Ep. 20: How (and Why) to Make Friends with Your Cyber Insurer
Unlike other forms of insurance that you buy and then tuck away in hopes of never having to deal with it, cyber insurance “is an ongoing dialogue between a carrier and policy holder,” says Peter Hedberg, a vp at Corvus Insurance. Here’s how to get that relationship started.
Insurance gets a bad rap generally, and yet when it comes to cyber insurance, the relationship between an enterprise and its insurer can (and should) be anything but adversarial.
It is far wiser to see your cyber insurer as a partner, so you can leverage the wide variety of tools, industry-wide info-gathering, and overall expertise that these insurers have to offer. We discuss here how cyber operates as a unique specialty within the insurance world, and the specific skills and services a top-notch cyber insurer should be able to provide.
Host: Mike Curran, vp of global talent, Tanium
Guest: Peter Hedberg, vp of cyber underwriting, Corvus Insurance
Show notes
For more info on cyber insurance, check out our articles in Focal Point, Tanium’s award-winning online cyber news magazine, and these other useful resources.
- Make Friends with Your Cyber Insurance Agent, Part 1—Why It Matters | Focal Point
- Make Friends with Your Cyber Insurance Agent, Part 2—The Steps to Take Now | Focal Point
- Cyber Insurance Rates Have Dropped a Lot. What Gives? | Focal Point
- 5 Myths – and Realities – About Cyber Insurance | Focal Point
- How the Ukraine War Impacts Cybersecurity Insurance | Focal Point
- Does Getting Cyber Insurance Have to Be So Painful? | Tanium
- Risk Assessments That Can Ease Your Cyber Insurance Underwriting Journey | Tanium (data sheet)
- Organizations Leveraging Tanium with Their Cyber Insurance Providers – The Power of Certainty | Tanium (white paper)
Transcript
The following interview has been edited for clarity.
Mike Curran: Insurance agents are often compared to dentists: They’re necessary but sometimes associated with painful procedures and events. Hi, I’m Mike Curran, VP of global talent here at Tanium, and today on Let’s Converge, we’re going to discuss how and why you should get to know your cyber insurer.
When an attack occurs, it’s going to be kind of a scrambled environment, and that’s not the time to begin a relationship with your insurer. Today I’m joined by Peter Hedberg. Peter is the VP of cyber underwriting at Corvus Insurance. Peter has 20-plus years of experience. Corvus is powered by an artificial intelligence platform that is deployed to scan and spot cyber risks in their client’s environment. And we’re going to get into that in a minute. But first and foremost, welcome to the podcast, Peter.
Peter Hedberg: Thanks for having me, guys.
Curran: Well, we’re calling this podcast “How and Why to Make Friends with Your Cyber Insurer,” and we will get to the how, but let’s start with the why. Why should companies make friends and get to know their cyber insurer?
Hedberg: I think insurance, like the dentist, it’s somebody you don’t want to see very often. And I think when it comes to dealing with insurance and insurance agents, I think people say, look, this is somebody who’s going to take my money and hand me a piece of paper. That’s the big criticism of insurance, and I understand it. There’s a lot of history of insurance to indicate that people didn’t get the value they expected.
Cyber is very much an exception in that regard, and unlike a property policy, where you buy at the beginning of the year, get your policy, put it up on a shelf and hope you never have to make that call or deal with it, cyber is an ongoing dialogue between a carrier and the policyholder. Now it is a relationship that’s unlike any other in the insurance industry, and that’s because the risk and the exposure are evolving throughout the year.
I’ll give you a great example: We do a lot of active scanning on our policy book. A property insurer doesn’t stop by midterm to check on buildings. They don’t care. They haven’t made an investment in that. That’s not how they do it. They’ll do it once a year, whereas we’re scanning monthly, quarterly, and when new exposures arise. So in March of 2021, we had the on-premises Microsoft Exchange vulnerability that got released. We were able to scan all of our customers, figure out who had that exposure and get in touch with them midterm on the policy. Now, I have no contractual mechanism to make them comply, but I can tell you that a lot of them called me back and said, I didn’t know about this, thank you. And they patched.
So that’s an active style of risk management that you don’t really see with a lot of other types of insurance.
Curran: That’s interesting. When you talk about cyber insurance companies having tools, talk a little bit about the tools that you guys have and how you deploy them.
Hedberg: So we do a lot of outside scanning, and you’d be surprised at what we can get from those scans. We can find critical vulnerabilities, especially with remote desktop, which is currently a very large exposure still, especially with publicly exposed ports. We can find out what type of email gateway you’re using or if you’re using one at all, or if you’re just going to use whatever native filtering you’re getting from your email service. All of that feeds into a score, and that score translates to a rate for us. Now, the stuff that’s behind the firewall that we can’t scan for obvious security reasons, we can ask a lot of that on an application. So we’ve had to blend traditional underwriting with our technical capabilities to arrive at pricing for our insureds.
Curran: So Peter, tell me about pixel-tracking software and why it’s an issue.
Hedberg: It’s a great question. I think there’s a lot of focus on what we call first-party risk within cyber right now, and that’s ransomware and network interruption and business lost income and all those sorts of things. But unfortunately one thing we’ve been seeing rise is what we call third-party risk. And that’s risk that’s brought by the plaintiff’s bar. Very creative lawyers are now starting to use arcane and kind of obscure laws to bring lawsuits, especially class action lawsuits. They’re targeting laws that have what are called private right of action, which allows plaintiffs to bring damages or just allege some sort of violation of a law against a third party.
One of the prominent ones we’ve seen now is pixel-tracking software. And the reason why it’s dangerous is a lot of organizations use it and don’t know they’re using it, and they may have engaged with a marketing consultant or some advertising agency that has engaged or used that software and didn’t tell them because it’s just considered standard.
So what pixel-tracking software does is actually track the movements and the navigation of users on a website, and if they can figure out the IP address of whatever user, you can actually relatively [easily] turn up an identity. The challenge with this is, especially with healthcare, if you’re on a healthcare website and you have your IP address and say you’re looking at knee surgeries or whatever the expertise of that hospital is, that could reveal some diagnosis on your part and for who you are. And that information is being collected and it’s being used for marketing purposes. So you’ve more or less kind of given away some health information about yourself, and you never really consented. Or if you did, you consented to a very long privacy policy on a website that you’re not going to read and was not probably made very clear to you.
So if you notice when you go to websites now, they’re very big on disclosing to you that they’re going to put a cookie on your website if you want it and you make those selections. Well, that’s not a process that’s been happening for pixel-tracking software for a really long time. No one’s ever disclosed that they’re doing it. So we’re seeing a really big rise in what we call wrongful collection lawsuits. It’s not just isolated to pixels. That one’s grabbing most of the headlines right now, but we’re having issues with biometric collection, especially with manufacturers where people have to thumbprint in or eye-scan in and that sort of thing.
And again, the disclosures just aren’t robust enough. And so the plaintiff’s bar, unfortunately – I call them the legal hackers. So I’ve got my hackers and then I’ve got my legal hackers and they’re very, very creative at this.
So unfortunately that’s triggering more losses that we haven’t really anticipated. It’s hard to price for it and it’s kind of hard to underwrite. The big question we ask now is what data do you collect? Why do you collect it? How long do you hold it and do you really need it?
I think there’s a feeling that data is oil, right? It’s the new oil, so let’s get as much of it as we can. But it’s not, I mean, it’s the new liability.
Curran: Are there certain industries that are more susceptible to the pixel tracking software?
Hedberg: Right now financial institutions to a certain extent, but really it’s healthcare. The focus is on healthcare, and as you’ve probably seen in the news, healthcare is a continued target for ransomware, too. So unfortunately healthcare organizations have it coming from both ends, the first and the third party.
Curran: OK. Interesting. So I imagine cyber insurers have a team on hand if an attack occurs. What’s the makeup of that team? Who’s the first call and how does that deploy? If an attack occurs, what kind of team would you put on the case?
Hedberg: Yeah, absolutely. So this is my first public service announcement. There will probably be a couple, but when you have a ransomware attack or an event, your first call should probably be to your IT director if they’re not involved to try to assess what’s going on. But the second call should be to your insurer. Unfortunately, we have a lot of situations where people get very scared, for good reason. They’ll call a forensics company to try to ascertain what’s going on. They’ll run up a huge schedule of work and then they’ll bring us all those costs and they’ll say, here, you’re the insurer, you pay.
Unfortunately, mechanically, that’s not how it works. We have relationships with several vendors. We have preferred rates with them, we have longstanding relationships with them, and we have them teed up to engage in that work right away. Not only are you getting the benefit of the rates that we’ve negotiated, but you’re also getting the benefit of our work vetting them to make sure that they’re going to do a good job.
Every single IT company that you work with, every single in-house counsel or outside counsel that you work with is going to tell you they’re an expert in this. Statistically, they’re probably not. So the relationships that we’ve gone out and vetted and secured are firms that we know are going to get the job done and they’re going to get it done at a very reasonable price. So that team gets engaged. So the first person that gets engaged is us. We then refer to what we call a breach counsel or a breach coach that’s typically an attorney. So a law firm gets assigned and then they act as the general contractor. They find out what all the exposures are — do we have privacy liability exposed? Do we have data exposed? And how much is the ransom and who’s asking for it? And that’s when we’ll engage forensics, data forensics.
Curran: OK.
Hedberg: Further down the line within a claim, we may engage in accounting forensics to figure out what the actual loss was on your income. But yeah, that’s typically the triangle: us as the insurer, the breach coach, and then forensics. That’s what forms the team that is engaged in solving these.
Curran: Interesting. So, Peter, let’s say I’m a client. How am I going to get a comfort level that the team that you’re going to recommend to manage the attack is the best team? I mean, how do you continually vet the folks that you put on as your preferred providers, whether it’s threat management or whatever function it may be? How do you go about vetting the team that Corvus recommends?
Hedberg: Really, it’s based on the relationship – the length of those relationships and the experience that’s being brought to the table with those individuals. Cyber has been around long enough now that we’ve gained a very good familiarity with the competence of certain individuals. Now, whether they change the brands on their business card, I understand that and that’s fine, but we know who these teams are and we know how well they perform. That’s what we do as an insurer; we’re maintaining those relationships so you don’t have to go out and vet all those.
Also, just another public service announcement to any of the policyholders: The relationships that we have, we don’t put behind some sort of firewall. You’re welcome to know who they are. We have what we consider a panel of preferred vendors that we use. You’re welcome to ask for it anytime, and we’ll provide it. And if there’s one in particular that you have a relationship with or you’d like to secure ahead of time, those are arrangements that can be made typically.
Curran: As a client, I can imagine they would love that transparency and the velocity that comes from a team that’s used to working with each other, which is going to be important at the beginning of an attack. But overall, how open are clients to suggestions and do you get pushback – especially if it’s the first attack they’ve had? I mean attacks happen on a regular basis, but if it’s the first attack, I mean, how open are clients to suggestions?
Hedberg: I’ve actually found this kind of interesting. There’s been an evolution. So at the outset, most of our clients have said, “Pay the ransom, do whatever we have to do to get us up.” And we’ve been the one that’s come back and said, “You don’t have to pay the ransom; the integrity of your backups is sufficient. We haven’t detected enough exfiltration that we think that you need to pay for a deletion key.” So it appeared that we, as the insurer, didn’t want to pay a ransom because it would increase the cost. But that really wasn’t the case. It was just a wiser use of your money to just restore your system with what we have now.
What’s ended up happening now is public perception for paying ransoms has really turned negative, and I don’t blame them. These ransoms are buying bombs to kill Ukrainians. It’s kind of what’s happening. So one of the things we have now is we have policyholders that don’t want to pay the ransom, and it’s our recommendation to actually pay the ransom because the integrity of the data that they have on their side is not good enough and it may actually inhibit their business going forward, and maybe it does make the most sense to pay that ransom. So when we talk about friction right now, it really is about whether you pay or not. And I don’t have a good answer for you in general because every single circumstance and situation calls for a different answer right now.
Curran: Yeah, I can imagine. So we talked a little bit about the why. Let’s get to the how. What’s the right agent and what questions should I be asking a cyber insurer if I’m having initial conversations?
Hedberg: Having a good agent when it comes to this is a little bit harder than you might think. It’s a very new area of insurance.
Most insurance agents have a really good competency in general liability, property, auto, all the traditional lines of insurance. You’re going to want to have an agent that has a specialty department. Specialty is a very small segment of insurance, but it covers what we call the sexy stuff: directors and officers liability, employment practices liability, professional, or what we call E&O. But another thing they handle is cyber. So you want to make sure that your agent has a competency with that or an individual that’s designated as their cyber person.
They’re also, if they’re worth their salt, going to be able to answer a lot of technical questions. So you don’t just put your insurance buyer or your CFO in front of them; you can bring your IT director in the room and have a pretty nerdy conversation about what’s on that application. The sign of a pretty good agent is if they can go deep on that stuff, because it’s technical now.
And it used to be the finance department, that was their discipline. They bought the insurance. They didn’t care what other departments thought about the impact of that insurance, necessarily. It was about what was good for the company, what’s the price, what are the terms? This conversation needs to involve IT departments now, so the agents need to have people who can talk to IT directors. And so that’s a discipline that’s now starting to emerge more with agents, but if you’re looking for a good agent, that’s what you want to be looking for. Somebody who can have those conversations on the agent side.
Curran: Yeah, that makes a lot of sense considering how unique every attack is. There’s some commonalities, of course, but every attack, depending on the customer’s IT environment, is going to be unique. So you need somebody who can peel back the onion. So that makes a lot of sense.
Are you seeing a lot of risk officers at companies that typically didn’t have them before? Is that something you’re seeing more of in the market?
Hedberg: Yeah, the C-suite’s getting to be kind of crowded. There’s a lot more chairs now.
Curran: Yeah, the CRO is not the chief revenue, it’s the chief risk officer as well, not just revenue officers. Right?
Hedberg: Yeah, we’re going to need to standardize these at some point too. I’m very happy to see the discipline of CISO getting adopted at organizations now. So it used to be the IT director and then general counsel held some of the privacy, but now CISO is sort of hybridizing those responsibilities and they’re turning corporate security into a boardroom concern.
I think boardrooms looked at IT for many years as a cost center – this is just what it costs to put computers in people’s hands and get the job done. Now, after all of these high-profile events, boards realize that they have a huge exposure here too. So they want to make sure they have an individual on the board who speaks that language and is entrusted with the hygiene of the organization. So I’m heartened to see that become a discipline. Unfortunately, there is a dearth of CISOs in the market, so if you’re a security analyst and that’s something you want to take on… – because it’s one thing to be a security analyst; it’s quite another thing to sit on a board and have all that responsibility.
Being a CISO is hard. You’re the goalie of the industry, OK? You will not get praised when you do your job every day and [the company is] safe. You will take a massive hit if for some reason you do get hacked. It’s not fair: These guys wake up every day, they do a phenomenal job, and they don’t usually get praised for it. So just consider the psychology of that for a second.
Curran: That makes a lot of sense.
So that kind of leads to the question of when it’s good times, and you’re not getting attacked and you’re not being called and you’re doing your job as a CISO. What is the proper cadence to keep in touch with your cyber insurer when there’s no crisis going on?
Hedberg: Well, a lot of cyber insurers have online tools now that offer self-assessments and that offer continued reporting to me. I would let the conversation get initiated by your carrier. I don’t think you need to be the one to check in, although I do think it’s worth logging in to check what your latest score is and what the feedback is there. But I think you can depend on a good insurer to get in touch when they have to.
So, you should be proactive if there are concerns that the insurer had, say, Hey, I need EDR deployed within 60 days in order for these terms to remain intact. OK, deploy the EDR. But generally speaking, we’re seeing the claims first. We’re seeing the bad stuff, and if we think it’s relevant to your organization, we’re going to get in touch. We’re going to send that email. We’re going to say, Hey, we scanned. We think you have a Log4j exposure or we think that you’re using MOVEit as a file transfer protocol right now, software. So trust me, we’ll be getting in touch. It’s our job. We’re the risk managers as well.
Curran: Perfect. So from your seat, you see multiple industries deal with attacks and … companies looking to prevent attacks. What kind of trends would you say for the next one to three years that you see for cyber insurance specifically becoming more prominent… [Compared to] three years ago, it’s a different environment today, and obviously there were geopolitical events that caused a lot of that. But what do you see going forward? There’s the unknown, of course, but other than the unknown, what do you see going forward for the cyber insurance industry?
Hedberg: I think that two things are going to happen. I think ransomware is going to become more of a casualty. It’s going to become actuarially predictable to a certain extent. I don’t think it’s going away. We increase our standards. The bad guys find a new way, and it’s this ladder game that we do with them, unfortunately. And so there will be continued antagonists in that regard.
I think one thing we’re going to start to see – and trust me, when you talk to operational people, they always say don’t let IT run your business. But there is one glaring exception.
I think IT is going to start getting heavily involved in data management. How much data are we keeping? Why are we keeping it? Is it relevant? Is there a business case for it? If we don’t need it, we need to get rid of it.
Again, I think that a huge piece of covering your third-party liability right now is just jettisoning data you don’t need. And I think a lot of organizations, especially operations, don’t want to get rid of it because again, they think that there’s some business use or some need for it. Y’know, it’s oil. So I think we’re going to see some tension there.
And I think we’re going to see the plaintiff’s bar get more creative. I mean, they’ve already scored some early wins with pixel and, again, arcane legislation: video protection privacy act or old wiretapping laws from the 1960s. So we’re starting to see a lot of activity there, and I don’t think that’s going to end anytime soon. So that’s where I see it going.
Curran: Yeah, I would agree. I think data hoarding seems to be pretty common. You’re not using the data, you have no use for it in your business, but it’s still in your environment. So flushing that out, and I think GDPR and some of these other things are forcing those actions, but the more data, as you say, hygiene takes place, the less risk you’re going to have in the business. So that makes a lot of sense.
Is there anything else you’d want to share today about cyber insurance, where it’s at and where it’s going?
Hedberg: There are a lot of choices out there for cyber insurance right now. When your broker comes back to you and shows you a marketing sheet, they’re going to show you some pretty widely varied prices. Let them guide you on who the right carrier is. We’re working with those agents every day and presenting what we do and why we do it better or why, say, we want manufacturers versus healthcare, why we may be specialized in that line. So don’t be surprised if you see some kind of inconsistency in those numbers when they come back on quotes. The marketplace is still very… I’ll call it diverse. There’s a plurality of carriers and what they want.
Curran: It sounds like you’re not only providing cyber insurance, you’re also providing a lot of education to companies.
Hedberg: Yes, we are. And again, that’s kind of a big differentiator from other types of insurance. We have a huge vested interest in people listening right now and policyholder engagement.
Curran: Got it. Well, thanks Peter. Appreciate your time today.
Hedberg: My pleasure.
Curran: I’ve been talking with Peter Hedberg, VP of cyber underwriting at Corvus Insurance.
If you’d like to learn more, check out Focal Point, Tanium’s award-winning online cyber news magazine. We’ve got links to articles in the show notes. Or visit Tanium.com/p for publications.
To hear more conversations with today’s top business leaders and security experts, make sure to subscribe to Let’s Converge on your favorite podcast app. And if you liked this episode, please give us a five-star rating.
Thanks for listening. We look forward to sharing more cyber insights on the next episode of Let’s Converge.
Hosts & Guests
Mike Curran
Mike Curran, vp of global talent at Tanium, has been representing the company since its early days when it had just 22 employees. With more than 25 years of experience recruiting in the software industry, Curran takes great pride in ensuring that Tanium continues to attract the most talented and passionate professionals in the world.
Peter Hedberg
Peter Hedberg is vice president of cyber underwriting at Corvus Insurance, and specializes in cyber and tech E&O. With more than 20 years in the insurance industry, Hedberg has held leadership roles at Hays Companies of Minnesota (now Brown & Brown) and Hiscox and NAS Insurance Services (now Tokio Marine HCC) in New York City. He is currently based in Washington, DC.