Panelists:
Bob Guilbert (00:00:06): Good morning everybody, and welcome. I’d like to thank you for joining us today on our webinar hosted by Omega Systems. Today’s topic is called Cyber Liability Insurance: What’s Changing and How It Impacts Your Dollars and Cents. My name is Bob Guilbert, and I’ll be the moderator for today’s recorded panel session. And with that, our goal today is to empower you, and to do so, we want to emphasize why we chose this particular topic as an IT consulting firm. Omega Systems actively keeps a pulse on what’s happening with the customers and what they’re facing on a day-to-day basis, especially what impacts the business; notably reputation, security, productivity, finances, growth, and longevity are all points that need to be considered. The cost of insurance, technology and expertise to protect your business continues to spiral upwards for every business, regardless of classification or size. And if your business falls within a regulated industry, you’re subject to various requirements where these regulators take data privacy very seriously.
The trends we are seeing and the stories we are hearing regarding cyber liability insurance and cybersecurity trends are shocking. The list of questions and telling observations led us to just dig deeper. With this thought, this webinar will be a great opportunity to bring together our resource connections to shed some light on this subject. Our expert panelists have great insights into how to control costs, how to mitigate exposure, and how to apply best practices. With that said, I’d like to welcome our three panelists, Meredith Bennett, VP at USLI, James Mignacca, CEO of Cavelo, and Ben Tercha, VP at Omega Systems. At this point, I’d like to give each of them a minute to introduce themselves and tell us a little bit about their company, about themselves, their current role, experience, and then we’ll jump right into the discussion. So with that, I’d like to have Meredith introduce herself.
Meredith Bennett (00:02:13): Thank you so much and thank you Omega Systems for inviting me to be part of this important conversation. My name is Meredith Bennett. I’m the Vice President and National Practice Leader for Technology, Errors and Omissions and Cyber Liability at USLI. If you’re not familiar with USLI, we are an insurance company located in Wayne, Pennsylvania. We have branch offices across the United States and an office in Canada. We specialize in small businesses, and we’ve been writing some type of cyber coverage since 1997. So thank you again for having me.
Guilbert (00:02:51): Wonderful to have you, Meredith. Looking forward to your insights. James, if you can introduce yourself please.
James Mignacca (00:02:56): Thanks, Bob. And I want to thank Omega for having me here today. So I’m the CEO of Cavelo. I have more than 15 years of experience at various different cybersecurity companies, and at Cavelo we focus on data discovery, classification and how to prevent data loss. Thank you.
Guilbert (00:03:20): Thanks James. Excellent, Ben?
Ben Tercha (00:03:22): Good morning, Bob. Thank you for joining. My name is Ben Tercha, Vice President of Operations with Omega Systems. Omega Systems is the leading managed services provider and managed security services provider. Our mission is to bring enterprise-class technology services to small and medium businesses. In my role with Omega, I have the benefit of working with several customers and internal teams to develop and implement new products and service offerings. Our offerings allow our customers to focus on their core business while allowing Omega Systems to handle the information technology and cybersecurity needs and requirements. Thank you everyone for joining, especially James and Meredith. I’m looking forward to our conversation today. It’s top of mind in our office and with our customers every single day.
Guilbert (00:04:05): Thanks a lot, Ben. With that said, attendees could actually submit questions via chat and we’ll try to address them as we go through the webinar here. But what I’d like to do is get the panelists to set the stage for us. So this is a question for all of you. Maybe Meredith you can start. Do you believe organizations can stay under the radar when it comes to cyber threats?
Bennett (00:04:27): Yes and no. I do think that hackers target specific businesses, whether it be government agencies or specific industries. I also think that hackers target low hanging fruit and if you don’t have proper security in place and they can see that you’re an easy target, they’re going to go after you. So the trick is, can you be one step ahead of the hackers? So I think that with proper security and things in place that yes, you possibly can stay ahead of them, but you can’t just set your security and leave it there forever, it’s going to change. It changes rapidly and the hackers are going to be evolving as well.
Guilbert (00:05:20): That makes a lot of sense. James, how about your perspective? Can you stay under the radar?
Mignacca (00:05:25): Sure. My perspective, it’s very hard to, and if you think about five years ago and the types of attacks that we used to see there were very targeted attacks, high profile attacks like Home Depot, Equifax, Marriott, et cetera, et cetera. Now what’s happening is they’re not sophisticated attacks, they’re more cybercrime related and cybercrime is up 6%. And ultimately what’s taking place is everyone’s a target and what they’re doing is they’re casting a wide net amongst everyone, and they’re basically running it like a business. And that net is like their funnel, their sales funnel, to basically go after their victims. The answer is certainly the industry’s changing, but it’s becoming harder to not be a target and certainly SMB and mid enterprise are an absolute target compared to what we used to see five years ago.
Guilbert (00:06:26): Thanks, James. Ben, your thoughts? You’re a technologist working at a technology firm. What’s your perspective?
Tercha (00:06:31): Yeah, I echo what James and Meredith said. You can’t stay under the radar. Everyone is a target to the attackers and to James’ point, they run it like a business, but it’s become a legitimate business model. After organizations are attacked, they pay the ransom. We’ve legitimized that, right? So we’ve also seen kind of the trend that once you’re attacked once, you’re more than likely to be attacked again, or you’re a bigger target because if you’ve been attacked, you pay the ransom. Now you’re known in the community on the dark web essentially that you pay so they will target you more aggressively.
Guilbert (00:07:13): That seems like the beginning of a trend. Any other trends from your perspective that are worth sharing with the audience?
Tercha (00:07:21): That’s the one trend, the repeat attacks. The other trend that we start to see is increased privacy laws. We’re starting to see that get applied. PA is working on its privacy laws. Then also from a threat and protection perspective, it’s a leap-frogging. The attackers do one thing and then from a protection mechanism we do another. And then it just continues on and on. It’s been like that for 15 years. I don’t see that changing.
Guilbert (00:07:52): Thank you. James, what do you see in that space?
Mignacca (00:07:58): Yeah, certainly. I’ll talk about the trends in a second, but I believe we’re going through this technology shift and it’s because companies are adopting the cloud. I’ve talked to large banks that are going to the cloud and they don’t just go to one cloud provider, so it’s between five and 30. So your data is just inherently distributed, and this digital transformation, companies that weren’t digital before are now because of covid and this distributed work model. So I would argue we were headed there anyways, but we used to sell cybersecurity 10 years ago and talk about the perimeter, and you used to keep all your data that you cared about inside the perimeter. Well now people are working from home, they’re working from their home offices or their motels and hotels and coffee shops, whatever it might be. And there’s a lack of perimeter that’s taking place.
And so arguably you have to look at the problem in a different way to solve it because your data is everywhere. And if you think about now, with other trends that we’re seeing, they’re not sophisticated types of attacks that are taking place. And I’ll just name one that we are seeing a lot of: it’s the naming and shaming. So first off, they go out and they get ransomware that’s highly available on the dark web that they pay for. So you don’t have to be a really technical person to be able to do these types of attacks. And then they’re getting data, they’re exfiltrating it, and they’re threatening to put it on the dark web if you don’t pay. And so that’s kind of the trend that we are starting to see taking place today.
Guilbert (00:09:40): More devious, more ways to extract that pound if it’s working.
Mignacca (00:09:45): And it’s working, just working.
Guilbert (00:09:47): How about yourself, Meredith? What are you seeing from a trends perspective? Obviously from the insurance side, there’s got to be obvious ones there too.
Bennett (00:09:54): Definitely ransomware. That’s not going away, and that’s been getting more sophisticated, as James and Ben have said, over the past years. So we’re seeing more claims in ransomware. We’re seeing more claims in social engineering fraud and invoice manipulation fraud. You’re tricked into sending payments to someone that is not the person that you think you’re sending it to. So that still continues to be a steady type of claim that we’re seeing, which I would say is a trend.
Guilbert (00:10:31): Do you have a view on how you think things are going to change, for better or for worse, in this space of data protection and classification over the next three years?
Bennett (00:10:40): Well, I think we’re already starting to see a shift, right? And that’s one of the reasons for this conversation, is that cyber insurance is starting to become more strict with the security measures that they’re requiring of the policy holders, and it’s starting to become more expensive. And I don’t think that that’s going away anytime soon. I think that we’re going to see that trend continue until things start to stabilize a bit. If you think about insurance, fire insurance for a building has been around for hundreds of years. Cyber insurance is very, very new. And how a carrier determines their rates is based on their historic data. We don’t have a lot of history to go on, and that’s not just USLI, I’m talking industry wide. This is new. And so what rate was the correct rate 20 years ago? That’s when we had zero history. Now we have 10, 20 years of history depending on when the carrier entered the marketplace.
That’s still really new from a perspective of coming up with the correct rates and the histories and the trends. So the ransomware attacks have increased because the social engineering has increased. Ransomware is also leading to large business interruption claims. So maybe you don’t pay the ransom, but your business is still not able to function because the ransomware is in your system and it takes time to get back up and running. So because of all those types of claims that are trending, that’s why you’re seeing premiums increase, and I don’t think that’s going to go away next year. I think you’re going to continue to see that for the next few years.
Guilbert (00:12:25): It’s being targeted. It’s a big business in fact, so it makes sense that that’s going to continue evolving over the next several years until you get a baseline of data to know where it’s going. How about you, James, from that perspective, in terms of whether you think it’s going to get better or worse relative to data classification? What’s your sense there?
Mignacca (00:12:41): Well, first off, let me echo what Meredith said. I absolutely agree. I think I would argue they’re raising the bar. And what’s raising the bar is also compliance and regulation. GDPR was a vehicle for change. Companies are absolutely now doing something about it, but what’s interesting is they’re really just enforcing that best practice, right? The preventative type of risk work that you should be doing. And when it comes to the sensitive data, what I always tell our clients is you can’t look at your data as one dimension anymore. You have to classify it because arguably data is not the same for each individual company, whether or not it’s the personally identifiable information that compliance is pushing, like driver’s licenses, credit cards and passports, and in some cases what we find, and this is part of compliance as well, the client has to define what sensitive data is important to them, whether it’s their intellectual property and their trade secrets and things like that.
And ultimately what we find is data is absolutely everywhere and no one has a good handle on where their data is. We have one client where we were doing a data management exercise of discovering all their data, and the CTO thought they had a good understanding of where their data was, and arguably yes, but it was actually a human error where one of their legal staff ended up putting an audit file in a personal Dropbox by mistake. And so 85% of breaches happen through human error. So she didn’t intentionally do that. It was an absolute mistake. But think about that risk and the potential breach that could take place where it’s not encrypted, there are weak passwords, et cetera, et cetera, and it’s got all your client information. So ultimately knowing where your data is is important in how you protect it.
Guilbert (00:14:49): Proliferation of the data, where it is, what the data is, all facets that need to be considered. We received a question that came in from the chat, and it’s one regarding that: “my premiums have gone from 7,000 to 30,000 a year because we didn’t have MFA or EDR or any type of managed security service, which is a major increase.” What are you seeing as what is driving these unexpected renewal increases? What’s the reason behind that?
Tercha (00:15:18): A lack of protection in the customer’s environment is the big one, right? So Meredith, I’m sure, can attest to this, and James said it: the bar has been raised higher. Years ago when we had customers who had to fill out the cyber insurance questionnaire, it was: do you have a firewall? Great, policy issued. We’ll talk to you again next year. And yeah, I can see Meredith laughing. It’s not that way anymore. So do you have EDR? Do you have MFA? Where do you have MFA? And at least the ones I’ve seen a lot have been, do you have MFA for email? Do you have it on remote access? Do you have it for privileged access? So the bar has been raised, there are tighter constraints on what the issuers are requiring before they’ll bind coverage. And by not having those technical and security controls, the premium goes up or they aren’t issued coverage at all.
Guilbert (00:16:19): So it kind of leads to the types of claims that are being submitted to the insurance company. So Meredith, what’s your view on the types of claims that you’re seeing across the board?
Bennett (00:16:32): Definitely ransomware. James and Ben both kind of touched on something that I think it all comes down to: human error. I just want to repeat that. Ransomware, a lot of the time, the way that it gets in is somebody clicks on a link that they’re not supposed to and they enter their credentials, or they just click on a link, right? So that’s human error, if you think about it. Are you properly training your employees? Are you creating a culture of security awareness?
We had a claim where a doctor’s office, this was several years back, was in the process of putting all of their paper records into electronic files, left all of the paper records just by the trash can, and the janitor took all those paper records and threw them in the trash can. One of the neighbors saw all of these files, these paper medical records, in the trash can. And rather than call the doctor, they called the news station. Your cyber policy can cover paper records. So people don’t usually realize that. But again, human error, simple mistakes. So that’s definitely trending.
Ransomware, we’re seeing a lot of claims, and as I mentioned before, business interruption. A lot of the time we’re paying more for business interruption than we’re paying for the actual ransom. And then just the social engineering fraud, which goes back to human error again: you didn’t call to make sure that was really him that was requesting the money to be sent. You just trusted that it was an email from him and you wired it out.
Guilbert (00:18:32): I have a follow-up question to the different types of claims. It was submitted by an individual here attending the session, and they noted that “in my experience, cyber liability insurance claims often don’t get paid out because of some reason,” which is the question: is that true or false? And then how can it be prevented?
Bennett (00:18:57): I’m sorry that that’s the experience that the question asker has had because of X. It could be several different reasons as to why that cyber policy didn’t respond. The biggest reason would be it’s excluded; if it’s not covered, it’s excluded. So where is your cyber coverage residing? Is it a small endorsement on your BOP? That’s probably not going to have very much coverage on it. Do you have a standalone cyber policy? What exclusions are on there? Maybe it wasn’t covered because it fell under your deductible. So if you have a $50,000 deductible and the claim was only $25,000, that’s not going to be covered, right? Because it’s under your deductible.
So how do you avoid that? I would say it’s really important to have that open conversation with your broker, whoever is selling you the cyber insurance. Sit down with them, meet with them, tell them your concerns: I want to make sure that I’m protected for this type of scenario, this type of scenario, this type of scenario. Often I get questions from brokers asking if that’s covered and I’ll respond. It’s usually a hypothetical, it’s not really a claim, they just want to make sure that they have this type of coverage. It could be a coverage that the carrier doesn’t offer, in which case maybe ask your broker to go look at a different carrier. It could be, if you’ve had the same carrier for 10 years, a new coverage that wasn’t offered 10 years ago and now it is. So make sure that when your renewal comes up that you’re again having that conversation with your broker to say, are there any additional coverages that are available on this policy? And again, reiterate your concerns as to what you want to make sure is covered. Ten years ago, I would say the major concern for a lot of people was, are payment card industry fines and penalties covered if I have a lot of credit cards breached? There wasn’t that much talk of social engineering fraud. And so if nothing’s changed in your policy in the last 10 years, the carrier may not have added those additional coverages, which will cost you more too. So the more coverage that the carrier’s going to provide, the more expensive it’s going to be. So that’s something to keep in mind as well.
Guilbert (00:21:33): Got it. So it couldn’t be prevented entirely, potentially, but it requires a good dialogue with your broker. I’m going to run this towards James, and this is really about the data. Obviously, people are important, understanding and being trained of course, but a lot of it comes down to the data. So I want you to speak to why it is important to understand the value of your data and why you should actually classify it. Why do you need to do this?
Mignacca (00:22:01): Sure. Thanks Bob. So what we see out there is there’s a lot of data, and you have to look at things not in a one dimensional way; you actually have to classify, because in a lot of cases, and it’s different for every company, certain types of data might be more important. And quite frankly, you might do something different to protect it. So it’s not a linear model anymore. You have to look at it in such a way that maybe it’s the credit card information that you absolutely don’t want to have breached, or your employee information that you don’t want breached. In some cases it’s trade secrets, and because there are limited resources and budget, you can’t look at things across the board in the same way. You have to classify. Not only is that a regulation and compliance mandate, but it’s just best practice.
And when it comes to your cost of breach, there’s no one way to do it. But what we do is we work with our clients to walk through an exercise of figuring out what’s important. First off, understanding what data they have, where it is and what’s important to them, and walking through what happens if this type of data gets breached. You don’t hear about organizations in the media when there’s a breach and data does not get exfiltrated. It’s only when data gets exfiltrated. And so ultimately, yes, there are ways you can do it. You can look at the IBM calculator, which I believe is about $150 per record for credit cards, passports and things like that, but it is an exercise that each organization needs to walk through. And really, when tying that into cybersecurity insurance, how do you know what your policy coverage should be when you don’t know what your potential internal liability is if a breach takes place, right? So you might actually be overpaying for your insurance policy because you quite frankly don’t need it to be whatever it’s set to, because your potential cost of breach is lower. And so it’s just best practice to walk through and figure out what your potential cost of breach is, understanding where your data is and being able to quantify that.
Guilbert (00:24:22): The why is clear, in terms of why it should be classified. Do you have a sense of where this data resides and where it’s usually discovered? And as a side question, how often should you be looking for this PII data?
Mignacca (00:24:39): So ultimately, more or less, we do an exercise and we walk through, based off of a point in time, where your data is. And quite frankly, when we first do that exercise, data is everywhere, and we warn our clients that’s very normal. But you have to walk through a data management exercise and say, okay, this type of data should be here but not over here. And a lot of times it’s very role-based, like finance data should be accessed by finance and they should have the data, but maybe it shouldn’t be in engineering’s hands. At the end of the day, it changes on a daily basis. There’s so much data out there, you have to be able to understand where your data is in near real time. So daily, in a perfect world, if you could do it daily, yes, that’s the timeframe, that’s the cadence for being able to know where your data is.
Guilbert (00:25:36): Great, change of data is always happening in real time. So that makes a lot of sense. So I know people on the phone probably are either using a form of public cloud or private cloud. So I’d like Ben’s perspective: is either of those implementations more susceptible to a cyber breach in some way?
Tercha (00:25:54): Yes and no, right? So it depends. When you look at public cloud out of the box, yes, it is more susceptible, and that’s because it takes more controls, more time to get it secured. So let’s take Office 365 as an example. You can go on, create an account, Bob, you can set up your email account there, set a password and begin using it right away. Nothing’s going to stop you from not implementing any security. But what people don’t realize is that the Office 365 login portal is exposed to the entire globe. Anyone could try to attempt to log in as you; they can sit there and guess and brute force a username and password combination. They have your email address. So that’s the first part. Second part is the password. They can brute force that account all day long and you’d never even know it unless you pay for the additional subscription options to get insight into that data.
You pay for the additional subscription options that allow you to implement Office 365’s conditional access that says, my account can only be logged into from the United States or only from these IP addresses. So your public cloud deployments out of the box require more implementation, more time to make them more secure. Conversely, on the private cloud at least, and I can speak from our examples, we go the opposite way, right? It’s secure out of the gate. We’re only allowing inbound access from the United States. We run multiple layers of IPS. We recommend, and we sell to our customers, a SIEM platform. That way we have that login event data, we have that insight and are able to perform analytics against where these attempts are coming from and be able to respond to it. So the answer in technology is always, it depends, right? But your public cloud implementations can be made equally or sometimes more secure than private cloud. It just depends how far you take that implementation and your willingness to invest the time and money into it.
Guilbert (00:27:52): That makes perfect sense. I think it’s just important because I’m sure a number of people on the phone here are using one or the other. So it’s a good insight for them to have that perspective and to make sure that they have asked their MSP, or if they’re going directly to a public cloud provider, whether they’ve got the right implementations in place. I want to continue moving along in terms of some of the topical areas. And I want to ask James and Meredith, relative to insurers basically asking buyers what kind of insurance they need based on their level of exposure, how data discovery and classification can help scope and benchmark this exposure. Can you guys comment on that perspective? Maybe James, you can start.
Mignacca (00:28:34): Sure. So let me start off by saying something. I recently had a conversation with one of our clients about this. I think cybersecurity is relatively new for everyone, and so is cybersecurity insurance. And I think some clientele opted to do cybersecurity insurance without doing the preventative type of risk benchmarks that they should be doing. And so ultimately what they’re saying is, I’m just going to go get the insurance for if something happens, and then now something’s happening and there’s a breach and there’s a renewal and their fees are going up, et cetera, et cetera. Ultimately, whether or not it’s cybersecurity insurance or compliance and regulation, there are certain best practices that we all should be doing. And what we see is that’s not happening.
So I like to use the analogy, think about it like a house. A lot of folks tend to want to go get the alarm system for the house, but they haven’t done the best practices of making sure that the doors and the windows are secure and making sure that that’s an ongoing type of task. And so what we’re seeing is absolutely, upon renewals, the insurance companies and compliance are coming out and they’re just asking for what’s the best practice, and there’s no one model. There are all these different regulations and compliance regimes. It is ultimately, what are you doing to prevent breaches? And because it’s such a broad statement, folks really struggle to be able to provide any type of collateral. And it comes down to what we would call CIS benchmarks. How do you harden your endpoints, whether or not it’s vulnerabilities; we still hear about vulnerabilities and breaches related to that. Again, knowing where your data is and being able to quantify it, because if you can’t internally quantify it, how do you know what your potential risk exposure is? And insurance companies are now starting to ask those questions, those best practice questions. So it’s all kind of lining up to: we need to take a step back. Everyone needs to take a step back and look at, are we doing the best practices when it comes to passwords and benchmarks, patching and things like that.
Bennett (00:31:04): And when you’re applying for, sorry, Bob, when you’re applying for insurance, a lot of those best practices are going to be on the insurance application. So I would say too, if you’re answering something no, tell the carrier why you’re answering no. Don’t just leave it no and not explain. So you may not have something in place that the carrier thinks is a best practice, but you may have something better in place. So let the carrier know that. And when it comes to the data, we do want to know how much data you have and where it resides. And the reason we want to know that is because what we’re getting to the heart of is how many people are we going to have to notify if you have a breach of all of the personally identifiable information that you have. So if you don’t have a handle on that, then that’s harder for us to come up with the correct rate for you. We want to know how many people we’re going to have to notify, which would also lead to how many people we are going to have to provide credit monitoring for. And if you don’t have a good idea of where all of your data resides, that automatically translates to increased forensics costs. I can tell you already that the forensics investigators cost more than the lawyers. So the longer it’s going to take for forensics to figure out what was taken, the higher that cost of the breach will start out at and continue to be.
Guilbert (00:32:34): So obviously the questions are getting much longer on the application forms. You just noted a couple; can you shed more light on why this is happening? What’s the depth behind it?
Bennett (00:32:46): It’s because of the claims that the carriers are experiencing. Ben had said previously we would just say, do you have antivirus and a firewall? Great. We weren’t asking how your firewall was configured. We would just say, hey, you have it. Now that we have some claims under our history, we are understanding how these claims are happening. And two factor is huge. We want to know if you’re using it and where you’re using it, because that seems to be a great tool to help stop a lot of these breaches.
Guilbert (00:33:25): Is that a requirement, from your perspective?
Bennett (00:33:30): It’s a requirement for many carriers depending on the class of business. So it’s going to vary carrier to carrier. I definitely think it’s a best practice, absolutely. And the carriers are going to be looking at that.
Guilbert (00:33:46): Got it. So I would think that there are a number of regulatory bodies or type of frameworks that firms should follow. I’m wondering, Ben, if you have any perspective on what they might be and what the organizations are?
Tercha (00:33:59): Yeah, NIST is a great framework to follow. The CIS Benchmarks from the Center for Internet Security, from a hardening perspective, are also a great framework to follow. We have a lot of customers who use that, and that’s kind of what we use internally as our hardening baselines for our server, networking and workstation hardening policies that we apply to our corporate environment and recommend to our customers.
Guilbert (00:34:22): Makes a lot of sense. Meredith, back to you. Obviously there are a lot of different coverages that I can choose, but what are the ones that I should be choosing to have on my cyber insurance policy? This is a lingering question we’ve been looking at.
Bennett (00:34:39): A loaded question for a carrier: you need all the coverages. It really depends on what you’re doing, right? So back to the data too. The carriers also want to know what type of data you may have access to. So maybe you’re not holding it, but maybe you’re walking into somebody’s office and you’ll have access to the entire hospital’s data. So we take that into account as well. So maybe you’re a consultant and you have a high cyber exposure because you are walking into a hospital and working on their system or something, but you’re not taking credit cards. So do you really need payment card industry fines and penalties? So that’s a question to discuss with your broker. But network security and privacy liability, that’s your basic cyber liability. You’ll also see that required in a lot of contracts.
Regulatory action, huge. So there’s regulatory agencies that can bring a claim against you. Is it that they’re coming after you because of a data breach or are they doing an investigation because you’re being accused of violating a privacy law? So there’s different ways that regulatory action can trigger. And depending on what you’re concerned about, you want to make sure that your policy has the right wording for regulatory action because sometimes it will only stem from if you had an actual data breach, not just a violation of a privacy law.
And then all of your first party expenses. So that’s when you have an incident occur, everything that goes into that incident. So we call those first party expenses, it’s usually going to start out with the IT forensics to figure out what happened, how they got in, what did they have access to while they were in there, are they still in? How do we get them out? And the breach coach, based on what the forensics team finds, they’ll communicate that with the lawyer and based on the state laws, that’s what tells us if we need to notify the people affected in those states or not.
Ransomware is the biggest coverage that we’ve probably mentioned so far in this webinar. Ransomware will fall under the insuring agreement usually entitled cyber extortion, and that would pay the ransom if that is what needs to happen. It also pays for a negotiator to negotiate with the hackers and usually a reward as well if those hackers are brought to justice.
Business interruption, big one because that’s going to be more costly most likely than the ransomware claim, cost to restore your data. And then there’s a lot of these other coverages, the social engineering, fraud, wire transfer fraud, invoice manipulation. These are all things that if you lose money. So those are coverages to look for if that’s a concern of yours.
Telecom fraud and utility fraud, those are coverages. If the hackers basically get into your system and either increase your utility bill astronomically, probably because they’re trying to use your systems to mine Bitcoin, or if they’re making all kinds of crazy phone calls and they increase your telephone bill, we’ve seen that the telephone companies usually try and work with the people who were affected. And usually they’ll say, okay, your telephone bill is $60,000. It’s usually only three grand. We’ll waive 30 grand, but you’re still on the hook for that other 30 grand. So if that’s something that you’re concerned with, do you have insurance that would cover that? That would fall under telecommunication fraud.
Guilbert (00:38:30): Thank you. That’s very comprehensive. Lots of coverage options of course. And I want to understand, and maybe this is for James and Meredith real quick, what kind of data reports do you need as an insurer when building these policies? And the second part of that is for James to basically say what type of reports can be generated through tools like yours? So why don’t you go first, Meredith.
Bennett (00:38:53): So we typically rely heavily on the application. Carriers that are writing much larger businesses may require different types of information, but we really just require, we look at the application, we don’t want to be taking too much. We don’t want any PII, right? Because then that puts us at a cyber risk. So we rely heavily on the application. But I did ask for something, I’m sure James could help with supplying us with something.
Mignacca (00:39:30): Thanks, Meredith. So that was great. I think first off, there’s no right or wrong way other than the fact that what we find is it really shouldn’t be a point in time. And so what we find is folks tend to do some type of an activity to put together a best practice report, a risk analysis report just before the renewal. And it’s really what we know is breaches happen on an ongoing basis. Data is a moving target. And so it’s important to build this into your operations on an ongoing basis. And so what we do is we start with the inventory and asset discovery and it really just starts with, okay, regulation and compliance have come out and said you need to know where your inventory is or your data and your assets, and then you need to do the classification with that and that checks the box.
But from an operational perspective, you need to know where your data is in order to protect it. We’ve had some cases where data was found somewhere where the organization had no idea it would ever reach that cloud computing, that cloud service that sometimes organizations don’t even know they have it. And in that case, they’re not looking at that on an ongoing basis in order to protect that data. And then just as important being able to track that data and know where it should be and where it shouldn’t be, and having that best practice ingrained in your organization. And then obviously doing the reports from an organization standpoint, and this is something that we see our clients, they do it on a quarterly basis, even if it’s not a compliance need, it’s a board need. It’s a fiduciary duty piece that if you can be proactive, and I think that’s the big word here is being proactive and show that you’re doing something you’re trying to lower your threat landscape is absolutely critical.
It doesn’t matter the format of the report, quite frankly. It’s just people, folks want to know that you’re trying to do something versus doing nothing or trying to do something only because there’s some type of event that’s taking place. And then that’s what we call the data loss prevention piece. And I talked about it earlier, which is that what’s the low hanging fruit in order to prevent data loss? And again, it’s like everyone tends to go to getting new firewalls and whether or not it’s MDR and that’s like the alarm system, but they just tend not to do the best practices that quite frankly we hear about in the news all the time where there’s vulnerabilities that allow these breaches to take place.
Guilbert (00:42:31): It makes sense when you start thinking about the fact that there’s the people aspect, there’s the technology, there’s the tools, there’s the insurance, and we talked about opening up this seminar talking about dollars and cents. So I want to cover spend quickly in the context of insurance spend. So a two-phase question for you, Meredith. How are cyber insurance premiums calculated? And secondly, a softball question, what limit is the right limit?
Bennett (00:42:59): So insurance premiums are calculated based on the data that our actuarial team compiles and analyzes. And again, it’s a lot of historical data. Sometimes it can depend on the state that you’re in, what’s trending in that state, how they look at it. It could be your class of business, perhaps the insurance carrier is experiencing a lot of claims activity with tax preparers or lots of claims activity with a different type of class of business. So that may get a higher rate than a lower class of business. State definitely factors into it. Your deductible will typically lower the premium a bit. Your limits are definitely going to increase your premiums. So there’s a lot of different factors that can go into it based on what security measures you have in place based on that application, whatever else you share with the carrier, that will determine if maybe we have the ability to provide some credits to that account because you have excellent security in place.
And so we will credit the account sometimes if small business, it may just be minimum premium that we can’t go any lower because we’ve set a minimum premium already. So there’s a lot of different factors that are involved. And what limit is the right limit? That’s a tricky question. It goes back to what James had said earlier, understanding your data, it is huge because then that really helps to put it into context of what you’re at risk of losing. Sometimes it’s for a contract, you may think that you only need a million dollars worth of cyber insurance, but you may have a contract that says no, you have to have 5 million limits. I’ve been seeing a lot of requests recently for 10 million limits. And we’re talking about businesses that maybe make $250,000 a year and they want $10 million limits of insurance. It doesn’t really seem to go with the exposure and sometimes they’re able to talk those contracts down. That’s important to understand as well. If you’re a small business that’s joining us, sometimes these big companies have standard contracts and they just give that out to everyone. But if you go back to them and be like, are you sure that I really need to have $10 million of this particular type of coverage, they will sometimes work with you.
And then it also comes down to how are you going to be exposed, what’s the breach going to be? What are you worried about? What is going to be your worst day?
Guilbert (00:45:47): Right? Is it a guarantee that if you have a breach that the premium is going to go up?
Bennett (00:45:53): Typically if you have a claim, and this I think is across the board for most insurance, not just cyber insurance. If you have claims activity, your premium will increase. It depends on, sometimes it’s the carrier’s discretion, sometimes it’s written in their guidelines. If your claim exceeds X amount of dollars, they have to debit you 10% or 15%. So it can vary depending on the carrier and if it’s filed with the state or not. But typically if you experience a breach, the carrier will most likely debit your renewal the next year. It’s possible they may non-renew you. The cyber market is very volatile right now, and I’ve seen carriers non-renew for some claim activity. I can tell you one thing that we ask when we’ve had any type of claim when it comes up for renewal, we want to know what have you done since you’ve had that claim to prevent another claim of this nature? If the answer’s nothing, that’s not really a great answer in my opinion. I’ve done nothing. Well, it depends on what the claim was. Maybe it really wasn’t your fault, it was a hurricane or whatever. But if it was something that maybe it was an error or a breach, what have you done to prevent that type of claim from happening again? That’ll go a long way with the carrier.
Guilbert (00:47:24): That makes sense. While we’re talking about expense, Ben, from your perspective, how is it to implement, I’ll say strong cyber defense.
Tercha (00:47:33): Well, it’s going to depend, to what we talked about earlier in our conversation. To James’s point, your data used to be in one perimeter. Now it’s all over the place. It could be in the cloud, could be on-prem, could be on mobile laptops that travel all over the US or the globe. But generally speaking, your prevention is cheaper than what it costs to recover from that type of breach, lost data or anything like that. The saying is, an ounce of prevention is worth a pound of cure. And what we’re seeing, we’re doing a lot of security assessments right now for many different companies and we created a baseline matrix that says, from a cybersecurity practice perspective, you need to have these 15 things, right? And it’s SIEM, it’s EDR, it’s the slide on the screen here. Security awareness training is key.
We went through this with one customer and they wanted us to change the matrix based upon the size of their business. And unfortunately it just doesn’t work that way. This is something everyone needs to have, and it’s not us saying we are the authority. These are our recommendations to all our customers because we see what’s happening if you don’t have these precautions, these protections in your environment. And what we’re also seeing from the cybersecurity provider perspective, right? The insurance providers are now starting here at this level and they’re going to continue to ramp it up. So let’s get these protections in place. So you’re prepared this year, but also for future years, future renewals.
Guilbert (00:49:08): So significant proactive approaches to cyber and having a good hygiene in the cyber space. But okay, here’s the obvious question. If a breach occurred, what steps should you be taking and should the ransomware ever be paid? Now I’ll leave the ransomware ever paid for Meredith, but what steps should you do from your perspective then?
Tercha (00:49:30): First step would be to reach out to your IT provider at the same time as calling your insurance carrier, your policy holder. Because usually, Meredith kind of mentioned it early on when she was going through her points, there’s usually a breach coach there who will coach the customer through the process. What happened, when did it happen, what did they have access to? And then we work side by side with them, and we just dealt with this with a customer. A few weeks ago their mail was breached in Office 365. They didn’t know what data was in that mailbox, what they had access to. So we help from the forensic perspective: what did they have access to, what potentially could they have seen or gained? And then we worked hand in hand with their legal counsel and the insurance provider to finalize the report and then subsequently bring that matter to a close. But usually your first call should be to your IT support or cybersecurity vendor to help stop that breach. The proper people are trained not to delete anything and to preserve those logs so we can do a forensic investigation. But at the same time, then call your policy holder, your insurance agent, whatever you want to call it, because most policies will have a coach, who is really an attorney, who will help guide you through this process.
Guilbert (00:50:51): Through the steps. And Meredith, should the ransomware always be paid?
Bennett (00:50:56): Sometimes. Sometimes we do pay it, but I would say please, to just really echo what Ben said, please contact your insurance carrier. It does go back to a question that was asked previously, like, oh, in my experience, cyber policies don’t cover what I want them to cover. It’s really important to understand what the wording is in the contract that you have and discuss that with your broker. Some insurance carriers don’t allow you to incur any expenses, and they won’t reimburse you for any expenses that you incur prior to contacting them and prior to getting their approval. So anybody that you go out and hire on your own before you get approval from the insurance company, there’s a possibility that that might not be covered. Does the insurance company want to pay on your behalf or do they choose to be reimbursed? That’s a good thing to understand when you’re calling Ben and Omega Systems to do those forensics for you. Do you need to pay Ben directly or is the insurance company just going to pay on your behalf?
So really important to understand how your policy does work. If you have a breach and nine months later go to the insurance company, be like, oh yeah, by the way, we had this breach and this is everything we did. Here’s all my bills, please reimburse me. That might not be covered because we didn’t let them know until nine months later. So that kind of goes back to that other question. I forgot to mention that occasionally we do pay the ransomware. We do need to worry about if it’s a country that we’re not allowed to do business with. So it comes under the OFAC sanctions. So typically you’re going to have an exclusion for that, that we will not pay those countries that fall under that sanction. We try not to pay if we can restore the data, if we can get you back up and running, whatever is going to make the insured whole the fastest is really our goal. We want to get you back up and running as fast as possible. And unfortunately, sometimes that does mean paying the ransom. We’ll see if that changes with legislation, but it’s definitely not something that we want to do. And I know the FBI, if you ask the FBI should you pay the ransom, they’re going to tell you no every single time.
Guilbert (00:53:28): You touched on the point in terms of being able to recover data and basically resuming business operations. So I’m going to ask Ben, from your perspective, what are the best practices people can take? Kind of three dimensional on the technology front, any processes or what people should be doing from an organization perspective, because getting the business back up and operational is paramount. Getting the data available is paramount. So I’d love your perspective.
Tercha (00:53:54): Yeah, it’s defense in depth. So we talked about it early on, and this is the human error. 85% of breaches are caused by humans in some way, shape or form, whether it’s a misconfiguration or clicking on the wrong link. So that’s kind of, some people call that the last resort. So we’ll start there and work our way up. So your end users’ security-oriented training is key. They are sometimes the biggest risk, but they can also be the human firewall. So we sell and we utilize a product that has a training module. One of the modules is being the human firewall: how to spot those fake links, how to make sure that the site you’re going to or what you’re instructed to go to is actually legitimate. We had a situation yesterday where our HR person got a phone call for a background, kind of a reference check for a previous employee, and he was instructed to go to a website and download this file and put a password in to open it.
I’m like, no, this seems very odd right now. It ended up being a completely legitimate request, but it’s things like that that, if we didn’t stop and look at and analyze what we’re being asked to do here, it could have been kind of a disastrous situation. From there, kind of moving forward into the infrastructure side, a very strong firewall that’s managed by professionals. Firewalls aren’t set and forget anymore. That’s going to stop attackers from getting in, but also threats from going outbound. So if you do click on that link that takes you to a website or domain that was newly registered, your firewall more than likely will stop that outgoing connection request that would subsequently encrypt your data. And then lastly, if there is a breach and there is an event, having a solid backup and having a solid SIEM tool to be able to discover how that occurred, what happened, getting those logs out of the system.
Because what we see is when an attacker does get into the network, usually the first couple days they’re just looking, they’re monitoring, they’re assessing, they’re figuring out their attack plan, and then they execute. Usually it’s two, three o’clock in the morning. They’re very intelligent where they’ll time it to your time zone, right? So they’ll know, all right, there’s no one on the network at this time. This is when I’m going to launch my attack. And usually that’s going after backups. If they can identify the backup system, they will wipe it. So make sure you have a backup system that has immutable backups that can’t be accessed without any type of MFA code, backups that are replicated offsite. So if it does happen, you have another copy offsite. They wipe the system logs, so you don’t know how they got in. You don’t know what they did.
Did they get in through Exchange? Did they get in through RDP? Was it an email? Right? You don’t know. And that’s key for a forensic investigation as well too. So it’s very important you have a tool that can aggregate and store all of your event logs off network, off of that environment that would’ve been impacted. Those are just kind of the high level things that we kind of worked into our matrix for our customers and said, when we talk to customers about securing their environment, here are the things that you must have and here’s why. Here’s why they’re important, not only for the prevention and detection, but also for the restoration should the event happen.
Guilbert (00:57:06): It probably starts a lot with the people too, right? Clicking on those bad links. So in short, training is an important aspect.
Tercha (00:57:12): We’ve seen them both ways, but the trend has been really end user driven, right? It’s end users clicking on a link, to Meredith’s point. They go to a fake Office 365 portal, and these guys are good, the attackers are good. They make it look exactly like Microsoft. They could use a domain that you would think is Microsoft, but it’s not. And you put your credentials in. It doesn’t work one, two times and you’re like, I just must be typing wrong, and close it out. But you’ve now given them a username, an email address or a password, which they can then use to log into your account, sometimes unbeknownst to you, behind the scenes, and start using your account to initiate those fraudulent wire transfers, those fraudulent payment requests. So they’re crafty, and some of these attacks are targeted. They will target key individuals. They aren’t interested in the guy running the machine in the shop. They’re interested in the controller, the CFO, the CEO, people like that who are in a position of power, who would normally potentially authorize those types of requests. Those are the people that are being targeted in these spear phishing attacks that we see.
Guilbert (00:58:18): Thank you, Ben. I’m conscious of the time here. We’re coming up to the hour. I’m going to leave each of the panelists just 30 seconds to give their parting thoughts, wisdoms for this audience here, and we’ll wrap it up. So Meredith, why don’t you start?
Bennett (00:58:34): Your broker is your friend. Have a really solid conversation with them about what you’re concerned with, what coverage you have, ask them to shop the account if you think that’s what needs to be done. There are several carriers out there that offer all the cyber coverages that I mentioned. So just make your broker your friend and train your employees. Cybersecurity awareness training is key.
Guilbert (00:59:02): Thank you. James?
Mignacca (00:59:05): So data is what the bad actors want, so you need to know where your data is in order to protect it. And just as important, do the best practices that are in compliance and regulation to harden your network and your organization. Ensure that you can deter those types of breaches from taking place in the first place.
Guilbert (00:59:28): Thank you, James. Ben?
Tercha (00:59:29): Defense in depth. Make your environment harder to get into. We’ve seen attackers will generally move on to easier or softer targets, right? If you have multiple areas of protection, MFA, these guys are going to just give up and move on to someone easier to penetrate, easier to breach, because they know they’re out there.
Guilbert (00:59:49): Appreciate the insight. Panelists, I appreciate your commentary, your insights on this part of the business. I want to thank everyone for their time, the panelists as well as the participants. As a participant, you’ll receive a short survey. We would love to get your feedback. This is a series, so we’ll be doing a number of these thought leadership webinars going forward. We’ll also answer a number of questions that were submitted in a document that you’ll be receiving, and keep your eye open for the next webinar that we are doing, what to do after a breach. We thank you for your time today. Hope you have a wonderful day.
Without proactive, ongoing cybersecurity measures in place, it is only a matter of time before your business falls victim to a damaging cyberattack. And unfortunately, your insurance coverage will not save your business from certain financial losses and reputational damage if you cannot prove the existence of adequate preventive and responsive security strategies.
If you’re looking to bolster your security program to aid in your cyber insurance process, contact our security experts at Omega to get started.