As cyberattacks grow in frequency and severity, cyber insurance has never been more important. But rising risks can also mean rising premiums. How do you improve your security posture and minimize your premiums, while maximizing the value cyber insurance offers? In this episode, we talk to Florence Levy, Executive Vice President at INSUREtrust, a specialist cyber insurance broker. Florence offers fascinating insights on the interplay between cyber insurance and cybersecurity practices – and the increasing role brokers are playing in helping clients improve their security posture and resilience. Find out what underwriters look for when evaluating your risk profile and the importance of threat prevention, detection, and response in assessing your cybersecurity awareness and maturity.
Secureworks Interview with Florence Levy
Sally: Welcome to today's show, all centered on cyber risk. And I'm delighted to be joined by Florence Levy, Executive Vice President at INSUREtrust. Welcome Florence.
Florence: Thank you so much, appreciate that!
Sally: Oh, my absolute pleasure. So perhaps to start us off, perhaps you could give a little bit of an introduction about yourself, but also INSUREtrust and everything that you are doing.
Florence: That sounds great. I'm very much looking forward to this discussion today. So, a little bit about me. I've been in commercial insurance for the last 23 years, focusing solely on cyber insurance brokerage, and I recently joined the leadership team of INSUREtrust, which is a wholesale specialty cyber brokerage firm. Those of you listening might be asking, well, what is a wholesale insurance broker? So really at a high level, an insurance broker is an intermediary between a company that buys insurance, the insured or policyholder, and the insurance carrier.
This relationship is much like a real estate agent who puts the deal together between the home buyer and seller. However, not all insurance brokers or agents have cyber insurance expertise, which is where wholesale firms come into play. So really the easiest way to describe what we do here at INSUREtrust is that we are like the Managed Service Provider or MSP, of cyber insurance for those brokers or agents who don't have the desire to hire an in-house team, or potentially don't have the budget, but need additional expertise because cyber insurance is very specialized. Many brokers have expertise in multiple lines of insurance but here at INSUREtrust we focus only on cyber insurance. So, if you're working with a broker that doesn't have cyber expertise in house, you can still use us as your outsourced cyber insurance expert.
Sally: I really love that and I also wanted to bring to the fore the background of INSUREtrust as a pioneer in this space. I believe you were the first organization to develop holistic insurance in this space, like when the internet first came to the fore. The trajectory of innovation in this area I thought was really impressive – and in the market at the moment as well. I’ve seen this while attending the RSA conference this past week, and also generally. For example, Lloyd’s of London have been making announcements over the last few weeks about the nature of cyber insurance and how it's changing. I think there could be a little bit of confusion or ambiguity around its role in cybersecurity strategy. Perhaps we can unpack that a little bit for the audience as well. How would you state the role of cyber insurance in this strategy and the value it brings?
Florence: That's a great question. At its core, cyber insurance is really a risk financing tool. But when it comes to your overall cybersecurity posture, I wouldn't recommend that you take your IT budget and spend it all on proactive security measures, or alternatively, put it all towards cyber insurance as your only backstop. They really work to complement each other, and I would certainly argue each is equally important. I think it might be helpful just to give a high-level summary of what cyber insurance actually covers. In doing that, I can explain it in the easiest terms by putting it in two buckets.
The first bucket is third party liability, so damages that a company may owe to a third party for a cyber event that's caused by that organization or potentially even one of your vendor partners. And then there's the bucket of first party costs, which is when an organization spends its own internal funds to deal with and respond to a cyber event.
So cyber liability, or that third party coverage, can really manifest itself in a variety of ways. It could be lawsuits, third party demands, regulatory fines, or penalties and other fines, like those coming out of the payment card industry. And then first party coverage has many, many buckets of insurance, which is why cyber insurance can be confusing to explain sometimes, because they can all be related or interrelated.
One incident can potentially trigger multiple insuring agreements. But in general, those first party costs include costs associated with responding to a cyber incident. For example, fees for hiring breach counsel, fees to hire a digital forensics firm to investigate a cyber incident, the potential notification of a breach to affected individuals or regulatory agencies, and credit monitoring costs or public relations fees to help manage any potential reputational issue that could follow from a cyber event.
That's one bucket. Another bucket in the first party category can be extortion expenses – the cost of investigating the credibility of a ransomware threat when you need to negotiate with the bad actors. Also, the cost of hiring a third-party firm that specializes in that. Things like cryptocurrency payments and compliance checks all fall into the bucket of extortion expenses for a ransomware-type event.
There's some coverage available typically for cybercrime-related losses that stem from things like social engineering or invoice manipulation. There's also a bucket for cyber business interruption losses, i.e., the costs associated with your network going down, which might lead you to lose revenue or pay extra to get it back up and running. And finally, the cost to restore lost or exfiltrated data is usually contemplated in these policies as well.
I just threw a lot at the audience there. I know it's a lot to take in, but really what I hope we're conveying today is that cyber insurance brings a lot of value. We're just coming out of a hard market where carriers were really, quote unquote, correcting premium rating models because they have paid so many losses in this area.
Sally: Absolutely, I've been reading a lot about that. And I think you also brought to the fore really nicely the array of challenges that organizations are addressing and the need for coverage that goes across all those different elements and the accumulation of costs that can occur to navigate these different challenges. I think it's really important to set those out and avoid some of the confusion around that. Awareness is so key.
So, if a firm doesn’t have cyber insurance right now, what are you seeing insurance companies looking for to help organizations maybe reduce those premiums?
Florence: It's another great question. And I love this question because I’ve been focused on cyber insurance my entire career and have really had an opportunity to see how the product and the solution have developed over the years.
I would say in the early years of cyber underwriting, it was really focused overall more on the governance of your security program, but now it's very much based on technical cybersecurity controls. However, there isn't really one silver bullet where an underwriter looks at you and says, oh, you're a great risk because you do this one thing.
From a security prevention perspective, it's really the sum of all parts. It's not just one specific security control. That being said, I would say that underwriters are focused mostly in three main areas. The first one is prevention and preparation for a cyber event, then the detection and response of a cyber incident, and finally the recovery and resilience capabilities that you have in place should you be a victim of a cyber event. And within each category there are really a lot of different subsections of topics and lines of questioning. But I would say, in today's cyber market, there are really certain minimum thresholds of insurability, although your individual industry class and company size are still important factors.
So, for example, the smaller you are, the less underwriting scrutiny you may have around certain controls. However, if you're in a high hazard class such as healthcare, payment processing, gaming, municipalities, higher education, etc., you really need to have strong security controls to even be considered an insurable risk.
Then finally – organizations ask this all the time and Sally, you mentioned this as well – is there a direct correlation between controls and premium? What I would say is premiums are made up of a multitude of factors. That includes your security controls, your overall security posture, general market conditions, cyber-specific market conditions, your loss history, proactive planning, your organizational structure, and your industry size. So, the list sort of goes on and on. And as I said previously, it's really the sum of all parts when it comes to how underwriters view your risk.
Sally: I think making that really clear is so important, particularly with the rate of change in the cybersecurity space in different verticals over the last few months. Take utilities, for example, and the sector’s increased threat vectors – not just ransomware, but even killware. With so much change, things are always going to be evolving. There's always going to be that personalization and also the impact of education in organizations, and how much training has been put into cybersecurity. There are so many elements coming into play, so thank you for sharing that.
So again, let’s drill down a little bit more. I appreciate we can't get too specific, but I know a lot of listeners ask for tangibles. So, if you already have a cyber insurance policy right now, what would you recommend as ways to improve or differentiate your position to potentially secure better renewal terms? Again, I appreciate there's no one size fits all but perhaps you have some general advice that people can take away and think about for their organization.
Florence: Absolutely. It's really all about demonstrating to underwriters your cyber incident preparation and response readiness and evidencing those strong security controls as well. It's not just about checking a box, it's a matter of your overall cybersecurity awareness and maturity, and the associated processes and procedures to support that. And I would say sometimes that can't just be answered in an application form. It may need to be supplemented by a discussion with the underwriter so that you can go into a bit more detail and really demonstrate that. I would emphasize the maturity of your controls really, above and beyond minimum requirements.
I would also recommend getting out in front of your insurance renewal so you can assess where your controls are at least six months in advance. This gives you time to try to address any deficiencies and really present your best security posture going forward into that renewal. This is where your cyber insurance risk advisor should be consulting with you to help you prioritize your IT spend as it specifically relates to insurance.
Without getting into too much detail – I know the audience here is probably very familiar with these things – I've mentioned these critical security controls many times, but I haven't actually identified what they are. I would love to list out the top few, if you will, that are considered key.
So, multi-factor authentication for remote access and administrative privilege controls are definitely high on the list. As is endpoint detection and response, or EDR. With so many people accessing corporate networks outside of just the office environment, that's really important – secured, encrypted, and tested backups.
When the bad guys bring ransomware threats, they always try to attack those backups, so making sure you have your house in order there is very important. Another key control is privileged access management and limiting the number of these accounts. These are really the keys to your network. When attackers compromise them, they may have almost unlimited access to your organization. Then there’s patch management and vulnerability management, focused on the cadence and what those critical patches are. And the last few, as you already mentioned Sally, are cyber incident response planning and testing. It's very, very important to be able to demonstrate that.
It’s also critical to have policies and procedures in place like business continuity, disaster recovery, and of course incident response planning, as well as cybersecurity awareness training and phishing testing.
So, just to reiterate, the recommended solution overall is not just to invest in controls or purchase cyber insurance. It's both. And I think organizations will see that many companies are actually requiring that you have cyber insurance when you contract with them. So, it's also a belt and suspenders approach. The one other thing I do want to mention, as it relates specifically to those organizations that are familiar with the renewal cycle and the renewal process from a cyber insurance perspective, is that there are many pre- and post-cyber incident resources available through your insurance carrier that you should ask about if you're not already aware.
So, my final point on all of this is that cyber insurance isn't just a financial vehicle. There is also a services element to the offering, and if you don't know about this, it's great to be able to ask and understand what all those offerings are.
Sally: Those added value services you were talking about I think are absolutely key.
I love the way that you covered all the holistic elements that come into play with this, including things like identity management, because I see that as absolutely a rising area at the moment. And also, just going back to the beginning with things like 2FA that can negate up to 98% of some threats for certain types of organizations and certain vehicles. There's a lot that even smaller organizations can do as their foundation. So, it's great to look at that entire suite of protection. It's a balance at the end of the day, isn't it?
Maybe just as a final point, I'm just thinking about some of the things we're experiencing in the world at the moment, particularly around economic conditions, the ability to do more with less, and tightening budgets in corporations across the world. Where do you see the role of managed services here, perhaps at a higher role or heightening this role for managing cyber risk?
Florence: Another great question. Hiring trusted and reputable firms in this space from a managed services perspective is certainly the better option than trying to do it yourself if you don't have the expertise.
Really, this brings the conversation full circle to what I mentioned at the beginning of the podcast as it relates to insurance brokers. You want to hire the experts, those who do this day in and day out, the quality managed service partners who can potentially provide both proactive and reactive capabilities. From a cyber perspective, these really matter.
Certain industry classes might be more likely to leverage managed services, and those offerings really can be effective solutions for industries or companies that are either budget constrained or need a more scalable solution – or scalable expertise.
Sally: I think you've really unpacked something so useful with so many takeaways for the audience here, things that people can really apply and think about in their organization. With all the changes and vectors of change in the world right now, I think that the power of partnership has probably never mattered more. And insurance is right up there as a key concern for many and an opportunity to help protect at the same time.
I would love to speak to you for longer, but I know we have to keep it tight for our podcast. Thank you, Florence, for joining us today.
Florence: Thanks, Sally.
Sally: And thank you everybody for watching and listening and joining us on Let's Talk SoC. It's been a great episode and we'll be back very soon with more.