Episode 22
Is Cyber Insurance Necessary?
"Security experts are split on cyber insurance and its place in business, with just as many arguing that it is a useless add-on as an essential business enabler." A KPMG study indicated that these policies were not overly trusted by business leaders. In this podcast episode, Erica Davis, Global Co-Head of Cyber, Guy Carpenter & Co, discusses at length the different types of coverages, how underwriters evaluate and assess cyber risks, the current state of the market, re-insurance mechanisms, and more. She also offers valuable guidance on how to plan and approach cyber insurance-related decisions.
To access and download the entire podcast summary with discussion highlights:
https://www.dchatte.com/episode-22-is-cyber-insurance-necessary/
Transcript
Introducer: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I'll be talking with Erica Davis, Managing Director and Global Co-Head of Cyber for Guy Carpenter. Prior to this, Erica led Guy Carpenter's North America Cyber Center of Excellence. She has years of cyber professional and multi-line underwriting expertise. Erica is a key contributor to the public sector dialogue around cyber insurance, and has provided testimony to the House Small Business Committee as an expert witness in cybersecurity insurance. As a prominent leader in understanding cyber risk at an enterprise level, Erica has presented at the National Institute of Standards and Technology, and has contributed to several publications, events, articles, and interviews in the industry. Erica, welcome. Thanks for making time to share your thoughts and perspectives with the listeners.
Erica Davis: Thanks so much for having me.
Dr. Dave Chatterjee: So let's begin by talking about you, your professional journey. Your current role at Guy Carpenter.
Erica Davis: Sure, thanks. Thanks again for having me today. And yeah, you know, I really got started in the insurance industry by focusing on technology risk. And so I spent the first 10 years of my career at Chubb, underwriting all lines of business. So general liability, workers' compensation, auto, intellectual property, errors and omissions, but with a focus on information and technology risk. So always thinking about what's coming next in terms of emerging exposures. Before I moved over to Zurich, still in an underwriting capacity, still with technology top of mind, but built their book of business, ultimately taking greater responsibility for general industry and financial institutions. And some other risk outside of that. But what I learned in staying closely connected to the technology risk was that there was an opportunity for cyber products, cyber insurance risk transfer solutions to find a home within the industry, as interconnectivity and reliance on technology grew. And so I moved over to that side of the business with a specialization in cyber and professional liability in 2012. At that point, the industry was just beginning to grow its expertise. And truly its acknowledgement of how far-reaching and massive cyber risk was going to become. And so, you know, Zurich wasn't alone in building specialized products and expertise in that space, and I worked there until about four years ago, about 2018. Still on the underwriting side, and focusing on cyber risk transfer products. Ultimately, what I learned was that the insurance space was beginning to craft solutions for the business community, who are also becoming increasingly aware of how cyber risk could manifest, you know, within their organization and also outside of their four walls. So looking at various supply chain risks when it comes to cyber. And the industry at that point had grown to a size of about 4 billion in gross written premium, still very small compared to some of the more traditional lines of business out there. But there was a lot of work to be done on the reinsurance side, which was the insurance that sits behind insurance companies, kind of simply put, and there needed to be more expertise in that space in order to build capacity to grow and support the insurance side of the house. And so I made the move over to the insurance and reinsurance broking about four years ago. And I've been with Guy Carpenter in increasing roles since that time.
Dr. Dave Chatterjee: Good to know. Thanks for the intro. So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you, and if they have any questions of interest. So one of them sent this to me, he said, "Why should we get cyber insurance now? It seems that the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure?" How would you react to that statement or question?
Erica Davis: Yeah, so just to sort of set the stage for, you know, the buying community within cyber, about 40% of all organizations across the US purchase a cyber insurance product. And that number is more heavily skewed towards mid-sized and large companies, more so than small, micro, mini sized organizations. Oftentimes, that's because there's been a more sophisticated risk assessment process in place for, you know, cyber risk on those larger sized entities. And in the US, there's actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment. So businesses in the US are geared to protect private and confidential information in a way that's still developing outside of the US. Certainly, regions such as, you know, Europe, UK, have strong regulatory position now that have developed and the buying habits of the business community have accelerated as a result of that. But even in the US, companies that have a more regulated or I should say, more regulatory sort of focused mindset, somebody like health care, financial institutions, were early adopters of the product. And your friend or your contact is correct that in the last 12 to 18 months, the price of cyber products has increased significantly. What I would suggest is that's really a reflection of the losses that have been paid out by the industry, so some pricing correction that's occurred because of that, but also an escalating risk environment where we've seen things like, you know, geopolitical tensions increase, we've seen ransomware threats increase, we see greater risk because of interconnectivity. And so you don't see pricing change without cause. Cyber products are still fairly inexpensive when you look at the cost of other, you know, mandatory purchases within, I'll call it, the risk management package. But yes, you know, the businesses do need to take stock of what's at risk, what sort of digital assets they have. The discussion around whether to purchase a product is a very healthy risk management discussion. There will be potential businesses that instead elect to invest in their own information security, or should say, like architecture. And if that makes sense for them, then, you know, that's certainly a choice they can make. It's not a mandatory purchase at this time. It's still discretionary in nature. And sorry for the long-winded answer, but I would just add to that, you know, cyber products are a little bit different than the traditional products that are offered by insurance companies, in that cyber products offer you pre-breach services. So things like discounted rates for forensics, public relation firms, you know, legal sort of breach coaches, all that which, you know, you can establish relationships with and access at a discounted rate, and then incident response services too, so that if and when the bad event does occur, your resiliency and responsiveness has increased by having a product in place. So, prices have gone up. And yes, that's true, but I still think it's a very valuable product for businesses to consider.
Dr. Dave Chatterjee: Good to know, good to know, in fact, I was reviewing a KPMG study where they surveyed senior information security professionals, and 74% of the respondents said they had no cyber insurance. And they mentioned mistrust of insurers honoring policies appeared to be one challenge. And they also mentioned that the market not being very mature, and I believe you've addressed that. But then I'm just curious to know, as somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say, from the standpoint of a cyber risk insurer?

Erica Davis: You know, I understand those challenges. Certainly I've heard them firsthand, especially in my underwriting days. I think, when we consider insurance, as buyers of products, we think about something like tangible assets, what if my home burns down, how much damage is there, you can see a fire, you can smell a fire. Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations. And it gets even more complex when we think about measuring cyber risk outside of, you know, your own sort of entity's four walls, and you look at supply chain, and you look at potential non-physical impacts that could affect you. COVID is one example of where we saw that brought to life, right? We saw supply chain severely disrupted, we saw transformation of data exchanges. So there's a lot of lessons to be learned there. But when we protect intangible assets, and we think about nonlinear exposures, like cyber risk, that's difficult. And having a product that appropriately addresses those issues is also challenging for the buying community to understand. Quite frankly, as an industry, I don't think we've done a really great job at defining it and helping businesses to fully grasp what a cyber product offers. But we are getting better at it. We're definitely seeing adoption of the product increase. But I do, we definitely have work to do as an industry to help businesses through those complexities.
Dr. Dave Chatterjee: True, very true. Many of the listeners are possibly thinking about cyber insurance, but they're not sure from where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them, any recommendations?
Erica Davis: I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk. I think right now, there aren't, there isn't a level of consistency across cyber products. Again, it's easy for the business community to understand, you need to work with a broker who can explain the differences. And those pre- and post-breach services to you, which are a huge part of the value of a cyber insurance product, you need somebody who fully comprehends the nuance of the various policy languages that are out there and can make sure that they tailor a product and design a product that fully suits the needs of the buyer. Some of these more specialized brokers can also provide the quantification services to help inform your decision of whether to buy a product or whether to invest in your own security or to self-insure is the right answer for you.
Dr. Dave Chatterjee: Okay, good to know. And when someone is evaluating a cyber insurance policy, what are some elements that one should be looking out for? What are some, maybe if I would rephrase the question, what are some key elements of a good cyber insurance policy, if there is anything like that?
Erica Davis: So most of the cyber insurance products that are available, actually, let me reframe this a little bit. There are cyber coverages that can be offered through traditional lines of business, you might purchase a property policy and have some level of coverage available to you through something like business interruption, say something like downtime originating from a cyber-related event, you might have something offered through general liability or professional liability that allows liability from a cyber-related event. When you purchase a cyber dedicated product, it is a hybrid between first party and third party. And so what I mean by that is the liability aspect. So something like network and security, privacy liability, some elements of media liability, but it also includes first-party coverages. So things like your costs out of pocket for forensics response, something like, you know, legal services, something like public relations, and then most importantly, business interruption and dependent business interruption. Some of the coverages that have gotten quite a lot of attention lately have been around the forensics of business interruption and extortion payments. That's largely because of the proliferation of ransomware over the last 36 months or so. So, you know, each of those coverages is valuable, it really depends on what segment of the business you operate in. So if you're somebody like, you know, a health care provider, you definitely don't want to provide, you don't have a cyber product that only has, for example, like first-party coverages, you want to make sure that you have liability aspects. If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption and extortion payment coverages offered into the first party. So I would say it's really important to understand, you know, what coverages are most applicable given your class of business.
Dr. Dave Chatterjee: Now, is it fair to assume that an organization that has very robust and mature cyber governance processes is likely to get a better deal?
Erica Davis: So, yeah, I responded a few different ways. So when we think about traditional underwriting of cyber risk, certainly the goal there is to differentiate customers based on their level of cybersecurity maturity. Your goal as an underwriter is to flesh out, you know, the good risk from the not so good risk and differentiate and either decline the not so good risk, because it's certainly possible right now, the businesses aren't able to secure a cyber insurance because they just don't have risk controls that are up to a level of expectation. But even within that spectrum of good and not so good, being able to differentiate pricing and terms on the policy is a reflection of those practices and protocols in place. It is important to mention that cyber underwriting extends beyond pure evaluation of the level of security controls. And it includes things like, you know, culture resiliency, and stakeholder connectivity, and is your HR team talking with your legal team and talking with your product dev team in practicing and promoting good cyber standards, and things like employee training, for example, can come into play. And so part of this is the security itself of an organization, but part of this is around the culture that's created. And then also, like, I know, I've talked about supply chain a couple of times, but how are you looking outside of your own organization and assessing risk across, you know, upstream, downstream and your entire supply chain?
Dr. Dave Chatterjee: Very interesting, very interesting. In fact, when you mentioned culture resiliency, you know, it resonates with me very well, because I recently published a book, where I talk about the importance of creating and sustaining a high-performance information security culture, and I provide organizations with scorecards to make an assessment along three dimensions -- commitment, preparedness, and discipline. So I'll be curious to know that based on your experience of assessing culture resiliency, what are the things that you all look for, as an insurance company?
Erica Davis: So, um, so, you know, a few different things there. Right. So, you know, kind of, you know, go back to the NIST guidelines, right? You have things like identifying your assets, and, you know, detecting Tricia evidence, but it's also more around like the disaster recovery, right? How are you bringing your employees into the discussion? How are you identifying your key providers, suppliers, customers? How are you protecting and, you know, and restoring, right, your sort of data assets if something does happen. So I think, you know, this is an ongoing exercise happening within organizations. Certainly the underwriting is also evolving as a result of that. I talked a little bit about, you know, a culture in this sort of like practice of resiliency, that's really easier to understand as an underwriter, when you have touch points with your customer. And the reality is, when we get into that small business space, particularly the micro minis, the expectations and the needs are going to shift when it comes to securing insurance, you're not going to be able to meet with every business that only has like 5, 6, 7, 8, 9, 10 employees out there. And that's where you see a lot more technology-augmented underwriting taking place. Things like the technical security scans to help evaluate risk are becoming much more commonplace. And they are relevant and increasingly common in the underwriting process in order to properly assess, you know, that there's customers that you can't talk to and speak through the resiliency culture.
Dr. Dave Chatterjee: Sure, sure, and I'm sure it is safe to assume that even after an organization gets coverage, they will be continually assessed, right. Just to make sure that they stay eligible for that, for that coverage. Is that...

Erica Davis: It's a really, it's a really good question. So the way that these policies are structured is that they are for an annual term. And so this is another area where we've seen a lot of improvement taking place within the cyber industry. You have more, call it, human touch underwriting during the renewal cycle. And that's an unfortunate reality, because obviously, your cyber risk, you know, is 365 days a year. But, you know, there are human limitations, right. And so as part of the renewal cycle, for the mid- and large-sized accounts, an underwriter will sit there and actually practically make their way through an underwriting questionnaire application. Very separately, many of the large global insurers invest in some of the security scanning that I mentioned. And their goal there is to be proactive with their policyholders to help identify vulnerabilities, to help walk through any issues that they're discovering with any other policyholders that might have the potential for broader, you know, application on their client base, and proactively reaching out to those customers to talk through the issues. Separately, certainly in the small business base, and for the underwriters, or I shouldn't say the underwriters, for the insurers who are supporting that business, then increased and more regular reliance on the technology scans definitely takes place. And they will provide feedback throughout the policy year. And we're endeavoring to do that more and more frequently in order to shore up the security of these businesses who buy protection.
Dr. Dave Chatterjee: And I think that's a great way for an organization to get a reality check on how they're doing from a cyber defense standpoint. So that is something that is definitely a strength of getting coverage from a provider and getting the external validation, external feedback.
Erica Davis: Absolutely. And I think, I mean, that is the goal, right? The goal is to make the insurance more meaningful to drive adoption, to help people not just buy the insurance, but buy adequate insurance that ultimately improves the user experience.
Dr. Dave Chatterjee: You know, one more thing I wanted to share with you. I heard this from a practitioner, that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Have you heard anything like this? Is that, is it a common sentiment? Or was this an outlier?
Erica Davis: Um, it feels like a common sentiment 10 years ago, and hopefully more of an outlier now. And I think when the cyber products were first becoming more commonplace, there was a struggle for investment where, you know, somebody like a CISO might see it as a slight on their own capabilities if a cyber insurance product was purchased. There was also a lot of noise around, well, if you just took that money that you were using to buy insurance and gave it to me instead, I'd be able to improve, you know, our own controls, more appropriately. I think that sentiment has changed. In the last five to 10 years, there's been so much more connectivity across the risk management. And again, we talked about a culture resiliency and collaboration across stakeholders. We are now seeing more CISOs at the table, part of these underwriting meetings, sharing their insights, actually, like engaging with the insurers to say what could we be doing better, differently? You talked about validation earlier with the scans. Sometimes what we're finding is that in the underwriting community, when you provide the feedback to a business and say, here's where you look good, and here's where there's areas of improvement, the CISO actually perks up and says, see, I've been telling you this all along. This is actually external validation now, from insurers who assess my own peers as well. And it really validates a lot of what they've been messaging internally.
Dr. Dave Chatterjee: Absolutely. Let's talk a little bit about self-insurance mechanisms. To set up the question, I want to read out a couple of sentences from an article. "In a perfect world, you may think that $2 billion in protection makes sense. Today, that sort of purchase is impossible. But you can develop a plan for getting there. It may involve buying what you can now and possibly topping it up with self-insurance mechanisms." Can you take it from here and shed some light on the different types of self-insurance mechanisms?

Erica Davis: Yeah, absolutely. So, you know, again, these, there's a lot of, you know, some of these questions are very rational and reasonable. And we have to acknowledge, first, where we are as an industry. You know, the cyber market didn't exist. I shouldn't say that. People will argue it existed, okay, because there were certainly internet carve backs and technology carve backs and some small, narrow cyber coverages that existed years prior. But really, this industry is about 20 years old. And currently, if every cyber writer took out their max line available, their max capacity available, you know, maybe you could get to about a billion in coverage. In reality, the largest organizations out there, no matter how they've quantified their cyber risk, aren't able to get coverage excess of, you know, whatever it is, 700, 750 million. So in your example, around 2 billion of coverage. They're absolutely right that that level of capacity is not yet available in the market. We're working toward it. I mentioned earlier some of the pricing correction that's happened. That's because of losses that have come in. When losses come in, these insurers do reassess how much capacity they want to put up on any one risk, right? So on any one business, how much coverage are you willing to offer? In a profitability-challenged time, that level of capacity is going to reduce, and when things are performing really, really well, that level of capacity will increase. And currently, right now we're in more of a reduced time period because of the loss environment and the risk environment. So, you know, there's no way to get to 2 billion in cover for, you know, any one entity at this time. As a broader industry, we're definitely working towards that. Part of that is around differentiating the coverages more, so the product itself being offered differently. Some of that is around the technologies that can be deployed in order to better understand, you know, cyber risk, hygiene and maturity. But we just don't have those challenges overcome yet. There's still a lot of structural constraints that are restricting that level of capacity. As for organizations who are looking for more cover, certainly taking on some risk themselves evidences, it showcases competence in where you are as an organization. So that's, you know, retaining more risk, self-insured retentions. We see captives becoming a more common discussion. So that's the idea of setting up vehicles where you can absorb some of that risk either down low, meaning when the loss first occurs, or buy some insurance then potentially set up a captive to take it on midway and then purchasing more insurance on top of that. But there's a number of different ways to do it. It's just at this point, given the infancy of the market, we are not able to scale the way you would find with more mature areas of the business.
Dr. Dave Chatterjee:So, you know, as I'm hearing from you a
Dr. Dave Chatterjee:couple of inferences that I draw that the cyber security market
Dr. Dave Chatterjee:is still premature; it is moving towards maturity and
Dr. Dave Chatterjee:stability. I also heard that small businesses are not prone
Dr. Dave Chatterjee:to getting cyber insurance. In fact, there is data that
Dr. Dave Chatterjee:supports that. But all organizations should be
Dr. Dave Chatterjee:encouraged, because it should be part of their overall cyber risk
Dr. Dave Chatterjee:mitigation portfolio. But it's definitely not a substitute for
Dr. Dave Chatterjee:strong robust governance measures. So you don't buy
Dr. Dave Chatterjee:insurance so you don't have to do anything about it about cyber
Dr. Dave Chatterjee:risk management. It's not a cop out. Having said that, what are
Dr. Dave Chatterjee:some best practices that you notice, with organizations, and
Dr. Dave Chatterjee:I ask this, from a reflective standpoint, say you have your
Dr. Dave Chatterjee:work with a company that sought insurance. And then they were
Dr. Dave Chatterjee:able to establish that expectation from a control
Dr. Dave Chatterjee:standpoint, which got them the insurance coverage. And that
Dr. Dave Chatterjee:actually propelled them, just the fact that they want to
Dr. Dave Chatterjee:maintain the coverage, that propelled them to become more
Dr. Dave Chatterjee:cyber hygiene conscious, and they stayed more prepared than
Dr. Dave Chatterjee:ever before. So in other words, having cyber insurance gets the
Dr. Dave Chatterjee:organizational attention. And that is a good thing. That
Dr. Dave Chatterjee:promotes, you know, efforts towards cyber resiliency, is
Dr. Dave Chatterjee:there any merit to this influence of mine?
Erica Davis:Um, I think that, you know, when we look at the
Erica Davis:key risk controls that matter most in attaining cyber
Erica Davis:insurance, at this point, you're looking at multi-factor
Erica Davis:authentication, MFA, for remote access. And we're looking at
Erica Davis:endpoint detection and response, you're looking at secured
Erica Davis:encrypted tested backups, we're looking at privileged access
Erica Davis:management. And we're looking at email filtering, and web
Erica Davis:security. Those are the technical controls that are in
Erica Davis:place and matter. And you mentioned the point around, you
Erica Davis:know, making the decision of whether to buy cyber insurance
Erica Davis:or kind of, in lieu of your own controls, I would say right now,
Erica Davis:where the market is, you know, given it's been capacity
Erica Davis:constrained, and given the fact that what we could call the hard
Erica Davis:market conditions, meaning that insurers are increasing prices,
Erica Davis:it's actually increasingly difficult to get cyber insurance
Erica Davis:protection without those key controls in place. The softer
Erica Davis:touch issues are around the cyber incident planning and
Erica Davis:response and testing. So you know, if you have a cyber
Erica Davis:product, you can do like tabletops, with incident
Erica Davis:response, you have access to some of those key service
Erica Davis:providers, but even without them, you know, without a
Erica Davis:product, you know, you can put those plans in place. You can
Erica Davis:look at, you know, the employee, you know, awareness training
Erica Davis:that I mentioned earlier, the logging and monitoring of the
Erica Davis:network protections, you can look at end-of-life systems
Erica Davis:being replaced or protected, absences, a number of sort of
Erica Davis:like behavioral control tactics that can be implemented as well.
Erica Davis:Those are softer touch. So you kind of even can't get to that
Erica Davis:point, or hear that feedback from a cyber insurer until you
Erica Davis:have those more technical controls in place I mentioned
Erica Davis:earlier.
Dr. Dave Chatterjee:I appreciate you making the
Dr. Dave Chatterjee:distinction between technical and then behavioral. I had one
Dr. Dave Chatterjee:last question and that relates to behavioral controls or the
Dr. Dave Chatterjee:softer touch as you were talking about, and that is, does the
Dr. Dave Chatterjee:insurance company take into consideration how actively
Dr. Dave Chatterjee:engaged top management is? Is that a factor in the evaluation
Dr. Dave Chatterjee:of an organization's cyber risk and subsequently, the decision
Dr. Dave Chatterjee:of whether to give them coverage or give and how much stuff like
Dr. Dave Chatterjee:that? Yeah.
Erica Davis:Yeah, no, absolutely. And sometimes, you
Erica Davis:know, to be completely honest, sometimes you don't have a lot
Erica Davis:of visibility in the underwriting process. So you
Erica Davis:might hear about it, but you don't necessarily know for
Erica Davis:certain. Here's what we do know though. You look at New York
Erica Davis:State and the Financial Services sort of regulatory, you
Erica Davis:know, developments that were made several years ago. And what
Erica Davis:you can see is that there's definitely an expectation now
Erica Davis:around somebody like a CISO having a direct, you know, line
Erica Davis:of communication, if not a direct reporting relationship to
Erica Davis:C-suite, you can look at C-suite who are increasingly under
Erica Davis:pressure to elevate their cybersecurity and an expectation
Erica Davis:by consumers now that information, actually say
Erica Davis:corporate confidential information too, is adequately
Erica Davis:protected. So I think that the needle is moving into this being
Erica Davis:almost like an ESG related issue. And I think that's
Erica Davis:validated by our discussions with, you know, rating agencies
Erica Davis:and other, you know, regulatory bodies that cybersecurity is, is
Erica Davis:very top of mind, it's instrumental to organization's
Erica Davis:long term health, we see the impact on something like
Erica Davis:shareholder perception and stock price when these big events
Erica Davis:occur, particularly if there's an element of negligence within
Erica Davis:them. And so, you know, this and it's not decreasing, right. It's
Erica Davis:only increasing. And I would say that has global relevance.
Erica Davis:That's not a US issue. It was, I would say, more of a US
Erica Davis:issue previously. But it's definitely becoming more and
Erica Davis:more prevalent outside of the US as well. So
Erica Davis:absolutely, in the underwriting community, if you
Erica Davis:see top, you know, executive management, C-suites paying
Erica Davis:attention to these issues, there's a level of confidence
Erica Davis:that the security team is going to get the attention the
Erica Davis:investment, and the financial needs met in order to secure the
Erica Davis:organization.
Dr. Dave Chatterjee:Fantastic. Well, on that note, we can end
Dr. Dave Chatterjee:unless you have any final thoughts, anything else that we
Dr. Dave Chatterjee:should have covered or talked about?
Erica Davis:No, I mean, the last thing I'll say is, you
Erica Davis:know, I know insurance as a whole can get a bad
Erica Davis:rap. And I would, I really like to think of the cyber market as
Erica Davis:performing differently from that. There's huge amounts of
Erica Davis:investment and attention being paid to helping organizations
Erica Davis:understand the risk, helping them stay in front of it,
Erica Davis:proactively notifying them if you know, vulnerabilities are
Erica Davis:identified. And I look to the future and realize the needs
Erica Davis:aren't being met now, but there is so much work being done and
Erica Davis:so much left to do in order to make this, you know, a
Erica Davis:sustainable and relevant market. So, hopefully, the audience
Erica Davis:today found it helpful, but I'm available for any other
Erica Davis:follow-up questions.
Dr. Dave Chatterjee:Absolutely, thank you so much for your time,
Dr. Dave Chatterjee:it's much appreciated.
Erica Davis:Thank you. Appreciate it.
Dr. Dave Chatterjee:A special thanks to Erica Davis for her
Dr. Dave Chatterjee:time and insights. If you liked what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.