Episode 22

Is Cyber Insurance Necessary?

"Security experts are split on cyber insurance and its place in business, with just as many arguing that it is a useless add-on as an essential business enabler." A KPMG study indicated that these policies were not overly trusted by business leaders. In this podcast episode, Erica Davis, Global Co-Head of Cyber, Guy Carpenter & Co, discusses at length the different types of coverages, how underwriters evaluate and assess cyber risks, the current state of the market, re-insurance mechanisms, and more. She also offers valuable guidance on how to plan and approach cyber insurance-related decisions.



Time Stamps

01:56

So let's begin by talking about you, your professional journey, your current role at Guy Carpenter.

04:52

So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you and if they have any questions of interest. So one of them sent this to me, he said, Why should we get cyber insurance now? It seems that in the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure? How would you react to that statement or question?

09:26

As somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say from the standpoint of a cyber risk insurer?

12:17

Many of the listeners are possibly thinking about cyber insurance, but they're not sure where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them, recommendations?

13:47

What are some key elements of a good cyber insurance policy?

16:33

Is it fair to assume that an organization that has a very strong or robust cyber defense in place is likely to get a better deal compared to another organization?

18:36

I'll be curious to know that based on your experience of assessing culture resiliency, what are the things that you look for, as an insurance company?

21:14

I'm sure it is safe to assume that even after an organization gets coverage, it will be continually assessed, to make sure they remain eligible for the coverage?

23:48

I heard this from a practitioner that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Is this a common sentiment or just an outlier?

26:05

Let's talk a little bit about self-insurance mechanisms.

30:17

Is there any merit to this inference of mine: having cyber insurance gets organizational attention which in turn motivates efforts towards greater cyber resiliency?

34:08

Does the insurance company take into consideration how actively engaged top management is? Is that a factor in the evaluation of an organization's cyber risk and, subsequently, in whether to provide coverage or not?


Memorable Erica Davis Quotes

"In the US, there are actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment."

"Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations. And it gets even more complex when we think about measuring cyber risk beyond the four walls of the organization."

"Quite frankly, as an industry, I don't think we've done a really great job at defining cyber risk and helping businesses fully grasp what a cyber product offers. But we are getting better at it."

"If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption, and extortion payment coverages offered under the first party. So I would say it's really important to understand what coverages are most applicable given your class of business."

"It is important to mention that cyber underwriting extends beyond pure evaluation at the level of security controls. And it includes things like culture resiliency, and stakeholder connectivity, and is your HR team talking with your legal team and talking with your product dev team in practicing and promoting good cyber standards."

"I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk."

"Given the hard market conditions, meaning that insurers are increasing prices, it's actually increasingly difficult to get cyber insurance protection without those key controls in place."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I'll be talking with Erica Davis, Managing Director and Global Co-Head of Cyber for Guy Carpenter. Prior to this, Erica led Guy Carpenter's North America Cyber Center of Excellence. She has years of cyber professional and multi-line underwriting expertise. Erica is a key contributor to the public sector dialogue around cyber insurance, and has provided testimony to the House Small Business Committee as an expert witness in cybersecurity insurance. As a prominent leader in understanding cyber risk at an enterprise level, Erica has presented at the National Institute of Standards and Technology, and has contributed to several publications, events, articles, and interviews in the industry. Erica, welcome. Thanks for making time to share your thoughts and perspectives with the listeners.

Erica Davis:

Thanks so much for having me.

Dr. Dave Chatterjee:

So let's begin by talking about you, your professional journey, your current role at Guy Carpenter.

Erica Davis:

Sure, thanks. Thanks again for having me today. And yeah, you know, I really got started in the insurance industry by focusing on technology risk. And so I spent the first 10 years of my career at Chubb, underwriting all lines of business. So general liability, workers compensation, auto, intellectual property, errors and omissions, but with a focus on information and technology risk. So always thinking about what's coming next in terms of emerging exposures. Before I moved over to Zurich, still in an underwriting capacity, still with technology top of mind, but built their book of business, ultimately taking greater responsibility for general industry and financial institutions, and some other risk outside of that. But what I learned in staying closely connected to the technology risk was that there was an opportunity for cyber products, cyber insurance risk transfer solutions, to find a home within the industry, as interconnectivity and reliance on technology grew. And so I moved over to that side of the business with a specialization in cyber and professional liability in 2012. At that point, the industry was just beginning to grow its expertise, and truly its acknowledgement of how far reaching and massive cyber risk was going to become. And so, you know, Zurich wasn't alone in building specialized products and expertise in that space, and I worked there until about four years ago, about 2018, still on the underwriting side, and focusing on cyber risk transfer products. Ultimately, what I learned was that the insurance space was beginning to craft solutions for the business community, who were also becoming increasingly aware of how cyber risk could manifest, you know, within their organization and also outside of their four walls. So looking at various supply chain risks when it comes to cyber. And the industry at that point had grown to a size of about 4 billion in gross written premium, still very small compared to some of the more traditional lines of business out there. But there was a lot of work to be done on the reinsurance side, which is the insurance that sits behind insurance companies, kind of simply put, and there needed to be more expertise in that space in order to build capacity to grow and support the insurance side of the house. And so I made the move over to insurance and reinsurance broking about four years ago. And I've been with Guy Carpenter in increasing roles since that time.

Dr. Dave Chatterjee:

Good to know. Thanks for the intro. So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you, and if they have any questions of interest. So one of them sent this to me, he said, Why should we get cyber insurance now? It seems that in the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure? How would you react to that statement or question?

Erica Davis:

Yeah, so just to sort of set the stage for, you know, the buying community within cyber, about 40% of all organizations across the US purchase a cyber insurance product. And that number is more heavily skewed towards mid sized and large companies, more so than small, micro, mini sized organizations. Oftentimes, that's because there's been a more sophisticated risk assessment process in place for, you know, cyber risk on those larger sized entities. And in the US, there are actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment. So businesses in the US are geared to protect private and confidential information in a way that's still developing outside of the US. Certainly, regions such as, you know, Europe, UK, have a strong regulatory position now that has developed, and the buying habits of the business community have accelerated as a result of that. But even in the US, companies that have a more regulated, or I should say, more regulatory sort of focused mindset, somebody like health care, financial institutions, were early adopters of the product. And your friend or your contact is correct that in the last 12 to 18 months, the price of cyber products has increased significantly. What I would suggest is that's really a reflection of the losses that have been paid out by the industry, so some pricing correction that's occurred because of that, but also an escalating risk environment where we've seen things like, you know, geopolitical tensions increase, we've seen ransomware threats increase, we see greater risk because of interconnectivity. And so you don't see pricing change without cause. Cyber products are still fairly inexpensive when you look at the cost of other, you know, mandatory purchases within, I'll call it, the risk management package. But yes, you know, businesses do need to take stock of what's at risk, what sort of digital assets they have. The discussion around whether to purchase a product is a very healthy risk management discussion. There will be potential businesses that instead elect to invest in their own information security, or I should say, like, architecture. And if that makes sense for them, then, you know, that's certainly a choice they can make. It's not a mandatory purchase at this time. It's still discretionary in nature. And sorry for the long winded answer, but I would just add to that, you know, cyber products are a little bit different than the traditional products that are offered by insurance companies, in that cyber products offer you pre-breach services. So things like discounted rates for forensics, public relations firms, you know, legal sort of breach coaches, all of which, you know, you can establish relationships with and access at a discounted rate, and then incident response services too, so that if and when the bad event does occur, your resiliency and responsiveness has increased by having a product in place. So, prices have gone up. And yes, that's true, but I still think it's a very valuable product for businesses to consider.

Dr. Dave Chatterjee:

Good to know, good to know. In fact, I was reviewing a KPMG study where they surveyed senior information security professionals, and 74% of the respondents said they had no cyber insurance. And they mentioned mistrust of insurers honoring policies appeared to be one challenge. And they also mentioned the market not being very mature, and I believe you've addressed that. But then I'm just curious to know, as somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say, from the standpoint of a cyber risk insurer?

Erica Davis:

You know, I understand those challenges. Certainly I've heard them firsthand, especially in my underwriting days. I think, when we consider insurance, as buyers of products, we think about something like tangible assets: what if my home burns down, how much damage is there, you can see a fire, you can smell a fire. Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations. And it gets even more complex when we think about measuring cyber risk outside of, you know, your own sort of entity's four walls, and you look at supply chain, and you look at potential non physical impacts that could affect you. COVID is one example of where we saw that brought to life, right? We saw supply chain severely disrupted, we saw transformation of data exchanges. So there's a lot of lessons to be learned there. But when we protect intangible assets, and we think about nonlinear exposures, like cyber risk, that's difficult. And having a product that appropriately addresses those issues is also challenging for the buying community to understand. Quite frankly, as an industry, I don't think we've done a really great job at defining it and helping businesses to fully grasp what a cyber product offers. But we are getting better at it. We're definitely seeing adoption of the product increase. But we definitely have work to do as an industry to help businesses through those complexities.

Dr. Dave Chatterjee:

True, very true. Many of the listeners are possibly thinking about cyber insurance, but they're not sure where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them, any recommendations?

Erica Davis:

I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk. I think right now, there isn't a level of consistency across cyber products. Again, it's easy for the business community to understand, you need to work with a broker who can explain the differences, and those pre- and post- breach services to you, which are a huge part of the value of a cyber insurance product. You need somebody who fully comprehends the nuance of the various policy languages that are out there and can make sure that they tailor a product and design a product that fully suits the needs of the buyer. Some of these more specialized brokers can also provide the quantification services to help inform your decision of whether to buy a product, or whether to invest in your own security, or to self insure is the right answer for you.

Dr. Dave Chatterjee:

Okay, good to know. And when someone is evaluating a cyber insurance policy, what are some elements that one should be looking out for? Or maybe, if I would rephrase the question, what are some key elements of a good cyber insurance policy, if there is anything like that?

Erica Davis:

So most of the cyber insurance products that are available... actually, let me reframe this a little bit. There are cyber coverages that can be offered through traditional lines of business. You might purchase a property policy and have some level of coverage available to you through something like business interruption, say something like downtime originating from a cyber related event. You might have something offered through general liability or professional liability that allows liability from a cyber related event. When you purchase a cyber dedicated product, it is a hybrid between first party and third party. And so what I mean by that is the liability aspect, so something like network and security, privacy liability, some elements of media liability, but it also includes first party coverages. So things like your costs out of pocket for forensics response, something like, you know, legal services, something like public relations, and then most importantly, business interruption and dependent business interruption. Some of the coverages that have gotten quite a lot of attention lately have been around the forensics, business interruption and extortion payments. That's largely because of the proliferation of ransomware over the last 36 months or so. So, you know, each of those coverages is valuable, it really depends on what segment of the business you operate in. So if you're somebody like, you know, a health care provider, you definitely don't want to have a cyber product that only has, for example, like, first party coverages, you want to make sure that you have liability aspects. If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption and extortion payment coverages offered under the first party. So I would say it's really important to understand, you know, what coverages are most applicable given your class of business.

Dr. Dave Chatterjee:

Now, is it fair to assume that an organization that has very robust and mature cyber governance processes is likely to get a better deal?

Erica Davis:

So, yeah, I'd respond in a few different ways. So when we think about traditional underwriting of cyber risk, certainly the goal there is to differentiate customers based on their level of cybersecurity maturity. Your goal as an underwriter is to flesh out, you know, the good risk from the not so good risk and differentiate, and either decline the not so good risk, because it's certainly possible right now that businesses aren't able to secure cyber insurance because they just don't have risk controls that are up to a level of expectation. But even within that spectrum of good and not so good, being able to differentiate pricing and terms on the policy is a reflection of those practices and protocols in place. It is important to mention that cyber underwriting extends beyond pure evaluation of the level of security controls. And it includes things like, you know, culture resiliency, and stakeholder connectivity, and is your HR team talking with your legal team and talking with your product dev team in practicing and promoting good cyber standards, and things like employee training, for example, can come into play. And so part of this is the security itself of an organization, but part of this is around the culture that's created. And then also, like, I know I've talked about supply chain a couple of times, but how are you looking outside of your own organization and assessing risk across, you know, upstream, downstream and your entire supply chain?

Dr. Dave Chatterjee:

Very interesting, very interesting. In fact, when you mentioned culture resiliency, you know, it resonates with me very well, because I recently published a book, where I talk about the importance of creating and sustaining a high-performance information security culture, and I provide organizations with scorecards to make an assessment along three dimensions -- commitment, preparedness, and discipline. So I'll be curious to know, based on your experience of assessing culture resiliency, what are the things that you all look for, as an insurance company?

Erica Davis:

So, um, so, you know, a few different things there. Right. So, you know, kind of, you know, go back to the NIST guidelines, right? You have things like identifying your assets, and, you know, detecting Tricia evidence, but it's also more around, like, the disaster recovery, right? How are you bringing your employees into the discussion? How are you identifying your key providers, suppliers, customers? How are you protecting and, you know, restoring, right, your sort of data assets if something does happen. So I think, you know, this is an ongoing exercise happening within organizations. Certainly the underwriting is also evolving as a result of that. I talked a little bit about, you know, a culture in this sort of, like, practice of resiliency. That's really easier to understand as an underwriter when you have touch points with your customer. And the reality is, when we get into that small business space, particularly the micro minis, the expectations and the needs are going to shift when it comes to securing insurance. You're not going to be able to meet with every business that only has, like, 5, 6, 7, 8, 9, 10 employees out there. And that's where you see a lot more technology augmented underwriting taking place. Things like the technical security scans to help evaluate risk are becoming much more commonplace. And they are relevant and increasingly common in the underwriting process in order to properly assess, you know, those customers that you can't talk to and speak through the resiliency culture.

Dr. Dave Chatterjee:

Sure, sure. And I'm sure it is safe to assume that even after an organization gets coverage, they will be continually assessed, right, just to make sure that they stay eligible for that coverage. Is that

Erica Davis:

It's a really, it's a really good question. So the way that these policies are structured is that they are for an annual term. And so this is another area where we've seen a lot of improvement taking place within the cyber industry. You have more, call it, human touch underwriting during the renewal cycle. And that's an unfortunate reality, because obviously, your cyber risk, you know, is 365 days a year. But, you know, there are human limitations, right. And so as part of the renewal cycle, for the mid and large sized accounts, an underwriter will sit there and actually practically make their way through an underwriting questionnaire application. Very separately, many of the large global insurers invest in some of the security scanning that I mentioned. And their goal there is to be proactive with their policyholders, to help identify vulnerabilities, to help walk through any issues that they're discovering with any other policyholders that might have the potential for broader, you know, application on their client base, and proactively reaching out to those customers to talk through the issues. Separately, certainly in the small business space, and for the underwriters, or I shouldn't say the underwriters, for the insurers who are supporting that business, then increased and more regular reliance on the technology scans definitely takes place. And they will provide feedback throughout the policy year. And we're endeavoring to do that more and more frequently in order to shore up the security of these businesses who buy protection.

Dr. Dave Chatterjee:

And I think that's a great way for an organization to get a reality check on how they're doing from a cyber defense standpoint. So that is something that is definitely a strength of getting coverage from a provider and getting the external validation, external feedback.

Erica Davis:

Absolutely. And I think, I mean, that is the goal, right? The goal is to make the insurance more meaningful to drive adoption, to help people not just buy the insurance, but buy adequate insurance that ultimately improves the user experience.

Dr. Dave Chatterjee:

You know, one more thing I wanted to share with you. I heard this from a practitioner, that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Have you heard anything like this? Is it a common sentiment? Or was this an outlier?

Erica Davis:

Um, it feels like a common sentiment 10 years ago, and hopefully more of an outlier now. And I think when the cyber products were first becoming more commonplace, there was a struggle for investment where, you know, somebody like a CISO might see it as a slight on their own capabilities if a cyber insurance product was purchased. There was also a lot of noise around, well, if you just took that money that you were using to buy insurance and gave it to me instead, I'd be able to improve, you know, our own controls more appropriately. I think that sentiment has changed. In the last five to 10 years, there's been so much more connectivity across the risk management. And again, we talked about a culture resiliency and collaboration across stakeholders. We are now seeing more CISOs at the table, part of these underwriting meetings, sharing their insights, actually, like, engaging with the insurers to say, what could we be doing better, differently? You talked about validation earlier with the scans. Sometimes what we're finding is that in the underwriting community, when you provide the feedback to a business and say, here's where you look good, and here's where there's areas of improvement, the CISO actually perks up and says, see, I've been telling you this all along. This is actually external validation now, from insurers who assess my own peers as well. And it really validates a lot of what they've been messaging internally.

Dr. Dave Chatterjee:

Absolutely. Let's talk a little bit about self-insurance mechanisms. To set up the question, I want to read out a couple of sentences from an article. "In a perfect world, you may think that $2 billion in protection makes sense. Today, that sort of purchase is impossible. But you can develop a plan for getting there. It may involve buying what you can now and possibly topping it up with self-insurance mechanisms." Can you take it from here and shed some light on the different types of self-insurance mechanisms?

Erica Davis:

Yeah, absolutely. So, you know, again, there's a lot of, you know, some of these questions are very rational and reasonable. And we have to acknowledge first where we are as an industry. You know, the cyber market didn't exist. I shouldn't say that. People will argue it existed, okay, because there were certainly internet carve-backs and technology carve-backs and some small, narrow cyber coverages that existed years prior. But really, this industry is about 20 years old. And currently, if every cyber writer took out their max line available, their max capacity available, you know, maybe you could get to about a billion in coverage. In reality, the largest organizations out there, no matter how they've quantified their cyber risk, aren't able to get coverage in excess of, you know, whatever it is, 700, 750 million. So in your example, around 2 billion of coverage, they're absolutely right that that level of capacity is not yet available in the market. We're working toward it. I mentioned earlier some of the pricing correction that's happened. That's because of losses that have come in. When losses come in, these insurers do reassess how much capacity they want to put up on any one risk, right? So on any one business, how much coverage are you willing to offer? In a profitability-challenged time, that level of capacity is going to reduce, and when things are performing really, really well, that level of capacity will increase. And currently, right now, we're in more of a reduced time period because of the loss environment and the risk environment. So, you know, there's no way to get to 2 billion in cover for, you know, any one entity at this time. As a broader industry, we're definitely working towards that. Part of that is around differentiating the coverages more, so the product itself being offered differently. Some of that is around the technologies that can be deployed in order to better understand, you know, cyber risk, hygiene and maturity. But we just don't have those challenges overcome yet. There's still a lot of structural constraints that are restricting that level of capacity. As for organizations who are looking for more cover, certainly taking on some risk themselves evidences, it showcases, competence in where you are as an organization. So that's, you know, retaining more risk, self-insured retentions. We see captives becoming a more common discussion. So that's the idea of setting up vehicles where you can absorb some of that risk either down low, meaning when the loss first occurs, or buy some insurance, then potentially set up a captive to take it on midway, and then purchasing more insurance on top of that. But there's a number of different ways to do it. It's just at this point, given the infancy of the market, we are not able to scale the way you would find with more mature areas of the business.

Dr. Dave Chatterjee:

So, you know, as I'm hearing from you, a couple of inferences that I draw: that the cyber security market is still premature, it is moving towards maturity and stability. I also heard that small businesses are not prone to getting cyber insurance. In fact, there is data that supports that. But all organizations should be encouraged, because it should be part of their overall cyber risk mitigation portfolio. But it's definitely not a substitute for strong, robust governance measures. So you don't buy insurance so you don't have to do anything about cyber risk management. It's not a cop-out. Having said that, what are some best practices that you notice with organizations, and I ask this from a reflective standpoint, say you have worked with a company that sought insurance. And then they were able to establish that expectation from a control standpoint, which got them the insurance coverage. And that actually propelled them, just the fact that they want to maintain the coverage, that propelled them to become more cyber hygiene conscious, and they stayed more prepared than ever before. So in other words, having cyber insurance gets the organizational attention. And that is a good thing, that promotes, you know, efforts towards cyber resiliency. Is there any merit to this inference of mine?

Erica Davis:

Um, I think that, you know, when we look at the key risk controls that matter most in attaining cyber insurance, at this point, you're looking at multi-factor authentication, MFA, for remote access. And we're looking at endpoint detection and response. You're looking at secured, encrypted, tested backups. We're looking at privileged access management. And we're looking at email filtering and web security. Those are the technical controls that are in place and matter. And you mentioned the point around, you know, making the decision of whether to buy cyber insurance or, kind of, in lieu of your own controls. I would say right now, where the market is, you know, given it's been capacity constrained, and given the fact that what we could call the hard market conditions, meaning that insurers are increasing prices, it's actually increasingly difficult to get cyber insurance protection without those key controls in place. The softer touch issues are around the cyber incident planning and response and testing. So, you know, if you have a cyber product, you can do, like, tabletops with incident response. You have access to some of those key service providers. But even without them, you know, without a product, you know, you can put those plans in place. You can look at, you know, the employee, you know, awareness training that I mentioned earlier, the logging and monitoring of the network protections. You can look at end-of-life systems being replaced or protected, absences, a number of, sort of, like, behavioral control tactics that can be implemented as well. Those are softer touch. So you kind of even can't get to that point, or hear that feedback from a cyber insurer, until you have those more technical controls in place I mentioned earlier.

Dr. Dave Chatterjee:

I appreciate you making the distinction between technical and then behavioral. I had one last question, and that relates to behavioral controls, or the softer touch as you were talking about, and that is, does the insurance company take into consideration how actively engaged top management is? Is that a factor in the evaluation of an organization's cyber risk and subsequently the decision of whether to give them coverage, and how much, stuff like that? Yeah.

Erica Davis:

Yeah, no, absolutely. And sometimes, you know, to be completely honest, sometimes you don't have a lot of visibility in the underwriting process. So you might hear about it, but you don't necessarily know for certain. Here's what we do know, though. You look at New York State and the financial services, sort of, regulatory, you know, developments that were made several years ago. And what you can see is that there's definitely an expectation now around somebody like a CISO having a direct, you know, line of communication, if not a direct reporting relationship, to the C-suite. You can look at C-suites who are increasingly under pressure to elevate their cybersecurity, and an expectation by consumers now that information, actually, say, corporate confidential information too, is adequately protected. So I think that the needle is moving into this being almost like an ESG-related issue. And I think that's validated by our discussions with, you know, rating agencies and other, you know, regulatory bodies, that cybersecurity is very top of mind. It's instrumental to an organization's long-term health. We see the impact on something like shareholder perception and stock price when these big events occur, particularly if there's an element of negligence within them. And so, you know, this, and it's not decreasing, right? It's only increasing. And I would say that has global relevance. That's not a US issue. It was, I would say, more of a US issue previously. But it's definitely becoming more and more prevalent outside of the US as well. So, absolutely, if, in the underwriting community, you see top, you know, executive management, C-suites paying attention to these issues, there's a level of confidence that the security team is going to get the attention, the investment, and the financial needs met in order to secure the organization.

Dr. Dave Chatterjee:

Fantastic. Well, on that note, we can end, unless you have any final thoughts, anything else that we should have covered or talked about?

Erica Davis:

No, I mean, the last thing I'll say is, you know, I know insurance as a whole can get a bad rap. And I really like to think of the cyber market as performing differently from that. There's huge amounts of investment and attention being paid to helping organizations understand the risk, helping them stay in front of it, proactively notifying them if, you know, vulnerabilities are identified. And I look to the future and realize the needs aren't being met now, but there is so much work being done and so much left to do in order to make this, you know, a sustainable and relevant market. So, hopefully, the audience today found it helpful, but I'm available for any other follow-up questions.

Dr. Dave Chatterjee:

Absolutely, thank you so much for your time, it's much appreciated.

Erica Davis:

Thank you. Appreciate it.

Dr. Dave Chatterjee:

A special thanks to Erica Davis for her time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host


Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.