Cyber insurance rates rose drastically in 2021, driven by the spike in the frequency and payouts of ransomware claims. Many insurers tightened coverage terms and conditions while raising premiums by an average of 130% in the US in Q4 (Marsh).
To assess the trends and prepare for upcoming renewals, Enabling hosted a webinar with:
- Melissa Ventrone, Lead Attorney of Clark Hill’s Cybersecurity, Data Protection, & Privacy Practice
- Doug Schulkin, Technology & Cyber Executive at Travelers
- Bill Smith, CIO Emeritus of JMT Engineering and current Advisor at Enabling
The riveting discussion provided several key takeaways, captured here. Below you can see the full transcript from the recording, with questions from the audience and key points from the panelists in bold. Enjoy!
Legal and Insurance
- Cyber insurance carriers expect customers to have Multifactor Authentication. While it’s easy to check the MFA box, it’s not trivial to extend to all services and identities. Other emerging expectations include cybersecurity training and SSO.
- If someone answered the cyber questionnaire untruthfully or incorrectly, and a breach occurred related to how they answered, they would not be covered. Take that application very seriously.
- Insurance carriers do not expect that every box is checked. Every organization has different risks.
- Make sure your cyber insurance has a provision or (optional) rider for business interruption insurance, to cover you when one of the companies you rely on gets electronically disrupted.
- Conduct risk assessments with business leaders on all systems and services to define RTO/RPO.
- Eliminate unnecessary data. Keep a backup of a small subset to quickly restore business. Set expectations to management that it could take weeks to fully restore terabytes of data.
- Exercise your incident response plan every six months. Conduct a third party audit every year.
- Stress test vendors every year and understand their responsibilities and yours. Their involvement could arise in breach litigation.
- Spend lots of time on roles and responsibilities: who is going to say what, and who is not to speak at all.
Mitigating and Responding
- If you have a plan, run the plan (which should be printed in a binder).
- Disconnect affected systems from the network to eliminate any attacker path, but do not power them off: preserve the logs and other evidence the investigation will need.
- Don't be afraid to open a claim immediately. Don’t go too far on your own. Don’t pay and expect the insurance carrier to reconcile later.
- During a breach, don’t over (or mis) communicate. Say “We're experiencing a system interruption. We’re working to restore systems and will update as quickly as possible.”
And now for the audience’s questions and the terrific dialog that followed (also recorded here)!
What’s keeping you up at night?
Melissa (attorney): I'm looking at it from my clients’ perspective, and the one thing that keeps me up at night is their inability to respond quickly to a cyberattack. It's not really a matter of “if” you're going to face one, but “when”, and will they be able to respond in a way that they can continue to operate and mitigate damages?
Bill Smith (CIO-emeritus): I’m concerned about a trend where the FBI identified at least 50 entities across 10 critical infrastructure areas that have been affected by the Ragnar Locker ransomware. Industries like manufacturing, energy, financial services, government, and even IT. We've seen ransomware’s disruption to the supply chain. It concerns me that these are getting bigger and more disruptive.
Doug (cyber insurer): The thing that keeps me up at night is ransomware. That's the trend we're seeing, and specifically attacks through the admin level. We're going to spend a lot of time talking about what we can do about that.
What is trending in cyber insurance and legal?
Doug (insurer): Ransomware is the biggest trend right now. What we love to see on the insurance side, and I believe I'm speaking for the industry, not just my company, is Multifactor Authentication. There are tons of stats on the reduction in risk, but it really protects entities top to bottom. Even if a bad actor gets in, if multifactor authentication is present, it makes it harder to hop around within the entity.
Melissa (attorney): When we see ransomware, we're also seeing the extortion of data, which adds to the overall cost and complexities of a response. From a legal perspective, I would like to see clients get rid of data that’s not needed, to go on a data diet. You can see documents in a filing cabinet, but you don't see electronic documents. People have retention policies that they've never audited. The US doesn't have laws that say you must delete things. But if you did delete things, you would reduce your attack surface.
Bill (CIO): Melissa, I'm going to say that from the CIO perspective, it's hard to get an organization to pay attention to that. They don't necessarily look at it as a productive use of time, but I know that when people must decrypt everything, it can take weeks if not months to recover. Excellent point about reducing data because it reduces the time to restore.
The FBI's position is not to pay the ransom. What’s your position (pay or not pay)?
Melissa (attorney): If you're fully encrypted and they've got your backups, and if there's no way for you to operate other than to get the decryption key, then I think the company is going to have to pay. On the data exfiltration side, I think when we first started to see more attackers take data, there was a real interest in keeping that information out of the public. I think at a certain point we're going to tip that scale and the data is going to be out there anyway. So instead of focusing so much on recovering the data or paying the ransom to do so, we should look more at it from a protection perspective. But I don't know necessarily that our technology or the tools have yet come on the market to do that.
The other thing too from a decryption standpoint is sometimes when people are answering questions on an insurance application, they may not necessarily understand the question that they're answering. There's a ton of embedded questions, like do you have backups? Have you tested the backups? Are the backups segmented? When you tested them, did you restore in a time that makes sense? We've worked with companies who have backups, have tested the backups, but then when they get into a ransomware situation, it's 20 hours to restore one server and they have 270 servers. It's going to cost them less, not just in dollars, but in lives, to pay for that decryption key.
Doug (insurer): Nobody wants to pay. The client does not want to pay, our government doesn't want us to pay, and insurance carriers don't want to. Can we, do we? Sure, but it's a case by case business decision. We’re really emphasizing prevention as an industry. The claims that we see, many of them, and the bad ones, could have been prevented with just some very basic security.
How should we quickly restore from backups?
Chris (moderator): Melissa brings up this topic of backup segmentation and the time it takes to restore. It’s important to set expectations for risk managers and business leaders. Even if you have solid backups, and you have backups for the last, say, 10 years of your ERP system, that will take weeks if not months to restore. What you want to do is say “OK, we need last week’s data for sure, because that's what we're going to work on this week.” Then, keep a safe, immutable (unencryptable) copy of last week's content, so that in the event of a crisis, you can quickly restore this small data set to get your finance and accounting back online with the data that they really need to transact right now.
Bill (CIO): Right, you can’t restore everything at once. In my experience, we went through a process where we did a risk assessment of every system, every service, and we sat down with the business owners of each and prioritized. Now the first response is that everybody says, “I need my stuff immediately.” But the reality is they don't, and you must prioritize so that when you get into that event, you know the most critical systems to get operational, and to what degree. I'll say it was an arduous process, but it also helped establish recovery point objectives and recovery time objectives for each system and service.
Chris (moderator): Thank you, Bill, and without a prioritized restoration, every business manager who wants their system back will bang on the CIO’s phone to get them all back, distracting the response team from the real work.
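The prioritized, tiered restore the panel describes can be sanity-checked before an incident. The following is an added example, not the webinar's or any panelist's tooling: it takes a constructed inventory of systems with measured restore times and agreed RTOs, schedules them tier by tier across a fixed number of parallel restore streams, and flags every system whose RTO cannot be met. The 20 hours per server figure and the "last week's ERP slice" are taken from the discussion above; the system names, tiers and RTO values are assumptions.

```python
"""Restore-order planner: does tiered restoration meet each system's RTO?

Constructed example. Restore durations should come from a real restore
test, not from guesses; the inventory below is made up for illustration.
"""
from dataclasses import dataclass


@dataclass
class System:
    name: str
    tier: int             # 1 = restore first, larger = later
    restore_hours: float  # measured wall-clock time to restore this system
    rto_hours: float      # recovery time objective agreed with the business


def plan_restore(systems, streams):
    """Greedy schedule: tiers in ascending order, longest job first within a
    tier, each job handed to whichever restore stream frees up earliest.
    Returns a list of (name, finish_hour, meets_rto)."""
    order = sorted(systems, key=lambda s: (s.tier, -s.restore_hours))
    free_at = [0.0] * streams          # hour at which each stream is idle
    schedule = []
    for s in order:
        i = min(range(streams), key=lambda k: free_at[k])
        finish = free_at[i] + s.restore_hours
        free_at[i] = finish
        schedule.append((s.name, finish, finish <= s.rto_hours))
    return schedule


def rto_misses(systems, streams):
    """Names of systems whose scheduled finish time exceeds their RTO."""
    return [name for name, _, ok in plan_restore(systems, streams) if not ok]


def total_hours(systems, streams):
    """Wall-clock hours until the last system is back."""
    return max(finish for _, finish, _ in plan_restore(systems, streams))


# Constructed inventory: a small "what finance needs this week" slice of the
# ERP restores first; full history and the bulk of the estate come later.
INVENTORY = [
    System("ERP-last-week", 1, 6.0, 24.0),
    System("Identity/AD", 1, 4.0, 12.0),
    System("Email", 2, 10.0, 48.0),
    System("ERP-full-history", 3, 120.0, 24.0 * 14),
] + [
    # 266 ordinary servers at 20 h each (the restore rate cited in the
    # discussion), with a 30-day RTO assumed for the bulk of the estate.
    System(f"fileserver-{n:03d}", 4, 20.0, 24.0 * 30) for n in range(266)
]


if __name__ == "__main__":
    streams = 4  # assumed number of parallel restore jobs the backup system can run
    print(f"Full restore takes {total_hours(INVENTORY, streams) / 24:.0f} days")
    misses = rto_misses(INVENTORY, streams)
    print(f"{len(misses)} systems miss their RTO; tier-1 slice is back on time: "
          f"{'ERP-last-week' not in misses}")
```

Changing `streams` or trimming the bulk tier shows directly how much restore throughput, or how much of the data diet Melissa recommends, is needed before the RTOs are achievable.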
How often do you conduct incident response tabletop exercises and security assessments?
Bill (CIO Emeritus): Probably not frequently enough but at least every six months, we’d stress test on our incident response plan. We used a security consultant’s perspective, because while we thought we were doing the right things, we wanted verification. Just like a financial audit, we did a security audit once a year.
Melissa (Attorney): I wanted to pick up on that Bill. We have seen this move from an IT problem to an organizational problem. We do see more cross departmental conversations because that audit piece is not just a security piece, it's a legal piece. You have statutes out there that require organizations to audit certain things, and not just audit logs, but security processes. We're also seeing more emphasis on auditing third party vendor management programs. Not just that you have contractual controls in place, but that you're confirming that the third party vendor is doing what they say they are doing. It's a regulatory consideration and it could be a question during litigation.
How do you manage third party risks?
Chris (moderator): To a point Melissa just made about the third party risk profiles. In December, Kronos, the massive time reporting and payroll company, was ransomed themselves. This is the trend in the industry now, where bad actors go after somebody who serves a bunch of organizations at once. They’re increasing the pressure for the bigger SaaS providers to pay the ransom. Few companies that Bill and I talk to about their readiness stress tests their vendors. You must ask them questions like, “who has access to our data” and “what's the process for alerting us if there's a breach?”
One more point about these yearly audits and stress tests. You must have the fortitude to do something about it. There's value in knowing that something is wrong or at risk but giving your tech people the budget and the time to address them is as important as knowing in the first place.
Melissa: You know, I spoke at the International Payroll Professionals Association conference recently, and the ransomware attacks came up, and the discussion about preparation. One of the questions that came up was this disparity in bargaining power: when you have a company that's very large and you're working with companies that are smaller, how do the smaller companies get the larger companies to understand or disclose information? You're not going to get Salesforce or Amazon to change its terms and conditions for a Mom and Pop Pizza Shop. If you understand what their parameters are and what your parameters are, you're going to be in a better position to respond when they suffer an attack.
What is Business Disruption insurance?
Doug (Cyber insurer): I’ll add that this is 2022 so everybody is relying upon someone else electronically in the supply chain. There is insurance for business interruption for when one of the companies that you rely on gets electronically disrupted. Be sure to talk to your insurance agent about “Am I protected if one of the people I rely on goes down? What is my recourse if I don't have this insurance?”
Bill: That’s disruption insurance, and not necessarily your cyber insurance policy, right?
Doug: Great question! It’s an optional coverage that lives inside of our cyber coverage. Please don't confuse this with the property and casualty business interruption. That example is like a transformer falls over and the ice cream shop can't make ice cream anymore because their refrigerators don't work. Most people carry that insurance, but I'm talking about electronic disruption when somebody you rely on is down. Not all carriers offer it so check out your policy with your agent.
Will a cyber carrier interview someone in person rather than just have them check the boxes?
Doug: We do risk control and do send human beings to the client, particularly if you're larger and operations are more complicated. We will have somebody there to meet you in person if you want it, but we default to the application because your average layperson does not want to deal with us!
Are there some emerging de facto standards that must be in place to be covered?
Doug (Insurer): The absolute biggest thing is multifactor authentication.
Melissa (Attorney): It’s not just multifactor authentication but multifactor authentication on all systems where you have information. The one other thing I would really like to see is cyber security training. We see that people implement multifactor authentication, but then they haven't trained people on the ways that attackers bypass multifactor authentication.
Bill (CIO Emeritus): I would add this about multifactor authentication. There are a lot of configuration variables, especially with conditional access. There are people out there who are knowledgeable, so leverage their experience to make sure you set it up properly. The other default should be single sign-on, and using multifactor for all your SaaS.
Melissa: There are vendors where you still need to have your own login and password for their systems that bypass system multifactor authentication. In 2022 it just makes me bang my head against a brick wall going why not?
What percentage of revenue is allocated to security spending?
Chris: In 2019, one survey showed 15% of IT budget was spent on security, and another showed 12.5%. It’s getting harder to measure since with Microsoft, at least, security is bundled in with other licensing. There's a dichotomy there because a lot of that expense is still spent on traditional on-premises and networking security. Since we’re not in an office anymore, that model is purposeless. New vectors are often credential compromise through email. Rearrange your thought process. The big expensive firewalls and intrusion detection systems for your shrinking data centers are not protecting your vulnerable devices and identities that are connected to cloud services. See chart at the bottom for an example of this lag in the cloud.
Is there any incentive from insurance carriers if the organization has passwordless authentication?
Doug: I haven't seen it personally. I know what it is, and I would not be surprised to see it make its way into insurance, but unfortunately, I don't have an official answer for you.
Chris: My gut feel is that this is out a year or so for the cyber insurance carriers to think about.
Is there a point where if you check "No" in too many boxes on the questionnaires that you don't get covered, or your rate goes up?
Doug: This is an excellent question and probably one of the best ones you're going to hear today. The answer is that it’s as unique as the company that is getting coverage. The first step in the whole risk assessment is what kind of business you’re running. On one end, there are tech companies that are holding the bag: they're storing data and ensuring its safety for their customers. At the other end of the spectrum is a K-12 educator. So their two applications will be different because the risk of those two entities is very different, and the tolerance from the insurance carrier is going to be different. I think a lot of folks think that insurance carriers want every single box checked yes. That's not correct. We understand that at some point it will hurt you if you go too far with the controls. There must be some risk being taken, so it really is a dance between you and your agent, your insurance carrier, your lawyer, and the tech firm you're working with.
When an incident occurs what single step should attendees take to get on the right track?
Bill: A lot of times people think to turn off the computer, but I believe that's the wrong thing to do. You want to disconnect from the network to eliminate any path, but you want to maintain the logs and information that would be valuable for the investigation.
Melissa: I'm going to second what Bill said. A lot of people think to call insurance or call an attorney, but the first thing you should do is take steps to mitigate the risk from a technical perspective. It should be outlined in your incident response plan which should be somewhere not saved on the electronic system that’s been impacted. We ask people about their incident response plan, and some say, “yes it's on all the devices that are encrypted.” Print that out somewhere and take those steps that are outlined.
Doug: I agree with these folks. If you have a plan, run the plan. As the insurance guy here, I'll tell everybody that no two policies are alike on this topic. The carriers have different tolerances. If this were a house fire, how much of the fire should you be putting out with your extinguisher versus calling 911? We all know from our home policies that if you just negligently let your house burn and don't do anything, the insurance carrier is going to take issue. The same thing applies here. I live in Baltimore County where we’ve had very famous cyberattacks, and the entities tried to take matters into their own hands for too long and made things exponentially worse.
Chris: In that plan, have a point person or people who know very specifically how to open a claim on a Saturday morning when the person that sold you the policy isn't in the office, when you need help.
When should an organization open a claim?
Doug: Don't be afraid to open a claim immediately. There's so much more harm that can happen if you don't open it versus opening it when you don’t need to. You make a great point Chris. Part of that plan is what to do on Saturday and Sunday and the holidays, and to have that 800 number in your binder.
Are there things that an organization shouldn’t attempt to do from a legal perspective that may cost them as they go too far without involving a forensic analysis or an attorney?
Melissa: There are so many that I've seen. If your email is up, don't put in writing “look what this person has done, he violated our policies”. I've seen that email! Don't delete all the encrypted data because you know your backups are good without checking the backups. Don't go out and tell customers that you got hit by a ransomware attack, because you're not going to be prepared yet to handle that response. Once you say something publicly or you put it in writing, you can't take it back. People have said things that have been used against them in litigation, and courts have pointed to them as reasons to not grant motions to dismiss. Be careful about how you handle it.
The organization has to say something to its own employees to its customers if there are systems that are affected. What should they say?
Melissa: You’re legally allowed to say whatever you want, but if you say you're “having an incident, and (y)our systems are affected,” you're going to get 1,000 calls from customers. My suggestion is to say “We're experiencing a system interruption. We’re working to restore systems as quickly as possible. We will update ASAP.” Put up a splash page or something like that. Don't say that you're “having system maintenance issues” because that's not accurate. You are having a system interruption if something happened, and you taking your systems down to contain it is still a system interruption. Within the first hour or so, put something like that up because people are familiar with “system interruptions.” Be careful not to start that flood of questions that distract you from taking steps to mitigate.
Chris: This is where in your plan you have roles and responsibilities. The person that constructs or perhaps even has this email ready to send to a distribution list isn't the same person who's the commander of the incident. Ensure the right people are on the incident response team.
Bill: In the organization I came from, we spent a lot of time on communication and roles and who's going to say what and who's not going to say anything. It's kind of like a fire drill. You want to know where to go and where to meet and who's going to do what.
What’s the worst-case scenario? Under what circumstances have claims not been paid out?
Doug: I don't have a specific example, but it goes back to somebody trying to do everything themselves, getting way over their heads, and making the situation worse.
Melissa: That's a really difficult thing to answer. I have seen that there are problems when companies go out and spend $1,000,000 on mitigation before they ever talked to their insurance company. Insurance is going to have a problem with that because often the policies have a requirement to get consent or approval before you do. I can't advocate enough that you have an open channel of communication with the insurance company if you have an incident.
If someone answered untruthfully or incorrectly due to misunderstanding on their insurance questionnaire, and the breach occurred because of how they answered, how would that be handled?
Doug: That’s a very sensitive question, and the default answer is that we would not cover it. There's going to be some concepts of good faith that would be argued in court, so I can't just say yes or no, but it complicates your situation. What I will tell you now is take that application very seriously, make sure you understand it, and if there's anything close to a question bring your agent and the carrier to make sure you get it right.
What is the one thing organizations get wrong when responding to incidents?
Melissa: Well, if you ask an attorney to limit our answer to one thing, that's the most difficult thing! It's really taking that wrong first step. From a preparation perspective, sit down and really understand from an organizational perspective what that first step is – which should be the preservation and containment of the incident.
Doug: Make sure you are with the right insurance carrier, and that they have the right tech responders and lawyers. Make sure they themselves could survive a catastrophe, where say an Amazon-level company goes down and lots of people are bringing claims. Where are you in line, and if the carrier is small, would they be able to pay all their limit losses? I urge everybody to make sure that they have confidence in their agent and carrier.
Bill: My first step happens before there's an incident. Be prepared. Have a plan and recognize this as a business issue not an IT issue. If your business leadership isn't fully aware, then you have a responsibility to educate them.
Thank you to the panelists and to the participants for their terrific questions! We're not going anywhere, and neither are these risks. Follow us on social media for more related news.