How to Prepare for 2022 Cyber Insurance Renewals and What to Expect | BeyondTrust

Cyber insurance premiums in 2021 continued to climb to record highs, spurned by a significant spike in successful cyberattacks. According to the Council of Insurance Agents & Brokers, the average premium for cyber insurance coverage increased 27.6% during Q3 2021, which was on top of an increase of 25% in the previous quarter.

In 2022, higher premium costs and firmer due diligence from underwriters are causing cyber insurance renewal conversations to happen up to six months prior to policy expiration dates. Accurately measuring your security posture is a big job, so starting the review and application process early is must.

Recently, we brought together Tom O’Neill, a Management Liability Coverage Specialist from Fred C. Church, and BeyondTrust’s Chief Security Strategist, Chris Hills, for a candid conversation about what’s changing with the cyber insurance market, what organizations can do to best position themselves to obtain or renew cyber insurance, and the best practices organizations should follow to get the best rates.

You can check out the transcript of this conversation below, or tune into the on-demand webinar. Tom and Chris also fielded several audience questions about cyber insurance. You can check out that Q and A here.

Try: Free Privileged Access Discovery Application

Use this free app to uncover privileged and remote access risks that could imperil your enterprise and scuttle your chance at obtaining cyber insurance.

Cyber Insurance Conversation Webinar Transcript

Sarah Lieber: Hey, everybody. Thank you, guys, for joining our webinar today. So, we’re talking cyber insurance and preparing for your 2022 renewals. With me is Tom O’Neil: he’s management liability coverage specialist at Fred C. Church. Hey, Tom. And BeyondTrust Chief Security Strategist, Chris Hills. Hello, gentlemen. Let’s get this insurance party started. Do we have insurance parties, Tom?

Tom O’Neill: Absolutely.

Sarah: Nice. All right. So, I’ll go ahead and I’ll hand it over to you, Chris, just to do a quick introduction of yourself, and then we’ll hand it over to Tom to take it away for a couple of slides.

Chris Hills: Awesome. Well, thank you, Sarah. Thank you everyone for joining wherever you’re joining from. I’m excited about this. I’ve been a huge fan of cyber insurance, and it’s great to get Tom here, and I want to make this as interactive as possible. We’re going to run through a few slides, give you some background, and talk about the market. Tom’s really going to give you some insight from the insurance aspect of it. So once that gets done, we can actually start looking at the questions when we get to that part. But as Sarah mentioned, my name’s Chris Hills. I’m the Chief Security Strategist here at BeyondTrust. I’ve been with BeyondTrust for about three years. Prior to this, I came from the customer side, so I’ve had my hands dirty, not only in the PAM Operations architectural and engineering side of it, but I was a user of our product. So, with that being said, Tom, I’m going to hand it over to you and let you kick this off for us.

Tom: Thank you, Chris. Thanks to you and the BeyondTrust team for having me on today to participate in your series here and talk about the insurance side of things. So, a little bit of background on myself, so as Sarah said, I’m the cyber insurance and management liability bridge specialist at Fred C. Church, which is a large regional insurance agency located in Massachusetts. And just to keep in mind, I’m not the insurance company, I’m not the underwriter; I’m the agent.

So, we have our group of clients and we work with them every day to help them manage their cyber insurance risk. Also, we have access to a network of insurance companies where we go out, we get quotes, we manage the policies and the coverage programs for them. So that’s a little bit about what I do. I think we’re going to talk a lot more about the marketplace and the difficulties and how stressed the marketplace is today, and really what that means for you: business owners, CISOs, or IT directors out there who are involved in the insurance renewal process, or maybe the new business process, and there’s a lot to get into. So back to you, Chris.

Chris: Awesome. Well, I’m going to go ahead and drive the slides, Tom. So, I’m going to go ahead and just kick it off and let’s talk about it. Let’s talk about the cyber insurance market. Go ahead.

Tom: Absolutely. So, I think anybody who’s been through a renewal in the past couple of years, who has gone out to seek new coverage in the past couple of years, has run into the things that you see up on your screen here: reduced capacity, increased rates, rising retention, and then I have it bolded right there in red, increased underwriting scrutiny. That is potentially the most painful process, or the most painful aspect that you’ve experienced or you will experience. We’ll talk a lot today about what kind of things you can expect, but also what kind of tools, resources, and information security information technology partners can help you through that process. Companies like BeyondTrust, obviously. So, when we say reduced capacity, reduced capacity means that there’s not as many insurance companies writing cyber insurance business out there in the marketplace.

So, you have insurance companies reducing the amount of limit or that they would offer, or just companies in general that will not offer cyber coverage at all. Obviously, that’s going to create lower supply, higher demand. So, you have a smaller pool of insurance companies trying to cover everybody, which puts some stress on the marketplace. Obviously, everybody’s pretty well aware of the increase in claims and increase in claims is going to drive rates up. So, I know Chris has some more slides about rates coming up, so we’ll leave that there for now., And then, also rising retentions. So once upon a time, going back five years, it was pretty easy for a business to get a cyber policy; maybe a million dollar limit, $2 million limit, $2,500 retention, $5,000 in premium.

You could be a 50 million organization and have that kind of picture when you went out to get a cyber policy: not so today. So really, it’s a totally new environment. And when we talk about underwriting scrutiny, there’s a lot of new aspects to the process out there. A couple of things you see on the screen there —Security Scorecard, BITSIGHT— these are third-party companies that do vulnerability scans, so that’s something to keep in mind. That’s a new tool that the insurance companies are using to evaluate what your network security looks like from the outside in, and then to gain the perspective of the inside out. What they’re doing is having you fill out what is called a Ransomware Supplemental Application.

So, in addition to the normal application that you might fill out, you’re also seeing a Ransomware Supplemental Application, which is really going to drill down into specific security controls like endpoint detection and response like multifactor authentication. What does your backup infrastructure look like? Do you have employee training? A whole host of things. These are multi-age applications and simply just can’t be completed by your risk manager alone, or maybe your business owner alone, or your HR department, or your CFO. This is truly something that you need your CISO or your IT director, or in many situations, bringing in your outside IT firm to help you through this process.

Chris: Tom, really quick. My question is why is the cyber insurance application process so complicated?

Tom: The applications, going back three years, maybe you were looking at a one-page application. Or you could even get a quote for a million dollars in coverage based on your website; what’s your revenue, and do you have antivirus software? Somethings like that. But with the rise in ransomware claims and just a whole host of changes in the threat environment, the bad actors are coming up with new ways to get into our networks every day. So, as this environment has been rapidly changing, the insurance companies are responding by asking about the controls that prevent these losses from happening, and that manifests itself on these Ransomware Supplemental Applications. They can be painful to go through. If you’re the business owner or if you are the risk manager, if you don’t have that IT background, or if you’re not living that and breathing that every day, it’s going to be a frustrating process.

Chris: You mentioned a couple… not just a couple of things, but you talked about the reduced capacity. You talked about increased rates, and then you talked about the rising restrictions and the scrutiny on the underwriting. For those companies that are keeping their insurance policies and the premiums are going through the roof, we know the outside market; what’s happening with the bad actors and the cyber adversaries out there. But what’s causing the premiums themselves to go up so much?

Tom: There’s a number of factors that go into a premium. Every insurance company is examining their overall book of business of cyber on an aggregated level. They’re managing their profitability based on losses and based on premiums coming in, so they need to a look at that loss ratio and see —projected on what we’re charging for premium, we’re going to go out of business if we keep offering premiums at 1,000, 2,000 or $5,000. So, they’re looking at it from an aggregate level like that —looking for rate is a term that we use. Carriers are going to look for a rate. Maybe that rate starts at 35% and can go up to 100% or 150%. So, there you have a range, and what helps establish an individual client and where they might fall in that range is going to be things like their claims history.

So, if you’ve had claims recently, maybe you’ve been hit with a ransomware pop for half-a-million dollars in total claim payout, that’s going to factor into your overall premium on the upcoming renewal. Then, of course, what security controls that you have in place — that’s going to factor in as well. So, if you don’t have multifactor authentication, you may struggle to get an insurance policy at all. That’s really what we’re seeing now. What I do every day is, I’m marketing my client’s cyber policies to the marketplace and in the triage world that is cyber underwriting. The first question is multifactor authentication. If you don’t have that, you might struggle to get a policy to begin with.

Chris: There are some free multifactor solutions out there that are offered, but if you haven’t implemented, or you’re not currently implementing some form of multifactor authentication, man, you are so far behind the curve. It’s almost feels like I don’t know what else to tell you to help you move along your security maturity process. So, ransomware, frequency, and severity. Let’s talk about that.

Tom: Yeah, definitely. From the statistics there, you can see ransomware is leading the back by a pretty wide mark in terms of the frequency and severity of the claims. Going back three years ago. Social engineering, business email compromise — these are the kind of claims that we were facing. But now, and particularly with how COVID just completely turned upside down on the way we do business with the remote work environment, the threat actors figured out that they could capitalize on that and certain vulnerabilities in people’s networks. It was easy enough to just ask for the money rather than to try and monetize data that they were exfiltrating from a business’ network. Unfortunately, business has been good for the bad guys as you can see in some of the statistics there.

Chris: It’s been staggering, and you know what? The question I have is, how has ransomware specifically contributed to the current cyber market and what you’re seeing on as an insurer?

Tom: I think a couple things. Just the pure frequency and severity driving those loss ratios up for the carriers. That, in and of itself, is going to put them on alert because: number one, the thing to think about is that a cyber insurance policy does reimburse you for ransom payments, so it is paying that part of the claim. Then, it’s covering for other things related to the forensic analysis, that goes into that. There’s a whole host of payouts when it comes to a ransomware claim, so just the payouts themselves are causing problems. But even beyond that, the potential for these widespread events or catastrophic type losses, SolarWinds is a great example of this.

So, the SolarWinds is an attack where you have the bad actors essentially creating a Trojan horse in a software update that’s making its way into hundreds and thousands of networks. That’s just based on one breach of a SolarWinds system. So, there is the potential that a widespread event like that could affect a vast number of, not only organizations out there, but policy holders. For any one specific insurer, that is a truly catastrophic exposure, almost like a flood or a forest fire or something. That’s why ransomware and widespread events have had this impact on the insurance marketplace. It’s so severe and so widespread that it’s really causing some concern.

Chris: When you and I were brainstorming and trying to figure out what to talk about, something that came up —and I did a cyber insurance presentation at our company kickoff —and I think one of the things that we haven’t talked about, is the fact of what cyber insurance doesn’t cover. So, I want to make sure not only for me conveying it, not from being a cyber security solution company, but more from you — that negligence is not an excuse.

When we talk about companies that get compromised as a result of vulnerabilities because they didn’t patch a system, or maybe some other aspect of that —people were not trained, etc. — how does that negligence play into when you guys come to look at, “Are we going to pay out for this, but the company didn’t do their due diligence by making sure the systems were patched?” Can you, at least for the audience, talk about that from your perspective. Because you guys have to, as a cyber insurer, protect your company from paying that out. You saw the stats from the last slide. Some of those insurance companies are paying out over 100%. Cyber insurance is not a marketplace that your executives are walking away with bonuses and they’re making money. Can you talk to the negligence factor of companies that are not doing due diligence?

Tom: Some of the good news in all of this is that the cyber insurance policy actually has quite broad coverage. So, like I said, it is going to pay that ransom. It’s going to pay for the forensic analyst, the legal advice that you need, and the credit monitoring for anyone’s information who’s been exposed. It’s going to pay the business interruption loss. We’ll get to it later, but manufacturers are a big target right now because you shut them down, you hold them for ransom. Every day they’re not producing, they’re losing money. So, there’s actually a business interruption coverage built into the cyber policy so the coverage is quite broad.

I think really where you get into that negligence of not patching or not doing your due diligence from a security standpoint, really the way that’s going to impact you…Well, number one, that could lead to a loss, which is always bad, regardless of whether you have coverage or not. It’s a painstaking process to go through it. But to have a negligence situation, or to not be patching, it’s going to be very difficult for you to renew your insurance policy when it comes back around. Because not only now do we have a loss, but we also have what looks like a culture that doesn’t promote cybersecurity as a priority for the business, and those are not necessarily the organizations that are going to float to the top of the pool of clients that cyber insurance companies want to write.

Chris: No, and that’s a great point. It goes back to your opening slide where you talk about underwriting scrutiny. You talk about why they’re being questioned about what they’re doing, and what their security maturity is. So ideally, they’re hoping to uncover that right from the beginning, because of all the emphasis that they’re putting on before they even write a policy. But I just want to make sure that people know and people understand. Three years ago, when I started with the company, I was talking to some security professionals and you know what?

They’re like, “Hey, we have cyber insurance, we got breached, no biggie, cyber insurance paid for it.” It was just like, “Why aren’t you guys fixing your security gaps instead of …?” So, it was wrong approach. I just want to make sure that the audience is aware that that’s not the answer. Cyber insurance is there, and it’s just like your car insurance. The last thing you want to do is go get into an accident, but if for some reason it happens, it’s there to cover you — not that you want it to. So, I just want to make sure that they understand that’s the purpose of it. As we move forward in your presentation here, let’s talk about the average cost of ransomware.

Tom: As it is common trend with and lot of this stuff, it’s getting worse, so you can see the average cost of ransomware is going up. I know we actually had a question in the chat about whether cyber insurance is still feasible given how high the ransom payments are getting. Is it still a good way to transfer your risk for this to buy an insurance policy? I would answer that question initially with, yes. I know that in the news, you’d see things like the Colonial Pipeline attack, with a 14 million ransomware demand, I believe it was. I think it was something like 70 million across all of the different affected network systems for SolarWinds; huge numbers.

That’s not exactly the reality for most organizations. So, you see here, less than a million is where a lot of these demands end up getting paid out. I think a lot of companies will see ransom demands that start at a million or 2 million or 5 million, and this is, again, the value of the insurance policies. You’re going to have specialists who negotiate those ransoms and are actually familiar with these threat actors. That was something that was fascinating to me when I learned about it a couple of years ago is that the spec is that these insurance companies who manage these claims and work with the threat actors, they’re actually familiar with who they are.

Because they’ve worked on so many different claims together that maybe based on the identifier of the crypto wallet, or other aspects of that come up throughout the claims process, they can tell which threat actor they’re working with and whether or not they can make a deal. Or, if they shouldn’t pay their ransom at all, because they’re not going to get their information released anyways. The average cost of ransomware is going up dramatically. If we were to look at this graph next year, you might see it trend downwards a little bit, because I think as organizations start to improve their cybersecurity —particularly their backup infrastructure —they gain the ability to not pay that ransom and restore from backups and go that direction.

Chris: It’s interesting, and when you talk about that question that’s asked, I always tell everybody that these bad actors, these cyber adversaries, the guys behind the scenes —they’re very smart and they’re not going to price themselves out of the market. They want to price themselves in a position where they know that when they hold a company ransom that it’s not just instantly paid, but it’s not instantly denied. They have that happy medium, and they know where to price themselves so that there’s a pretty good, or a pretty high chance that the company’s going to pay out.

It might be painful, but they’re getting smarter. So, to your point, ransomware costs a lot now that we’re seeing that. I’m not going to lie, from a customer’s perspective, it creates a very arguable point to where, “Do I spend the money on cyber insurance and then still potentially have a breach, or do I spend the money on my security maturity and get it and spend that type of money and then still have a breach and still have to pay?” I get the customer perspective: where do you find that happy medium and that balance? Do you have anything to respond to for that aspect of it, Tom?

Tom: To me, it’s two sides of the same coin, and the point is risk management. You’re trying to figure out how you manage this risk, and you need to be doing both. I take it back to good old fashioned fire insurance. You have property insurance to cover you for a fire, but that doesn’t mean that you’re not going to buy sprinklers and have those sprinklers tested every year — so I think you need to do both. That’s the best risk management solution, but we work with clients on that problem every day because the premiums are dramatic. And even the cybersecurity solutions, those are costly as well.

Chris: It’s funny you bring that up because when you mentioned that… Sarah’s in California and I grew up in California, and I’ve lived through plenty of earthquakes. It seems like everything’s an add-on; well, I have homeowner’s insurance, but I don’t have earthquake insurance. So, I need to make sure that I add earthquake insurance to the policy. Then, to your point, you talk about flood insurance, maybe hurricane, tornado, and we see the effects of that. But as we move along, talk about the changing threat environment that you see from the insurance side.

Tom: We touched on it a little bit before with SolarWinds and the idea of a widespread event, and how much that has the insurance companies concerned. But basically, as cyber insurance companies are looking at their profitability and looking ahead at what they’re going to do in terms of premium increases and how they’re managing their loss ratios, this potential for the big hit is still out there — even for how bad SolarWinds was. I think Log4J was another exposure that came out. My fingers are crossed every day that it doesn’t materialize into a widespread event, and it seems like we’ve probably dodged a bullet on that one, but the big concern is that the big hit —the big hurricane —comes and wipes out a large swath of policy holders. I think that’s what carriers are concerned with now.

Chris: When you talk about coming through and wiping out, is there any other aspect? Maybe it’s not ransomware. Years ago, nobody ever thought of ransomware. Is there anything else from a carrier perspective to be worried about besides that next big thing? I’m like, “this is the last thing I want to happen, but when something major in a breach is going to happen, it’s going to happen in a cloud provider.” We’ve seen some of the companies start to pull back from cloud aspect of that for fearmongering, or whatever you want to call it. But is there anything else as a carrier that you’re either concerned with as a carrier, or are worried about for your customers?

Tom: You mentioned cloud providers. So, I think in general, we’re doing a pretty good job of improving our own security in our own networks, but what we can’t control is the security for our vendor network or our cloud providers. So, I think we assume if we’re using AWS or something like that the security is high —which it is —but there is the potential of an AWS or a breach of some other cloud service provider, and the potential that that has is still.

In terms of clients and what I worry about for them, I think as they improve their network security, I think it comes back to employee training. That’s why employee training is still in the top five questions that the carriers care about the most on an insurance application. Because you can have the best network security in the world, but the reality is that the humans are the weak link. We are the ones who love to click. We love to click all day long on links and attachments and all kinds of good stuff. So, I think employee training is something that if my clients don’t have it, I don’t let them off the phone until they agree to do something.

Chris: It’s a great point, and you bring up the training aspect. I’ve done round tables with CISOs and security professionals. Ideally, when we talk about the aspect of if they knew what they know now, if they could go back and redo their COVID days, what would they do differently? The answer to, I want to say, the majority of the CISOs all agreed upon is the fact of, to your point, the user training.

Chris: The users are the weakest link, and they would go and put more emphasis and more effort on the security awareness, security training, and every aspect related to making sure that their employees were armed with the knowledge of, “This is what’s happening.” This is a COVID phishing attack and everything else related to that. It’s funny, because I yell at my mom all the time because I’m constantly getting a call like, “Hey, Chris, my computer’s not working right,” and the first thing out of my mouth is, “What did you click on?” So, you’re right, it’s human nature. As we move forward, the million dollar question is: how much insurance should I buy or should I have?

Tom: Yeah, it’s a key question. I think it’s a question a lot of our clients are thinking about, “Well, okay. I want to increase my limit. I’ve been on a million dollars in coverage, or 2 million, I need to get to five.” I’m like, “All right. So, number one, do we have this cyber controls in place to get you to five?” So, a lot of this is driven by what your risk profile looks like is going to determine how much we can get you. But how much we can get you isn’t necessarily answering that question. How much should I have, because we can always work on how to get there. How do we determine how much that is? I think the best way to do that is to undergo some kind of cybersecurity risk assessment.

So, in that process, you can talk about the security that we have in place and our backup infrastructure. This is a meeting that you have to have with both your finance team and your IT team. Based on this, what’s our maximum possible loss if we were to sustain a ransom event? If our backups can get us back up to 90% up and running within two days, then maybe our maximum possible loss is only $5 million or maybe $10 million, but what’s our maximum probable loss? Okay. Maybe our maximum probable us is only a million dollars, because we think that we can get even 95% of the systems back up and running in a day. Maybe we lose half a million dollars in sales, and we’re working on a whole bunch of other forensics off and whatnot in terms of data restoration. So, maybe we only end up paying about a million dollars on this loss.

If you can get to a point where you understand what your maximum possible and maximum probable loss would be, then you can start to make a decision about what kind of limit you want to carry. Not every company has the opportunity to go through an assessment like that. But if you do, I think that’s the best possible scenario. Some other factors that come into play are: do you have contract requirements? I think this is something that exists today but is going to increase as the threat environment continues to cause problems, so contractual requirements for cyber. You may have clients who want to see 1 million, 5 million, you name it. I’ve seen contracts up to 25 million in requirements. So, you want to look there to determine what limit you need to buy. Then, of course, there’s how much you can afford, so that’s always an aspect that’s going to come into play.

Then you see some of these charts here. These charts come from a completely public resource called the Chubb Cyber Index., Chubb is an insurance company, it’s pretty well known, and they are one of the top writers in cyber insurance. So, they created and aggregated all of their cyber claims data and put that into this tool that you can use to see based on your industry and sub-industry class and your revenue band what your peers are buying. So, it might be hard to see on the screen there, but I think this is for a $25 million range revenue group. You see that large bar there, it’s about a million dollars in coverage. That’s just one insurance company, so it’s limited in that way, but it is an interesting tool to use as you think about benchmarking because you can filter it based on your business.

Chris: Hopefully, everybody can read that, but we’ll reiterate it. It’s www.chubbcyberindex.com. We still got 25 minutes left, but what can you tell people that are maybe looking at insurance policies, maybe going down that avenue as Fred C. Church, what can you tell him about Fred C. Church and how you and how Fred C. can help them?

Tom: I appreciate it, Chris. So, Fred C. Church, we are one of the larger regional brokers here in the New England area. A bit of an update on us, we’ve actually just been acquired by Assured Partners in December. Assured Partners is the 11th largest brokerage firm in the country. We’re really excited to join them and work on synergies with them. I think as we get to know our new Assured Partners friends, what I’m seeing is we have specialties, we have verticals here, and cyber is definitely one of them. It’s something that our agents see as a focus in. Obviously, I’m the practice leader for cyber insurance here at Fred C. Church, and we encourage our clients to take a risk management approach not only to cyber insurance, but to their insurance programs in general.

We do a lot of proactive risk management with them. We’re helping them manage their policies and out there getting the best coverage for the best price, but when it really comes down to it, what you want out of an insurance agent is someone who’s going to have the relationship with you in order to understand your business, to present the best possible risk profile into the insurance marketplace, because that’s how you end up with a long relationship with a carrier and ultimately create the best possible coverage claim service and premium scenario for you.

Chris: That’s awesome. Now, I’m going to lead into building up the market, where we’re going and how our products tie into what you had mentioned earlier on the ransomware supplemental piece. So, for me, when you look at the slide —we all know that statistics, depending on when you pull them or who you get them from, they’re all slightly going to be different. But at the end of the day, when you grab that data point from that point in time, and you look at fromQ3, I think it was, for this statistic here. Q3 last year, ransomware had increased 311% since, COVID 19 in 2019. Ideally, a lot of people might be scratching their head wondering like, “Hey, why have we evolved?”

Ultimately, at the end of the day, the primary purpose of targeted attacks used to be around PII and PHI data. We can go back and to history and look at pre-COVID. You look at the Yahoo data breach 2014 —it was 500 million accounts. In 2017, it was 3 billion accounts. In 2013, Experian suffered 200 million records that were breached: Marriott in 2018 — 500 million. So ideally, when we look at this and now, we look what happened during COVID, we look at what changed and ideally the attack purpose. Prior to COVID, the target was those large companies: Fortune 100, Fortune 500. The small to medium market, they really didn’t see any, and if any, very few attacks. When you compare the two now, you ask the question: why is the landscape changed? Why is it so different?

Ultimately, at the end of the day, 2019 is being looked at as the big change. The COVID spike in 2019 provided camouflage for activities and the largest being, you mentioned this earlier, Tom, was the remote working aspect. We talk about one of the largest influencers in the market, both as a company and security and companies, businesses, people, technology had to change. Digital transformation, we talk about that. Well, guess what? So did the adversaries’ aspect of that, and the cyber criminals of the world just kept on evolving as the market evolved. They went from that typical going after the PII and PHI data as their primary focus, to the ransomware aspect. Now that that data exfiltration whether it’s the records or social security numbers, credit cards now is looked at as the cherry on top in a breach or a compromise.

If you look at this, downtime is the biggest disruption of a breach. It caused the largest impact to companies. Ultimately, when you look at ransomware and you look at the stats on the slide, in 77% of the ransomware attacks, it involved data exfiltration. So, not only are they getting you for what they used to go after companies for, but now they’re getting you from ransomware. So, they’re almost double dipping you. In some cases, companies are seeing eight-figure losses. To your point that you mentioned earlier, Tom, manufacturing businesses, if they go down, they can’t manufacture. They are losing money, thousands of dollars by the second, maybe by the minute. It’s a huge disruptor to the factory. Do you have anything to add to this that you might want to throw in?

Tom: Just on the manufacturers — what’s really unfortunate is that, historically, manufacturers are not a big buyer of cyber insurance. So, you got a lot of uncovered companies out there, or underinsured companies out there for manufacturers. It’s definitely about changing the mindset and changing the culture because they’re certainly exposed.

Chris: I’m giving this to everybody. I normally do a buildup in this slide. I start with the industry and then I start with the size. I typically have this broken out, like I said, and I build up. I have a funny slide in between, but ideally, I want people to look at this and kind of digest that. Once again, statistics, depending on who you pull them from, it’s going to vary. At this point in time, when we pulled this in Q3 last year, what’s shocking is the fact that companies with 1,000 employees and less make up 81% of the attacks that are occurring.

That’s a huge shift from those fortune companies. Now, for people that are listening or might listen to this in the future, I don’t want to say that large companies are off the hook and they’re not targets anymore. Ideally, the large companies have much more mature security programs in place to help one mitigate or address risk. When we really start speaking of addressing risk for the small to medium market… Businesses that are listening to this, look, if this is not a wakeup call as to what’s going on and what’s happening, I really don’t know what else. This is not a fear factor.

This is real data that’s occurring in the world that you don’t see because it’s not a Fortune 100 or a Fortune 500 company, and it’s not making mainstream media, social media outlets to be able to get to you. Companies are suffering at the small to medium market range and the social media aspect has no clue, unless you were directly involved and you specifically post about it. Then, for my large enterprise guys, look — I encourage you to continue doing your due diligence and maturing your security stance, because we always talk about security as being a journey. We have to continue to evolve as the new threats come. We have to continue to move forward and you can’t just stop at a place in time and be like, “Hey, I’m good,” because we all know that the bad actors out there, they’re very opportunistic.

If you leave an opportunity available to them, they will take advantage of you and leverage that against you. One of the other things on here, that again, when you start looking at the industry aspect, some people might be scratching their head, wondering, “Professional services? Why does that make up the biggest share of the pie here?” I want people to understand —and maybe Tom, you can even toss in some views on this —but when we think about professional services and we think about, let’s say, maybe a law firm or somebody that does something professionally for somebody else, that the data they have could be very damaging data if it got out to the public or in the wrong hands. So, when you think about it from the aspect of a bad actor or a cyber adversary, those are prime targets.

Not all law firms are huge law firms, and so guess what? They don’t have that mature security posture. So, when bad actors go after them, they go after them knowing that the chances of the data that they have will be pretty damaging, and that firms don’t want it getting out. So, the likelihood of them paying a ransomware is very high. The other aspect, when you think of professional services, is maybe you have third-party vendors — people that are offering services and they are remoting into your network or your system. When we start to describe and define professional services and why it makes up the largest piece of the pie here from an industry aspect, those are some of the things that you can take away and start thinking about, “Oh, wow, that’s very interesting.” Tom, can you add or shed any more light relative to either of these, both the company size or the industries?

Tom: Sure. Just anecdotally, I think just this week I got a call from—we call them our select team — but it’s our smaller organization team. Three different clients called or have had claims in the past couple of weeks, so no one is immune. It’s truly like the bad actors are ruthless. One of the big pieces of the industry pie there is the public sector. They’re going after towns; they’re going after municipalities. The number of school districts that have sustained cyber-attacks is ridiculous, it’s astronomical. It’s like, who’s going after the kids? Well, they’re going after the kids.

Chris: No, it’s a great point. So, when we dive into bringing it together and why PAM fits the criteria that cyber insurers are demanding, I really want to drive this home. You mentioned it at the beginning, Tom. I called it Ransomware Supplemental Addendum when we talk about it. What potentially your customers are looking at, or maybe even new people, new businesses out there that are looking at cyber insurance as a new option for them. This gives them nine categories to basically look at what you guys, as insurers are looking at to see what the companies are doing to mitigate risk in those areas. So, when I tie that back to PAM as a product, because we’re a PAM vendor, ideally, I break this down in two stages. The first stage is, where can we draw hard dotted lines?

So, for PAM, when you think about Privileged Access Management and the core of where PAM originated from, from its legacy days. Obviously, it’s digitally transformed and evolved into something much larger than just simply a password management solution. But in those days, that was the first one. When you think about Active Directory and service accounts and being able to protect privileged accounts relative to Active Directory service accounts, and then extend that on even further into your system, your root accounts, your administrators, application accounts —that’s the core. So, for us, PAM has an absolute dotted line going back to those Active Directory and service accounts in the Ransomware Supplemental Addendum. When we talk about endpoint detection and response, I’m a firm believer in the fact that if you are detecting and then responding, it’s too late, that and we need to do something more proactive in that aspect.

When we talk about EDR MDR, their claim is that they do predictive. But one of the biggest things that we are facilitators for is the fact that there’s really five steps to endpoint security. While I didn’t write the supplemental addendum, and I would love to have them change this, the first step is the antivirus, which you talked about at the beginning. The next two steps are the privileged elevation steps, where we remove users from being the administrators and remove those administrative rights from their systems. Then, we couple that with application control and those two steps before we get to EDR, which actually allows us to clean up that noisy data that those EDRs get. They get constant data, constant feeds coming in. So ideally, when we can leverage Endpoint Privilege Management as part of the PAM Solutions in the EDR category, I truly believe that we have that hard dotted line. Because we, I don’t want to say enhance, but we have two additional steps before you can even look at EDR, so that’s critical there.

Then secure RDP and VPN —and for those of our customers that might be listening to this, when we talk about our security mode access pillar, we talk about protecting those third party vendors. Even in some cases, employees that are making connections into your network that you don’t want to give a VPN to that carte blanche VPN client. When they connect, they have access to anything that’s hanging on the VPN. Instead, we want to use a solution like Privileged Remote Access to make a point-to-point connection, encrypted connection that’s protected. Oh, by the way, we also couple that with auditing capabilities, password injection and things like that.

So, those are the three categories in this Ransomware Supplemental Addendum. I feel we have huge impact and PAM plays a huge part. Now, some people may think I’m crazy, but I like to create some dotted lines. Once again, at the beginning, Tom, you mentioned multifactor companies implementing multifactor. Look, no we’re not a multifactor authentication company, but I think it’s notable to say that all of our products can be configured to leverage multifactor authentication, and I think that’s critical. So, for me, being able to create that dotted line over there to multifactor is huge, because there’s solutions out there that you can’t integrate multifactor authentication. So, I think PAM in itself plays a critical part into creating that dotted line. Now the next one, patch management. Some people are like, “Come on, Chris. You’re a PAM vendor. How do you do patch management?”

Well, at the back end, you leverage the platform aspect, which is called BeyondInsight. BeyondInsight still has some relevant features that essentially give you risk scores. I’m going to talk about the inventory aspect of this, but when you go out and do the inventory of what’s on your network so you know ideally you can interrogate those assets, so operating systems, applications install, what level they’re at and everything else. You bring that back to give you that landscape so you can make that decision to know what you want to do and how you want to handle the data. Well, for patch management, you got to know what’s out there to patch first before you can patch. So, for us, BeyondInsight, having those risk scores, having that inventory to be able to give you the landscape of what’s going on out there, I think is valid enough to create that dotted line, to be able to say that we can play or enhance the patch management category.

Now, the third and final disaster recovery and backup. Some of you might be like, “Oh, come on Chris, you’re not a backup company,” but those of you that have our products that might be listening to this know that our products can be configured in a disaster recovery scenario, whether it’s an HA configuration active —and all of our products can be configured to be backed up. So, for me having again, that dotted line to be able to go there to say, “Look, our products are configured in disaster recovery can be configured and we can back those up,” to me is strong enough to say, “We can create that dotted line here.” Tom, is there anything else you might want to add to this aspect of this?

Tom: I just want to say how much I love it. From where I sit as the insurance producer, I’m all about, “How can I show that my client has a best of the best cybersecurity risk profile?” For us to be able to draw these lines as you have, and not only check the boxes just like on Active Directory, EDR VPN — no problem. But to show that there’s this entire infrastructure built behind checking those boxes, that’s the difference between just going down the ransomware application and checking the yes box and being able to provide that supplementary information to your insurance carrier to show “No, no, this organization is taking network and cybersecurity extremely seriously. They’ve incorporated into their culture, and they really are committed to preventing losses?” That puts me as the insurance producer in the best possible scenario to deliver to my client. So, to have a security partner like BeyondTrust that is not only providing these services, but helping you connect the dots from an insurance perspective, I think there’s huge value there. It’s great to see.

Chris: Awesome. So, when we talk about that, we talk about our product portfolio and what’s out there. In our product portfolio, we have four pillars. We have the Privileged Password Management portfolio. We have the Secure Remote Access portfolio. We have the Endpoint Privilege Management (EPM) portfolio. Then, we have the Cloud Security Management Pillar here. So ideally, depending on where you’re looking at focusing and protecting privileges, whether it’s at the core of where PAM started, or it’s at your third-party vendor access, or even your help desk — making sure they can make a clean and uncompromised connection to that end user that needs help, and be able to share screens and files and whatnot. Or it’s trying to reduce the risk on the endpoints, because endpoints are one of the largest targets when you talk about user endpoints.

That VPN and that remote access is still one of the top attack vectors of how a bad actor gets into an organization, so that’s why this pillar is key. Then obviously, we talk about cloud entitlements and we talk about diversifying cloud strategies and not putting all of our eggs in one basket. How do we look at all that privilege in one area and be able to get risk scores and be able to fine tune all three of those in a single solution while following least privilege model? That’s what’s key. That leads me into the free Discovery Access App that we have, or the Privileged Access Discovery App.

Look, I’m a huge believer in that you don’t know what’s protected if you don’t know about it. It’s not what you know about that poses the greatest risk to an organization, it’s what you don’t know about. So, I don’t want to spend a whole lot of time on here, but we do have a free app that you can leverage and use on your network to go out there and essentially scour the four corners of your network to bring back, or at least expose to you, what privileged access is actually out there.

That’s a huge key, because again, if you don’t know what to protect, how can you protect it? Those are the things that provide the largest landscape for the bad actors to essentially take advantage of. Again, I want to thank the audience for listening to you and I go. We could probably spend a whole other hour on this, Tom, to be completely honest with you, but I want to make sure that we give enough time if there are any, I’m just going to go right into it.

Tom, the million dollar question that I always get asked from our own internal sales guys is, “Hey, Chris, I love the presentation. I love cyber insurance. How much money can my customers save if they buy a policy and whatnot?” How do you relay that? How do you respond to that? If somebody comes to you and he is like, “Tom, how much money can I save if I implemented PAM?” How do you answer that question?

Tom: Yeah, it is the million dollar question, both from your end, Chris, but from my end as well. My clients always want to know like, “All right, I’m going to do these things so I can get a cyber policy, but what’s that going to mean for my premium?” The reality is that right now in the insurance marketplace, insurance companies are trying so hard to just recover and stay stable, that the infrastructure to apply a safe driving discount credit to get 5% off your auto insurance premium, it doesn’t exist. I think it will. There’s a lot of energy behind getting that infrastructure and credit structure built into how an insurance premium is determined. There’s a lot of really great new cyber insurance companies that are really more like technology companies than they are like insurance companies out there that are innovating and bringing some really cool ideas to this space.

But right now, it’s not quite there. So, what I tell my clients is all these investments that you make in your network security are going to create the best possible risk profile that I can use in the marketplace to get you the best possible price and coverage. So, while it may not mean I go get you 5 or 10% off your renewal premium, it might mean that we can market your coverage. We go look at other insurance carriers and maybe the developments that you had get you into a new class of carrier that is willing to think about things on a more granular, a more critical level and will offer lower premiums than what your incumbent carrier might offer. So, it’s really all about that risk profile and improving that as much as possible.

Chris: Awesome. Sarah, I know we have a ton of questions in here and I know we’re at time, so I want to be respectful. For those of you that have questions, Sarah, you’re going to get a transcript of this and we’ll be able to look at these questions and then follow up with the audience attendance list, correct?

Sarah: Yes, absolutely. Thanks for doing my job for me, Chris.

Chris: Cyber insurance is so huge in the cyber market right now for technology, and so there’s some really good questions. Some that are related to our sales aspect, some that need to be answered aside. But I just want to make sure and I want everybody to know that those of you that ask questions, we will absolutely respond to those. If you don’t get a response, I’m going to give you my email, it’s really easy, chillschills@beyondtrust.com. Send me your question. Add me on LinkedIn. Tom, you want to give a final plug really quick for somebody who wants to follow up with you on LinkedIn or your email?

Tom: Yeah, absolutely. So, my email address, happy to field the emails from anyone. Please do reach out to me and I will try answer some questions that were in the chat. But my email address is toneill@fredcchurch.com. You can find me on LinkedIn as well, Thomas O’Neill at Fred C. Church.

Sarah: Next time, we’ll make our cyber insurance webinar 90 minutes instead of 60 so that we can get to all of our questions. But thank you guys, everybody who attended please rate and review this session and provide us any feedback. We do share this, all of the feedback that you guys write in to our presenters to make this more educational and beneficial to you always, so we’re always looking to improve. All right. Thank you all so much for joining and we will see you at our next webinar. Take care, everybody and goodbye.

Chris: Thanks, Sarah. Thanks, everybody. Thanks, Tom.

Sarah: Thanks.

Tom: Thank you.

This post was first first published on BeyondTrust website by . You can view it by clicking here