So maybe you want to start with a little introduction on what you are doing and where you work. Yes, thank you. I can start. My name... I'm working in the Cyber and Privacy division of PwC, and we have huge expertise in identity and access management and, yeah, also in cyber risk topics.
And yeah, happy to share my experiences here. I'm Stephen, I work as head of IT infrastructure and security for Frankfurter Volksbank, which is a regionally operating cooperative bank in Germany. Actually the second largest one.
We have 1,500 employees and I am kind of representing the customer side in the cyber insurance space here. And my name is Ho Ho and I'm a seasoned consultant. In the past I was with many different other companies, like for example Price Waterhouse and KuppingerCole, and did much consultancy for insurance companies in the past. And currently I'm mostly occupied with identity and access. Thank you. Perfect. Thank you so much for your presentation.
Well, so we started this morning talking about the minimum requirements that companies must prove in order to get that cyber insurance. What happened with the enterprises? So is it the same, what are the requirements that they have to accomplish in order to get the cyber insurance, and is it hard to get, how do you reach there? I can definitely confirm what the speaker said before, that only doing risk transfer, yeah, without introducing good cybersecurity, is not an option anymore.
Yeah, it's totally different. Yeah. 'Cause the insurers, they recognize that, yeah, ransomware attacks rise everywhere. Yeah. And it's much more expensive for insurance companies to mitigate that risk. Yeah. And now we see the criteria to get paid, yeah, in case of a ransomware attack, yeah, are nearly impossible, meaning a hundred percent MFA for all users. Which company can fulfill this requirement? Yeah. I think nobody, yeah, that's my opinion. Yeah.
If I'm just jumping in here. At least we can't right now, and we can't even, like, secure all the interactive accesses by MFA because our IT service provider just doesn't offer it. So we have a cyber insurance policy and they of course did an exclusion on the policy. So if we get hit by an attack that comes through this vector, they won't pay us anything, and it still costs a quarter million euros per year. And I strongly opted for not signing the contract, but nobody would listen to me here. Yes.
Well, it is not only the financial losses, it's also, you know, the operational disruptions that we were talking about before. And here comes another question: when we say, okay, we need to have these minimum requirements, for example the multifactor authentication, and you said, okay, we cannot do this for all our employees, what can companies actually accomplish?
So what would be, you know, the requirements that they can actually accomplish in order to get it? So it's about, for most of the companies, protecting their crown jewels, not the canteen and everything, but the real assets.
And so, but to recognize this and to narrow this in, you first have to start with a proper risk assessment. So it all boils down to risk management, operational risk management. And once you have your risk appetite defined and the measures implemented, then you can carve out that area where risk transfer would make sense. It could turn out that it doesn't make sense.
Yes, yes. Well, actually that could be, like, the biggest problem, I could say. That's why I ask about something realistic. Let's say something that could be done by the companies. Now, do you think that the industries are more vulnerable nowadays? All the industries? Is there any particular industry that is more vulnerable against cyber threats?
I can only talk about the financial industry. Of course, we are a bank and we are highly regulated. So we have all those processes already in place for quite some time. So we are ISO 27k certified. We have the regulatory requirements that have to be fulfilled, that are being audited on a regular basis. And we are doing quite a lot of stuff. What's the actual problem with the cyber insurance thing here is that the assessment of your level of resilience and your risk exposure is just, like, every year being measured by a simple questionnaire.
And I think this just doesn't fit the needs and the requirements. Of course, if you say, okay, you have to have 100% MFA, and you say, okay, I have MFA here and here, I don't have it here, but I have compensating controls, at least we, with our insurance company, don't get the opportunity to discuss these topics. It's either you have it or you don't. And I think that is something that definitely has to change, also from the insurance companies' perspective and from the insurance brokers' perspective as well.
I can confirm your observation, because the financial industry has been highly regulated for years. Yeah. With risk. Yeah.
F B I T, all these regulations, they have a huge amount of access control requirements in there. So therefore the financial industry is quite ahead with regards to maturity, because I think, or we know, that a lot of ransomware attacks, cyber attacks, involve credential theft, yeah, or are caused by credential theft.
So, and therefore protecting identities and credentials is, yeah, very, very important. And we have in other industries a lot of credentials, if I think about energy OT. Yeah. And this is a high risk, because these credentials are very often not secured. Yeah. And proper controls are not in place for personalized identities and accounts. Yes. We see it in the healthcare industry and other industries. Overall, the maturity is getting better and better. Yeah.
But OT is, from our perspective, a weak point. But in general, you can say the further you get on the path of digital transformation, the more vulnerability you will show, in principle. So you have to mitigate all these risks that open up on this path. Absolutely.
And actually, well, nowadays, as we mentioned before, digitalization is a must. And once you are, you know, online, you are already exposed. So then here comes another question. If we talk about the documentation that is required, for example, let's say in the case of a cyber attack, and the company needs to actually go and make a claim with the cyber insurance company, what is the documentation that enterprises should actually show? Or how can you prove that this is a particular attack that is in the policy?
Well, that's a very good question. In that case, I actually am not able to tell you how it would work at our company, because in the whole process I'm only involved in filling out this questionnaire and the rest has been... Yeah, yeah. But it's true. That's the sad reality. Yeah.
And the rest is being dealt with by our internal insurance department with the external insurance broker, who then deals with the insurance company itself, and on the whole track there is no interaction with any technical people or any process people or something alike.
And yeah, you don't get any assistance or guidance on that pathway. So in our case, I would say it's, yeah, it's kind of a miracle then would be, and yeah, I think this is exactly the point. And there's some task missing by the insurance companies. They should come up with an audit; they need not do it themselves, however it should happen. So it might be by some auditor or someone else, so that we have a baseline that we can trust. And it's not just filling out... Yeah, yeah, exactly.
It's not only about the quality of your technical measures, it's also about the maturity of the processes that you've built around it. Yeah. Yeah. We get more and more involved in these risk assessments, especially for cyber, and we also assist clients in selecting policies, but the approach is always to start with the risk assessment. Know your risk. Yeah. Quantification of the risk and then introduction of appropriate controls. Yeah. Appropriate means for the higher risk, for the more, yeah,
let me say critical enterprise data and applications, it's another risk appetite, yeah, than for, yeah,
for others. And this is an appropriate risk assessment, and for things that are possible to insure... Yeah. Then there's 20, 30% that you can cover with the cyber risk insurance, but everything else you have to cover with your own controls, in line with the results of the risk assessment. Yeah. Yes. And I would advocate for this being a standard procedure before closing. Yeah. You have me on your side too. Yeah.
So you mentioned the risk assessment, and here we actually have a question from the audience online: Is there a common approach among the insurance companies for this risk assessment in enterprises? So again, in my case it's just this questionnaire. I think this is not a valid approach to a risk assessment. Right. So obviously not. Yeah. Because, like, I believe that it would depend as well, you know, on the different policies. Well, maybe other insurance companies are dealing with that in a different way.
I can only speak for the one we use. I can help. Well, because the way risk assessments can be performed is standardized. Yeah. Standardized in Germany, by the BSI. Yeah. And for some risks it's good by the baseline; this needs to be enriched, yeah, and adapted to the certain industries. And this is what audit firms do. Yeah. Because we close the gap in these questionnaires. Yeah. Because we do risk assessments not just for insurance policies. Yeah. That's more or less something you can use it for.
But the first approach for risk assessment is to find proper measures. And sometimes you can mitigate it with a risk transfer, but that's not the first idea. Yeah. So you can say that this risk assessment that you actually have in place actually helps the cybersecurity plan and indirectly is going, you know, to help to get the cyber insurance policy. So we say exactly: a prerequisite is a proper ISMS process in place. Yeah. That's from my perspective one of the essential prerequisites. Yeah. Long before technology. Yeah.
Technology is something you can introduce to automate protection of accounts. Yeah. But first thinking about technology, hey, let's buy a PAM solution, yeah, and then let's think about the process and the risk appetite, that's from our perspective not a good idea. The thing is,
of course we have risk assessment processes in place. We are a bank, in classical financial risks as well as operational risks. And of course there are outcomes of these processes, right?
So we have proof, we have evidence of what we do and how we do it. But the only question I get from the cyber insurance companies: do you have a risk assessment in place? Yes or no? So they won't take the outcomes or the maturity level or your own assessment of your risk exposure into consideration when constructing the policy. They just care about: do you do risk assessment or do you not do risk assessment, and they don't care for the outcomes. Actually, that might probably come later once the damage is... Is there. Totally, yes.
That's definitely too late. Yes.
Well, and as a final question from my end before going to the audience, because you were mentioning the questionnaire: what are the factors that enterprises should actually consider to minimize the risk of denial?
So what are the factors that you should include in these questionnaires? Like, just to ensure that you're accomplishing it. Well, I can just give some bullets from the actual questionnaire. Absolutely. So, from our questionnaire, you have to have, at least for all remote accesses, you have to have MFA in place, you have to patch frequently.
They ask kind of stupid questions. Like, yeah, I mean, you have a technical vulnerability with a CVSS greater than nine, and do you patch that in under three days? This is completely out of context. Yeah. Do you have network segmentation? Do you have firewalls in place? Do you have malware protection? Do you have network detection? The usual technical things, I mean, like, construct a prompt and throw it against ChatGPT and you will get the bullet list back. Yeah.
I would recommend one of the first questions should be: do you have a risk management process in place? Yeah. So that's not technical measures; that comes later.
Yeah, sure. MFA is one of the best things you can do, but a risk management process is mandatory. Yeah. So this is the first question that should be in the list. Yeah.
Hey, course. Would you like to add anything else?
Yeah, of course. It starts with the risk assessment, risk management process in place, and okay. And then it boils down to the policies: you have to have expressed the findings in corporate policies, implement them, and then everything comes into place that is discussed here, all the technology, MFA and identity management and so on. But it should be followed up by awareness and training. So this is the human factor again that comes into play. And this shouldn't be forgotten. Absolutely. We are technicians here, but it's the human side that sometimes makes the difference. Yes.
But not all the employees are. So then, you know, this is actually very important. Is there any question in the audience?
No, here in the room. Okay. The last thing that I will ask from you is just, you know, a sentence, a line of what the audience should get out of this discussion. Maybe some recommendations, some advice, or the most important bullet points that they should get after the discussion. I think the most important is to strengthen your own resilience in the corporation and only look for the residual risks that could be transferred. And this is eligible to transfer, not thinking of cybersecurity in the first place.
And there's something you should keep in mind, and this is related to resilience: the unknown unknowns which might happen. So threats that we still don't know, vulnerabilities that didn't show up so far, and they by nature cannot be insured. They will not be covered in the insurance. So your own resilience is the major point here. Something else that you would like to add? I think I don't have anything to add here.
That's pretty much it. Yeah. It was very comprehensive.
Yeah, I can confirm that. And yeah, really, introduction of a proper risk management process, that's important. Yeah. Great. Thank you so much for this; please, applause for this panel. Thanks for having us. Great insights. Thank you so much.