This is the third in our collection of Naked Security Podcast minisodes for Week 4 of Cybersecurity Awareness month.
To access all four presentations on one page, please go to:
https://nakedsecurity.sophos.com/tag/sos-2021
This time, we talk to Dr Jason Nurse, Associate Professor in Cybersecurity at the University of Kent, about the controversial topic of cyberinsurance.
Cyberinsurers often get criticised for “caving in” to ransomware criminals, but in an IT crisis, having the right policy could prevent the collapse of your business.
Jason explains how to deal with this dilemma.
LISTEN TO THE AUDIO
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
READ THE TRANSCRIPT
[FX: MORSE CODE GREETING AND SYNTH VOICE]
PD. Hello, everybody – welcome to the Security SOS 2021 webinar series.
My name is Paul Ducklin, and today I am joined by Dr Jason Nurse.
Jason is an Associate Professor in Cybersecurity at the University of Kent.
And as you can see, today’s topic is the intriguing sounding “Cyberinsurance, does it help or hinder cybercrime?”
Tricky question!
So, Jason, to kick off, explain to us what cyberinsurance is, and most importantly, how is it similar and how is it different from the insurance we’ve all got used to on things like cars and houses?
JN. Thanks Paul, and thanks for those joining in to listen today.
So, cyberinsurance has jumped onto the scene for a few years now, but it’s actually existed for quite a while.
The general aim behind cyberinsurance is that it is insurance that covers things like IT incidents – in particular, things like security incidents.
That is how it’s probably much more well known these days.
But it can also cover things such as human error, loss of data and different things like this.
The general idea is just like with car insurance.
So, if you have car insurance or house insurance, you purchase this so that in scenarios where something bad happens, for example, you get into a car accident or, with the house, someone breaks into your home, or if there’s a flood or leak…
…the point is that the insurance provider is this party whom you pay premium amounts to, let’s say once every year or once every month, depending on your setup, and it allows you to call them up in the case of an incident and say, “Hey, this has happened. Can you support me through this?”
Support could happen in various different ways: for example, it could be financial support, so they help you to get back up on your feet in case of a cyberincident.
Let’s say there has been a break-in or loss of data – your insurance provider can put you in contact with, for example, forensics teams and incident response teams, and they can also help cover some of that cost around the incident.
So, the real aim and the real parallel is, you can think of it, businesses can think of it, as very, very similar to normal insurance that they might have.
And it really tends to be, or it tries to be, this one-stop shop, where if something happens, then someone can call up the insurer and the insurer can connect the business to the right parties to get the incident resolved and to get the company back up on its feet as quickly as possible.
But cyberinsurance – and this is where it’s probably one of the new novelty bits… it really tries to address the prominence these days of cyberattacks.
Where we’ve seen cyberinsurance grow and grow recently is in situations where there are cyberattacks where companies have lost data, they’ve been offline.
Their insurance provider is really going to help them get back up on their feet as quickly as possible – assuming that you have a relevant provider, you’re paying your premiums, and so on.
PD. I guess one of the most significant differences to think about from something like, say, car insurance… well, let’s say your car gets trashed. (Let’s hope you’re not injured.)
Then, in theory, if it’s a reasonably popular model, there’s a pretty good chance that if the car can’t be repaired, that the insurance company can find somewhere to buy the same model, with similar mileage, and basically put it in your driveway.
And you get the same car again as, it were.
But if you’ve lost your data, if it’s genuinely been deleted and can’t be recovered, then cyberinsurance can never have that result, can it?
It can’t magic your data back out of thin air…
JN. Yes, that’s completely true.
I think there are definitely a few different misconceptions around it.
And I think, in the context of situations such as the one you to described, Paul… the reality is that cyber nsurance can’t help you very much in those situations.
And it’s really important, when people are thinking about cyber insurance, to try to understand a bit more about what are the appropriate limits of what it can cover and what it can’t cover – for example, in some countries cyberinsurance doesn’t cover things like fines or regulatory penalties.
There are lots of ethical discussions around that and for good reason…
PD. …so that would be, if you had a data breach and you went to your insurance said, “All right, I just had to pay four million Euros.”
They’d go, “Well, bad luck, shouldn’t have broken the law!’
JN. [LAUGHS] Yes.
In some scenarios, yes, because some countries have basically said, in situations where you have been fined, let’s say GDPR fines or regulatory fines, if there’s been good reason or good evidence to show that, well, you did not do the things that you should be doing in terms of protecting people’s data, and therefore this resulted in the government or industry body fining you…
…then the insurer can turn around and say, “No, we’re not going to cover that because you should have had X, Y, and Z in place.”
So there are all types of discussion around cyberinsurance.
And really, in many ways, there is no “standardized” cover, so you can go to different parties and find different things available.
One key difference that I’ll mention, for those of you who are actually interested in cyberinsurance, is that there are two general types of policy.
One policy is what we call a “standalone policy”, nd the thing about this policy is that it is very much a separate policy.
So it’s very much like a house insurance policy or a property policy where it’s completely separate.
You go to a provider and you say, “I want to buy a standalone policy,” and the good thing about this policy is that it will tend to have more things included.
So, it’ll have more support in the case of a breach, and more things that they might give you, even as soon as you sign up to the policy.
But there are also “package policies”, and package policies are very much – if you know your house insurance policy – when you buy house insurance and the provider might say, “Oh, do you want to pay an extra five pounds a month, or five pounds a year, to cover your mobile phone as well?”
With package policies, you might have, say, a professional indemnity policy, and they say, “Oh, well, do you want to tack on a cyberinsurance add-on for this amount per year additionally?”
And the key thing about that is even though it has benefits, it does traditionally not cover as much as a standalone policy.
PD. I guess that’s because it’s a “one size fits all”, in the same way that if you wanted to insure your mobile phone against absolutely everything that could possibly happen to it, that’s unlikely to be done in a “just tack it on for five quid a year to your regular insurance.”
JN. Yes, that’s exactly it.
In scenarios where you’re just getting the add-on, you’re clearly not paying as much, and the reality is that you don’t get as much back from it.
You don’t get as much in terms of the claim amounts that you can make, the limits and so on.
Some package policies might not even cover popular attacks such as ransomware, which is rife at this point in time.
PD. Jason, I think that’s an opportune moment to move on to the second question about cyberinsurance.
That question: “Is it actually bringing with it, is it essentially the cause of, some cybersecurity related problems?”
The big criticism you hear indeed relates to ransomware, where your data’s gone, so if you don’t have backup then there is essentially no way of recovering files except by buying the decryption key from the crooks, assuming they haven’t made a blunder in their programming.
And there are many cases where cyberinsurance companies – presumably because their job is to get you back on the road again… where the only solution is to pay, so they do come up with the money.
So, some people are saying, “Well, that’s a real problem because that’s what’s making the ransomware demands so high. The crooks know that the insurance company *does* have $2 million, whereas you probably don’t – and therefore cybersecurity should never cover ransomware. That’s unethical and almost immoral.”
What do you say to that?
JN. Yes, it’s a hotly content topic and there are lots of different sides to it.
Let’s look at the pros and cons of insurance, for example, in these scenarios.
In cases where cyberinsurance was not allowed to pay ransom, and those same insurance providers didn’t cover ransoms, what we would have is a number of cases where companies went bust.
And the reality is here that attackers know, the attackers are very aware of, the pressure points in society.
During the COVID pandemic the pressure points have been things like healthcare, and they have been things like hospitals, they have been research facilities working on vaccines, they have been schools.
And the reality is that, yes, in many of these scenarios, organizations might not have been able to pay on their own.
Cyberinsurance basically comes in and allows, in some of these scenarios… basically a way out in terms of allowing companies to bounce back in terms of paying ransoms.
Now, in the case where these ransom payments were not allowed, these companies either would have had to shut down, or would have stopped functioning.
It could have impacted people’s lives; people could have died; a number of general services could have been impacted.
So that’s one of the pros in having cyberinsurance, in that it can support scenarios where payments maybe can be made… though whether they should be made is another thing.
I completely understand the argument that many people are arguing that cyberinsurance is leading, or is one of the big pushes, for this increase in ransomware attacks that we’re seeing.
But I think it’s much more complicated, simply because attackers will attack organizations whether they have insurance or not, and they will basically try to push companies as far as possible, to see whether they pay out or not.
So, it’s really a very, very complex issue in terms of, “Should companies pay, shouldn’t they pay?”
Is paying funding things like organized crime; are payments covering things like child trafficking; and terrorism even?
And these are all very complex problems, which I think we’re only at the tip of actually properly investigating.
PD. Yes, I think I agree with you there…
My advice to people is, “Don’t pay.”
But I also like to say, “If you decide that you have to do a deal with the devil, and you have to pay, I’m not going to stand in judgment of you.”
Because it’s easy for me to say “don’t pay” when it’s not my business, and my 200 staff who depend on their work for their living, looking down the wrong end of the barrel.
JN. Another thing which I think is actually really important to this current discussion is, let’s say payments were banned completely…
This is just picking up on one of the points that you mentioned: what’s going to happen, is that attackers are going to really try to test the resolve of businesses and test the resolve of which businesses will actually not pay.
And what will happen is that some businesses will be forced to pay – and they won’t tell anyone that they paid…
So, the attacker will now have them twice: one, they’ll have their data; and then, two, they’ll have the fact that they paid, which is breaking the law.
So they’re going to be even deeper in debt to the attacker.
And that becomes an even more complex and risky situation for these businesses.
I think that’s another key point as well: I don’t think banning payments is as simple as, “Payments are banned and no one is going to do it.”
It’s just going to push this reality underground, for probably quite a while, and we won’t have transparency around what’s actually happening, what type of attacks are we seeing, and what type of payments are being made.
So not banning payments, at least at this point in time, does also allow some form of transparency, such that we can better understand what’s going on with ransomware, hopefully track it to the extent we can try to better deal with it.
PD. Yes!
That’s a really good point, that by driving things like the payments underground, you actually make it worse.
The flip side of that is that cyberinsurance companies – and I know this from talking to someone who works for a cyberinsurance company – they don’t like paying those ransoms any more than any company does.
It’s not like they’re doing it because they want to… they’re doing it because it’s written into the policy that they’re meant to get your business running again.
So, I imagine that what we will see is increasingly strict exclusions, in the same way that maybe some car insurers these days are saying, “You know what? We will drop your premiums if you allow us to monitor your driving in real time, and if you’re prepared to let us have your driving history based on engine monitoring, for example, then the kickback to you is that we will trust you more.”
JN. Some insurers actually try to nudge companies towards this… “Yes, we’re happy to lower your premium if you let us put a black box on your network where we can monitor and see what’s going on, and basically have a better idea of your risk exposure.”
Companies are not keen, based on what we’ve seen, because of the insight that that gives the insurer into their internal systems.
And it’s probably very similar to black boxes in our cars, in that maybe the average person doesn’t want their insurer to know exactly what they’re doing, and where they’re going, and how they’re driving, and so on.
So I understand your point, and I completely agree that insurers don’t want to pay ransoms – we’ve actually seen some insurers actually exclude ransomware in particular, because they recognize how significant a threat it is.
And for other insurers, we’ve seen, over the last year – this is of course linked to COVID, but also into boom in ransomware and a boom in ransomware payouts…
We’ve seen what was a very large cyberinsurance market before actually shrink gradually towards what we call a “hard market”, where there are less insurers.
And the good thing about this is that, because there are less insurers, cyberinsurers can be a bit more demanding in what they request from individuals.
In a soft market, what happens is that you have so many providers that if a company goes to Insurer A and says, “I want to buy a cyber policy, ” and Insurer A says, “OK, sure, but you have to have ISO 27000”, then the company might say, “Oh, well, I’m not sure about that.”
And they go to Insurer B and Insurer B just says, “Oh, you just have to have this one control and we’ll underwrite it.”
What you’ll see, therefore, is that insurers don’t really have this power to nudge companies towards better security – that’s in the soft market where there are many, many providers.
What we’re seeing now is that, because a number of providers have actually had to leave the market because of increasing ransomware payouts, and, of course, the impact of large COVID payouts… what we see now is a bit of a harder market where there are less insurers.
They’re insurers that have really heavily invested in understanding cyberrisk, and in writing strong, robust policies.
Insurers now, probably more than they’ve ever been before, are in a much better position to nudge companies towards saying, “Yes, if you want to buy this cyberinsurance policy, that’s fine, but you have to have controls X, Y, and Z in place.”
And it’s not a case of just going to the next insurer and hoping that they won’t request those controls.
Insurers are much more cautious these days about the policies that they underwrite.
PD. I guess the good side of that is it means that cyberinsurance won’t end up being that “thing where you put your money”, instead of investing in actual cybersecurity that could prevent attacks in the first place.
JN. There’s a lot of value for businesses in cyberinsurance, because it starts to nudge them towards thinking about what they should put in place or what they shouldn’t put in place.
And some insurance can provide – I like to think of them as an aggregator, where they can actually provide a broader understanding of the security within companies and across different sectors and so on.
So we’ve traditionally relied on security companies quite a bit for providing good understanding in terms of cybersecurity attacks and stuff like that, and I do think that there’s a strong position for them there.
For cyberinsurers, I think that where there’s a big benefit is around understanding the impact of attacks, especially the financial impact of attacks.
I’ve seen, over the last few years, that more and more cyberinsurance providers have started to partner with and in some scenarios acquire, security companies – and the big push for them there is to try to better understand cyberrisk.
I think that’s where the insurance companies are actually providing a bit more insight into industry in general, in terms of how things actually work, and what’s the actual, tangible, real-world impact of cyber attacks.
PD. Indeed.
It’s my understanding that some, most, probably all cyberinsurance companies insist that if you are going to call them in to help, claim on your policy, that everything does have to be done by the book.
So they will insist that the regulator is correctly informed; they will insist that law enforcement is brought in if that is necessary or appropriate; and they will essentially go by the book in a way that helps the rest of us learn how not to be a victim in future.
I’m not trying to victim blame… I’m just saying that’s a great way of us collectively pushing back against the crooks.
JN. I completely agree.
And I think the reality is, with the cyber insurance industry, as with many financial service industries, they’re heavily, heavily regulated.
And because the fact that you mention Paul… there is this nudge towards everything being done by the book; things being very clearly laid out; things being very well documented.
For example, we traditionally talk about incident response providers and breach counsel and general counsel and so on.
But insurance providers also actively engage with people like forensic accountants, because the idea is that they can have a really good understanding of, “What’s the financial impact of an attack? What does this mean for the business? How much will this cost the business?”
Because, of course, all this information feeds into how much the insurance provider actually pays out in terms of when a claim is made.
PD. So let’s move on, then, to the final question that I wanted to cover, which is how, as a community, both as cyberinsurance providers but also as a companies buying insurance… how can we make this work best for us?
Because, clearly, there are going to be some cases where even a well-defended, well-intentioned, on-the-ball company suffers a cyber incident – and it doesn’t have to be ransomware; it could just be something that causes their business to stumble really badly.
How can we make cyberinsurance work for us best, rather than just going, “Oh, well, I’ve got 20,000 pounds to spend on cybersecurity… do I spend it on actually trying to keep the crooks out, or do I just buy an insurance policy and hope for the best?”
JN. This is a really good question.
I do think that the answer to the question is in thinking about a comprehensive risk management strategy.
So, a bit of research that I co-led, funded by the National Cyber Security Center (NCSC) in the UK, was trying to explore the reality of how the cyberinsurance fits with the broader question of cybersecurity.
And I think the answer to your question, Paul, is grounded in the fact that cyberinsurance is a part of cybersecurity risk management, and companies should never view cyberinsurance as “this thing that you buy so you can forget about cyber security.”
What you should think about, instead, is that, in trying to do comprehensive risk management, you will try to put things in place.
You go through your risk analysis, and then you identify that, “OK, well, there’s a certain amount of risk that we want specifically to control.”
And then there are residual risks, where maybe it costs too much to protect against those risks, or the risks are very, very low likelihood, or or very low impact.
And then you would decide as organization, “OK, well, these risks… you know what: these risks, we want to buy cyberinsurance for.”
And I think that’s probably the way a company should looking at this, in that it’s not a scenario of “You have 30,000 pounds or 100,000 pounds or whatever, that’s your security budget”, and then you’re thinking, “Oh, well, I’ll just spend all that budget to buy a nice, shiny cyberinsurance policy.”
It shouldn’t be like that.
Cyberinsurance should be looked at as this vehicle that can actually tackle, or help address, residual risk.
And the reality is that, in cases where a cyberattack happens and your controls fail, or your controls don’t address the risk to the extent to which you expected, then cyberinsurance can kick in, and, like I mentioned before, it can provide these instant response services, and so forth.
You made the point yourself, Paul, that cyberinsurance providers aren’t here to just pay out.
We shouldn’t look at them as that, and they’ll tell you that they aren’t here just to pay out on incidents.
Cyberinsurance providers will all have a portfolio of risks that they’re looking at, and they’ll be looking at managing their risk as best as possible.
And the insurance providers are not going to take on a bad risk; that’s not in their best interest.
So, they will be trying to engage with organizations to try to reduce risks to a reasonable extent, and then, from that point, then they’ll be willing to underwrite the policy.
PD. Yes, that reminds me of a conversation I had with a cyber insurance person…
Now, this is going back a couple of years, so it’s before the shakeout in the market… he made the point that if you are going to invest in cyber insurance, then you should be prepared to do more work, sitting down with the cyberinsurance company that you’re thinking of going with, to try and work out what you want.
Not because cyberinsurance companies are incompetent or expect you to do the work, but because this is all so new!
He made the point that if you’re looking at something like life insurance, or insuring ships at sea, there are statistical and actuarial tables for those risks literally going back centuries, so we have a good idea of how those work and what influences them over time.
Collectively, nobody really has that with cyberinsurance and cybersecurity because: [A] it’s so new, and [B] it is so volatile, because the cooks find it, sadly, rather easy to adapt their attacks as we put up new defenses.
So I think part of the answer here is that it’s not just a question of going, “Oh, let’s find a provider that fits our price point.”
It’s also making sure that you’re getting, that you’re actually buying, the right cover for the things that are genuinely likely to be a problem for you.
JN. Yes, I completely agree.
And this is another key point, when it comes to thinking about policies and thinking about which policy you want to get.
It’s really, really important to sit down with either your insurance provider or your broker, and try to figure out and get to the bottom of what’s the best policy for you, or for your organization.
Another big difference with cyber compared to some of these other domains – maritime and so on – is that the risk is so dynamic, and people can upscale.
A criminal could not exist today, yet a massive criminal group could just exist tomorrow.
We have things like ransomware-as-a-service, denial-of-service attacks, botnets-as-a-service….
And one of the things that actually worries cyberinsurers the most, is that we know, from historic records, when it comes to natural disasters, we know what’s the maximum impact; we know what the catastrophic event is – so, you know what’s the worst things can get.
With cyber, I don’t think anyone knows what’s the worst, what’s the absolute worst case, event.
There’s still a lot of apprehension from security providers and from insurers about, “What is the catastrophic attack? What is the attack that is the mother of all attacks?”
And that really worries insurers, because insurers like to know what is the maximum, how bad could things get… because they featured that in all sorts of their actuarial models.
PD. Excellent!
Jason, I think that’s a fantastic point on which to end, and just to conclude by saying that cyberinsurance can really help your business.
It could be the difference between failing completely and having to go out of business, and being able to survive, if cooks do get the better of you.
But that it’s not just, at the moment, something you can tick a box on a screen and go, “Yes, I’ll add that.”
It’s something that you need to do: sit down with your proposed cyberinsurer, make sure you’re getting the right cove, and that you’re doing the right things in the first place to justify the sort of low premium that you want…
…which makes it correspondingly much less likely that you would ever need to claim in the first place.
So, Jason, thank you so much for joining us – it has been very insightful indeed.
And to everybody who tuned into this webinar, thank you so much for taking part.
All that remains for me, apart from thanking Jason, is to say, “Until next time, stay secure.”
JN. “Stay secure.”
[FX: MORSE CODE SIGNOFF]
Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response ▶
24/7 threat hunting, detection, and response ▶
