How Can Cyber Insurance Boost Your Security Program?



Transcript of the conversation with Sammy Basu, CISO at Careful Security, and Scott Stanton, Director of Threat and Vulnerability Management at Owens & Minor

Alyssa Butler
Good morning, everyone, or afternoon if you’re on the East Coast. Welcome to our LinkedIn Live. My name is Alyssa Butler. We are live. All right, let me mute myself so there’s no cross-contamination there. I am here with Sammy Basu, who is the CISO at Careful Security. Good morning, Sammy. (Morning, Alyssa.) And also here with us is Scott Stanton, Director of Threat and Vulnerability Management at Owens & Minor. Good morning, good afternoon, Scott, how are you doing?

Scott Stanton
Fine, how are you? Great, great.

Alyssa Butler
Thank you for being here. (Yeah, thanks for having me.) Our topic this morning, I keep saying this morning, I’m on the West Coast. Our topic today is cyber insurance and cybersecurity. I am going to get right into it. Our first question is: Scott, will you talk about how cyber insurance fits into overall risk management?

Scott Stanton
Sure. So, you know, I’ve been running the cybersecurity and cyber protection programs for a number of different organizations for many years, and with the evolution of cyber insurance over, say, the past 10 years or so, it’s really been interesting to see how cyber insurance now plays into formal risk management. You know, traditionally, if you look back at organizational risk management, you think of risk as a function of the adverse impact of events happening. So, for example, you have a fire in your building, right, and then you look at the likelihood of that fire happening, and then the impact of that fire: the damage, the cost, the loss, that sort of thing. So when you look at that two-dimensional matrix of impact versus probability, you now have four potential outcomes of how you can handle those risks. So, for example, if you have an event that is low probability and low impact, then you might just choose to accept the risk of that happening; you’re not going to do anything to try to mitigate it. If it happens, it happens, it’s not a big deal, it might cost you $100 or $500, something like that, and then life goes on. Similarly, if you have a situation where you have a high likelihood of it happening, but again a low impact, you may choose to mitigate that risk, because you know that, over time, the cost of that happening to you regularly might add up. So, for example, if you’re worried about somebody stealing something from your store, you might put a security guard in there, you might put in, you know, theft detection type stuff, CCTV or something like that. So you take some mitigating steps, but you’re not going to go crazy on it. Then you get into the high impact situations. So where you have high impact, low likelihood.
So these are the things that might cost you six, seven, eight figures of impact to your organization. You’re going to mitigate those in some way, in this case through risk transference, where you transfer the impact of that risk to another party. Insurance is one of the main ways you can do that for those low likelihood scenarios. And then if you have a high likelihood, high impact scenario, that’s the kind of risk most organizations are going to choose to avoid. So whatever the factors are that got them into that high risk situation, they might exit that industry or exit that, you know, location, or whatever it is that’s causing the high risk. But that aspect of low likelihood, low impact for cyber is really where cyber insurance comes in. Right? So when we have scenarios that might have a six-figure, seven-figure, eight-figure impact on an organization from a cyber perspective, that’s where cyber insurance comes in to hopefully save the day, or at least mitigate the impact to the company’s bottom line, if it does happen.

Alyssa Butler
Thank you. So, what does cyber insurance cover? Yeah.

Scott Stanton
So it’s important to note that when it comes to cyber insurance, there are two main types of coverage. Basically, think about the traditional home insurance that you might have, right? So you had the risk of a fire happening in your house, or something catastrophic happening to your home. Basically, your home insurance company is going to pay you to either rebuild your home or replace your contents or things like that. But cyber insurance is a little bit different. They have what’s known as first party liability coverage. That’s when the cyber insurance carrier pays you for direct costs that you incur as a result of an event. But then there’s also what’s known as third party liability coverage. And third party liability coverage is when somebody else sues you as a result of a cyber event happening. So, for example, credit cards get stolen, personally identifiable information gets stolen, that sort of thing. Then, when you get sued, cyber insurance covers some or all of that judgment, or those damages, or even the cost to defend in those situations. So when you break down the third party liability coverages and the first party liability coverages, you know, there’s a whole bunch of different things that they cover. So, for example, when you talk about first party, if you have an outage as a result of a cyber incident, then it’s going to cover that interruption of business. If you have data that’s destroyed, they may cover the cost to recreate that data or restore that data. If you’re being extorted, or if you have a privacy event where you need investigations, forensics, notification, credit monitoring, all of those sort of fall into the first party coverages. And then the third party coverages: again, if you get sued, then they cover legal defense and damages if you lose the suit. They cover regulatory proceedings.
So if the government’s doing things related to regulatory requirements for cybersecurity, typically from a failure to protect that private information. There are also things like media liability. So if you have a lawsuit for content-based injuries, like libel, slander, copyright, title, trademark infringement, that sort of thing, it can cover some of that, and penalties around things like PCI and other non-regulatory, but still third party, types of situations.

Alyssa Butler
Thank you. And then I did want to let people know who are watching live, we’re going to do a little Q&A at the end. So if you have any questions for Scott or for Sammy, please feel free to type them, I’ll check them out, and we’ll do a little Q&A at the end. So let’s move into how cyber insurance can be a driver to grow your existing security program at your company. Yeah,

Scott Stanton
great. So this is actually something that, both in our organization at Owens & Minor and with other CISOs and other peers that I’ve talked to, is a growing trend. And really what this means is cyber insurance is a top priority for not only CISOs, but also the executive leadership teams, you know, the CEO, the CFO, that executive team, as well as boards of directors, right, because they recognize that the ability to transfer cyber risk is pretty crucial in the overall organization’s risk management. And it’s a little bit rare, I would say, that specific aspects of risk management get to that level, to the degree that it can drive the investments, the hiring, the technologies, and really the execution of the cybersecurity program being so closely tied to cyber insurance. If an organization is at risk of losing its cyber insurance policy coverage, that really changes the risk equation for an organization, right. So hopefully you’re not in an industry where you’re at such high risk that you are uninsurable. There’s been a little bit of a risk of that as the cyber insurance market has tightened up a little bit in the past five to eight years. But I think, largely speaking, different organizations are still insurable. So that’s a good thing. But obviously the premiums have gone up as a result of a lot of the payouts. But back to the original question. You know, when you start talking to your cyber insurance broker and the different carriers that you’re considering for coverage, they’re all going to ask you questions about your cybersecurity program. We’ll talk a little bit more about that in a bit. I think that’s the next question in line.
But the degree to which you can answer those questions to the cyber insurance brokers and the carriers matters, so when they evaluate you or your organization for cyber insurance coverage, they will look at what you have, or potentially what you don’t have, right; both of those matter. So, for example, if you’re missing EDR deployment, like if, say, your organization’s never invested in EDR and you’re just running antivirus, that’s going to put you at a disadvantage from a cyber insurance coverage perspective. If you don’t have a proper SIEM, maybe you’re a small or midsize company, you’re looking for five or $10 million worth of cyber insurance coverage, which is a lot, but it’s not unreasonable. But then you go tell your broker that you don’t have a SIEM, or you don’t have a security operations center that monitors your environment, you’re going to be at strong risk of not getting coverage if you don’t have some of those fundamental technologies and capabilities in your cyber program. And so, you know, I wouldn’t say there’s a laundry list, but there are definitely key capabilities, key technologies and key elements of your technology configuration, such as, for example, are you exposing high risk services out to the internet, like remote access services or remote desktop. If you say you are exposing those to the internet, your cyber insurance carrier is going to come back and say, look, that’s a problem, you know, you either need to fix that, or it’s going to affect your coverage limits, your deductibles, or we may not even be able to insure you at all, based on some of these things that you either have that are high risk, or that you don’t have that you need to have to protect yourself from cyber insurance.
So ultimately, the way the CISO, the CFO, the CEO approach those investments directly impacts the ability to get and maintain cyber insurance coverage, as well as the cost of that coverage, right? If you’re spending a quarter million dollars a year, maybe even a half million dollars a year or more on your cyber insurance policy, and then your cyber insurance broker says, well, if you do some of these other things, you can substantially reduce the cost of your policy, or increase your coverages, right? All of these aspects are variables in the insurance equation that the cyber insurance carriers are now figuring out: what’s most important in actually preventing incidents from happening, but also responding quickly and containing them if they do happen. I know that was a lot, but hopefully, but

Alyssa Butler
fascinating. Yeah, I mean, this is very important, obviously, to think about. So, getting a little bit deeper into that, how do insurers evaluate organizations for cyber coverage? Can you get into that a little bit more?

Scott Stanton
Yeah, sure. So typically, your cyber insurance policy is going to be good for one year. And so typically, you know, somebody under the CFO’s organization, or whatever the risk organization is that is responsible for insurance in general in your organization, they have a broker that they work with, and they probably find a broker that deals specifically in cyber insurance. And so when they engage the cyber insurance brokers, they’re going to look at all the different carriers that are out there. And typically, brokers that are savvy in cyber insurance will have their own questionnaires. But they may have to compile the questions or the format that all the other cyber insurance carriers are using for collecting all this information. But what they want to do is collect all this information about your company, about your technology platforms, and specifically about your cyber insurance program. And on top of that, they may run their own assessments based on what your company is doing on the internet. So, for example, there are lots of companies out there that will give you a scorecard of your security profile of things that are internet facing, right. So sometimes they’re very detailed. Sometimes they’re completely wrong. But they’re definitely out there, and insurance carriers are using them. So if they go out there and say, hey, Owens & Minor, you have a huge internet footprint, you own 7000 domains out there, you’re running stuff on Windows Server 2003, and this, that and the other thing, and you don’t run TLS on anything, and it’s just a terrible situation, right? Then that’s going to be part of that input for determining your coverage. But the other part of that input is that questionnaire, okay. And so that questionnaire is up to the organization to complete. When the organization gets that questionnaire, it’s going to have questions like, well, how many computers do you have?
You know, how many users do you have? What kind of data do you have that’s important from a breach disclosure perspective? So do you process credit card transactions? Do you take other financial account information? Do you collect personally identifiable information? Do you collect health records? And, you know, so they have questions about the data that you process and that you store and manage, and from that they sort of determine, you know, what’s the likelihood that a third party breach would result in a class action lawsuit or things like that, that they would then be responsible for covering you for? And then, of course, they ask the technology-specific questions. So, you know, what does your IT environment look like? What Windows are you running? What Linux are you running? Are you running any unsupported operating systems like Server 2003, or Server 2008, or soon to be 2012? Right? So if you’re running obsolete operating systems, you know, what’s your mitigation strategy for that? You know, they’ll ask you different questions about how you do security in your environment, not just the technology platform itself. Do you have antivirus? Do you have EDR? Do you have SIEM? Do you have IPS? Do you have perimeter firewalls? Do you have internal firewalls other than your perimeter firewalls? Do you have micro-segmentation, or segmentation at all? So they’re going to ask you all these different questions, and then they’re also going to ask you to what degree you have these things implemented. Do you have them, you know, in some parts of your environment? Like maybe you’re a conglomerate, and when you ask that question, you might say, well, we have it in this division, but not these other divisions. So there’s definitely an aspect of, do you have it partially implemented, or do you have it fully implemented in your environment? And that also matters substantially to the insurers.
One of the key things to note, though, about these questionnaires is that they are binding, in the sense that if you do not tell the complete truth in these questionnaires, and you have a cyber incident and you need coverage for that cyber incident, and it turns out that you were not entirely truthful in your questionnaire, your claim can be rejected. You know, so if you say, for example, that you don’t have any Windows 7 in your environment, but then it turns out that you’ve had a pretty substantial incident that is the result of having Windows 7 in your environment, you could be at risk of not having your claim covered, right, or your claim paid. So that whole process of doing that assessment, doing that questionnaire, it’s pretty substantial. It’s good. And I’ll say this, you know, when we did these assessments, I would say five, seven years ago, the questions were pretty basic, you know, maybe they had 40 or 50 questions. You know, do you have antivirus? Do you have firewalls? That kind of thing. How many records do you have? Those questions have been around since cyber insurance came around. But the level of detail, and specifically the connection from the questions to what cyber insurance carriers are seeing actually works to prevent incidents, is substantially improved over the last five to seven years. So in other words, you’re getting more pointed questions about things like EDR, and which EDR do you use, more so than just do you have antivirus in general, because cyber insurance carriers know that EDR is very effective at stopping malware and stopping other attacks that hit the endpoints. They’re not infallible, of course, but they substantially increase the likelihood of detecting somebody attacking you, and even preventing it in many cases.

Alyssa Butler
Thank you so much, Scott. We do have some questions rolling in. But I wanted to ask, is there anything else that you wanted to touch on before we go to the people?

Scott Stanton
I would say, you know, going back to the lead-in from the prior question, which is how do you make cyber insurance a driver for your cyber program? That’s, to me, the real takeaway, you know, all these elements of making sure that the cyber insurance program is not dropped. I would say that, aside from staying out of the news, you know, the CISO’s number one priority is stay out of the news, right? Don’t have your company have a cyber incident and be on the front page of the newspaper. That’s the CISO’s number one priority. But I would say the CISO’s number two priority these days is don’t let your cyber insurance get dropped. You know, aside from not having a breach, and it does protect spread up there too. But I would also say, even if you have a breach, having cyber insurance is more important than preventing the breach, because at least cyber insurance will offset the risk of the breach. So I don’t know how hot of a take that is. But I would say, you know, in my opinion, it’s more important to have cyber insurance than it is to stop the breaches, because at least cyber insurance helps you manage the breach.

Alyssa Butler
I mean, that makes sense. That makes sense. All right. We have a question from Kr s. Would it change the risk equation if we are migrating from one cloud service provider to another?

Scott Stanton
I have not seen cyber insurers ask about which cloud provider you use. Ultimately, it’s more about configuration. So if you have a heavy cloud presence, they’ll ask, you know, do you have cloud security posture management, and some of the other specific technology controls around cloud. But I have not seen them myself weight or prefer one cloud provider over another.

Alyssa Butler
Great. And then from Stephen Yang: what are certain ambiguous aspects that security consulting firms should remain mindful of, and which cybersecurity insurance providers might exploit or capitalize on with regard to insurance coverages? You don’t want me to repeat that? Yeah, if

Scott Stanton
you could. I got the second part; say the first part again.

Alyssa Butler
What are certain ambiguous aspects that security consulting firms should remain mindful of?

Scott Stanton
Ambiguous? Well, I’m not sure about the ambiguous. I think the biggest thing that consulting firms need to be aware of is the practicality, or pragmatic, you know, aspects of their recommendations. So, for example, if a security consultant comes along and says, you know, maybe we did a penetration test for you, or we’re doing advisory on your identity and access management, or your privileged access management system, or your micro-segmentation, or your data center migration, or whatever it might be that they’re consulting on. It’s important for them to recognize that we don’t do technology for technology’s sake; we do technology for the outcomes. So making sure that if we implement security controls, they are in fact fully implemented, right? Let’s just say the consultant is doing a SIEM implementation, right? We want to make sure that the system is in fact fully implemented and is effective at detecting threats. These are the things that cyber insurance carriers, when they start asking those questions like, hey, do you have an EDR? Do you have a SIEM? Well, okay, if my consultant came along and they implemented my SIEM, or they implemented my EDR, but we only got 40% implemented, or we’re not using all the features, or we didn’t turn on those aspects that were expected to be turned on, then that actually might affect the claim in the end, right. So if the EDR was left in its default configuration settings, if it’s not implemented fully and we’re not using all the features and functionality of that platform, whether it’s updates, or, you know, the cloud-based threat inspections or things like that, then when it comes time to make the claim against that incident, they’ll look at that config, and the insurer will say, well, yeah, you said you had EDR, but you’ve got 80% of the functionality turned off. So they might end up denying the claim in those situations.
So I think that’s probably the biggest thing to be mindful of: when it comes to those consultants, you know, recommending settings or configuration, or doing the implementation, make sure it works. That’s what I meant by pragmatic at the beginning of my answer.

Sammy Basu
Is your dog barking in the background? That

Scott Stanton
is my dog, apparently. She wants to get on the webcam and on the conference here.

Sammy Basu
I just want to add one point to what Scott said. Yeah, I think your dog’s talking about how monitoring is important. You know, one thing: when consulting providers are brought in to answer these questionnaires, there is a huge push from the company. We want this insurance, answer whatever you need to answer so that we don’t lose coverage. And consulting providers need to be mindful of answering it truthfully. So if they say, do you have network segmentation, and they say we have a guest network and a corporate network, that is not network segmentation. So they need to, you know, look into the finer details and play the role of a neutral expert, rather than, you know, working on behalf of the company to do whatever it needs to get that insurance right away. So take your time, and make sure you answer the questions truthfully, and provide that third party external perspective, which can be very valuable.

Alyssa Butler
Thank you. And then I love this question. Is there a cybersecurity score for cloud service providers, like a credit card score?

Scott Stanton
I’m not aware of a score for the providers themselves. You know, it’s very much like running your own data center, in the sense that, you know, you can have an insecure environment or you can have a secure environment on the same provider, right. So yeah, I think I see where you’re going with that question. It’s not one that I have direct experience with, in the sense of, hey, you know, should we choose GCP because they’re better than the others, or something like that. I don’t have an answer for you on that one. But I can tell you that at the end of the day, it comes down to are you actually secure or not, based on, you know, the solution you’re building or the environment you’re hosting in that cloud provider. So, you know, make sure that you’re following that cloud provider’s recommendations for securing your environment, securing your platform, securing your software, or your SaaS, whatever you’re building. Make sure that you’re leveraging that cloud provider’s security capabilities, whether it’s the auditing capabilities, the logging, the security gateways, whatever it might be, right. And then, when the insurance provider comes along and says, are you doing those things, you’ve got a good answer, a strong answer, for them.

Sammy Basu
Perfect. And whoever asked this question, reach out to us after the LinkedIn Live; we’ll be able to provide you more detailed guidance on how you can evaluate your security score, the common pitfalls and the best practices. We do that for some of our customers. But thank you for the question.

Alyssa Butler
Absolutely. Well, we are wrapping it up. But I wanted to end with this one question. This is obviously a complex subject, the questionnaires are long, and you have to answer so truthfully. But what is one thing that, you know, companies can do to prep for qualifying for cyber insurance?

Sammy Basu
I would say Careful Security.

Alyssa Butler
There you go. Hire an expert. Yeah,

Scott Stanton
well, it definitely comes down to, you know, the level of investment that the company has already made, whether it’s in IT or cybersecurity, because you can’t go into the cyber insurance conversation and have that be the first time you’re thinking about cybersecurity. So if you don’t have a CISO or director of cybersecurity, that is elevated in your organization, right. So don’t bury them down under infrastructure and under, you know, desktop support or something like that. Have a proper director-level or higher role in the organization that’s accountable for cybersecurity and has been building that cybersecurity program for a while. Because otherwise, you’re going to have people answering this questionnaire that don’t fully know the cybersecurity landscape and are going to have a hard time answering those questions truthfully. Either because they don’t have a mature security program in the first place, or, you know, they just don’t know what the answers are, because they don’t know who’s managing the antivirus, who’s managing the firewalls, so that without a central security organization it is actually a really difficult questionnaire to fill out. Especially if you don’t know the intent behind those questions, you’re likely to say yes to everything, even if it’s not true. So, hopefully that helps answer it.

Alyssa Butler
Right. Thank you so much for all of your expertise on this, Scott. That’s cyber insurance in a nutshell. Thank you guys for coming to our LinkedIn Live. Thank you so much, Scott Stanton with Owens & Minor, Sammy Basu with Careful Security. We’ll see you guys next time. Thank

Scott Stanton
you. Take care.

Sammy Basu
Thank you.