The relationship between cybersecurity and insurance was the topic of discussion at a recent Black Hat “mini summit” held in Las Vegas. Industry experts gathered to explore ways in which the two sectors can collaborate effectively.
The summit addressed various aspects of cyber insurance, including the need for it, how it is assessed, and how Chief Information Security Officers (CISOs) can leverage it. Additionally, discussions focused on the challenges of underwriting cyber insurance in the face of evolving cybersecurity threats and trends, as well as the potential role of the federal government in protecting companies, insurers, and the economy from catastrophic cyberattacks.
One key point of contention was how cyber insurance premiums are calculated and the factors taken into consideration. Advocates for cyber insurance argued that having coverage alleviates the financial concerns of CISOs in the event of an attack. However, experts at the summit emphasized the importance of considering the costs associated with incident response and recovery, such as forensic investigations, downtime, and credit monitoring. They cited the example of a recent ransomware attack on Applied Materials, which reportedly cost the company $250 million.
Catherine Lyle, the head of claims at Coalition, stressed that even lawyers care about a company’s security following a cyberattack or network breach. She highlighted the role of active insurance in helping companies recover from such incidents. Lyle also pointed out that threat actors are becoming increasingly sophisticated, and their knowledge of the English language enables them to target specific folders containing a company’s financial records. This understanding aids them in identifying spending patterns and those with authority to approve financial transactions.
Phishing attacks, ransomware, business email compromise, and funds transfer fraud were identified as the most common types of cyber incidents. Lyle acknowledged that negotiating ransom costs in a ransomware attack presents a challenge, but she emphasized the need to consider the impact of money being sent out during any attack. Additionally, threat actors were found to spend an average of 42 days within a compromised network in 2022, twice as long as the previous year.
Ed Ventham, co-founder of cyber insurance broker Assured, highlighted the significant impact of business email compromise and ransomware on insurance policies. He explained that insurers often inquire about the preventive measures in place to mitigate these specific threats, such as endpoint protection, system monitoring, and prompt patching. However, these measures can vary widely from one customer to another.
Lyle underscored the role of insurance in preventing greater harm and reducing cyber insurance costs. She recommended implementing additional security measures such as multifactor authentication (MFA), conducting incident response rehearsals, and taking advantage of the pre-claim assistance that insurance companies offer.
John Caruthers, executive VP and CISO at Triden Group, emphasized that while the concept of cyber insurance may have seemed unfamiliar in the past, it is now widely understood. He pondered whether cyber insurance is primarily for safety, compliance, or both. Caruthers argued that it should not be viewed as a substitute for a robust cybersecurity program, but rather as a motivation to enhance such programs.
Caruthers likened cyber insurance to the medical and automobile insurance industries, where historical data plays a significant role in determining insurance premiums. In cybersecurity, he explained, a list of minimum requirements for achieving cybersecurity maturity is drawn up, including MFA, incident response plans, backups, software patch management, remote access controls, supply chain management, and awareness training. He also noted that insurers consider end-of-life and unsupported software to be higher risks.
The Black Hat summit provided insights into the ongoing dialogue between the cybersecurity and insurance industries. While challenges remain, the discussions highlighted the potential for collaboration and the role of insurance in mitigating the financial impact of cyber incidents. As cyber threats continue to evolve, finding effective ways to leverage insurance coverage will be critical for organizations seeking comprehensive cybersecurity strategies.