Steven Maresca 00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:10
Welcome to CyberSound. I’m your host, Jason Pufahl, joined today by Steve Maresca. Hey, Steve. So, we are going to revisit some of the older episodes, actually. So we realized that we’ve been doing this for the better part of four years now,
Steven Maresca 00:26
Just a while,
Jason Pufahl 00:27
Just a while, and we have a lot, we actually have a lot of really good content, but we also have a lot of content where sort of the topic has evolved or changed, and, you know, there’s still really relevant things that people are engaged in. So today we’re gonna talk a little bit about cyber liability insurance. For example, it’s a space where renewals are constant. So every year somebody’s looking at that, a lot of people still are getting new policies. And what we talked about, honestly, back in February of 22, episode 27 was ‘Cyber Liability: New Requirements to Get Insured.’ We spent some time talking about, really, what was a little bit of a surprise to a lot of potential policyholders, where they went from being able to do almost a one-page application to a much more rigorous application that had a lot of technical requirements, like EDR and MDR as a specific expectation, implementing MFA, multi-factor authentication, as an expectation, defining a little bit more clearly where MFA would need to be applied, defining a little bit more clearly what type of backup strategies would be in place, so very technical outcomes, but things that really weren’t the expectation even a year prior. And we talked a little bit in that podcast about the fact that the insurance industry underestimated how successful ransomware was going to be, really it cost them a lot of money, and then they realized, well, we need to, we need to have better rigor to evaluate the company, a company’s security profile, understand what our potential risks are. And so they kind of, they kind of quickly, sort of levied all these controls. They’re kind of blocking and tackling. I think in reality, a lot of these things are probably implemented now, but you deal with insurance questionnaire discussions too many times, all the time. And so you know what? What does it look like now, and really what’s changed?
Steven Maresca 02:24
Yeah. I mean, so retrospectively, the timeframe of that earlier episode, which again, was three years ago, was sort of on the heels of renewals, including 150-300% premium increases. That was a course correction that the carriers made to recoup some of those costs because of ransomware, and the rigor added to some of those applications was again to increase the overall competence of the insured entities. Both of those happened simultaneously, so every industry was impacted and hurting from that, and that’s the backstory. It’s sort of the framing that the fundamentals that they asked for then, like you said, were the basics that we talk about all the time on this podcast, just to ensure good defenses. However, things have shifted now to be even more detailed, but more capabilities, operations focused, not so much foundational tools and capabilities,
Jason Pufahl 03:28
Because the assumption is that they’re in place?
Steven Maresca 03:29
Right, but how they’re used, what practices are attached to them? How successful are organizations in adhering to the practices that they’ve outlined? So things have changed. And it would be important to understand that even today, cyber liability insurance is considered a new product line from the perspective in the insurance industry.
Jason Pufahl 03:51
Yeah, it was like 15 years old?
Steven Maresca 03:53
Something like that, a little older in some areas, but it’d be in the early days under channel liability, or, you know, something like that, compared to, you know, Lloyd’s of London insuring ships hundreds of years ago. So it’s brand new, and all the carriers are still finding their way and their risk tolerance. I think that there’s a coarse dividing line between old and new, maybe starting 2023-2024, where the market calmed a little bit, premiums didn’t increase as much, and the course correction was largely concluding. In the moment, you know, in the last couple of renewal cycles, what they’re asking for are more, how do you do backups? When’s the last time you performed a backup verification, a test? How frequently do you scan for vulnerabilities? What are the things that you’re doing to resolve those vulnerabilities and help quickly? Prior to that, you know, carriers might ask, Hey, here’s this vulnerability you just experienced, as a supplemental question, how did you handle it? It wasn’t formally included in,
Jason Pufahl 05:02
So is this more, is it more process documentation that you’re seeing now then?
Steven Maresca 05:05
They’re not asking for process documentation or evidence of it. They just want to know that you’re meeting. They want to know what time frames you’re meeting for certain things, how frequently you are performing those tests or risk assessments.
Jason Pufahl 05:17
Yeah, so it’s not so much, you know, have you run a vulnerability scan? It’s, are you doing them quarterly or monthly?
Steven Maresca 05:19
Exactly, describe the frequency of your vulnerability scans. If you’re not able to supply a frequency, it’s a bigger, yeah, you know, mark compared to what it might have been otherwise. And I do think that many things still ring true, in the sense that, in comparison to our earlier episode, the guidance to use a broker to find the best rate to negotiate, to have carriers compete against one another, still remains accurate. It is an absolute requirement. It’s a conversation the market still has some variability, in the sense that some carriers care less about certain risks than others, and some have really simple applications, and some don’t, finding a good match is pretty important, and you can lower premiums that might have increased by shopping the market that way.
Jason Pufahl 06:12
So actually, I was going to ask about the lowering premiums. So shopping the market, that’s a standard process for any type of insurance. But is there, you know, can you demonstrate more rigorous security?
Steven Maresca 06:22
Absolutely, yeah, yeah. And I’ve seen premiums drop by $50,000 in some larger organizations, because you can demonstrate you’ve made substantive improvements relative to those foundational requirements. And it’s an element of competition too. But yeah, you can save money by showing you’ve done the right things, because the broker has your prior application, the carrier has your prior information, they know that you’re now a lower risk. So it’s worth talking about with detail, because organizations can actually demonstrate forward progress. I think it’s important to understand too that there are other insurance products that may include cyber liability. It’s not as though you need to go full bore to a cyber carrier. Errors and omissions insurance in general, general liability insurance, sometimes they have cyber riders or additions that you can add on. Those might be the most appropriate approach for a smaller organization that doesn’t want to pay a full premium of a large cyber policy. So there’s shades of gray here. Actually, some interesting changes have occurred in the last year and a half or so. A lot of the carriers and the brokers alike are offering tools, occasional scans or reports about your current point-in-time appearance from an internet perspective, scans, they’re doing things that previously you would be expected as an organization to perform by yourselves. You get a perspective of what the insurer has. It’s a free benefit. You can run a tabletop exercise. There are lots of positives that come out of this, because they want to lower risk too, because it increases their bottom line.
Jason Pufahl 07:28
And you, and you still get some ancillary benefits, such as maybe a security review or more access to legal counsel, things like that. Yes, yeah. Have you seen any changes in their engagement strategy, engagement process during an incident, bringing different resources to bear than they did three, four years ago, still focused largely on the, say, notification and legal side, a little less maybe on the actual remediation space?
Steven Maresca 08:32
That remains accurate. Since 2022, since 2020, ransom negotiation is a much more common practice. It used to be less engaged. These days, it’s an expectation to some degree, in terms of counsel, on panels, in terms of some of the providers that might be called to bear to assist, they’ve improved. They know how to work with the market. They know how to recover from an incident better, but it remains largely notification focused, but that’s the primary liability, the cost liability to a carrier anyway. They’ve engaged in some other different ways, too, in the sense that for application renewals, many carriers, many brokers, now have a portal. It’s not just a PDF anymore, so it is a lot less painful to supply information than it was previously,
Jason Pufahl 09:28
Partly because you provide information one year, and it can maybe,
Steven Maresca 09:31
And they reimport it, which is a materially new change for a lot of the entities out there. And it’s pretty important, because the applications are still getting more complex. I have one recently that I like to reference, that’s from a publicly traded corporation, that’s 75, 80 pages long.
Jason Pufahl 09:53
Oh, so hugely longer than they were before,
Steven Maresca 09:56
They, as publicly traded orgs, they have higher expectations and compliance requirements. So it’s maybe 20% more onerous. But the point is more that you really need those tools for renewals, because it just makes life easier.
Jason Pufahl 10:11
Yeah, I mean, it’s, honestly, it’s a surprise, so I don’t, I don’t nearly deal with the insurance requests that you do, yeah? So the last time I looked, you know, we probably saw, you know, five-page, 10-page, some 20-page ones, but nothing that was 80 pages.
Steven Maresca 10:24
It’s different. Okay, not all the carriers do it, but the ones that have the highest potential exposure certainly do. Yeah, they may ask for addendum, addenda applications, like for bioinformatics, or certain privacy considerations, like the California privacy law for, you know, tracking pixels and things like that. That’s the stuff they’re checking for. Definitely didn’t three years ago. Yeah? So it’s really matured, absolutely, yeah, huge changes in three years.
Jason Pufahl 10:52
Yeah. I mean, you when you’re talking about some of the things that we talked about just, you know, just a few years ago, MFA is as basic as it gets, right. Everybody’s doing that now. EDR, MDR, maybe we’ll see a move to security operation centers or some other event aggregation tools. But the expectation is these tools are in place. So now it’s really demonstrating sort of greater rigor across the security space.
Steven Maresca 11:15
Demonstrate that you’re using the tools you have, that you’re monitoring within, within some sort of SLAs, that you’re acting upon the outcome of those tools, and furthermore sustaining that level of maturity, because they want to know that you’re evaluating for regressions and backtracking, which is the importance of pen tests, and the reason that they ask about vulnerability scanning.
Jason Pufahl 11:36
So actually, that’s a question, are there, are there carriers asking for something as robust as a pen test? Absolutely.
Steven Maresca 11:42
Yeah, yeah. It used to be considered a, you know, a medium priority in 2020, 2022, somewhere in that neighborhood. Now it’s pretty much high profile, not an expectation, per se. It’s standard fare, yeah, a desired item, okay, yeah, that has the nice to have.
Jason Pufahl 12:04
I mean, any, any other major things you want to do an update on?
Steven Maresca 12:08
I think it’s worth saying that some organizations still haven’t really fully invested in the bigger ticket items, like a SIEM, or security information and event management platform, logging aggregation in general. Those are expensive, and they are extraordinarily helpful in the context of an incident. If that budgetary outlay can be justified, not only do your day-to-day activities get a little easier, but your risk profile drops. And I think you save money in the long run with a premium. You may actually find that, net, some organizations do not pay as much as they expected because of potential reductions. So there’s an argument to be made to make those investments.
Jason Pufahl 12:48
I mean, that’s a positive, because I feel like the conversations we’ve had in the past have always maybe brought a little bit more on speculation about, you might be able to save money if you’re able to do some additional things. Now, it sounds like that’s more baked in.
Steven Maresca 13:00
I’ve seen evidence that during many organizations over and over.
Jason Pufahl 13:03
Yeah, that’s a big change. That’s real positive change. Okay, if anybody wants to listen to it again, it’s, it’s episode 27, ‘Cyber Liability: New Requirements to Get Insured.’ They’re not as new if you listen to the older episode, obviously, but, but the fact is, if you’re not doing the things that we mentioned in narrow deal, those are certainly baseline requirements, yeah, no matter what. So it’s still valuable. But I think the fact is, we’re three years removed from it. The space has changed a lot, matured a lot, and your orgs that want to sort of get sort of higher quality products, maybe at better rates, have opportunities.
Steven Maresca 13:36
And just to maybe reiterate something I said the last time around, if you’re in IT, a Director of IT, CIO, anything that resembles that type of job function, and you are not involved in cyber liability insurance, seek it out organizationally. You need to be there because someone else is replying,
Jason Pufahl 13:54
Yeah, answering those questions on your back, exactly, yeah. And we’ve seen too much of that too many times, yeah. So well, Steve, thanks. Thanks for joining as always. If you’ve got questions about this, really, Steve is our resident expert. There’s no, there’s no two ways about it, but it’s a space that I’m sure almost everybody’s thinking about or looking at. It’s hugely complex. And you know, we do enough that we can certainly provide answers. So we’re happy to chat about it. Hope you enjoyed this. Hope you got some value, and appreciate you listening. Thanks for listening.
14:24
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant. Stay resilient. This has been CyberSound.