This transcription is automatically generated. There may be unintentional errors.

Adam: Hello and welcome to the first episode in our new series, tales from the Cyber Lab. In this series, we’re going to be talking to industry experts about cyber security issues and topics that we’re finding the customers really want to know about. But today’s episode, I’m here with Eric. Eric, if you’d like to introduce yourself. Of course. Thank you very much.

Eric: My name is Eric Alter. I have been with Marsh for the last 18 years. We are the world’s biggest insurance brokers. I lead risk and cyber engagement for our corporate business.

Adam: For those of you that I may. My name is Adam Gleeson. I am the vendor alliance manager for CyberLab. So I look after all of our vendor relationships, as well as being a cyber strategy consultant.

Now, today, as Eric’s intro given away, we’re going to be talking about cyber insurance. and we’ll be following the same kind of format that we did in the last series. The podcast, the talking about what cyber insurance is, why we need cyber insurance and then and then going on to talk a little bit about how we do it and how we how you so prepare for this.

But in a deviation from the normal format, I think this one thing that the Eric flag to me and I agree completely in that cyber security as a business issue is something that I still see a lot of customers seeing it as this is an IT problem. And as we’ve had so quite an animated discussion about that, it’s not a light problem that it’s everyone’s problem is, is that it is not right.

Eric: I mean, I look at it very much from a health and safety lens. Everyone is responsible for health and safety, and the culture in the organisation is something that critically needs to be addressed. Everybody within the organisation has actually operational technology or any kind of outward facing technology, be it through their laptops, their mobile phones, etc., etc., is responsible for cyber safety.

Adam: Absolutely. Absolutely. And it’s also sort of, you know, having that understanding that that sort of follows on from that is that once everyone acknowledges and understands that everyone’s got their part to play in this, there’s an equal level of responsibility to a certain extent. But that is emphasised when you start to look at the costs of cyber insurance and the threats, the, the impact that they can have for the business and for everyone embracing and getting on board with it, then it becomes a bit more personal to that.

So they will be more defensive and they will be actively more suspicious of things like emails that maybe don’t quite look right. Or, you know, they have all the hallmarks of ransomware that they’re trying to sort of generate some kind of priority, or that they’re trying to get you to click on something or to go and enter into detail somewhere.

Eric: I mean, I think the issue is that cyber is not a security issue, a strategic issue. culture, like I said earlier, is absolutely key in this. You need to train people. You need to make people aware of what the threat landscape looks like. You need to test the threat landscape I issuing rogue emails to see if people click on them. You can set up your systems to demonstrate that it may not come from it’s coming from outside the organization. You can have a report phishing button on your outlook ribbon so that if people receive something they’re not sure about, they found it. There’s all kinds of stuff you can do, but it’s really about making sure that people understand that the disruption that the cyber is caused is absolutely massive.

The average downtime for an organization person, a serious ransomware attack is 19 days, and whilst you may have insurance cover in place to cover that. reputation, it’s going to be a struggle. And if you lose data specifically personally identifiable information, personal health information, reputational damage can be very severe.

Adam: It is. I’m going to stop you there because you’re actually resting more of a future okay Podcast. But thank you very much for that. This is something the training data security awareness training, phishing simulation that this kind of the user education piece is something we talked about in the last series of podcasts around training and enablement. So, if you’ve not seen that episode, I would definitely recommend you go back and have a look at that.

Okay, so moving on to cyber insurance. Now, what does cyber insurance mean? I can read out the market definition unless you’ve got it memorized.

Eric: Nope.

Adam: So Marshall defined cyber insurance, as a cyber insurance policy is also known as cyber security or cyber liability and shorts. It helps your business to recover losses and associated costs resulting from large scale breaches, business interruption, ransomware and other types of cyber attacks.

So I guess the question really is, what does it do?

Eric: Can we just to pedal back slightly? It isn’t just about criminal activity. It’s also about system failure. third party supply chain failure. So anything that disrupts your ability to function within the cyber environment is governed by policy. So what does the policy do? I was described insurance as a safety blanket. It’s something that you hope never to use.

Adam: Absolutely.

Eric: But when you do use it, you’re very glad you’ve got it.

Adam: Yes.

Eric: So the whole idea behind it is that it provides you with end to end support. So there are certain recommendations we make. So the first people you call when you think you suffered a breach are your lawyers because you need to establish privilege.

And after that you start informing the other parties how your insurance will then step in and put you in touch with crisis management. Or in our case, we’ve got our own crisis management. questions the management solution, which we can support. Our clients with. But it’s really just there to provide you with that support and protection in the first instance and then see you through your recovery and then return to business as usual.

Adam: So when does cyber insurance get involved? And we kind of touched upon this, and there’s this going to be a future podcast. We’re going to talk to a solicitors. So to touch on this, the legal aspect you just mentioned the but what’s, what is that the kind of that, that the workflow normally feels like when someone, you know, I’ve been hit with sort with, with a cyber attack. I’ve got cyber insurance, I contact the insurer up. What does that story.

Eric: so like so sorry to backpedal here again but you’ve got to look at it as a cyber incident. I suffered a cyber incident because the initial response very often tends to be not we’ve been attacked because there was because attacks are so prevalent. People are going to say when something the system starts to misbehave, it must be an attack.

Adam: It may be a system out to a very good point. Yeah, and I apologize because I should know better

Eric: it may be it may be an IoT failure and network failure, a hardware failure, a computer, a software failure. But when the incident happens and you’re not sure whether it’s incidental or accidental or criminal, contact the lawyers and talk to them about it, because you need to establish privilege in case it is something.

Adam: And I think and that’s for me, with with a technical background, that I don’t even think about that now, I’m aware that there’s the reputation of loss and stuff like that. And then there’s also regulatory compliance that, you know, you have a certain amount of time 72 hours, if memory serves you, you have to inform the ICO.

But it’s a much bigger, bigger picture though. Yeah. When it comes to to looking at a legal landscape as an

Eric: absolutely, you’ve got to establish privilege. You’ve got to make sure that you’re protected. You’ve got to make sure that the lawyers provide you with the most appropriate advice. They will tell you when to contact the ISO you got You’ve got 72 hours. So immediately contact the ISO when you’re not really sure what has happened, what data, if any, has been lost or compromised. It’s it’s just putting the cart before the horse in a way. So you contact your lawyers. After that, you contact your brokers and it will put you in touch with your insurers, or you got a record to your insurance and then, they will start working with you.

So it’s about having, forensic support. So it’s about making sure you understand what has actually happened. It’s about having crisis management support. So who do you communicate with? How do you communicate? With what state should you tell your clients? It’s about damage assessment. So, what has actually been damaged by the hack or by the incident? it’s about identifying what part of your network has been compromised or has been interrupted.

So there’s a lot of preparatory work that goes into your response. Because to take the response, well, everything’s down, everything’s out. No, might not be. So you need to get involved in forensics. So you need to look at the logs of your network to see when it starts to go wrong. You need to find out if something else is going on.

Now, if you receive an email saying, we’ve we’re holding your system to ransom, then you know pretty well what has happened. And again, the police will then tell you whether to contact, or sorry. The, the lawyers will then tell you whether to contact the police. who needs to be notified? Because the other thing you need to be aware of, if you have been attacked by a sanctioned entity, you cannot just engage, because if you do, then you could actually do your reputation and your balance sheet a lot more harm.

So if the sanctioned entity must always take legal and police advice before you engage, and you may well find that the police want to support you in that engagement.

Adam: And I think just just to go back, and such, your correction of me saying a cyber attack, we’re talking what actually managed to say was a cyber incident because that a cyber incident, as you alluded to, there were lots and lots of different things, you know, and that the insurance is there to help with all of those things as well.

Eric: Absolutely.

Adam: Know that especially with data breaches in particular. Yeah, that’s that’s where you need that legal support and what have you to, to make sure that your, you understand where you stand.

Eric: Absolutely. And I think one of the biggest challenges we face when engaging with clients is getting to understand, to understand what cyber means to them and what are the financial implications of a breach.

So, we come across some organisations who aren’t that worried if they suffer a breach because their data is encrypted or it’s protected, or it’s not that relevant of any value, you get some organisations where data is everything. So, in an organisation such as that, their inability to transact for a prolonged period of time can have a significant impact.

And if you’re in a highly competitive environment, such as logistics, you know, there was a case before Christmas where it very and then it just wasn’t mentioned for obvious reasons, were hit by a ransomware attack. And, they weren’t able to recover. So significant number of people lost their jobs and the business had to fold because the competitive environment was such, and the margins they were making were so tight at the moment they lost their ability to be customers, came in and took over because people still needed their goods and services delivered.

Adam: And it’s quite terrifying when you start to look at it in those kinds of terms. And that’s for environments. All for customers who operate in those kinds of, verticals. Then this, this stuff is really important to them. And that’s, you know, and hopefully you’re watching and you’ll get something out of this.

Cyber insurance has been around for quite a while, but I think the scope of it I originally said that it was, it was it was quite easy to get and which you correct me on. and the cost of, of cyber insurance has increased over the years, but I think as well as the scope of what the cyber insurance needs to cover increasing, it’s also the fact that obviously ransomware is becoming ever more prevalent as it has been over the last 5 or 6 years and that’s that, you know, when when people or customers talk about cyber insurance, the thing that is typically first and foremost in their mind is what if we get hit with ransomware?

Eric: Yeah, I mean, ransomware is not the biggest threat. Data extraction is the biggest threat. So a ransomware attack and this is really controversial, but you can almost say that a ransomware attack is a gift you know, they’re there you know, something’s going on, know

Adam: you’ve got an indication it’s not you’re not in that phase where they’re they’re you don’t know that they’re and that they’re creeping around, you know, exposing stuff and exfiltrating data

Eric: precisely. you do get organizations who want to attack and shipping actual trade data. They won’t look you down. They’ll take the data and they’ll disappear, because what they want is not data. you know, I mean, with a ransomware attack, there are potentially two demands. One, do you want your data back? Two, if you don’t give, if you don’t give us what we want, we’re going to release your data onto the dark web. And expose you to additional, you know, additional problems. So. And a ransomware attack isn’t instant. That isn’t the case. You’re right. We’re going to come in. We’re going to hold them to ransom. And that is it. There are stages in a ransomware attack.

Adam: Yeah. It’s it never ceases to amaze me just how much this stuff is run like a business now. It is all completely illegal and I’ve seen I mean, I remember that in one of the previous podcasts I talked about, I saw a, a support thread that was taken off the dark web of, people who were offering ransomware as a service, and it was a support ticket for a customer, all completely illegal. But it was exactly the kind of dialog that, you know, it wasn’t they weren’t being flippant or rude or, abrupt to the customer. They been very friendly and supportive.

Eric: And we had a great example of, well, we’ve had a great example of an organization that was hit by a ransomware attack, made the payment, got the, encryption key, but weren’t sure how to deal with it, and was struggling. So they called the helpdesk back and a very nice gentleman apologized profusely for the problems they were having and asked if he could come on to the network and he would help them, encrypt.

I mean, they said, why would you do that? Well, otherwise your reputation will suffer and people won’t pay the ransom. There was one quite well known ransomware organization that once they’ve been paid, and we’ll send you an email showing you how they got in. And. Yes, I read about that.  It’s quite it’s quite a remarkable world.

And you’re actually right. They’ve got a CEO, a CFO, a chief technology officer, an R&D department, and I help desk and the R&D department will see if they can find different ways and different mechanisms to access or lock down your network. And the help desk will provide the support once the R&D department succeeded.

Adam: Now, you touched upon this earlier and that is around that the insurance is there to prepare for the worst. It’s not something that you’re it it’s not I see customers weighing this up. It’s like, do I pay for the insurance or do I just run the risk? And if I get hit with ransomware, I’ll just pay the ransom. It’s I think this, this, this, this again, a later podcast I’m going to talk about the true cost of, of cyber incidents. but it’s you know, you said it’s there as, a means of luck results or a mechanism of lasting results.

Eric: Proportionality is key. So if your cyber exposure all n is running at 8 million pounds, you don’t need to buy a 20 million pound policy. Yes. And if you are turning over 5 billion a year, buying a 5 million policy would seem a little daft because it’s hard gonna touch the sides.

You’ve got to make sure that what you need to understand, what your exposure is, what the associated costs are, and then you need to marry that up with the limit that you’re prepared to buy, how much you’re prepared to pay for it, how much you’re prepared to invest in cyber security services to make sure that your network is protected.

So what is your total expenditure? How much of a deductible you have to take? you’re actually right. It’s an evolutionary market. And the other thing which makes cyber insurance slightly different is if you’re looking at a property policy, for instance, what is your cover flood fire, something hitting it. theft, you know, those kind of things, you know, where the threats are going to come from.

You know what it’s going to do with cyber. You haven’t got a clue. And the other thing with the cyber policy is you anticipate a cyber incident. You know, it’s going to happen. It’s just a case of when. Yeah, it’s one of those rare things which isn’t an if. If you an insure building. So if it does catch fire with the cyber policies its when we are attacked.

Adam: It’s, it really is a matter of time and but and it’s not necessarily and just to correct you it’s not necessarily when you’re attacked, it’s when a cyber incident occurs. It’s that could be it could not involve an external party at all. It could be as simple as someone emailing one customer’s data to a different customer.

And you know that that in itself can be damaging.

Eric: I mean, look, effectively in excess of 90% of all cyber incidents amounts to human error, be they criminal or be they accidental, incidental. Somebody does something they shouldn’t do. And that then leads to it sort of escalates very quickly. But because of the landscape in which we function, there is this immediate assumption.

Like I said earlier, what we’ve been attacked. We’ve already been breached. There’s something going on. And so you need to make sure you understand what has actually happened, because that has a material impact on how you engage with the outside world.

Adam: You just mentioned the word landscape. And that’s actually the sort of the final point that I wanted to talk around here. is that the insurance market, there’s there’s a lot of different stuff out there. Isn’t thereand it’s a case of finding the right one for you enough to often in many cases,

Eric: I completely agree. And that is actually slightly wider. So from our from our point of view, sector experience, and technical experience. But having somebody within your organization to understand your sector and has good technical knowledge is better than just having someone do an incredibly good technical knowledge but doesn’t understand your sector.

So that’s one thing to bear in mind. There are many different options for insurance. You’ve now got the disruptors which are active insurance. So rather than being reactive then far more engaged with your network, you know, throughout the insurance policy, but the main players are still very much leading the way and they’re still the ones who are looking to support clients.

Now, you’re absolutely right. The market’s been very volatile. we saw what I would refer to as a commoditized market about 4 or 5 years ago where premiums were low, deductibles were low, limits were high, and security demands were relatively low. Then criminal activity really, really expanded and exploded. And all of a sudden the insurers put their premiums up significantly, increased their deductibles, imposed controls and also were very reluctant to get involved in certain sectors.

So utilities, public sector, all those areas where there’s a huge amount of data and they may not necessarily be the best side of the trolls, but the market has really grown up over the last 4 to 5 years, and we’re now seeing rates stabilizing. And in certain cases coming down by about 5 to 10%. So that, you know, the insurers are the insurers have a massively important role to play.

The fact that they now have some really, really good people working there, has really helped. It’s really helped to stabilize the market and to create a degree of maturity.

Adam: Yeah, I mean, it’s I find it quite interesting and hopefully people watching this, that’s it’s when they’re looking at, you know what, how much are we going to have to pay and why is this.

It’s getting more and more expensive. and one of the other things that we’ll, we’ll, we’ll talk about in more detail in a moment is, is the requirements in order to, to get insurance. But the insurance brokers or the data companies have become more savvy that, you know, we’re getting burned because people aren’t patching their stuff or they’re not maintaining their firewalls and keeping them up to date.

So there’s there’s lots of these different things or there’s that, you know, there’s very little monitoring going on in the environment. So if we move on to how to get value from your your cyber insurance, and typically it’s like normally I would say how to do cyber insurance. But I think as you right, like rightly pointed out, this is something you’re paying for and you need to be getting the most out of it.

From a cyber insurance perspective and from from where you’re sat, what makes a low risk or a significant risk?

Eric: Okay. Well let’s look at the must haves. So multifactor authentication is a must have both for remote and admin access.

Adam: I think everyone should be doing that. Now. There’s not really an excuse not to

Eric: the other thing to bear in mind is that you could have a privileged access management solution. So privileged access management protects then the crown jewels. Your network, your hardware, your software, etc., etc. and only a few people should have access to that data. And if you’ve got a very large business with a lot of critical data, then you can actually say, okay, you have access to this system, you have access to that system, and you have access to that system, but none of you have access to all three.

You’re effectively managing the risk out of it and mitigating the risk out of it. patching and vulnerability scanning is critical. We still hear of organizations who run annual vulnerability scans. Absolutely not.

Adam: Oh yeah. If you don’t get me started on that, if you’re stopping ranting and raving.

Eric: So some of the other areas to look at, encryption. So if you encrypt the data that you can encrypt specifically identifiable information and the value of the data if it is compromised or stolen, significantly reduced.

Adam: And I’m going to ask you to say that again, because I think this is one of the the most pertinent messages that I want you to take away from this today. Those of you for yourself, the few of you who were watching this, if you lose that data and it’s encrypted, it it does the it does that that the the the threat that, the threat actor.

All the people who have actual data that it does them very little good because they can’t do anything with the data or it’s not personally identifiable, as you suggested, by anonymizing the data, so that even if they did get it, you can’t actually tie it back to an individual. So it becomes meaningless.

Eric: And if you have huge amounts of data going back over many, many years, identify what over what time frame you genuinely need to access that data.

So if you’ve got 10 million records and 8 million of those are more than five years old, and you only need to access those irregularly, take those 5 million, 8 million archive and take them off the network. Put them somewhere and if you do need to access them, you take the archive out, you plug a laptop into it, you get the data and then you work with it, but it just removes the size of the estate.

Adam: You cut down the attack surface

Eric: Precisely. Another big problems end of life systems. So a lot of organizations are still running end of life technology. If that end of life technology is internet facing, it should be replaced. If it is not internet facing, it should be segmented from the network and have an additional security around it.

If there is no support available. But it is critical to your infrastructure, and replacing it either isn’t practical or isn’t possible, or is financially just too restrictive, then make sure that you put additional protection around it, because a non-supported system is an easier way in

Adam: And I still I’m still coming across Windows 7 that occasionally I see windows XP and server 2003 and stuff like that and there’s no, no restrictions or control over them. Some of them are even you could get open Internet Explorer and browse the web on it. And it’s people maybe don’t realise just how vulnerable these operating systems are now, the sorts of things that an attacker. There’s so many exploits available for them now because because of different flaws that have been discovered that it will take an attacker seconds to be able to exert a system level control, access any cached passwords that may be on there, even if they’re encrypted. They’re fairly easy to decrypt nowadays.  it’s it’s a very easy way to lose a huge segment of your network very, very quickly.

Eric: Now let’s the simple things you can do be you need to have proper logging and monitoring. But one of the other things you can do is monitor your outbound traffic patterns. If you start to see your outbound traffic patterns spiking, then there is a significant chance that somebody is on your network and is exfiltrating data.

You need to make sure that you’ve got an endpoint detection response on everything. Connect to the network. And again, people think, well, an endpoint is a laptop or a light source of a printer or a photocopier, or a mobile phone or a tablet. Anything that’s connected to your network is an endpoint you need to manage your remote desktop environment.

You need to have email and web filters in place so that, you can’t look at certain size. It picks up road sites, it scans emails before delivery. to the end user. Some people say it takes too long at a millisecond.

Adam: So this is what you know, what’s which. I’m talking about an instant response. Now, this is something that I’ve talked about before and I talk to customers about it. But, you know, it’s good if you have an instant response plan. It’s better if you have actually practiced it. It’s best if you do that regularly.

Eric: Absolutely. And please do not just have your instant response plan on your now encrypted network.

Adam: Yes, I’ve heard of that.

Eric: And also, once you think something has gone gone wrong, do not communicate via email on your network because at this stage the attackers are reading your emails.

So we use something called the sickness platform, which is an offline communications and storage system. But where that isn’t available or where a client doesn’t have that, the easiest thing to do is to set up as a group WhatsApp and communicate that way.

Adam: It’s but that again, and it comes back to this investments you know whether it’s the investments inside security technologies or whether it’s the investment in manpower or man hours to improve the systems or indeed the investment in to develop a robust cyber incident response plan that you have something that people are well trained on and it’s something that’s familiar. Everyone knows where it is

Eric: and what it is. So and what you must have, you know, you must know what all your hardware is. You must know what all your software is, because in some cases, there can actually be damage to the system.

So you need to know as quickly as possible what you need to replace. And business interruption cover tends to be very sensible there because you are allowed to spend a pound and a penny if it saves money. So, you know, if if buying a piece of kit would normally cost 1,000 pounds and it’s going to take three months to get it, but for 1,100 pounds you can get within two weeks, it reduces the insurers exposure.

And they will then. But you know with the discussion agreed to that. But the critical thing is that you understand exactly what you are getting from your cyber policy, and that it’s not one of those policies. You say, well, I got the policy documentation. We’ve got it in one of our repositories. Marsh got it in one of their repositories, and we’ll just take it from there.

You’ve got to understand, and this is where the exercising again becomes very important. You’ve got to know how to respond because people do panic. And the one thing that organizations must bear in mind, in 99.99% of cases, the attack isn’t personal. They just want money.

Adam: Exactly. Yeah. It’s business. Business is business.

Eric: You know, if you’ve got a political activist, if you’ve got an anonymous coming after you, where there is a political reason why they’re doing what they’re doing, that’s slightly different.

But in the vast majority of cases, criminals just want money and they really don’t care what you do or who you are. So as we’ve seen with the current hack, where the criminals are asking for 40 million pounds to release, patient data, morally reprehensible, then think about it like that, they just want 40 million.

Adam: I know that another tidbit that we sold, you know, that I mentioned before, a lot of organizations say the expenditure on cyber security is almost not lost money, but it there’s no there’s no tangible ROI on it.

So it’s, you know, but as we’ve talked about, it’s an investment by by doing this you’re making the likelihood of an attack less likely. But you know, so you reduce the likelihood, but by making sure that you’re coordinating your plan and you’re prepared for it, it’s going to lessen the impact of such an attack as well.

Eric: But in the vast majority of cases, you could look at any kind of insurance policy like that. You’ve got I mean, look, you’ve got your, your, you know, your legal classes, employer liability in some cases product liability fleet. But apart from that nobody says you must ensure you’re building. Well you must insure you directors and officers, you know, it’s all about you have the choice to buy insurance. And it’s the kind of thing that yes, at a certain state, you do resent paying money and not getting anything back.

When you do get something back, because what you’re getting back is peace of mind. You have the ability to sleep at night in the knowledge that if the flag goes up, there are people there to help you and there is money there to reinstate you. You know, I, I had a claim I very cleverly managed to flood one of our bedrooms by putting something in the loft and, and, my insurer. Absolutely brilliant. And I mean absolutely superb. So therefore I got real value for that policy.

So all the money I’d spent in the years running up to that one claim, I didn’t think, oh, that was a waste of money. No. Am I glad I paid that! But they were there. And that’s what insurance is there for. And it is.

It is absolutely about investment. you know, you are protecting especially with, with with cyber and IT, you are protecting everything that allows you to run your business.

Adam: It’s been really good, has been absolute pleasure. Thank you very much for your time.

Eric: Thank you for the opportunity.

Adam: One thing before we go, if you’re interested in talking more about any of the points that we’ve raised here, probably my recommendation would be to start off with one of our posture assessments that will cover off and advise your, most of the key areas that are going to help you to be more insurable and to help to understand, and get the most out of your cyber insurance as well as being prepared against cyber incidents. Thank you, all. I hope you’ve enjoyed watching this and I’ll see you next time. Stay secure.

Disclaimer

This is a marketing communication. The information contained herein is based on sources we believe reliable and should be understood to be general insurance and risk management information only. The information is not intended to be taken as advice and cannot be relied upon as such. Statements concerning legal, tax or accounting matters should be understood to be general observations based solely on our experience as insurance brokers and risk consultants and should not be relied upon as legal, tax or accounting advice, which we are not authorised to provide.

Marsh Commercial is a trading name of Marsh Ltd. Marsh Ltd is authorised and regulated by the Financial Conduct Authority (FCA) for General Insurance Distribution and Credit Broking (Firm Reference Number 307511). Copyright © 2024 Marsh Ltd. Registered in England and Wales, Number: 1507274. Registered office: 1 Tower Place West, Tower Place, London EC3R 5BU.