As cyberattacks grow in sophistication, insurance companies are drafting newer policies that impose greater burdens and conditions upon corporate policyholders.
Watch our recorded webinar below. IT Radix will be joined on this webinar by a well-known cyber insurance expert and valued client, Javier Gonzalez of Axis Insurance Services LLC, as we walk through how to help our client, “Sitting Duck Partners,” as they navigate the world of obtaining cyber insurance protection.
Things are quacking here at Sitting Duck Partners. Cathy, as you know, we just got a Renewal Questionnaire from our cyber insurance carrier, and you’ve got a lot of security things in place with us. I know we have MFA and everything, so I sent you a questionnaire. I pretty much filled it out because I kind of know what’s going on, but maybe you could double check.

Okay, what you can see here is sort of a typical email that we might get from one of our clients, and in this case, it came from Justin. You can see that he tried to take a stab at it, and he sent us just that little, teeny snippet at the bottom there and that’s it.
For us at IT Radix, we’re like, okay, well, where’s the rest of it? We want to make sure that he’s got the IT pieces of it right. The way we knew that is we can see the number of questions: there are 27 questions, but we’re only getting five of them. Or sometimes we’ll end up with something like this, where Justin said, “I know we have MFA,” and went ahead and answered things to the best of his ability, so you can see that he checked yes to everything, but he didn’t necessarily check with us. So, if you look at it, it says at the bottom there to make sure that you check with the signer, and the signer is checking with whoever is in charge of IT Security at your organization. Now, IT Radix and your broker, we are advisors: we can give you advice, we can give you tools, and we can talk to you about the risks of what’s going on from an IT security standpoint, but ultimately, we’re not the ones who are in charge of the IT Security at your organization or making those decisions about what you will and will not do. But at the same time, we want to make sure that when you’re filling out these attestations, you’re filling them out correctly with what you actually do have in place.
Don’t Go Solo… Seek Advice from a Cyber Insurance Specialist
Question #1: What are some of the top mistakes that you see clients make when they’re applying or renewing for cyber insurance?
Question #2: What is driving the increased security measures that are being required to obtain cyber insurance coverage?
We’ve been writing cyber probably for about a decade now, way before it was cool, and a lot of the claims that we saw in the past you only saw relative to large breaches like Target and Home Depot, and credit card information was very much the highest concern. And then you had breaches from other large organizations, but you weren’t really hearing too much about the small middle market being impacted so much by these bad actors. There was a lot of insurance that was written for a lot of zero-to-billion-dollar revenue companies, and they were done with very little information. They would ask four questions: what do you do for a living, how much money do you make, where are you located, and basically what is your revenue, or things of that nature. So, there wasn’t much information taken into consideration, and back then the exposure for the carriers wasn’t very high. Your average ransomware demand was barely $10,000, and that was done strategically back then by these bad actors. They wanted to stay under the radar of the Feds and things of that nature. But now you have carriers that are paying out tens of thousands, if not hundreds of thousands, if not millions of dollars on many claims, like tens of thousands of claims, and they’re no longer in a position to tolerate organizations not implementing basic network security procedures and postures that would prevent these breaches from happening in the first place. So, they’d rather not write your account than have you elect not to spend ten thousand dollars to update your network security posture for the sake of them having to pay three or four hundred thousand dollars in cyber loss. They’re just not tolerating that anymore, and if you want to be insurable, you’ve got to be in a position to have these basic network security postures in place in order to help prevent these occurrences.
These occurrences are still going to happen, but they’re happening at a heck of a lot lower percentage on average for an insured who has properly set themselves up from a network security profile versus somebody who’s still trying to kick that can down the road because they don’t want to come up with what it’s going to take, both from a human element and a capital element, to be in a position to protect yourself, so to speak.
So, I think you were mentioning that if they put some of the tools in place and some of the measures in place, there are some advantages to them for doing that. Could you talk a little bit about that?

Yes, with these tens of thousands of claims, we now have a lot of data, and the data is compiled from the insurance companies and these breach response vendors to say, okay, what security was in place that helped make this breach not as bad as it could have been? Or, what vendor was used for EDR or MFA that still allowed this breach to occur? So, they’re now taking statistics on the vendors that are available relative to EDR and MFA, who your backup providers are, what types of backups you have, are they segregated from your network, how often are they backed up? And so even things like, if you have proper backups that are installed correctly and work correctly and have been tested, you can now go back; maybe you only lose a day or two days’ worth of data, and now you know you don’t have to be in a position to pay a ransom. And so now that eight-hundred-thousand-dollar average ransom demand is not paid, and you’re incurring tens of thousands of dollars in this loss versus hundreds of thousands, if not millions, by properly being in a better position to respond to an event.
Question #3: What are the risks when the people who fill these forms out are just trying to cross it off their “to do” list and sometimes fill them out incorrectly? What’s the risk of that? What can happen?
Question #4: What do you do when questions are blended together? Should you attach supplemental information?
Question #5: At what price point does insurance cease to be feasible?
Question #6: What is EDR?
EDR stands for Endpoint Detection and Response, and basically that is a technology solution that we can put in place, typically on the end users’ machines, as well as on your servers or other endpoints in your network, where it’s watching for things to happen. The endpoint is the user’s device, so that’s the E in EDR; the D is detection, watching for things to happen and detecting them; and the R stands for response, because obviously we want some action to happen when something is detected. It might be isolating the machine from the network, or it could be sending an alert out to someone like ourselves. There are a bunch of different things that could happen. So, that’s what EDR stands for, and from the various cyber applications that we’re being asked to help our clients fill out, we’re seeing it being mandated and required by a lot of these carriers today.
There is a strong push from the insurance companies. They’re happy you have EDR, great, but there’s a strong interest in who’s monitoring that. Is it in-house, or is it 24/7 monitoring provided by the EDR service provider, which is what they prefer? They prefer somebody else be on watch 24/7 than Bob, Jane, or John, who may not get the alert at one o’clock in the morning on a Saturday over the weekend, and then you’re responding to the situation or the potential threat too late, so to speak. So, yes, having EDR is great, but what percentage of your network is it actually protecting? They want to see that number as close to 100% as possible, and then who is actually monitoring those threats that may be detected, at any time of day or night, so to speak.
That’s a wrap!
We want to keep it short and sweet. We try to be respectful of your time. I wanted to thank Javier and Axis Management for taking their time today to speak with us. I will say, the real message is to be sure to protect your assets and consult with your insurance broker, or, if you’re not comfortable that you’re getting the information you need, we strongly encourage you to reach out to Mike Smith, who could not be here with us today, or Javier and the Axis Insurance team. But you want to make sure that you’re really digging in and not just checking the boxes on those insurance forms, and that you understand them. If you’re a client of ours, we obviously would love it if you would keep us in the process, because we do find that some of the clients have checked things that they don’t actually have, and as Javier explained, they’re putting themselves at risk. Obviously, it’s not really a matter of if you’re going to have an incident, but a matter of when and what happens, so that you’re prepared and you’re not being reactive, and so that you can avoid turning into an angry monster like you see here.
If you have any further questions that you didn’t ask today, feel free to reach out to us. Allow for as much time as you can; get out in front of this with as much time as possible. If you have a March 1st renewal, literally today is not too soon to start this process to identify any areas of concern that you can spend some time getting your hands wrapped around and actually be able to deploy. I can’t tell you how many times we’re within a few weeks or less of the expiration date and we’ve identified a vulnerability that needs to be dealt with or a procedure that needs to be implemented, and you just don’t have time to find a vendor to put it in place and deploy it correctly in your network, and then you’re uncovered for a short period, or a long period of time in some cases. So, the sooner that you can get out in front of these renewals or effective dates for your cyber, if you have it in place, the better.
That’s great advice! Thank you again, Javier. Justin Case, make sure you fill out that insurance form properly. That’s it from Cathy and the Team here at IT Radix. Thank you!