What Will the 2022 Cyber Threat Landscape Hold?

What Will the 2022 Cyber Threat Landscape Hold?

Show Video

My name is Tanya Amidei, and I'm the program manager on the business development team at liberty company, and I'm honored to introduce to you our speakers for today, who are Tony McIntosh, Dan Law and Michael Ferris. Tony. thank you, Tanya, and thank you, everyone for joining us today to discuss the cyber landscape and what that may hold for us this year in 2022.

Joining us today we have Dan Law, vice president with cowbell cyber, one of today's leading cyber insurance carriers. And Michael Farris, CEO of ABA code, a leading cyber defense and security company I'm your moderator, Tony McIntosh, managing partner here with the liberty company, and it's a pleasure to be with you. Now, being a few months into this new year right now is really the perfect time to evaluate if you're doing enough to bring awareness to the threats your business is facing.

With growing concerns about cybersecurity reaching new heights, I don't think it's a shock that businesses everywhere are taking a look at how safe they are against these threats. And I'd be willing to bet that probably over 90% of us on this webinar have experienced some kind of cyber threat. An odd email request from a colleague, a magical inheritance offshore in Africa, or a password reset email out of nowhere. Some of the cyber goodies that we're going to cover today include facts about cyber insurance, some top industries associated with cyber claims, helpful Career Insights from cowbell and from ABA code. We're going to learn about some valuable levers you can pull down on and activate for better cybersecurity.

So as we get started here, let's set the table right with some facts about cyber. In many ways, cyber risk is its own pandemic, right? I mean, ransomware has quickly become the predominant strain. Some reports have estimated that volumes of attacks alone have increased anywhere from 200% to 300% in one. And that will likely double again as we look forward. And unfortunately for many of us, the majority of cyber events are directed at small to mid-sized businesses. Cyber criminals are also shifting to more advanced techniques in an effort to maximize their returns.

In addition to leveraging AI or artificial intelligence, they're also deploying supply chain attacks. You can think of it this way. Hackers covertly install malicious code into a software update, which is then installed by a large number of its users, effectively breaching numerous victims. So when we think about it, of course, small and midsize businesses are victims more right because cyber criminals are spending more than these companies typically are with their entire IT budgets. So the demands themselves are growing, and in many ways, they're growing exponentially. Many experts are citing that a ransom increase has increased over 50 to 80 percent, with remediation costs also doubling to $2 million, up from an average of 761,000 just two years ago.

Think about that. These increases can be attributed to the surging value of bitcoin, the increasing willingness of victims to pay, and then advances in intrusion techniques right with the growing market of cybercrime in general. So many companies can be hacked with ease as a result of outdated or unpatched software. Poor password hygiene. Open web ports. Unencrypted data in transit.

And a lack of endpoint protection. And you don't have to be a target to be affected. Cyber attacks can spread through your suppliers or your outsourced technology providers, leading to significant impacts even when you aren't the target. So many carriers and cyber defense firms have seen significant collateral damage from cyber incidents originating at separate companies.

Right, Michael Wright, Dan. All right. Hey, to jump in real quick, Tony. Sure one of those tech techniques with a remote workforce is remote desktop protocol, which effectively says if you work from home, this is how I access files and folders.

So we're seeing attacks. Two out of three attacks coming from that remote desktop protocol and a third of those coming from phishing emails, which most people are familiar with. So the remote workers definitely seen an increase in breaches, right? With today's world, that's exactly where everything is going, right? So I think the question becomes, what if your data is data storage provider is the target of a cyber attack and your data is compromised in the process? Are you prepared? That's a very good question to ask yourself as you're thinking about your cybersecurity defense. So as Michael was alluding to the combination of COVID lockdowns, the increase in remote work arrangements, the mass resignations and the resulting labor shortage is also providing an ideal environment for these ransomware attacks. With employees working at home, they may be distracted or disregarding security protocols.

New employees are often poorly trained, and the labor shortage is causing many employees, as we all know, to become stressed and overworked. So all of these situations, as Michael was alluding to decrease employee awareness, resulting in an increased likelihood of being breached. And despite all of that, less than 3% of small to midsize businesses have cyber insurance. That's a staggering, staggering number.

Dan, what have you seen in terms of the number of insurers that are just now buying cyber insurance relative to renewals? We do see quite a bit of first time buyers entering the cyber marketplace, and we're not alone or unique in that regard. All of our competitors in the space. The volume of submissions. The volume of inquiries coming in is significantly picking up month over month.

Numbers continue to grow pretty exponentially in terms of businesses wanting some assessment done, wanting to know what coverage would look like, where they're deficient and their protections to get a quote from us. So the awareness is certainly growing. I think that speaks a lot to what you folks are doing on the brokerage side, but also just general awareness and the news media about the events that are taking place out there, right? And so cyber insurance is important because of the obvious. In my opinion, cyber insurance is important because it provides affirmative protection, traditional insurance policies maybe inadequate to respond to cyber exposures.

A cyber policy is specifically designed to address these gaps and give you the affirmative protection against exposures that can really be difficult to understand. Cyber insurance is a complement to existing it teams supplementing their skills and protecting the business from the unknown. Michael, how do you engage it teams when you're working at deploying some of the levers that your clients pull down on in conjunction with, you know, some of what the cyber insurance carrier has brought in forward in terms of vulnerabilities or patchwork that's needed to take place? Yeah, we really help IT leaders leadership inside an organization, you know, address kind of two areas. One, it's the how do I implement these technologies, services and controls that are required to meet the application or the new liability policy? And then how do I effectively communicate our need for this to my c-suite, right to the CEO and the cfo? So that's what we spend a lot of time doing is more of the business discussion around cyber compliance and insurance.

Not only we transfer kind of the technical discussion into a business discussion that can be relayed to the c-suite, Michael, just to touch base on that point, I'm sure you would agree. We well, we used to get a lot of questions about if I implement x, y and z, what will my discount look like on my cyber insurance policy? And that's really not the name of the game anymore, and I'm sure you're seeing that as well. It's these are barriers to entry, to even getting coverage. Some of the tools and implementations that you would be handling on your side of the fence. So, yeah, 100, 100% not only is it just, you know, these are table stakes to do business on a go forward, but really companies should think about it as an offensive weapon, right? If I now have cyber liability insurance and I implement. Cyber security and a compliance program, I now can market that and use it, you know, my sales collateral material.

We have seen clients who have been proactive in doing this. Getting both of those components on board have an increase in revenue. So and use it as a, you know, offensive like I said, or a marketing component. All very good points.

The top five industries targeted these days by cyber criminals include some of the obvious right professional services manufacturing, retail, health care, financial services, and let's talk about some of the common claims that arise with these industries that we're seeing out there. Now, cybercrime, hacktivism, sophisticated attackers, they're all carrying out espionage on behalf of the beneficiary. And these are just some of the risks to consider, right? We've got vulnerabilities to cyber events.

It can be really high as many financial institutions are dependent on highly interconnected networks and critical infrastructures. With a high dependency on technology, most financial institutions will continue to see increased exposure to cyber risk. The digitization of medical records has resulted in an increased reliance on health care companies on computer systems to collect and transact highly sensitive personal health and medical data.

There is a high exposure to administrative errors due to the reliance on employees to input accurate information into systems. Legacy computer systems at health care companies are often segregated, which increases the potential that one event could have severe impact on operations. Whether online or brick and mortar retail companies often have many locations that may or may not operate on centralized it systems, they often have a reliance on complicated network or critical IT service providers with the potential dependency on websites due to the increasing number of online sales and aggregated amount of sensitive personal information due to the high frequency of financial transactions and loyalty programs. But with the amount of confidential data collected, the professional services sector is a popular target for cyber attacks, as you can imagine. For example, the information of funds a law firm or an accountant holds can be lucrative for an attacker.

And the reputational consequences for a form for a firm excuse me, suffering a breach can be highly damaging. The aggregation of sensitive client information has fueled an increase in cyber events impacting professional service firms in the recent years. Many manufacturers are leveraging the internet of things, iot, digitalization and cloud services, which all increase the impact of certain cyber events. There's been recent events impacting industrial control systems and supervisory control and data acquisition systems, which have had crippling effects on some of these manufacturing operations.

The hospitality sector covers a wide range of operations, from hotels to bars and restaurants across that industry. Cyber related exposures include large volumes of consumer and employee information on often heavy reliance on websites for customer bookings and loyalty program information that can lead to privacy issues as it can be a target of social engineering and phishing attacks. Media and entertainment companies often face cyber extortion threats and maybe target. That could be a target to sensitive material and content, distributed denial of service attacks or computer system outages may significantly impact broadcasting activities and the timely content delivery of those. The possession of sensitive personal information of subscribers compounds this exposure. Educational establishments are at risk due to sensitive data that they hold on students and staff.

Schools and universities have limited IT budgets and resources, so threats are both external and internal, whether it's from a student introducing malware into their network either maliciously or inadvertently, or a staff member not following protocol leading to a data breach. Technology companies are trusted by their clients and customers to be industry leaders in cybersecurity and the protection of data so increasing. They have an increasing risk of reputational damage that could follow a cyber event. Cyber events experienced by technology providers can also have an impact on their tech coverage.

So as cybercrime becomes more common and costly, cyber risk continues to increase for all organizations. The pandemic has shifted more of our work and lives online, as we've discussed, and the shift has introduced new vulnerabilities that are being aggressively exploited. Cyber insurance and private and proper cyber security play a key role in managing and reducing cyber risk. The framework that is built is extremely important, and as part of that foundation should be your cyber insurance carrier.

Now, cyber goes far beyond traditional insurance by providing technology and expert support before, during and after an incident occurs. And with that, I'm going to hand it over to my friend Dan Law with cowbell cyber to discuss their cyber assessments and the type of insights you can gain working with your carrier partner. Thank you, Tony.

I appreciate that. And really, that framework that you just laid out speaks very well to our approach in the marketplace to how we're looking at the cyber insurance and assessing the risk of those businesses that we're choosing to insure or choosing to not insure. So our approach really is that of a closed loop risk management take on cyber insurance. So initial assessments conducted will walk through that a bit. And what that looks like that drives the insurance product and the customization that somebody in Tony's seat can come up with for a particular business.

Not all of them are created equal. Manufacturing business that has downtime, we'll run into specific business interruption concerns that maybe another business may not face, and maybe it's a reputational risk for the law firm, whereas downtime might not be as important to them. So we look at the assessment, we look at the insurance coverage that we drive, and then we're really focused on this idea where Michael and his team can play a role as well on the improvement of that cybersecurity posture. So when we think about cybersecurity, we look at the cybersecurity framework and try to provide resources and support for our clients, our broker, our technology partners throughout that lifecycle there.

So as we step to the next slide and really look at that initial assessment that we're conducting folks like cowbell in the background today, we are looking at these cyber risk of some 22 million organizations throughout the United States largely focused on small and medium sized enterprises, so those businesses up to $250 million in revenue. And we are pinging firewalls. We're running outside and scanning on those organizations. We look at about 1,000 risk signals and data points in the background continuously on those businesses. So we are assessing your network security, your cloud security posture, your likelihood of cyber extortion events, and then we are comparing those scores. We drive it to an industry aggregate score and then a specific company aggregate score.

So what we are doing is within our framework, within our understanding of cyber risks, and it evolves continuously and evolves every day, every month with the changing threat actors, the changing threat landscape, different attack vectors. We're able to apply all of that knowledge to our assessment on the front end when a business is brought to us to assess and then drive that information further back to the insurance product and what we can provide to the insured in terms of resources and closing that loop there. So if we step to the next slide.

Uh, what are connectors that we've built within our technology framework really allow for a deeper assessment, you know, we're looking at security practices applied to cloud applications and email services. These really speak to some of those avenues that Tony talked about how people are getting into organizations. Is MFA applied everywhere? You're going to hear that whatever application you're completing for cyber insurance is going to include those questions these days. And really, not just is it enabled, but where is MFA enabled? Is it on mission critical systems? Is it on your cloud deployments? Is it within your email framework, data in the cloud and exposed on the internet without protection vulnerabilities and patch management? All of those sorts of things.

So we've built connectors, as we call them, with various technology platforms to further drive assessment and understanding of your cybersecurity posture of a particular organization, all within the framework of driving resources back to the insured, back to the broker, back to your technology vendors to improve upon your cyber resiliency and the posture that you've got there. I'm sure, Michael, you would agree. You know, one of the things that we drive to a lot of our clients is the cyber awareness training. I'm sure you would agree that's an important aspect of anybody's security posture, seeing that a lot of attacks are human error based. 100% Yeah, it's still one of the largest threat vectors is the employee.

But that you listed MFA multifactor authentication critical must have. We see one of the biggest reasons or hackers get a hold is these unpatched systems. And so, yeah, everything you're listing is just right on.

Yeah, it's really an interesting time in the market. I was going to call it a neat time in the market, but it's an interesting time in the market where there is. I've never seen more alignment between people in 3 distinctly different chairs like myself, Michael and Tony, and everybody trying to drive toward that same result with the insured.

You know, there's an understanding of the threats. There's an understanding of some of the technology practices that can be brought to bear what carriers are really looking at, how they're assessing the risk and all wrapped up in sort of driving resources and resiliency back to the insured to hopefully prevent attacks and prevent them from being shut down. You know, that day you get a claim reported is basically the worst day for an organization out there. You know, much more impactful typically than any work, Comp claim or property claim that they may have in the life of their organization.

Yeah, and you bring up a really good point, Dan I think there's a lot of misnomers out there in terms of, well, I don't need cyber insurance. My my credit card processing company told me that I'm good as an example. You know, these webinars are so important in driving edification and education to our clients and prospects and just the population in general. And to your point, you know, pulling together the three components that are really critical to a framework and having that alignment on your team, you know, provides you with an advantage in the marketplace.

Absolutely I agree, too, and I mean, we preach, you know, having cyber liability insurance to everyone we speak with, and I think there's still a bit of a mindset out there. Will it happen to me, especially for the small to medium enterprise? What data do I have and will it actually happen to me? And we can tell you, yeah, it's definitely not an if it is a win. A a small part of our business is digital forensics and incident response, and one had ransomware. We come in and help them out.

And most of those companies were doing things right inside their company. They just weren't doing the right thing. So having that policy is just it's a must.

And the training, to your point, Michael, that you brought up, I mean, that's really critical. We get emails monthly in terms of the amount of training that we have to do in cyber and the awareness that's really critical to your staff because that's where your vulnerabilities are. I mean, yes, they're in the obvious in terms of, you know, outdated software and you can provide solutions there, but then your biggest vulnerability is within your staff is within your teams. The human error component is what drives a lot of the claim activity that you see out there. Yeah, absolutely, absolutely. If you want great on the, you know, the assessment, the intake of data, the ingestion of that, the understanding of what risks of business faces, the threat actors, the threat vectors that we see are outside in scanning, then the scanning behind the firewall with our connectors that we're able to conduct.

All of it is done within the framework of driving insights and intelligence back to our clients to help them resolve issues that we've uncovered, help them get an understanding of how we're seeing their cybersecurity framework and how they can adjust things to improve upon their scoring for us, but ultimately the protection and resiliency that they're providing to their organization. So we drive a lot of understanding about, you know, our insights and intelligence step by step instructions that are insured can take to improve upon that resiliency and trying to close that loop to the best of our ability for our clients, which we think is really important and a service that we are, you know, really eager to provide to our insurers out there in the marketplace. You know, a lot of small and medium sized businesses, they are the source of attacks by sophisticated ransomware gangs, and it's because there are not significant IT budgets. It's because there are not, you know, a CISO on staff. And a lot of these organizations that has their finger on the pulse of the it framework has that 24/7 monitoring in place unless you're getting it from an outside firm like Michael would provide. So we think it's really important to provide those insights and recommendations and clear steps that somebody could take to check boxes to improve their framework a bit.

You know, that's a really good point, and I know that with some of our clients that we have insured with cowbell, we've seen these reports come back. We've seen your Team Activate education around, hey, this is what we're seeing. Here's what we need done prior to us coming online or, you know, initiating the policy, effectuating the policy. And I've seen it in real time with the IT department comes in and goes, wow, we had no idea that we were vulnerable. We thought we were good to go based on our understanding.

This is great information. This is great insight to be able to provide a better framework for that company. And it it worked its weight in gold. It seemed like so good stuff. So, you know, just to touch base on sort of the same things that Tony and we've been talking about here, you know, 85% of breaches involve a human element.

And that's sort of by design. You know, the threat actors are out there for small and medium sized businesses. They're throwing spaghetti against a wall to see what's going to stick. And eventually, somebody, you know, John Doe within the organization is going to click on that link, that's going to let somebody into that environment. It's important to know, as Tony alluded to earlier, that the budgets of these folks, these ransomware gangs, these are businesses where people are paid a salary to spend day and night focused on infiltrating your business and specifically on those industries that Tony alluded to earlier.

You know, a lot of those organizations cannot have downtime. I don't know many manufacturing businesses that run lean and can simply run another shift if they needed to make the widgets that they're trying to make. Most of them are already running at full capacity, which is why the ransomware gangs attack them because they know it can be a quick payment to get the systems back online.

Same thing for law firms with the critical data that they have insider information on businesses, potential mergers and acquisitions. Things of that, there is significant source of attacks simply because of the data they have and what it can be used for with the ransomware, the threat actors. So, you know, we continue to see the frequency, the severity increase across market segments. Ransomware really is sort of an epidemic, you know, appeared in 10% of incidents in 2021 which was double from the prior year.

A lot of this data is a little bit tough to come by and relies on public reporting of information, which we know is not very robust. There's not a significant framework for mandated reporting, although we do see some of that coming from the federal level for particular industries and, you know, utilities, government agencies, federal contractors and things like that should provide yet further details on the threat landscape. But but really, it tells a story of where, you know, rates and coverage elements and things like that have headed over the past 18 months and where we think they're going to continue to head in the future.

And I got a question for you, Dan and Michael. Since the activity that's been going on in Ukraine, have we seen an uptick in potential breaches or some kind of compromising of a system? Do you guys have come across within your subsets of clients where they've been reporting to you? Hey, we're seeing an uptick in activity or you guys are seeing an uptick in activity as a result of what's happened. So I can take that one first.

You know, we've got an increased awareness and definitely monitoring and information. We've been pushing out to sort of five industry segments that have been identified as sort of potential attack vectors for, you know, you're looking with the conflict potentially creating sort of a government mandate. So we would expect those financial institutions, those utility providers, you know, cities, state and local government and things like that to be really the source of attacks there when you've got ransomware gangs trying to make a point trying to retaliate for something. So we've got sort of a heightened sense of alert there. I don't believe that we've seen an increase in attacks as of yet, but some of these things have a bit of a longer tail on them. We we don't necessarily see them on day one.

Right systems get infiltrated and can rear their head, you know, six months down the pipeline. Sure yeah, and we're seeing increasing activity for sure. We have two security operation centers. Those are 24 seven, so we're tracking real time hackers all over the world. We can literally see shift changes, right? See see them do a shift change. And we've seen increased activity.

And then you have kind of macro economics happening where I'm sure a lot of your clients are in growth mode. So we're also seeing a lot of breaches and events happen during M&A transaction raising of capital, you know, things like that. And so hackers are aware of that activity, right? And during those events, that's where we see companies being very vulnerable. You know, that brings up a good point on the cyber insurance market continues to be challenging, as Dan alluded to, largely due to rapidly increasing losses.

So insurers are really reevaluating their books of business. I'm sure you're doing the same thing, Dan, on your end. But first time, you know, from our perspective, first time cyber insurance buyers are being highly scrutinized by the markets because of all those aforementioned components that are necessary mfa, endpoint protection, et cetera.

And with respect to renewals, in some cases, some insurers are being non renewed due to a lack of fundamental cybersecurity loss controls, as you're mentioning, Michael. And so not implementing those controls have significant impacts to coverage or renewal economics. And in general, some of these renewals that we've seen face reductions and limit capacity, increase retention and post sublimates for certain exposures, coverage restrictions or premiums that have doubled or tripled that really materially exceed budgets, right? And what those expectations are. So this is a good segue way. Let's discuss some of the ways to mitigate these by installing a better framework. With that, I'm going to introduce Michael Farris, as you've heard already speak CEO of ABA code leading cyber defense firm here in the US to talk about some of the Cybersecurity and compliance mechanisms that they can deploy.

Yeah, thanks, Tony. So we're really in the business of outside of the cyber liability policy and the assessment component, we're the group helping companies implement and manage a full cybersecurity and compliance program. And you'll see this unified cyber security and compliance message that we put out there.

And the reason we did that is because you can be secure and not compliant and compliant and not secure. And speaking of that, like the prior liability policies that were put out there, everyone knows that the renewals coming up, the controls and the requirements inside of that application are increasing. In a big part of that is that companies either weren't doing those things, implementing those things, or it really just wasn't enough. So that's why we always talk about cybersecurity and compliance unification in the same manner, because this is really where clients need to be us for a global firm. We have insight to threat vectors, threat actors, compliance activity all over the world.

We've really built out by the request of our clients a full cybersecurity and compliance program that consists of things like 24/7 monitoring, Cybersecurity Awareness training, vulnerability assessments and compliance readiness. So outside of a the cyber liability policy, which has certain requirements and a lot of those requirements, follow this nest framework, which is a great standard framework. A lot of your clients, you'll have to understand are having to meet multiple other standards. So if you're in the DOD supply chain, you might have to meet CMC.

If you're a software development company or you have a Sas product, you'll probably have to be SOC 2 compliant. A lot of manufacturers are ISO 9001 or 27001. If you're in California, you have to meet the CPA, right? That regional requirement.

So they're dealing with the liability part of it, that policy, but also other factors. And so so we can help on both sides. But it's good to understand that they're facing this compliance from many different areas. And then with us, you know, we collaborate. D'antoni groups like this legal, regulatory compliant audit certification firms. It's really good to understand the ecosystem that surrounds why companies have to make these decisions and the players involved, which is good.

In addition to that, we stood up a cyber applied research lab we call Carl, and this is where we'll regularly bring in a lot of these cybersecurity and compliance products, these software products and platforms, and we'll understand them. We'll train on them, we'll get certified in that way. When we're speaking with a client, they're always thinking about, well, what are these technologies and how many of them are there and how do they compete? They can have a business discussion and make business decisions around implementing new technologies inside of their stack or their program to make financial sense and business sense based on the industry they are in or their financial budget. And that's the smart way to go about it.

And then us, we like to say we eat our own dog food, so we not only help companies become compliant, but we meet those same standards as well, like being socked to ISO 27000 one, so forth. Next slide. We feel it's important, I think what Dan and Tony have been speaking about is really how do we have a business discussion with leadership right to address all these challenges? So for us, that's first and foremost, we were really born out of the boardroom, we like to say. But it's important to know how the CEO and the board is thinking, like what are their topics of concern and for CEO and the board, a lot of times it is governance and compliance, like how do I implement the right checks and balances between it and security, which there should be? There should be some separation of duties.

There should be that tax and audit component. What's my real exposure? What additional compliance standards should I face? It's good to understand how the CFO is thinking in finance right there about cost, but they really don't have enough visibility today to make those financial decisions. So when they're looking at a liability policy or implementing security controls, it's really how do you give them the awareness, visibility, kpis, metrics and Roi on that spend? Because that's what they need to know. If I spend x, what happens with y And if I spend more, do I get more? And so it's important to understand how that group is thinking. And then, you know, the CIO and it management, what they're dealing with out there. We're seeing just every day is the complexity and confusion.

One part of that is for every one of these controls that they need to fix to meet that policy, right? There are 38 products that do the same thing that say they're the best in the world. And so there's hundreds and hundreds of different products and technologies that are used in meeting these controls, and it's confusing. They don't have enough resources, knowledge, time to be able to do that.

And that's one thing that we help with is being able to evaluate that. But they're just dealing with that, that white noise, which makes it hard for them to make decisions. Next slide. So we've touched on these external forces driving compliance requirements and cybersecurity requirements. Obviously, the renewal component is huge. And they had on the renewal side of it.

Know what does that landscape look like a little bit further and what conversations are you having specific to the increase in the controls, right? Because the prior policy in this new renewal application is different. And I'd love to hear what some of the conversations you're having with your clients on that increasing controls and what they're saying. Dan, Dan, is that for you, buddy? Yeah, it might be.

I mean, what we're trying to do on our side is really get out in front of it and far in advance possible and engage with our insurers, with our brokers to explain what we may be looking at, what the landscape might look like to sort of prepare them for those conversations. And we're seeing a very strong willingness from our insurance to engage in that process, which is created by the awareness that the brokers, the technology partners are all creating there. So, you know, really a willingness to get engaged early on, figure out what it looks like, what steps need to be taken, what was maybe deficient last year, or the table stakes that will be applied to something this year at renewal. You know, we're committed ourselves to, you know, renewing what we've got on the books when it makes sense to do so outside of, you know, some significant changes to maybe a business operation or what it might be.

But but, you know, we're looking to provide that guidance. We've got those insights and the recommendations really at our fingertips and ready to apply. So, you know, a willingness from the client to engage on that stuff is super helpful for us in assessing and evaluating terms to put on the table for renewal. Yeah and I would say from my perspective, it's challenging when an insured is not as proactive as they should be in these areas, meaning they're trying to obtain cyber insurance. But they don't have MFA or endpoint protection as an example.

And then they're trying to go through this mad dash of how do I install that right now and make that work? So that way I can get that particular proposal or premium that seems to be more in line with my budget. However, that particular carrier is extending that premium because they assume that I have, you know, a well-established framework and security measures that meet their marks. And for us, it's more advantageous for our clients that have been more proactive in their approach to a proper framework and trying to better understand cyber, better understand the impacts that this can have to their business.

And then just the simple, very simple things to put in place, quite honestly, to make sure that renewals aren't as challenging. And then being engaged with a security vendor, much like the ABA code to help drive awareness, help drive more proactive approaches towards their cybersecurity framework and mindset has been more advantageous than the counter, where they're more reactive as a result of not being able to obtain the kind of terms that their expectations have. Yeah, and that's what I was good to see with, you know, going with our approach to really assisting and engaging with insurers. We've taken it a step to build a, we call it, the cowbell risk exchange where we've vetted some of these technology partners. Some of these, some of these providers, some of these folks that can engage with insurers. So when we identify those deficiencies, we've got a nice, smooth handoff, somebody for Tony to engage with that particular insurer to say, you don't have this, you can't get that.

But here's a solution that we can provide to you. Here's somebody that can get in here and solve those exactly what they're looking for industry specific solutions, specific folks that we've engaged with again, just around driving resources, driving efficiencies and driving that cyber resiliency to the insured. Yeah, that's exactly right, Dan, because what you and Tony mentioned before about the collaboration between groups like ours has never been in more lockstep. It's because of that, because we all know the new policies coming up right are going to have increased controls. So the back end of that is when that insured or potential insurer gets that and then they get with a risk or their IT teams.

A lot of times they just don't have the time of the people to be able to implement, right? So that bottleneck. And so we built a business on solving that bottleneck, right? Because we can implement and manage the entire thing, all of the controls. And so that's why this is a closed loop and it's so important that everyone works together. But that's what we're seeing, especially on the renewal side. And this is part of the reason we've created a new category.

We call it manage cybersecurity and compliance provider or MCP. And this is really what I spoke about before is unifying security and compliance because compliance when it comes to cybersecurity is a little bit broad, right? You have the insurance compliance component, but then you have all these other regulatory compliance components and. Similar to how we feel similar to what Europe has done is they have something called GDPR or it's every company, no matter what your size, industry sector, how many employees, you are required to meet a minimum level of cybersecurity maturity or they will find you.

And it's a big number. We don't have that yet. We have it mainly by industries or geography right now, but it is absolutely coming.

So our job, our goal was really to unify those two things and come up with CCP. And then next slide really gives you kind of an outline of what we call MCP core because most companies are taking a, you know, just a, you know, a product driven or a patchwork approach to security and/or compliance. And really, our thoughts is it's more of a programmatic approach. How do I implement a program map to a compliance standard inside of a maturity model with consolidated reporting right? And then how do you implement that program and not only gives what the it and the risk folks require, but it also speaks to and provides the non-technical c-suite what they require? And that's really our opinion and what we're seeing an industry being adopted. More is a little bit of a consolidation of suppliers because it's just it's overwhelming, overwhelming and more of a programmatic approach.

Next slide, and I'll briefly go through this, so again, we have two security operations centers, these are analysts who look at and monitor software and activity inside of systems. 24 hours, seven days a week, we're looking at threat actors and vectors all the time, every day. It's kind of the fundamental core component of our cybersecurity and compliance. All those components drive into is this, you know, 24/7 security operations center. Next slide.

And then it's important for us on the technical side to collaborate with the IT providers. So kind of the SOC knock model. And so the network operations center is kind of the health of your environment, uptime, things like that. The security operation center is more the immune system and the security of the environment, but it has that check balance component to it. And then for us, like Dan mentioned on this continuous assessment piece, we feel the highest bar really.

Where everybody should be trying to, should be trying to achieve is a continuous state of security and compliance and be able to approve it, right, real time any time that way, if a, you know, an insurance provider, a financial partner, a law firm, somebody a compliance regulatory compliance standard says, show me how mature are you, where you're meeting that standard or that policy that you can show them in real time. So we have a portal that effectively allows them to prove it. But being a continuous state of security and compliance? Next slide. All right, so what we've done is provided you with what we feel is a pretty active cyber framework, and cyber frameworks are going to be specific to each business. You need to have a broker, one in particular that love cyber insurance.

Liberty happens to love cyber insurance. You need a good carrier carrier is very important. You've got to have resources. Be able to pull down on and activate. Cowbell is one of the best out there, and you need a good vendor. You need a good vendor partner that understands your business can provide you with the solutions that makes sense in ABA code.

There's a barrier of defense, so we'd like to thank our audience for taking the time to learn about the cyber world as we continue our journey into 2020 to. Every business has a different cyber insurance and security need. We hope that we've provided you with some insights to properly build a cyber framework that you consider appropriate. With that, I'd like to open it up for any Q&A that may arise. I thank you so much, Tony, Michael and Dan, for sharing this extremely valuable cyber knowledge with us today.

We do have a few questions from our audience that I would like to present to you all. Tony, just once for you. I think you touched on this at the beginning of the presentation, but it would be great if you could reiterate what industry segments are suffering the most from cyber threats and data breaches. That's a good one. Also, pull on Dan for that one, but some difficult classes to ensure right now include health care, real estate collection agencies, title escrow municipalities as Dan mentioned, schools MSPs who managed service providers, utilities, law firms, technology companies, game developers and distributors as well. And then any kind of risk that has a high number of PII or THG records.

Dan, what else could you provide in context to that question? I would add some carriers having difficulties with manufacturing risks, which was one of the ones you noted in the slide deck there, but didn't just highlight. So again, it's really the ransomware and the downtime risk as it relates to business interruption, which is often a component of a cyber risk policy and really should be included in and any robust cyber policy there. So it's important to think about these industries, not just in relation to data theft and personal records, but it's really that loss of income in the event that their systems are hijacked and shut down. So the extortion threat that comes along with that, the payment of ransom, that's a portion of it. But the forensic costs to get back in the downtime in the business interruption exposure, those are significant cost drivers for any insurance claim that we're seeing that involves ransom or extortion these days. Yeah so your first party coverage is are really critical to be taking a close eye out and making sure that you understand the different various limits that get notched into your first party coverages to dance point business insurance, business interruption even contingent business interruption can be afforded in cyber.

Absolutely, absolutely so. But spot on with the industries that we typically see that are facing difficulty in the market, and that speaks to the claims aspect, right? That's where the claims are arising. That's where the significant dollars are. That's why the increased scrutiny and tougher to get coverage. Great question. Yeah, great question.

Michael, this question is directed towards you. What are the two most important cybersecurity initiatives you should implement to protect your company? Yeah, so outside of, you know, mfa, which we've spoken about, I think I know the two are continuous fishing training, Cybersecurity Awareness training for employees still number one, but it needs to be ongoing training. It can't be a project or point in time. It needs to be a continuous program, ongoing program. And then the other is what's called EMDR or 24/7 monitoring.

And the reason for that is a lot of companies will implement policies and procedures around cybersecurity or compliance. They'll even have an incident response plan. They may have done an assessment or a penetration test or have firewalls or antivirus or even MFA. A lot of these things we spoke about, but none of those things will tell you if a hacker is inside of your system right now or for six months stealing data, except for 24/7 monitoring.

It's the only thing. Well, thank you. Thank you for that. Here's another question for probably Dan and Tony.

What do carriers require of a company before buying cyber insurance? Question from my vantage point, I'll let Dan piggy back on top of it. Most carriers are requiring a completed ransomware application, multifactor authentication and fully implemented cybersecurity measures. Endpoint protection is important, although not completely critical to obtaining coverage.

What else would you say, Dan, that stands out as a requirement? Yeah, I would. I would echo that. I would say really the mfa, the multifactor authentication is a hot button item. You're going to see that from virtually every carrier out there.

And as I alluded to earlier, applied to various systems. So on the email service, on mission critical on cloud deployments, we're also looking for an incident response plan that's been tested. We want to see backup frequency of data and that those backups are stored securely offsite, segregated from a network and that the backups have been tested.

A lot of times. We have seen claimed scenarios where somebody indicated that they're backing up data. You know, every week, every day they go to Institute a backup and the backup has failed. Or is it or is encrypted as well or is useless to them because it didn't back up a specific system? And the backup needs to be disconnected. And segregated from the network, right? At least from what I'm from what I'm seeing. I'm not sure if that's a requirement of cowbell.

I'd say some other additional things that we've seen is requirements of next generation antivirus protection with endpoint detection and response, email filtering solutions I'm seeing now, as well as MFA for privileged users email and then, of course, remote network access. And then to Michael's point, earlier, we really look at the cadence of patching software, you know, in this day and age, you know, we continually see, you know, a critical flaw within the Chrome browser that requires people to proactively push and update this happen a couple of days ago. A security flaw. And when we're heavily reliant on large software suppliers and vendors out there, staying up to date with a patch cadence and making sure everything is done appropriately is really critical.

As new threat actors and new threat vectors are defined and uncovered sort of the zero day attacks, we need to be patching and aware of those things. Great, thank you for that. We have another question here. What are acceptable cybersecurity measures that a company should consider? And I think we just heard on that, but you know, again, it's the backup solutions that are disconnected or segregated from the network, antivirus protection with endpoint detection and then, you know, email filtering solutions as well as the MFA components are extremely important in terms of those cybersecurity measures that companies are asking questions around.

Yeah, I think the other thing that's important because that's a great question. A lot of companies don't know where to go to understand that. So what we tell them is follow a framework, right? So I know Dan brought up earlier about or Tony brought up about the missed, you know, framework. So what? This is a compliance cybersecurity compliance framework, and you can look it up online nest 800 171 or just look up the nest framework and how we see it. As if you're not required today to meet a compliance standard, then you should look at 3 and it's really the Cia's top 18 controls or 20 controls.

The next up would be this nest framework, which is a good, solid framework. If you follow that, do what they tell you, you're going to be in a pretty good spot. And then above that would be 27001 a little bit heavier left a lot of controls you don't involve, but with that framework, you do get a certification at the end, which some people like.

But I would say follow a framework, probably one of those three and that will get you on a good path. The point, and then I think this is a great question to wrap things up, but is there anything a company should watch out for with upcoming cyber renewals? Limits coverage. Watch out for ransomware. Extortion supplements, including co-insurance now. Social engineering callback requirements. I'm seeing cybercrime that excludes third party funds that are escrowed short periods of restorations.

Indemnity from business income and reputational harm is really important. So as Dan mentioned, your business interruption or your CBI, which is your first within your first party bucket, is important to be looking at. Also, what's important is considering a crime coverages, you've got your first, you got your third and you're going to have your crime coverage issues that are associated with the cyber policy. Those crime coverages will vary depending on carrier and what they cover.

So make sure you're looking at that and then make sure that your broker understands the definitions and the ensuring agreement with that carrier and that you're seeing some kind of comparison as you're going through your buy over each carrier. So you've got your carriers, you've got coverage and your understanding by a comparison. So you're making a very educated decision on what you're buying. What is the cost? What are you getting for that cost? What are the levers that you can pull down on are the things that I would be advising any company as they're looking at an upcoming renewal or a new policy. Dan, what else could you share in terms of things to look out for in upcoming renewals, I think was what the question was. No, I think I think you're spot on with that, Tony.

There's going to be a lot of pressure on rate. There's going to be put pressure on limits and pressure on retention, but making sure you've got a policy to address your needs. No two policies are really created equal. So having a broker that understands your business, what your needs are and then a policy to find around those needs and those exposures is really going to be the most helpful thing. And it's also getting in. It's now it's time, it's time to buy the policy because as the market continues to have pressure from a rating, environment standpoint is damaged, just alluding to premiums go up.

And as you have no experience in those rating environments or more challenging, the harder it is for you to obtain terms that could be within budget or are affordable first year out your first year out, you hope to do really well and then you've got a baseline of experience for that carrier to pull back on and draw to you as they're looking at your renewal each year, year after year. Great, thank you all. Michael, Dan and Tony, do you have any final comments before we wrap things up here? Nothing for me other than Thanks for the opportunity, and the audience appreciates the people spending some time with us today. Yeah, thank you very much for all of your time and your attention. Much appreciated. We appreciate the questions.

It great. Yeah all right. Thank you all so much. Thank you so much to our audience for joining us today. Please note that I will be following up with an email that includes the recording of this webinar, along with the cowbell e-book that will be included as an additional perk for all of you attendees today. Thank you to our speakers Tony, Dan and Michael and their contact information with on that last slide, so if you need anything from them, please feel free to reach out or you can reach out to me as well, and I will get you in touch with them.

Thank you all so much and have a great rest of your day.

2022-04-06 06:47

Show Video

Other news