KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
After several tumultuous years, the cyber insurance safety net is in question as costs rise and coverage contracts. Research conducted with IT security professionals to understand the real-life experiences companies have in obtaining and using cyber insurance.In this session we’ll unpack the survey findings and put them in context. Join the discussion to prepare for your next cyber insurance assessment so you end up with coverage and rates that accurately reflect your organization’s risk profile.
Joe Carson will talk about
And help you find answers to these questions
After several tumultuous years, the cyber insurance safety net is in question as costs rise and coverage contracts. Research conducted with IT security professionals to understand the real-life experiences companies have in obtaining and using cyber insurance.In this session we’ll unpack the survey findings and put them in context. Join the discussion to prepare for your next cyber insurance assessment so you end up with coverage and rates that accurately reflect your organization’s risk profile.
Joe Carson will talk about
And help you find answers to these questions
So hi everyone. It's a pleasure to be here and actually I just want, I want to answer your question earlier that was raised and I'll, I'm actually gonna answer your question in this session as well. So one of the things that you had asked us about why do criminals target cyber insurance companies is because there's a reason for it is that they want to know what the policies are and they know, want to know what the payouts are so that when they target organizations they know what, they optimize the ransom payment so they'll get paid. They need the cyber. Exactly.
So, so it's interesting, it's ironic because that's one of the things they want to know how they can actually optimize the payment so they can make sure that they're claiming a ransomware that is actually covered by insurance. So one of the things I worked on many years ago when I started getting heavily involved in insurance was in the maritime industry, cuz that was one of the areas of shipping and where ransomware really came out of was actually Pirate Sea. It was actually, you know, pirates and the Gulf of Aiden.
That's where they got the idea when they see ships being targeted and been held to ransom and having to pay money, the attackers at the time were targeting the policy holders for the ships. So they knew exactly how much the pay it would be in order to actually get the ransom from the ship owners. So it's always important.
It's, it's they, they do it because it's their business. So I'm gonna cover some of your talks. I just wanted to clarify why insurance companies, why the legal companies get targeted because it allows 'em to optimize their, their actually attacks.
Now I, every year I conduct different types of research and this was the second research I did last year and it was the end of the year and I just finished another piece of recent research which is around communication and trans translating cybersecurity to business outcomes. So that was one of the latest research. But this one I focus around cyber insurance and we actually surveyed over 300 companies. Do you understand about what their experience and going down the path of getting cyber insurance was?
So I'm this chief security scientist, so I'm primarily a ethical hacker and security researcher and I like to try and understand about what's the best way to mitigate So, and cyber insurance has been something that's been going on for a ti long time. And again I started this, you know, back in 2009, 2010 when I was involved in the maritime industry and that's where I got a lot of the insights in the insurance industry and how it works. So I'm gonna share with you the results of the survey. One of the key things here is that the reality check is that we face cyber attacks every single day.
Organizations are being targeted from things like malware to getting credential theft to insider risks about even attackers going and paying employees to leak data. We see a lot of those cases financial fraud where it's about business email compromise, somebody accidentally sent funds to the wrong account. We've seen a lot of those types of attacks changing invoices I've seen were a ship company that ship a ship, pulled the port and had a fueling bill.
So they actually had the, the fuel the ship and that's quite expensive when you wanna fuel a ship and ultimately when they ship got the invoice, they paid the invoice immediately and two days later the actually company sent another invoice and they're going, well we just paid it already. And they're like, no, no, no. How could you pay? Our systems were down, we were actually having attack. So you see those types of areas where basically it's all about financial fraud and payments. Then you get into data breaches and data theft and ransomware.
For me, ransomware is probably the biggest threat because as I mentioned in my previous talks during the sessions is that it's not just a security incident that's not gonna be managed by it, it can't be just managed by security team. When you're in ransomware, you're actually dealing with a business response. It's completely different. It's all about business resiliency and sometimes ransomware falls into even the safety part of the business or even disaster scenarios and that's where it should be kept separate. You can't treat ransomware just like an IT incident because it's not the same.
These are the types of attacks we see. So one of the things is, so the research, we wanted to understand why organizations were going down the path. What did their experiences were in the reality check? So this research, so one of the things we found out how many companies were going down the path of actually getting cyber insurance. It was really interesting. Out of all of these organizations, more than 300 we surveyed actually many of them were going down the path over almost just under 50% had already done the process of getting and already had a cyber insurance policy.
Then we had just over 20% were in the process. They were going down that process of getting insurance and then others just under 20% were considering only 5% out of all of those who applied got denied. Which is like shocking. It was like, you know, it's quite, I I would expect the process to be a lot more vigilant and a lot more, you know, detailed and thorough, but only 5% are being denied. I mean that's, you know, that's for me is a surprise. Meaning that a lot of the policies are actually self-assessments.
It's, I self-assess myself and then verify with the insurance company. Some bigger insurance companies that have more stringent policies might require you to have a third party risk assessment. They might have designated risk assessment companies that come in and do it for you, but majority of those policies is self-assessment. So it means you are going and saying, yes, I've got this in place, yes I've deployed this fully, yes I've got MFA in place. That's what the self-assessments going through. So it's almost like a checklist.
So surprisingly, you know, that's why you only see 5% getting denied because a lot of them they, they they're the ones that's being honest on the policy possibly I, I'll get the questions at the end. So here we go through and then there's only a few percent. So out of that when we get into the is that 70% of organizations are going down the path. They've already decided that they're investing in cyber insurance. 20% were in the process of considering it and 93% get it when they apply. 93% organizations get the cyber insurance when they apply because it's a very competitive market.
Cyber insurance companies want to expand their market, they want to get into other areas, they want to get more services. So for the insurance companies, this is a very lucrative market for them to get into and it's early stages. A lot of the insurance companies, their, their business is based on risk quantification and we all know in the cyber industry, even US cybersecurity professionals, we struggle with risk quantification in cyber techs.
So insurance companies are also starting to learn what that is and what it means because ultimately cyber attacks, they're high, highly likely it's not all attacks are the same and they're high impact when they do occur. And this is not a good risk quantification kind of calculation when you get into that. But when you get into this is typically it is something that all organizations will go down the path. You will likely have to get cyber insurance if you don't already have it today and you're gonna go down that path of actually applying.
The main reason for applying is basically risk reduction and the main reason for risk reduction was mostly financial risk reduction. It was about reducing the impact from a financial loss perspective. Now insurance over the years, if you go back to about 12, 13 years ago, it was actually only the tangible fixed asset cost. So if you had an attack then it would've covered you the hardware, not necessarily the data was not covered because the tangible cost of that data was hard to calculate.
Now, fast forward today is that those insurance policies are covering the data. It's not just about covering the hardware. If you had, you know, machines or data center destructions or hardware failures and you had to replace those, now you're also having the coverage of data sometimes to a certain policy companies over the years like Target. What they end up doing was because it was very hard to get coverage for the data those companies went and did cyber captives.
Cyber captives was the first type of cyber insurance that companies tried to get and that's almost like ensuring yourself, you're becoming an insurance company of yourself. So com large companies that might have had one policy to cover their hardware costs, they might have had another policy to cover other types of supply chain costs and then it might have had another coverage which was cyber captive to cover their data because it was always hard to do that.
Risk quantification on data, A lot of the reasons for cyber insurance is the board of directors forcing the organization to get it because the board of directors want to make sure that they're not getting any surprises. Their focus is about reducing risk and reducing the risk to the organization. And a lot of those board of directors sit in other organizations, they're not just sitting 'em on board, they're hearing it over and over again.
So they're coming and saying, you as an organization we want to make sure that we don't get this surprise or massive financial impact from a ransomware case or a cyber attack. So therefore we want you to offset that risk from a financial impact and make sure that you have cyber insurance. So one third of organizations is the board of directors. So it's a top down approach for many of those organizations. A lot of it's reactive organizations have already had a ransomware case and they're not responding.
They, they're like okay, we've already had this financial impact, we wanna make sure that we can't take another hit again. So ransomware cases you have also business critical requirements is that there's a lot of, you know, contracts that you wanna get a contract therefore you have to do it. A lot of compliances is now forcing organizations in order for you to be compliant you have to make sure that you're covered from a cyber impact this perspective as well.
And then the other part of the question you had was supply chain is that suppliers an organization that's going in part of a supply contract, the current organization or the supplier or the one that's actually getting that service is gonna require you to offset your risk from a cyber insurance perspective as well. So they're also requiring their suppliers to make sure that they're covered. But it is a separate policy. Some are looking at served policies. That's something that's interesting.
So that's where we get into where organizations will say that we will help you because you might be a smaller organization or critical part of supplier, they might want to actually expand our coverage render suppliers, but it does mean that that organization will be more visible and more accountable for the security of those smaller organizations. So there's different aspects where you're seeing this can broaden run, but that's a rare case. The organization would prefer them to do it on their own rather than take that responsibility themselves.
Unless some type of really highly dependent scenario from my supply chain, maybe it's oil and gas type of organizations and then we get into basically data breaches and another, they may have not been a ransomware but they've had data theft and data theft today is still another form of ransomware because they're, you know, demanding that if we don't dis disclose your data on the dark web or publicly, you know disclose it that you'll pay the ransom. And that's been the more popular type of ransomware case in recent times is data breaches.
The next area is that have they seen an increase for those organizations that already had cyber insurance that went down a path. Almost 80% of organizations had a significant increase in the past year. So to between 50 to a hundred percent off a price increase in the previous year of premiums in order because what we've seen, of course ransomware cases having high impact, high cost the insurance companies rather than actually, you know, we haven't seen a decline in cyber tax. So in order for insurance companies to offset the cost, they have to increase the price.
Either we actually have less attacks and less cost of attacks or you're gonna have the high higher premiums or you're gonna have to spread that risk across many companies or more companies get cyber insurance and hopefully fewer victims. So there's different aspects of trying to cut the costs. Only few percent had less than 50% and less than 20% had it stay the same and some actually haven't had an increase. Maybe they're not at that renewal point of their policy, they haven't got to the renewal so they haven't been hit with that increase.
So if you do have an existing cyber insurance policy today, you will likely see that when you go to renew the action insurance companies either gonna require a much higher premium and they might have specific requirements for you to actually get a reduced premium by having certain security controls in place. So the next thing is that the board of directors are ultimately driving demand. That's the case is that majority of demand has been driving by board of directors.
Now one of the things that's interesting for organizations as you on this path is that if you actually want to get cyber insurance, what the board and the executive team are is they're going, most cases you will get additional budget to do the cyber insurance. It's not gonna come out of your existing budget. They will likely cover it out of basically additional funds. So this is a thing if you are going down the path, it's a good way to get additional budget to do some additional security controls or security projects.
So cyber insurance will help you increase some of your capabilities to to become cyber. Cyber insurance capable are to be able to get those policies. So for many organizations that went down this path, it was a good thing because it actually increased their budget for a period of time. Only very few, less than 20% actually it was only partially supplemented on actually almost as no one had to actually fund it out of their own existing budgets. So the positive here is if you go down a path, you will get a diesel budget to cover it.
Majority of executive teams will see it and it will likely be something that finance will determine what they're willing to offset from a, you know, financial perspective to get the policy itself. Now summarizing again one third of organizations, the board is driving it, 75% of the cyber insurance in you know have experienced an increase and 95% respondents get the budget when they need it in order to get the policies. So those are saying that some of the summaries that we've seen from there, I'll just pause for you to take a picture but you will get a copy of the slides anyway.
So the next thing, did you get this? Okay, so next thing is that what does the policy cover? And this goes back into a lot of what you were speaking about earlier. Now a lot of it covers the data recovery process. So I've been involved in a lot of instant response and one of the things that I've seen is that the organizations will help fund the data recovery process. Now that's always a bit of a gray area when it comes to insurance data recovery. You know, my mind is that okay let's go and restore it from a backup, that's my data recovery perspective.
And insurance company data recovery could still also be going and paying the ransomware criminals to get the data back. That's also a data recovery process. Now one of the things is that you also had to be very careful about your insurance policies because when you sign insurance policy, a lot of you are basically passing over the decision making to the insurance company as well. A lot of insurance policies in the last couple of years have been revised that the insurance company will determine whether or not you'll pay the ransom. It becomes the responsibility of the insurance company, not you.
So that's something you always have to be careful about is that who becomes the negotiator? Do you retain that rights or is the insurance company? A lot of insurance companies will also determine who you're allowed to contact in regards to INS response. They might have a specific list of only certified insp responders and if you decide to go outside of those, you might be costing that yourself. If you decide to go with another company that's not on their preferred list, that might be something that you would have to incur. So this is another area to be aware of as well is the INS response.
Now what's really interesting, and we all of course have been basically drowned in GDPR for the last, you know, 13 years and for the last it's a five year anniversary. Woo. So we have a five year birthday coming up for gdpr. Now the interesting thing is, is that some of the policies, if you become a victim, we all know that if we become a victim of cyber attack and it impacts PI or PII data that we have to go and notify the data protection authority.
Now interestingly, some of the clauses and the recent insurance policies that I've seen says that no you need to contact the insurance company before you contact the data protection authority. So if you're following your old instant response plan that hasn't been updated since your insurance policy, you could actually be accidentally be putting yourself out of insurance by contacting the data protection authority first. So you had to be very, very clear into the fine print about what you're getting into when you go into these policies.
So other thing is you get victim so your impacted parties might get monitoring and some coverage for a period of time. That's what we've tend to seen from American insurance companies is you get credit monitoring because credit rating is a big thing in America. The cost improved security, this was a surprise for me that a lot of the policies actually included that if you do have an incident that they will help you improve your security. It's kinda retro. It's like isn't that the purpose of getting insurance in the first place that you will actually get better security?
But actually some of the policies said that we will actually help you improve it based on an incident. So some companies are doing self-assessment might even go down the process of saying, well I will actually do self-assessment, might not be completely honest in the policy and then I get an incident and then I will get the help to get my security in place.
So, and I've seen some small companies going down this path, some smaller companies have decided that cyber insurance is an alternative to security, which it should never be. It should never be an alternative. A larger organization see it as a financial offset risk. But small organizations, media organizations are really looking at as well I, I don't have a lot of budget to do all of this so I might do it as an alternative and it should never be an alternative. It should be addition, it should be something you do in addition to security.
So also it covers instant response, which is primarily what a lot of the policies do. Cover hardware and software replacement as I mentioned actually surprisingly regulatory fines was also included in a lot of the cyber insurance policies. Just over 30% third party damages. So if you have third parties, some of the costs will cover the damages to them as well. But there's sometimes a limited liability into the exposure depending on the size of the organization. And then ransom negotiation as well.
They might have specialists who come in and do ransomware negotiation on your behalf and maybe even decide on the payment. So these are some of the things the policy does co cover. I didn't wanna mention about the Merck case cuz I have very, let's say intricate details and and association to that, but I'm not gonna get that in details. So the Merck case was basically that Merck became a victim during npaa and it was a very severe impact to the organization.
Now in a lot of insurance causes, one of the things I've, from my maritime background and experience a lot of the clauses in maritime insurances is that you're not covered as an exclusion saying you're not covered for terrorist attacks war.
And there's that specific clause that says in the case of a terrorist attack, which a lot of those ran piracy cases can some mind be associated that the clause said we will not pay you in the base of a terrorist attack in the
And the reason why, and this also comes down to if you're going down to cyber insurance, you should look at this case very closely because the cyber insurance, even though the exclusion clause in that policy said you're not gonna get paid if it was an act war, the actually federal courts decided that because Merck is not a military institute or a military organization or target, that that clause does not apply.
So if you are an organization that is associated with government or military or some type of thing, you might want to look at your clauses because all ransomware gangs, I can tell you, you can get a dotted line to a basically government institute, whether it's basically willingly, whether they're actually doing it as mercenaries or basically as patriots. You'll find that there's a lot of dotted lines. So if you become a victim of ransomware, you can almost in all cases find an association to some government funding or some government campaign. And that's always difficult.
So I'm actually really happy for that case because now it's not, they're saying that this doesn't apply. If you are, you know, a non-military institute, that that clause will not stand and that's great going forward. But if you are, then you might want to look at your cyber insurance policy because that clause might hurt you in sping a ransomware case. So this is the shocking part, this is the part where I'm like, okay, don't we ever learn is that, has an organization ever used their cyber insurance policy? Almost 80% of organizations have used it.
Whoa, wow. 80%. That's why we get into that risk quantification is the, the, the likeliness is very high. Now the shocking part, even more shocking is that 50% of those 80%, so half of those that experienced an incident and had to use their cyber insurance policy used it again multiple times. Not once but multiple times meaning they didn't learn from the first time. And also what happens is, in especially ransomware cases is that ransomware criminals share information very well. They're really good at having a community.
So typically they will, you know, I get paid and they will share with others and other ransomware criminals be like, Ooh, they paid, we're gonna target them again, how did you get in? Oh this is how we get in. And they never closed the door, they never stopped it. So they go back again. And this is always shocking. So you look at this, 80% have used the policy, this is why premiums are going up is because we're not stopping, we're not preventing the issue. We're actually just prescriptive. The basically, you know, the the the pill to help you survive, to keep you alive.
But we're not actually preventing the actually illness itself. And this is what we have to get into is that how do we make sure we reduce this? How do we reduce the impact because we can't continue what 80% of policy's been used and ultimately getting into 70% of their policies don't explicitly cover ransomware. And that's the majority of the cases. The majority of the cases are ransomware based.
So you get into that, you might have a cyber insurance policy, you wanna get into the fine print and you wanna understand is that do I have to have a different policy for ransomware or do I have to have additional policy premium on top of what I already have to cover ransomware. So it's really important to understand about what you're covered with.
And the other side of things that my experience is that when we look a lot of the cases in the past incidents, one of the things that we always say, you know, we hate hearing the human is the weakest link, but sometimes insurance policies force that because what happens is if an organization had a PCI compliance failure and that was the cause of a incident or that a misconfigured server or an unpatched system, then the clauses in the actually policy says that, well because you fail to configure, you actually did the assessment, you said that you were covered in that early, you said you were doing patch management and that was the cause.
Then they can find ways to reduce their payouts. Ultimately what the organization will then find is let's find a human because if we find a human at fault, we will get paid out from the policy. And that's why a lot of times when you see incidents that organizations will be like, do we say it was a misconfigured unpatched system or do we say it was Jew that didn't patch the system, it was his responsibility.
And that's unfortunate because ultimately we're forcing it back into the human failure and that's what it's not human failure is that people are doing their jobs but we're finding ways to make sure that we're covered financially. And this is some of the things we had to get into. And also what's really important for a lot of these organizations where go down the cyber insurance path is it really required cross-functional teams, very few organizations in the IT and security team could do it by themselves. They needed to understand the risk quantification and financial side of things.
So they had to go to the cfo, they had to work with other teams. So who assisted, these are the teams that was involved in a lot of the insurance policies to obtain it internal IT were heavily involved with more than 50% of their time. Internal security team, the board were heavily involved in a lot of these cases. Over 30% of organizations had the board involvement when they were deciding insurance policies. And also the financial team involved legal team to go through this fine prints to see what you're covered with.
It was also some organizations outsourced it to others to help them through that path because they might not have the internal expertise and also the CS A was directly involved in actually quite a few of the cases as well. And then third party assistance. So it's really important to understand is don't try to do this alone. Go with those who've had expertise and have done it before and they will help make sure that you don't get into those fine prints or mistakes or that you're not covered in certain areas that you're actually more likely at risk to.
So depending on your business, make sure you get expertise assistance to make sure that the policy you get is the right policy and coverage for your organization. And that's what's critical here is that multiple people will be enforced.
Also, will it meet the company requirements? Is that will you be able to actually have the right security controls in place? So this is where we looked at if things around access controls and antivirus and you know, endpoint fraction. It was interesting enough that organizations will still go down to very legacy. So insurance companies have went down the force of best practices of legacy security. You have to have AV and all systems, you have to have firewalls. And we're like, okay, well actually how much of our data is within the perimeter of organization anymore?
It's especially sitting in cloud environments, it's across multinational borders. So it's really important to understand about what it is that covered. So organizations who went down and when they got to the part where they actually had to show their excess management requirements, which was significant, only over just over 40% organizations already have solution that actually satisfied the cyber insurance needs.
So when they go down the kinda path of getting cyber insurance, they find that only about 40 to 50% of the solutions that they already in place got them to that point of secure of meeting the security requirements of the policy and therefore they always had to go and do additional implementation or additional deployments of other solutions.
So if you can down this path, you should be expected that if you're actually going to audit and look at your systems today, unless you've got some compliance that's forcing you to do these, you might find that you're falling short and you might have to go and actually deploy additional solutions or you might have to deploy additional functionality solutions that may have not covered you before. So it's really important to make sure that you go through that you're not doing a self-assessment and saying, yeah, I've got it in like 50% of my machines, but that should be enough.
You should be making sure that you're fully compliant and you've got the right controls in place because the purpose of cyber insurance is a financial safety net as I mentioned. You wanna make sure that you don't have to use it just because you have cyber insurance doesn't mean if you had car insurance you're gonna drive recklessly without a seatbelt and like you know, up the road you still have to drive safely, you don't wanna have to use it.
So ultimately 40% organizations had an existing solution in place, but 40% needed to go and purchase something an additional and that's something we should be pur prepared to do. So some additional resources that I want to leave you with that you can take away and I'll answer some questions is, I've actually got the report here so if you're interested in getting a report, you can take a picture name but we'll make sure that you'll get a copy of the report so they can go and look at it and fill details. But we also have a cyber insurance checklist ebook as well.
So something you're looking through to see about what things you need to be thinking about. But ultimately it's really important.
My, my last message before opening up the questions is cyber insurance, definitely it's a great thing if we get it right and we have the right coverage, but it should never be seen as an alternative to security. It's there to help you when in need of bad times and let's hope that we can find a way to reduce it by making sure we do security by default. So thank you. Hopefully this has been enjoyable educational and Thank you Joseph. I'll take a few question. We have any questions here? Just one please.
Well, thanks Jill. That was entertaining as ever in the, in the last statistics slide, you, you had, you had one one point where they said, we checked all the required boxes, how do I have to understand that they just checked the boxes or they actually did, They just, they met all the requirements officially it's not, they just checked the boxes. They met all the, actually met the requirements.
Thanks, Thanks. Yeah, there's a difference between actually, you know, saying, saying and and doing. So One of the other areas in insurance is like catastrophe claims, things related to hurricanes and earthquakes that, so it's not part of the core carrier network. Do you see, I'm just hypothetically asking you to look into the future, this becoming separated out from some of the major carriers because they don't want the burden of all this risk. It it will be separate, it will be separate policies. They won't, they, they will try to.
So even in a lot of the, let's say healthcare companies and they might have different lines of business. The policies are saying you can't cover the entire health company, you have to have different policies. You might have vaccines, you might have basically, you know, devices and so forth.
You know, so they will not basically provide a policy for all you will have individual. It's, yeah, the umbrella is Nokia. So what you might have though, what I do see happening is more the shared economy of insurance. So we're basically, we have a collective come together. We tried this a few years ago in the maritime industry and it didn't quite, this is the basically, you know, where you have a profit and loss scenario where basically it becomes an investment rather than a just a cost of insurance.
So it means that we'll all receive dividends in the end of the year if we don't have cyber tax. That's the approach I would like to see moving forward. Meaning that we all get rewarded for a good security. Isn't that, isn't that a nice thing?
You know, it's used to be a, and premiums go down because we, we ultimately do it and also it means that you're, you've got a bigger pool of coverage because more companies are putting into that pool. Meaning that if one company has an incident that you've got enough coverage for all. So you're hoping that it's not 80% because that would kill it, but you wanna make sure that everyone survives and, and that means that we ensure best practices and we all, you know, help each other. But ultimately I would like to see the shared economy of insurance go that direction.
Cuz we've seen it in even, you know, other areas where maybe car insurance has also done it where you've got time based insurance or the risk is higher. So then you know, the, the premiums become more flexible that it's not static. You actually, depending on high risk times that that can fluctuate just like electricity does. That's something good.
I've seen it in the maritime where a ship might, a ship's going down a path and there's a hurricane ahead and the insurance premium will say, okay, if you decide to go through that hurricane, the price is up or you can go around and be delayed and they will have to make that decision. So that's where you get into much more time-based and risk-based insurance. And that's where I think it's also gonna decide to go because we can't go down the same path we've done historically because the cost of math doesn't make up. Thank you. Thank you Joseph. Yep.
