March 30, 2022

Is Cyber Insurance Necessary?

"Security experts are split on cyber insurance and its place in business, with just as many arguing that it is a useless add-on as an essential business enabler." A KPMG study indicated that these policies were not overly trusted by business leaders. In this podcast episode, Erica Davis, Global Co-Head of Cyber, Guy Carpenter & Co, discusses at length the different types of coverages, how underwriters evaluate and assess cyber risks, the current state of the market, re-insurance mechanisms, and more. She also offers valuable guidance on how to plan and approach cyber insurance-related decisions.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-22-is-cyber-insurance-necessary/

 

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.



Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I'll be talking with Erica Davis, Managing Director and Global Co-Head of Cyber for Guy Carpenter. Prior to this, Erica led Guy Carpenter's North America Cyber Center of Excellence. She has years of cyber professional and multi-line underwriting expertise. Erica is a key contributor to the public sector dialogue around cyber insurance, and has provided testimony to the House Small Business Committee as an expert witness in cybersecurity insurance. As a prominent leader in understanding cyber risk at an enterprise level, Erica has presented at the National Institute of Standards and Technology, and has contributed to several publications, events, articles, and interviews in the industry. Erica, welcome. Thanks for making time to share your thoughts and perspectives with the listeners.



Erica Davis:

Thanks so much for having me.



Dr. Dave Chatterjee:

So let's begin by talking about you, your professional journey. Your current role at Guy Carpenter.



Erica Davis:

Sure, thanks. Thanks again for having me today. And yeah, you know, I really got started in the insurance industry by focusing on technology risk. And so I spent the first 10 years of my career at Chubb, underwriting all lines of business. So general liability, workers compensation, auto, intellectual property, errors and omissions, but with a focus on information and technology risk. So always thinking about what's coming next in terms of emerging exposures. Before I moved over to Zurich, still in an underwriting capacity, still with technology top of mind, but built their book of business, ultimately taking greater responsibility for general industry and financial institutions. And some other risk outside of that. But what I learned in staying closely connected to the technology risk was that there was an opportunity for cyber products, cyber insurance risk transfer solutions to find a home within the industry, as interconnectivity and reliance on technology grew. And so I moved over to that side of the business with a specialization in cyber and professional liability in 2012. At that point, the industry was just beginning to grow its expertise. And truly its acknowledgement of how far reaching and massive cyber risk was going to become. And so, you know, Zurich wasn't alone in building specialized products and expertise in that space, and I worked there until about four years ago, about 2018. Still on the underwriting side, and focusing on cyber risk transfer products. Ultimately, what I learned was that the insurance space was beginning to craft solutions for the business community, who are also becoming increasingly aware of how cyber risk could manifest, you know, within their organization and also outside of their four walls. So looking at various supply chain risks when it comes to cyber. And the industry at that point had grown to a size of about 4 billion in gross written premium, still very small compared to some of the more traditional lines of business out there. But there was a lot of work to be done on the reinsurance side, which was the insurance that sits behind insurance companies, kind of simply put, and there needed to be more expertise in that space in order to build capacity to grow and support the insurance side of the house. And so I made the move over to the insurance and reinsurance broking about four years ago. And I've been with Guy Carpenter in increasing roles since that time.



Dr. Dave Chatterjee:

Good to know. Thanks for the intro. So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you, and if they have any questions of interest. So one of them sent this to me, he said, "Why should we get cyber insurance now? It seems that the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure?" How would you react to that statement or question?



Erica Davis:

Yeah, so just to sort of set the stage for, you know, the buying community within cyber, about 40% of all organizations across the US purchase a cyber insurance product. And that number is more heavily skewed towards mid-sized and large companies, more so than small, micro, mini-sized organizations. Oftentimes, that's because there's been a more sophisticated risk assessment process in place for, you know, cyber risk on those larger sized entities. And in the US, there's actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment. So businesses in the US are geared to protect private and confidential information in a way that's still developing outside of the US. Certainly, regions such as, you know, Europe, UK, have strong regulatory position now that have developed and the buying habits of the business community have accelerated as a result of that. But even in the US, companies that have a more regulated or I should say, more regulatory sort of focused mindset, somebody like health care, financial institutions, were early adopters of the product. And your friend or your contact is correct that in the last 12 to 18 months, the price of cyber products has increased significantly. What I would suggest is that's really a reflection of the losses that have been paid out by the industry, so some pricing correction that's occurred because of that, but also an escalating risk environment where we've seen things like, you know, geopolitical tensions increase, we've seen ransomware threats increase, we see greater risk because of interconnectivity. And so you don't see pricing change without cause. Cyber products are still fairly inexpensive when you look at the cost of other, you know, mandatory purchases within, I'll call it, the risk management package. But yes, you know, the businesses do need to take stock of what's at risk, what sort of digital assets they have. The discussion around whether to purchase a product is a very healthy risk management discussion. There will be potential businesses that instead elect to invest in their own information security, or should say, like architecture. And if that makes sense for them, then, you know, that's certainly a choice they can make. It's not a mandatory purchase at this time. It's still discretionary in nature. And sorry for the long-winded answer, but I would just, I would just add to that, you know, cyber products are a little bit different than the traditional products that are offered by insurance companies, and that cyber products offer you pre-breach services. So things like discounted rates for forensics, public relation firms, you know, legal sort of breach coaches, all that which, you know, you can establish relationships with and access at a discounted rate, and then incident response services too, so that if and when the bad event does occur, your resiliency and responsiveness has increased by having a product in place. So, prices have gone up. And yes, that's true, but I still think it's a very valuable product for businesses to consider.



Dr. Dave Chatterjee:

Good to know, good to know, in fact, I was reviewing a KPMG study where they surveyed senior information security professionals, and 74% of the respondents said they had no cyber insurance. And they mentioned mistrust of insurers honoring policies appeared to be one challenge. And they also mentioned that the market not being very mature, and I believe you've addressed that. But then I'm just curious to know, as somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say, from the standpoint of a cyber risk insurer?



Erica Davis:

You know, I understand those challenges. Certainly I've heard them firsthand, especially in my underwriting days. I think, when we consider insurance, as buyers of products, we think about something like tangible assets, what if my home burns down, how much damage is there, you can see a fire, you can smell a fire. Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations. And it gets even more complex when we think about measuring cyber risk outside of, you know, your own sort of entity's four walls, and you look at supply chain, and you look at potential non-physical impacts that could affect you. COVID is one example of where we saw that brought to life, right? We saw supply chain severely disrupted, we saw transformation of data exchanges. So there's a lot of lessons to be learned there. But when we protect intangible assets, and we think about nonlinear exposures, like cyber risk, that's difficult. And having a product that appropriately addresses those issues is also challenging for the buying community to understand. Quite frankly, as an industry, I don't think we've done a really great job at defining it and helping businesses to fully grasp what a cyber product offers. But we are getting better at it. We're definitely seeing adoption of the product increase. But I do, we definitely have work to do as an industry to help businesses through those complexities.



Dr. Dave Chatterjee:

True, very true. Many of the listeners are possibly thinking about cyber insurance, but they're not sure from where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them, any recommendations?



Erica Davis:

I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk. I think right now, there aren't, there isn't a level of consistency across cyber products. Again, it's easy for the business community to understand, you need to work with a broker who can explain the differences. And those pre- and post-breach services to you, which are a huge part of the value of a cyber insurance product, you need somebody who fully comprehends the nuance of the various policy languages that are out there and can make sure that they tailor a product and design a product that fully suits the needs of the buyer. Some of these more specialized brokers can also provide the quantification services to help inform your decision of whether to buy a product or whether to invest in your own security or to self-insure is the right answer for you.



Dr. Dave Chatterjee:

Okay, good to know. And when, when someone is evaluating a cyber insurance policy, what are some elements that one should be looking out for? What are some, what maybe if I would rephrase the question, what are some key elements of a good cyber insurance policy, if there is anything like that?



Erica Davis:

So most of the cyber insurance products that are available, actually, let me reframe this a little bit. There are cyber coverages that can be offered through traditional lines of business. You might purchase a property policy and have some level of coverage available to you through something like business interruption, say something like downtime originating from a cyber related event. You might have something offered through general liability or professional liability that allows liability from a cyber related event. When you purchase a cyber dedicated product, it is a hybrid between first party and third party. And so what I mean by that is the liability aspect. So something like network and security, privacy liability, some elements of media liability, but it also includes first party coverages. So things like your costs out of pocket for forensics response, something like, you know, legal services, something like public relations, and then most importantly, business interruption and dependent business interruption. Some of the coverages that have gotten quite a lot of attention lately have been around the forensics of business interruption and extortion payments. That's largely because of the proliferation of ransomware over the last 36 months or so. So, you know, each of those coverages is valuable, it really depends on what segment of the business you operate in. So if you're somebody like, you know, a health care provider, you definitely don't want to provide, you don't, you don't have a cyber product that only has, for example, like first party coverages, you want to make sure that you have liability aspects. If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption and extortion payment coverages offered into the first party. So I would say it's really important to understand, you know, what coverages are most applicable given your class of business.



Dr. Dave Chatterjee:

Now, is it fair to assume that an organization that has very robust and mature cyber governance processes is likely to get a better deal?



Erica Davis:

So, yeah, I responded a few different ways. So when we think about traditional underwriting of cyber risk, certainly the goal there is to differentiate customers based on their level of cybersecurity maturity. Your goal as an underwriter is to flesh out, you know, the good risk from the not so good risk and differentiate and either decline the not so good risk, because it's certainly possible right now, the businesses aren't able to secure a cyber insurance because they just don't have risk controls that are up to a level of expectation. But even within that spectrum of good and not so good, being able to differentiate pricing and terms on the policy is a reflection of those practices and protocols in place. It is important to mention that cyber underwriting extends beyond pure evaluation of the level of security controls. And it includes things like, you know, culture resiliency, and stakeholder connectivity, and is your HR team talking with your legal team and talking with your product dev team in, in, in practicing and promoting good cyber standards, and things like employee training, for example, can come into play. And so part of this is the security itself of an organization, but part of this is around the culture that's created. And then also, like, I know, I've talked about supply chain a couple of times, but how are you looking outside of your own organization and assessing risk across, you know, upstream, downstream and your entire supply chain?



Dr. Dave Chatterjee:

Very interesting, very interesting. In fact, when you mentioned culture resiliency, you know, it resonates with me very well, because I recently published a book, where I talk about the importance of creating and sustaining a high-performance information security culture, and I provide organizations with scorecards to make an assessment along three dimensions -- commitment, preparedness, and discipline. So I'll be curious to know that based on your experience of assessing culture resiliency, what are the things that you all look for, as an insurance company?



Erica Davis:

So, um, so, you know, a few different things there. Right. So, you know, kind of, you know, go back to the NIST guidelines, right? You have things like identifying your assets, and, you know, detecting Tricia evidence but it's also more around like the disaster recovery, right? How are you bringing your employees into the discussion? How are you identifying your key providers, suppliers, customers? How are you protecting and, you know, and restoring, right, your sort of data assets if something does happen. So I think, you know, this is an ongoing exercise happening within organizations. Certainly the underwriting is also evolving as a result of that. I talked a little bit about, you know, a culture in this sort of like practice of resiliency, that's really easier to understand as an underwriter, when you have touch points with your customer. And the reality is, when we get into that small business space, particularly the micro minis, the expectations and the needs are going to shift when it comes to securing insurance, you're not going to be able to meet with every business that only has like 5, 6, 7, 8, 9, 10 employees out there. And that's where you see a lot more technology augmented underwriting taking place. Things like the technical security scans to help evaluate risk are becoming much more commonplace. And they are relevant and increasingly common in the underwriting process in order to properly assess, you know, that there's customers that you can't talk to and speak through the resiliency culture.



Dr. Dave Chatterjee:

Sure, sure, and I'm sure it is safe to assume that even after an organization gets coverage, they will be continually assessed, right. Just to make sure that they stay eligible for that, for that coverage. Is



Erica Davis:

that it's a really, it's a really good question. So the way that these policies are structured is that they are for an annual term. And so this is another area where we've seen a lot of improvement taking place within the cyber industry. You have more, call it, human touch underwriting during the renewal cycle. And that's an unfortunate reality, because obviously, your server risk, you know, is 365 days a year. But, you know, there are human limitations, right. And so as part of the renewal cycle, for the mid and large sized accounts, an underwriter will sit there and actually practically make their way through an underwriting questionnaire application. Very separately, many of the large global insurers invest in some of the security scanning that I mentioned. And their goal there is to be proactive with their policyholders to help identify vulnerabilities, to help walk through any issues that they're discovering with any other policyholders that might have the potential for broader, you know, application on their client base, and proactively reaching out to those customers to talk through the issues. Separately, certainly in the small business base, and for the underwriters, or I shouldn't say the underwriters, for the insurers who are supporting that business, then increased and more regular reliance on the technology scans definitely takes place. And they will provide feedback throughout the policy year. And we're endeavoring to do that more and more frequently in order to shore up the security of these businesses who buy protection.



Dr. Dave Chatterjee:

And I think that's a great way for an organization to get a reality check on how they're doing from a cyber defense standpoint. So that is something that is definitely a strength of getting coverage from a provider and getting the external validation, external feedback.



Erica Davis:

Absolutely. And I think, I mean, that is the goal, right? The goal is to make the insurance more meaningful to drive adoption, to help people not just buy the insurance, but buy adequate insurance that ultimately improve the user experience.



Dr. Dave Chatterjee:

You know, one more thing I wanted to share with you. I heard this from a practitioner, that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Have you heard anything like this? Is that, is it a common sentiment? Or was this an outlier?



Erica Davis:

Um, it feels like a common sentiment 10 years ago, and hopefully more of an outlier now. And I think when the cyber products were first becoming more commonplace, there was a struggle for investment where, you know, somebody like a CISO might see it as a slight on their own capabilities if a cyber insurance product was purchased. There was also a lot of noise around, well, if you just took that money that you were using to buy insurance and gave it to me instead, I'd be able to improve, you know, our own controls, more appropriately. I think that sentiment has changed. In the last five to 10 years, there's been so much more connectivity across the risk management. And again, we talked about a culture resiliency and collaboration across stakeholders. We are now seeing more CISOs at the table, part of these underwriting meetings, sharing their insights, actually, like engaging with the insurers to say what could we be doing better, differently? You talked about validation earlier with the scans. Sometimes what we're finding is that in the underwriting community, when you provide the feedback to a business and say, here's where you look good, and here's where there's areas of improvement, the CISO actually perks up and says, see, I've been telling you this all along. This is actually external validation now, from insurers who assess my own peers as well. And it really validates a lot of what they've been messaging internally.



Dr. Dave Chatterjee:

Absolutely. Let's talk a little bit about self-insurance mechanisms. To set up the question, I want to read out a couple of sentences from an article. In a perfect world, you may think that $2 billion in protection makes sense. Today, that sort of purchase is impossible. But you can develop a plan for getting there. It may involve buying what you can now and possibly topping it up with self-insurance mechanisms. Can you take it from here and shed some light on the different types of self-insurance mechanisms?



Erica Davis:

Yeah, absolutely. So, you know, again, these, there's a lot of, you know, some of these questions are very rational and reasonable. And we have to acknowledge first where we are as an industry. You know, the cyber market didn't exist. I shouldn't say that. People will argue it existed, okay, because there were certainly internet carve backs and technology carve backs and some small, narrow cyber coverages that existed years prior. But really, this industry is about 20 years old. And currently, if every cyber writer took out their max line available, their max capacity available, you know, maybe you could get to about a billion in coverage. In reality, the largest organizations out there, no matter how they've quantified their cyber risk, aren't able to get coverage excess of, you know, whatever it is, 700, 750 million. So in your example, around 2 billion of coverage, they're absolutely right that that level of capacity is not yet available in the market. We're working toward it. I mentioned earlier some of the pricing correction that's happened. That's because of losses that have come in. When losses come in, these insurers do reassess how much capacity they want to put up on any one risk, right? So on any one business, how much coverage are you willing to offer? In a profitability challenged time, that level of capacity is going to reduce, and when things are performing really, really well, that level of capacity will increase. And currently, right now we're in more of a reduced time period because of the loss environment and the risk environment. So, you know, there's no way to get to 2 billion in cover for, you know, any one entity at this time. As a broader industry, we're definitely working towards that. Part of that is around differentiating the coverages more, so the product itself being offered differently. Some of that is around the technologies that can be deployed in order to better understand, you know, cyber risk, hygiene and maturity. But we just don't have those challenges overcome yet. There's still a lot of structural constraints that are restricting that level of capacity. As for organizations who are looking for more cover, certainly taking on some risk themselves evidences, it showcases competence in where you are as an organization. So that's, you know, retaining more risk, self-insured retentions. We see captives becoming a more common discussion. So that's the idea of setting up vehicles where you can absorb some of that risk either down low, meaning when the loss first occurs, or buy some insurance, then potentially set up a captive to take it on midway and then purchasing more insurance on top of that. But there's a number of different ways to do it. It's just at this point, given the infancy of the market, we are not able to scale the way you would find with more mature areas of the business.



Dr. Dave Chatterjee:

So, you know, as I'm hearing from you, a couple of inferences that I draw: that the cyber security market is still premature; it is moving towards maturity and stability. I also heard that small businesses are not prone to getting cyber insurance. In fact, there is data that supports that. But all organizations should be encouraged, because it should be part of their overall cyber risk mitigation portfolio. But it's definitely not a substitute for strong robust governance measures. So you don't buy insurance so you don't have to do anything about it, about cyber risk management. It's not a cop out. Having said that, what are some best practices that you notice with organizations? And I ask this from a reflective standpoint, say you have your work with a company that sought insurance. And then they were able to establish that expectation from a control standpoint, which got them the insurance coverage. And that actually propelled them, just the fact that they want to maintain the coverage, that propelled them to become more cyber hygiene conscious, and they stayed more prepared than ever before. So in other words, having cyber insurance gets the organizational attention. And that is a good thing. That promotes, you know, efforts towards cyber resiliency. Is there any merit to this inference of mine?



Erica Davis:

Um, I think that, you know, when we look at the key risk controls that matter most in attaining cyber insurance, at this point, you're looking at multi-factor authentication, MFA, for remote access. And we're looking at endpoint detection and response, you're looking at secured, encrypted, tested backups, we're looking at privileged access management. And we're looking at email filtering and web security. Those are the technical controls that are in place and matter. And you mentioned the point around, you know, making the decision of whether to buy cyber insurance or kind of, in lieu of your own controls. I would say right now, where the market is, you know, given it's been capacity constrained, and given the fact that what we could call the hard market conditions, meaning that insurers are increasing prices, it's actually increasingly difficult to get cyber insurance protection without those key controls in place. The softer touch issues are around the cyber incident planning and response and testing. So you know, if you have a cyber product, you can do like tabletops with incident response, you have access to some of those key service providers, but even without them, you know, without a product, you know, you can put those plans in place. You can look at, you know, the employee, you know, awareness training that I mentioned earlier, the logging and monitoring of the network protections, you can look at end-of-life systems being replaced or protected, absences, a number of sort of like behavioral control tactics that can be implemented as well. Those are softer touch. So you kind of even can't get to that point, or hear that feedback from a cyber insurer, until you have those more technical controls in place I mentioned earlier.



Dr. Dave Chatterjee:

I appreciate you making the distinction between technical and then behavioral. I had one last question, and that relates to behavioral controls or the softer touch as you were talking about, and that is, does the insurance company take into consideration how actively engaged is top management? Is that a factor in the evaluation of an organization's cyber risk and, subsequently, the decision of whether to give them coverage or give, and how much, stuff like that? Yeah.



Erica Davis:

Yeah, no, absolutely. And sometimes, you know, to be completely honest, sometimes you don't have a lot of visibility in the underwriting process. So you might hear about it, but you don't necessarily know for certain. Here's what we do know though. You look at New York State and the financial services sort of regulatory, you know, developments that were made several years ago. And what you can see is that there's definitely an expectation now around somebody like a CISO having a direct, you know, line of communication, if not a direct reporting relationship, to C-suite. You can look at C-suite who are increasingly under pressure to elevate their cybersecurity, and an expectation by consumers now that information, actually say corporate confidential information too, is adequately protected. So I think that the needle is moving into this being almost like an ESG-related issue. And I think that's validated by our discussions with, you know, rating agencies and other, you know, regulatory bodies that cybersecurity is very top of mind, it's instrumental to organizations' long-term health. We see the impact on something like shareholder perception and stock price when these big events occur, particularly if there's an element of negligence within them. And so, you know, this, and it's not decreasing, right. It's only increasing. And I would say that has global relevance. That's not a US issue. It was, I would say, more of a US issue previously. But it's definitely becoming more and more prevalent outside of the US as well. So absolutely, if, in the underwriting community, if you see top, you know, executive management, C-suites paying attention to these issues, there's a level of confidence that the security team is going to get the attention, the investment, and the financial needs met in order to secure the organization.



Dr. Dave Chatterjee:

Fantastic. Well, on that note, we can end unless you have any final thoughts, anything else that we should have covered or talked about?



Erica Davis:

No, I mean, the last thing I'll say is, you know, I know insurance as a whole can get a bad rap. And I would, I really like to think of the cyber market as performing differently from that. There's huge amounts of investment and attention being paid to helping organizations understand the risk, helping them stay in front of it, proactively notifying them if, you know, vulnerabilities are identified. And I look to the future and realize the needs aren't being met now, but there is so much work being done and so much left to do in order to make this, you know, a sustainable and relevant market. So, hopefully, the audience today found it helpful, but I'm available for any other follow-up questions.



Dr. Dave Chatterjee:

Absolutely, thank you so much for your time, it's much appreciated.



Erica Davis:

Thank you. Appreciate it.



Dr. Dave Chatterjee:

A special thanks to Erica Davis for her time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.



Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.