Cyber insurance – how to have success in the market
Paul: [00:00:29] Hello, everyone, and welcome to the latest edition of Insurance Business TV, a cyber special in association with Tokio Marine HCC Cyber and Professional Lines Group. Cyber, it seems, is one of those topics that’s really out of the news no matter where you are in the world. Over in Australia, for example, our sister website recently reported on an insurer itself being breached while here in the US, the LA School district recently reported a massive database hack. With the ongoing conflict in Ukraine adding to fears of politically motivated cyber incidents, it seems there’s just no getting away from the subject. But how can you actually get ahead of a topic that is constantly changing and developing? Well, in association with Tokio Marine HCC, Cyber and Professional Lines Group, we’ve brought together three of the top experts on the subject to discuss everything from prevention methods to cyber responses. So let’s welcome them. They are Alex Bovicelli, director of Threat Intelligence. Richard Savage, director of Cyber Incident Response. And Cameron Tognetti, senior Underwriter, Cyber and Tech. So gents, welcome to IBTV and I talked to the top there about changes. The cyber risk landscape has changed dramatically in the last few years, dare I mention a certain pandemic? So Cameron, I’m going to start with you. What type of controls does a cyber underwriter look for in today’s market?
Cameron: [00:02:07] Yeah. Thanks, Paul. Our underwriters are looking for controls that help mitigate three types of incidents in the cyber space business email, compromise, data breach and ransomware. All three of these really are not letting up. And ransomware in particular continues to heavily impact businesses of all sizes across the country. Some of these controls and procedures that really can impact insureds. Safety is multi-factor authentication, commonly known as MFA. This is an incredibly important line of defense and should be implemented and enforced for all employee email access, remote network access and admin accounts. MFA is really key mitigating bad actors ability to use an employee’s credentials, whether they obtained through phishing or other means. And because there is no silver bullet, it’s important to have additions to MFA, which could be endpoint protection or response. And an insurance defense is penetrated. We like to see strong backups that are immutable or encrypted as well.
Paul: [00:03:08] Yeah. Thank you, Cameron and Alex and Richard, if I can bring you both in. Talk to us about the prevention methods for ransomware and the other types of cyber attacks. Of course, as well. It’s going to be vital to mitigate those risks, isn’t it? Alex, I’ll come to you first.
Alex: [00:03:24] Yes. Like any attack, the best preventative tactic is really to ensure a security in depth approach. And what we mean by that is an approach that is multilayered and that it would actually prevent unauthorized access to the network, but also expedite a potential response to a breach. So this this security depth approach is really made out, made up of the things that we ask in the application process. So as Cameron mentioned, MFA for privileged access, but also a good patching cadence to take care of vulnerabilities that are Internet facing that could be exploited. Also, a good asset inventory is very important. We look for that. We want our customers to really understand their perimeter and their exposure. We want to limit remote access exposure and also good network segmentation, good monitoring. And as Cameron mentioned, a well configured EDR and antivirus solution is extremely important. And finally, of course, it’s secure backups, right? If all of the above fail.
Paul: [00:04:37] Okay, so it seems like a multi layered approach is vital. Richard, would you agree?
Richard: [00:04:42] Absolutely. In addition to what Alex said, I think ensuring that although a robust EDR solution or detection and response solution is in place, actually having someone monitor that solution, keeping eyes on alerts and responding actively to those alerts is super important. We’ve seen plenty of entities who have appropriate protections in place, still have incidents or issues because folks weren’t looking where they could have been or should have been at those times. Prevention in addition, training employees to not maybe click on certain things or be aware of threats is super important and things that businesses sometimes get away from in responding to things. So just to tie off of what you said there.
Paul: [00:05:22] And of course, when we’re talking about sort of getting ahead of those threats, we have to think about your cyber threat intelligence team as well. Alex, can you give us a little bit more detail about that team and who they interact with?
Alex: [00:05:35] Our main goal is essentially to prevent large compromises. And we do this by alerting customers at risk before these opportunities are actually exploited by the threat actors. And we provide a lot of remediation support as well. So we walk the client through the different steps on how to mitigate that exposure. We obviously track threat trends and we use proprietary tools to detect these very specific exposures that are currently being exploited by threat actors. We alert effective insureds, provide the remediation support, but also provide a continuous awareness of these threats. So it’s an ongoing process. It’s a very involved process. Our team is comprised of threat intelligence professionals that come from different backgrounds and they have a diverse experience in the field. We also rely on multiple partners and methodologies of collecting intelligence on these threats and how we can possibly detect them. So we have multiple collection methodologies for these for this, and we rely on a variety of partners. This is not just the vulnerability scanning issue, which is something that the industry has been aware of for a while. But there is a wide range of what we call TTPs tactic, techniques and procedures through which threat actors actually gain initial access to a network. And we essentially have to be constantly on alert and be able to to advise and detect those exposures. So it’s not just the vulnerability scanning, right? It’s all the initial access vectors, right? So there’s phishing, there is brute forcing, there is certain malware types. So it’s a variety of again, it’s a layered approach. We rely heavily also on our incident response team. I mean, they’re extremely valuable, Richard’s team, right? Because once they tell us how that compromise happened on that particular customer, we can then leverage that technical information to detect that exposure on additional customers and alert them and support them in remediating that exposure. So that’s how we prevent these sort of large scale compromises. We also interact a lot with our underwriting team. As Cameron will probably tell you. We provide a lot of on demand technical support. We also automate the process for them. So we want to make sure that all these different tools and processes that we use are automated so they can be used seamlessly within their risk selection process.
Paul: [00:08:20] Well, let’s talk a little bit, if we can, about that highly valued cyber incident response team. Richard, when a cyber attack occurs, I guess you need to think about the needs not just of the clients but brokers as well. So give us some insights there and tell us a little bit about the the technical expertise of the team.
Richard: [00:08:40] Absolutely. So fundamentally, availability is key, right? We have to be in a position to be available to our insureds it’s in the wake of a cyber incident and we’re available 24 seven 365 to assist our insurance with whatever they might be going through. And I think by being immediately available, we’re in a position to really assess the situation, assess the insurance situation from a technical perspective, and then be able to leverage our experience to assist with whatever response needs to occur in vendor engagement, in some cases, restoration advisement or assistance, disaster recovery assistance. And we can really be in a position to assess the insurance critical infrastructure their needs and help them respond as quickly as possible. We have a team of i.t. Focused individuals, people that have been working in information technology throughout their careers in various phases. So network administration, forensics, even managed services provider experience. We take those various backgrounds and can apply them in different ways and assisting our insurance throughout the lifecycle of an active cyber incident. And because of that availability and the level of involvement that we have, we can minimize the downtime our insurance are experiencing in the wake of an attack, which of course on the on the back end of that hopefully helps to minimize business income loss and exposure. We have that opportunity to just respond in real time and. Engage vendors that can actively assist. Further to what Alex mentioned, we have the opportunity because we are essentially on the front lines to in real time share sort of active threat intelligence. What kinds of things are affecting our insureds and how can we then be in a position to implement protections or communicate with other insureds and minimize further exposure down the line?
Paul: [00:10:31] Obviously a fantastic team and set up there. I just want to take advantage of having your time for a little bit longer, if you don’t mind, with one last question that I’m going to throw at each of you. That is quite simply, do you have a final tip or a key takeaway for brokers that are looking to have success in the cyber market? Alex, I’ll throw it at you first.
Alex: [00:10:53] Thank you, Paul. I think that the possibly the most important thing is to understand that cyber risk and threats are not going to go away and they’re going to keep developing and morphing into possibly more complex or wide ranging risk. So the important thing to understand, if I had one suggestion, I would basically suggest for brokers and underwriters to really to really inform themselves of the different cyber threats and trends and the different industries that might be affected by what in order to really assess risk properly.
Paul: [00:11:31] Okay. I know a good place where they can keep on top of those trends. Cameron, I’ll come to you next.
Cameron: [00:11:37] Yeah. Piggybacking off of Alex, it can be complex and it’s probably going to get more complex over time. So it’s my job to help. Speak of that in layman’s terms. So call an underwriter, talk through the issues, talk through the markets. That’s what we’re here for. And hopefully we can make it pretty simple for you.
Paul: [00:11:57] All right. Great stuff. Cameron is ready to answer our questions. Richard, let’s get a tip from you.
Richard: [00:12:02] Well, my thinking about piggybacking off of what they just said, having conversations with insurance about the kinds of risks that are out there and the kind of coverages that exist to help protect against those risks, at the very least, can allow them to start thinking about mitigating their own cyber exposures, perhaps putting some minor at the very least protections in place, but really understanding that these threats are real and inevitably attacks are going to occur as we move forward. So bringing that awareness up, I think is what’s super important.
Paul: [00:12:33] Yeah, And hopefully you’ve helped to raise some awareness today. Gents, that’s been fantastic. I really appreciate your time and for shedding some light on such a complex topic. Many thanks to Alex, Cameron and to Richard and of course to Tokio Marine HCC, Cyber and Professional Lines Group for all of the insights. No doubt we’ll have more cyber coverage for you soon. This news isn’t going to go away. So stay tuned right here on Insurance Business TV.