Joseph Carson:
Hello everyone. Welcome back to another episode of 401 Access Denied. I'm your host for today, Joseph Carson. I'm the Chief Security Scientist and Advisory CISO at Thycotic. It's a pleasure to be here with you today and we've got another important topic which many organizations really need to consider to look at the current strategy and current plans that they have for cyber insurance. So today I've got joined with me is Ann and Kevin. Ann, let's start with yourself and if you can give us a little introduction about what you do and what's the offerings and what your organization does.
Ann Irvine:
Sure. Yeah. I'm Ann Irvine. I'm Chief Data Scientist at Resilience Insurance. We are what's called an MGA. We're sort of most of the function of an insurance carrier. We sell cyber insurance policies to our policyholders. We do all of the underwriting, the pricing, the claims handling, the servicing during the policy period. Everything except hold the actual risk. The financial risks. We partner with insurance carriers to hold the risk. So as Chief Data Scientist, I work on modeling cyber risk. Really helping our underwriters evaluate the security of companies that have applied for insurance policies and also help our security team think about how to service customers once they've bought a policy.
Joseph Carson:
Awesome. And Kevin?
Kevin McGowan:
Yeah. Thanks. I'm Kevin McGowan. I'm a vice president on our underwriting team. I sit in Chicago. I help lead our strategy on the underwriting side. Work very closely with Ann and her team as well as our security team. And yeah, really just ... I'm an insurance industry veteran so came over here to Resilience, which Ann said we are an MGA and a bit different than a traditional insurance company and so working together with data science and security and then with insurance folks like myself to bring together a holistic insurance plus security offering for the cyber market.
Joseph Carson:
Awesome. For many years I've been, kind of more from side is just looking the outside inwards into this insurance industry and I've seen it from the days where I think it was Target had a cyber captive and we all looked at how the cyber captives work and how it was able to provide some financial support. Because I think at the time, five, six years ago, even a bit longer, it was all, I'd say, on tangible assets. It was the cost of the hardware but not so much the data and then data got a lot more valuable and the actual tangible costs of data became much more visible. So cyber insurance, of course, had to evolve over the years. I think even I worked quite a bit in that time where the insurance for cyber attacks was actually under the terrorism part of the insurance. So for a lot of the time they weren't even covered if they became a victim of a cyber attack because it was considered terrorism.
Joseph Carson:
So one of the things ... How have we evolved today? What's the current state of the cyber insurance industry, especially now considering that data is becoming an important aspect of the value of organizations? What's the current stance and is more organizations choosing the cyber insurance path today? I think I'll pass it on to Kevin.
Kevin McGowan:
Yeah. Sure. This is Kevin. I can take a crack at that one. Sure. The state of the cyber insurance market is a bit in flux right now, to be candid. I will say, it has come a really long way over the past, really, decade. Cyber insurance, as you alluded to, it's been around in some way, shape, or form for 20 years or so. Really more around in earnest in the last 10 with a lot of true purchasing and take up of standalone cyber insurance for organizations of all sizes. So as you mentioned, data became more valuable and a much bigger part of a company's balance sheet in a way and companies realized there was a need for this type of insurance and so over a long set of years the product evolved. And initially, you had coverage for essentially business interruption, meaning you relied on your website and it got hit with a DDoS attack. Website went down and you couldn't do business. Maybe there was a loss there. It didn't happen a lot but that was the idea. Then you evolved into what cyber insurance for a long time was most well known for and associated with which was data breaches.
Kevin McGowan:
You mentioned Target earlier. So think back to 2013, 2014. Big retailers like Target and Home Depot and some others had widely known, very public, large data breaches. So cyber insurance was responding to that and a variety of costs associated with that from both a first and third party perspective. And then of course, fast forwarding to today, I'm surprised it took us more than 30 seconds to mention ransomware, which is really the topic of the day in the cyber insurance market. In short, cyber insurance does cover many costs associated with ransomware. And as you can imagine, that is really the biggest concern for insurers right now and I mentioned the market being in flux, and by that I mean, in insurance lingo, the cyber insurance market is very hard right now, meaning rates continue to go up significantly, coverage is being pulled back in certain areas. So there is a lot of volatility right now because insurers are taking significant losses associated with ransomware. So at a high level, that's a primer, I would say, on the current state of affairs.
Joseph Carson:
Okay. Yeah. We have seen in the past year ransomware evolve significantly where it's more of a service and you've got organized crime which actually have made businesses out of. They consider it as a entrepreneurial business. And it no longer is just about disrupting the service but it's also a data exfiltration where it's actually taking the data out and threatening to disclose it. And hitting service providers which ends up it's not just one company, you end up with many companies all of a sudden. You look at the recent Kaseya. You have 1,000 companies all of a sudden just become a victim of ransomware. Not just one. So then I guess that accelerates the claims from multiple companies and they all have to take it on their own decision, rather they decide to deal with it and so forth. I guess that's having a major impact on the industry when you've got those types of, let's say, supply chain significant impacts. Correct?
Ann Irvine:
Yeah. The week after July 4th, just a few weeks ago, was pretty rough on a lot of insurance carriers. Most of the companies that were hit were relatively small businesses, but a lot of them did have cyber policies and there were a lot of claims. A lot of activity in the market for sure.
Joseph Carson:
Yep. And it went in combination. We had so much at the same time. Not only did we have the influx of major supply chain and ransomware cases but we also had to deal with Print Nightmare which opened the doors to many organizations to allow attackers in to deploy ransomware. So there was many things that all of a sudden was just a domino effect that attackers were waiting for that door to be opened. This major vulnerability comes out, they have that door, and now they can gain access easily and deploy malicious ransomware.
Joseph Carson:
So Ann, I've got a question for you in regards to what your role is and data analysts and, you mentioned earlier, risk. I have a question. This is something we've been doing in the industry for a long time is trying to determine the risk side of things. Because unfortunately in security, sometimes we find it very difficult to measure risk and analyze risk. So I'm just kind of curious into is the insurance industry actually bringing new ideas or new ways of trying to measure risk into the industry? Because it's definitely something we need to improve on to understand about what is the risk and how do we minimize that and ultimately, what coverage do we need? So can you give us some of the methodologies and approaches there?
Ann Irvine:
Yeah. First, sort of at a high level, what I love about working in the insurance business ... And I can say I'm not sure I fully expected this when I joined the company three years ago but I really think it's sort of played out to be true. Is that our incentives to truly, in an unbiased way, in a very scientific way, understand and measure risk correctly and accurately are very much there in a way that they're ... Previously I was working at a cybersecurity product company and we wanted to exaggerate the risks that we claimed we were solving for. And it's very hard to ... In the wild cybersecurity product marketplace that's out there these days, it's very hard to know what solutions are solving what problems and how big are those problems and how do we hold these vendors accountable for the things that they say they're fixing or preventing from happening. It's just very hard to quantitatively understand risk in that context. So what I love about the space that we're working in is our incentives are to be rigorous and take genuinely the most unbiased perspective on measuring organizational risk and help companies to understand their own risk and help them to improve their security posture in the most cost effective way.
Ann Irvine:
So the business level incentives that we have to do good data science, I just love. I think that's rare to find as a data scientist to feel like the business motivations behind the work are true and genuine and really trying to solve a problem in the best way possible. So I like working in this space. What do the methods look like? They look pretty different from standard insurance actuarial science. So in other lines of business, of course, the threat landscape changes much more slowly. So I think property insuring actuaries would say that the landscape of floods and hurricanes and so forth is changing. There's climate change and those risks are changing a little bit over time but it's nothing like the speed of change that we're seeing in the cybersecurity space. And it's a relatively new line of business. There's just less of a history of incidents to learn from from an actuarial perspective. So the methods necessarily are a little bit different and I think look more like data science and exploratory data analysis. Cybersecurity first. We use a lot of security experts to drive the way we think about our models more so than traditional actuarial modeling just because the actuarial data is not there in this market.
Ann Irvine:
So we take a domain expert driven modeling approach which allows us to keep in mind how the threat landscape is really changing really rapidly and allows us to incorporate the latest understanding of what threats are where and how frequent they are and how severe they are.
Joseph Carson:
I think that's a good point. Because one of the things I think in recent years has become much ... I think looking at trends in historical data, a lot of the problems were just most organizations didn't want it to be public. They swept it under the door and we didn't hear about it. And probably for many data breaches over the years we probably still haven't heard of half of them. And I think really regulations and governments are now forcing to disclose at least the victims because it's not just the organizations that's victims but it's also their customers and partners and employees that are also victims. So it's all part of that transparency side. And I think hopefully that is providing much more information into the insurance industry to get some more visibility and more data that you can actually do those analytics and understand about what's the threats. And one of the things, I look at a lot of different reports that tries to do that, such as the Verizon Data Breach Investigations Report or the Ponemon Report to really understand about what is the trends, what's the threats, what's the impact, and then try to do it that way.
Joseph Carson:
So can I get an idea? Let's say I'm a company coming to you and trying to understand about what types of questionnaires or conversations would we have in order for you to identify the risks? And let's say, if you were to do an underwriting or a policy for me, what types of things would you be looking for? What types of questions would you be asking me?
Ann Irvine:
You want to start that one Kevin?
Kevin McGowan:
Yeah. Sure. It's a good question and it's a process that has evolved a lot over time. And really, the function of Ann and her team for us at Resilience are an example of how it's evolved because if you're a middle market sized company, so a fairly large organization, potentially seeking cyber insurance as you said, you'd have a conversation with your insurance broker, talk about the risks, determine what type of cover you may need, and then the broker and yourself together would go out to the markets of which Resilience is one and seek options. Quotes for cyber insurance. And historically, you might fill out a couple fairly simple, true, just paper insurance applications with questions starting at a high level saying, okay, what is your business, what do you do, what are your operations, how large are you from a revenue standpoint. And then you might get into some questions around basic security hygiene. And then lastly, perhaps a section around well, have you had any cyber insurance claims or losses previously? And that was about it.
Kevin McGowan:
Today, that process still exists. Now, with the market hardening, as I mentioned, as a result of losses, as you can imagine insurers are pretty desperately seeking more information, more data to try and come up with the right answers, the right rates. And if you think about everything Ann described that she's working on and trying to pull in more data to the process. So now there are applications, as I mentioned, but they have evolved a lot in terms of the scope, the detail, the questions being asked. Right now in particular, there are a lot of additional specific supplemental applications tailored specifically to ransomware and they're following the MITRE attack framework and they're following kill chains in terms of the questions that are being asked. So there's a lot more security influence now. And then, especially at a place like Resilience, you're going to partner with a data science team, a security team to collect additional data from a variety of sources.
Kevin McGowan:
And then lastly I would add, sometimes with you as the prospective insured organization, you're often going to now get followup questions and so we often are having underwriting meetings and/or calls with several underwriters like myself on the line to ask a variety of questions and have a bit more of a true conversation. Because it's interesting, the whole art versus science concept. And the reality on the underwriting side is it's a blend of both. So we're trying to get as much detail as we can, but if you think about it, the more we can truly interact, have a discussion, you can start to pick up on some of the qualitative items too like culture of risk management at the organization. How overall committed to security are they? What does that dialog look like? And then the last piece I'd add is just I think insurers right now are also taking a view on does the organization that's seeking insurance ... Do they want to partner with their insurer? Because now you're seeing with cyber insurance in particular there's a lot more being offered and that needs to be offered beyond just the financial transaction of the risk transfer, if something bad happens you'll get a check. So trying to seek out that partnership I would say is kind of the last part of the process right now.
Joseph Carson:
Sounds like there's a lot of people involved. So two questions I've got related to this. What size is the team that needs to support, one, as you know from the underwriting to the security team to even legal side of things. And how do you make sure ... It sounds also that it's not a one size fits all. It sounds like almost every single one is almost unique and custom. So how big is the team in the background that does all of this? And second part is can you get to a point where it's one package for different organizations versus having it such that potentially every organization's unique? You end up with big inconsistencies I guess.
Ann Irvine:
Yeah. That is definitely one challenge. Resilience is a relatively small MGA and we have 12 or 15 underwriters. Something like that now, Kevin. So one challenge is certainly making sure that we keep our standards and approach consistent across this relatively large underwriting team, really a sales team. And that's truly where my team comes in in trying to standardize a lot of the information that they have access to. So we collect a bunch of security data. Again, driven by our security experts who tell us what's important and how to think about that data. We try to present it to underwriters through a single pane of glass so that they're all starting their investigations from the same place. So we present as much of that information in a consolidated view. We provide them with actually some language that they can use in some of these conversations with customers just to streamline their efforts a little more. We try to do as much of the science part of underwriting in an automated fashion and keep that part of it consistent. But there's absolutely an art in using that and interacting with customers on top of that.
Ann Irvine:
But I know the underwriting team, at least at Resilience, is in constant conversation and they meet all of the time and review each other's accounts and talk about how they're approaching different things and keep my team posted on what would be helpful to streamline their efforts and make them more efficient as well.
Joseph Carson:
Is that also considering things like automation, a lot of it, where possible? Because the one thing ... That's what I do in my job. We want to spend the time doing the things we enjoy doing and the things we don't enjoy doing we look at well, how can I automate that? How can I put in a script and make it more predictable? Is that something-
Ann Irvine:
Yeah. Totally. And this is sort of a funny ... I think there's a lot of fear out there in the world at large that AI and data science and all of these things are going to replace humans. Loss of human jobs. And that's certainly true for a lot of jobs that are fully automatable. I don't think underwriting in the market where we are underwriting, which are fairly large companies, we don't want to fully automate that. These companies are complex. They have their own specific issues. Like Kevin said, there's a lot of qualitative culture considerations that truly only a human can really evaluate at this point. So we're trying to take that automation as far as we can and then save the very valuable human underwriting time for focusing on the human elements that can't be automated.
Joseph Carson:
I agree. When we talk a lot about AI and say ... Really what I look at as AI is all about advanced automation. So doing things much more with multiple sources, much more advanced. And absolutely a lot of jobs will be automated. It just means that ... We have to break in into reality. It's about allowing us to do the more things we enjoy doing. You automate as much of the mundane tasks as possible.
Joseph Carson:
And that gets me ... One of the next theory is that I'm interested is that I do a lot of incident response and digital forensics. And every time I go into a incident ... You're looking either a security incident, you've got unauthorized access. You either have something like a service availability scenario or you've got basically confidential exposure where data's been stolen. And not all incidents are equal. So how do you deal with the many different types of cyber incidents and the variations that's out there? Because sometimes you're dealing with nation states, sometimes you're dealing with organized crime, sometimes you're dealing with a script kiddie. And not all incidents are equal. From you get a unauthorized access to a ransomware case. Ransomware of course basically can take multiple aspects of those. It's unauthorized access, it's data loss, it's basically service down. So you might have multiple components to deal with. How do you deal with, from an insurance perspective, all those many different ... I mean, in the security world, there's so many. There's cloud, there's on premise, there's multinational, there's different types of data, different types of regulation. So how do you deal with all of those different types of incidents and what would be the way to do underwriting for those?
Ann Irvine:
I'll take that first and Kevin probably has thoughts to add as well but from my perspective, what I want out of us handling those incidents is to treat them as data points that we can use to learn from and improve our models moving forward. And as I said before, the landscape of cyber security and these types of incidents is changing very quickly. So the analytic models that we're using are pretty expert driven. It's not the case that we have some fully supervised training dataset where we have things labeled as one and zero and we're predicting this happened or this didn't happen based on a simple feature set. It's not a clean classification or prediction problem by any extent. So things are changing quickly over time, and like you said, the types of incidents that we see are just very, very different. So we have categorized these things into the most common types of attacks. We do attempt to bucket them and then predict the probability of those higher level types of incidents occurring. But Resilience is fairly new. We've just started to collect our own claims and this is sort of an ongoing conversation, what is the data that we want to collect and have available in a structured way for us to learn from from a modeling perspective moving forward.
Ann Irvine:
And I like your description because my line that I'm always pitching over to our claims team is structured data is great, whatever you can categorize and label in terms of attack vector and type of incident is great, but I also want a few paragraphs that just describe what happened in as much detail as you have access to because I don't know yet what all of those features are that I want to learn from moving forward. And things are changing quickly and I want to make sure we have that full description. I don't think we're in a place right now where we can fully structure and fully categorize these incidents. So yeah, we're still treating our modeling as ... We said art versus science earlier from an underwriting perspective but also from a modeling perspective. It's very much an art right now as much as it is a science.
Joseph Carson:
Absolutely.
Kevin McGowan:
Yeah. I think this really useful-
Joseph Carson:
Kevin, did you want to add something?
Kevin McGowan:
Yes. I was going to say this is a really useful topic. And Ann just mentioned wanting that paragraph of information which isn't necessarily as easy to structure and analyze. But it's a good point because I can say on the underwriting side, you talked about all the different types of losses and threats and risks that are out there and right now there are more of them in simple terms and insurers are having more losses. So every day underwriters are looking at opportunities and more of them are coming off of a recent loss. And for that underwriter, whether or not they were involved with the prior loss, they're trying to learn, they're trying to ask questions and get as much of a narrative as possible, which is going to be in long form, whether written or shared verbally. Meaning, okay, you had an incident, ransomware or otherwise. How did this occur? What was the initial threat vector? Was it a phishing email? Was it open RDP? Was it lack of multifactor authentication? Trying to understand that narrative. Trying to understand certainly the financial impact. And then the last piece of, okay, well now, what are you doing differently? What security measures have you implemented or rolled out to prevent that from happening again?
Kevin McGowan:
That's a fairly basic concept from an underwriting standpoint but that is a lot of what's happening right now. And I think the other thing I would add is in your description, Joe, you talked about the different components of loss associated with unauthorized access or ransomware and I think, if nothing else, while it's been a bit of a struggle in the last year or two for insurers, it's actually a testament to the efficacy and the value of the product, that being cyber insurance, and the way it's evolved. Because that scenario you described of the different components of loss, there are parts of an insurance policy that are all being hit. So the policy is and was well designed. Meaning you have your upfront investigation cost. Okay, we have to bring in a law firm, we have to bring in a forensics firm. You mentioned DFIR. Then there might be a ransom payment. There might be regulatory inquiries. There might be downtime. Business interruption. There might be an actual ransom payment. And all those different things that I just described and more generally comprise different parts of a cyber insurance policy.
Kevin McGowan:
So I think taking it forward, what the market and what carriers are trying to figure out is exactly what we've been talking about. So how do we model those perils and those threats and how do we ask the right questions to best determine and predict ... Thinking about it from a data science perspective. And predict, okay, this company does not have security control X and that makes them this percent more likely to have this type of loss. Because, again, as they're currently constituted, for better or worse, the insurance policies are quite broad in nature in terms of they're not necessarily specifying we'll cover this type of hack or this type of loss but not the other one. The triggers that are there are fairly all encompassing when it comes to security breaches and data breaches.
Joseph Carson:
When I think about it, I always look for a comparison when I look at things and try to understand. And sometimes I use metaphors. And when I think about when you look at just even simple car insurance, when an accident or a claim happens, it's very specific. Either the driver drove into something or the car was parked and somebody hit them or all of a sudden there was this mystical scratch or dent that appeared or that it was broken into and something was taken out of it. It's always very specific. When we look at cyber side of things, when an incident happens, it's almost everything. All of those different options all hit at once. And I go through ... I'll just give you some of the things that goes through my mind when I get involved into an incident itself. When I think about going in and you're already dealing with an active security incident. The things that goes through my mind is did they have access to what main controllers or did they have access to what accounts? What systems does that mean that they have access to? You get into what type of data does that mean?
Joseph Carson:
They have access to these different systems. What applications are running on those machines? Is it proprietary? Is there source code? You get into is it personal information? Then you get into was it on premise? Was it the company's own systems or was it the cloud environment? Then you think about well, how long has this been going on for? Has it been going on for a month? A day? Is it three months? In a lot of cases what you end up finding is that the access has been there for maybe eight months or more but the actually active hands on keyboard attack has only been maybe four weeks or six weeks old. And it might even be multiple actors you're dealing with. You end up looking into what types of tools and techniques did they use? You're looking have they left backdoors so they can return or sell it off to other criminals to come back later? Then you think about well, have they stolen data? You start looking at your internet bandwidth and seeing did all of a sudden you have massive spike in data that exited the organization. And unfortunately, sometimes organizations are only looking at data coming in, not necessarily data going out. And this becomes a challenge.
Joseph Carson:
Then you don't know what data because they're doing maybe deep packet inspection coming in so they have a better understanding of what data's been downloaded but very little on information other than the size of data that's going out. Then you think about the entire timeline because a lot of the attacks, they clean up their evidence. They clear the logs and you end up with very little information to go by. And sometimes even I've went to the point where I'm looking at this server had the event logs cleared at this time and this other server had the event logs cleared about two minutes earlier. And this other server had it maybe a few minutes earlier. And you start looking and you're looking for breadcrumbs that allows you to put the ... It's like a jigsaw puzzle. You're putting the different pieces together to try and find out how they relate. And also what evidence is remaining.
Joseph Carson:
So all of those gets me into ... It's not just dealing with very specific cyber attacks. Usually involve many techniques. And also gets into then who's accountable? How do you get into the accountability side? Because if you go back to my metaphor, you'll either have it's the driver or the third party driver or you'll have somebody who broke in and you'll have the specific accountability. Did they park in the right place? Were they parked somewhere legally? In cyber, there's so many software, there's so many solutions, there's so many components being used. How do you get down to also accountability? How do you find out ... They might be using 10 different vendors and one vendor was maybe used in order to gain access. Another vendor was used in order to move laterally. Another vendor was used in order to take the data out. So for me, it's interesting. Traditional insurance is very complex so how do you take all those factors into play?
Ann Irvine:
Yeah. I'll speak to the first half of your comments first and then maybe get to the accountability part. There is certainly a lot going on from a forensics perspective when we investigate these incidents. I think, coming back to the question of underwriting and how do we model and predict for a new organization, is an attack going to happen and how much is it going to cost is really what we care about. And honestly, that's what companies care about too. We're talking about risk management here and that's what they want to know too. How much insurance do I need to buy? If I implement this security control, how much will risk go down? So questions like how many minutes between exfiltrating and deleting the logs during this attack, that data point's probably not relevant for predicting for a new organization is this going to happen or not. And I think the corollary to the car accident is there's actually a lot going with investigating a car accident. You can think about the city that it occurred in or maybe, in the US, the more specific zip code or maybe we should talk about particular street address. We can think about what minute it happened, what cycle of the traffic light. The person was moving through the intersection, if they were going east or west.
Ann Irvine:
There are all of these things happening in a car accident as well that might be considered as part of that investigatory process for, to your point, deciding blame. But for the purposes of predicting a car accident for another driver in the future, whether or not the person in this past accident was driving east or west or what cycle of the light they were passing through the intersection, that's probably not relevant. What's relevant is their driving history and maybe their age and the type of car they're driving and the zip code where they live or things like this. But the details about the investigation of that accident are not necessarily applicable to the future auto underwriting.
Ann Irvine:
And I think, again, the same is true for cyber insurance. I think what's less obvious in the cyber case is what the corollaries are between the driver's age and the car they're driving and the zip code where they live and whatever else is used in car insurance underwriting. Those other factors. Zip code might not actually be legal to use. I'm not sure. But what are those same things that are predictive of future losses that we can take away from incidents and reliably use predict future losses. And I think we haven't totally figured that out. One thing that I'm passionate about figuring out is figuring out what cybersecurity solutions a company had employed and how they were being used and then figuring out ... Again, coming back to what I said earlier, holding those cyber vendors accountable. If you're using this firewall, is it actually protecting you or not? Versus another similar company down the road that's using a different firewall vendor or none at all or whatever it is.
Joseph Carson:
And is it configured correctly as well.
Ann Irvine:
Exactly. Which is complicating for sure. So I think the analogy is maybe actually there and sort of strong. Comparing the auto crash with the cyber incident. Of course, there are a lot more car accidents in the world every day than there are cyber incidents. There are more people driving than there are organizations. So it's easier to learn from that data at a large scale. But again, yeah, the trick is really I think just figuring out what the nuggets of information are that we should be learning from these cyber incidents. But we don't know what those are yet, which is why I like those multi paragraph descriptions of what happened in as much detail as possible.
Ann Irvine:
In terms of accountability and placing blame, as Kevin said earlier, my understanding of most of the policies that are on the market today is that fault is not really a consideration when we're deciding whether to pay a claim or not. So if the firewall's not configured correctly and there's an intrusion and a loss, then that's covered. If an employee reuses their password in a completely irresponsible way and some threat actor is able to get into the system and steal some data, that's covered. Human error as well as malicious nation state activity is all covered across the spectrum. But Kevin, please correct me if that's not completely true.
Kevin McGowan:
No. That's spot on and it speaks to, as you said, what we were discussing before, in terms of the policies are broad in nature. There are many reasons for it. One of them, from an insurance perspective, has to do with the fact that cyber insurance as a product spawned out of professional liability insurance. So just essentially malpractice but for companies of any type of service, including technology companies. So the idea was some sort of error or negligence led to a security event. So now, you might still have that human error as Ann alluded to, but then in today's world we also see lots of malicious activity by hackers or state sponsored attacks, whatever the case may be. And they're all covered. I think the two pieces that are relevant in terms of essentially attribution from an insurance perspective in the cyber landscape, one is you mentioned service providers. And underwriters do try to look at vendor risk management because it does broaden the attack surface. As you said, you've got 10 different IT vendors and they've got varying levels of network access and are you, the insured organization, are you auditing the security of your third party service providers.
Kevin McGowan:
And the bottom line is if the insured organization has an event, and even if it was the initial fault of a service provider, it's generally expected to be covered. Now, on the back end, the insurer may get involved in subrogation and/or look at contractual provisions between the insured organization and perhaps that IT service provider that may have been at fault. So there could be some recovery there on the back end after the initial loss. But up front, the insurance policy generally is designed to respond even if the fault was of a third party provider. So that, as you can imagine, does add an element to the underwriting process. And then just the other piece of it that I think is very relevant in today's market which gets talked about more and more is attribution. When we're looking at some of these true headline events and the different concerns of well, who was behind this or who at least allowed this to happen and how can we stop that via sanctions or otherwise. So now I think there are more calls for essentially public/private partnerships and more government involvement to try and work on that attribution and actually bring consequences for the benefit of all these organizations that are being hit.
Kevin McGowan:
So I think there's more being done there. You can attest to, yeah, what does the DFIR look like? How much can you learn IP addresses, et cetera? Who really did this? Because oftentimes it isn't known. So I think that's an area that is being worked on at a lot of levels far beyond just insurance which could have a lasting impact.
Joseph Carson:
A thought came to mind is if you start looking at some places where, let's say, countries which are holding safe havens for cyber criminal gangs and if you do find attribution coming from those countries, could potentially governments hold those countries financially to pay the insurance claims that comes through this? Is that something that might be a consideration for the future? Because ultimately, need to find ultimately a source of where the insurance comes from. Who pays? Is that something that maybe some governments are looking into from a regulatory standpoint? If you have a cyber attack and it's major such as we had recently and you do find attribution to a particular country, for the government to hold that country accountable financially and maybe force them to pay the insurance or pay the claims. Is that something that might happen in the future? That might even consider those nation states to no longer provide safe havens if they become financially accountable.
Kevin McGowan:
Yeah. I think it's an excellent question and I think there's a lot of conversations happening at a lot of different levels right now that are headed at least that direction. Because you see a lot of chatter now, different government officials, different regulators will say, well, perhaps the answer is just banning payments of ransomware entirely. But then there's plenty of debate to that about well, is that actually effective and then what is a company supposed to do when there's no other option? And then I mentioned do governments need to get more involved and take more aggressive actions? Sanctions, financial, whatever the case may be. And I think there has been talks in Washington involving large insurance companies about well, should there be ... You mentioned terrorism insurance earlier and there's a federal backstop for that. Do we need some sort of federal backstop for large scale, systemic aggregation events that everyone is worried about, which we maybe haven't quite seen yet? But if something like that were to be created, to your point, would that perhaps cause the government, federal or otherwise, to maybe take more action to hold these countries, if they are involved, financially responsible.
Kevin McGowan:
Because right now, today, I don't think that's necessarily going to happen. I don't think the chain of events is quite there where the government is going to identify a country and then eventually come downstream and reimburse insurers. But this has become such a high profile item and it is on their radar. And again, if something like a federal backstop does get involved, I could certainly see things getting to that level.
Joseph Carson:
Yeah. I-
Ann Irvine:
I ...
Joseph Carson:
Go ahead.
Ann Irvine:
I think most of the regulation talk is more at a high level of holding entire organizations or countries accountable for the practice at large and it's issuing sanctions at large. I think the idea of holding governments accountable for specific incidents, this cost company X two and a half million dollars, now please reimburse this company two and a half million dollars for this discrete singular event, makes perfect logical sense but I don't know what the international regulation mechanism for that-
Joseph Carson:
How that will come to play.
Ann Irvine:
Yeah. For that transaction. But logically, of course, it sounds great. But I don't know how we could make it happen.
Joseph Carson:
Yeah. To your point Kevin, I think we're seeing the potential of it happening with some of the events of the past year. But I'd rather taking a proactive approach rather than waiting for that event to happen so you already have something in place. Because natural disasters do happen and I think we're waiting for the one that is similar to something that's major like a hurricane or like a tornado. Whatever it might be that causes serious disruption. That it'll be good to at least have the backing and support.
Joseph Carson:
This moves me into another segue into understanding about after understanding about the questions and the process you went through, what type of data do you need to continue gathering from customers? After I bought a policy and now I understand I've got underwriting. What type of data do I need to keep giving you and is it automated? Do I have a system in place that does it? Do people come into my environment to collect the data? What's the process to continue getting updated data? Because things change. I deploy a new solution, I might decide to get a new database. I might decide to get a new part of the business or acquire a company. What changes does that impact?
Ann Irvine:
Traditionally, the traditional cyber carriers don't collect any data in the middle of a policy period. They consider a company at the time of initial underwriting and then wait until that policy is up for renewal a year later to send out another questionnaire and just ask the same questions and ask if anything has changed. This is one area where we're trying to be a little bit different. So once organizations have bought one of our policies, we have an entire security arm of our organization that engages with them in a way that, yes, we're collecting data and that's helpful for us of course. But the primary motivation there is to help customers secure themselves better. So it's sort of an included consultation offering where if you buy our policies then we have this team of security experts that meet with you, do a deeper dive into your security, make some recommendations. What a lot of that ends up looking like is our security team partnering with the security team at the insured organization and helping them make a case to their own leadership team that it's worth investing in additional resources to implement whatever security drills or processes.
Ann Irvine:
So we do collect some data, again, as part of those consultations, but the primary purpose is to help the companies improve their security which is good for us and good for them.
Joseph Carson:
That leads me to another question. There seems to be a lot of different type ... Do you have any type of templates or reports or examples that companies can take a look that would be publicly available? That they could go and say, "Okay, I'm going to go down this path. I need to have a good understanding about preparing and getting ready." Is there anything that you have available that would give them examples or templates so they at least know or can already start going down the path of getting ready?
Ann Irvine:
Yeah. I don't think we have any of that kind of thing publicly available. I think organizations usually work with their brokers to get a sense for what insurance carriers are looking for and have those conversations with brokers to prepare for the applications and the questions that may come up. But Kevin, do you know of anything we have?
Kevin McGowan:
Yeah. But I think the one exciting piece on the topic that has changed is normally ... And this would be true with most lines of insurance as well. That normally the process only kind of goes one direction which is the insurers analyzing information on the front end. And they may ask some questions, some followup trying to get more clarity, and then make their decision of okay, we're willing to insure you at XYZ terms. But now in the cyber market, with the help of security teams, data science teams, it has broadened where now as an underwriter I can sit there and I can go to insurers and say, "We were able to identify XYZ security concern or vulnerability," and raise that to them. And then they can respond, ideally fix the vulnerability, and let us know. And I think that's an evolution of the process that it's a win for everyone. Because sure, as an insurer you're hoping, okay, I'm identifying a risk on the front end and hopefully getting rid of that risk and ideally that means they may not have a loss associated with that. But that's an added benefit for the insured or prospective insured that didn't used to be there. Essentially providing this additional advice versus just providing analysis and asking questions and then offering what you can offer.
Kevin McGowan:
But now saying, "We see this. We're going to help you manage your security risk on the front end." Versus just providing the insurance on the back end.
Ann Irvine:
The other thing I ... Folks love to hate on the insurance industry but it is an efficient market mechanism for making good change. I heard a broker say recently that if a customer comes to them who already is working with a broker for a property policy and comes to them and says, "I'm interested in getting a standalone cyber insurance policy as well," before they even send out applications and start interacting with carriers, apparently brokers are saying to organizations, "Are you enforcing MFA on your email?" And if the answer is no, then the brokers will say, "You're not going to be able to get coverage unless you do this." So security change is happening via the insurance market as a lever, which I think is just awesome for the whole world.
Joseph Carson:
And that's good. We go back to the same story of the car seatbelt where you couldn't get insurance unless your car actually had seatbelts. So same as basically security industry is that you need to practice security and you need to implement it in order to get insurance. So I think that's a positive direction is to force. One thing I'd love as well is that organizations that implement and do security should get discounts. So get something as a reward.
Joseph Carson:
Kevin, I have a question for you which I'm just interested in learning as well. Since you're an underwriter, how did you become an underwriter? And is it something that underwriters should get cybersecurity trained or is it something that even our audience from cyber security professionals should consider becoming underwriters? Is that a path? Are we starting to see cybersecurity underwriters? Is that something that is becoming a thing?
Ann Irvine:
We might have lost Kevin but I can say our, in general, cyber underwriters are coming from the insurance industry, not the cybersecurity industry. They are generally trained on the job I think. Some of them do take courses to further their cybersecurity understanding, potentially through Cybrary. One of the hosts of this podcast. Although I'm not sure. But they're generally insurance industry professionals. But yeah, I think more cyber expertise in that world is always helpful. Kevin and several others on our team have really become experts and it's great. It really helps them have productive conversations with companies who have applied for insurance. But it's at least half a sales role as well. So yeah, cybersecurity experts who are interested in this market and would like to do a little more salesy stuff maybe outside the chaos of the cyber vendor markets, yeah, it very much could be an option.
Joseph Carson:
Yeah. I definitely think there's many people of the audience would definitely be interested. This is a good time for people to consider careers where they've been working from home for a long time and maybe even doing some courses on Cybrary and other platforms that gives them an opportunity to look at other areas and widen their career and get into new things.
Joseph Carson:
So Ann and Kevin, it's been a pleasure having you on the show. It's been fantastic. Really hopefully the audience has got really up to speed and got a good understanding of where the state of cyber insurance is today and some of the things they can do in order to prepare. Because I think it's really important that in this industry we can't go it alone. We all have to work together and we all have to make sure that we're resilient as possible. Because ultimately the more resilient you are to different attacks and different events that happen, whether it being natural disasters, whether it being accidents, or whether it being cyber attacks, we want to make sure that we can continue moving forward. So Ann and Kevin, it's been fantastic having you on the show and I look forward to hopefully having you on again future. Maybe we'll learn more about new types of packages and how cyber insurance evolves in the future.
Joseph Carson:
So for the audience, it's been a pleasure having you. Hopefully you get some educational news today. And definitely if you're looking, reach out to Resilient and to Ann and the team and Kevin if you're looking for cyber insurance and looking for advice and direction. Ann, Kevin, it's been a pleasure. Thank you.
Ann Irvine:
Thanks so much Joe.