Is Cyber Insurance Necessary?

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

A Holistic and High-Performance

Approach. He has been studying cybersecurity for over a decade,

authored and edited scholarly papers, delivered talks,

conducted webinars, consulted with companies, and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is an Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia, and Visiting Professor

at Duke University's Pratt School of Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Today, I'll be talking with Erica Davis,

Managing Director and Global Co-Head of Cyber for Guy

Carpenter. Prior to this, Erica led Guy Carpenter's North

America Cyber Center of Excellence. She has years of

cyber professional and multi-line underwriting

expertise. Erica is a key contributor to the public sector

dialogue around cyber insurance, and has provided testimony to

the House Small Business Committee as an expert witness

in cybersecurity insurance. As a prominent leader in

understanding cyber risk at an enterprise level. Erica has

presented at the National Institute of Standards and

Technology, and has contributed to several publications, events,

articles, and interviews in the industry. Erica, welcome. Thanks

for making time to share your thoughts and perspectives with

the listeners.

Thanks so much for having me.

So let's begin by talking about you, your

professional journey. Your current role at Guy Carpenter.

Sure, thanks. Thanks again for having me

today. And yeah, you know, I really got started in the

insurance industry by focusing on technology risk. And so I

spent the first 10 years of my career at Chubb, underwriting

all lines of business. So general liability, workers

compensation, auto, intellectual property or as an emissions, but

with a focus on information and technology risk. So always

thinking about what's coming next in terms of emerging

exposures. Before I moved over to Zurich, still in an

underwriting capacity, still with technology, top of mind,

but built their book of business, ultimately taking

greater responsibility for general industry and financial

institutions. And some other risk outside of that. But what I

learned in staying closely connected to the technology risk

was that there was an opportunity for cyber products,

cyber insurance risk transfer solutions to find a home within

the industry, as interconnectivity and reliance

on technology grew. And so I moved over to that side of the

business with a specialization in cyber and professional

liability in 2012. At that point, the industry was just

beginning to grow its expertise. And truly its acknowledgement of

how far reaching and massive cyber risk was going to become.

And so, you know, Zurich wasn't alone in building specialized

products and expertise in that space, and I worked there until

about four years ago, about 2018. Still on the underwriting

side, and focusing on cyber risk transfer products. Ultimately,

what I learned was that the insurance space was beginning to

craft solutions for the business community, who are also becoming

increasingly aware of how cyber risk could manifest, you know,

within their organization and also outside of their four

walls. So looking at various supply chain risks when it comes

to cyber. And the industry at that point had grown to a size

of about 4 billion and grocery and premium, still very small

compared to some of the more traditional lines of business

out there. But there was a lot of work to be done on the

reinsurance side, which was the insurance that sits behind

insurance companies kind of simply put, and there needed to

be more expertise in that space in order to build capacity to

grow and support the insurance side of the house. And so I made

the move over to the insurance and reinsurance broking about

four years ago. And I've been with a Guy Carpenter in

increasing roles since that time.

Good to know. Thanks for the intro. So,

you know, I had reached out to a couple of my CISO connections, I

told them that I was going to be talking to you, and if they have

any questions of interest. So one of them sent this to me, he

said, Why should we get cyber insurance now? It seems that the

last 12 to 18 months, the industry has moved away from

insuring verticals, companies, or has made the cost of coverage

so high, that it raises the question of why not just

self-insure? How would you react to that statement or question?

Yeah, so just to sort of set the stage for, you

know, the buying community within cyber, about 40% of all

organizations across the US purchase a cyber insurance

product. And that number is more heavily skewed towards mid sized

and large companies, more so than small micro mini sized

organizations. Oftentimes, that's because there's been a

more sophisticated risk assessment process in place for

you know, cyber risk on those larger sized entities. And in

the US, there's actually more buyers of cyber insurance than

there are outside of the US. So a greater percentage of

businesses buy. And the reason for that is largely driven by a

regulatory environment. So businesses in the US are geared

to protect private and confidential information in a

way that's still developing outside of the US. Certainly,

regions such as you know, Europe, UK, have strong

regulatory position now that have developed and the buying

habits of the business community have accelerated as a result of

that. But even in the US, companies that have a more

regulated or I should say, more regulatory sort of focused

mindset, somebody like health care, financial institutions,

were early adopters of the product. And your friend or your

contact is correct that in the last 12 to 18 months, the price

of cyber products has increased significantly. What I what I

would suggest is that really a reflection of the losses that

have been paid out by the industry, so some pricing

correction that's occurred because of that, but also an

escalating risk environment where we've seen things like,

you know, geopolitical tensions increase, we've seen ransomware

threats increase, we see greater risk because of

interconnectivity. And so you don't see pricing change without

cause. Cyber products are still fairly inexpensive. When you

look at the cost of other, you know, mandatory purchases within

I'll call it the risk management package. But yes, you know, the

businesses do need to take stock of what's at risk, what sort of

digital assets they have, the discussion around whether to

purchase a product is a very healthy risk management

discussion, there will be potential businesses that

instead elect to invest in their own information security, or

should say, like architecture. And if that makes sense for

them, then, you know, that's certainly a choice they can

make. It's not a mandatory purchase at this time. It's

still discretionary in nature. And sorry, for the long winded

answer, but I would just, I would just add to that, you

know, cyber products are a little bit different than the

traditional products that are offered by insurance companies,

and that cyber products offer you pre-breach services. So

things like discounted rates for forensics, public relation

firms, you know, legal sort of breach coaches, all that which,

you know, you can establish relationships with and access at

a discounted rate, and then incident response services too

so that if and when the bad event does occur, your

resiliency and responsiveness has increased by having a

product in place. So, prices have gone up. And yes, that's

true, but I still think it's a very valuable product for

businesses to consider.

Good to know, good to know, in fact, I

You know, I understand those those

was reviewing a KPMG study where they surveyed senior information

security professionals, and 74% of the respondents said they had

no cyber insurance. And they mentioned mistrust of insurers

honoring policies appeared to be one challenge. And they also

challenges. Certainly I've heard them firsthand, especially in my

mentioned that the market not being very mature, and I believe

you've addressed that But then I'm just curious to know, as

somebody who carries personal insurance of different types,

one of the things that I worry about is when the time comes

when I submit a claim, will the claim be honored? Will I have a

good experience? What do you have to say, from the standpoint

of a cyber risk insurer?

underwriting days, I think, when we consider insurance, as buyers

of products, we think about something like tangible assets,

what if my home burns down, how much damage is there, you can

see a fire you can smell a fire. Cyber Risk is different.

Assessing its value is a challenge. The quantification of

what happens if a cyber event occurs, is difficult to put a

number on for many organizations. And it gets even

more complex when we think about measuring cyber risk outside of,

you know, your own sort of entities four walls, and you

look at supply chain, and you look at potential non physical

impacts that could affect you. COVID is one example of where we

saw that brought to life, right? We saw supply chain severely

disrupted we saw transformation of data exchanges. So there's a

lot of lessons to be learned there. But when we protect

intangible assets, and we think about nonlinear exposures, like

cyber risk, that's difficult. And having a product that

appropriately addresses those issues is also challenging for

the buying community understand, quite frankly, as an industry, I

don't think we've done a really great job at defining it and

helping businesses to to fully grasp what a cyber product

offers. But we are getting better at it. We're definitely

seeing adoption of the product increase. But I do we definitely

have work to do as an industry to help businesses through those

complexities.

true, very true. Many of the listeners are

possibly thinking about cyber insurance, but they're not sure

from where to start. What should be the next steps? What are some

resources that they might find valuable? Any suggestions for

them any recommendations?

I think the best advice that I can give to

businesses who are evaluating whether a cyber insurance

product is the next step for them is is really to work with a

specialist broker who understands the risk. I think

right now, there aren't, there isn't a level of consistency

across cyber products. Again, it's easy for the business

community to understand, you need to work with a broker who

can explain the differences. And those pre- and post- breach

services to you which are a huge part of the value of a cyber

insurance product, you need somebody who fully comprehends

the nuance of the various policy languages that are out there and

can make sure that they tailor a product and design a product

that that fully suits the needs of the buyer. Some of this more

specialized brokers can also provide the quantification

services to help inform your decision of whether to buy a

product or whether to invest in your own security or to self

insure is the right answer for you.

Okay, good to know. And when, when someone

is evaluating a cyber insurance policy. what are some elements

that one should be looking out for? What are some what maybe if

I would rephrase the question, what are some key elements of a

good cyber insurance policy if there is anything like like

that?

So most of the cyber insurance products that

are available, actually, let me reframe this a little bit. There

are cyber coverages that can be offered through traditional

lines of business, you might purchase a property policy and

have some level of coverage available to you through

something like business interruption, say something like

downtime originating from a cyber related event, you might

have something offered through general liability or

professional liability that allows liability from a cyber

related event. When you purchase a cyber dedicated product. It is

a hybrid between first party and third party. And so what I mean

by that is the liability aspect. So something like network and

security, privacy liability, some elements of media

liability, but it also includes first party coverages. So things

like your costs out of pocket for forensics response,

something like, you know, legal services, something like public

relations, and then most importantly, business

interruption and dependent business interruption. Some of

the coverages that have gotten quite a lot of attention lately

have been around the forensics of business interruption and

extortion payments. That's largely because of the

proliferation of ransomware over the last 36 months or so. So,

you know, each of those coverages is is valuable, it

really depends on what segment of the business you operate in.

So if you're somebody like, you know, a health care provider,

you definitely don't want to provide you don't you don't have

a cyber product that only has, for example, like first party

coverages, you want to make sure that you have liability aspects.

If you're somebody who's feeling more exposed to ransomware, it's

really important to look at those frantic business

interruption and extortion payment coverages offered into

the first party. So I would say it's really important to

understand, you know, what coverages are most applicable

given your class of business?

Now, is it fair to assume that an

organization that has very robust and mature cyber

governance processes is likely to get a better deal?

So, yeah, I responded a few few different

ways. So when we think about traditional underwriting of

cyber risk, certainly the goal there is to differentiate

customers based on their level of cybersecurity maturity. Your

goal as an underwriter is to flesh out, you know, the good

risk from the not so good risk and differentiate and either

decline, the not so good risk, because it's certainly possible

right now, the businesses aren't able to secure a cyber insurance

because they just don't have risk controls that are up to a

level of expectation. But even within that spectrum of good and

not so good, being able to differentiate pricing and terms

on the policy is a reflection of those practices and protocols in

place. It is important to mention that that cyber

underwriting extends beyond pure evaluation of the level of

security controls. And it includes things like, you know,

culture resiliency, and stakeholder connectivity, and is

your HR team, talking with your legal team and talking with your

product dev team in, in, in practicing and promoting good

cyber standards, and things like employee training, for example,

can come into play. And so part of this is, is the security

itself of an organization, but part of this is around the

culture that's created. And then also, like, I know, I've talked

about supply chain a couple of times, but how are you looking

outside of your own organization and assessing risk across, you

know, upstream, downstream and your entire supply chain?

Very interesting, very interesting.

In fact, when you mentioned culture resiliency, you know, it

resonates with me very well, because I recently published a

book, where I talk about the importance of creating and

sustaining a high-performance information security culture,

and I provide organizations with scorecards to make an assessment

along three dimensions -- commitment, preparedness, and

discipline. So I'll be curious to know that based on your

experience of assessing culture resiliency, what are the things

that you all look for, as an insurance company?

So, um, so, you know, a few different things

there. Right. So, you know, kind of, you know, go back to the

NIST guidelines, right? You have things like identifying your

assets, and, you know, detecting Tricia evidence but it's also

more around like the disaster recovery, right? How are you

bringing your employees into the discussion? How are you

identifying your key providers, suppliers, customers? How are

you protecting and, you know, and restoring right, your sort

of data assets if something does happen. So I think you know,

this is an ongoing exercise happening within organizations.

Certainly the underwriting is also evolving as a result of

that. I talked a little bit about, you know, a culture in

this sort of like practice of resiliency, that's really easier

to understand as an underwriter, when you have touch points with

your customer. And the reality is, when we get into that small

business space, particularly the micro minis, the expectations

and the needs are going to shift when it comes to securing

insurance, you're not going to be able to meet with every

business that only has like 5,6,7,8,9,10 employees out

there. And that's where you see a lot more technology augmented

underwriting taking place. Things like the technical

security scans to help evaluate risk are becoming much more

commonplace. And they are relevant and increasingly common

in the underwriting process in order to properly assess, you

know, that there's customers that you can't talk to and speak

through the resiliency culture.

Sure, sure, and I'm sure it is safe to

assume that even after an organization gets coverage, they

will be continually assessed, right. Just to make sure that

they they stay eligible for that, for that coverage. Is

that it's a really, it's a really good question. So

the way that these policies are structured, is that they are for

an annual term. And so this is another area where we've seen a

lot of improvement taking place within the cyber industry. You

have more call it human touch underwriting during the range

dual cycle. And that's an unfortunate reality, because

obviously, your server risk, you know, is is 365 days a year.

But, you know, there are human limitations, right. And so as

part of the renewal cycle, for the mid and large sized

accounts, an underwriter will sit there and actually

practically make their way through an underwriting

questionnaire application. Very separately, many of the large

global insurers invest in some of the security scanning that I

mentioned. And their goal there is to be proactive with their

policyholders to help identify vulnerabilities to help walk

through any issues that they're discovering with any other

policyholders that might have the potential for broader, you

know, application on their client base, and proactively

reaching out to those customers to talk through the issues

separately, certainly in the small business base, and for the

underwriters, or I shouldn't say the underwriters, for the

insurers who are supporting that business, then increased and

more regular reliance on the technology scans definitely

takes place. And they will provide feedback throughout the

policy year. And we're endeavoring to do that more and

more frequently in order to shore up the security of these

businesses who buy protection.

And I think that's a great way for an

organization to get a reality check on how they're doing from

a cyber defense standpoint. So that is something that is

definitely a strength of getting coverage from a provider and

getting the external validation, external feedback.

Absolutely. And I think I mean, that is the goal,

right? The goal is to make the insurance more meaningful to

drive adoption, to help people not just by the insurance, but

by adequate insurance that ultimately improve the user

experience.

You know, one more thing I wanted to share

with you. I heard this from a practitioner, that if we buy a

lot of cyber insurance, that often gives the impression that

we are not good at cyber. And it poorly reflects on the CISO and

the CISO function. Have you heard anything like this? Is

that Is it a common sentiment? Or was this an outlier?

Um, it feels like a common sentiment 10 years ago,

and hopefully more of an outlier now. And I think when the cyber

products were first becoming more commonplace, there was a

struggle for investment where you know, somebody like a CISO

might see it as a slight on their own capabilities. If a

cyber insurance product was purchased, there was also a lot

of noise around, well, if you just took that money that you

were using to buy insurance and gave it to me instead, I'd be

able to improve you know, our own controls, more

appropriately. I think that sentiment has changed. In the

last five to 10 years, there's been so much more connectivity

across the risk management. And again, we talked about a culture

resiliency and collaboration across stakeholders. We are now

seeing more CISOs at the table part of these underwriting

meetings, sharing their insights, actually, like

engaging with the insurers to say what could we be doing

better differently? You talked about validation earlier with

the scans. Sometimes what we're finding is that in the

underwriting community, when you provide the feedback to a

business and say, here's where you look good. And here's where

there's areas of improvement. The CISO actually perks up and

says, see, I've been telling you this all along. This is actually

external validation now, from from, from insurers who assess

my own peers as well. And it really validates a lot of what

they've been messaging internally.

Absolutely. Let's talk a little bit about

self-insurance mechanisms. To set up the question, I want to

read out a couple of sentences from an article. In a perfect

world, you may think that $2 billion in protection makes

sense. Today, that sort of purchase is impossible. But you

can develop a plan for getting there. It may involve buying

what you can now and possibly topping it up with

self-insurance mechanisms. Can you take it from here and shed

some light on the different types of self-insurance

mechanisms? Yeah,

absolutely. So, you know, again, these, there's a

lot of, you know, some of these questions are very rational and

reasonable. And we have to acknowledge, first where we are

as an industry, you know, the cyber market didn't exist. I

shouldn't say that. People will argue it existed, okay, because

there were certainly internet carve backs and technology carve

backs and some small, narrow cyber coverages that existed

years prior. But really, this industry is about 20 years old.

And currently, if every cyber writer took out their max line

available, their max capacity available, you know, maybe you

could get to about a billion in coverage. In reality, the

largest organizations out there, no matter how they've quantify

their cyber risk, aren't able to get coverage, excess of you

know, whatever it is 700 750 million. So in your example,

around 2 billion of coverage. There's they're absolutely

right, that that level of capacity is not yet available in

the market. We're working toward it. I mentioned earlier, some of

the pricing correction that's happened. That's because of

losses that have come in, when losses come in, these insurers

do reassess how much capacity they want to put up on any one

risk, right? So on any one business, how much coverage are

you willing to offer, in a profitability challenged time,

that level of capacity is going to reduce, and when things are

performing really, really well, that level of capacity will

increase. And currently, right now we're in more of a reduced

time period because of the loss environment and the risk

environment. So, you know, there's no way to get to 2

billion and cover for, you know, any one entity at this time as a

broader industry, we're definitely working towards that.

Part of that is around differentiating the coverages

more so the product itself being offered differently. Some of

that is around the the the technologies that can be

deployed in order to better understand you know, cyber risk,

hygiene and maturity. But we just don't have those those

challenges. Overcome yet there's still a lot of structural

constraints that are restricting that level of capacity. As for

organizations who are looking for more cover, certainly taking

on some risk themselves evidences It showcases

competence in where you are as an organization. So that's, you

know, retaining more risk itself insured retentions we see

captives becoming a more common discussion. So that's the idea

of setting up vehicles where you can absorb some of that risk

either down low, meaning when the loss first occurs, or buy

some insurance then potentially set up a captive to take it on

midway and then purchasing more insurance on top of that. But

there's a number of different ways to do it. It's just at this

point, given the Infancy of the market we are not able to scale

the way you would find with more mature areas of the business.

So, you know, as I'm hearing from you a

couple of inferences that I draw that the cyber security market

is still premature it is, it is moving towards maturity and

stability. I also heard that small businesses are not prone

to getting cyber insurance. In fact, there is data that

supports that. But all organizations should be

encouraged, because it should be part of their overall cyber risk

mitigation portfolio. But it's definitely not a substitute for

strong robust governance measures. So you don't buy

insurance so you don't have to do anything about it about cyber

risk management. It's not a cop out. Having said that, what are

some best practices that you notice, with organizations, and

I ask this, from a reflective standpoint, say you have your

work with a company that sought insurance. And then they were

able to establish that expectation from a control

standpoint, which got them the insurance coverage. And that

actually propelled them, just the fact that they want to

maintain the coverage, that propelled them to become more

cyber hygiene conscious, and they stayed more prepared than

ever before. So in other words, having cyber insurance gets the

organizational attention. And that is a good thing. That that

promotes, you know, efforts towards cyber resiliency, is

there any merit to this influence of mine?

Um, I think that, you know, when we look at the

key risk controls that matter most and attaining cyber

insurance, at this point, you're looking at multi factor

authentication, MFA, for remote access. And we're looking at

endpoint detection and response, you're looking at secured

encrypted tested backups, we're looking at privileged access

management. And we're looking at email filtering, and web

security. Those are the technical controls that are in

place and matter. And you mentioned the point around, you

know, making the decision of whether to buy cyber insurance

or kind of, in lieu of your own controls, I would say right now,

where the market is, you know, given it's been capacity

constrained, and given the fact that what we could call the hard

market conditions, meaning that insurers are increasing prices,

it's actually increasingly difficult to get cyber insurance

protection without those key controls in place. The softer

touch issues are around the cyber incident planning and

response and testing. So you know, if you have a cyber

product, you can do like tabletops, with incident

response, you have access to some of those key service

providers, but even without them, you know, without a

product, you know, you can put those plans in place. You can

look at, you know, the employee, you know, awareness training

that I mentioned earlier, the logging and monitoring of the

network protections, you can look at end-of-life systems

being replaced or protected, absences, a number of sort of

like behavioral control tactics that can be implemented as well.

Those are softer touch. So you kind of even can't get to that

point, or hear that feedback from a cyber insurer until you

have those more technical controls in place I mentioned

earlier.

I appreciate you making the

distinction between technical and then behavioral. I had one

last question and that relates to behavioral controls or the

softer touch as you were talking about, and that is, does the

insurance company take into consideration of how actively

engaged is top management? Is that a factor in the evaluation

of an organization's cyber risk and subsequently, the decision

of whether to give them coverage or give and how much stuff like

that? Yeah.

Yeah, no, absolutely. And sometimes, you

know, to be completely honest, sometimes you don't have a lot

of visibility in the underwriting process. So you

might hear about it, but you don't necessarily know for

certain. Here's what we do know though. You look at New York

State and the The Financial Services sort of regulatory, you

know, developments that were made several years ago. And what

you can see is that there's definitely an expectation now

around somebody like a CISO having a direct, you know, line

of communication, if not a direct reporting relationship to

C suite, you can look at C-suite who are increasingly under

pressure to elevate their their cybersecurity and an expectation

by consumers now that information, actually say

corporate confidential information to is adequately

protected. So I think that the needle is moving into this being

almost like an ESG related issue. And I think that's

validated by our discussions with, you know, rating agencies

and other, you know, regulatory bodies that cybersecurity is, is

very top of mind, it's instrumental to organization's

long term health, we see the impact on something like

shareholder perception and stock price when these big events

occur, particularly if there's an element of negligence within

them. And so, you know, this and it's not decreasing, right. It's

only increasing. And I would say that has global relevance.

That's not a US issue. It's it was, I would say, more of a US

issue previously. But it's definitely becoming more and

more prevalent, prevalent outside of the US as well. So,

so absolutely, if, if, in the handwriting community, if you

see top, you know, executive management, C suites paying

attention to these issues, there's a level of confidence

that the security team is going to get the attention the

investment, and the financial needs met in order to secure the

organization.

Fantastic. Well, on that note, we can end

unless you have any final thoughts, anything else that we

should have covered or talked about?

No, I mean, the last thing I'll say is, you

know, I know insurance as a whole can get it can get a bad

rap. And I would, I really like to think of the cyber market is

performing differently from that. There's huge amounts of

investment and attention being paid to helping organizations

understand the risk, helping them stay in front of it,

proactively notifying them if you know, vulnerabilities are

identified. And I look to the future and realize the needs

aren't being met now, but there is so much work being done and

so much left to do in order to make this, you know, a

sustainable and relevant market. So, hopefully, the audience

today found it helpful, but I'm available for any other

follow-up. questions.

Absolutely, thank you so much for your time,

it's much appreciated.

Thank you. Appreciate it.

A special thanks to Erica Davis for her

time and insights. If you liked what you heard, please leave the

podcast a rating and share it with your network. Also

subscribe to the show so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

The information contained in this podcast is for

episode.

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.