Adopting Zero Trust
Cyber Insurance: Sexy? No. Important? Critically yes.

Season 3, Episode 5: Cyber Insurance may not be the sexiest topic, but it’s an important piece of any mature cyber program. We chatted with a lawyer and a VC who share their perspective.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

There are many aspects of cybersecurity that are not classified as cool or sexy, but every component plays a role in securing people, data, and businesses. One particular aspect that is often seen as a necessary evil, even more so than policies and documentation, is cyber insurance. On one hand, you have a system that forces backstops to protect the organization in the event of an incident; on the other, requirements to not only remain insured but reduce premiums encourage businesses to invest more in securing the business.

This week we chat with Karl Sharman of Forgepoint Capital and Andy Moss of Reed Smith to better understand the role cyber insurance plays today.

TL;DR

  • Cyber insurance has evolved significantly, especially in the past five years. Originally seen as a cash grab, there’s been significant consolidation of providers.

  • Many companies started to see the importance of cyber insurance with the onset of the COVID-19 pandemic and the increase in cyber attacks.

  • The biggest potential change is around the availability and accessibility of cyber insurance to SMBs, which historically have not had the budget or resources for it.

  • Compliance and risk models are crucial in cyber insurance. Insurers consider a company's compliance with cybersecurity best practices when determining coverage and premiums.

  • Maintaining cyber insurance requires regular vulnerability assessments and staying ahead of the evolving threat landscape.

  • Open communication with insurers about potential vulnerabilities or changes in operations can help insurers provide more accurate coverage.

  • The cyber insurance market is continually evolving, and cyber insurance plays an integral role in a comprehensive cybersecurity strategy.

This Week’s Guests

Karl Sharman has more than a decade of recruitment experience behind him, especially for organizations tied to cyber insurance. He has helped build and scale teams across multiple types of businesses, including Fortune 500, pre-IPO, late-stage ventures, early-stage startups, security consultancies, and MSSPs. He now works for the VC firm Forgepoint Capital, which has a significant portfolio of companies that support organizations in getting and maintaining their cyber insurance or help after an incident occurs.

Andy Moss is a member of Reed Smith’s Insurance Recovery Group in the Litigation Department, concentrating his practice on the representation of companies and management as policyholders in insurance disputes involving directors’ and officers’ liability (D&O), professional and errors and omissions liability (E&O), data and network security and privacy liability (cyberliability), fiduciary liability (FLI), employment practices liability (EPL), fidelity bond and commercial crime insurance, and commercial general liability (CGL).

Editor’s Note

Elliot @ RSA

I’ll be floating around with a camera or hanging out at the Drata booth (#2133 in South Expo). If you track me down, I have a few AZT hats to give out and some Zero Trust stickers. I have one or two more interview spots available, so please reach out if interested (ev @ creatchaos.co). If you are hosting any spinoff events and would like coverage, let me know, and I will see if I can fit it into my schedule. Bonus points if you are doing anything cool that I can capture on camera, such as…

Chase Cunningham has a charitable effort in motion for the conference where he will be in a costume and running around.

Ransomware: To Pay or Not to Pay?

The next episode will feature two previous guests who will share their perspectives on paying or not paying for ransomware. Think of it as a natural continuation of this episode, but obviously, cyber insurance is there for this specific purpose (and others).

The Emergence of Cyber Insurance

Cyber insurance emerged as a niche sector within the insurance industry about 15 years ago. Initially, cyber insurance was an add-on to other policies. However, the realization of the unique nature of cyber risks led to the development of standalone cyber insurance policies.

In the early years, many companies, especially small and medium-sized businesses (SMBs), did not see the need for such coverage. However, the onset of the COVID-19 pandemic and the subsequent shift to remote work led to a rapid uptick in cyber attacks, notably ransomware. Companies began to recognize that cyber risks were everyone's problem, leading to a significant increase in interest in cyber insurance.

The Evolution of Cyber Insurance

Over the last five years, the cyber insurance industry has seen monumental changes. The evolution of threats and the sophistication of threat actors have led to volatility in terms and conditions. Insurers have had to continually adjust their offerings to ensure they are adequately covering the risks their clients face. This rapid change has led to increased expertise within the industry, with more specialized teams emerging in underwriting, claims, risk engineering, and cyber consultancy.

An interesting trend in the industry has been the rise of Managing General Agents (MGAs), who have made access to cyber insurance easier for SMBs. This democratization of insurance access has been instrumental in expanding the cyber insurance market.

“For the first time, we're seeing that over the last two years. And I think that's where the big expansion in cyber insurance is going to be, is really at the SMB market. Like we're seeing with a cyber product perspective, like Huntress,” said Sharman.

Compliance Models and Factors in Cyber Insurance

Compliance and risk models play a crucial role in cyber insurance. Insurers take into account a company's compliance with cybersecurity best practices and standards when determining coverage and premiums. This compliance is not just about meeting minimum standards; it also involves genuinely enhancing the organization's cybersecurity posture.

Moreover, insurers also consider a company's ability to respond quickly to alerts and provide proactive services. These factors can significantly influence the cost of insurance and the insurer's willingness to provide coverage.

“It makes it a lot easier. The reality is that a lot of clients come to me and say, I'm not sure anybody's going to want to insure me. And there are certainly some companies that will look at your profile and decide they're not interested in bringing you on board,” said Moss.

Maintaining Cyber Insurance

Maintaining cyber insurance requires companies to continually assess their cyber risk profile and stay ahead of the evolving threat landscape. Regular vulnerability assessments and proactive measures to fortify security defenses are essential. Companies also need to keep abreast of industry standards and regulations to ensure they remain compliant.

Furthermore, it's essential to maintain open communication with insurers. Sharing information about potential vulnerabilities or changes in operations can help insurers provide more accurate coverage.

Show Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

AZT: Cyber Insurance

Elliot: Hello, everyone, and welcome back to Adopting Zero Trust or AZT. I'm Elliot Volkman, your producer, alongside our host, Neal Dennis. And today we're going to be covering a different aspect of cybersecurity. Now we obviously talk about modern cybersecurity systems and strategies and approaches and tactics and often as they relate to zero trust, but there is a much more broad spectrum system and component that really impacts us in many different ways.

So we have two experts, two guests to talk about different aspects of this. And we are going to be talking about insurance and cyber insurance and all the fun that comes along with that. So with that said, I'm going to do a couple of quick introductions or actually hand it off to do some quick introductions.

We'll go from there, but this is definitely going to be a... All right, hold, let me filter this a little bit. Insurance is not necessarily the most exciting topic, but we have exciting guests with good interesting perspective. We'll make insurance an interesting topic. That's where we're going with this.

Andy, since you

Neal Dennis: real quick, I'm excited about this just because we haven't had this kind of topic before. I admit my naivety behind the scenes and what this, I know what it's supposed to be. I know what the overarching legal intent is, but actually figuring out this world and understanding the implications a little bit more straight from the horse's mouth.

This is going to be fun. I'm looking forward to it. So anyway I'll pass back.

Elliot: and this is also foreshadowing for an episode that comes slightly after this, which we will talk about ransomware and impact. And do you pay or do you not pay? And obviously insurance plays a pretty big factor in that. So anyways. Exactly. So Andy since you are the first time in maybe you can give us a little bit of background on yourself and your relation to cyber insurance.

Andy Moss: Sure. Happy to. And thanks for having me on. I am an attorney, a partner at a law firm called Reed Smith, LLP, which is an international law firm. I work out of the Chicago office of the firm. I've been doing this for 21 years. Actually today is my 21st anniversary in private practice. So that's a big deal and when you mentioned that insurance is not the most exciting topic in the world I can tell you that nobody that I know, including all of my colleagues who do this came into this because they initially planned on doing it, it's one of those things where you might need to be persuaded and I don't mean by having an arm twisted, but it actually is a somewhat fascinating topic with just a very boring veneer.

And what I essentially do is I represent individuals and companies. Usually when individuals, it's members of boards of directors or senior management at companies. Who have disputes with their insurance companies. So I don't represent the insurer side, which is a very large part of the industry.

I represent a bit more of a niche part of it. And my focus has started out with director and officer and professional liability insurance. So this is the, type of insurance that most companies have to protect their management from various types of liability issues. But about 15 years ago, I was, privileged to have the opportunity to stumble into cyber insurance, which is at the time a very new thing.

It had been talked about for years. There was a brief stat where we were all worried about Y2K and planes falling out of skies and elevators crashing to the ground and the world coming to a swift end. And there were some early versions of this, but about 15 years ago, we started to see these policies in earnest and.

And it's still a very what I call emerging topic, even after all that time, as compared to other types of insurance markets, it's in many respects, still a little bit of the Wild West, and that's in part because the risks are shifting and very different than, what we what insurance underwriters and actuaries and everybody, has seen for, the decades and decades that insurance has been a thing.

I devote about 70 percent of my practice to counseling companies, both in the negotiation of cyber insurance policies, actually the contract negotiations themselves and handling everything up to disputes. If we have to You know, litigate against an insurance company or mediate or just simply fight it out until we can agree on, some number or something like that.

I do it all. So that's and that is 100 percent of my job. I. Am a full insurance geek in this regard.

Elliot: Amazing. So obviously you've got some context that you can provide to this conversation. But we are

Andy Moss: hope so.

Elliot: I hope so too, because I certainly know very little about this. On the other side of the spectrum, Karl is, I would say, a known quantity in our space, for the lack of better words. He's been adjacent to cybersecurity for a long time.

Karl, do you have a podcast too, floating around? I know you have an insane Okay.

Karl Sharman: to, yeah I changed it up for a newsletter instead called SecMoves, but I'll leave the podcasting to the experts like you.

Elliot: We'll bring you on as much as you want. It makes my life a little bit easier, but Karl is a known quantity in our space. He's an advisor. He now lives in the VC side of the house. If I'm not incorrect, but you've been in the space, the talent, how the folks work in there. But being on the investor and VC side of the house, that means you have a trust factor involved.

So organizations need cyber insurance to prove that. Tomorrow, someone's not going to come and lock up their systems, the ransomware, and basically your money goes to the burn pile. But that is where you come in. So Karl, maybe you can expand upon my sloppy introduction there and give a much better background on yourself.

Karl Sharman: course. Firstly thank you for having me on. It's a pleasure, but the, I think to give you an idea of us as ForgePoint Capital. So we're a cyber security specialized venture capital firm. So we have taken an interest since probably about 2017 2018 in the cyber insurance space.

So prior to this, I was actually a recruiter in the cyber security space, but cyber insurance was one of my specialisms. So I work with over 60 percent of the insurance businesses basically hiring underwriters, claims, cyber specialists for the cyber insurance community. Then when I moved to ForgePoint Capital the reason I got there was because of that background, because a lot of ForgePoints, percent of the portfolio has what we call the string of pearls approach to cyber risk.

So we focus on cyber risk as a real specialism in our portfolio. And we have several companies that will be familiar to most people like Huntress that do EDR and do SMB, cybersecurity for the 99%. And they have a very cyber insurance focus in terms of how they approach their market. Then we have incident response companies like Surefire Cyber that go and investigate in partnership with the insurers and the law firms.

We have Converge Insurance, which is our cybersecurity MGA, which works on behalf of QBE globally and the insurance world providing the latest approach to how companies can go and get insured. And then we also have another company, which is Cybercube, which is the data risk sorry, the cyber risk analytics platform for the cyber insurance community. They have over a hundred insurance companies that use their analytics for underwriting, for account management in that respect. So we, yeah, we have a very much fundamental focus on this market, which is why it's so interesting to us. So I come from it from two angles, as you said, the talent market and actually the investment market of what we're seeing in this wider space.

Elliot: Wonderful. So thank you all so much for being here. We really appreciate you being here and sharing your perspective with our audience. I think just setting some context for y'all, primarily our audiences on the practitioner side. So they are the ones who interact with your portfolio, Karl, and then Andy on your side maybe defense and making sure that they're, tip top shape.

Thank you. I think the easiest question to throw out there and it's not going to be too hard to cover is maybe we can look back in time a little bit of when cyber insurance really just hit the market, felt like maybe a cash grab and your perspective on how drastically different that has changed over the last five plus years or more.

Andy Moss: I'll start if that's okay. It the change I think has been just monumental, and I think going back even farther than five years, but, we, I can think of, probably a really key moment in cyber insurance was, around the time of the beginning of the pandemic.

When everybody started working from home including me and, there was all of a sudden this, things like zoom and teams and platforms like this were, fairly new or became more utilized by your kind of average worker at the time there was a huge uptick in companies getting hit by.

Cyber attacks and namely ransomware, other more what we kind of traditional cyber attacks still happen. And I think at that point, there was a very rapid expansion of companies that, were interested in cyber insurance, even though it had been around for a decade or so.

Many companies still weren't buying it. It's expensive. It's not always available or at least not commercially feasible for smaller companies and submit type midsize companies. A lot of companies were depending on what kind of industry they were in or what kind of, whether they were customer or public facing or not, we're probably being told that they didn't need it.

And all of a sudden, everybody realized, this is everybody's problem, right? And, and along with the sort of expansion of risks, including, the sort of dramatic increase in ransomware, which you'll be discussing in the future episode and all that there's been, just very rapid change in the types of terms and conditions, plus all kinds of new market participants. Karl mentioned Converge.

For instance, I was looking at Converge policy just yesterday, actually the apart, outside of the traditional big carriers like your AIGs and Chubbs and Travelers and Hartfords of the world. And, along with that, just a lot of variation and I would say volatility in terms and conditions.

Okay. Thanks. Which were spurred by both, just insurers trying to get their arms around what kind of risks they were actually being exposed to, which is if you're an insurer is obviously, what you do how to price this stuff so that, companies can actually buy it.

And use it how to, adjust these claims which, is a, I would say 5 years ago, the number of claims adjusters that I would deal with. And I will I'll emphasize that these are not always adversarial relationships with me. These are often, partnerships where we're all trying to, accomplish the same goal.

The degree of expertise that we see on behalf, on the part of the insurance companies has changed. For the better as more people have become, inserted themselves in the industry, become better educated develop those special, that expertise, just like me, when I first got into this and didn't know You know, how to find my way through it, just like anybody else.

And I would say overall, what we've seen is a huge improvement and a lot of steps closer to standardization, which I think is beneficial for my clients and, makes the world, the cyber world easier to navigate. But I think we're still quite a ways away from that happening, and I, and I think that's in part, again, due to, the evolving nature of the risks, the fact that the threat actors that we're concerned about are, just incredibly sophisticated people.

These are not, Guys in their basement necessarily. These are, these are, we could anything from state sponsored actors to, highly trained and very canny and clever, computer engineers who are, dealing with on the other side. Very sophisticated.

defenses that companies spend a lot of money putting into place. I think that this is going to be a continuing trend, for the future, probably indicate some that it's probably a good career for a lot of people to get into, obviously, but and it certainly keeps you busy and it's in a recession proof industry, which is also very nice.

But the but I think that the last five years have really been a key gelling point for this type of coverage.

Elliot: Awesome. Karl, on your end, obviously the portfolio that you work with, they help organizations meet the requirements to stay insured, but also hopefully prevent the need to ever have to cash it in all the, the coming to go as I go along with that. But maybe you can expand upon what Andy had shared with your perspective.

Okay.

Karl Sharman: I think.

If we think about the first ever cyber teams, they were probably ACE, which is now Chubb, West where a lot of the talent, now the leadership talent in cyber originated from, they all came from the same environment because Chubb were one of the very first pioneers of cyber insurance and then AIG and some of the others that Andy had mentioned, have then followed on.

But I think, when we think about where the team started, they were in the D&O practices. They were in the TMT practices. No one saw cyber as its own division, really to about 2020, maybe 2019 if you were really ahead of the curve. So for 10 years, it had just been an isolated practice that you were adding on to some terms where you were just given some sort of cyber liability coverage.

And then over the time it's become its own policy. And that means that you've had your own team. So we've now been building our underwriting teams, claims teams, and then even so is even going more specialized to Andy's point now, which is there's risk engineering teams, there's cyber actuary teams, there's response teams, there's cyber consultants now being hired, CISOs being hired to go into these clients and actually help them and be able to prepare them, both.

Pre and post breach of anything that could and maybe will happen. And I think you've also seen acquisitions, right? You've seen CFC go and acquire Solis Security. You've seen Zurich go and acquire Speartip. You've seen Aon go and acquire Stroz Friedberg. So you've seen all these different acquisitions that have happened of cyber companies to get more cyber expertise in.

Because of one, the amount of money and the amount of policies that are being wrote in cyber, but two, because the amount of losses and that 2020 phase that Andy mentioned was a huge hit and a huge wake up call for cyber. And that's what the pricing, the rises. Pricing's pricing. Sorry, really came from because the insurers were taking a huge hit and up to that point, cyber had been very profitable and then took a hit.

Then it got really profitable again. Then it had another wave of ransomware and took another hit. Now it's very profitable again. So now prices are being talked about being lowered again. So we go through these cycles of As the threat actor innovates, and comes up with new technology new toys, technologies, however you want to see it, and they become more sophisticated, the insurance companies have a tendency to lower their rates, more companies get insurance, which is great because that's their backstop in their way, their last line of defense.

But then obviously then they get breached again. And then the insurances, insurance companies have to raise their rates. And I still think from a pricing perspective, we've been working a lot on this with like your Cybercubes and your Converges of the world to make this more attractive to Andy's point of the SMB, the much more as Huntress called it 99 percent of the rest of the world, because the 1 percent the JP Morgans, the Bank of Americas have a lot of money to spend.

On cyber defense. Also have a lot of money for offensive security to be able to better protect their selves. They don't really need to worry about this. So what we have now is we've got the rise of the MGA over the last four or five years, rise of SMB insurance. And so now more people have got the access to insurance through their brokers, through, through direct to the MGAs, which is giving everyone the opportunity now to get cyber insurance.

For the first time, we're seeing that over the last two years. And I think that's where the big expansion in cyber insurance is going to be, is really at the SMB market. Like we're seeing with a cyber product perspective, like Huntress.

Neal Dennis: I have questions. I'm, Elliot knows this I'm a fledgling cyber history buff since I've lived this crap for, I gotta be nice to my career field. It's not crap, it is legitimately fun and exciting stuff in cyber. But, it's a load of crap as a whole because of how much stuff we've had to deal with just repetitively.

So I say this First question we talk about this revolution for cyber insurance, circa 2019, 2020. Obviously COVID is a big penultimate movement, right? I agree. Homeward bound people create a much larger attack surface. Holy crap. What am I going to do now when I was just barely floundering around with the DDoS's I got for the last six years?

So now think about all the other fun stuff. So my, my curiosity question then, historically speaking, we had from roughly 2007, eight up until about 2014, the age of the mega breaches. You had your LinkedIn's, Home Depot's, TJ Maxx, Target, pick a flavor of the day over the course of about six, seven years where it's holy crap, which retailer or which bank or which, whatever's going to get popped now.

And how many more letters am I going to get in the mail for the LinkedIn's and all this other crap, right? So my curiosity question is. Cyber insurance is obviously a relatively new term, but did y'all see back then people talking about or maybe larger companies soliciting for coverage after these things started to happen back, in the mid 2000s, did y'all see like a desire and is maybe that some of the impetus towards where we ended up like in 2015, 2016 timeframe?

Yeah.

Andy Moss: right, Neal. I think, and I'll say that, having likewise been a veteran of some of those major mega breaches, as you put it. I've worked on a number of those and, some of my colleagues who are in sort of the incident response space obviously had, a lot of, dealings with those too and in that we dealt with both clients who were insured and not insured.

And I think, what was very interesting back then, I think just on the cusp of that age was that, the main driver for the client, my clients, at least, and, I recognize that I only really see what my clients do, and there's obviously a lot of other parties out there who I don't talk to their real fear was the liability, you mentioned getting those breach notices in the mail, that is, we call that a license to sue, colloquially because, that's what often prompts things, although there are other ways that, people learn now, but back then, that's how you learned.

And, you send those out and you were going to get a lawsuit. And they really thought, gee, we need to protect ourselves from, these enormous consumer class actions. Obviously, some of those mega breaches. I just, just to throw out, one that I actually worked on, this is public information.

The Anthem breach back in, God, what was that? 15, 16 years ago, I think, which involved like 81 million potentially affected people, was basically anybody who'd ever submitted a piece of paper to Anthem and all that subsidiaries, a health care insurer. And it was a huge deal and what a lot of companies learned in responding to these breaches and what I think really drove the need for insurance at least in their mind that was a little different was, you know, it's one thing to think about liability and having to hire law firms to defend you and being stuck in intractable litigation and dealing with big class actions and the negotiation, all the complications that arise out of that.

That's obviously very expensive stuff to do, but when you're talking about like these mega breaches and things like that, imagine the cost of sending out 81 million letters, right? And then Of those 81 million, you probably get a pretty high percentage back as undeliverable or duplicative, and then you got to hire somebody to do that.

I think a lot of these companies recognize that, what we in the insurance world call first party costs. These are not what you're paying to say defend yourself in a court or paying out as damages, to class action members and things like that. We're talking about the money you pay out directly to like first responders forensic accountants forensic investigators, and more importantly, like the people who pick up the phone to say, to answer those questions from people say, I just got this letter in the mail.

What do I do? I need to You know, get new credit cards and, get, change my address and, run in a hide and live in a cave or something like that. That is, that was a very expensive proposition and, and I think what companies became very worried about was what I like to think of as the law of big claims, right?

It's easy to estimate, when you're talking about maybe thousands or somewhere under a million potential people, you've got to notify or be worried about their information being accessed. But when you start talking in the millions and tens of millions, the cost of dealing with that becomes, I think, a bit exponentially more expensive to deal with and no company can do it themselves, right?

And that's. That's what this insurance does pay for. There are obviously limitations in terms and conditions in these policies, they're not free money by any means, but and they require companies to take certain important steps to, in order to secure that. But, when they do it right, that this is what the insurance pays for.

And it's that initial outlay which is often incurred, within the first 12 months of dealing with these things as opposed to liability, which may take years to wind through the system. And frankly some companies have been successful in the liability front. I would say as a, the average consumer, whose information might have been accessed or something like that isn't really guaranteed.

I think a very high payout if they do sue in these cases, there are a lot of technical defenses there are a lot of, there's a lot of uncertainty over certain legal standards that, you know, between the federal courts and the state courts we also have 51 different states and currently real, no federal, no real federal regulation of this, that sort of applies nationwide.

So the main, the main thing that companies have really focused on is, cleaning this stuff up, fixing it quickly. thing. And that in itself is a very expensive proposition. And I think that's what really, in my view, drove A lot of companies over that precipice to say, look, this isn't necessarily something we can manage.

This is something where we do need a financial backstop and we need to devote financial resources to purchasing that. And that, of course, then led to, Once you get insurance underwriters involved, then they start asking questions about what are you doing to prevent this? And that is probably the subject of a whole nother podcast, or maybe you've already done it, about, what kind of defensive measures take place.

And I can tell you that at least, for the businesses that I counsel, especially in the larger end, many of them now have what I would call almost dedicated people within their IT and security departments that really. Spend, I would say six months of the year dealing with questions from insurance underwriters and, and I help them guide them through that, and this has become, I would say like part and parcel of doing business, today.

And I think that is something that started to develop back in 07 through 2010, and then of course, as Karl and I discussed earlier, really took off within the last four or five

Neal Dennis: Yeah, that's awesome. So I admit the fact that the cost of paper and postage, that's obviously a blatant thing, but

Andy Moss: shocked. Yeah.

Neal Dennis: something the average person would think about when they go to ask for cyber insurance you're going to have, if you've got a hundred million customers, you're potentially going to have to send a hundred million letters if something bad happens.

That alone is probably what metered mail still going to cost you around 30 cents per notification. Yeah. Anyway. Okay. Yeah,

Andy Moss: what if you got people in Europe or Asia or

Neal Dennis: I love it. Those are the fun things that you lawyer people get to figure out. So I'm happy for that. No, that's cool. That's legit. That's why I love this because this is, it's the weird things that obviously we don't work in that world. So we don't get to think about the weird stuff like that.

But you're right. It's not just the cost of mitigation or bringing in experts, which I'm going to ask you about in a minute. Cool. How that works from an insurance perspective, but it's the totality of costs beyond just, Oh I've got to fix a server and hire new employees. Now I've got to communicate this to hundreds of thousands, a million people or more, and then pay for that before you even get to litigation and legal issues.

So that's some of the fun stuff. Karl, I have a quick question for you, sir. And then Andy, I'd love for you to weigh in on this obviously as well. Y'all mentioned, obviously the insurance push now is definitely down towards small business, SMB things, market space and stuff like that as well.

But out of curiosity, post world, post SolarWinds world. And knowing obviously this is happening in the 2020s asshole life that we had to live, pardon my language, but

Elliot: access to

Neal Dennis: obviously didn't have a great time with that.

Elliot: Archives.

It's

Neal Dennis: when we think about supply chain risk management, when we think about ICRM as a whole and things of that nature.

What are y'all seeing, or is there anything yet really that allows like a larger company, say, you know, it doesn't have to be a Fortune 500, but someone who has a somewhat okay awareness of what their supply chain looks like, because most bigger companies have thousands if not tens of thousands of providers of various things, whether it's firmware, whether it's actual software, physical product, digital product, but the list is robust. I saw a survey that said the average company, Fortune 5000 company and above, has a minimum of 1000 suppliers within their piece, digital suppliers of things digital, not just physical. And so my curiosity question, Karl: cyber insurance that helps uncluster the F that happens when supply chain issues occur like a SolarWinds, or from a liability perspective, promoting and helping you move beyond being the one who's indirectly liable because you happen to be a SolarWinds type client, or, picking on SolarWinds because it's popular, could obviously be anything else.

So curiosity question around that from an insurance perspective, how does that help with supply chain risk?

Karl Sharman: It's a good question. I may be harsh to say, but I'm not too sure the insurance companies have really figured this part out, and maybe mainly because that's too complex. It's way too complex. They have to look at, they have to take it as one risk factor, but it's one of a thousand, right? Like, where actually are the breaches coming from?

And supply chain is much lower on that spectrum than where most of the breaches are happening. Because if you suspect that there's thousands of breaches, we've all got numb to the letters that are coming through because there's just breaches everywhere and it's spread everywhere. So you know, the insurance has to prioritize their time because it's still a small team.

And so they have limited resources in terms of what they can do. No matter what they charge, they're going to have limited resources, limited time to focus on different solutions. So what they will do is they will prioritize getting information out. So they will use their incident response vendors and for intel vendors, whether it's your CyberCube, SecurityScorecards, BitSights, any type of product that they may be using.

And they do use SecurityScorecard and BitSight and them types of companies for this type of work. So they will look at third party. The issue is, like I said, that it's not always a direct impact. There are the anomalies out there, and that's why we know them, like SolarWinds, because we hear about it, because everyone's been fascinated by it.

And unfortunately we're in a seller's market and we try and sell that so that more vendors can sell more, right? Let's be honest. So all the third party, the companies that provide third parties, and we have some of them, we have Interos and we have ReversingLabs as an example. And I think it's an important threat vector to look at, but it isn't, I wouldn't say it's still number one in terms of that's causing the most harm to the cyber insurance industry.

And I think that's just where they have to prioritize yet. They will still use the IR vendors, the threat intel vendors, the data vendors to get these notifications out to their mass clients in terms of, they need to patch this, or they need to be aware of this, or this is happening in the market.

So what they try and do. And this is where like a company like Berkshire Hathaway who want to invest in one, 1 billion company revenue and above, they will see any key threats that they see in that vertical, they will go and notify, and that's how the internal teams try and do it. If they see rumblings in healthcare, they will get a mass notification out to their healthcare companies to try and get ahead of it because no one wants that claim, but I haven't seen, and I could be wrong, in terms of what you're asking, any way that they've been able to, let's say, solve the supply chain risk.

Andy Moss: I generally agree with what Karl said. We get, I do get a lot of questions about, I would say, the top three concerns of my clients, in trying to assess. One of the things I do is I look at, I essentially audit their insurance policies. I read them. Someone's got to read them, right?

And you'd be shocked how often people don't and they're certainly not easy to read, but we actually read these things and we think about deeply about, what the risks our clients are facing and then figure out, do these things work? Where are we going to have gaps in this coverage and, if we do, is there some way we can find a way to fill that gap, negotiate modified language, find sometimes another type of insurance policy or some other type of risk transfer vehicle.

There is, there are other ways to provide at least a financial backstop for some things, outside of the insurance world, and supply chain has been a very difficult one to do. I think, as you noted, a lot of the well known breaches occurred in the supply chain.

Target was an HVAC vendor. What I'm often seeing are bespoke software vendors, is another way in, especially when you're dealing with, say, a small coding company that provides some, a bespoke product that's unique to a particular company or a particular industry sector.

Those companies don't always tend to be big. They often tend to be small. And they're obviously run by humans, and humans are not infallible. And that's often the source of how, think bad things start. And there's a couple of ways we've looked at this. One is, try to find ways, and we can't do this without the agreement of insurance underwriters, to modify the coverage, to take, to address those risks.

And it's one thing to say, let's just use Target, for example: someone phishes the HVAC system, there's some kind of portal into Target system, they get in, then they commit a big data breach. Target by, Target had insurance, we, that was all public information.

And they used it and it responded in some ways and it responded. It didn't respond in some other ways that they wanted it to do it. And, all that stuff. But what it doesn't address is the financial risks that a lot of businesses have between them and their vendors, their supply chain vendors themselves, because then what they do is that, if their supply chain vendor, say, is, let's say they're not like just an HVAC company.

Let's say they're processing all their employment, employee benefits information, so they've got employee health care information, social security numbers, sensitive data that you would find in someone's employment file. What if that company gets hacked, and that company is obviously on the hook for their liability.

But so are you, right? You made the choice to put that stuff there. Does your insurance respond to that? And the answer is it may or may not, you know. Again, there's a diversity of contract language that we're dealing with here. It's not standardized. Going to one of Karl's portfolio companies versus another insurer, you're going to get different terms and conditions.

And it doesn't mean it's necessarily different. There are certainly different ways to draft contracts that may ultimately do the exact same thing, but you can never be guaranteed of that. And insurance is a, as a state regulated industry, which means you could have 50, one, different interpretations of the same language conceivably, and at least in the United States, and that doesn't even take into account what would happen in England or continental Europe or any other, China, Hong Kong, any other place where this stuff is being, judicially interpreted.

I think the, so there are a number of other tools that come into play here. Which I think go probably a bit beyond what we're talking about today, but, they tend to be things that, someone like me as an insurance practitioner have discovered are really part and parcel of my job in addition to reviewing insurance policy.

There are obviously agreements between companies that can provide some kind of protection in these cases where, let's say, you get the company to pay you if they do something wrong that causes you liability. Now, is that insured? That's a good question. And that's actually a very controversial question, I would say, and it comes up very frequently because there are a number of both practical and legal considerations that go into that.

Not to get into the philosophy of insurance, believe it or not, there is one, but as a general rule, you can't, if you breach a contract with somebody, and you're, have to pay, which is obviously an incredibly common thing everywhere, you typically can't insure that as a matter of law. In some states it doesn't even matter if the policy says you can, you'd still not be able to, because, you know, breaching a contract is not what's considered a legal wrong.

People breach contracts all the time

Elliot: this.

Andy Moss: You may have an agreement with somebody to, say, supply some product in exchange for money at a certain price. And, times may change. You may decide that this isn't really a great deal for you. It was last year. It isn't this year.

You want to go out, find greener pastures, it, it may be that paying, paying damages for breaching that contract turns out to be a better economic decision than staying with the contract. So you do it, right? And you pay those damages and, you might need to get a court involved to figure it out.

But the reality is you can't make that kind of economic decision and then turn around and expect an insurance company to cover it. Okay. That's not what they do. They don't. Insurance companies typically cover accidents and, unfortuitous things, and, having, a company at its highest level say, hey, this agreement isn't good for us.

We're just gonna, let's get out of this. Let's pay to get out of it, buy it out, basically, isn't something that insurance companies ever agree to cover. And some state courts will say, yeah, and you know what? If even if they did agree to cover, we're not going to allow it because it's against public policy.

We don't want, we don't want the existence of insurance dictating people's decisions in that way. And so when it comes to cyber, for example, a lot of policies do contain what are called exclusions, meaning the policy doesn't cover things like contract damages and/or claims for indemnification by vendors or other parties that you do business with. And, in the cyber world, it's easy to think that your responsibility for maybe failing to prevent a data breach or what have you is a totally separate thing, but the reality is those things are highly wound together. And what we see are, in fact, a lot of insurance underwriters demanding, when they're trying to figure out whether they're going to issue a policy, by the way, which is often a 30 page plus application that requires, in my experience, 15 people to put together, including me, to advise them on how to do it. Very, very tough project.

But, in addition to going over all the things that you'd think a cyber liability insurer would want to see, you know, what data do you have in the cloud, who are your cloud vendors, what are your various security protections?

How do you train your employees to avoid phishing? All that good stuff. They also want to see what your indemnity contracts are with your major suppliers or vendors or professionals and things like that. Just in case you do something that's going to affect them and they're going to sue you, or they do something that's going to affect your liability and give you some other claim there.

And I get a lot of questions. Can you insure these things? And the answer is there just isn't a product out there that can do it. Even assuming it's legally possible, I don't think anybody's really figured out a good way to do it. And part of it is that there's just an incredible diversity of risks and relationships out there.

And, you know, even amongst two companies that, say, do the same thing and directly compete, they don't do it the same way, obviously, and it also raises big questions about, even if you could do that, is it actually feasible to do that?

We get a lot of mid sized companies that need to enter into contracts with, say, Amazon Web Services to get cloud computing capacity. That's obviously a very large company. And a company of that size can often go to you and say, here are our terms and you take it or leave it, right?

You could go to Microsoft, you could go somewhere else. But these are our terms and we're just not going to negotiate them because we have the market power to do that and you don't. In some instances, Amazon or Microsoft might find themselves in the other side of that equation, more often not, but that's also the other thing.

I think insurance underwriters would be very, if I were one, I'd be very concerned that, how do you control those negotiations? You can go in with a great plan, a great language that makes everybody comfortable, and the other side can say no, and then what do you do? Do you need to work with that company, do you have a choice, are the other choices, you know, too expensive?

Are they even practical, so there, I think it's almost, there are too many unknowns in there putting aside the legal restrictions on doing

Neal Dennis: So we're going to play quick lightning round. I got two more questions I want answers to real quick, and we've got a few minutes left, which is awesome. Like I said, I had my happy juice before, so I'm actually taking my notes and writing down following questions here more so than I have in the past, but so two quick questions.

Let me see which one I want to go with first. And you talked about cost. That's obviously front of mind for most people. Curiosity question, 2 minutes or less each. How much does not just showing compliance, but following legitimate compliance and risk models help with your contractual discussions around the cost?

So we're obviously zero trust mentality on this side of the fence discussing these things. There's a framework now, but, whatever, it's newish. But if someone was to be able to come up and say, hey, I've got zero trust or NIST standard X, Y, Z and this stuff, how much less complicated does it make the insurance discussion versus you having to say you should really go out and do X, Y, and Z?

So that's question one, cost perspectives versus compliance. And then two, the other part of that question is, if you had to pick a compliance model for just the day to day average company, is there a particular one or two or three that you would point to standardization wise to make it less complicated for you to do your job?

Throwback to Andy first and then Karl.

Andy Moss: Okay. Yeah. On number one, the compliance versus cost. It makes it a lot easier. The reality is, a lot of clients come to me and say, I'm not sure anybody's going to want to insure me. And there are certainly some companies that will look at your profile and decide they're not interested in bringing you on board.

But for those that do, a lot of companies are often pretty surprised to find out that there might be quite a few players that are willing to insure them. The question is how much is that going to cost, and investing that money upfront is a huge time saver, because, at the end of the day, the insurance company is trying to price risk. And, while there's no such thing as a perfect risk, perfectly good risk here, the most sophisticated companies routinely run into problems, you know, largely because of the human factor, I would say, but also just because of the sophistication of the attacker. Obviously, zero trust, using NIST standards, all that stuff, you know, having dedicated people, obviously using, you know, the latest and greatest tools within reason that you can afford, you know, and obviously money is a factor there for any business as well.

At the end of the day, if the underwriters are comfortable, you're going to get a better price on this insurance, which might mean one of two things. I don't think a lot of companies look at it as saving money, but I think I would say a good portion of my clients then take that money, that savings, and reinvest it in buying more insurance if they can get it.

Because the reality is, for most companies that are in the middle, at the average, where, that bell curve, what have you, I would say most of them probably feel that they don't have as much cyber insurance as they would like, either because they have very high deductibles or retention, so they have to pay a lot up front, or they just don't have the amount of limits that they really think they need.

And that's not always the case, but it is a big point of anxiety at the risk manager level. And having that investment up front means better pricing and better control over getting your claims covered.

Neal Dennis: Cool. Karl, real quick, your take, and then I'm going to wrap back up to that second part, which is your favorite standard. Or plural.

Karl Sharman: So I suppose like the, if we focus on the application process, that's got a lot more sophisticated, right? It was initially a few questions, very simple checkbox exercise. It was insured or not to insure, right? It was the decision. Now it's much more, all comes into considering actuary, considering actuary, considering the pricing has become much more apparent.

And so the whole process has become more sophisticated. So that's become really important. So if we consider like the evolution of risk ratings as an easy example, that has become part of the cyber insurance process, in order to get there.

And now we're going through the process of now doing penetration testing as part of the process, installing EDR as part of the process. So it goes back to the old mentality of the car, of like they put trackers in the car, in that respect. So if they put in trackers in the car, the insurance company can monitor what speed you're going, how badly you're driving, stuff like that.

None of us really want that, but if you want a cheaper insurance model, there are models that now do that, right? So we've gone through this evolution of, how much control can we give the insurer where they know more? Because previously, the insurance companies didn't know anything. And we found, they found that people were lying on the application.

And when it came to a breach, they didn't actually have MFA on, as an easy example. So the more they know, the more comfortable they feel, the better the pricing, stuff like that. But we have to remember there's nothing like cyber insurance. We can talk about weather, which has been the most comparable means in terms of unpredictability around insurance, but there is nothing really like cyber. Car is not the same because you don't have as many companies affected as you do with one accident.

It's just, there's just nothing relatable to it. So the last point I make on this is the insurance company offers a lot of complimentary services and they offer a lot of vendors, but yet the uptake is incredibly low. And that's mainly because you have to think about the buyer. The buyer is often the CFO with insurance.

It's not the cyber, it's not the cyber security team. So the thing that a lot of companies are having to change is who is in charge of this, who is buying this because the CFO just wants the lowest price. Okay. That's what often the main, the focus is. They want the lowest price. They just want to get the, get it so they can say to the board, I've got cyber insurance.

And so that makes it really challenging because that might not give them the right coverage if the right people aren't involved in that discussion. It also might mean that the technical expertise is not being managed. And so what we find is that the hardest thing is getting influence over the company, which comes back to my uptake: the uptake on EDR, the uptake on vendors, the uptake on services is very low because the CFO is the one leading that charge quite often, or someone in general counsel seat.

And that's not the person doing cyber day to day. So we've still got a lot of mentality changes to make in cyber. And this is what I mean. It's not. This is what I find so interesting about cyber and cyber insurance is because it's got a long way to go in terms of that mentality. But coming back to how we started this conversation, it's incredibly boring, but also about to get very modern and about to have so much innovation around this topic that I think it could be one of the most interesting and high growth areas in cyber security.

Neal Dennis: So I'm going to ignore the NIST standard cause I don't want y'all legally upholding to give people a discount for saying this XYZ is better than others. But I know we're technically up on time, but I'm going to ask the question anyway. So my true second question. Karl, you alluded to this. I've been fortunate.

I've worked with a bunch of random and odd companies over the last few years in my own professional side on my own consultancy thing. One of the more recent things was a mitigation company that is brought in by their insurance provider. So they're a small firm. They're there simply to help be project managers for when an event happens.

So they bring in their whole host of partnerships that they have with them and by proxy, they run these projects for whatever the breach or whatever the issue is. But they do this most of the time, either getting that phone call from a company that says, hey, something's screwed up, I need help, or the vast majority.

It's the insurance company, maybe the Andys of the world, come down and saying, hey, I have another one, come fix it. Thank you. Here's your paycheck. So Karl, to your point talking about services, I think for me that's the next step of the fascinating world here, is that, you know, we think of insurance as a whole, whether it's car insurance, whether it's home insurance, pick a flavor, we think of it more as a

Neal Dennis: to help us after an event.

We don't think about how it helps us build into mitigating an event or what those services are that it could bring to bear car insurance. Again, you get a crack in your windshield. It's not an accident. It's not an earth, earth shattering event. It's just a little bit, but most insurance companies want you to mitigate that before it becomes something worse, right?

They want you to go out there and they'll pay for you to fix your windshield for free. So all those who have good auto insurance, liability only typically covers this. And then, but it's a service that you don't think about. It's also like credit cards. You've got services on credit cards that help with insurance when you rent a car.

Things are those things that people don't consider. Last nugget, some of the key things, if y'all want to hit like minute on things people should consider about with their insurance provider. You mentioned vulnerability assessments and stuff as part of the actual assessment for quality. But I feel like those are things that people could come back and say, hey, once a year, help us figure out if our security posture is this or X, Y, Z, or give us a list of preferred vendors that y'all have already vetted and validated.

So what are some of those things, Andy, that in Karl, that y'all would say, and then I think we've got like a minute and a half and then we got to run, but

Andy Moss: I'll be super quick on this. Those are all fantastic ideas. And as Karl mentioned, the uptake on these things is actually on, very low. And I'll say from my perspective, which is purely legal, there's a strong reason for that. And that is the concern over liability.

Companies don't have any attorney client privilege with their insurance companies. Once they turn over information, that is potentially discoverable, which means like a plaintiff, if they do have, say, a big data breach and get a class action lawsuit, could potentially get their hands on it.

Now that's not to say that insurers will not cooperate and fight tooth and nail, just like my clients will, to protect that information, and they always do. And we know that they, you know, try as hard as they can. You're talking about legal requirements that, you know, could potentially compel them to do it. I think that's a major reason why they don't do it. I think, you know, but what they do in response is they do that, those things, you

Elliot: I'm

Andy Moss: choose to pay for those things and keep them within, their privileged fold.

And, as Karl mentioned, insurers often lack that information and they want that information. The tricky balance is always trying to provide that information, but making sure that we don't create like a non privileged record that could be accessed by somebody else because, God forbid you get that information in front of a jury.

And, they could be spun in all kinds of ways. Why didn't you do this? Why didn't you do that? Why did you only do this once a year when, maybe you should have done it every month, those kinds of things. And so I just wanted to leave it with that kind of practical legal issue that sort of, I always find underwriters don't really think about, but many of them, I'll say, are thoughtful people, and most of them are thoughtful people.

And at the end of the day they do get it, and there are ways to work with them to do those things without creating, at least, a big written record that the insurance company might be compelled to pack up and send to a plaintiff's lawyer.

Neal Dennis: Karl, any final words, sir, on that?

Karl Sharman: Yeah. No, of course. Andy's done the more legal version. So I'm going to do a bit more of the dreamer version a little bit. But I think we're heading towards a transparency phase of insurers wanting to be closer to their clients, especially on the broker side, because they're the ones who normally manage the relationship.

I think we, I hope long term that we're going to head where insurance is doing "don't punish for overcommunication". So I'm thinking about moving on alerts quicker as one of my biggest things that I'd love to see, not waiting till we go, oh, it's a breach. Let's tell her insurance.

Can we move on this quicker? So if the SOC identify something and they can't manage it and they want to see if it's gone further, allow an incident response firm to come in, where the insurance will cover that, because that will save a hell of a lot of money for the insurance company longer term, if they can mitigate it and eradicate it very quickly.

The second thing is, I want more companies to take up more proactive services because, even simple thing of running through an event. Just practicing that whole thing. We never know how humans are going to react in that moment. And people have done some very silly things very quickly and got their data encrypted, made the wrong decision, gave over information they shouldn't have, some practicing that we've seen companies have some big successes by practicing this and actually then being able to put it into practice.

The third thing is I think cyber insurance companies can innovate a lot of the industry because they have the data. They know the breaches. They know how people got in. They sit on substantial amount of data. And we're very lucky at Forgepoint that we have an incident response firm and we have one of the biggest data lakes breaches in the industry in our portfolio.

We do also see a lot of data, but I think the insurance companies have a way of being able to articulate that and see trends and see movement before anyone else does, a bit like our CISA and Jen Easterly and co have got their messages out about key moves. I think the insurance companies have a real responsibility to act on some of that as well.

And I also think that they could be the new VAR, like I think they could be the new value added reseller because they have the client base, they have the opportunity to be able to sell in terms of that. And I think it's a really interesting role, especially the brokers could play in that in terms of, they're seeing so much technology, they're seeing what best practices are, they're a really great place to learn.

And then they could also be that reseller extension. And I think that could be a really unique place for the insurers to go.

Neal Dennis: fun. You'd hope that the legal stuff would get taken care of a little quicker. No,

Andy Moss: it might require a sea change in the law.

Neal Dennis: no, I think so. I'm going to wrap up that part, but I think that's a fascinating thought. Elliot, for our part, maybe we can find a way to do an episode on the things you don't realize you have access to and bring in the insurance crew. Maybe if we can get someone from DHS that finally wants to push through their legal issues, we've had opportunities to talk to DHS, but every time they offer their legal team tells them to shut up.

Andy Moss: I think you'd need to bring in all 50 attorney generals of every state. So it could be a little unwieldy,

Neal Dennis: yeah, thank y'all very much. This is legitimately, I have a lot more curiosity questions, but we'll have to save them for a later day.

Elliot: All right. And that takes us to the end of the episode. Andy, Karl, thank you so much for being here and sharing your perspective. As Neal alluded to, it sounds like we're going to have at least a round two or three somewhere down the road. And you actually hit the nail on the head for where we're going next, maybe next episode or somewhat similar, is we're going to be chatting with ransomware with some previous guests that we've had, and either you pay or you don't pay, but we already know the answer is going to be.

They don't want to pay. But we will get to that next and we will definitely bring you back in for a round two when we get to it. So thank you all so much.

Andy Moss: to. Thank you. Happy to be on. Great talk.

Announcer: Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about zero, go to adoptingzerotrust.com. Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show did not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.

Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.