
The Cybersecurity readiness podcast

This article was first published by Guy Carpenter here.

Erica Davis, Guy Carpenter’s Managing Director and Global Head of Cyber, made a feature appearance on The Cybersecurity Readiness Podcast with Dr. Dave Chatterjee, a professor, cybersecurity author, speaker and consultant.

In the episode Is Cyber Insurance Necessary?, Erica discusses at length the different types of coverages, how underwriters evaluate and assess cyber risks, the current state of the market, reinsurance mechanisms, and more. She also offers practical guidance on how to plan and approach cyber insurance-related decisions.

“If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption, and extortion payment coverages offered under the first party,” she said. “So, I would say it's really important to understand what coverages are most applicable given your class of business.”

Guy Carpenter is working closely with our clients to share updates on the threat landscape, deliver cyber industry insights, construct relevant modeling scenarios, and design reinsurance placements to protect these portfolios. The industry is also adopting new risk mitigation, pricing and underwriting tactics in order to course-correct from the impact of expanding cyber risk.

TRANSCRIPT:

Introducer: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee: Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I'll be talking with Erica Davis, Managing Director and Global Co-Head of Cyber for Guy Carpenter. Prior to this, Erica led Guy Carpenter's North America Cyber Center of Excellence. She has years of cyber professional and multi-line underwriting expertise. Erica is a key contributor to the public sector dialogue around cyber insurance, and has provided testimony to the House Small Business Committee as an expert witness in cybersecurity insurance. As a prominent leader in understanding cyber risk at an enterprise level. Erica has presented at the National Institute of Standards and Technology, and has contributed to several publications, events, articles, and interviews in the industry. Erica, welcome. Thanks for making time to share your thoughts and perspectives with the listeners.

Erica Davis: Thanks so much for having me.

Dr. Dave Chatterjee: So let's begin by talking about you, your professional journey. Your current role at Guy Carpenter.

Erica Davis: Sure, thanks. Thanks again for having me today. And yeah, you know, I really got started in the insurance industry by focusing on technology risk. And so I spent the first 10 years of my career at Chubb, underwriting all lines of business. So general liability, workers' compensation, auto, intellectual property, errors and omissions, but with a focus on information and technology risk. So always thinking about what's coming next in terms of emerging exposures. Before I moved over to Zurich, still in an underwriting capacity, still with technology top of mind, but built their book of business, ultimately taking greater responsibility for general industry and financial institutions. And some other risk outside of that. But what I learned in staying closely connected to the technology risk was that there was an opportunity for cyber products, cyber insurance risk transfer solutions, to find a home within the industry, as interconnectivity and reliance on technology grew.

And so I moved over to that side of the business with a specialization in cyber and professional liability in 2012. At that point, the industry was just beginning to grow its expertise. And truly its acknowledgement of how far reaching and massive cyber risk was going to become. And so, you know, Zurich wasn't alone in building specialized products and expertise in that space, and I worked there until about four years ago, about 2018. Still on the underwriting side, and focusing on cyber risk transfer products.

Ultimately, what I learned was that the insurance space was beginning to craft solutions for the business community, who were also becoming increasingly aware of how cyber risk could manifest, you know, within their organization and also outside of their four walls. So looking at various supply chain risks when it comes to cyber. And the industry at that point had grown to a size of about 4 billion in gross written premium, still very small compared to some of the more traditional lines of business out there. But there was a lot of work to be done on the reinsurance side, which is the insurance that sits behind insurance companies, simply put, and there needed to be more expertise in that space in order to build capacity to grow and support the insurance side of the house. And so I made the move over to insurance and reinsurance broking about four years ago. And I've been with Guy Carpenter in increasing roles since that time.

Dr. Dave Chatterjee: Good to know. Thanks for the intro. So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you, and if they have any questions of interest. So one of them sent this to me, he said, Why should we get cyber insurance now? It seems that the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure? How would you react to that statement or question?

Erica Davis: Yeah, so just to sort of set the stage for, you know, the buying community within cyber, about 40% of all organizations across the US purchase a cyber insurance product. And that number is more heavily skewed towards mid sized and large companies, more so than small micro mini sized organizations. Oftentimes, that's because there's been a more sophisticated risk assessment process in place for you know, cyber risk on those larger sized entities. And in the US, there's actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment. So businesses in the US are geared to protect private and confidential information in a way that's still developing outside of the US. Certainly, regions such as you know, Europe, UK, have strong regulatory position now that have developed and the buying habits of the business community have accelerated as a result of that. But even in the US, companies that have a more regulated or I should say, more regulatory sort of focused mindset, somebody like health care, financial institutions, were early adopters of the product. And your friend or your contact is correct that in the last 12 to 18 months, the price of cyber products has increased significantly.

What I what I would suggest is that really a reflection of the losses that have been paid out by the industry, so some pricing correction that's occurred because of that, but also an escalating risk environment where we've seen things like, you know, geopolitical tensions increase, we've seen ransomware threats increase, we see greater risk because of interconnectivity. And so you don't see pricing change without cause. Cyber products are still fairly inexpensive. When you look at the cost of other, you know, mandatory purchases within I'll call it the risk management package. But yes, you know, the businesses do need to take stock of what's at risk, what sort of digital assets they have, the discussion around whether to purchase a product is a very healthy risk management discussion, there will be potential businesses that instead elect to invest in their own information security, or should say, like architecture. And if that makes sense for them, then, you know, that's certainly a choice they can make.

It's not a mandatory purchase at this time. It's still discretionary in nature. And sorry, for the long winded answer, but I would just, I would just add to that, you know, cyber products are a little bit different than the traditional products that are offered by insurance companies, and that cyber products offer you pre-breach services. So things like discounted rates for forensics, public relation firms, you know, legal sort of breach coaches, all that which, you know, you can establish relationships with and access at a discounted rate, and then incident response services too so that if and when the bad event does occur, your resiliency and responsiveness has increased by having a product in place. So, prices have gone up. And yes, that's true, but I still think it's a very valuable product for businesses to consider.

Dr. Dave Chatterjee: Good to know, good to know. In fact, I was reviewing a KPMG study where they surveyed senior information security professionals, and 74% of the respondents said they had no cyber insurance. And they mentioned mistrust of insurers honoring policies appeared to be one challenge. And they also mentioned the market not being very mature, and I believe you've addressed that. But then I'm just curious to know, as somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say, from the standpoint of a cyber risk insurer?

Erica Davis: You know, I understand those challenges. Certainly I've heard them firsthand, especially in my underwriting days. I think, when we consider insurance, as buyers of products, we think about something like tangible assets: what if my home burns down, how much damage is there, you can see a fire, you can smell a fire. Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations.

And it gets even more complex when we think about measuring cyber risk outside of, you know, your own sort of entity's four walls, and you look at supply chain, and you look at potential non-physical impacts that could affect you. COVID is one example of where we saw that brought to life, right? We saw supply chain severely disrupted, we saw transformation of data exchanges. So there's a lot of lessons to be learned there. But when we protect intangible assets, and we think about nonlinear exposures, like cyber risk, that's difficult. And having a product that appropriately addresses those issues is also challenging for the buying community to understand. Quite frankly, as an industry, I don't think we've done a really great job at defining it and helping businesses to fully grasp what a cyber product offers. But we are getting better at it. We're definitely seeing adoption of the product increase. But I do think we definitely have work to do as an industry to help businesses through those complexities.

Dr. Dave Chatterjee: True, very true. Many of the listeners are possibly thinking about cyber insurance, but they're not sure from where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them any recommendations?

Erica Davis: I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk. I think right now, there isn't a level of consistency across cyber products. Again, it's easy for the business community to understand, you need to work with a broker who can explain the differences. And those pre- and post-breach services to you, which are a huge part of the value of a cyber insurance product; you need somebody who fully comprehends the nuance of the various policy languages that are out there and can make sure that they tailor a product and design a product that fully suits the needs of the buyer. Some of these more specialized brokers can also provide the quantification services to help inform your decision of whether to buy a product, or whether to invest in your own security, or to self-insure is the right answer for you.

Dr. Dave Chatterjee: Okay, good to know. And when someone is evaluating a cyber insurance policy, what are some elements that one should be looking out for? Or maybe if I would rephrase the question, what are some key elements of a good cyber insurance policy, if there is anything like that?

Erica Davis: So most of the cyber insurance products that are available, actually, let me reframe this a little bit. There are cyber coverages that can be offered through traditional lines of business, you might purchase a property policy and have some level of coverage available to you through something like business interruption, say something like downtime originating from a cyber related event, you might have something offered through general liability or professional liability that allows liability from a cyber related event.

When you purchase a cyber dedicated product. It is a hybrid between first party and third party. And so what I mean by that is the liability aspect. So something like network and security, privacy liability, some elements of media liability, but it also includes first party coverages. So things like your costs out of pocket for forensics response, something like, you know, legal services, something like public relations, and then most importantly, business interruption and dependent business interruption.

Some of the coverages that have gotten quite a lot of attention lately have been around the forensics, business interruption and extortion payments. That's largely because of the proliferation of ransomware over the last 36 months or so. So, you know, each of those coverages is valuable; it really depends on what segment of the business you operate in. So if you're somebody like, you know, a health care provider, you definitely don't want a cyber product that only has, for example, first party coverages; you want to make sure that you have liability aspects.

If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption and extortion payment coverages offered under the first party. So I would say it's really important to understand, you know, what coverages are most applicable given your class of business.

Dr. Dave Chatterjee: Now, is it fair to assume that an organization that has very robust and mature cyber governance processes is likely to get a better deal?

Erica Davis: So, yeah, I'd respond a few different ways. So when we think about traditional underwriting of cyber risk, certainly the goal there is to differentiate customers based on their level of cybersecurity maturity. Your goal as an underwriter is to flesh out, you know, the good risk from the not so good risk and differentiate, and either decline the not so good risk, because it's certainly possible right now that businesses aren't able to secure cyber insurance because they just don't have risk controls that are up to a level of expectation. But even within that spectrum of good and not so good, being able to differentiate pricing and terms on the policy is a reflection of those practices and protocols in place.

It is important to mention that cyber underwriting extends beyond pure evaluation of the level of security controls. And it includes things like, you know, culture resiliency, and stakeholder connectivity: is your HR team talking with your legal team and talking with your product dev team in practicing and promoting good cyber standards, and things like employee training, for example, can come into play. And so part of this is the security itself of an organization, but part of this is around the culture that's created. And then also, like, I know I've talked about supply chain a couple of times, but how are you looking outside of your own organization and assessing risk across, you know, upstream, downstream and your entire supply chain?

Dr. Dave Chatterjee: Very interesting, very interesting. In fact, when you mentioned culture resiliency, you know, it resonates with me very well, because I recently published a book, where I talk about the importance of creating and sustaining a high-performance information security culture, and I provide organizations with scorecards to make an assessment along three dimensions -- commitment, preparedness, and discipline. So I'll be curious to know that based on your experience of assessing culture resiliency, what are the things that you all look for, as an insurance company?

Erica Davis: So, um, so, you know, a few different things there. Right. So, you know, kind of, you know, go back to the NIST guidelines, right? You have things like identifying your assets, and, you know, detecting Tricia evidence but it's also more around like the disaster recovery, right? How are you bringing your employees into the discussion? How are you identifying your key providers, suppliers, customers? How are you protecting and, you know, and restoring right, your sort of data assets if something does happen. So I think you know, this is an ongoing exercise happening within organizations.

Certainly the underwriting is also evolving as a result of that. I talked a little bit about, you know, a culture in this sort of practice of resiliency; that's really easier to understand as an underwriter when you have touch points with your customer. And the reality is, when we get into that small business space, particularly the micro minis, the expectations and the needs are going to shift when it comes to securing insurance. You're not going to be able to meet with every business that only has like 5, 6, 7, 8, 9, 10 employees out there. And that's where you see a lot more technology augmented underwriting taking place. Things like the technical security scans to help evaluate risk are becoming much more commonplace. And they are relevant and increasingly common in the underwriting process in order to properly assess, you know, those customers that you can't talk to and speak through the resiliency culture.

Dr. Dave Chatterjee: Sure, sure, and I'm sure it is safe to assume that even after an organization gets coverage, they will be continually assessed, right? Just to make sure that they stay eligible for that coverage.

Erica Davis: That is a really good question. So the way that these policies are structured is that they are for an annual term. And so this is another area where we've seen a lot of improvement taking place within the cyber industry. You have more, call it human touch, underwriting during the renewal cycle. And that's an unfortunate reality, because obviously, your cyber risk, you know, is 365 days a year.

But, you know, there are human limitations, right. And so as part of the renewal cycle, for the mid and large sized accounts, an underwriter will sit there and actually practically make their way through an underwriting questionnaire application. Very separately, many of the large global insurers invest in some of the security scanning that I mentioned. And their goal there is to be proactive with their policyholders: to help identify vulnerabilities, to help walk through any issues that they're discovering with any other policyholders that might have the potential for broader, you know, application on their client base, and proactively reaching out to those customers to talk through the issues. Separately, certainly in the small business space, and for the underwriters, or I shouldn't say the underwriters, for the insurers who are supporting that business, an increased and more regular reliance on the technology scans definitely takes place. And they will provide feedback throughout the policy year. And we're endeavoring to do that more and more frequently in order to shore up the security of these businesses who buy protection.

Dr. Dave Chatterjee:  And I think that's a great way for an organization to get a reality check on how they're doing from a cyber defense standpoint. So that is something that is definitely a strength of getting coverage from a provider and getting the external validation, external feedback.

Erica Davis: Absolutely. And I think, I mean, that is the goal, right? The goal is to make the insurance more meaningful to drive adoption, to help people not just buy the insurance, but buy adequate insurance that ultimately improves the user experience.

Dr. Dave Chatterjee: You know, one more thing I wanted to share with you. I heard this from a practitioner, that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Have you heard anything like this? Is it a common sentiment? Or was this an outlier?

Erica Davis: Um, it feels like a common sentiment 10 years ago, and hopefully more of an outlier now. And I think when the cyber products were first becoming more commonplace, there was a struggle for investment where you know, somebody like a CISO might see it as a slight on their own capabilities. If a cyber insurance product was purchased, there was also a lot of noise around, well, if you just took that money that you were using to buy insurance and gave it to me instead, I'd be able to improve you know, our own controls, more appropriately. I think that sentiment has changed. In the last five to 10 years, there's been so much more connectivity across the risk management. And again, we talked about a culture resiliency and collaboration across stakeholders. We are now seeing more CISOs at the table part of these underwriting meetings, sharing their insights, actually, like engaging with the insurers to say what could we be doing better differently? You talked about validation earlier with the scans. Sometimes what we're finding is that in the underwriting community, when you provide the feedback to a business and say, "here's where you look good. And here's where there's areas of improvement." The CISO actually perks up and says, "See, I've been telling you this all along."

This is actually external validation now, from insurers who assess my own peers as well. And it really validates a lot of what they've been messaging internally.

Dr. Dave Chatterjee: Absolutely. Let's talk a little bit about self-insurance mechanisms. To set up the question, I want to read out a couple of sentences from an article. In a perfect world, you may think that $2 billion in protection makes sense. Today, that sort of purchase is impossible. But you can develop a plan for getting there. It may involve buying what you can now and possibly topping it up with self-insurance mechanisms. Can you take it from here and shed some light on the different types of self-insurance mechanisms?

Erica Davis: Absolutely. So, you know, again, there's a lot of, you know, some of these questions are very rational and reasonable. And we have to acknowledge first where we are as an industry. You know, the cyber market didn't exist. I shouldn't say that. People will argue it existed, okay, because there were certainly internet carve-backs and technology carve-backs and some small, narrow cyber coverages that existed years prior. But really, this industry is about 20 years old.

And currently, if every cyber writer took out their max line available, their max capacity available, you know, maybe you could get to about a billion in coverage. In reality, the largest organizations out there, no matter how they've quantified their cyber risk, aren't able to get coverage in excess of, you know, whatever it is, 700, 750 million. So in your example, around 2 billion of coverage, they're absolutely right that that level of capacity is not yet available in the market. We're working toward it. I mentioned earlier some of the pricing correction that's happened. That's because of losses that have come in. When losses come in, these insurers do reassess how much capacity they want to put up on any one risk, right? So on any one business, how much coverage are you willing to offer? In a profitability challenged time, that level of capacity is going to reduce, and when things are performing really, really well, that level of capacity will increase. And currently, right now, we're in more of a reduced time period because of the loss environment and the risk environment. So, you know, there's no way to get to 2 billion in cover for, you know, any one entity at this time as a broader industry; we're definitely working towards that.

Part of that is around differentiating the coverages more, so the product itself being offered differently. Some of that is around the technologies that can be deployed in order to better understand, you know, cyber risk, hygiene and maturity. But we just don't have those challenges overcome yet; there's still a lot of structural constraints that are restricting that level of capacity. As for organizations who are looking for more cover, certainly taking on some risk themselves evidences, it showcases, confidence in where you are as an organization. So that's, you know, retaining more risk, self-insured retentions. We see captives becoming a more common discussion. So that's the idea of setting up vehicles where you can absorb some of that risk, either down low, meaning when the loss first occurs, or buy some insurance, then potentially set up a captive to take it on midway and then purchasing more insurance on top of that. But there's a number of different ways to do it. It's just at this point, given the infancy of the market, we are not able to scale the way you would find with more mature areas of the business.

Dr. Dave Chatterjee: So, you know, as I'm hearing from you, a couple of inferences that I draw are that the cyber security market is still premature; it is moving towards maturity and stability. I also heard that small businesses are not prone to getting cyber insurance. In fact, there is data that supports that. But all organizations should be encouraged, because it should be part of their overall cyber risk mitigation portfolio. But it's definitely not a substitute for strong, robust governance measures. So you don't buy insurance so you don't have to do anything about cyber risk management. It's not a cop-out. Having said that, what are some best practices that you notice with organizations? And I ask this from a reflective standpoint: say you have worked with a company that sought insurance. And then they were able to establish that expectation from a control standpoint, which got them the insurance coverage. And that actually propelled them, just the fact that they want to maintain the coverage, that propelled them to become more cyber hygiene conscious, and they stayed more prepared than ever before. So in other words, having cyber insurance gets the organizational attention. And that is a good thing. That promotes, you know, efforts towards cyber resiliency. Is there any merit to this inference of mine?

Erica Davis: Um, I think that, you know, when we look at the key risk controls that matter most in attaining cyber insurance, at this point, you're looking at multi-factor authentication, MFA, for remote access. And we're looking at endpoint detection and response. You're looking at secured, encrypted, tested backups. We're looking at privileged access management. And we're looking at email filtering and web security. Those are the technical controls that are in place and matter. And you mentioned the point around, you know, making the decision of whether to buy cyber insurance or, kind of, in lieu of your own controls. I would say right now, where the market is, you know, given it's been capacity constrained, and given the fact of what we could call the hard market conditions, meaning that insurers are increasing prices, it's actually increasingly difficult to get cyber insurance protection without those key controls in place.

The softer touch issues are around the cyber incident planning and response and testing. So you know, if you have a cyber product, you can do like tabletops, with incident response, you have access to some of those key service providers, but even without them, you know, without a product, you know, you can put those plans in place. You can look at, you know, the employee, you know, awareness training that I mentioned earlier, the logging and monitoring of the network protections, you can look at end-of-life systems being replaced or protected, absences, a number of sort of like behavioral control tactics that can be implemented as well.

Those are softer touch. So you kind of even can't get to that point, or hear that feedback from a cyber insurer until you have those more technical controls in place I mentioned earlier.

Dr. Dave Chatterjee: Appreciate you making the distinction between technical and then behavioral. I had one last question, and that relates to behavioral controls or the softer touch, as you were talking about, and that is: does the insurance company take into consideration how actively engaged top management is? Is that a factor in the evaluation of an organization's cyber risk and subsequently the decision of whether to give them coverage, and how much, and stuff like that? Yeah.

Erica Davis: Yeah, no, absolutely. And sometimes, you know, to be completely honest, sometimes you don't have a lot of visibility in the underwriting process. So you might hear about it, but you don't necessarily know for certain. Here's what we do know, though. You look at New York State and the Financial Services sort of regulatory, you know, developments that were made several years ago. And what you can see is that there's definitely an expectation now around somebody like a CISO having a direct, you know, line of communication, if not a direct reporting relationship, to the C-suite. You can look at C-suites who are increasingly under pressure to elevate their cybersecurity, and an expectation by consumers now that information, actually corporate confidential information too, is adequately protected. So I think that the needle is moving into this being almost like an ESG-related issue. And I think that's validated by our discussions with, you know, rating agencies and other, you know, regulatory bodies that cybersecurity is very top of mind; it's instrumental to organizations' long-term health. We see the impact on something like shareholder perception and stock price when these big events occur, particularly if there's an element of negligence within them. And so, you know, this is not decreasing, right. It's only increasing. And I would say that has global relevance. That's not a US issue. It was, I would say, more of a US issue previously. But it's definitely becoming more and more prevalent outside of the US as well. So absolutely, if, in the underwriting community, you see top, you know, executive management, C-suites paying attention to these issues, there's a level of confidence that the security team is going to get the attention, the investment, and the financial needs met in order to secure the organization.

Dr. Dave Chatterjee: Fantastic. Well, on that note, we can end unless you have any final thoughts, anything else that we should have covered or talked about?

Erica Davis: No, I mean, the last thing I'll say is, you know, I know insurance as a whole can get a bad rap. And I really like to think of the cyber market as performing differently from that. There's huge amounts of investment and attention being paid to helping organizations understand the risk, helping them stay in front of it, proactively notifying them if, you know, vulnerabilities are identified. And I look to the future and realize the needs aren't being met now, but there is so much work being done and so much left to do in order to make this, you know, a sustainable and relevant market. So, hopefully, the audience today found it helpful, but I'm available for any other follow-up questions.

Dr. Dave Chatterjee: Absolutely, thank you so much for your time, it's much appreciated.

Erica Davis: Thank you. Appreciate it.

Dr. Dave Chatterjee: A special thanks to Erica Davis for her time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer: The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.