Episode 49

Published on:

26th Jun 2024

Redefining Cyber Insurance to Meet Today’s Cybersecurity Challenges

In a landscape where cyber attacks are constantly evolving, is your business insurance keeping pace?

Welcome to another episode of Razorwire! I'm your host, Jim, and today we dive deep into the dynamic world of cyber insurance. Neil Hare-Brown and Matt Clark, two industry experts, are with us to share their wealth of knowledge and insights on how cyber insurance has changed to address today's security challenges. 

In this episode, we cover the critical role of cyber insurance in modern security strategies, from mitigating the financial impact of cyber incidents to navigating the details of underwriting and premium setting. We also discuss the increasing trend of third party attacks and why companies must prioritise reviewing their vendors and suppliers. By the end of this episode, you'll have a clearer understanding of why cyber insurance is no longer a luxury but a necessity, and how you can leverage it to bolster your organisation's cyber resilience.

Key Talking Points:

1. Rising Costs and Frequent Threats: Neil explains why cyber insurance is crucial for mitigating the significant financial impact of cyber crime.

2. Underwriting and Premiums: Matt tells us how insurers use data and tools like ransomware calculators to set premiums and how businesses can proactively improve their cybersecurity posture.

3. Vetting Third Party Vendors: We discuss why we must thoroughly assess third party providers, with insights into new insurance services and facilities aimed at helping businesses manage and recover from cyber incidents more effectively.

Tune in to discover how cyber insurance can be an integral part of your organisation's defence strategy and ensure you're prepared for whatever comes your way.



Cyber Risk Management: 

"I think there is still quite a long way for businesses to go, for boards to appreciate that cyber risk management is not an operational problem."

Neil Hare-Brown



Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:

- Impact of Cyber Incidents: How to accurately estimate the financial repercussions of cyber attacks.

- Ransomware and Business Email Compromise: We discuss the current trend for ransomware and business email compromise, and how to protect your organisation from the increased frequency and severity of the attacks. 

- Double Extortion and Data Breaches: The evolution of cyber threats which includes tactics like double extortion and significant reputational harm.

- Using Data to Inform Insurance: How data from insured cyber events helps give risk insights for setting premiums.

- Proactive Cyber Risk Management: Why it’s essential to have a cyber champion on the board.

- Third Party Risks and Cyber Insurance: Third party attacks can severely impact businesses, highlighting the need for comprehensive cyber insurance.

- Evolving Insurance Facilities: New offerings such as breach response services are becoming more accessible and affordable.

- Post-Incident Actions: Breach experiences often lead companies to enhance cybersecurity measures and seek appropriate insurance coverage.

- SMEs and Cybersecurity: Smaller enterprises struggle with maintaining effective cybersecurity processes and benefit greatly from cyber insurance.

- Continuous Learning in Cybersecurity: Why we must continue to learn and evolve for effective cybersecurity strategies.





Other episodes you'll enjoy


Cyber Insurance: Is It Fit For Purpose? 

https://www.razorthorn.com/cyber-insurance-is-it-fit-for-purpose-razorwire-podcast/ 


SolarWinds’ CISO Under SEC Scrutiny: The Impact On The Infosec Community

https://www.razorthorn.com/solarwinds-ciso-under-sec-scrutiny-the-impact-on-the-infosec-community/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter: @RazorThornLTD

Website: www.razorthorn.com




All rights reserved. © Razorthorn Security LTD 2023



Transcript
Jim:

Hello and welcome to another edition of Razorwire with your host James Rees, myself. Now today we are going to be revisiting the wonderful world of cyber insurance, where we're going to be discussing the current situation with cyber insurance, what the current trends are, what do we think about it? And I have some fantastic guests to help me along on this journey and we will introduce them right now. Welcome to the Razorwire podcast, where we discuss all things in the information security and cybersecurity world, from current events and trends through to commentary from experts in the field, providing vital advisory on what it is to work in the information security and cybersecurity space. And to talk about the revisit to cyber insurance for Razorwire, who could I not have back but Matthew Clark. And today we're joined by another professional in this side of things, on the more incident response side of cyber insurance, Neil Hare-Brown, an old friend of mine from way, way back. Neil, do you want to introduce yourself first since you're the newbie? And then we'll move on to Matt.

Neil Hare-Brown:

Yeah, thanks. Thanks very much for inviting me today. I've been in this space for 40 years, originally with law enforcement looking at computer crime, the first computer crime unit in the back of Holborn police station, and assisting in those sort of early investigations, pre Internet, I should say, some of them. Then moving into CISO roles, or they weren't called CISO in those days, CISO roles for a few banks. Then I set up the first computer forensics company in the mid nineties in the UK, and grew that and then moved into the cyber insurance side of things. Over my career I've sort of had the pleasure of looking at risk quite deeply, working with people such as Jack Jones on FAIR, other risk modelling methodologies such as OCTAVE and our own methodology that we made up as well, or made up, formulated. But in terms of cyber insurance, I've been in that area now for twelve years, set up, I think, one of the first, if not the first, incident response service for insurers in 2012 and sort of groomed that. And now dealing with over 100 claims each year, ranging from business email compromise to ransomware and everything else.

Jim:

Really fantastic. Welcome. And returning, we have Matthew. Matt, do you want to introduce yourself? It's been a while.

Matthew Clark:

It has. Thanks for having me back on, James. Delighted to be back on. Yes, I'm Matthew Clark. I've been in insurance for almost 40 years now. Various different roles, but chiefly risk advisory type positions, working for insurance brokers in different parts of the world and a very broad array of different types of industry sectors that have been served, particularly, I think, a passion for any kind of scientific and technological enterprise, businesses of all sizes, from startups right the way through to multinationals. And I'm currently working for Partners& Group as the cyber director. And we're essentially helping to get our clients on a journey of understanding around cyber risk and what it can do to their businesses, regardless of what size or sector they're in.

Matthew Clark:

So a lot of what I do now is engagement focused work, trying to get conversations started, or help colleagues to get conversations started with their clients around cyber risk, not necessarily with a view to flogging an insurance policy. At the end of the day, I have to say what we do is we focus on client resilience. So much of what we're focused on is helping clients to understand what cyber is, particularly SMEs, where there's often a lack of understanding there, and using tools and materials that we've developed ourselves, or third party tools and materials that we've brought in, to help sort of put colour on the subject, and then to help assess what those clients need to do about getting themselves into a more resilient position, using common sense, practical steps to improve their cybersecurity. In doing so, that happens to make them more insurable. And cyber insurance is something that's been available now for over 20 years in one form or another, and has, in more recent times, coalesced around a specific, almost standardised type of coverage, although there are still variances between different insurance products. We're on a journey, as I say, to sort of making clients aware of the benefits that insurance can bring in the sphere of cyber risk.

Jim:

So basically, yeah, we're revisiting cyber insurance. And when we talked about it last, it was very much a case that I think the industry was still quite new to kind of the whole insurance side of things. And maybe a lot of CISOs, a lot of infosec people didn't quite understand what cyber insurance was, what it really covered, when they could kind of claim on it. And I know there was one specifically large case that was going to court where, you know, there was a potentially large payout that needed to happen to a particularly large organisation who'd experienced one of the early day kind of like ransomware attacks, I think it was, without going back through the notes. Where kind of are we now with cyber insurance within the security industry? Is there a lot more awareness now, or are we still kind of in the space where we were a couple of years ago? I mean, obviously, attacks have gotten bigger, they've gotten more prolific. Where are we with it?

Matthew Clark:

I'm happy to share some stats which have cropped up in my world over the last few years, particularly since COVID hit. I think there's no definitive go-to statistic, though, for the amount of cyber insurance currently sold, but the estimates tend to range between. I know Aviva recently published some stats where they felt that penetration rates were around 10%. I think CFC and a few others, these are insurance companies, reckon that it's probably at best around 15%. So if we consider that between ten and 15% of UK businesses buy cyber insurance, we still have a lot of work to do. Right. In terms of addressing that underinsurance that currently exists, particularly with SMEs, particularly with small to medium sized businesses who we know are the ones that are attacked. So I think it's improving.

Matthew Clark:

We've certainly seen in our own panel of accounts, and we have around 40 to 50,000 clients, so it's a decent representative group, if you like. You know, we've certainly seen the penetration rates increasing gradually there. Not as fast as I would like, but I think the awareness factor is slowly starting to bite. I think that the hike in attacks that happened as a result of COVID and people suddenly having to pivot their operations outside of their customary firewalls and so on, has driven a lot of activity in this area. People are now realising they have to think about this space. Brokers such as myself are having conversations with their clients more regularly about the existence of cyber insurance and how it might bring benefits to them. So there is a lot more work still to do, but it's certainly increased.

Jim:

Right. And Neil, you're in this space from our perspective, so are you seeing something similar? I mean, what are you, what are you seeing from your angle?

Neil Hare-Brown:

It's definitely, as you're saying, I would say it's been a slow uptake, and there was certainly lots of fear, uncertainty and doubt that was being spread in the sort of cyber, cyber risk management circles, sort of. And a lot of it was just not true, essentially, about the downsides of cyber insurance. And so, you know, I remember attending a couple of rants and people were putting in their sort of ten pence worth about the downsides of cyber insurance. And if they were working in the cyber insurance fields, like, I think, you know, we're lucky, my company at STORM Guidance, we're, in a way, quite lucky that we've been on a lot of the journey of cyber insurance prior to, I would say, 2010. Whilst cyber insurance, or cyber liability insurance as it was called then, was possible to buy, et cetera, it was a very specialist product and it's really only since about 2012 that it's gradually become more and more popular. And really from 2017 until now has been much more growth. There's still a long way to go in the UK, as Matthew was saying.

Neil Hare-Brown:

I think that the penetration might be somewhere between ten and 15%. And so compare that with the US, where it's towards 40%. There's still a long way to go. And it's really regulations in the US that have driven the growth of cyber insurance in the US. And I'm hoping that one day the Information Commissioner will grow up here in the UK and start to enforce the law a little bit and make people respect it. Maybe we'll start to get the same sort of similar focus for businesses as to what they'd be looking at when they have an incident in terms of their regulatory obligations. So, yeah, I think there is a growth going on at the moment. I hope it's going to increase a little bit.

Neil Hare-Brown:

Most companies do not appreciate the sort of impact that cyber incidents are going to have on their balance sheet. The work that Matthew and his colleagues and lots of other people in the field are doing, enlightening them as to what those impacts are going to be, should definitely drive them into thinking that cyber insurance is pretty much the only option to deal with some of these costs.

Jim:

I mean, we see a lot of figures bandying around for the average cost of cyber incidents and all the rest of it. And Neil, whilst we have you here, obviously, are those kind of figures that we're seeing realistic, or do you have sets of figures yourself that you're seeing? And then obviously we'll go to Matt, who no doubt will give you kind of like a view from their angle, what they're seeing. What are you seeing from your side of things? I mean, obviously you've got the ransomware element, as you mentioned, the legal element, which is still yet to catch up, but then you've also got the clear up operation as well that comes with that. I mean, what are you seeing?

Neil Hare-Brown:

Risk is two factors, right? The probable frequency and probable impact. And I think the probable frequency, as most people in the profession, hopefully all, would attest, has been growing over the last 5-10 years, definitely the last five years. The frequency of various specific types of attack, really, it's ransomware and business email compromise that have driven the frequencies up. And at the moment, I think there is a little bit of a lull. It definitely has come in waves for us dealing with claims. And there's a slight, I wouldn't say tail off, that is the wrong term, but there's a slight sort of pause at the moment. Most of that is because the Russia-Ukraine war has been going on for a couple of years and people who had left the country to avoid the draft on two year visas have now had to come back and they are getting caught in the new draft in both countries. And so that is putting a little bit of a kibosh on their operations, especially on the ransomware side.

Neil Hare-Brown:

But anyway, nonetheless, it's still quite prevalent. On the other factor, on the probable impact or probable loss, that is cost, that has gone up and up and up. And certainly the way that threat actors now have modified their attacks to extort businesses, not only for the impact on availability of data, because, for instance, with ransomware, that data has been encrypted and needs to be decrypted potentially, if businesses don't have backups, then. But there's the other side of it now, which is a reputational harm that comes from a data breach. So that sort of double extortion is now very much the flavour of the month or flavour of the year. That's also extending now into business email compromise, where the attackers are saying, well, we've hijacked this mailbox or that mailbox, and now that's given us access to n gigabytes of, in some cases, quite sensitive messages plus their attachments. And so how about pay us not to release that data publicly? So extortion is starting to rear its ugly head in business email compromise as well.

Jim:

Bit like that Sony hack as well, because we saw a lot of that with the Sony hack, didn't we?

Neil Hare-Brown:

Yeah, and I think the threat actors, it's quite strange that I'm sure anyone who sort of deals with incidents on a regular basis would sort of attest to the fact that business email compromise threat actors are, you know, a different bunch from the ransomware as a service threat actors. And, you know, they've been driven by different modus operandi, they've had different aims. There's many more business email compromise threat actors than there are ransomware as a service. If you go right to the sort of the apex cyber criminals, there aren't many of those. If you're looking at ransomware gangs, obviously they've got thousands of affiliates, but if you look at the actual, the drivers, the apex criminals, whereas with business email compromise, it's much more widespread and the threat actors are in many more different countries and their fraudulent deception techniques are also very multi language. So there are those. We're seeing things develop in different ways.

Matthew Clark:

Yeah, I think this is an area where the available. The only good thing about cyber attacks when they happen and when they're insured, is that it gives us data. Right? So since COVID hit, or even before then, just the massive insured cyber events have given us useful information we can interrogate and look for trends in. And it's enabled us to be able to provide some quite startling insights to clients and prospects. So with tools like CFC's ransomware calculator or Coalition, another US cyber insurer, they have a similar tool available on their website, which I believe is free to use. You can actually put in a little bit of information about your business and the size of the business, its revenue, its staff count, and you'll get an indication based upon empirical claims data from cyber claims made by businesses of your size in your sector. It'll tell you what they cost the insurers to pay. So they're really useful insights, compelling insights for businesses now to be able to put a value on what a cyber attack could cost them.

Matthew Clark:

Different types of cyber attack. Neil's absolutely right. It's all about ransomware attacks. It's all about funds transfer frauds, which is the kind of downstream consequence of business email compromise very often. And those are the two major types of cyber attack that we see resulting in claims. As long as it's easy and lucrative for the bad guys to do this, they will continue to do it. There's ransomware as a service, routes into that market now that they can use to make it super easy. Ransomware gangs can, crime gangs can make it super easy to pull these things off.

Matthew Clark:

We see the government now taking an interest. Of course, the UK government has its annual cybersecurity survey that it puts stats out on each year. The last one I saw was for 2023. I think the next one comes out in April/May time, if I'm not mistaken. But last year, the report showed that 32% of businesses were reporting at least one cyber attack against them in the past twelve months. So right away you can see that the frequency is around one in three. Okay. Which is a useful thing to be able to say to clients who are considering this area and maybe cyber insurance.

Matthew Clark:

Well, there's a one in three chance you're going to become a victim. And here's some free empirical data that shows us what it's going to cost when it does happen. So those two things collectively are now a really powerful way of putting some colour on this issue, particularly for smaller businesses, helping them understand, therefore, what the benefits of an insurance policy would be and how valuable the premium is in relation to their exposure. Right. Because that's ultimately what they're going to be considering. Is my risk here sufficient for me to fork out for the premium?

Jim:

Okay, so, I mean, speaking on premiums at the moment, what are we looking at nowadays when it comes to cyber insurance and getting it? How is that premium set these days?

Matthew Clark:

Well, I mean, insurers, I can probably start with this one. Insurers have gotten better and better at using this data that they now have to assess frequency and severity, which, as Neil was saying earlier, if you can understand how often something's going to happen and what the impact is going to be financially, you've got the basics for modelling some insurance pricing. And the more that these attacks happen, the more data that we have around that. Of course, insurers have other tricks up their sleeve. They can use things like honeypot trend analysis information to see how the bad guys are operating. They can relate that to the kind of domain scan data that they have on their clients to see whether maybe there are vulnerabilities. They can be proactive about getting policyholders to repair or improve cybersecurity during the policy period, actually, oftentimes, so that there's less chance of a claim having to be paid. All of that has a downward pressure on the premium. But just jumping back, the last couple of years, we saw a spike in claims following COVID. We saw the insurance market contracting a little bit after that, as they always do in that sort of cyclical cycle.

Matthew Clark:

We saw insurance premium rates climbing, we saw greater demands on cyber security. We want you to prove yourself to be more insurable before we insure you. Those sorts of conversations were happening a lot, and it was quite tough to get insurance for a lot of businesses. We're now seeing a relaxation of that slightly as we finish 2023, and we're going into 2024, where there's less pressure on pricing. There's not so many dramatic price rises as there were in premiums. Assuming that you've taken some very basic, practical, common sense steps to protect your domain, you can have insurance as an SME from a few hundred pounds a year. Those are the sorts of prices that we're seeing out of composite insurance markets. There are some really good new facilities that people like Aviva have just recently released.

Matthew Clark:

They've launched a breach response kind of only service which doesn't have the insurance necessarily stacked with high limits, but actually is giving you a backbone when you get hit and full access to their breach response panellists to help you recover and respond from that, and you can have that from 50 quid a year. So it's very affordable, it's very practical. You do still need to take some minimum sensible steps to protect yourself. But the insurance market has done its level best to make insurance as broadly available as possible, as affordably as possible.

Jim:

Neil, from your experience with some of the customers that you've dealt with on this, obviously you deal with the other side of it. Those customers have had those incidents. Are they starting to. Do you deal with the insurance companies as well? Or is it independently, the people who've been breached coming to you? Is it referred by the insurance companies? How does it work in this particular industry that you're in?

Neil Hare-Brown:

By and large, it's insurers. We are on the insurers' panels. So they will provide. The insurers will provide as part of their policy through the broker, they'll provide the hotline details, etcetera, to the. To the insured customers. And then when they have an incident, usually, actually, they usually call their broker, but if they were to read their policy documents, they have to call us directly. But it doesn't matter. You know, in a very short period of time, we get to speak and respond to the incident.

Neil Hare-Brown:

So that's essentially how it kind of works. We've got a separate service where we. For those organisations that either can't get insurance cover or don't want to get insurance cover, or as Matthew was saying before, maybe on the trajectory to attaining insurance cover, but can't get it quite at the moment. We've got what's called Cybercare, which they can sign up to, and we'll provide the hotline support, pretty much everything they need. You know, the legal advice, the crisis PR, the technical sort of computer, digital forensics and investigations, ransom negotiation and settlement. We've even got a trauma counsellor on our team as well. We're trying to encourage insurers to add trauma counselling in as an area of coverage. They haven't done it yet, but we are really hoping they will, because we found in so many incidents that the.

Neil Hare-Brown:

The trauma that can be caused to senior management that are in the thick of things when they have an incident, or to the IT team, and sometimes also the guilt that's suffered by the actual poor victims who were scammed or were phished. So, yeah, that's. That's like an important aspect as well. But we've really worked hard over the last decade to have like an all in one, all encompassing service that provides anything that a victim would need to investigate and recover.

Jim:

Okay. And, like, when it comes to kind of those customers who have experienced it, do they. I take it you see them kind of go through a period afterwards where they really increase their security. They've had that incident, they've realised how bad it can get, they've experienced the horror, and it's kind of like, well, I'm never going through that again. Do you see a good uptick in people who say, right, what we're going to do is we're going to shore up everything that we've got, we're going to start getting some of the more modern things, like continuous pen testing or, you know, update our technological security countermeasures, make sure we've got good incident response. I mean, one of the things I've always said to all our customers is always have robust incident response, because you are going to have an event at some point. You're going to have an event, you know, you have to test it, you have to make sure it works. And indeed, if you're required to meet the PCI DSS standard or ISO 27001, one of the aspects that you see in there is, you know, you've got to test it, you've got to war game it, so to speak, which is becoming even more popular these days. Do you see a massive uptick in awareness, not only for the companies that deal with it, but maybe the adjacent companies as well? Either the parent companies, the other companies who are in their space, suddenly come to you and say, can we have some insurance? And by the way, it would be great to make sure we got some decent incident response.

Matthew Clark:

We have. Just interestingly on that, James, something like a third, I think it's about 28% when I looked at the number of people that ask us for quotes, are because they've heard of peer group companies suffering an attack. So it's a fear of that happening to us which drives them to approach us. The other thing we're seeing a lot is counterparty requirements in contracts. So you touched on a few standards there, and they may well require or lead to or just make it very sensible to have insurance, but we are seeing lots of counterparties requiring customers, our clients, to carry certain types of insurance, certain levels of cyber insurance as well. So that's becoming a thing. But as with any other type of insurance claim, be it a fire or a flood or a theft, we always find that people get wise after the event, so you try to get them to a good place and make them as resilient as possible with clever risk management before these things happen.

Matthew Clark:

But if there's a loophole and something does occur and they get hit, they can learn from that and they can do better next time. And cyber is no different to that. So we're constantly talking to clients about taking those practical steps to protect themselves, to have a good corporate governance story to tell about your processes and procedures, building a cyber aware workforce with great training, adopting a privacy first or security first infrastructure, having a good story to tell about device patching, updating software, authentication, encrypting data, and having, as you said, a plan for disaster. So those are the sorts of areas where we're spending a lot of time talking to clients about what they should be doing, which would reduce their cost, their chance of becoming a victim, and when it does happen, makes it much easier for them to recover and survive the event for sure.

Neil Hare-Brown:

It's a good point, Matthew. I think what we found, we looked at our claims data after many years of first response, and we wanted to identify what it was that companies who were suffering incidents were getting wrong. Not so much at the operational level. If you think every business has got a strategic level and they've got tactical, and then they've got operational: executive team, middle management and then specialists, whatever they do. And we wanted to find what it was they were getting wrong. At sort of like the board level, we found seven key strategies, which are completely non technical things such as what's the IT budget as a percentage of revenue? What's the, what we call the IT staff count ratio? How many IT support people have you got for the number of end users? And that can include third party providers as well, sort of like full time equivalents. That's just an example of two. You know, one of them is responsibilities.

Neil Hare-Brown:

Have you got someone on the board? They can be a NED, but someone who is, if you like, a cyber champion. There are these seven key strategies and organisations. We're finding that organisations that are challenged in cyber, even if they've got a CISO, for instance, even if they've got people who are responsible and who are, who know what they're doing at the operational level, they can still be very vulnerable, because as a business, they haven't got a strategy for dealing with cyber risk management. So at the end of the day, if money runs out in one particular area or whatever, and you see, I'm sure you've seen so many of this yourself, James, where businesses are, in a way, they are managing cyber risk on a shoestring and on a best efforts basis, basically. And even medium sized and large companies that we've dealt with will respond to the incident, and the senior management team will have never met anyone in the IT department, and that includes the senior management in the IT department. You know, you know, there's a different, there's particular techniques of actually managing that situation effectively. But nonetheless, I think there is still quite a long way for businesses to go, for boards to appreciate that cyber risk management is not an operational problem.

Neil Hare Brown [:

It's something that they can ultimately control. I mean, for instance, you would never get a board saying that health and safety is, you know, an operational problem. You know, they will appreciate that health and safety is a board level problem and they have to strategize for it. And cyber risk is no different.

Jim [:

Yeah, it's definitely interesting. I mean, you know, we've been remodelling our defence in depth kind of recommendations to customers for quite a while now, you know, moving towards a more kind of active level of defence, rather than a reactive level of defence, which is the more traditional method of doing it. Obviously, you still need your endpoint security, you still need your firewalls, you still need all the various different things that you needed before, but also adding in a lot more kind of emphasis on GRC. And we've started putting in recommendations on things like cyber insurance as something that should definitely be looked at and definitely considered. And I think one of the big questions I have is, we've seen a bit of a trend recently, and I don't think it's going to change anywhere. People in the manufacturing industry and in the service provider specific industry are getting hit through their third parties. So they're not the ones that have necessarily had the big hit. They are definitely the ones that are suffering from it.

Jim [:

But it's down to somewhere down in the food chain, a cloud provider, software provider, a backup provider, or something that gets hit, which by proxy causes them to have their own security incident. Does cyber insurance kind of cover people for that as well, or is that like an additional product on top of a standard cyber insurance policy? I'd like to understand that a little bit more.

Matthew Clark [:

Yeah, for sure. Absolutely it does. It can. And that sort of exposure or threat vector, the way an attack can occur, is super important. It's a very important piece of the underwriting process for brokers like ourselves to ask the relevant questions that tease out the information that shows us that that's a risk. Right. And you're right, the vendors that companies depend upon, the technology supply chain that they have, is now often, even for smaller businesses, quite sophisticated. And the realisation must be there, and we do talk to clients about this, that the attack doesn't have to happen against our client for the losses they suffer to be insured. It can be against one of those third parties that they depend upon, or it can come from a third party vendor who's accessing our client's systems in a way which isn't as secure as we'd like.

Matthew Clark [:

So, yes, definitely that's the case. It's something which clients need to be alert to, and it's something which insurance is available for. That can happen. Obviously, there'll be an underwriting process to that. So insurers will look at the manufacturer, for example, and they'll want to look at their operational technologies, or they might want to look at the vendors that they're using and how they're accessing their systems and how it all fits together. And they might have demands around that: endpoint detection and response, or managed detection and response, whatever it is that's appropriate to mitigate the risk. But that is something that they should be aware of. And the revenue dependencies that flow from those kinds of events can be quite severe. So having the right level of insurance in place to deal with that is very important.

Neil Hare Brown [:

Yeah.

Jim [:

Neil, are you seeing a lot more kind of attacks on people's... I mean, what's it like for an organisation who has experienced this? You know, they have their insurance policy, it's a third party, or a third party of a third party, or even a third party of a third party of a third party that gets attacked, and one minute everything's peachy, everything looks cool, and the whole world suddenly drops down. You're the man in the chair here that kind of gets to hear these conversations. What are you seeing and what do you think about that?

Neil Hare Brown [:

Yeah, there are definitely more incidents that are, if you like, supply chain incidents. The MOVEit attack last year, the CTS attack. CTS provide hosted services for lots of law firms. I don't know if you read about that in the news, but, you know, there were a number of law firms that were doing, for instance, property conveyancing, with their poor customers, clients I should say, who were trying to complete on their property purchases and were unable to do that. So that sort of had a knock-on effect. And, you know, the MOVEit one was quite a big one, and there's still fallout from the MOVEit attack, with insurers reserving their right to subrogate losses. This is essentially where the insurers make good the losses of the insureds as part of their cyber insurance policy, but then the insurers also have the right to what's called subrogate. So they have the right to take up with where the actual failings were, for instance with a third party provider, and to take legal action to recover their losses from those third party providers.

Neil Hare Brown [:

So they've definitely reserved their rights, those various insurers, in both of those two instances. And I'm sure that this will occur a lot more, but it certainly brings up the point about procurement. Insured organisations need to really think about what their procurement team is doing when they are procuring various services, various technologies, etcetera. And the procurement team are a very good first line of defence. So they're really the team that needs to be trained up in what cyber risk management is all about and what they should rightfully be able to expect from the providers of those services to their organisation.

Jim [:

So basically, one of the questions they should probably be asking as part of the standard questions at the beginning, whenever somebody's coming to provide services to their organisation, is: do you actually have any cyber insurance? Item number one, do you have infosec people, and do you have cyber insurance?

Matthew Clark [:

It's a common question we ask, and very often clients wrongly align cybersecurity with IT, so they think it's all the same thing. So again, you have to go through the process of educating them that these are actually two different specialties, and you can have fantastic IT, and that's wonderful, but it doesn't necessarily mean it's completely secure. And you need somebody from a cyber security standpoint with that kind of specialist knowledge to review things there. I think Neil made a great point a moment ago about subrogation, and one of the benefits of insurance, I always feel, which is probably undersold, is that when a business has it, it doesn't have to worry about pursuing negligent third parties itself. You might have that dependency on that cloud provider or that third party software system, and that could be where the intrusion occurs from. You don't then have to wade through your terms and conditions with them and try to sue them for having caused the breach. Your insurance policy will pay your loss, and then if the insurer so chooses, it can go after that negligent third party. It takes all the headache away from that.

Matthew Clark [:

It gives you the satisfaction and the reassurance of knowing that you don't have to do all of that. You can just rely upon your insurance to indemnify.

Jim [:

Okay, so we're reaching the top end of our time together. And one of the things I really wanted to kind of hit from both angles is, okay, so, you know, we've established that cyber insurance is now becoming a need to have rather than a nice to have, which is kind of maybe where it was a number of years ago. Just looking at the monetary value that Cybersecurity Ventures have said cybercrime is going to be worth is a pretty good indicator that it is definitely something that you need to look at for organisations going out there to procure that kind of thing. Is it advisable, from yourselves as the insurer and as people who've experienced what it's like to see these companies go through things, that things like ISO 27001, good certifications, adherence to good security practice, having the CISO and cybersecurity professionals as well as information security professionals, and having a full programme, a strategy underpinning technological infrastructure, that whole defence in depth piece, can that kind of reduce down the premiums that they can expect when looking to get cyber insurance? Because I think, from speaking to people a while back, I'll be honest, on the subject matter of cyber insurance, they were very concerned that it would be quite a high premium for something that they didn't necessarily get a payout for. And I think that maybe that's one of the blockers, or one of the things that you've got to get over when talking about cyber insurance with a lot of these people. Is that something that you guys would recommend? Is that something that the insurance companies consider? And after an event especially, and this is where obviously we'll go over to Neil, if you have had an event, obviously you're going to see your premiums rise. Can you then bring your premiums back down by adhering to that? So let's start with Matthew.
First, to keep your premiums at what would be considered a reasonable level, what would you advise organisations to do?

Matthew Clark [:

Yeah, I think, again, just mentioning Covid, it's difficult to avoid it in these conversations. Immediately after that, when it became obvious that SMEs in particular were at risk and very often hadn't taken any basic steps to protect themselves, they were uninsurable. So it almost didn't matter how much they were willing to pay for insurance. If they didn't take those basic steps, it wouldn't be available to them. And that's sort of still the case. You know, what a lot of insurers now do is rely upon their external domain scans as part of the underwriting process. They don't need a lot of information from the client themselves; they just get it by using their own tools to scan for vulnerabilities. In addition to which, they'll often ask for a proposal form to be filled in. That may go a bit deeper, but essentially the insurers can get a lot of information just from their own scans these days, and they will often tailor the amount and extent of coverage they're willing to provide around that.

Matthew Clark [:

So if you go further and you invest in an endpoint detection and response solution for your manufacturer, for example, then that will enable you to have higher limits and lower premiums and better premium rates, all that kind of stuff. So there definitely is a correlation between an improved, enhanced cybersecurity posture and broader insurance terms: better coverage limits, lower insurance premiums. It's rarely the case that we see insurance premiums necessarily spike immediately after a claim. What we tend to find is that insurers will always have a conversation around what happened in these specific circumstances. What do we need to do, if anything, to stop it happening again? They won't just launch straight into a higher premium; they'll have that conversation. And to my mind, it is all about having those conversations. A lot of insurers like to see a cyber aware workforce.

Matthew Clark [:

If you don't have a cyber awareness training programme in place, you need to get one. They're freely available, actually; the National Cyber Security Centre is a good place to start. Or of course, there are various vendors that, for a subscription, will set you up, and it's very affordable. Having authentication, multifactor authentication, on your email accounts, on your remote access points, is super important. And the stats just show us that claims drop when you've got those in place. So insurers, of course, love them. Like having an intruder alarm on the front door or a fire alarm to detect smoke. You know, it's basic stuff like that which you need to have.

Matthew Clark [:

The other sorts of measures will really depend upon the client, its size, its sector, what it's doing, its level of technology, its use of operational technologies, its dependence upon third party suppliers and technology suppliers. But having a broker that knows how to ask the relevant questions and get the right solution for you is just super important there.

Jim [:

And just a very quick one. Just to add onto the end of that question before we move over to Neil, what about specific certification like PCI DSS? It's a bit of a thing here. Is there insurance that will cover you not only for, obviously, the event and the clear up and so on and so forth, but also potentially the fines that are incurred from that, or do you still not insure against that?

Matthew Clark [:

No, cyber insurance will pay for PCI related civil fines and penalties that relate to an event which involves, obviously, Payment Card Industry Data Security Standard breaches. So that is something that's generally available, broadly available as standard in most policies. Obviously, if you've got a corner shop that's dealing with a few tens of thousands of card transactions a year, it's going to be a different level of cyber security questions and controls that the insurer will ask around, versus a company that's got four or five million a year. We need to get into that. But certainly that coverage is available. And to answer your first point, insurers don't generally dictate that clients have to have an ISO accreditation or Cyber Essentials certification, but where it's prudent and necessary, we will ourselves say to the client, you should do this. Particularly around Cyber Essentials, which I'm actually a big fan of. And for smaller businesses, it's a very convenient, easy, affordable way of de-risking their enterprise against quite a large proportion of day to day cyber risks.

Matthew Clark [:

So it's a very, very useful thing to do.

Jim [:

Basically, it doesn't hurt to have it.

Matthew Clark [:

Doesn't hurt to have it. Exactly.

Jim [:

Cool. And Neil, again, from your perspective, what are you seeing?

Neil Hare Brown [:

That's exactly right. Businesses can adopt various practices to, if you like, make their adoption of cyber insurance really work for them. Lots of insurers provide value add risk management services as well, including things such as attack surface scanning, things like that. But I think, just like anything else, it must be taken into account that whether it's Cyber Essentials or attack surface scanning or anything that we've been talking about, on its own it is not enough. You know, it's all about a layered approach. MFA on its own isn't. You know, there is no cyber silver bullet. Basically, we've had a few incidents now where MFA has been compromised or routed around.

Neil Hare Brown [:

You know, it's all about various different layers of an onion that organisations need to implement. And obviously, if you're a medium or a larger organisation, it's going to be a lot easier. If you're sort of on the smaller, micro end of the SME, then it's quite a complex thing to do. So it's kind of critical to just look at what those key controls are. And as I said, I think even for smaller businesses, start at the board level first, get your strategies right, and then you can have a high level of confidence that everything else will flow. If you haven't got decent IT budgeting, if you're running your infrastructure with legacy technology, if you don't have the number of IT people, external or internal, to look after your end users, it's just a matter of time until you have an incident. And it won't matter how much EDR you've got, or MFA, or whatever, it won't matter. You will still get breached.

Neil Hare Brown [:

So get the strategy right first, then think about what you need to do at, if you like, a tactical and operational level. But remember always that attackers are trying to break process. They're not trying to break people, they're not trying to break technology, they're trying to break processes. And it's what us human beings don't like. We don't like processes, right? And so, you know, it's always the process which is the area, certainly for SMEs, where they are least mature in adopting, you know, effective processes, whether it's cybersecurity or quality control or whatever it is. So, yeah, it's the process which is the hard nut to crack, and that's what's got to be supported, if you like, from the board level down.

Jim [:

Fantastic. And I totally agree with you, and I think now's the time for us to really reconsider when we look at our defence in depth, which is basically what Neil was going through with the onion. Sometimes it's an onion, sometimes it's an iceberg. It depends on what your preference is. Cyber insurance is definitely one of those items within that stack you do need to consider, because if all else fails and you're currently running on your incident response to kind of recover from it, you are definitely going to need your cyber insurance people to help you out to recover. A lot of organisations don't. There are a lot of cases in the past where that has been a significant problem. So for all of you out there considering cyber insurance, let's have another look.

Jim [:

Let's reconsider it. Get in touch with Matthew, get in touch with Neil. Have those conversations, get in touch with us. We'll refer you over to whoever you need. It's definitely something in our space that we definitely need to consider going forward.

Neil Hare Brown [:

I think you have to remember, really, that cyber insurers, if you take it from a selfish point of view, don't want to have claims any more than you want to have incidents. So they are going to do whatever they can to drive those claims down. And that's going to be something that can help you out a lot to reduce your overall exposure to attacks. So everyone's on the same side, basically.

Matthew Clark [:

One other thing on that. I'm happy to give any listener on this call a free domain scan from an insurance company we use, so they can see where, at least from an insurer's perspective, they feel their vulnerabilities are. If anybody wants to reach out to James, you can connect them to me, James, and they can have that as a freebie.

Jim [:

Absolutely. And thank you very much, Matthew. Right. Our time together has come to an end. So thank you, Matthew. Thank you, Neil. It's been absolutely fantastic to revisit this. No doubt we will revisit this again in another six months or a year's time.

Jim [:

Changes happen all the time in this industry. I mean, just the amount of change in the last two to three years has been mind boggling from a security sense. I mean, Neil's been in it for 40 years and he knows what it was like ten years ago. No one cared. Now everybody cares and everybody's panicking about it, and that's positive. So thank you ever so much for coming and being with us and going over those topics with us.

Matthew Clark [:

Pleasure. Thank you.

Jim [:

And thank you for listening to the latest edition of Razorwire. It's always good to get feedback. Please feel free to reach out to us. You can reach out to us via LinkedIn or through our website, www.razorthorn.com, if you feel that there's something that we should cover, maybe a little bit more in depth, a new topic or something of interest to you or the community at large. We'd be glad of any recommendations, or if you want us to interview people, we'll reach out to those individuals.

Jim [:

So it'd be great to see what your feedback is. In addition, I do have a book recently come out, The Cyber Sentinel's Handbook, a primer for information security professionals. Now, this book is very much geared towards professionals at all levels of their career, be they starters, be they newcomers, be they people who have been in it for a little while and maybe looking for a little bit more direction, or the older ones looking to maybe reground themselves in some of the more important aspects of the trade that maybe they've forgotten over time. I've had lots of good feedback from a lot of different readers at lots of different levels, so please feel free to get yourselves a copy. We've got the e-copy. We've also got the paperback copy. And if you don't want to spend any money, you can go on Kindle Unlimited and read the book for free there as well.

Jim [:

Thank you ever so much again. Look after yourselves and we'll be seeing you again soon.

About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com

About your host

Matt Cheney

Matt is a podcast and content creation coach with over 17 years of professional experience. He has delivered content for global media platforms, brands, broadcasters and apps, producing EMMY award-winning music features, BAFTA nominated animations and iTunes chart-topping podcasts, among other projects. He has edited and mixed over 650 hours of TV, recorded 10,000 hours of narration and podcasts, and produced tens of thousands of media assets for brands such as BBC, SKY, Nike, O2, Audi, RCA, Amazon and Google.
As the former Head of Audio for Vice Media UK and Rapid Pictures Post Production in London, Matt is well-versed in media and technology, as well as in leading and training creative teams.