September 15, 2020
At Intellectmap, we pride ourselves on our cybersecurity consulting and on delivering cyber solutions tailored to our clients’ needs. We also understand that, in the ever-evolving world of cyber threats, one can never be fully protected. Cyber insurance, also known as cyber liability insurance, is important to have should a prevention and mitigation strategy fail; it can financially protect a company in the event of an attack, a malicious employee, or even employee negligence. With this in mind, we set out to learn more about the industry by interviewing the following experts in cyber insurance:
- Tom Finan is a Cyber Growth Leader at Willis Towers Watson and a former cyber leader at the Department of Homeland Security.
- Stephen Viña is a Senior Vice President in the Cyber Practice at Marsh, and a former Chief Counsel for Homeland Security on the U.S. Senate Homeland Security and Governmental Affairs Committee.
- Peter Hedberg is Vice President of Cyber Underwriting at Corvus Insurance.
- Chris Shafer is the Assistant Vice President at Guy Carpenter’s Cyber Center of Excellence, a reinsurance broker.
- Dennis Logan is the Cyber Education & Marketing specialist for Professional Risks Solutions, a wholesale brokerage.
- Austin Hepburn is a National Wholesale Broker at Risk Placement Services Inc., specializing in cyber, professional and management liability.
- Mark McCarrick is Broker at Pro Writers, an insurance broker that specializes in cyber insurance.
Each of these experts offered us deep insights about the cyber insurance industry and where it may be headed in light of COVID. In this blog post, we summarize some of the main questions we asked in our interviews and the insights they provided, as well as some key takeaways from this experience.
1. What do you look for when talking to a client for the first time?
To identify the best policy for you, brokers need a deep understanding of your company’s cyber risk profile. To do this, as Stephen explained, they examine factors such as risk tolerance, business operations, data, and cyber controls. After digging some more into the nuances of these categories, we took away two main insights.
Because cyber insurance is young and policies vary greatly in what they cover, getting the best coverage for your needs means finding a policy that is tailored to you. For example, regarding social engineering, Austin brought up how some policies have begun to cover not only money but also goods that are shipped in good faith in response to a fraudulent request. This could prove essential for a company in the manufacturing industry. Chris also highlighted that, while it would be great to have everything covered, sometimes companies need to prioritize according to where their risks lie. For example, a manufacturing client may want to focus on business interruption, whereas a law firm may want to prioritize incident response and forensics: “it comes down to identifying and prioritizing where your risks are and what you can handle.”
Because there is no one-size-fits-all policy, and the language used by different insurers can be inconsistent, Stephen explained how crucial it is to have a broker who will work to understand the nuances of your business and then partner with you to craft a policy that is best tailored towards your needs. He also mentioned that since the risk environment quickly changes, “last year's policy might not reflect your organization's current cyber posture or business practices, or there might be changes in the regulatory or threat environment that call for changes in your cyber coverages,” so it’s important to keep future needs in mind when examining policies.
Brokers not only want to understand the needs of their client, but also the full risk scope the underwriter is covering. In addition to examining factors such as the sensitivity of data, they want to understand a company’s culture around cybersecurity. From the beginning, Tom seeks to answer questions such as “What is their philosophy as a company when it comes to managing cyber risk?” and “How is it relevant to the day-to-day goals and objectives of the business?”
When we asked Peter about the importance of a company’s cybersecurity to underwriters, he explained that if the cybersecurity strategy is bad, he simply declines the company’s application. If it’s mediocre, he’ll charge a higher premium, and if it’s great, he’ll give them the best price. As Tom informed us, this is a move that underwriters are increasingly making: “As the market learns more and more about what ‘good cybersecurity’ looks like, it's actually becoming more of a differentiator.”
2. Is a company safe from cyberthreat with just insurance? If not, what other measures do they need in place?
The general consensus was that, while cyber insurance is an important part of a company’s strategy, if a company doesn’t also focus on prevention and mitigation, not only are they exposing themselves to unnecessary risk, they’re also more likely to get worse coverage, higher premiums, or even no coverage at all. Dennis likened it to car insurance; just because you have insurance doesn’t mean you don’t have to buckle your seatbelt or use your turn signal.
When it came to measures companies should take, the easiest measure that everyone mentioned was enabling multi-factor authentication (MFA). “It's not a silver bullet, but it has been an effective thing we've seen right now in preventing business email compromise, which is generally the main vector for people to intrude in these organizations,” says Peter. The other measure everyone mentioned was having good awareness training for employees. However, Tom specifies that “it can't just be the checkbox cybersecurity training.” Rather, companies should strive to “get to that human element and that human psyche, to make it part of their DNA of how they conduct themselves.”
In addition to these two factors, many referred to the NIST framework as a great place to start for establishing a cybersecurity strategy. While there is no “one-size-fits-all,” as Stephen pointed out, some things worth considering when creating a strategy include risk assessments, penetration tests, encryption, data management, and data back-ups.
As many experts pointed out, their clients are often unsure as to whether they should be investing in cyber insurance or in prevention and mitigation. The consensus was that both are crucial to an effective risk management strategy. “I would encourage Chief Information Security Officers to be advocates for cyber insurance as a complement to the good work that they're already doing,” says Tom.
On one hand, even the best prevention and mitigation strategy is never foolproof. Dennis summarized it well when he said “Listen, it's not about you in particular. It's not even necessarily about your closest employee. It's about frankly, your worst employee, or your laziest, or your lackadaisical one who clicked something wrong.” Even a thorough training program can never fully eliminate the risk of human error.
On the other hand, as Tom brought up, “Cybersecurity insurance cannot be the sum total of a company's cybersecurity program. If you haven't done the basic building blocks of a program, the policy is really not going to help you. An underwriter is not going to want to cover 100% of the loss that could have been prevented or mitigated to some percentage lower.” Peter reiterated this claim, cautioning people to not have unrealistic expectations for cyber insurance. “People think that insurance is just going to buy everybody brand new servers, or get them totally virtualized with everything covered… We’re going to repair what the policyholder has to the best that we can do. That’s just a general limitation of insurance that gets misunderstood.”
3. What are some red and green flags people should pay attention to when evaluating a policy?
The main consensus was summarized by Mark, when he said, “If you’re getting the cheapest possible insurance… there’s a good chance you’re not going to be covered for what you need.” The same can be said about flexible coverage. Dennis pointed out a helpful rule of thumb: “if you feel like you have to select a lot of coverages, I would probably run because they’re trying to give you watered down coverage.”
One of the most notorious and most cited examples is an endorsement, such as those on a Business Owner’s Policy (BOP), a type of insurance package designed for small or medium businesses that bundles basic insurance. Peter explained that these endorsements are actually more of a way for an insurer to avoid liability rather than an affordable option for cyber coverage. When companies add a $25,000 endorsement for cyber, Peter warns, “That's not the insurance company saying, ‘Here's extra coverage’. That's the insurance company saying, ‘I don't want there to be a doubt that I don't have any liability for this. So, if something happens, I'll write you a $25,000 check and I'm done’.”
Austin also added that, while BOP endorsements are thankfully losing traction, another issue to be aware of is that they often provide only third-party coverage (e.g. legal expenses when someone sues you after a breach) as opposed to first-party coverage (e.g. recovery activities after your company gets hacked). “What we're actually seeing is about 90% of the losses and the claims are first party losses,” he says. “That’s obviously mainly ransomware and cybercrime coverages, and many of those BOP endorsements don't have either of those.” All of these endorsements are harmful because, as Austin pointed out, they instill a “false sense of security” in a client.
While it’s clear that the many unique needs of clients rule out “one-size-fits-all policies”, certain elements of cyber insurance were identified as absolutely necessary. When evaluating a policy, Dennis explained, the main area you want to make sure is covered is cybercrime, which includes events such as ransomware. “That’s the most important thing to have on there because that’s where, especially the BOP add-ons, try to skate away from coverage”. Diving deeper, two important areas to examine center on business interruption and privacy liability. Business interruption encompasses losses that result from an attack on your business or on one of your vendors (the latter sometimes referred to as contingent business interruption). An example of business interruption would be covering the lost profits or expenses if servers go down, whether from an attack or from employee error. It could also include a ransomware attack. Privacy liability, on the other hand, comes in if you are, for example, sued by a customer because their sensitive data was exposed, either as a result of an attack or of human error. However, it’s important to note that if any of these events are caused by cybercrime, and cybercrime isn’t covered on the policy, insurers may not cover anything.
Mark noted that it was also important to pay attention to clauses related to full limits: “We're looking for full limits. And when I say full limits, if somebody buys a million-dollar policy, sometimes coverage can be sublimited to, $100,000 for this coverage or $250,000 within that coverage, but we want to see full limits on stuff like regulatory defense and penalties.” Peter seconded the importance of full limits, though he focused more on ransomware. He also noted that, regarding ransomware, you need to be careful that the trigger for coverage isn’t limited to a technical intrusion, such as a brute force attack or the exploitation of a software vulnerability, but also includes social engineering, for example someone being tricked into sending credentials to a cybercriminal.
4. Is cyber insurance necessary for every business?
Although we recognize the obvious bias that comes with asking brokers and underwriters this question, we nevertheless found their responses insightful, with a couple takeaways standing out.
One thing everyone we spoke to agreed on was that every company could benefit from insurance, no matter how big or small, because everyone is at risk of cyber threat. When we asked Peter this question, his response was simply, “Can you think of any business right now that doesn't use email for its communications?”
Austin reiterated this, saying that smaller companies, or even lower-level employees sometimes mistakenly think they aren’t at risk of cyberthreat. “People think that, for example, putting a keystroke recorder on, ‘they would never do that to my laptop. Why would they, I'm just Joe Schmo?’ Well, that's why they're doing it to your laptop. You are Joe Schmo, and you're going to get them into the network that they want to get into.” Dennis also pointed out that smaller companies are equally liable in the event of a breach, especially for regulatory demands. “In some states, it can be up to $40,000 per record exposed, that they can charge the client for losing or leaking a record.”
Though everyone agreed that companies can all benefit from cyber insurance, a few experts offered up some advice for companies that might not be quite there yet. For example, Tom believes that while insurance is something that every company needs, “I don't know that everyone needs it at the same time…I actually think companies are well served if they first spend time with cybersecurity investments on their prevention and mitigation … and then figure out where there are gaps.”
Austin agreed, but acknowledged the high price tag: “No matter what industry you're in, no matter what you're doing, I think your company should have it. With that being said, some companies just can't afford it.” He added that, should a company choose to not get insurance, there needs to be a serious effort in awareness training. “Educate yourself. Educate the company. And it’s really important that it goes beyond just good practices.”
Interestingly, Tom pointed out that the process of evaluating cyber insurance alone can prove valuable to a company. “Even if they don't buy the policy, cybersecurity insurance is a great way to open up a conversation with people across the organization… And very often in that process, even in just the discussion stage, we're finding gaps, and that gives them an opportunity as a business to focus on that.” He also brought up that since insurance isn’t technical and is generally a familiar concept, examining cyber through that lens can be an easier way to bring the topic to the boardroom.
5. How do you see the industry changing in the next five years?
All the experts seemed to agree that cyber insurance, along with cybercrime, is still growing and evolving, and with time, these changes will be reflected in policies.
One point we heard a lot is that, as the industry matures, underwriters may become stricter with their limits and coverages. “Right now, the whole market in general with executive liability coverages is hardening, and cyber is hardening right along with it, to where there are carriers not willing to offer higher limits for cyber liability,” Austin revealed. According to Stephen, this ties in with underwriters looking more closely at how companies are handling cyberthreats. “Because of rising concerns over increased ransomware and social engineering attacks, underwriters are closely analyzing how their prospective clients are practicing risk management.”
In the long term, Chris sees coverage growing for qualified companies, instead of shrinking. “As more companies start to buy and there's a better understanding of what the threat landscape looks like, I think cyber will continue to grow in the amount of coverage provided as well as the number of companies that are purchasing.” Mark went so far as to say that as technology becomes increasingly important to a business, cyber insurance will be one of the first policies a company buys. Chris also predicts that future policies will be clearer, especially surrounding the notion of “Silent Cyber,” where a cyber event triggers other insurance policies: “I think coverage clarity around that whole realm is definitely an area of focus right now.”
While the full impact of COVID on the cyber insurance market remains to be seen, the industry was already changing well before COVID, Stephen explained. “I think COVID may accelerate some of these trends and some of these issues, so we’re starting to see that play out.” There were two issues experts cited the most: BYOD (bring your own device) and remote work.
In the past, BYOD has been a tricky area in cyber. As Mark pointed out, “A lot of insurance companies have language where the trigger only applies to devices owned by the company. So, for example, if I’m working for a consultant, I’m using my own computer and I get compromised, some carriers will deny that claim because the coverage doesn’t extend to personal devices.” But with the shift to remote work, he sees this changing. “We have a couple carriers who initially didn't have that in their wording. And then once COVID hit, and everybody started working remotely, they would issue endorsements that would say, ‘You know what, we’re going to amend our wording and broaden it.’”
BYOD aside, both underwriters and cybercriminals are aware of the increased distractions that come with remote work. As Tom put it, “distractions correlate directly to click rates, unfortunately. And that’s something that cyber criminals are keenly aware of and are taking advantage of.” Because of how these different work environments can impact a business’s cybersecurity, insurers are increasingly paying attention to how companies are transitioning. “I think a question brokers and underwriters alike are going to have is, ‘how are you securing the worker in his or her home environment? What are you changing?’” says Tom.
This shift is resulting in increased demands on both underwriter and buyer sides. As Stephen explained, the transition to remote work is prompting underwriters to scrutinize security controls differently and reevaluate their offerings: “The market’s definitely evaluating a variety of different parts of their insurance products in light of COVID.” On the other hand, Austin brought up how companies are asking for more from their policy, both as a result of remote work and the general rise in cybercrime. “A lot of insureds are starting to say, ‘we need to make sure that we're buying the Rolls Royce of an insurance policy.’”
While we’ve already touched on some common misconceptions, such as how insurance and prevention and mitigation are an “either/or,” here are a couple more that came up in our discussions.
One misconception that each of the experts mentioned was the belief that insurers don’t pay their clients’ claims. The consensus was that this is simply false. According to Stephen, “If you talk to any of your underwriters… I think they will tell you that they’re paying millions and millions in cyber claims, particularly related to ransomware and social engineering.” Peter seconded that, saying that a few years ago, loss ratios for cyber insurers were in the 20s, sometimes even the teens, but they have since skyrocketed.
According to Peter, this misconception stems from an unrealistic expectation of what is covered, which emphasizes the importance of having a good broker. For example, a common misconception surrounds whether cyber insurance covers war. As Tom explained, “The war exclusion has been mentioned a lot about excluding cyber claims. And a lot of those articles stem from NotPetya events, and that event actually stems from a property policy and the war exclusion involved in a property policy. So, I think that misses the point that this did not involve a cyber policy.”
While for some cases, such as NotPetya, the claim would actually fall under another policy, in other cases, people simply overestimate the role of insurance as a whole. “I think there’s just this misconception that anytime anything bad happens, it’s covered. It’s just not,” says Peter. “Read insurance. It’s designed to cover specific risks. And a good agent and a good broker will explain that, so an insured is not surprised if something is or is not covered.”
The claim that insurers want their clients to pay their ransoms is misleading. Essentially, Chris explained to us, “they’re trying to make it so that you don't get hit by ransomware to begin with, but if you do that you can recover as quickly as possible. Whether it's paying or not paying, comes down to the business' decision.”
Peter shared that in his experience, sometimes companies see paying the ransom as their only option, and if it gets to that point, it’s important to know that insurance is there to help. “Ransomware used to be a tiny fraction of what we do, I would pay maybe two or three of those claims a year, four or five years ago, and they were only like $10,000 apiece. Now, it’s like a whole service… Some demands are six figures. A lot of times we’re seeing them at seven figures.” In these cases, Peter was clear that insurers are there to help, should one decide to pay. “There's this weird sort of tacit agreement with law enforcement right now that we're going to continue to pay these ransoms. The reason why law enforcement is allowing us to do that is because frankly, the alternative is much, much worse.”
On the other hand, Stephen was also very clear that, should a company decide not to pay the ransom, insurance policies still provide value. “A cyber insurance policy offers so many other things beyond covering the ransom payment if a ransomware event does happen.” Some examples he provided include business interruption loss and costs of the forensic investigation, public relations, and replacement or restoration of compromised data, to name a few.
But ultimately, the goal behind insurance companies becoming more selective in who to cover and in giving better premiums to more prepared clients boils down to, as Chris explained, “trying to help create a situation where employees don't click the link and aren't infected to begin with. The whole point of insurance is to be there if it does happen, they're just trying to make sure it doesn't happen all that often.”
To sum it all up
- If you haven't already, familiarize yourself with your business’s cybersecurity posture – underwriters want to know the risk you pose, and brokers want to know your business’s unique needs.
- Underwriters were already getting stricter; the shift to remote work and subsequent rise in cybercrime has accelerated this process.
- Be wary of cheap plans, BOP endorsements, and flexible options – different verbiage can leave clients misinformed about their policy’s coverage.
- No one is immune to cyber threat; combining a solid prevention and mitigation strategy with a quality cyber insurance policy is a critical step forward.
- Multi-factor authentication and thorough employee training are an easy and effective way to improve your cybersecurity posture; going deeper, every company benefits from having its own strategy, and the NIST framework is a good place to start.
- A good relationship with a broker who deeply understands cyber insurance is the best way to avoid misconceptions and ensure you have the right policy for your needs.
For fifteen years, Intellectmap has been providing secure, AI and cybersecurity solutions to companies of all sizes, with a particular focus on remote teams. We are dedicated to providing cybersecurity services that will go hand-in-hand with your business’s ideal cyber insurance policy, such as our cyber insurance consulting service, our personalized cybersecurity awareness training and our penetration testing and threat detection services. When you engage with Intellectmap, you are not simply getting a service, you are getting a team of trusted advisors for your company’s cybersecurity. If you’re unsure of the state of your company’s cybersecurity, sign up for a free consultation.