Cyber Insurance Experts Make a Case for Coverage, Protection

BLACK HAT USA – Las Vegas – Wednesday, Aug. 9 — Cybersecurity and insurance continued their awkward dance this week at a Black Hat "mini summit" where the two industries continued to refine the best ways they might work together.

Held on cyber insurance, the summit covered whether there is a need for cyber insurance, how it is assessed, and how CISOs can use it. Alternatively there are claims that underwriting is not keeping up with modern cybersecurity threats and trends, or even how (or why) the federal government could help protect companies, insurers, and the economy from the impact of a widespread, catastrophic cyberattack.

The points of contention are familiar: How cyber insurance premiums are calculated and which factors are taken into consideration. Insurance proponents argue that having cyber insurance keeps a CISO from worrying too much about the financial impact of an attack.

Nonetheless, cleanup costs from an attack, including the added expense of post-incident forensic investigations, downtime, and credit monitoring, also need to be considered, said experts at the Black Hat summit. The recent ransomware attack on Applied Materials was estimated to have cost the company $250 million.

Catherine Lyle on stage at Black Hat 2023. Source: Dan Raywood at Black Hat

Catherine Lyle, head of claims at Coalition, said despite all indicators to the contrary, even lawyers care about the security of your company, especially after an attack or network breach. "Active insurance is there to right the ship when it happens," she said.

Lyle said that as threat actors are becoming increasingly sophisticated, so has their understanding and knowledge of the English language, which helps threat actors who are non-English speakers find the folders containing company's financial records. "They know what you're spending and who has the power to sign the checks," Lyle added.

Since most attacks are enabled by phishing, incidents of ransomware, business email compromise, and funds transfer fraud are all increasing. However, any attack where money has been sent is more of a challenge, since in a ransomware attack there can be a process of negotiation to drive down actual ransom costs, Lyle said.

She also noted that threat actors are likely to dwell in a network longer, on average being 42 days in 2022, twice as long as the average time from a year previous.

Business email compromise, ransomware, and fund transfer fraud all affect an insurance policy enormously, noted Ed Ventham, co-founder of cyber insurance broker Assured. "BEC and ransomware are the two most frequent cyber insurance payouts from insurers," he added. "Most of the technical questions insurers ask are about finding out what controls are in place to prevent these attacks. What endpoint protection is in place? How are systems monitored and how quickly are they patched?" These factors vary widely from customer to customer.

Lyle said insurance exists to help prevent the greater harm and there are steps that can be taken to improve your security posture so that cyber insurance costs are reduced. These include adding adding multifactor authentication (MFA), rehearsing for incident response, and the insurance company help with pre-claim assistance.

View From the CISO

John Caruthers on stage at Black Hat 2023. Source: Dan Raywood at Black Hat USA

John Caruthers, executive VP and CISO at Triden Group, said that while the idea of acquiring insurance may have seemed quaint at one time, in 2023 everyone understands cyber insurance and its purpose, despite some nuance.

He also wondered aloud if cyber insurance is for safety, a compliance play, or neither. "It is not a replacement for a cybersecurity program, but a motivator to build better cybersecurity programs," he said.

Caruthers compared cyber insurance attempts to medical and automobile insurance industries, and said that in cybersecurity there isn't historical data, so a list of minimum mandatory requirements is generated to achieve cybersecurity maturity. These include MFA, incident response plans, and backups, but patch management, remote access controls, supply chain management, and awareness training are also worth considering.

Ventham also noted that end-of-life software is considered a higher risk for insurers; unsupported software is also a related issue and a challenge for insurers and customers alike.

"Exploiting unsupported software is one of the most common attack surfaces, and naturally end-of-life heightens this," Ventham noted. When insurers make their assessments they take into consideration the detection and monitoring capabilities that businesses have in place for this unsupported software. They will want to know what the software is being used for, whether it's Internet facing, and is it segregated from the rest of the network."