Episode 22
Is Cyber Insurance Necessary?
"Security experts are split on cyber insurance and its place in business, with just as many arguing that it is a useless add-on as an essential business enabler." A KPMG study indicated that these policies were not overly trusted by business leaders. In this podcast episode, Erica Davis, Global Co-Head of Cyber, Guy Carpenter & Co, discusses at length the different types of coverages, how underwriters evaluate and assess cyber risks, the current state of the market, re-insurance mechanisms, and more. She also offers valuable guidance on how to plan and approach cyber insurance-related decisions.
Time Stamps
So let's begin by talking about you your professional journey, your current role at Guy Carpenter.
So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you and if they have any questions of interest. So one of them sent this to me, he said, Why should we get cyber insurance now? It seems that in the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure? How would you react to that statement or question?
As somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say from the standpoint of a cyber risk insurer?
Many of the listeners are possibly thinking about cyber insurance, but they're not sure where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them, recommendations?
What are some key elements of a good cyber insurance policy?
Is it fair to assume that an organization that has a very strong or robust cyber defense in place is likely to get a better deal compared to another organization?
I'll be curious to know that based on your experience of assessing culture resiliency, what are the things that you look for, as an insurance company?
I'm sure it is safe to assume that even after an organization gets coverage, it will be continually assessed, to make sure they remain eligible for the coverage?
I heard this from a practitioner that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Is this a common sentiment or just an outlier?
Let's talk a little bit about self-insurance mechanisms.
Is there any merit to this inference of mine: having cyber insurance gets organizational attention which in turn motivates efforts towards greater cyber resiliency?
Does the insurance company take into consideration how actively engaged is top management? Is that a factor in the evaluation of an organization's cyber risk and subsequently, and whether to provide coverage or not?
Memorable Erica Gates Quotes
"In the US, there are actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment."
"Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations. And it gets even more complex when we think about measuring cyber risk beyond the four walls of the organization."
"Quite frankly, as an industry, I don't think we've done a really great job at defining cyber risk and helping businesses fully grasp what a cyber product offers. But we are getting better at it."
"If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption, and extortion payment coverages offered under the first party. So I would say it's really important to understand what coverages are most applicable given your class a business."
"It is important to mention that cyber underwriting extends beyond pure evaluation at the level of security controls. And it includes things like culture resiliency, and stakeholder connectivity, and is your HR team, talking with your legal team and talking with your product dev team in and practicing and promoting good cyber standards."
"I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk."
"Given the hard market conditions, meaning that insurers are increasing prices, it's actually increasingly difficult to get cyber insurance protection without those key controls in place."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Cybersecurity Readiness:A Holistic and High-Performance
Cybersecurity Readiness:Approach. He has been studying cybersecurity for over a decade,
Cybersecurity Readiness:authored and edited scholarly papers, delivered talks,
Cybersecurity Readiness:conducted webinars, consulted with companies, and served on a
Cybersecurity Readiness:cybersecurity SWAT team with Chief Information Security
Cybersecurity Readiness:officers. Dr. Chatterjee is an Associate Professor of
Cybersecurity Readiness:Management Information Systems at the Terry College of
Cybersecurity Readiness:Business, the University of Georgia, and Visiting Professor
Cybersecurity Readiness:at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Today, I'll be talking with Erica Davis,
Dr. Dave Chatterjee:Managing Director and Global Co-Head of Cyber for Guy
Dr. Dave Chatterjee:Carpenter. Prior to this, Erica led Guy Carpenter's North
Dr. Dave Chatterjee:America Cyber Center of Excellence. She has years of
Dr. Dave Chatterjee:cyber professional and multi-line underwriting
Dr. Dave Chatterjee:expertise. Erica is a key contributor to the public sector
Dr. Dave Chatterjee:dialogue around cyber insurance, and has provided testimony to
Dr. Dave Chatterjee:the House Small Business Committee as an expert witness
Dr. Dave Chatterjee:in cybersecurity insurance. As a prominent leader in
Dr. Dave Chatterjee:understanding cyber risk at an enterprise level. Erica has
Dr. Dave Chatterjee:presented at the National Institute of Standards and
Dr. Dave Chatterjee:Technology, and has contributed to several publications, events,
Dr. Dave Chatterjee:articles, and interviews in the industry. Erica, welcome. Thanks
Dr. Dave Chatterjee:for making time to share your thoughts and perspectives with
Dr. Dave Chatterjee:the listeners.
Erica Davis:Thanks so much for having me.
Dr. Dave Chatterjee:So let's begin by talking about you, your
Dr. Dave Chatterjee:professional journey. Your current role at Guy Carpenter.
Erica Davis:Sure, thanks. Thanks again for having me
Erica Davis:today. And yeah, you know, I really got started in the
Erica Davis:insurance industry by focusing on technology risk. And so I
Erica Davis:spent the first 10 years of my career at Chubb, underwriting
Erica Davis:all lines of business. So general liability, workers
Erica Davis:compensation, auto, intellectual property or as an emissions, but
Erica Davis:with a focus on information and technology risk. So always
Erica Davis:thinking about what's coming next in terms of emerging
Erica Davis:exposures. Before I moved over to Zurich, still in an
Erica Davis:underwriting capacity, still with technology, top of mind,
Erica Davis:but built their book of business, ultimately taking
Erica Davis:greater responsibility for general industry and financial
Erica Davis:institutions. And some other risk outside of that. But what I
Erica Davis:learned in staying closely connected to the technology risk
Erica Davis:was that there was an opportunity for cyber products,
Erica Davis:cyber insurance risk transfer solutions to find a home within
Erica Davis:the industry, as interconnectivity and reliance
Erica Davis:on technology grew. And so I moved over to that side of the
Erica Davis:business with a specialization in cyber and professional
Erica Davis:liability in 2012. At that point, the industry was just
Erica Davis:beginning to grow its expertise. And truly its acknowledgement of
Erica Davis:how far reaching and massive cyber risk was going to become.
Erica Davis:And so, you know, Zurich wasn't alone in building specialized
Erica Davis:products and expertise in that space, and I worked there until
Erica Davis:about four years ago, about 2018. Still on the underwriting
Erica Davis:side, and focusing on cyber risk transfer products. Ultimately,
Erica Davis:what I learned was that the insurance space was beginning to
Erica Davis:craft solutions for the business community, who are also becoming
Erica Davis:increasingly aware of how cyber risk could manifest, you know,
Erica Davis:within their organization and also outside of their four
Erica Davis:walls. So looking at various supply chain risks when it comes
Erica Davis:to cyber. And the industry at that point had grown to a size
Erica Davis:of about 4 billion and grocery and premium, still very small
Erica Davis:compared to some of the more traditional lines of business
Erica Davis:out there. But there was a lot of work to be done on the
Erica Davis:reinsurance side, which was the insurance that sits behind
Erica Davis:insurance companies kind of simply put, and there needed to
Erica Davis:be more expertise in that space in order to build capacity to
Erica Davis:grow and support the insurance side of the house. And so I made
Erica Davis:the move over to the insurance and reinsurance broking about
Erica Davis:four years ago. And I've been with a Guy Carpenter in
Erica Davis:increasing roles since that time.
Dr. Dave Chatterjee:Good to know. Thanks for the intro. So,
Dr. Dave Chatterjee:you know, I had reached out to a couple of my CISO connections, I
Dr. Dave Chatterjee:told them that I was going to be talking to you, and if they have
Dr. Dave Chatterjee:any questions of interest. So one of them sent this to me, he
Dr. Dave Chatterjee:said, Why should we get cyber insurance now? It seems that the
Dr. Dave Chatterjee:last 12 to 18 months, the industry has moved away from
Dr. Dave Chatterjee:insuring verticals, companies, or has made the cost of coverage
Dr. Dave Chatterjee:so high, that it raises the question of why not just
Dr. Dave Chatterjee:self-insure? How would you react to that statement or question?
Erica Davis:Yeah, so just to sort of set the stage for, you
Erica Davis:know, the buying community within cyber, about 40% of all
Erica Davis:organizations across the US purchase a cyber insurance
Erica Davis:product. And that number is more heavily skewed towards mid sized
Erica Davis:and large companies, more so than small micro mini sized
Erica Davis:organizations. Oftentimes, that's because there's been a
Erica Davis:more sophisticated risk assessment process in place for
Erica Davis:you know, cyber risk on those larger sized entities. And in
Erica Davis:the US, there's actually more buyers of cyber insurance than
Erica Davis:there are outside of the US. So a greater percentage of
Erica Davis:businesses buy. And the reason for that is largely driven by a
Erica Davis:regulatory environment. So businesses in the US are geared
Erica Davis:to protect private and confidential information in a
Erica Davis:way that's still developing outside of the US. Certainly,
Erica Davis:regions such as you know, Europe, UK, have strong
Erica Davis:regulatory position now that have developed and the buying
Erica Davis:habits of the business community have accelerated as a result of
Erica Davis:that. But even in the US, companies that have a more
Erica Davis:regulated or I should say, more regulatory sort of focused
Erica Davis:mindset, somebody like health care, financial institutions,
Erica Davis:were early adopters of the product. And your friend or your
Erica Davis:contact is correct that in the last 12 to 18 months, the price
Erica Davis:of cyber products has increased significantly. What I what I
Erica Davis:would suggest is that really a reflection of the losses that
Erica Davis:have been paid out by the industry, so some pricing
Erica Davis:correction that's occurred because of that, but also an
Erica Davis:escalating risk environment where we've seen things like,
Erica Davis:you know, geopolitical tensions increase, we've seen ransomware
Erica Davis:threats increase, we see greater risk because of
Erica Davis:interconnectivity. And so you don't see pricing change without
Erica Davis:cause. Cyber products are still fairly inexpensive. When you
Erica Davis:look at the cost of other, you know, mandatory purchases within
Erica Davis:I'll call it the risk management package. But yes, you know, the
Erica Davis:businesses do need to take stock of what's at risk, what sort of
Erica Davis:digital assets they have, the discussion around whether to
Erica Davis:purchase a product is a very healthy risk management
Erica Davis:discussion, there will be potential businesses that
Erica Davis:instead elect to invest in their own information security, or
Erica Davis:should say, like architecture. And if that makes sense for
Erica Davis:them, then, you know, that's certainly a choice they can
Erica Davis:make. It's not a mandatory purchase at this time. It's
Erica Davis:still discretionary in nature. And sorry, for the long winded
Erica Davis:answer, but I would just, I would just add to that, you
Erica Davis:know, cyber products are a little bit different than the
Erica Davis:traditional products that are offered by insurance companies,
Erica Davis:and that cyber products offer you pre-breach services. So
Erica Davis:things like discounted rates for forensics, public relation
Erica Davis:firms, you know, legal sort of breach coaches, all that which,
Erica Davis:you know, you can establish relationships with and access at
Erica Davis:a discounted rate, and then incident response services too
Erica Davis:so that if and when the bad event does occur, your
Erica Davis:resiliency and responsiveness has increased by having a
Erica Davis:product in place. So, prices have gone up. And yes, that's
Erica Davis:true, but I still think it's a very valuable product for
Erica Davis:businesses to consider.
Dr. Dave Chatterjee:Good to know, good to know, in fact, I
Erica Davis:You know, I understand those those
Erica Davis:was reviewing a KPMG study where they surveyed senior information
Erica Davis:security professionals, and 74% of the respondents said they had
Erica Davis:no cyber insurance. And they mentioned mistrust of insurers
Erica Davis:honoring policies appeared to be one challenge. And they also
Erica Davis:challenges. Certainly I've heard them firsthand, especially in my
Erica Davis:mentioned that the market not being very mature, and I believe
Erica Davis:you've addressed that But then I'm just curious to know, as
Erica Davis:somebody who carries personal insurance of different types,
Erica Davis:one of the things that I worry about is when the time comes
Erica Davis:when I submit a claim, will the claim be honored? Will I have a
Erica Davis:good experience? What do you have to say, from the standpoint
Erica Davis:of a cyber risk insurer?
Erica Davis:underwriting days, I think, when we consider insurance, as buyers
Erica Davis:of products, we think about something like tangible assets,
Erica Davis:what if my home burns down, how much damage is there, you can
Erica Davis:see a fire you can smell a fire. Cyber Risk is different.
Erica Davis:Assessing its value is a challenge. The quantification of
Erica Davis:what happens if a cyber event occurs, is difficult to put a
Erica Davis:number on for many organizations. And it gets even
Erica Davis:more complex when we think about measuring cyber risk outside of,
Erica Davis:you know, your own sort of entities four walls, and you
Erica Davis:look at supply chain, and you look at potential non physical
Erica Davis:impacts that could affect you. COVID is one example of where we
Erica Davis:saw that brought to life, right? We saw supply chain severely
Erica Davis:disrupted we saw transformation of data exchanges. So there's a
Erica Davis:lot of lessons to be learned there. But when we protect
Erica Davis:intangible assets, and we think about nonlinear exposures, like
Erica Davis:cyber risk, that's difficult. And having a product that
Erica Davis:appropriately addresses those issues is also challenging for
Erica Davis:the buying community understand, quite frankly, as an industry, I
Erica Davis:don't think we've done a really great job at defining it and
Erica Davis:helping businesses to to fully grasp what a cyber product
Erica Davis:offers. But we are getting better at it. We're definitely
Erica Davis:seeing adoption of the product increase. But I do we definitely
Erica Davis:have work to do as an industry to help businesses through those
Erica Davis:complexities.
Dr. Dave Chatterjee:true, very true. Many of the listeners are
Dr. Dave Chatterjee:possibly thinking about cyber insurance, but they're not sure
Dr. Dave Chatterjee:from where to start. What should be the next steps? What are some
Dr. Dave Chatterjee:resources that they might find valuable? Any suggestions for
Dr. Dave Chatterjee:them any recommendations?
Erica Davis:I think the best advice that I can give to
Erica Davis:businesses who are evaluating whether a cyber insurance
Erica Davis:product is the next step for them is is really to work with a
Erica Davis:specialist broker who understands the risk. I think
Erica Davis:right now, there aren't, there isn't a level of consistency
Erica Davis:across cyber products. Again, it's easy for the business
Erica Davis:community to understand, you need to work with a broker who
Erica Davis:can explain the differences. And those pre- and post- breach
Erica Davis:services to you which are a huge part of the value of a cyber
Erica Davis:insurance product, you need somebody who fully comprehends
Erica Davis:the nuance of the various policy languages that are out there and
Erica Davis:can make sure that they tailor a product and design a product
Erica Davis:that that fully suits the needs of the buyer. Some of this more
Erica Davis:specialized brokers can also provide the quantification
Erica Davis:services to help inform your decision of whether to buy a
Erica Davis:product or whether to invest in your own security or to self
Erica Davis:insure is the right answer for you.
Dr. Dave Chatterjee:Okay, good to know. And when, when someone
Dr. Dave Chatterjee:is evaluating a cyber insurance policy. what are some elements
Dr. Dave Chatterjee:that one should be looking out for? What are some what maybe if
Dr. Dave Chatterjee:I would rephrase the question, what are some key elements of a
Dr. Dave Chatterjee:good cyber insurance policy if there is anything like like
Dr. Dave Chatterjee:that?
Erica Davis:So most of the cyber insurance products that
Erica Davis:are available, actually, let me reframe this a little bit. There
Erica Davis:are cyber coverages that can be offered through traditional
Erica Davis:lines of business, you might purchase a property policy and
Erica Davis:have some level of coverage available to you through
Erica Davis:something like business interruption, say something like
Erica Davis:downtime originating from a cyber related event, you might
Erica Davis:have something offered through general liability or
Erica Davis:professional liability that allows liability from a cyber
Erica Davis:related event. When you purchase a cyber dedicated product. It is
Erica Davis:a hybrid between first party and third party. And so what I mean
Erica Davis:by that is the liability aspect. So something like network and
Erica Davis:security, privacy liability, some elements of media
Erica Davis:liability, but it also includes first party coverages. So things
Erica Davis:like your costs out of pocket for forensics response,
Erica Davis:something like, you know, legal services, something like public
Erica Davis:relations, and then most importantly, business
Erica Davis:interruption and dependent business interruption. Some of
Erica Davis:the coverages that have gotten quite a lot of attention lately
Erica Davis:have been around the forensics of business interruption and
Erica Davis:extortion payments. That's largely because of the
Erica Davis:proliferation of ransomware over the last 36 months or so. So,
Erica Davis:you know, each of those coverages is is valuable, it
Erica Davis:really depends on what segment of the business you operate in.
Erica Davis:So if you're somebody like, you know, a health care provider,
Erica Davis:you definitely don't want to provide you don't you don't have
Erica Davis:a cyber product that only has, for example, like first party
Erica Davis:coverages, you want to make sure that you have liability aspects.
Erica Davis:If you're somebody who's feeling more exposed to ransomware, it's
Erica Davis:really important to look at those frantic business
Erica Davis:interruption and extortion payment coverages offered into
Erica Davis:the first party. So I would say it's really important to
Erica Davis:understand, you know, what coverages are most applicable
Erica Davis:given your class of business?
Dr. Dave Chatterjee:Now, is it fair to assume that an
Dr. Dave Chatterjee:organization that has very robust and mature cyber
Dr. Dave Chatterjee:governance processes is likely to get a better deal?
Erica Davis:So, yeah, I responded a few few different
Erica Davis:ways. So when we think about traditional underwriting of
Erica Davis:cyber risk, certainly the goal there is to differentiate
Erica Davis:customers based on their level of cybersecurity maturity. Your
Erica Davis:goal as an underwriter is to flesh out, you know, the good
Erica Davis:risk from the not so good risk and differentiate and either
Erica Davis:decline, the not so good risk, because it's certainly possible
Erica Davis:right now, the businesses aren't able to secure a cyber insurance
Erica Davis:because they just don't have risk controls that are up to a
Erica Davis:level of expectation. But even within that spectrum of good and
Erica Davis:not so good, being able to differentiate pricing and terms
Erica Davis:on the policy is a reflection of those practices and protocols in
Erica Davis:place. It is important to mention that that cyber
Erica Davis:underwriting extends beyond pure evaluation of the level of
Erica Davis:security controls. And it includes things like, you know,
Erica Davis:culture resiliency, and stakeholder connectivity, and is
Erica Davis:your HR team, talking with your legal team and talking with your
Erica Davis:product dev team in, in, in practicing and promoting good
Erica Davis:cyber standards, and things like employee training, for example,
Erica Davis:can come into play. And so part of this is, is the security
Erica Davis:itself of an organization, but part of this is around the
Erica Davis:culture that's created. And then also, like, I know, I've talked
Erica Davis:about supply chain a couple of times, but how are you looking
Erica Davis:outside of your own organization and assessing risk across, you
Erica Davis:know, upstream, downstream and your entire supply chain?
Dr. Dave Chatterjee:Very interesting, very interesting.
Dr. Dave Chatterjee:In fact, when you mentioned culture resiliency, you know, it
Dr. Dave Chatterjee:resonates with me very well, because I recently published a
Dr. Dave Chatterjee:book, where I talk about the importance of creating and
Dr. Dave Chatterjee:sustaining a high-performance information security culture,
Dr. Dave Chatterjee:and I provide organizations with scorecards to make an assessment
Dr. Dave Chatterjee:along three dimensions -- commitment, preparedness, and
Dr. Dave Chatterjee:discipline. So I'll be curious to know that based on your
Dr. Dave Chatterjee:experience of assessing culture resiliency, what are the things
Dr. Dave Chatterjee:that you all look for, as an insurance company?
Erica Davis:So, um, so, you know, a few different things
Erica Davis:there. Right. So, you know, kind of, you know, go back to the
Erica Davis:NIST guidelines, right? You have things like identifying your
Erica Davis:assets, and, you know, detecting Tricia evidence but it's also
Erica Davis:more around like the disaster recovery, right? How are you
Erica Davis:bringing your employees into the discussion? How are you
Erica Davis:identifying your key providers, suppliers, customers? How are
Erica Davis:you protecting and, you know, and restoring right, your sort
Erica Davis:of data assets if something does happen. So I think you know,
Erica Davis:this is an ongoing exercise happening within organizations.
Erica Davis:Certainly the underwriting is also evolving as a result of
Erica Davis:that. I talked a little bit about, you know, a culture in
Erica Davis:this sort of like practice of resiliency, that's really easier
Erica Davis:to understand as an underwriter, when you have touch points with
Erica Davis:your customer. And the reality is, when we get into that small
Erica Davis:business space, particularly the micro minis, the expectations
Erica Davis:and the needs are going to shift when it comes to securing
Erica Davis:insurance, you're not going to be able to meet with every
Erica Davis:business that only has like 5,6,7,8,9,10 employees out
Erica Davis:there. And that's where you see a lot more technology augmented
Erica Davis:underwriting taking place. Things like the technical
Erica Davis:security scans to help evaluate risk are becoming much more
Erica Davis:commonplace. And they are relevant and increasingly common
Erica Davis:in the underwriting process in order to properly assess, you
Erica Davis:know, that there's customers that you can't talk to and speak
Erica Davis:through the resiliency culture.
Dr. Dave Chatterjee:Sure, sure, and I'm sure it is safe to
Dr. Dave Chatterjee:assume that even after an organization gets coverage, they
Dr. Dave Chatterjee:will be continually assessed, right. Just to make sure that
Dr. Dave Chatterjee:they they stay eligible for that, for that coverage. Is
Erica Davis:that it's a really, it's a really good question. So
Erica Davis:the way that these policies are structured, is that they are for
Erica Davis:an annual term. And so this is another area where we've seen a
Erica Davis:lot of improvement taking place within the cyber industry. You
Erica Davis:have more call it human touch underwriting during the range
Erica Davis:dual cycle. And that's an unfortunate reality, because
Erica Davis:obviously, your server risk, you know, is is 365 days a year.
Erica Davis:But, you know, there are human limitations, right. And so as
Erica Davis:part of the renewal cycle, for the mid and large sized
Erica Davis:accounts, an underwriter will sit there and actually
Erica Davis:practically make their way through an underwriting
Erica Davis:questionnaire application. Very separately, many of the large
Erica Davis:global insurers invest in some of the security scanning that I
Erica Davis:mentioned. And their goal there is to be proactive with their
Erica Davis:policyholders to help identify vulnerabilities to help walk
Erica Davis:through any issues that they're discovering with any other
Erica Davis:policyholders that might have the potential for broader, you
Erica Davis:know, application on their client base, and proactively
Erica Davis:reaching out to those customers to talk through the issues
Erica Davis:separately, certainly in the small business base, and for the
Erica Davis:underwriters, or I shouldn't say the underwriters, for the
Erica Davis:insurers who are supporting that business, then increased and
Erica Davis:more regular reliance on the technology scans definitely
Erica Davis:takes place. And they will provide feedback throughout the
Erica Davis:policy year. And we're endeavoring to do that more and
Erica Davis:more frequently in order to shore up the security of these
Erica Davis:businesses who buy protection.
Dr. Dave Chatterjee:And I think that's a great way for an
Dr. Dave Chatterjee:organization to get a reality check on how they're doing from
Dr. Dave Chatterjee:a cyber defense standpoint. So that is something that is
Dr. Dave Chatterjee:definitely a strength of getting coverage from a provider and
Dr. Dave Chatterjee:getting the external validation, external feedback.
Erica Davis:Absolutely. And I think I mean, that is the goal,
Erica Davis:right? The goal is to make the insurance more meaningful to
Erica Davis:drive adoption, to help people not just by the insurance, but
Erica Davis:by adequate insurance that ultimately improve the user
Erica Davis:experience.
Dr. Dave Chatterjee:You know, one more thing I wanted to share
Dr. Dave Chatterjee:with you. I heard this from a practitioner, that if we buy a
Dr. Dave Chatterjee:lot of cyber insurance, that often gives the impression that
Dr. Dave Chatterjee:we are not good at cyber. And it poorly reflects on the CISO and
Dr. Dave Chatterjee:the CISO function. Have you heard anything like this? Is
Dr. Dave Chatterjee:that Is it a common sentiment? Or was this an outlier?
Erica Davis:Um, it feels like a common sentiment 10 years ago,
Erica Davis:and hopefully more of an outlier now. And I think when the cyber
Erica Davis:products were first becoming more commonplace, there was a
Erica Davis:struggle for investment where you know, somebody like a CISO
Erica Davis:might see it as a slight on their own capabilities. If a
Erica Davis:cyber insurance product was purchased, there was also a lot
Erica Davis:of noise around, well, if you just took that money that you
Erica Davis:were using to buy insurance and gave it to me instead, I'd be
Erica Davis:able to improve you know, our own controls, more
Erica Davis:appropriately. I think that sentiment has changed. In the
Erica Davis:last five to 10 years, there's been so much more connectivity
Erica Davis:across the risk management. And again, we talked about a culture
Erica Davis:resiliency and collaboration across stakeholders. We are now
Erica Davis:seeing more CISOs at the table part of these underwriting
Erica Davis:meetings, sharing their insights, actually, like
Erica Davis:engaging with the insurers to say what could we be doing
Erica Davis:better differently? You talked about validation earlier with
Erica Davis:the scans. Sometimes what we're finding is that in the
Erica Davis:underwriting community, when you provide the feedback to a
Erica Davis:business and say, here's where you look good. And here's where
Erica Davis:there's areas of improvement. The CISO actually perks up and
Erica Davis:says, see, I've been telling you this all along. This is actually
Erica Davis:external validation now, from from, from insurers who assess
Erica Davis:my own peers as well. And it really validates a lot of what
Erica Davis:they've been messaging internally.
Dr. Dave Chatterjee:Absolutely. Let's talk a little bit about
Dr. Dave Chatterjee:self-insurance mechanisms. To set up the question, I want to
Dr. Dave Chatterjee:read out a couple of sentences from an article. In a perfect
Dr. Dave Chatterjee:world, you may think that $2 billion in protection makes
Dr. Dave Chatterjee:sense. Today, that sort of purchase is impossible. But you
Dr. Dave Chatterjee:can develop a plan for getting there. It may involve buying
Dr. Dave Chatterjee:what you can now and possibly topping it up with
Dr. Dave Chatterjee:self-insurance mechanisms. Can you take it from here and shed
Dr. Dave Chatterjee:some light on the different types of self-insurance
Dr. Dave Chatterjee:mechanisms? Yeah,
Erica Davis:absolutely. So, you know, again, these, there's a
Erica Davis:lot of, you know, some of these questions are very rational and
Erica Davis:reasonable. And we have to acknowledge, first where we are
Erica Davis:as an industry, you know, the cyber market didn't exist. I
Erica Davis:shouldn't say that. People will argue it existed, okay, because
Erica Davis:there were certainly internet carve backs and technology carve
Erica Davis:backs and some small, narrow cyber coverages that existed
Erica Davis:years prior. But really, this industry is about 20 years old.
Erica Davis:And currently, if every cyber writer took out their max line
Erica Davis:available, their max capacity available, you know, maybe you
Erica Davis:could get to about a billion in coverage. In reality, the
Erica Davis:largest organizations out there, no matter how they've quantify
Erica Davis:their cyber risk, aren't able to get coverage, excess of you
Erica Davis:know, whatever it is 700 750 million. So in your example,
Erica Davis:around 2 billion of coverage. There's they're absolutely
Erica Davis:right, that that level of capacity is not yet available in
Erica Davis:the market. We're working toward it. I mentioned earlier, some of
Erica Davis:the pricing correction that's happened. That's because of
Erica Davis:losses that have come in, when losses come in, these insurers
Erica Davis:do reassess how much capacity they want to put up on any one
Erica Davis:risk, right? So on any one business, how much coverage are
Erica Davis:you willing to offer, in a profitability challenged time,
Erica Davis:that level of capacity is going to reduce, and when things are
Erica Davis:performing really, really well, that level of capacity will
Erica Davis:increase. And currently, right now we're in more of a reduced
Erica Davis:time period because of the loss environment and the risk
Erica Davis:environment. So, you know, there's no way to get to 2
Erica Davis:billion and cover for, you know, any one entity at this time as a
Erica Davis:broader industry, we're definitely working towards that.
Erica Davis:Part of that is around differentiating the coverages
Erica Davis:more so the product itself being offered differently. Some of
Erica Davis:that is around the the the technologies that can be
Erica Davis:deployed in order to better understand you know, cyber risk,
Erica Davis:hygiene and maturity. But we just don't have those those
Erica Davis:challenges. Overcome yet there's still a lot of structural
Erica Davis:constraints that are restricting that level of capacity. As for
Erica Davis:organizations who are looking for more cover, certainly taking
Erica Davis:on some risk themselves evidences It showcases
Erica Davis:competence in where you are as an organization. So that's, you
Erica Davis:know, retaining more risk itself insured retentions we see
Erica Davis:captives becoming a more common discussion. So that's the idea
Erica Davis:of setting up vehicles where you can absorb some of that risk
Erica Davis:either down low, meaning when the loss first occurs, or buy
Erica Davis:some insurance then potentially set up a captive to take it on
Erica Davis:midway and then purchasing more insurance on top of that. But
Erica Davis:there's a number of different ways to do it. It's just at this
Erica Davis:point, given the Infancy of the market we are not able to scale
Erica Davis:the way you would find with more mature areas of the business.
Dr. Dave Chatterjee:So, you know, as I'm hearing from you a
Dr. Dave Chatterjee:couple of inferences that I draw that the cyber security market
Dr. Dave Chatterjee:is still premature it is, it is moving towards maturity and
Dr. Dave Chatterjee:stability. I also heard that small businesses are not prone
Dr. Dave Chatterjee:to getting cyber insurance. In fact, there is data that
Dr. Dave Chatterjee:supports that. But all organizations should be
Dr. Dave Chatterjee:encouraged, because it should be part of their overall cyber risk
Dr. Dave Chatterjee:mitigation portfolio. But it's definitely not a substitute for
Dr. Dave Chatterjee:strong robust governance measures. So you don't buy
Dr. Dave Chatterjee:insurance so you don't have to do anything about it about cyber
Dr. Dave Chatterjee:risk management. It's not a cop out. Having said that, what are
Dr. Dave Chatterjee:some best practices that you notice, with organizations, and
Dr. Dave Chatterjee:I ask this, from a reflective standpoint, say you have your
Dr. Dave Chatterjee:work with a company that sought insurance. And then they were
Dr. Dave Chatterjee:able to establish that expectation from a control
Dr. Dave Chatterjee:standpoint, which got them the insurance coverage. And that
Dr. Dave Chatterjee:actually propelled them, just the fact that they want to
Dr. Dave Chatterjee:maintain the coverage, that propelled them to become more
Dr. Dave Chatterjee:cyber hygiene conscious, and they stayed more prepared than
Dr. Dave Chatterjee:ever before. So in other words, having cyber insurance gets the
Dr. Dave Chatterjee:organizational attention. And that is a good thing. That that
Dr. Dave Chatterjee:promotes, you know, efforts towards cyber resiliency, is
Dr. Dave Chatterjee:there any merit to this influence of mine?
Erica Davis:Um, I think that, you know, when we look at the
Erica Davis:key risk controls that matter most and attaining cyber
Erica Davis:insurance, at this point, you're looking at multi factor
Erica Davis:authentication, MFA, for remote access. And we're looking at
Erica Davis:endpoint detection and response, you're looking at secured
Erica Davis:encrypted tested backups, we're looking at privileged access
Erica Davis:management. And we're looking at email filtering, and web
Erica Davis:security. Those are the technical controls that are in
Erica Davis:place and matter. And you mentioned the point around, you
Erica Davis:know, making the decision of whether to buy cyber insurance
Erica Davis:or kind of, in lieu of your own controls, I would say right now,
Erica Davis:where the market is, you know, given it's been capacity
Erica Davis:constrained, and given the fact that what we could call the hard
Erica Davis:market conditions, meaning that insurers are increasing prices,
Erica Davis:it's actually increasingly difficult to get cyber insurance
Erica Davis:protection without those key controls in place. The softer
Erica Davis:touch issues are around the cyber incident planning and
Erica Davis:response and testing. So you know, if you have a cyber
Erica Davis:product, you can do like tabletops, with incident
Erica Davis:response, you have access to some of those key service
Erica Davis:providers, but even without them, you know, without a
Erica Davis:product, you know, you can put those plans in place. You can
Erica Davis:look at, you know, the employee, you know, awareness training
Erica Davis:that I mentioned earlier, the logging and monitoring of the
Erica Davis:network protections, you can look at end-of-life systems
Erica Davis:being replaced or protected, absences, a number of sort of
Erica Davis:like behavioral control tactics that can be implemented as well.
Erica Davis:Those are softer touch. So you kind of even can't get to that
Erica Davis:point, or hear that feedback from a cyber insurer until you
Erica Davis:have those more technical controls in place I mentioned
Erica Davis:earlier.
Dr. Dave Chatterjee:I appreciate you making the
Dr. Dave Chatterjee:distinction between technical and then behavioral. I had one
Dr. Dave Chatterjee:last question and that relates to behavioral controls or the
Dr. Dave Chatterjee:softer touch as you were talking about, and that is, does the
Dr. Dave Chatterjee:insurance company take into consideration of how actively
Dr. Dave Chatterjee:engaged is top management? Is that a factor in the evaluation
Dr. Dave Chatterjee:of an organization's cyber risk and subsequently, the decision
Dr. Dave Chatterjee:of whether to give them coverage or give and how much stuff like
Dr. Dave Chatterjee:that? Yeah.
Erica Davis:Yeah, no, absolutely. And sometimes, you
Erica Davis:know, to be completely honest, sometimes you don't have a lot
Erica Davis:of visibility in the underwriting process. So you
Erica Davis:might hear about it, but you don't necessarily know for
Erica Davis:certain. Here's what we do know though. You look at New York
Erica Davis:State and the The Financial Services sort of regulatory, you
Erica Davis:know, developments that were made several years ago. And what
Erica Davis:you can see is that there's definitely an expectation now
Erica Davis:around somebody like a CISO having a direct, you know, line
Erica Davis:of communication, if not a direct reporting relationship to
Erica Davis:C suite, you can look at C-suite who are increasingly under
Erica Davis:pressure to elevate their their cybersecurity and an expectation
Erica Davis:by consumers now that information, actually say
Erica Davis:corporate confidential information to is adequately
Erica Davis:protected. So I think that the needle is moving into this being
Erica Davis:almost like an ESG related issue. And I think that's
Erica Davis:validated by our discussions with, you know, rating agencies
Erica Davis:and other, you know, regulatory bodies that cybersecurity is, is
Erica Davis:very top of mind, it's instrumental to organization's
Erica Davis:long term health, we see the impact on something like
Erica Davis:shareholder perception and stock price when these big events
Erica Davis:occur, particularly if there's an element of negligence within
Erica Davis:them. And so, you know, this and it's not decreasing, right. It's
Erica Davis:only increasing. And I would say that has global relevance.
Erica Davis:That's not a US issue. It's it was, I would say, more of a US
Erica Davis:issue previously. But it's definitely becoming more and
Erica Davis:more prevalent, prevalent outside of the US as well. So,
Erica Davis:so absolutely, if, if, in the handwriting community, if you
Erica Davis:see top, you know, executive management, C suites paying
Erica Davis:attention to these issues, there's a level of confidence
Erica Davis:that the security team is going to get the attention the
Erica Davis:investment, and the financial needs met in order to secure the
Erica Davis:organization.
Dr. Dave Chatterjee:Fantastic. Well, on that note, we can end
Dr. Dave Chatterjee:unless you have any final thoughts, anything else that we
Dr. Dave Chatterjee:should have covered or talked about?
Erica Davis:No, I mean, the last thing I'll say is, you
Erica Davis:know, I know insurance as a whole can get it can get a bad
Erica Davis:rap. And I would, I really like to think of the cyber market is
Erica Davis:performing differently from that. There's huge amounts of
Erica Davis:investment and attention being paid to helping organizations
Erica Davis:understand the risk, helping them stay in front of it,
Erica Davis:proactively notifying them if you know, vulnerabilities are
Erica Davis:identified. And I look to the future and realize the needs
Erica Davis:aren't being met now, but there is so much work being done and
Erica Davis:so much left to do in order to make this, you know, a
Erica Davis:sustainable and relevant market. So, hopefully, the audience
Erica Davis:today found it helpful, but I'm available for any other
Erica Davis:follow-up. questions.
Dr. Dave Chatterjee:Absolutely, thank you so much for your time,
Dr. Dave Chatterjee:it's much appreciated.
Erica Davis:Thank you. Appreciate it.
Dr. Dave Chatterjee:A special thanks to Erica Davis for her
Dr. Dave Chatterjee:time and insights. If you liked what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Introducer:The information contained in this podcast is for
Introducer:episode.
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.