Hi, good morning everyone. Thanks for being here. As Osman said, my name is Marina Iantorno. I am a Research Analyst at KuppingerCole, and today we will talk about cyber insurance. This is a term that most of us hear a lot lately, especially because cyber threats are on the rise. So in today's agenda we will discuss the cyber threats and how they are evolving, and also the question: is it worth having a cyber insurance policy? What are the minimum requirements for a cyber insurance policy, and how can we use cyber insurance as a strategy for mitigating damage?
So let's first have a picture of what is going on, what the scenario is nowadays. If we look at the figures for 2022, we can see that the landscape of cyber threats is evolving rapidly and that there are more and more sophisticated attacks.
And as the technology to protect companies is progressing, the threats are progressing too and becoming more sophisticated. Ransomware, for example, has been on the rise since the pandemic. And working from anywhere is also something that is pushing or impulsing more attacks, or more cyber threats, let's say.
Because of the use of VPNs, trying to use zero trust, or different kinds of access than people usually had. And it is likely that the traditional models that we had, working from the offices, are not coming back. So it has really changed nowadays.
Also the economic disruptions. This is actually something that is happening: there is a geopolitical crisis and it also increases the interest rates. So there are many, many things that we have to consider in this landscape, in this environment. And something else we can see after the pandemic is the increase in digitalization.
Because if you are not digitalized, you are out of the market nowadays. Let's discuss some facts and figures. For those who know me, I am a statistician, so this is actually the area that I like to point at and look at. If we talk about the breakout time that the attackers actually use, comparing 2021 to 2022, there was a reduction in this average time. In 2021 it was an average of 98 minutes, while in 2022 it was 84 minutes.
There was also an increase in interactive intrusion campaigns in 2022 in comparison to 2021, an increase of 50%.
And it is a lot. And a survey that we performed here at KuppingerCole revealed that 67% of organizations see ransomware as the most threatening cyber attack. But what is happening is that not all cyber insurance policies cover it, because in the event of a ransomware it could actually be incredibly expensive. So these are numbers that we also have to look at. Now the main question is: is it worth having a cyber insurance policy? And the main point here is to look at the fine print of the policies. So what is in the small writing that we can see in this contract?
The first question that we actually have to look at when we see whether it is worth having a cyber insurance policy is: can anyone get a cyber insurance policy? And this is not simple, and here is where we actually have a kind of gray area to distinguish and to see. Okay, perfect, so if I want to have a cyber insurance policy because I want to be covered in the event of a cyber attack, perfect, I can maybe go to an insurance company, but they will tell me: yes, hold on, we are happy to help you, but you need to accomplish some requirements.
For example, the companies must demonstrate security measures in place. So they have to prove that they have preventive measures against cyber attacks.
What happens if the company had a previous data breach incident, for example? This is also a big issue, because it is very likely that this company has to prove that they really improved since that moment, and in many cases they have high chances of not being granted a cyber policy. Regulations: this is something that I would say, since the data protection regulation, we hear all the time.
What happens with compliance, what is happening with that? This is something that organizations don't really see as a benefit; it is like a must. They have to ensure that they are compliant with the regulations regarding the privacy of the users and of the organizations. So if the company for any reason doesn't comply with these laws and regulations, it is very likely that they will not be insured. The incident response plan:
So in the event of a cyber attack, does the organization have a plan in place? What is happening there? Is there intercommunication between the departments?
Do you know how to sort it? And this is something that they have to prove that they have; they have to demonstrate it: okay, yes, we have a plan and this is our plan. Then it is another discussion whether it could be improved or not, but they should have at least something in place. Cybersecurity training: so it is very important that all the employees know what to do
in the case of a cyber threat. And this is something very interesting, I would say. All of us have received a phishing email, or know someone who received a phishing email or a message, for example: okay, your DHL package is somewhere, just click here. You know, these kinds of things, with people who don't really have technical experience, could be a problem. They can receive an email, for example, with the name of someone from the company: download these files because I put them here. They just click and that's it.
So the companies must ensure that the employees know how to act against these threats. And what happens with the industries? Can all the industries get a cyber insurance policy?
Well, sure, but not all of them will have to accomplish the same requirements or show the same security measures. And at the same time, the rates are not the same. So the premium could be higher for companies like healthcare companies, for instance, that have a lot of sensitive information, very, very valuable data.
May I ask a question?
Yes? Yeah, sure.
So behind that is a company that provides the policy, right? Can the insurance company...
Give me just a second, my colleague will bring a microphone, that would be better.
Let's ask the questions at the end of the session for the sake of, yeah, coherency. Yeah. Is it okay with you?
So we can go back to that at the end of the session, because I would really be interested in answering this. Now, to summarize this part: what do we have to do before having a cyber insurance policy?
Well, first of all, there is a risk assessment, okay? So the insurance company puts in place a risk assessment that the other company has to prove: okay, I meet this, I meet this, I meet this requirement, et cetera, et cetera, right? Then having the requirements, or accomplishing the requirements at the beginning, doesn't mean that the company is safe to be insured over time. So we need to actually have monitoring in place.
So controls, checking if everything is going well, if there are some updates, that is something that we have to change, because as technology is changing, the cyber threats are changing as well, and our security plan has to change as well.
And then we need to demonstrate compliance with the industry standards and regulations. So it is not an easy task to actually get there. It sounds like: okay, yes, we need to have a cyber insurance policy. But at the same time, yes, right? But they have to do all of this.
Now most of the companies are already doing this, but what happens, maybe, with the small companies that are just starting and want to be covered? They have to actually walk through all this path. Now the responsibilities are not only on the insured company; the insurance company also has a responsibility here. First of all, not all the policies are the same. So we have different policies, right? Different policies according to different needs, different premiums, different industries, okay?
So that will actually set up the price, and there are some exclusions that will be in our policies as well.
Okay? So it is something that the insured company has to check: okay, what is covered in my policy? Are all the threats that I am concerned about in this policy? And the insurance company has the obligation to provide legal assistance to actually verify, for example, if there was a particular cyber threat in the event of a cyber attack.
And the insured company has the risk of having a claim that is denied because... and here starts, you know, a kind of legal issue. What happens with the terminology? Because this is like a new part, let's say, in the legal world, because not all the terminologies are the same. So we actually need to ensure that the parties that are signing this contract or this commitment, both parts, know what they are talking about. And here is the problem out of that.
So some companies brought another insurance company to trial because they refused to actually pay the claim. One of the very famous cases was the pharmaceutical company. They had a massive loss. There was a cyber attack that started in Ukraine and it was actually spreading across different regions, and it caused a super big damage. Now what happened: they claimed to the cyber insurance company, they went and said, okay, so we want to claim about this one, we want to get our money for these damages, because it was an act of war.
And the insurance company said no, this is not an act of war. How can you prove it? And then they went to court, and this was a trial that ran for many months. And in the end, the main gray area here was that in the US it was not really clear legally: okay, but how can we define an act of war, you know?
And there were a lot of meetings trying to reach agreements, et cetera, et cetera. Long story short, Merck actually won this case against the insurance company and they were paid 1.4 billion US dollars.
But there was not only that case. There was another famous case with the Virginia bank, for example, where the hackers did a big hit, and it was considered one of the most impactful, let's say, cyber attacks in terms of finance and banking. They lost 2.4 million, and when they claimed to the insurance company, the insurance company said no, but we are not covering against this. And then they started this again, and all these problems started because not all the terminology was clear at the moment of signing up for the insurance policy.
So this is what we actually talk about when we say: okay, we need to actually see what is in the fine print. And there are more cases.
So these are just some examples. We know that there are more cases, and this is why, as well, the insurance companies are setting higher standards and they are trying to make sure, because of course the insurance companies want to make money, they don't want to lose it. So it has to be very clear on both parts.
So yes, it is great thinking about having a cyber insurance policy, but there are some limitations that we need to consider. So what happens, for example, with operational disruptions? The insurance company has no obligation to help in restoring the operations. This is not the responsibility of the cyber insurance company, okay? This is the responsibility of the insured. The payments: yes, it is actually good to think that the insurance company will pay or recover some damage, but it is not immediate.
There is an investigation in place. We just mentioned previously that legally they have the obligation to assist and start an investigation and see if this threat belongs to one of the threats that are in the policy.
So it could actually have some delay. And on the other hand, how much is actually covered? Because usually there is a limit. So let's say that there is a ransomware attack and the hackers, the attackers, claim: okay, we want 3 million US dollars. So maybe this is not covered, maybe we cover only one part.
So this is something that could be a limitation as well. And ransomware is not always included in the policy, and this is another big problem. So if it is the threat that the organizations are concerned about the most, what is the point of having the cyber insurance policy if it is not covered? So it will depend from company to company. Now what are the minimum requirements to have a cyber insurance policy, and how can we get started?
Well, there are many minimum requirements, okay?
It is not only just one or two. As we said, there should be cybersecurity training for all the employees. It doesn't matter the position and the role they're in, because anyone who has access, for example, to an email is exposed, okay? Or even a cell phone just receiving an SMS with a link, okay? All the PCs, the laptops, all the devices that are used for the business must have antivirus. The updates, okay?
So if we talk about the critical updates: it has happened many times, and I've seen this, that we have updates, for example, in our browser, Google Chrome, Microsoft Edge, Firefox, and people maybe don't update it. So as long as they don't update it, it is actually easier to get in, to break in. And this is another problem as well. So employees must know that they have to update the systems. The company network must be protected using a firewall.
What happens with the data?
The data also must have a backup, because imagine that if there is a ransomware and part of the data is actually taken, we need to ensure that we still have access to that data. And there is actually a very famous case that happened in 2021 in the HSE in Ireland. So the attackers actually broke into the healthcare system and they took the data for the entire country, not only from one region, the entire country. So the hospitals had to stop the operations for two days.
They were only taking notes on paper, for those that were emergencies, and it actually took a while to recover. So it was a super big deal. And we are talking about the government, so we are not even talking about an organization; we are talking about a massive institution. There must be a penetration test: scanning vulnerabilities, checking if we still have vulnerabilities in the system. The companies must use endpoint protection and intrusion detection.
And super important, this is something that one of our colleagues was talking about in the previous sessions here at the aac, you can see the recordings, about passwordless and multifactor authentication. So there should be different ways to actually identify yourself to get access, especially now, working from anywhere.
So something that I mentioned a little bit before, but it is something that happens, is that maybe the companies accomplish all the requirements, they tick all this list at the moment of signing up, but then over time they fail to comply with these rules or these requirements. And if that happens and there is a cyber attack and they go to the cyber insurance and say, okay, so I want to claim because I suffered this attack, well, it could happen that of course it will actually be denied.
So it is extremely risky if we have all this in place and then we don't monitor, right? So it is something that the companies must ensure as well: having auditors, having controls, knowing exactly how to actually move with this and check that everything is up to date.
Now with all these issues and all these complications, how can we actually use cyber insurance as a strategy to mitigate the damage? What would be the main point here? So we need to think, first of all, recovery plan. All organizations must have a recovery plan.
So they have to demonstrate that they have a solid plan in place. Certifications: there are certifications that some of the insurance companies actually require as a must. And if they don't, it is actually good to have, for example, the ISO certifications. They will ensure the quality of your system, of your security system. Now the higher standards that the cyber insurance policies actually set for the companies are, in the end, helping them, so indirectly they are actually, let's say, forcing organizations to have a solid and robust plan.
So if you have a robust plan in place, it is very unlikely, or let's say less likely, that you will have an attack, and in the end it just ends up being a guidance for the CISOs, because if the cyber insurance companies are setting higher standards and you need to follow monitoring, audits, updates, et cetera, et cetera, then they are actually ensuring that the measures are in place.
Now of course it is not a replacement for an inadequate system, okay? So it is a kind of guidance. So they know what they have to do to ensure that they are covered.
Now the advantages of having a cyber insurance policy are many. So the first one that we can think of is about the financial loss, but it is not only about the money, of course. Some of the policies actually give the chance, let's say, or cover some costs associated with recovery. Not all of them, but some of the plans do. They force organizations to have an effective crisis management in place.
So if they have a plan in place, it improves all the communication between the departments, because if there is any anomaly in one of them, then they know what to do and they just interact with each other. And of course if they can interact with each other and they improve this communication, it is actually most likely to start or restart the operations faster.
Minimize security risk. Well, we are using identity management; we talk a lot about this in our sessions here at the aac.
And the point is, if we have appropriate identity and access management, we ensure that the correct people are accessing the correct data, the correct files. And with this we are actually having more control over who is accessing what, and we protect in that sense the resources of the organization. Ensure compliance: well, if you must have a certification, then you are ensuring that the quality of your cybersecurity plan is actually good, because you need to ensure that you are accomplishing all the requirements that these certifications are asking you for, right?
So this is very well known as quality assurance, let's say. Now, to summarize a little bit: is it worth having a cyber insurance policy? Of course it is. Yes. So I'm not saying that with all this struggle or all these complications it is not worth it.
It is worth it, because here we need to think that we have different policies, different fees, different coverage, okay? So everything is reviewed according to the organization. So of course big enterprises will not have the same requirements as a small company.
Now the point is that if there is a higher standard that the cyber insurance policies are setting, all of them must meet this requirement up to a certain extent. The companies must demonstrate that they have a strong cybersecurity plan. So if they must show it, they must ensure it. So of course it is actually, as I said before, a way for the CISOs; they need to be up to date.
The constant monitoring of the cybersecurity plan, for example, is another thing that is very important. We will have a session later about using artificial intelligence in cybersecurity.
Well, this is one of the topics that will be discussed, and it is actually something that is happening now. Artificial intelligence can actually help the companies as well, and many enterprises are using it. Why? Because it actually helps to detect anomalies earlier. And if there are plans that are set up, let's say, and up to date and monitored, because of course we need the humans as well to monitor that everything is going well, then we minimize the risk of a threat.
The cyber insurance policy as well ensures compliance, because we will give the correct access to the correct people.
And this is something that is very important when I talk, for example, about databases and the access that people have to different tables, et cetera, et cetera. I've been asked many times, especially by students: so what happens, for example, if I provide access to a person and the person leaves the company? If you don't remove the access, well, then you are in a problem. So this is why, as well, the monitors are actually very important, let's say very crucial, very essential.
And having a cyber insurance policy mitigates financial loss, even partially, you know, it could be partially, or against different threats, and it also assists in creating a stronger cybersecurity system. Well, this would be all from my end. There was a question in the audience that I'm happy to answer. Thank you so much for listening.
Thank you for the presentation.
Great one, thanks. So there are so many requirements for the companies, the IT organizations, to prove this, prove that. What about the insurers themselves? So I give them a lot of money, can they provide me the assurance? I mean, every month I see an insurance company attacked. What about that part? Can they commit to this part for me?
That's true. Yes, yes, yes, that's true. Let me go back, because I know where we were in the slides. So we were here, right, with all the points, let's say, that we have to accomplish.
So here there is a point that we need to consider. It is true that we have to actually prove: okay, so I accomplished these minimal requirements, this, this and that. And what happens with the cyber insurance company? Well, they should also have it. Now the main issue is that the cyber insurance companies also have very sensitive data. So that's why they are, you know, a high target for the hackers.
My data is there.
Yeah, exactly. Not only yours, I mean your data, the enterprises'. Something that happened to me personally, this is my personal experience: I was working in a company and after two years I left.
So imagine, I forgot about the company and everything, I was doing my life. Yes. Then HR called me and told me: hi Marina, we are calling you from this company. Okay, yes.
Well, so we had a problem. We have here a data breach; there was a malware that just broke into the system and they took information of all our previous employees, including you, so you're affected. And I said, okay, what should I do?
They said, well, we informed the police, but in case you receive something or there is some transaction, you know, in your name... So imagine my situation as a civilian. And yes, so this is actually a very big issue as well. I would say that they must also be up to date. Maybe, you know, they have this system outsourced, of course. So every company will have a different cybersecurity system. I'm not the one who can actually speak for this, but this is actually a very good point.
So I believe that they should actually accomplish exactly the same minimum requirements that they require from the rest. But there is nothing that we can actually do about it.
We have an issue here. Maybe it's getting a bit interesting with you.
Yes, thank you. So first of all, yeah, Mihail from If Insurance, and so we are here, that's to answer your question.
But when you flip it around, you can easily understand the viewpoint, the angle of insurers, because insurance covers the loss. That's, like, the fundamental thing.
So the loss for the risk which has previously been understood and clearly stated there in the policy. And in order for us to understand the risk... so insurers do not sign a risk which they don't understand. Therefore they must also have expertise within the company to insure that kind of risk. So they need surveys to go and say: okay guys, what do we have? Because we need to understand what's there. And every company is unique in how they're exposed to different risks, because companies are unique. Okay?
Excuse me, Mihail, this is something that we covered at the beginning, when we said every company is different, there are different needs.
Absolutely different. We need to understand positively...
Yeah.
...how we are exposed to the risk, because we are taking those risks to us, to the company. But that's therefore, it's like overall it increases the level of security, because you are needed to show us how exposed you are to risks. But anyway, that's the easy part. The hard part, which she also has touched upon: when it's a claim, first of all, in cyberspace, how do you prove that the claim, the event, has actually happened sometimes? Well...
This is actually something that, you know, we talked about here.
So yes, there are some legal terms, you know, or technical terms, at this, you know, in the legal... when
you break something, obviously it's broken, it's like damaged. But here, an even more complicated question: how much loss did happen? How much does this information cost which you've lost, or which has been leaked?
And it's a very hard space, and I believe we don't do any cybersecurity, but that's how insurance works, and I'm still, like, it feels like it's a very, like, area which is not established yet. That's the point.
Thank you. Thank you for your comments, Mihail. The last question, one last quick question, please.
Yes, you'll be fine.
Do the policies cover third parties? Because, for example, a third party works in a physical way on a building or something, and then they somehow got access. This is an example like with Target: they got targeted in their point of sale system. So do the policies cover who caused the damages, or can you ask that the third parties have cybersecurity protection?
It will actually depend on your policy, because, as we mentioned, every policy is different.
So according to the business that you are managing, for example, if you are handling information of third parties, let's say Meta, they handle information of many third parties, like all of us, we actually give them the information. So it would depend very, very much on the company and the policy that they're given. So there is nothing like established or standard. Thank you so much for your question, for everything. Thanks a lot.
Thank you, Marina. Yeah.