Better Risk Assessment for Cyber Insurance: How Will We Get There?

00:01

- [Eric] Hey everybody. Thanks for coming.

00:04

It's really nice to be in front of big audiences again.

00:07

After a few years,

00:10

Theresa and I are gonna talk about

00:12

how the cyber insurance market

00:15

is getting better at assessing risk

00:18

because it's been a chaotic few years.

00:20

So I'm Eric Skinner. I'm from Trend Micro.

00:23

Trend Micro is a longtime security vendor,

00:27

currently huge focus in areas like XDR

00:29

and attack surface management and cloud security.

00:33

And I've been in cybersecurity for about 25 years.

00:37

My first RSA was the year 2000,

00:41

so I guess I'm showing my age

00:43

and I've had the pleasure

00:46

of working with Theresa.

00:48

- [Theresa] Hi everyone.

00:49

It's nice to be here and see all of you

00:50

and spend some time this afternoon together.

00:52

My name is Theresa Le.

00:54

I'm the Chief Claims Officer at Cowbell Cyber.

00:56

So we're a cyber insurance provider in InsureTech.

01:00

And before this I was also in VP at Swiss Re,

01:05

which is a cyber reinsurer and XXL also.

01:08

So I've been in cyber insurance.

01:09

And then also I should say

01:11

that I'm a recovering coverage attorney.

01:13

So represented cyber insurers for over a decade,

01:17

the first part of my career,

01:18

trying to keep them out of trouble.

01:20

And so we can just get started, I think, right?

01:23

- [Eric] Let's do it. - [Theresa] Okay.

01:26

So because I'm the lawyer in the room,

01:28

this is the disclaimer you guys have seen,

01:30

please read it and remember it and abide by it, Lala.

01:32

(both chuckling)

01:34

And so why are we talking about cyber insurance today?

01:39

Especially with respect to cybersecurity.

01:41

And you'll see in this picture,

01:43

it's a boiler that blew up.

01:46

And in the 1800s,

01:48

this is just to depict that sometimes

01:50

there needs to be an industry,

01:52

an insurance, you know, it's type of, you know,

01:54

it's not that interesting,

01:56

but it did have some very influential ways

02:00

to foster adoption.

02:03

And so best practices, better practices,

02:06

risk mitigation is oftentimes forwarded

02:09

by the insurance industry.

02:10

So when the boilers were blowing up

02:13

and causing lots of property and bodily injury damage,

02:17

a Hartford steam and boiler,

02:19

they said we should do inspections.

02:20

And that's one way that we can mitigate against loss.

02:24

I think the, and then more recently, I mean,

02:26

everybody in this room seems too young to remember

02:29

the days that we didn't have to wear seatbelts,

02:31

but the auto insurance industry, yes, you are.

02:36

Now, it's not even that controversial.

02:37

You just get in the car, you put on your seatbelt,

02:39

but it was the auto insurance industry that really forwarded

02:42

that adoption of a better practice

02:44

to mitigate against bodily injury.

02:46

So if you wear your seatbelt,

02:48

then you as a condition to getting auto coverage

02:50

if you get hurt.

02:52

And then more recently, carbon monoxide detectors,

02:56

sprinklers, things that are now part of the building code,

03:01

but they were forwarded by the insurance industry.

03:03

So just kind of a signal towards, you know,

03:05

maybe there'll be another circle here, 2020 something.

03:09

The cyber insurance industry was how X, Y,

03:12

and Z got adopted mainstream.

03:15

That would be good.

03:17

And so today we hope to cover some things in our agenda,

03:21

really to have a little look back.

03:24

And in cyber insurance,

03:25

which is a relatively new line of insurance,

03:27

looking back really means five years.

03:29

It's shifted a lot,

03:30

but we'll see what the challenges were in recent memory,

03:34

how risks have been assessed historically

03:38

in the past few years and where we're going with that.

03:41

And then we'll give you some practical tips and things

03:43

to how you may get better terms for cyber insurance

03:48

and what the future holds.

03:48

I think I'll show you my insurance crystal ball later.

03:54

So let's talk about some of the challenges that we've seen.

03:57

Again, I mentioned that it's a space

04:00

that's shifted quite a lot recently.

04:02

So in 2019, just, you know,

04:04

four or five years ago, the claims were relatively low.

04:07

This is also pre pandemic.

04:09

So the, the policies were relatively easy to get.

04:13

There was expansive coverage,

04:15

not too much you needed to do

04:17

to even get high limits on cyber insurance.

04:20

In the next two years,

04:22

yes, we had the pandemic,

04:23

the attack surface increased quite a bit,

04:25

but also claims case started to come in

04:28

very severe claims, lots of breaches.

04:30

Ransomware really got its, you know, traction here.

04:33

And then as procurers of cyber insurance,

04:37

you may have seen the rates go up quite remarkably.

04:40

So I'll go through that adjustment later on

04:43

in the presentation.

04:45

But there was also a challenge in getting cyber insurance.

04:48

So even if you had what used to be relatively good controls

04:53

and were seen as a good risk,

04:54

the cyber insurance industry was having a different look,

04:57

a different approach,

04:58

and then you might not have had that much success

05:02

even getting cyber insurance.

05:03

And we'll go into a little bit more of the future

05:05

of what that looks like.

05:07

There is some good news, hopefully.

05:09

One of the drivers of cyber insurance

05:12

is obviously data breaches, cybercrime and ransomware.

05:16

And ransomware, I just put this up here.

05:18

Net diligence did a survey and it's no surprise

05:21

that a ransomware event is very financially impactful

05:25

to an organization.

05:27

And in recent times, even, you know,

05:29

small to medium size enterprises.

05:31

So the mom and pops up to $2 billion in annual revenue.

05:37

Even that space that did not used to be a focus

05:39

for the threat actors now is,

05:41

and it's quite impactful with an average of

05:43

half a million dollars impact to an organization.

05:47

And then the other impacts to, you know,

05:49

reputational, business interruption,

05:53

other things that are quantified,

05:55

but also we often hear from the SME policy holders that,

06:00

but for the support of the cyber insurance policy,

06:03

it would be very difficult

06:04

if at all possible to get through a cyber event

06:08

such as a ransomware.

06:11

Hand it over to Eric.

06:13

- [Eric] Yeah, so let's talk,

06:14

let's talk a little bit about some of the dynamic

06:17

in this environments

06:18

because for customers as well as for insurers,

06:21

the last few years have been pretty turbulent

06:23

and for cybersecurity vendors as well with respect

06:26

to the way attackers have been behaving

06:29

and the way environments have been changing for customers.

06:32

So let's have a brief look at what Trend and Cowbell

06:36

are seeing with respect to the dynamics

06:38

in the ransomware space and some of the other threats

06:42

that result in some of these high claims.

06:44

So at a high level,

06:46

what we've seen is that the frequency has been increasing

06:50

on these kinds of ransomware attacks.

06:53

The severity has been mostly stabilizing,

06:57

but we'll touch on this a bit later.

06:58

There was a little bit of an uptick in late 2022

07:01

and into Q1.

07:03

Some of the attack groups are having a little bit

07:05

of a resurgency.

07:06

There's been a lot of growth in exfiltration behavior.

07:11

Some of the attack groups got a little bit too much heat

07:14

for some of the destructive stuff they were doing.

07:16

And in order to take some of the pressure off themselves

07:20

and for a variety of other reasons

07:22

as well as just being able to exert more pressure,

07:26

even if people had good backups,

07:27

they've pivoted into doing a lot of data exfiltration.

07:30

The speed is intensifying.

07:32

So attackers are able to move a lot more quickly through

07:36

your organization and that means that organizations

07:40

have less time to react.

07:42

And at the same time, when people are paying ransoms,

07:47

they are funding these attack groups.

07:49

And I think we're all interested in seeing

07:51

the attackers get less money, right?

07:53

When the attackers do get money,

07:54

they're subsidizing attacks against

07:56

a further six to 10 victims according

07:59

to some data science work that Trend was doing.

08:02

And then when we look at BEC, this is,

08:05

it doesn't get as much attention as ransomware

08:08

and yet it it's a pretty substantial cause of claims.

08:11

And historically that's been, hey,

08:14

pay this fake invoice and using various pressure tactics

08:17

and social engineering tactics to get invoices paid.

08:21

And a few strategies are evolving there

08:24

because of course organizations

08:25

are implementing more process around this.

08:28

So we've noticed that attackers are now leveraging

08:33

other social engineering and phishing

08:35

to take control of a legit account

08:36

and then send the BEC emails from

08:39

an internal valid account

08:40

and that avoids certain legacy email controls,

08:44

a gateway controls, things like that.

08:46

And it's of course more credible, it's more effective,

08:49

but they're also using strategies,

08:53

avoiding the finance team altogether.

08:55

And they're, for example,

08:56

making a request for confidential data that look like

08:59

they're coming from an executive.

09:00

And then the employee provides tons of confidential data

09:03

and the attack returns right around

09:05

and tries to extort the company for

09:08

otherwise they're gonna leak that data.

09:09

So it's really hard for employees to recognize this.

09:14

For example, I know everyone's talking about AI,

09:16

who's sick and tired of hearing about AI yet?

09:19

Yeah, okay.

09:20

I'm kind of like half putting my hand up,

09:21

but one thing we have seen is that cha GPT is helping

09:24

the attackers write better phishing emails,

09:26

write better BEC emails.

09:27

I was in Finland a few weeks ago,

09:29

our team there said, yeah, you know,

09:31

the attackers used to do a terrible job of writing phishing

09:36

emails in finish because finish is a really hard language,

09:38

but chat GPT does perfect finish for example, right?

09:42

So it is hard for employees to recognize these things.

09:46

So this has an impact on losses.

09:49

- [Theresa] So the cybercrime is one of the top three types

09:51

of cyber claims that have coming in,

09:53

but there was a lot,

09:54

there's been a lot of loss in the cyber incident realm.

09:58

And so just this depicts that there's,

10:00

between 2018 and 2021,

10:05

there was a doubling of the loss ratio

10:07

and that's quite severe.

10:08

So there are lots of claims were coming in,

10:10

the premium wasn't keeping up.

10:12

You'll see between 2020 and 21,

10:14

just within that year there was a doubling of premium.

10:16

So you might have felt that as you were working

10:19

with your brokers and thinking,

10:20

why did cyber insurance get so expensive?

10:22

Why did my rates double?

10:24

And that's why, there was a historic, you know,

10:27

in that time, severe claims that came in.

10:29

So to sustain us all,

10:31

that's what happened with the rates.

10:33

Another depiction here is quarter over quarter,

10:37

that time period that we saw remarkable increases

10:40

in the cost quite painful.

10:41

Like acknowledge that at the same time the deductibles

10:45

and retentions what what policy holders were paying

10:47

out of pocket before the insurance

10:48

that was even triggered was also going up

10:51

if the premium wasn't enough.

10:54

And then of course the difficulty in getting cyber insurance

10:58

at the same time because claims were coming in

11:01

and a recognition that cyber instance

11:03

were financially impactful as well as having other impacts

11:07

to your reputation and ability to do business

11:09

or be competitive that lots of contracts

11:14

were requiring cyber insurance to make sure

11:17

that if I do business with you,

11:19

if I trade with you that I provide your, you know,

11:21

you with my data, with my customers data,

11:23

that you have a financial mechanism to transfer that risk.

11:27

So contractually cyber insurance was becoming more of

11:31

a requirement and to be competitive.

11:34

After the last quarter of 2021,

11:37

the rates did stabilize a little bit.

11:39

They're still increasing but not

11:40

at as the rates that historically we saw.

11:44

So they are going down in the sense that

11:47

they're not increasing as much.

11:48

- [Eric] And 28% year over year

11:50

is still pretty painful. Right?

11:51

So we all have to, we all have to do better and

11:55

that's what we're gonna talk about.

11:56

- [Theresa] Yeah.

11:57

So we recognize this in the cyber insurance industry

12:01

and would, you know,

12:02

have taken on a different approach

12:04

to try to help policy holds and

12:06

the space in general to still get coverage.

12:10

But how we do that is to properly assess the risk

12:12

so that we can be prepared for those claims

12:15

and and for the impact.

12:17

- [Eric] Yeah, so at the end of the day,

12:20

insurers have to measure risk, right?

12:22

And we're gonna talk a little bit

12:23

about how a risk is getting measured now.

12:25

And I'm going to pull in some stories from trends,

12:29

incident response teams to sort of contrast

12:32

the risk measurements with the risk reality.

12:36

How many people in the room, by the way, have,

12:38

or their companies have cyber insurance?

12:40

I'm just curious.

12:41

Wow. Look at that.

12:42

Right? Okay.

12:43

So yeah, really depends on the country,

12:45

but in the US a lot of organizations do.

12:47

So you're feeling this pain, cool, so,

12:50

well it's not cool that you're feeling the pain,

12:51

but it's, you understand.

12:53

So I don't like the pain.

12:55

Yeah. So how many people know this podcast Risky Business?

12:59

Some of you? Yeah.

13:00

Okay. It's a really cool podcast.

13:01

A guy in Australia, Patrick Gray hosts the podcast,

13:06

very technical, but they did have a conversation.

13:08

This is a little while ago,

13:08

but the point is still valid, right?

13:10

He was joking at the time, but he said, Hey,

13:13

you know, like the cyber insurance business right now,

13:15

it's a mess because if you set up your actuarial table

13:18

and the risk equals 100%,

13:20

you probably don't wanna offer insurance for that.

13:22

But that's exactly the situation that

13:24

the insurers were in a few years ago,

13:26

is no ability to figure out who is more at risk

13:29

than other people.

13:30

And that's why rates and deductibles and everything go up

13:34

because just like all of our businesses,

13:38

insurance companies like to make money, I've heard.

13:40

- [Theresa] Yeah, we do. - [Eric] Yeah, exactly.

13:44

So we know how life insurance works and insurance companies

13:48

have got really good at measuring risk and life insurance

13:50

for a long, long time.

13:51

And they've developed a very good data models.

13:54

And these data models don't have to change every few weeks

13:57

the way they do in cyber.

13:58

But you know, they do questionnaires, they do medical tests,

14:01

they ask a lot about your family history and oh, okay,

14:03

you've got family history of cancer or you're a smoker,

14:07

your risk is higher and they have a pretty good measure of

14:11

your risk by doing that kind of basic thing.

14:14

Well in cyber, they have been asking a lot of questions.

14:19

Who's filled out one of these

14:21

cyber insurance questionnaires personally?

14:22

Yeah, exactly right.

14:24

And these questionnaires have been evolving,

14:27

but they happen once a year and like,

14:31

let's talk about these questionnaires.

14:33

- [Theresa] I'm sorry.

14:34

We know it's a burden and this questionnaires from a few

14:37

years ago and we've been trying to develop

14:39

the application process to be more streamlined.

14:41

We do have an approach,

14:43

I think it will work, but this is just to,

14:47

this is to display that even the questionnaire, just like,

14:49

as Eric mentioned, it's not an ideal,

14:53

it's not optimal for a cyber risk.

14:56

And here you see that, you know,

14:57

it's asking about endpoint detection,

14:59

which is completely valid, but you know, doesn't,

15:03

I don't know if you see it,

15:04

but it doesn't go as far as well

15:06

if you get an alert who's monitoring that?

15:08

What's the action?

15:09

So just to have it,

15:10

doesn't necessarily give us insight into

15:13

the cyber resiliency or controls

15:15

that are actually being followed by the organization.

15:19

And so we've worked to improve the questionnaire,

15:21

the application process,

15:23

also recognizing that it is a snapshot of that risk manager

15:27

or financial persons understanding

15:29

at the time that they signed it.

15:32

And then of course, you know,

15:33

it's one day out of the 12 month policy period,

15:37

that that information is to the true to the best

15:41

of their knowledge of the person signing.

15:43

But what's going on the 364 other days of the year where

15:47

that organization's cyber posture and architecture

15:52

and other things and vulnerabilities,

15:54

everything else is shifting around, changing.

15:58

How do we capture that as a cyber insurer in order

16:00

to provide the best service, the best product, to keep up,

16:04

to make sure that we're properly assessing the exposure,

16:09

questionnaires aren't perfect, we recognize that.

16:12

And then also, is it really fair to then decline

16:16

an organization because the questionnaire wasn't filled out

16:19

in a way that, you know,

16:20

that we were comfortable underwriting to that risk.

16:24

They could improve and we could take another look,

16:26

but what have they improved during the year?

16:28

Should we not incentivize adoption

16:31

of better control so that it's not just at renewal

16:33

that we take an assessment.

16:35

So a lot could change in a year also, I just,

16:38

because the calendar's up there,

16:39

I would remiss if I be remiss if I didn't mention that

16:42

when you are preparing for renewal of your insurance program

16:47

to start early,

16:47

because if you're starting 90 days out or 120 days out,

16:51

you'll have the opportunity to then adopt some measures

16:54

and then when the application comes in,

16:57

you'll be able to show that you're a better risk.

16:59

But if you start too close to that deadline

17:02

as we tend to do,

17:03

you may not have time and there's an impact

17:06

on the terms in that regard.

17:07

So that was just my plug to start early if you can,

17:10

on cyber insurance renewals.

17:14

- [Eric] Totally agree.

17:15

So really want to explore some of the cases

17:18

that we have seen in incident response

17:20

that teach us an important lesson

17:23

about some of the challenges with the way cyber insurers

17:27

have to assess risk.

17:28

So we have an insurance, sorry,

17:30

we have a incident response team.

17:32

We do not have an insurance team,

17:33

but we have an incident response team that helps customers

17:38

and also other organizations

17:40

that get into serious trouble.

17:41

And I'm just gonna tell you two stories.

17:45

They're anonymized of course,

17:47

where it really points to some of the challenges

17:50

with respect to insurers asking the right questions

17:53

and not having enough detail.

17:55

And I tried to pick some reasonably representative ones,

17:58

but still perhaps with a little bit of diversity to them.

18:03

So here's a situation where a customer had a server

18:07

that was internet facing,

18:10

but because they'd misconfigured now

18:12

so they didn't realize the server was missed,

18:15

was internet facing.

18:17

And also because it wasn't internet facing,

18:20

they thought well, you know, maybe,

18:21

maybe we don't need to have active

18:23

or properly configured MFA on that server.

18:26

And then they did have EDR but they were not monitoring it

18:33

and they weren't monitoring the logging.

18:35

So there was a massive brute force attack

18:37

against that external facing server.

18:39

There were thousands and thousands and thousands

18:41

of password attempts against the RDP server

18:44

that nobody noticed,

18:46

even though alerts were being generated.

18:48

And I wanna pause for a second.

18:50

I'm in no way, you know,

18:52

trying to blame customers for this.

18:54

We're gonna talk about the evolution and how vendors

18:57

and insurers and everybody has to do better

18:59

in these kinds of circumstances.

19:00

We do a lot in our product team to learn

19:03

from these incidents to figure out

19:04

how we can better protect customers

19:06

and not all these products are trend products.

19:08

You can recognize these situations anywhere, right?

19:11

So behavioral detection, misconfigured, not running,

19:15

you know, various other types of configurations.

19:17

So the controls were present but they were not configured

19:21

in a way that was going to catch these attackers.

19:24

And that is very typical of things

19:28

that end up in incident response.

19:29

And they could truthfully answer yes to all the questions on

19:33

their insurance form about these controls

19:35

and the insurance company would not have

19:37

any awareness of these misconfigurations.

19:39

So that's one example.

19:41

- [Theresa] You might wonder would this have been covered?

19:44

And yes it would because again,

19:48

things will happen even if the questionnaire was truthful,

19:51

even if you have controls and these things get missed.

19:55

But again,

19:56

to to not cause anyone to be defensive for anything.

20:00

And we recognize that this is something we need to address

20:03

as an interest with the cybersecurity industry as well.

20:05

Like's the insurance industry

20:06

'cause they are costly to address.

20:09

- [Eric] Yeah, mistakes get made, right?

20:11

and they're gonna keep on getting made

20:12

and it's all of our jobs as defenders and vendors

20:16

to try to control those.

20:17

Here's an interesting one.

20:18

So the employee receives a phishing email,

20:21

all that Phish training worked.

20:22

He read the email and he said, "Hmm, this looks suspicious,

20:24

I better send it to IT."

20:26

IT read the email and clicked the link

20:28

and infected the network.

20:29

(Theresa laughing)

20:31

And yeah, we all laugh and it's like,

20:33

think about could that happen to me, right?

20:36

So they had a legacy email gateway, right?

20:40

The more modern approaches to plug in to Office 365 directly

20:44

because then you can see internal emails

20:46

and things like that.

20:47

But they did not have those kinds of controls and

20:50

the IT employee opened the link and didn't notice

20:58

the suspicious activity and the attacker was able

21:03

to move laterally in the environment

21:05

because they had some misconfigurations

21:07

in their EDR deployment and they had

21:10

some incomplete coverage.

21:11

So they had various assets in the organization

21:13

that had no security controls on them

21:16

and the attacker was able to obviously use those

21:18

for various forms of privilege, elevation and so on.

21:21

This is a very typical story

21:23

and the EDR was not regularly monitored.

21:26

So where there was EDR detection,

21:28

it was not actioned in a prompt way.

21:31

Some customers, some organizations have got

21:33

into the habit of, you know,

21:34

because they're stress teams, right?

21:36

Oh wow. You know, weekends, evenings, et cetera.

21:38

Small teams,

21:39

they're not at the cadence yet of the attackers

21:43

and who wants to be monitoring EDR alerts

21:45

at three in the morning on Saturday, right?

21:48

We'll talk about where that has to go.

21:50

But this is another example where, hey,

21:52

they're doing all the right things superficially and

21:54

insurance would've said, sounds good, here's your policy.

21:58

And that's how we got into the trouble

21:59

of these policies resulting in big claims.

22:03

So when we zoom out a little bit

22:04

and we look at trend IR data over a longer period of time,

22:09

I really get interested in these conversations.

22:11

I ask 'em like, hey, how do these attacks start?

22:14

And the first time I asked 'em this,

22:15

I was kind of surprised to hear the answer.

22:17

Oh it's really only two things.

22:18

So was really only two things.

22:20

Like half of it's fishing,

22:22

half of it is exploitation of unknown

22:25

or misconfigured internet facing assets.

22:27

And then the trouble flows from there, right?

22:30

Fishing and other kinds of social engineering, right?

22:32

But broadly, and then when we did

22:35

a little bit more digging, right,

22:37

35% of the cases there were alerts but they were missed

22:40

or they weren't acted on promptly.

22:42

72% of the time security controls were there,

22:45

but they were misconfigured.

22:47

We had a situation for example,

22:48

where a customer had a different EPP product, not trends,

22:52

but this could happen with any product.

22:55

They had misconfigured an exclusion and .star

22:58

was excluded in the EPP and that's wrong.

23:03

So the EPP was not looking at any files, for example,

23:06

39% of cases the security controls were present

23:09

but they were outta date, right?

23:11

They were using old versions of software and so on.

23:13

So these are things that are typically not visible

23:17

on insurance forms.

23:18

So there is a way to do this better

23:20

and we're gonna pair into that right now.

23:23

- [Theresa] Yeah.

23:24

And one of the things that just pains us as a group I think

23:29

is when these cyber incidents,

23:32

whether it's social engineering, monetization of a breach,

23:37

ransomware, the money, the resources of your,

23:40

you know, your premium and that the policy resources,

23:43

they're going to be funneled into these threat actor groups.

23:46

And so the ransom payments,

23:48

we did an analysis of the ransomware payments and

23:54

there was a dip between 2021 and 2022, which is good news.

24:00

I would asterisk that and that's the last point

24:02

that there's been a rebound at

24:04

the end of last year and the first quarter

24:06

has seen an uptick in ransomware severity.

24:10

We can attribute the momentarily momentary decline

24:15

on some geopolitical things that were happening

24:17

at the beginning of 2022.

24:19

But also we think that the decline in the last year

24:25

between 2021 and 22 was due to a variety of factors.

24:28

And I just wanted to point those out

24:29

because it does give some insight into things

24:32

that are happening that could improve this situation.

24:34

For instance, more companies now are being more resilient.

24:38

So they have strategies in place of incident response plans,

24:41

business continuity,

24:42

a lot of these things the insurance industry is pushing,

24:45

these are you know,

24:46

value add free resources that will help an organization

24:51

be more resilient in the face of a cyber event.

24:53

But in particular ransomware,

24:55

we particularly focus on the backup situation.

24:59

So making sure that if they are hit with ransom,

25:02

where there's a viable backup strategy there

25:06

as well as other controls that could be in place

25:08

that we hope and that we see have had an impact

25:11

on the amount of ransom, when there is a ransomware event

25:14

that the amount of ransom is declining

25:16

or the instances where ransom has to be paid

25:19

as a last resort, there's no other option available.

25:22

Good option, that is decreasing.

25:25

- [Eric] Yeah and I've talked to several insurers

25:27

and several other cybersecurity vendors

25:29

and everyone agrees, yeah there is an uptick happening now

25:33

in the ransomware success and that's

25:36

because attackers adapt and they've also regrouped

25:40

they were disrupted in various ways.

25:42

But now they're finding new things to do

25:44

that will be effective.

25:46

And so yeah,

25:47

we can't pat ourselves on the back yet.

25:50

- [Theresa] It is concerning because

25:51

even with the backup strategies in place,

25:54

we can have double extortion.

25:56

It's the suppression of data or the,

25:58

you know, you'll see the threat actors say, fine,

26:01

you don't need the crypto,

26:02

but I'm still gonna ask you for a million dollars,

26:04

otherwise I will publish your secrets.

26:06

Or there could be even triple extortion too when they go

26:12

and actually calling family members and customers

26:18

and clients of that organization and really basically

26:22

embarrassing them that they don't have good controls.

26:25

And so there's a lot more ways to exert pressure

26:28

on an organization to pay the ransom

26:31

even if the decryptor is not the primary need

26:33

for that transaction.

26:35

So it is concerning they're getting just more tricky.

26:42

And so the questionnaires have improved.

26:44

So I just wanted to show an example

26:46

of a more recent application

26:48

and you'll see that because phishing

26:51

is such a key gateway to an organization's infrastructure

26:57

that we have focused on, you know,

26:59

let's go a little bit more in detail.

27:01

So is an organization conducting fishing training

27:05

and how often and if if there's a failure rate,

27:08

are those individuals being retrained?

27:12

So things like that where

27:13

we can really improve the questionnaire.

27:15

That being said,

27:16

it's still an imperfect process in many people's opinion

27:20

just because it's not as accurate a depiction

27:23

of the real state of affairs.

27:25

- [Eric] Yeah and even if they're starting

27:27

to ask better questions, which they are,

27:30

there's constantly new TTPs, right?

27:33

The attackers are doing new things and the questionnaires

27:35

outta date almost instantly, right?

27:36

So actually if we go back to that one for just a second.

27:41

Great. So they used to say, what email security do you have?

27:44

And that was about it, right?

27:46

And it turns out that even asking what vendor you have

27:48

isn't necessarily indicative of your risk

27:50

'cause you can misconfigure any vendor, right?

27:52

But now they're asking a bunch of questions, that's great,

27:55

but they're still not, for example asking, well, okay,

27:58

does your email security have visibility to internal emails?

28:01

Because that's a new tactic.

28:02

Well that questionnaire is six months old so, right?

28:06

Or maybe a year old.

28:07

So it's really hard for these questions to keep up.

28:11

And the other thing is they're really painful, right?

28:13

They're getting longer now they ask more questions.

28:15

Do you want to answer more questions? No, you do not.

28:18

- [Theresa] The page is long

28:19

and then we're not going to be sending them out

28:20

every month just to get more current information.

28:22

- [Eric] I saw one form that was 35 pages long.

28:24

- [Theresa] Not a us but yeah.

28:25

- [Eric] I know, right?

28:27

So there is a better way

28:29

and we're gonna talk a bit about some of the stuff

28:31

that's going on that is helping.

28:33

So, and it's really,

28:36

there's kind of an echo that something we can relate to.

28:39

Perhaps some of you in the room do this,

28:40

although I think we're all cyber security people

28:42

so we might shy away from this particular thing,

28:44

but some of the car insurance providers will give you

28:48

a discount if you run their app or you plug in this device

28:51

into your ODB port and it will monitor your driving

28:54

continuously and then they get a better picture

28:57

of correlation of driving habits to claims.

29:01

So if you're driving crazy and breaking heavily

29:05

and speeding all the time,

29:07

they can understand that and they can rate your policy

29:10

a little bit differently.

29:10

So that has been going on for a little while and there is

29:15

a similar approach to that continuous assessment

29:19

that's happening in two ways that are kind of converging.

29:21

So Theresa and I are gonna talk about that.

29:23

So the first thing that's going on

29:25

inside organizations themselves,

29:27

and you've been hearing about this,

29:29

it's a space that's been sort of emerging

29:32

and getting a little bit higher profile in the last year.

29:34

Some analysts call it different thing of course

29:37

'cause they all have to have their own acronyms.

29:40

But attack surface management is a market category

29:43

that broadly is about discovering your assets.

29:47

So you know, finding those internet facing assets,

29:49

finding the misconfigurations, finding so on,

29:52

assessing the risk across that and then prioritizing

29:55

for security teams the relevant mitigations.

29:58

So it's kinda like,

29:59

hey, what are the top five things that you

30:01

or team should be focusing on today

30:03

based on broad visibility?

30:06

And that's something that organizations

30:08

can obviously do for non-insurance reasons,

30:11

'cause it really helps you keep attackers out in general,

30:14

but also can be done before insurance applications.

30:16

You can get into a cadence.

30:18

And then the other thing that's going on is cyber insurance

30:21

is also doing continuous assessment in a few cases.

30:25

So some cyber vendors are starting to do

30:28

this more continuous assessment approach where

30:30

they're pulling telemetry on your security controls

30:33

and then understanding those controls and doing

30:35

data modeling and data science to understand the risk

30:39

and have an opportunity to engage

30:41

with the customer much more often.

30:43

So let's start with that last one, the cyber insurance.

30:46

Tell us about it. - [Theresa] Sure, sure.

30:47

So this is exciting and sorry,

30:50

the middle diagram is a bit small,

30:52

but I can talk through it and I have it large

30:54

on the next one, so don't strain your eyes.

30:56

But part of the challenge

30:59

as we've talked about is that application process is just,

31:03

it's a static data point,

31:05

just that one moment in time where it's signed

31:07

and the risk manager or whomever,

31:09

maybe not even the cyber security team

31:12

is providing information,

31:14

but that is an imperfect way to underwrite,

31:17

to risk a risk that's dynamic,

31:19

that's shifting, that has many risk signals

31:21

and requires a more in-depth risk assessment.

31:25

So the automated continuous collection of telemetry

31:29

in the cyber insurance space is what Cowbell

31:32

and other intratex have been starting to do.

31:34

And we've done it for a while,

31:35

is to collect data points from various many sources.

31:42

So it's not just

31:43

the one source of the risk manager providing

31:46

that questionnaire, it's scanners,

31:48

it's third party databases, it's telegraphic,

31:51

thermographics,

31:54

anywhere we can grab data from on that organization.

31:58

And this is the outside in.

31:59

We also have live connectors through APIs that will provide

32:03

us inside out data behind the firewall,

32:05

which is extremely valuable, extremely insightful.

32:08

And that is in going into the machine too.

32:12

And then these data-driven immediate types of input

32:17

can really inform the underwriting decisions,

32:20

the data selection, the creation and adaption

32:23

of an insurance product that works for that organization,

32:26

their particular risk and exposures.

32:30

Also, we can incentivize that organization by,

32:33

I'll go into it a little bit later by subjectivity.

32:35

So if they're not doing so well in a particular area,

32:38

we can help them identify that security gap

32:41

and help them get better.

32:42

And they are our customer.

32:43

So the goal of being resilient to claims is the same.

32:48

And so there's a good partnership there

32:50

that we see an opportunity with policy holders.

32:54

One of the really interesting aspects

32:57

of how the cyber insurance,

32:58

especially those that follow

33:01

this continuous assessment model,

33:03

is that we can benchmark how organizations

33:05

are doing relative to their peers.

33:08

This is important because if you look from the perspective

33:12

of perhaps a threat actor that's focused on healthcare

33:17

and that industry in particular,

33:19

and they're thinking that's a rich data source,

33:21

so there's a lot of money there

33:22

or whatever it is that's attractive,

33:25

how would our policy holder or prospective policy holder

33:29

rank relative to the peers in that industry?

33:31

So it has to be a more granular analysis and focus

33:35

and so benchmarking how

33:38

a particular perspective policy holder's doing

33:40

relative to their peers can then

33:42

in turn provide better pricing

33:44

or more relative pricing to that actual risk.

33:47

But also we can help them by saying, look,

33:49

your peers are doing X, Y,

33:50

and Z that's why maybe they have

33:52

a different premium rate than you.

33:55

And we can help with that.

33:57

The point here is that if you're doing very well,

34:00

if you're doing better than

34:02

your industry partners or industry colleagues

34:05

and that benchmark and that's that blue kind of line.

34:08

And then we also break it down so that it's not just

34:12

are you susceptible to a cyber incident but you know,

34:16

how are you doing on compliance?

34:17

How are you doing on supply chain?

34:19

There's different factors that feed

34:21

into the overall risk pricing, data science of it.

34:24

So there's cloud security, endpoint security,

34:26

dark intelligence, funds transfer,

34:29

different ways that we can analyze those thousands

34:31

of data points into some clear benchmarking and ranking.

34:36

And then the idea is that if you are better,

34:40

if you are doing better, if you have better controls,

34:42

if you're more resilient than your peers,

34:44

then you should get better pricing than your peers.

34:46

If you're not doing so well then your insurance coverage

34:50

because your risk here perhaps is going to be higher.

34:54

And then if you're in the middle, you know,

34:56

there's some things that you could do better on.

34:58

And so this particular profile,

35:01

this organization's not doing too well

35:04

on the funds transfer.

35:05

So they're susceptible more than their peers at 65

35:09

and the industry benchmark is 75

35:12

that we help them focus on that particular function

35:15

in their organization.

35:16

So maybe that is training,

35:17

maybe that's the financial department

35:19

that needs some best practices guidance.

35:23

The subjectivities that middle,

35:25

so they could be doing better.

35:27

We're not going to decline them

35:28

as compared to a few years ago.

35:31

But how can we help that organization do X, Y, and Z

35:34

and then get better rates,

35:36

but we're still gonna take them on

35:39

as a policy holder as a customer.

35:41

And this is where it gets interesting

35:43

'cause we really do see that organizations

35:45

are taking the guidance of cyber insurers

35:47

because now we have this financial incentive that they can,

35:51

most often the security team can go to their C-suite

35:55

or the whoever holds the purse strings and say, look,

35:57

are cyber insurers recommending that we do A, B and C?

36:01

And if we do that we're gonna get, you know, better terms,

36:03

we're gonna get higher limits,

36:04

we're gonna get a reduction in our premium perhaps.

36:07

But this is the driving of adoption of better practices

36:11

of security controls that might otherwise take longer

36:15

to kind of get there.

36:16

So the subjectivities,

36:17

and if we do recognize that the smaller to medium size

36:22

enterprises have challenges

36:24

in the cybersecurity departments,

36:27

so maybe not as robust and underfunded

36:30

and very tired cybersecurity professionals.

36:33

And so a lot of cyber insurers are now also taking

36:36

the approach of having in-house cybersecurity experts,

36:41

risk engineers that then can get on calls with organizations

36:45

with their customers and say, look, if you don't, you know,

36:47

we recognize you haven't patched or we can,

36:49

we're monitoring you,

36:50

we know that you've maybe missed a few updates,

36:53

let's get that taken care of.

36:55

Or we see that you had a subjectivity,

36:58

so that might mean your ransomware limit is, you know,

37:00

$500,000 perhaps,

37:03

but would you like to have it increased to the full

37:05

$2 million limits with no increase in premium?

37:08

By the way, how you get there is, you know,

37:11

let's make sure you have MFA on everything.

37:13

Let's make sure your RDPs are protected

37:17

and take a look if you really need them open.

37:19

Things like that.

37:20

So the cyber insurance industry

37:24

has provided these value adds to the piece of paper

37:27

that historically was, you know, you get your policy,

37:29

you put it in a drawer, you cross your fingers,

37:31

make sure you don't, you know,

37:32

hope you don't get a cyber incident.

37:33

Now it's a more constant engagement.

37:37

And that's a necessity because

37:39

the threats are constantly changing too.

37:42

So something could happen this afternoon

37:44

and I would like my risk engineers to reach out

37:48

to that particular policy holder population

37:50

that's vulnerable and let them know, be vigilant,

37:54

take note up.

37:55

You know, these are some steps

37:57

that you can take to mitigate.

37:59

So we've seen, you know,

38:00

some of your colleagues in this space experience

38:03

this type of vulnerability being exploited,

38:06

perhaps used to do A, B and C.

38:07

So it's almost like an outside,

38:11

you know, valued partnership that really is impactful

38:15

to driving better practices inside.

38:19

- [Eric] Yeah and then what I've seen

38:21

is a fascinating parallel development

38:25

of this other technology attack surface management

38:28

that's really aiming to solve

38:30

this same continuous assessment problem, right?

38:33

So I've become a really big believer

38:36

in the value of continuous assessment,

38:38

not only for insurance where things are changing so often,

38:42

but inside the organization there's all kinds of reasons

38:45

to do it, including people

38:46

who are doing zero trust projects, for example,

38:48

where you want to understand the risk of any particular

38:51

asset at any particular time

38:52

when they're making a connection.

38:54

But more broadly,

38:56

customers being able to be more proactive security teams

38:59

getting better visibility about what they need to do today

39:02

compared to the list of thousands

39:04

of other things they could be doing.

39:06

So again, this is a market category,

39:08

there's a bunch of different vendors doing it.

39:09

There's a bunch of different vendors showing you sort of

39:11

risk scores and visibility trend in a bunch of other people.

39:14

So I'm generalizing here.

39:16

The idea is that you're trying to first of all

39:20

discover the assets in the organization.

39:23

There was an early focus to find, you know,

39:26

servers and and laptops and things like that.

39:28

But now it's like what applications are in the mix?

39:31

What SaaS applications are there?

39:32

What kinds of AWS services are in use

39:35

and where is the data?

39:39

What identities are in the environment and so on.

39:41

The first step is just finding what they are

39:44

and where they are, the work from home employees,

39:46

because we've seen some incidents, right,

39:48

where threat actors were able to get into an organization

39:52

by compromising somebody's home computer.

39:56

But after you do that discovery,

39:59

the value comes from this risk assessment

40:02

and the goal there is to weigh all kinds of factors

40:06

that get collected across that inventory

40:08

with respect to where they are

40:10

on the network, criticality, who's using them?

40:13

Is it the CEO's laptop, is it my laptop?

40:16

Is it internet facing?

40:18

Is it in the DMZ? What's the story?

40:22

What controls are present, how they're configured?

40:25

Basically everything you can collect about it.

40:27

And you can also build an asset graph

40:28

and you can understand what the data flows are.

40:30

So which people talk to,

40:32

which assets in various different ways

40:35

and that leads to the ability

40:37

which is constantly refined, right?

40:40

So none of these solutions are gonna be perfect

40:42

at telling you here's your worst risk

40:44

or giving you the right number on your risk score.

40:47

But things do bubble to the top of the list.

40:50

And that's the idea.

40:51

It's kind of like, hey,

40:52

for the wide array of things in your organization,

40:56

there's always gonna be misconfigurations,

40:58

there's always gonna be vulnerabilities and so on.

41:01

There is a limited team size.

41:02

So what are the five things

41:04

that you should focus on today based on

41:08

as accurate an assessment as can be made

41:11

by one of these tools to say, okay, well yeah, you know,

41:14

that vulnerable server that's internet facing,

41:17

that's a highly exploited vulnerability right now

41:19

that's probably one of your top tasks or hey,

41:22

there's a lot of misconfigurations,