Introduction
After a career as an Operations Officer at the CIA focusing on cyber security, Jack Vines decided to take what he had learned to the private sector, first as a CISO and then at Verisk Analytics, where he led corporate development and strategy. It was at Verisk where Jack first identified significant gaps in the existing cyber insurance landscape – namely, not enough understanding and leveraging of corporate security systems for real-time security posture monitoring on behalf of risk holders. So, with an ideal background to understand both the security and insurance realms, Jack founded Measured Analytics and Insurance (Measured AI). Measured’s goal is to partner with small and medium enterprises (SMEs) to clearly identify pre-event exposure and remediation, provide the insurance coverage that they need, and also provide post-event loss mitigation services with real experts, real people, and real help if ever needed.
AV8 has been working with Jack and the Measured team since 2021. Given the ever-present and growing risk from cyber threat actors, we asked Jack to provide his insights and views on the state of cybersecurity and cyber insurance.
Global Cybersecurity Threat Landscape
AV8: Attacks, especially ransomware, seem to be perpetually on the rise (some surveys suggest 3/4 of orgs have experienced some type of attack). What can you tell us about the nature of the threats today – but also threat vectors that are on the horizon that we should be watching?
Jack Vines: Ransomware is certainly top of mind for everyone. At Measured AI we have one of the industry’s best repositories of ransomware attack data. Severity and frequency of attacks have been on the rise for at least 4 years. There are growing numbers of events, with more ransom demands but also higher consequences if ransoms aren’t paid. For the cyber insurance industry, this was a significant driver of losses into 2022.
However, something curious happened coincidental to the Russian invasion of Ukraine – ransom attacks seemed to slow down – no doubt due to threat actors for hire being occupied. Also, the insurance industry tightened their requirements given the loss history. Another important driver has been law enforcement’s emerging ability to track crypto-wallet ownership and seize assets in some situations. As such, this year we have seen a dramatic increase in financial fraud, i.e., convincing a target to wire funds to fraudulent bank accounts which are then liquidated quickly.
But in late 2022 and in the first half of 2023, both the frequency and severity of breaches began to accelerate again. The frequency, magnitude (incl. types of systems and industries being targeted, plus ransom demands) and severity of these events – e.g., data being destroyed, new attacks on the same target 1 day later – are all going up. Unfortunately, it’s an arms race between threat actors, their targets and insurers – the latter two of whom are running to catch up with the former. That said, we haven’t really seen big systemic attacks from state actors recently, thankfully, even though the threat of all-out cyber-war risk is certainly top of mind for carriers.
As the threat actors hone their processes they are becoming more and more sophisticated operationally and acting more “business-like”. For example, there was a situation recently where a target paid a 7 figure ransom but was not provided encryption keys to unlock their data. After some time, the company finally heard from a “supervisor” at the threat actor saying “we are so sorry…so and so was on vacation and no one was checking his email…if you ever have any questions or issues please contact me directly” and provided them their keys. So in other words, the threat actors are getting more and more professional and operationalized.
Enterprise Security Posture
AV8: What are some common mistakes companies (and public sector entities) are still making that are putting them at risk?
JV: Unfortunately, people are generally still the weakest link in the chain. For example, companies are operating on such short timelines today that it’s common to hand out credentials to people who shouldn’t have them or, more challenging, to grant users far more rights than they should have. We still see a lot of challenges with email security where security protocols aren’t configured properly, allowing lots of phishing emails through.
Further, the “shadow IT” problem, where a group within a company quickly spins up servers in a public cloud environment, putting it on a credit card but bypassing corporate security controls while still accessing other corporate data repositories or systems, can be a substantial threat vector. While processes and security are certainly getting better over the years, despite security teams and risk carriers banging the drum for better employee training, MFA, endpoint security and phishing awareness, there are still large measurable gaps in these basic areas.
Another challenging area is the growing supply chain of vendors and services that companies rely on. It’s now not uncommon for even small to mid-size enterprises to have hundreds of vendors, and of course large global entities will have thousands, all with so much more digital connectivity and access to data than before. It is very challenging to stay on top of all these 3rd parties from a security perspective, and we expect a growing number of attacks coming through these 3rd parties. (Editor’s note: There have been some well-publicized breaches that have come via a vendor, such as Toyota, which had an automotive supplier compromised, and Home Depot, which had a vendor’s credentials harvested.)
Regardless of these challenges and emerging threats, at Measured we believe that speed is of the essence and have made that part of our DNA. You must have real-time data coming from the insured to understand where they are vulnerable when a new threat is discovered elsewhere. It’s a game of “whack-a-mole” where you have to move as fast as the threats move to close potential gaps. Additionally, speed of remediation is vitally important when key corporate systems are at risk, another area where Measured shines. Adapting to these changes so quickly can be a challenge with legacy risk providers.
Current Challenges for the Cyber Insurance Industry
AV8: Let’s start with the customer base. Where do you see the customers for cyber-insurance today, where are their mindsets and what are their initiatives?
JV: Historically, a lot of new policies were small and medium size businesses with 1st time cyber policies (as well as very large enterprises who tended to self-insure). However, risk awareness is growing in all types of customers. At Measured we are seeing more sophisticated buyers than in the past, who started with basic coverage that perhaps was too expensive, didn’t meet their needs, or wasn’t providing them with real time insights regarding threats and risk, who are now looking for a more sophisticated and holistic risk partner.
Another interesting dynamic is that historically, cybersecurity tools were purchased by CISOs and CIOs while cyber-insurance coverage was purchased separately by CFOs (often through insurance brokers who were non-technical and couldn’t really assess risks). We are starting to see more integrated and holistic risk management programs that combine both, where there’s a comprehensive assessment of risk that can be mitigated by investment in security tools along with insurance required to cover risk that can’t be mitigated by these security initiatives.
It’s also important for the C-suite to understand the full cost of a cyber breach. For example, they understand that all parts of the business are impacted during a ransomware event and just paying the ransom is the tip of the iceberg. We need to help them understand all the other costs – like the costs of business interruption, reputational damage, fines and penalties if they can’t access servers for a certain period of time, or true costs of remediation if there is an incursion. And then take all this into account when thinking about appropriate coverages.
AV8: As part of this more holistic approach, how do you see companies partnering with providers like Measured today?
JV: The industry has generally developed more skills and discipline in writing policies. We are starting to see the industry now pushing more requirements on customers, i.e., for us to provide coverage you need to demonstrate not just that MFA is in place but on which key systems; or not just endpoint protection, but how many endpoints are under protection vs. not. This is much different from a few years ago when all you had to do was answer 5 questions on a simple form to get coverage. Now, companies are more willing to share this information and collaborate more with companies like Measured who can give them real-time threat information.
AV8: What are some unique approaches Measured is taking to respond to these changes in the landscape and industry?
JV: Speed and monitoring, which go hand in hand, are some of our core principles. We partner with industry-leading security tool providers like Tenable and Sophos to ingest their data, analyze it in real time, quickly notify clients if they are at risk, and help them remediate threats. This takes a significant amount of technical expertise and systems interconnectivity, but also trust from our customers to partner with us in this way. For example, earlier this year we saw the MOVEit attack vector, which exposed hundreds of companies using this common file transfer service. We saw it first on a Wednesday, assessed the impact on all our insureds by Friday, and by the following Monday/Tuesday we had helped our clients remediate the threat. You need to have systems, tools, capabilities and trust to make this happen.
AV8: And what about cyber-insurance pricing? Premiums were rising for some time. Where are things now?
JV: Industry pricing is a lagging indicator and well behind where actual risks are, based as it is on just looking at historical data. At Measured, because we see risk in real time, we feel that we have an advantage with regard to accurate and timely pricing of risk. That said, with the rise of ransomware the last several years, demand for coverage dramatically outpaced capital available from risk carriers, which drove up prices markedly. However, in the last 6-9 months prices have stabilized as carriers have generally gotten better at pricing risk. But the ability to price risk can change quickly, and we still see true risk not being priced into the market. Currently the frequency and magnitude of cyber events are rising dramatically, and that risk is not being priced into the cost of insurance. As such, we expect to see a rise in claims in the future, which will put upward pressure on pricing. Otherwise the market is not sustainable. Given this, we also expect to see more companies moving to self-insure given where pricing can be, especially for companies with substantial risk.
Future of the Industry
AV8: To close out, give us your thoughts on what the cyber-insurance industry looks like in the coming years.
JV: As we mentioned already, speed and the growing interconnectedness of enterprise data and risk/insurance efforts are trends from which there’s no going back. It will be difficult for companies who haven’t invested in these skills or can’t move at the pace required by the ever-changing threat landscape to thrive.
I also feel the industry will become much more global. Geographically, today the bulk of cyber policies are in the US and Europe. However, companies are operating globally. More importantly, cyber events span geographic boundaries, and the threat actors are global as well. We anticipate accelerating industry growth in Asia and Latin America, including policies that span multiple countries, and regulatory frameworks that support this given how interconnected businesses are today.