mentioned that it's a space
that's shifted quite a lot recently.
So in 2019, just, you know,
four or five years ago, the claims were relatively low.
This is also pre pandemic.
So the, the policies were relatively easy to get.
There was expansive coverage,
not too much you needed to do
to even get high limits on cyber insurance.
In the next two years,
yes, we had the pandemic,
the attack surface increased quite a bit,
but also claims case started to come in
very severe claims, lots of breaches.
Ransomware really got its, you know, traction here.
And then as procurers of cyber insurance,
you may have seen the rates go up quite remarkably.
So I'll go through that adjustment later on
in the presentation.
But there was also a challenge in getting cyber insurance.
So even if you had what used to be relatively good controls
and were seen as a good risk,
the cyber insurance industry was having a different look,
a different approach,
and then you might not have had that much success
even getting cyber insurance.
And we'll go into a little bit more of the future
of what that looks like.
There is some good news, hopefully.
One of the drivers of cyber insurance
is obviously data breaches, cybercrime and ransomware.
And ransomware, I just put this up here.
NetDiligence did a survey and it's no surprise
that a ransomware event is very financially impactful
to an organization.
And in recent times, even, you know,
small to medium size enterprises.
So the mom and pops up to $2 billion in annual revenue.
Even that space that did not used to be a focus
for the threat actors now is,
and it's quite impactful with an average of
half a million dollars impact to an organization.
And then the other impacts to, you know,
reputational, business interruption,
other things that are quantified,
but also we often hear from the SME policy holders that,
but for the support of the cyber insurance policy,
it would be very difficult
if at all possible to get through a cyber event
such as a ransomware.
Hand it over to Eric.
- [Eric] Yeah, so let's talk,
let's talk a little bit about some of the dynamic
in this environments
because for customers as well as for insurers,
the last few years have been pretty turbulent
and for cybersecurity vendors as well with respect
to the way attackers have been behaving
and the way environments have been changing for customers.
So let's have a brief look at what Trend and Cowbell
are seeing with respect to the dynamics
in the ransomware space and some of the other threats
that result in some of these high claims.
So at a high level,
what we've seen is that the frequency has been increasing
on these kinds of ransomware attacks.
The severity has been mostly stabilizing,
but we'll touch on this a bit later.
There was a little bit of an uptick in late 2022
and into Q1.
Some of the attack groups are having a little bit
of a resurgence.
There's been a lot of growth in exfiltration behavior.
Some of the attack groups got a little bit too much heat
for some of the destructive stuff they were doing.
And in order to take some of the pressure off themselves
and for a variety of other reasons
as well as just being able to exert more pressure,
even if people had good backups,
they've pivoted into doing a lot of data exfiltration.
The speed is intensifying.
So attackers are able to move a lot more quickly through
your organization and that means that organizations
have less time to react.
And at the same time, when people are paying ransoms,
they are funding these attack groups.
And I think we're all interested in seeing
the attackers get less money, right?
When the attackers do get money,
they're subsidizing attacks against
a further six to 10 victims according
to some data science work that Trend was doing.
And then when we look at BEC, this is,
it doesn't get as much attention as ransomware
and yet it it's a pretty substantial cause of claims.
And historically that's been, hey,
pay this fake invoice and using various pressure tactics
and social engineering tactics to get invoices paid.
And a few strategies are evolving there
because of course organizations
are implementing more process around this.
So we've noticed that attackers are now leveraging
other social engineering and phishing
to take control of a legit account
and then send the BEC emails from
an internal valid account
and that avoids certain legacy email controls,
a gateway controls, things like that.
And it's of course more credible, it's more effective,
but they're also using strategies,
avoiding the finance team altogether.
And they're, for example,
making a request for confidential data that look like
they're coming from an executive.
And then the employee provides tons of confidential data
and the attack returns right around
and tries to extort the company for
otherwise they're gonna leak that data.
So it's really hard for employees to recognize this.
For example, I know everyone's talking about AI,
who's sick and tired of hearing about AI yet?
Yeah, okay.
I'm kind of like half putting my hand up,
but one thing we have seen is that ChatGPT is helping
the attackers write better phishing emails,
write better BEC emails.
I was in Finland a few weeks ago,
our team there said, yeah, you know,
the attackers used to do a terrible job of writing phishing
emails in Finnish because Finnish is a really hard language,
but ChatGPT does perfect Finnish for example, right?
So it is hard for employees to recognize these things.
So this has an impact on losses.
- [Theresa] So the cybercrime is one of the top three types
of cyber claims that have been coming in,
but there was a lot,
there's been a lot of loss in the cyber incident realm.
And so just this depicts that there's,
between 2018 and 2021,
there was a doubling of the loss ratio
and that's quite severe.
So there are lots of claims were coming in,
the premium wasn't keeping up.
You'll see between 2020 and 21,
just within that year there was a doubling of premium.
So you might have felt that as you were working
with your brokers and thinking,
why did cyber insurance get so expensive?
Why did my rates double?
And that's why, there was a historic, you know,
in that time, severe claims that came in.
So to sustain us all,
that's what happened with the rates.
Another depiction here is quarter over quarter,
that time period that we saw remarkable increases
in the cost quite painful.
Like acknowledge that at the same time the deductibles
and retentions, what policy holders were paying
out of pocket before the insurance
that was even triggered was also going up
if the premium wasn't enough.
And then of course the difficulty in getting cyber insurance
at the same time because claims were coming in
and a recognition that cyber incidents
were financially impactful as well as having other impacts
to your reputation and ability to do business
or be competitive that lots of contracts
were requiring cyber insurance to make sure
that if I do business with you,
if I trade with you that I provide your, you know,
you with my data, with my customers data,
that you have a financial mechanism to transfer that risk.
So contractually cyber insurance was becoming more of
a requirement and to be competitive.
After the last quarter of 2021,
the rates did stabilize a little bit.
They're still increasing but not
at as the rates that historically we saw.
So they are going down in the sense that
they're not increasing as much.
- [Eric] And 28% year over year
is still pretty painful. Right?
So we all have to, we all have to do better and
that's what we're gonna talk about.
- [Theresa] Yeah.
So we recognize this in the cyber insurance industry
and would, you know,
have taken on a different approach
to try to help policyholders and
the space in general to still get coverage.
But how we do that is to properly assess the risk
so that we can be prepared for those claims
and for the impact.
- [Eric] Yeah, so at the end of the day,
insurers have to measure risk, right?
And we're gonna talk a little bit
about how a risk is getting measured now.
And I'm going to pull in some stories from Trend's
incident response teams to sort of contrast
the risk measurements with the risk reality.
How many people in the room, by the way, have,
or their companies have cyber insurance?
I'm just curious.
Wow. Look at that.
Right? Okay.
So yeah, really depends on the country,
but in the US a lot of organizations do.
So you're feeling this pain, cool, so,
well it's not cool that you're feeling the pain,
but it's, you understand.
So I don't like the pain.
Yeah. So how many people know this podcast Risky Business?
Some of you? Yeah.
Okay. It's a really cool podcast.
A guy in Australia, Patrick Gray hosts the podcast,
very technical, but they did have a conversation.
This is a little while ago,
but the point is still valid, right?
He was joking at the time, but he said, Hey,
you know, like the cyber insurance business right now,
it's a mess because if you set up your actuarial table
and the risk equals 100%,
you probably don't wanna offer insurance for that.
But that's exactly the situation that
the insurers were in a few years ago,
is no ability to figure out who is more at risk
than other people.
And that's why rates and deductibles and everything go up
because just like all of our businesses,
insurance companies like to make money, I've heard.
- [Theresa] Yeah, we do. - [Eric] Yeah, exactly.
So we know how life insurance works and insurance companies
have got really good at measuring risk and life insurance
for a long, long time.
And they've developed a very good data models.
And these data models don't have to change every few weeks
the way they do in cyber.
But you know, they do questionnaires, they do medical tests,
they ask a lot about your family history and oh, okay,
you've got family history of cancer or you're a smoker,
your risk is higher and they have a pretty good measure of
your risk by doing that kind of basic thing.
Well in cyber, they have been asking a lot of questions.
Who's filled out one of these
cyber insurance questionnaires personally?
Yeah, exactly right.
And these questionnaires have been evolving,
but they happen once a year and like,
let's talk about these questionnaires.
- [Theresa] I'm sorry.
We know it's a burden and this questionnaires from a few
years ago and we've been trying to develop
the application process to be more streamlined.
We do have an approach,
I think it will work, but this is just to,
this is to display that even the questionnaire, just like,
as Eric mentioned, it's not an ideal,
it's not optimal for a cyber risk.
And here you see that, you know,
it's asking about endpoint detection,
which is completely valid, but you know, doesn't,
I don't know if you see it,
but it doesn't go as far as well
if you get an alert who's monitoring that?
What's the action?
So just to have it,
doesn't necessarily give us insight into
the cyber resiliency or controls
that are actually being followed by the organization.
And so we've worked to improve the questionnaire,
the application process,
also recognizing that it is a snapshot of that risk manager
or financial persons understanding
at the time that they signed it.
And then of course, you know,
it's one day out of the 12 month policy period,
that that information is true to the best
of their knowledge of the person signing.
But what's going on the 364 other days of the year where
that organization's cyber posture and architecture
and other things and vulnerabilities,
everything else is shifting around, changing.
How do we capture that as a cyber insurer in order
to provide the best service, the best product, to keep up,
to make sure that we're properly assessing the exposure,
questionnaires aren't perfect, we recognize that.
And then also, is it really fair to then decline
an organization because the questionnaire wasn't filled out
in a way that, you know,
that we were comfortable underwriting to that risk.
They could improve and we could take another look,
but what have they improved during the year?
Should we not incentivize adoption
of better control so that it's not just at renewal
that we take an assessment.
So a lot could change in a year also, I just,
because the calendar's up there,
I would be remiss if I didn't mention that
when you are preparing for renewal of your insurance program
to start early,
because if you're starting 90 days out or 120 days out,
you'll have the opportunity to then adopt some measures
and then when the application comes in,
you'll be able to show that you're a better risk.
But if you start too close to that deadline
as we tend to do,
you may not have time and there's an impact
on the terms in that regard.
So that was just my plug to start early if you can,
on cyber insurance renewals.
- [Eric] Totally agree.
So really want to explore some of the cases
that we have seen in incident response
that teach us an important lesson
about some of the challenges with the way cyber insurers
have to assess risk.
So we have an insurance, sorry,
we have an incident response team.
We do not have an insurance team,
but we have an incident response team that helps customers
and also other organizations
that get into serious trouble.
And I'm just gonna tell you two stories.
They're anonymized of course,
where it really points to some of the challenges
with respect to insurers asking the right questions
and not having enough detail.
And I tried to pick some reasonably representative ones,
but still perhaps with a little bit of diversity to them.
So here's a situation where a customer had a server
that was internet facing,
but because they'd misconfigured now
so they didn't realize the server was missed,
was internet facing.
And also because it wasn't internet facing,
they thought well, you know, maybe,
maybe we don't need to have active
or properly configured MFA on that server.
And then they did have EDR but they were not monitoring it
and they weren't monitoring the logging.
So there was a massive brute force attack
against that external facing server.
There were thousands and thousands and thousands
of password attempts against the RDP server
that nobody noticed,
even though alerts were being generated.
And I wanna pause for a second.
I'm in no way, you know,
trying to blame customers for this.
We're gonna talk about the evolution and how vendors
and insurers and everybody has to do better
in these kinds of circumstances.
We do a lot in our product team to learn
from these incidents to figure out
how we can better protect customers
and not all these products are trend products.
You can recognize these situations anywhere, right?
So behavioral detection, misconfigured, not running,
you know, various other types of configurations.
So the controls were present but they were not configured
in a way that was going to catch these attackers.
And that is very typical of things
that end up in incident response.
And they could truthfully answer yes to all the questions on
their insurance form about these controls
and the insurance company would not have
any awareness of these misconfigurations.
So that's one example.
- [Theresa] You might wonder would this have been covered?
And yes it would because again,
things will happen even if the questionnaire was truthful,
even if you have controls and these things get missed.
But again,
to to not cause anyone to be defensive for anything.
And we recognize that this is something we need to address
as an interest with the cybersecurity industry as well.
Like's the insurance industry
'cause they are costly to address.
- [Eric] Yeah, mistakes get made, right?
and they're gonna keep on getting made
and it's all of our jobs as defenders and vendors
to try to control those.
Here's an interesting one.
So the employee receives a phishing email,
all that phishing training worked.
He read the email and he said, "Hmm, this looks suspicious,
I better send it to IT."
IT read the email and clicked the link
and infected the network.
(Theresa laughing)
And yeah, we all laugh and it's like,
think about could that happen to me, right?
So they had a legacy email gateway, right?
The more modern approaches to plug in to Office 365 directly
because then you can see internal emails
and things like that.
But they did not have those kinds of controls and
the IT employee opened the link and didn't notice
the suspicious activity and the attacker was able
to move laterally in the environment
because they had some misconfigurations
in their EDR deployment and they had
some incomplete coverage.
So they had various assets in the organization
that had no security controls on them
and the attacker was able to obviously use those
for various forms of privilege, elevation and so on.
This is a very typical story
and the EDR was not regularly monitored.
So where there was EDR detection,
it was not actioned in a prompt way.
Some customers, some organizations have got
into the habit of, you know,
because they're stress teams, right?
Oh wow. You know, weekends, evenings, et cetera.
Small teams,
they're not at the cadence yet of the attackers
and who wants to be monitoring EDR alerts
at three in the morning on Saturday, right?
We'll talk about where that has to go.
But this is another example where, hey,
they're doing all the right things superficially and
insurance would've said, sounds good, here's your policy.
And that's how we got into the trouble
of these policies resulting in big claims.
So when we zoom out a little bit
and we look at Trend IR data over a longer period of time,
I really get interested in these conversations.
I ask 'em like, hey, how do these attacks start?
And the first time I asked 'em this,
I was kind of surprised to hear the answer.
Oh it's really only two things.
So it was really only two things.
Like half of it's phishing,
half of it is exploitation of unknown
or misconfigured internet facing assets.
And then the trouble flows from there, right?
Phishing and other kinds of social engineering, right?
But broadly, and then when we did
a little bit more digging, right,
35% of the cases there were alerts but they were missed
or they weren't acted on promptly.
72% of the time security controls were there,
but they were misconfigured.
We had a situation for example,
where a customer had a different EPP product, not Trend's,
but this could happen with any product.
They had misconfigured an exclusion and .*
was excluded in the EPP and that's wrong.
So the EPP was not looking at any files, for example,
39% of cases the security controls were present
but they were outta date, right?
They were using old versions of software and so on.
So these are things that are typically not visible
on insurance forms.
So there is a way to do this better
and we're gonna peer into that right now.
- [Theresa] Yeah.
And one of the things that just pains us as a group I think
is when these cyber incidents,
whether it's social engineering, monetization of a breach,
ransomware, the money, the resources of your,
you know, your premium and that the policy resources,
they're going to be funneled into these threat actor groups.
And so the ransom payments,
we did an analysis of the ransomware payments and
there was a dip between 2021 and 2022, which is good news.
I would asterisk that and that's the last point
that there's been a rebound at
the end of last year and the first quarter
has seen an uptick in ransomware severity.
We can attribute the momentary decline
on some geopolitical things that were happening
at the beginning of 2022.
But also we think that the decline in the last year
between 2021 and 22 was due to a variety of factors.
And I just wanted to point those out
because it does give some insight into things
that are happening that could improve this situation.
For instance, more companies now are being more resilient.
So they have strategies in place of incident response plans,
business continuity,
a lot of these things the insurance industry is pushing,
these are you know,
value add free resources that will help an organization
be more resilient in the face of a cyber event.
But in particular ransomware,
we particularly focus on the backup situation.
So making sure that if they are hit with ransom,
where there's a viable backup strategy there
as well as other controls that could be in place
that we hope and that we see have had an impact
on the amount of ransom, when there is a ransomware event
that the amount of ransom is declining
or the instances where ransom has to be paid
as a last resort, there's no other option available.
Good option, that is decreasing.
- [Eric] Yeah and I've talked to several insurers
and several other cybersecurity vendors
and everyone agrees, yeah there is an uptick happening now
in the ransomware success and that's
because attackers adapt and they've also regrouped
they were disrupted in various ways.
But now they're finding new things to do
that will be effective.
And so yeah,
we can't pat ourselves on the back yet.
- [Theresa] It is concerning because
even with the backup strategies in place,
we can have double extortion.
It's the suppression of data or the,
you know, you'll see the threat actors say, fine,
you don't need the crypto,
but I'm still gonna ask you for a million dollars,
otherwise I will publish your secrets.
Or there could be even triple extortion too when they go
and actually calling family members and customers
and clients of that organization and really basically
embarrassing them that they don't have good controls.
And so there's a lot more ways to exert pressure
on an organization to pay the ransom
even if the decryptor is not the primary need
for that transaction.
So it is concerning they're getting just more tricky.
And so the questionnaires have improved.
So I just wanted to show an example
of a more recent application
and you'll see that because phishing
is such a key gateway to an organization's infrastructure
that we have focused on, you know,
let's go a little bit more in detail.
So is an organization conducting phishing training
and how often and if there's a failure rate,
are those individuals being retrained?
So things like that where
we can really improve the questionnaire.
That being said,
it's still an imperfect process in many people's opinion
just because it's not as accurate a depiction
of the real state of affairs.
- [Eric] Yeah and even if they're starting
to ask better questions, which they are,
there's constantly new TTPs, right?
The attackers are doing new things and the questionnaires
are outta date almost instantly, right?
So actually if we go back to that one for just a second.
Great. So they used to say, what email security do you have?
And that was about it, right?
And it turns out that even asking what vendor you have
isn't necessarily indicative of your risk
'cause you can misconfigure any vendor, right?
But now they're asking a bunch of questions, that's great,
but they're still not, for example asking, well, okay,
does your email security have visibility to internal emails?
Because that's a new tactic.
Well that questionnaire is six months old so, right?
Or maybe a year old.
So it's really hard for these questions to keep up.
And the other thing is they're really painful, right?
They're getting longer now they ask more questions.
Do you want to answer more questions? No, you do not.
- [Theresa] The page is long
and then we're not going to be sending them out
every month just to get more current information.
- [Eric] I saw one form that was 35 pages long.
- [Theresa] Not us, but yeah.
- [Eric] I know, right?
So there is a better way
and we're gonna talk a bit about some of the stuff
that's going on that is helping.
So, and it's really,
there's kind of an echo that something we can relate to.
Perhaps some of you in the room do this,
although I think we're all cyber security people
so we might shy away from this particular thing,
but some of the car insurance providers will give you
a discount if you run their app or you plug in this device
into your OBD port and it will monitor your driving
continuously and then they get a better picture
of correlation of driving habits to claims.
So if you're driving crazy and braking heavily
and speeding all the time,
they can understand that and they can rate your policy
a little bit differently.
So that has been going on for a little while and there is
a similar approach to that continuous assessment
that's happening in two ways that are kind of converging.
So Theresa and I are gonna talk about that.
So the first thing that's going on
inside organizations themselves,
and you've been hearing about this,
it's a space that's been sort of emerging
and getting a little bit higher profile in the last year.
Some analysts call it different things of course
'cause they all have to have their own acronyms.
But attack surface management is a market category
that broadly is about discovering your assets.
So you know, finding those internet facing assets,
finding the misconfigurations, finding so on,
assessing the risk across that and then prioritizing
for security teams the relevant mitigations.
So it's kinda like,
hey, what are the top five things that you
or team should be focusing on today
based on broad visibility?
And that's something that organizations
can obviously do for non-insurance reasons,
'cause it really helps you keep attackers out in general,
but also can be done before insurance applications.
You can get into a cadence.
And then the other thing that's going on is cyber insurance
is also doing continuous assessment in a few cases.
So some cyber vendors are starting to do
this more continuous assessment approach where
they're pulling telemetry on your security controls
and then understanding those controls and doing
data modeling and data science to understand the risk
and have an opportunity to engage
with the customer much more often.
So let's start with that last one, the cyber insurance.
Tell us about it.
- [Theresa] Sure, sure.
So this is exciting and sorry,
the middle diagram is a bit small,
but I can talk through it and I have it large
on the next one, so don't strain your eyes.
But part of the challenge
as we've talked about is that application process is just,
it's a static data point,
just that one moment in time where it's signed
and the risk manager or whomever,
maybe not even the cyber security team
is providing information,
but that is an imperfect way to underwrite,
to risk a risk that's dynamic,
that's shifting, that has many risk signals
and requires a more in-depth risk assessment.
So the automated continuous collection of telemetry
in the cyber insurance space is what Cowbell
and other insurtechs have been starting to do.
And we've done it for a while,
is to collect data points from various many sources.
So it's not just
the one source of the risk manager providing
that questionnaire, it's scanners,
it's third party databases, it's technographics,
firmographics,
anywhere we can grab data from on that organization.
And this is the outside in.
We also have live connectors through APIs that will provide
us inside out data behind the firewall,
which is extremely valuable, extremely insightful.
And that is going into the machine too.
And then these data-driven immediate types of input
can really inform the underwriting decisions,
the data selection, the creation and adaption
of an insurance product that works for that organization,
their particular risk and exposures.
Also, we can incentivize that organization by,
I'll go into it a little bit later by subjectivity.
So if they're not doing so well in a particular area,
we can help them identify that security gap
and help them get better.
And they are our customer.
So the goal of being resilient to claims is the same.
And so there's a good partnership there
that we see an opportunity with policy holders.
One of the really interesting aspects
of how the cyber insurance,
especially those that follow
this continuous assessment model,
is that we can benchmark how organizations
are doing relative to their peers.
This is important because if you look from the perspective
of perhaps a threat actor that's focused on healthcare
and that industry in particular,
and they're thinking that's a rich data source,
so there's a lot of money there
or whatever it is that's attractive,
how would our policy holder or prospective policy holder
rank relative to the peers in that industry?
So it has to be a more granular analysis and focus
and so benchmarking how
a particular prospective policy holder's doing
relative to their peers can then
in turn provide better pricing
or more relative pricing to that actual risk.
But also we can help them by saying, look,
your peers are doing X, Y,
and Z that's why maybe they have
a different premium rate than you.
And we can help with that.
The point here is that if you're doing very well,
if you're doing better than
your industry partners or industry colleagues
and that benchmark and that's that blue kind of line.
And then we also break it down so that it's not just
are you susceptible to a cyber incident but you know,
how are you doing on compliance?
How are you doing on supply chain?
There's different factors that feed
into the overall risk pricing, data science of it.
So there's cloud security, endpoint security,
dark intelligence, funds transfer,
different ways that we can analyze those thousands
of data points into some clear benchmarking and ranking.
And then the idea is that if you are better,
if you are doing better, if you have better controls,
if you're more resilient than your peers,
then you should get better pricing than your peers.
If you're not doing so well then your insurance coverage
because your risk here perhaps is going to be higher.
And then if you're in the middle, you know,
there's some things that you could do better on.
And so this particular profile,
this organization's not doing too well
on the funds transfer.
So they're susceptible more than their peers at 65
and the industry benchmark is 75
that we help them focus on that particular function
in their organization.
So maybe that is training,
maybe that's the financial department
that needs some best practices guidance.
The subjectivities that middle,
so they could be doing better.
We're not going to decline them
as compared to a few years ago.
But how can we help that organization do X, Y, and Z
and then get better rates,
but we're still gonna take them on
as a policy holder as a customer.
And this is where it gets interesting
'cause we really do see that organizations
are taking the guidance of cyber insurers
because now we have this financial incentive that they can,
most often the security team can go to their C-suite
or the whoever holds the purse strings and say, look,
are cyber insurers recommending that we do A, B and C?
And if we do that we're gonna get, you know, better terms,
we're gonna get higher limits,
we're gonna get a reduction in our premium perhaps.
But this is the driving of adoption of better practices
of security controls that might otherwise take longer
to kind of get there.
So the subjectivities,
and if we do recognize that the smaller to medium size
enterprises have challenges
in the cybersecurity departments,
so maybe not as robust and underfunded
and very tired cybersecurity professionals.
And so a lot of cyber insurers are now also taking
the approach of having in-house cybersecurity experts,
risk engineers that then can get on calls with organizations
with their customers and say, look, if you don't, you know,
we recognize you haven't patched or we can,
we're monitoring you,
we know that you've maybe missed a few updates,
let's get that taken care of.
Or we see that you had a subjectivity,
so that might mean your ransomware limit is, you know,
$500,000 perhaps,
but would you like to have it increased to the full
$2 million limits with no increase in premium?
By the way, how you get there is, you know,
let's make sure you have MFA on everything.
Let's make sure your RDPs are protected
and take a look if you really need them open.
Things like that.
So the cyber insurance industry
has provided these value adds to the piece of paper
that historically was, you know, you get your policy,
you put it in a drawer, you cross your fingers,
make sure you don't, you know,
hope you don't get a cyber incident.
Now it's a more constant engagement.
And that's a necessity because
the threats are constantly changing too.
So something could happen this afternoon
and I would like my risk engineers to reach out
to that particular policy holder population
that's vulnerable and let them know, be vigilant,
take note up.
You know, these are some steps
that you can take to mitigate.
So we've seen, you know,
some of your colleagues in this space experience
this type of vulnerability being exploited,
perhaps used to do A, B and C.
So it's almost like an outside,
you know, valued partnership that really is impactful
to driving better practices inside.
- [Eric] Yeah and then what I've seen
is a fascinating parallel development
of this other technology attack surface management
that's really aiming to solve
this same continuous assessment problem, right?
So I've become a really big believer
in the value of continuous assessment,
not only for insurance where things are changing so often,
but inside the organization there's all kinds of reasons
to do it, including people
who are doing zero trust projects, for example,
where you want to understand the risk of any particular
asset at any particular time
when they're making a connection.
But more broadly,
customers being able to be more proactive security teams
getting better visibility about what they need to do today
compared to the list of thousands
of other things they could be doing.
So again, this is a market category,
there's a bunch of different vendors doing it.
There's a bunch of different vendors showing you sort of
risk scores and visibility, Trend and a bunch of other people.
So I'm generalizing here.
The idea is that you're trying to first of all
discover the assets in the organization.
There was an early focus to find, you know,
servers and and laptops and things like that.
But now it's like what applications are in the mix?
What SaaS applications are there?
What kinds of AWS services are in use
and where is the data?
What identities are in the environment and so on.
The first step is just finding what they are
and where they are, the work from home employees,
because we've seen some incidents, right,
where threat actors were able to get into an organization
by compromising somebody's home computer.
But after you do that discovery,
the value comes from this risk assessment
and the goal there is to weigh all kinds of factors
that get collected across that inventory
with respect to where they are
on the network, criticality, who's using them?
Is it the CEO's laptop, is it my laptop?
Is it internet facing?
Is it in the DMZ? What's the story?
What controls are present, how they're configured?
Basically everything you can collect about it.
And you can also build an asset graph
and you can understand what the data flows are.
So which people talk to,
which assets in various different ways
and that leads to the ability
which is constantly refined, right?
So none of these solutions are gonna be perfect
at telling you here's your worst risk
or giving you the right number on your risk score.
But things do bubble to the top of the list.
And that's the idea.
It's kind of like, hey,
for the wide array of things in your organization,
there's always gonna be misconfigurations,
there's always gonna be vulnerabilities and so on.
There is a limited team size.
So what are the five things
that you should focus on today based on
as accurate an assessment as can be made
by one of these tools to say, okay, well yeah, you know,
that vulnerable server that's internet facing,
that's a highly exploited vulnerability right now
that's probably one of your top tasks or hey,
there's a lot of misconfigurations,
but your domain controller in the bottom left
of the picture there.
Yeah, maybe you should fix that one first, right?
Trying to prioritize based on what the vendor knows about
how attackers behave, how they exploit certain TTPs.
And then the next level is trying to get predictive to say,
well okay,
we expect that the attackers are gonna do these other things
next and that can influence the weighting of these graphs.
So this is helping, right?
We're gonna talk a little bit about how organizations accept
these kinds of controls.
For attack surface management,
they're not that intrusive, right?
So the idea of simply getting better visibility
across your environment, is it helping,
I think the concern early on is it just gonna generate
more noise or is it actually gonna help?
And the experience so far in talking to our own customers
but also other vendors and analysts in this space is, yeah,
you know, the prioritization is helping, it's not perfect,
but it is guiding people towards getting
into a more proactive posture
and focusing on the most important things
versus dumping lists from all kinds
of different security controls
and then trying to figure it out from there,
even inside those silos, right?
Like the vulnerability assessment vendors
that got really good at telling you, okay,
here's priorities on your vulnerabilities.
But some of those vendors are also doing
attack surface management 'cause they're saying, yeah,
the more we know about what else is in the environment
and what the other controls are,
we can actually prioritize better.
So very, very valuable
and it also helps prioritize detections.
So if you're using EDR or XDR and the XDR product
is able to understand more about the risk levels
and the asset criticality and so on,
it can actually prioritize detections in part based on
that asset criticality.
So it can say, oh yeah,
well this is an external facing asset that's involved
in this particular detection, therefore bubble it up higher.
So those things working together is very, very effective.
How about customers when you're talking to them
about plugging in their security controls
into the insurance company, how do they react to that?
- [Theresa] Well, there was a little bit of resistance
at first because it's a new approach for sure,
but it's been adopted and welcomed.
The main reason why I think is because it does create
a more accurate picture of that organization's risk
and vulnerabilities.
And not just that,
but because we're helping them to then address it, right?
So we're providing guidance as well.
I think, you know,
it's important to say that the rates have an ability
to come down if you're a better risk.
And so that's also incentivizing it
and part of that welcoming in
of the insurance partner to help them to lower rates.
And this also obviously has an impact,
greater impact because we're getting better data
and with that better data,
we're able to then tailor the product
to focus on the actual risk to make sure that
the policy holder when they do have a cyber incident
that it's the right coverage.
So, but just, you know,
don't take my words and I don't (indistinct) for it.
We do see,
we've been monitoring and part of the continuous assessment
that we do during the policy period,
we do see that organizations throughout,
just like the one year policy period will have a 9%
improvement on their security posture just by becoming
an insurance policy holder.
They also have lower claims rate so that, you know,
is music to my ears than the industry average.
So this continuous assessment,
because we have rich claims data, so no claims goes to risk,
goes to waste even, you know, with a low claims rate.
There's rich data in that instance
that we can then provide insights to the greater population.
So if we see something going on, we will advise,
we'll send alerts out,
we'll have our risk engineers reach out to policy holders so
that the ones that don't have a claim can be better
protected so they don't become one of the ones
that do have a claim.
And then also just with the value add.
So we recognize that that pricing has increased of course,
but the different resources that I mentioned
that are part of the cyber insurance program now,
the risk engineering services,
the referral to vendors that we know are impactful and
efficient that we've negotiated preferable rates for
the incident response and other resources
that are part of the insurance package now for cyber.
We are coming to the end and so we wanted
to kind of give you some insight
into what you can do now to prepare for
your cyber insurance renewal or apply for cyber insurance
and just to be, have better posture.
- [Eric] Yeah, so by the way,
the RSA program committee reviews these slides in advance
and they provide feedback and so on.
And one funny comment, so across the bottom there,
they wanted a timeline on our recommendations
and so next week and then they said, you know,
it might be a little aggressive
to get people to deploy EDR next week.
And I said, yeah, I know, I know,
I work at an EDR vendor, we know we can't do that in a week.
The point is,
there are organizations out there
that don't yet have EDR and don't yet have MFA
and if you haven't started rolling those out,
you should start making that plan right away
because you will not get cyber insurance
if you do not have EDR and MFA compliant controls in place,
especially with the traditional insurers.
They will just reject you on sight.
So those are very, very important steps.
Of course we know they're not magical things
that will make all problems go away,
but we just have to point out you will get rejected
if you don't have these controls.
And then of course it's worth starting early,
as Theresa mentioned.
So if you wait until you're filling out the application form
to realize that they're asking about certain things,
by then it's probably too late.
So work with your broker,
work with your insurer to understand what it is
that they're going to be looking for
because that always changes.
So consider attack surface management to help you get in
front of that, but work with your broker.
Theresa, some of the right hand column stuff.
- [Theresa] Yeah, sure.
And basically here every insurer has a different approach
and so what I've said today
is the approach that generally insurtechs are taking with
the continuous assessment and scanning and outside in,
inside out data approach.
But you know, talk to your broker about
what would work if there are other options.
'Cause really you do need the coverage at the rates
that are right for your organization.
And if there's an insurance company out there,
cyber insurer that's going to help you,
guide you to what that would be,
whether it's this policy period or, you know,
come back next year and when you're at better risk
and we'll give you terms then,
but just to understand that
there's different approaches out there.
- [Eric] So let's do the one minute crystal ball
before we have to let these people go.
- [Theresa] Here's my crystal ball.
- [Eric] Yeah, I know, right?
It's a pretty one.
So quick predictions from both of us with respect to
where this is headed.
No surprise,
ransomware and extortion is gonna continue to evolve.
So there's not gonna be a near-term moment in time
where we say, wow, okay, we beat those guys.
It's continuously evolving.
We all have to recognize phishing and BEC in particular,
which is again,
like phishing is 50% of the initial attack vector,
BEC is a huge chunk of claims.
It's getting harder and harder for humans to detect.
So you really have to consider the policies,
the procedures in-house for things like invoice payments.
You have to think about how these attacks
are gonna get through.
And vendors like us,
we have to think about how we can do better.
Nobody should be saying, oh wow,
the user clicked on a thing they shouldn't have clicked on.
It is getting super hard for them to figure that out
and hey, yeah, data science is getting better.
- [Theresa] Data science is getting better.
It's, you know, we started out by saying,
oh well it used to be not weird,
but different that you'd have to wear a seatbelt
or have a carbon monoxide thing in your house
and maybe one day these things
that are kind of sounding like, oh,
this is a burden to have,
like really the insurance companies
making me do X, Y, and Z.
That won't even be such
a controversial thing that we're talking about.
That these controls will be more mainstream with the goal
that we'll have better data even something like
a connector into your organization
so that we have some of that good data
so that we can see if there's something adrift
that we can then help the organization come back on
and be more resilient that those things will be seen
as a value add,
as a different type of partnership
with your cyber insurance partner.
And so I think there'll be more widespread adoption
of this continuous monitoring assessment and approach.
- [Eric] Thank you so much for coming to our session.
It's really fun to have you here and nodding
and putting up your hands at different times.
It's been a pleasure.
If any of you have questions, we are happy to stick around.
I think they told us we actually have the room
for a bit longer,
so if people want to do audience Q and A, that's fine.
Otherwise just come on up and chat with us.
Thank you so much.
- [Theresa] Thank you very much.
(audience applauds)