Qualifying for cyber insurance is no easy task, nor is understanding all the nuances of cyber insurance trends and how they can affect business decisions. At the Sophos Cyber Insurance event recently, the experts took questions from attendees about concerns they face today, offering advice and insights on how to qualify for policies, how decisions about when to apply could impact your ability to obtain coverage, and how proactive network security initiatives can aid an organization in reducing security risks, thus becoming a better cyber insurance prospect.
Following are highlights from the Q&A session with speakers Marc Schein, national co-chair of the Cyber Center of Excellence at the world’s largest insurance broker, Marsh McLennan Agency (MMA); James Tuplin, head of international at Mosaic Insurance; Natalie Graham, head of claims at Mosaic Insurance; Daniel Kasper, cyber risk researcher and economist at Cyber Economics; and Nicholas Cramer, senior director of global cyber risk partnerships at Sophos. Moderating the Q&A session was Sally Adam, Sophos director of marketing.
Question from Sally Adam: Is there a correlation between companies taking cyber insurance and ransomware attacks on those companies?
Answer from Daniel Kasper: Yes, very likely there is. It’s very hard to quantify, but during the Ukrainian-Russian war in recent weeks, we saw one of the largest ransomware attacks from the REvil group, exposing it as being very closely connected to the Russian government. Also released was evidence of a huge data leak including the chat logs. Analysis is going on currently, but from what we have seen so far, they are a criminal group that tries to get as much money as possible. If an organization has an insurance coverage amount of 10 million, it will try to extort 2 million.
Q: James, if there is full coverage for ransomware payments, how much cover is available for remediation costs?
Answer from James Tuplin: The policy should have various elements; we normally split policies between the two elements. Let’s say you’ve got coverage for extortion. There may be a specific limit to an extortion payment, and there will also be coverage for the business interruption caused by the ransomware. There may be a specific limit to that.
There will also be coverage for actually fixing the problem, getting your IT forensic team to get rid of the ransomware and clean your computers. And again, you may find distinct limits for that as well. But all [policies] will come with one overall aggregate limit. If you can get a policy that has a 10 million limit, and you have full limits for each side, then it depends on the event.
Obviously, if you spend 10 million on just fixing the problem, there’s nothing left in your policy to pay the ransom or the business interruption. But in that sense, if you’re likely to face an event that big you should be buying more insurance so if you have 30, 40, or 50 million in commercial exposure, you have enough to spend on each of the elements.
Q: James, you only mentioned IT security business interruption coverage. How does this apply to operational technology, or OT, coverage?
A JT: It very much applies to OT as well as IT. It’s one of the areas that we’re digging into, even asking more questions than ever before, particularly across obviously the industrial manufacturing sectors where OT is obviously intrinsic to the operation of these types of firms. We want to see really good [network] segregation — that is probably the biggest key: that your OT is very much segregated, an air-gapped DMZ, however you [segregate] it from your IT network, and that you protect the OT networks running in different factories [and] different countries or regions.
What we don’t want to see is something that gets into your IT [systems and] spreads into your OT laterally across multiple OT networks. Do we look for that segregation? We do look for the security you put in place. We do look at how you control remote access to that OT — it is particularly important — the same as we ask whether it is end-of-life [hardware or software]. If so, how do you make sure it’s patched and upgraded? The same questions we asked for IT we want to see for OT. So if you are in that environment, yes, it is very important.
Q: Marc, here’s one for you. We’ve struggled to get the coverage that we need for our organization. This year has been next to impossible [to get coverage]. What do you recommend that we do?
Answer from Marc Schein: I would recommend working with your broker to make sure that they’re able to properly articulate all the safeguards that you have in place. We went over the 12 key controls in today’s presentation; making sure that you’re accurately presenting those to the marketplace is, I think, your best first step in that direction.
Secondly, do you have a contractual obligation that’s requiring your smaller business to carry a significantly higher amount of insurance? If you do, perhaps an underwriter may be more willing to provide that limit of insurance, rather than if it was just done on a one-off basis. Oftentimes, you can have some type of benchmarking to see what your peers are doing; that might help an underwriter get more comfortable with producing higher limits. You might also want to consider taking on higher retentions. Perhaps that might be a way to get higher limits as well.
Q: Marc, how are benchmarks measured when it comes to cyber hygiene in an organization?
A MS: Great question. Each carrier has their own, different rating systems. Certain carriers are putting more emphasis on certain controls than others. We talked about the 12 controls in today’s presentation. These were the 12 controls that Marsh identified from an aggregated standpoint. These were not for a particular attendee or carrier, so how do they get incorporated into a benchmarking report? Oftentimes, if we’re running a business interruption report to get an understanding of how quickly they’ll be able to get back up and running, you’ll see these key controls be a big determining factor as to whether it’s a day, a month, or perhaps, you know, several months for them to get back up and running.
Q: Natalie, an attendee asked, if they have a minor event that could be handled internally, are they obligated to reach out to the insurance company and use their consultant to remediate the issue?
Answer from Natalie Graham: For some insurance policies, the answer is probably no. If there is a cyber incident and it can be resolved within your access, then, technically speaking, there is no obligation to notify your insurance company of it or to seek their consent to whatever steps you’re taking.
However, I would caution that it would always be prudent to do so anyway because there is never any telling whether the cost may escalate beyond what was anticipated. If you do come to make a claim on your insurance policy and you haven’t used a company that has been approved by your insurer, you may find it difficult to recover the costs. So, you don’t have to, but I would always suggest that you do.
Q: James, an attendee from an international company asks: Our UK company and our Australian subsidiary both have cyber insurance. Would it be better to have one policy for the two companies or a joint policy?
A JT: That’s normally what we would expect — that you get one policy covering the entire division, or the entire company, including its subsidiaries. There are obviously some where we do see it. It depends on the structure of the company partnerships; particularly we quite often see partnerships buy individual policies per partnership, and that’s because they are kind of individually run and they are separated. That makes sense.
I’m assuming, in this instance, the network you use, whether it’s an HR program and accounting program, works across both entities. So, if you’re going to have an event, it will possibly go through both sides.
Having two policies, the insurers might both insist that you use their providers to fix the problem, at which point they’re going to clash in the middle and you’re spending twice the costs on the same event. I would suggest you get one policy to cover both entities but with a larger limit. So rather than having two $5 million policies, I’d say get one $10 million policy to cover all of this. It’d be much easier in that sense when the event happens [there will be only one insurer whose rules you will need to follow].
Q: Natalie, did you have any comments from the claims side?
A NG: I think the only thing that I would add is that from a client’s perspective, it can cause complications if you had two policies that could respond to the same loss. And that’s because there are often conditions in each policy that say our policy does not respond if there is another policy that essentially covers the same loss. I think there isn’t necessarily a straightforward answer, but it is definitely worth talking to your broker to make sure that you’re not potentially prejudicing your position in case there was a loss, because it can be that these things are ultimately resolved, but it can cause additional complications if there are two responsive policies to one matter.
Q: I have one final question that I’d like to put to everyone and maybe go around the room here. Daniel, I’ll come to you first. If you have one recommendation for everybody attending this session, in terms of helping them with their cyber insurance, what would it be?
DK: Definitely look into cyber insurance. It’s just a question of time until everybody will have it in some form. And especially the smaller you are, the higher the utility is of the systems. I would suggest to everybody to look into it, [and I think] most of them have already done so, given today’s topic.
Q: Natalie, from a claims perspective, one key thing for everyone to take away?
NG: My advice is if you do buy cyber insurance, don’t wait until you have an event to read the terms of that insurance. Make sure that you’ve read it in advance and make sure that you have the key information about whom to contact in the event of an incident because you may not have access to that information, depending on the incident at the time. Make a note of the key contacts so that you can really hit the ground running when and if an incident occurs.
JT: Why buy cyber insurance? The [adoption level] is still relatively low globally in this space, but still the number of times I’ve seen someone counter with: We’ve had an event, it cost us X amount of money, and now we’re thinking about buying insurance. I wouldn’t wait.
And the other very cheeky suggestion is do not store your electronic and cyber insurance policy only in your own network. The number of times that that network goes down and all of your business plans and your recovery plans and your policy go down with it, and you can’t actually then access it to know what you need to do, is laughable. So do keep a paper copy of it, or do store it elsewhere. And that way when you need it, it’s available.
MS: I would suggest putting your best foot forward, making sure that you’re working with your internal team, as well as your broker, focusing on those 12 key controls and presenting that well to the marketplace. It’s important to work with well-respected organizations that are well known, like Sophos. Make sure that you have the right providers and basically tell the right story to the marketplace.
Nicholas Cramer: My recommendation would be to have an incident response plan. Everybody’s touched on pieces that go into that plan; insurance is part of that plan. Read through the [insurance] policy. The policy will inform you what happens in your incident response plan if your IT person calls you one day because suddenly there’s a ransom note. Having that plan will also allow you to know where your security is good and where it needs improvement.
When you talk to your broker, you’ll know how to inform that narrative that you’re going to go tell the carrier which, again, will hopefully get you the policy you need and, at some point down the road with years of no claims, maybe that policy, based on market conditions, also gets cheaper. So, have a plan, talk to a broker, invest in cybersecurity.
If you have any questions about Sophos products or services, please contact your Sophos representative. Watch the event on-demand to see the sessions in full.