In the Cyber Security Simplified podcast, hosts Susanna Song and Dave Barton discuss the dilemma of whether to pay ransomware demands, highlighting the evolving stance of cyber insurance companies. Guest Tom Wetzel, a consultant in the cyber insurance field, explains how the industry is adapting by raising premiums and requiring policyholders to enhance their cybersecurity measures. Insurance policies are not standardized, making it crucial for businesses to choose knowledgeable agents. Companies must adopt proactive cybersecurity strategies and understand their risks to maintain coverage and manage potential ransomware attacks effectively.
Ransomware and Cyber Insurance
- The ongoing dilemma for businesses is whether to pay ransomware demands or resist to discourage future attacks.
- Cyber insurers are tightening the conditions under which they will cover ransomware payments, which forces policyholders to rethink their risk strategies.
- Business continuity is a significant factor in deciding whether to pay, especially for mid-market SMB companies.
"It's a multi-billion dollar issue and the bad guys are getting paid... If you're a mid-market SMB company, there's a pretty good chance you have to pay to keep your doors open."
- Paying ransomware demands may be necessary for business survival, particularly for small to mid-sized businesses lacking robust security measures.
Role of Cyber Insurance
- Cyber insurance policies vary widely, with no industry standardization in coverage.
- It's crucial to work with knowledgeable agents and carriers who understand cyber coverages.
"When you've read one cyber insurance policy you've read just one... the industry is in the process of standardizing the language."
- The lack of standardization in cyber insurance policies means that coverage can differ significantly between providers, making expert guidance essential.
Expert Insight from Tom Wetzel
- Tom Wetzel, a consultant to cyber insurance agents, emphasizes the importance of choosing the right policy and agent.
- His experience spans decades in digital marketing and advising insurance companies on cyber security.
"I've been working in the digital marketing space for close to three decades... cyber security has been a primary focus."
- Wetzel's extensive experience highlights the growing importance of cyber security in the insurance industry and the need for informed decision-making.
Evolution of Cyber Insurance
- The cyber insurance industry is undergoing rapid changes, particularly concerning ransomware coverage.
- Ransomware is a significant segment of cyber claims, but not the only one, indicating diverse cyber threats.
- Companies often mistakenly believe that cyber insurance will fully transfer risk to insurers.
"The key thing is that ransomware is just... the biggest part of cyber claims... but it's not the only one."
- Ransomware is a major component of cyber claims, but other cyber threats also exist.
"The insurance companies are reacting to this and they... base their policies and their limits on statistics."
- Insurers are adapting policies based on statistical trends in cyber claims.
Ransomware and Insurance Coverage
- Ransomware accounted for 41% of cyber insurance claims in the first half of 2020.
- Insurers are raising premiums and requiring policyholders to enhance their cybersecurity measures.
- Coverage for ransomware is not being eliminated but is becoming more conditional.
"In the first half of 2020, ransomware attacks accounted for 41% of the total number of filed cyber insurance claims."
- Ransomware is a prevalent issue in cyber insurance claims.
"They're not going to all suddenly say, oh, we're not covering ransomware... they're going to raise the premiums."
- Insurers will continue to cover ransomware but with increased premiums and conditions.
Policyholder Responsibilities
- Insurers require policyholders to take proactive cybersecurity measures to maintain coverage.
- Security awareness training and understanding of risks are crucial for policyholders.
- Insurers assess a company's cybersecurity efforts before providing coverage.
"They're also going to require the policyholder... to perform certain functions on their side."
- Policyholders must actively engage in cybersecurity practices to qualify for insurance.
"Are you conducting security awareness training on behalf of your employees?"
- Employee training on cybersecurity is essential for maintaining insurance coverage.
Influence of Legislation on Cyber Insurance
- Industry standards and legislation, such as PCI DSS, HIPAA, New York's SHIELD Act, CCPA, and GDPR, shape the data protection obligations businesses face.
- Insurers consider these standards when evaluating policies and premiums.
- Insurers treat demonstrable compliance with these regimes as evidence of lower risk, which can translate into fewer claims and lower premiums.
"We've seen a lot of movement in the SHIELD Act in New York and CCPA in California... GDPR."
- Legislative measures across regions impact data protection and insurance practices.
"They're not just talking about it, they're taking co..."
- Insurers are actively integrating legislative standards into their policies.
Data Security in the Insurance Industry
- The National Association of Insurance Commissioners (NAIC) has developed the Insurance Data Security Model Law, adopted so far by 14 states, to give insurers a common baseline of data security requirements.
- New York's insurance-sector requirements (the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500, on which the NAIC model law was based) are considered the most demanding and are widely regarded as the gold standard in the industry.
- Insurance companies are revising agreements with independent insurance agency partners to improve data security, recognizing agents as potential weak links in the digital ecosystem.
"The National Association of Insurance Commissioners has put together a data security model law which has been passed in 14 states."
- The model law is an effort to standardize data security requirements across states, so that insurers and their agents work to one enforceable baseline rather than a patchwork of state rules.
"New York has a very much higher standard of data security requirements which is largely considered the gold standard in the industry."
- New York's stringent requirements serve as the benchmark other states and industries measure themselves against.
"Insurance companies believe that their agents are their weakest link...so you're going to have to do a better job."
- Insurers see independent agents, who hold policyholder data but often have weaker controls, as the most exposed point in their ecosystem, and are tightening the data security and compliance obligations placed on them.
Collaborative Efforts for Better Cybersecurity
- A new consortium of cyber insurance companies has been formed to advocate for stronger regulations and improved risk mitigation efforts.
- Insurance companies are taking cybersecurity seriously, recognizing their vulnerabilities and striving for improvements internally.
"There's a new consortium of cyber insurance companies who have come together to push for stronger regulations and better risk mitigation efforts across the board."
- The formation of a consortium demonstrates the industry's commitment to collective action in addressing cybersecurity challenges and enhancing regulatory frameworks.
"The insurance companies realize they have to do a better job themselves."
- Acknowledgment by insurance companies of their own cybersecurity vulnerabilities signifies a shift towards self-improvement and accountability in data protection.
Recommendations for Businesses
- Businesses should first understand their risks and vulnerabilities within their digital ecosystem, including third-party dependencies.
- Engaging both a cybersecurity partner and a carrier that specializes in cyber insurance is crucial for comprehensive protection and risk management.
- Cyber insurance companies are increasingly requiring businesses to implement proactive security measures as a condition for coverage.
"The first thing is to understand their risk...not just for themselves but for their vendors."
- Understanding the full scope of vulnerabilities, including those posed by third-party vendors, is essential for businesses to effectively manage cybersecurity risks.
"Find a cyber insurance company that has a specialty in cyber insurance that can offer you a variety of services."
- Partnering with specialized cyber insurance companies provides businesses with access to tailored services that address both pre-incident prevention and post-incident response.
Cybersecurity Program Essentials
- Insurance companies are demanding that policyholders establish a comprehensive cybersecurity program.
- A recognized framework, such as the NIST Cybersecurity Framework (CSF), is recommended as the backbone of a security program.
- The shift to remote work necessitates tools for data protection outside traditional office environments, including next-gen endpoint protection.
"Insurance companies are asking for a program...policyholders need to have a cybersecurity program."
- The requirement for a structured cybersecurity program underscores the importance of systematic and documented security practices for insurance coverage eligibility.
"A NIST is a great one for folks who are just thinking about it."
- The NIST Cybersecurity Framework is recommended for organizations just starting to build a security program, because it provides a ready-made structure for identifying, protecting, detecting, responding and recovering.
"You've got to have tools to protect the data wherever it is...having a strong next-gen endpoint play has got to factor in."
- The necessity of advanced endpoint protection tools reflects the challenges posed by remote work environments, where traditional security controls may be lacking.
Industry's Evolving Strategy
- The cyber insurance industry is re-evaluating its strategies following significant payouts, particularly in 2020, prompting a shift towards preventive measures and stricter policyholder requirements.
"Are you guys surprised it's taken the cyber insurance industry this long after paying out how many times especially in 2020 millions of dollars that finally they're rethinking their strategy?"
- The industry's delayed response to escalating cyber threats and financial losses highlights the need for a proactive and strategic approach to cybersecurity and risk management.
The Rise of Ransomware and Cyber Insurance
- Ransomware has been a persistent issue, but recent high-profile cases have increased awareness and urgency in addressing it.
- Legislative bodies and insurance companies are now more focused on cyber threats due to the financial implications of ransomware incidents.
- Smaller businesses are particularly vulnerable to ransomware attacks due to limited investment in cybersecurity measures.
"The only reason we're seeing it now is we've had two really high-profile cases that is drawing the attention and now everybody from the legislative perspective is going oh we got to fix this."
- High-profile ransomware cases have prompted legislative attention and raised public awareness.
"Insurance companies who paid four million dollars for the Colonial Pipeline ransomware event are going, wait a minute, you guys knew you had breach capability or problems that could lead to a breach and you did nothing, so there's some negligence."
- Insurance companies are scrutinizing claims more closely, especially when negligence in cyber defense is evident.
Cyber Insurance and Due Diligence
- Cyber insurance should not be seen as a standalone solution but as part of a broader risk management strategy.
- Businesses must take proactive steps to prevent breaches to qualify for insurance coverage and favorable terms.
- Comparing policies and consulting with experts is crucial due to the complexity and evolving nature of cyber insurance.
"Don't consider cyber insurance as the solution by itself... you're not transferring the risk to the insurance company, you're just going to pay for it."
- Cyber insurance is not a substitute for robust cybersecurity measures.
"The insurance companies are going to tell you up front you have to do a better job of preventing breaches in the first place otherwise we may not insure you."
- Insurers require evidence of preventive measures before offering coverage.
Best Practices for Cybersecurity and Insurance
- Educating employees on identifying potential threats like phishing is essential.
- Implementing preventive controls closer to the data, such as next-generation endpoint protection, strengthens security where perimeter controls no longer reach.
- Partnering with both insurance and cybersecurity experts can provide comprehensive protection and guidance.
"Teach your people how to identify the things that lead to ransomware, right: clicking on links, opening files. Awareness has got to be top of list."
- Employee awareness and training are critical in preventing ransomware attacks.
"Find a partner, not just an insurance partner who understands the insurance piece, but a cyber security partner who can help you navigate cyber security."
- Collaboration with specialized partners can improve both cybersecurity posture and insurance outcomes.
These notes provide a detailed overview of the key topics discussed in the podcast, focusing on the importance of understanding and integrating cyber insurance within a broader cybersecurity strategy, the role of legislative and insurance scrutiny following high-profile ransomware cases, and best practices for businesses to mitigate risks.