Mythbusters: The cyber insurance edition
In the last year, I’ve learned a lot about cyber insurance, and I’ve also seen many incorrect facts being stated by fellow peers in infosec.
In this post, I attempt to debunk some of these incorrect facts, give a quick introduction to some insurance concepts, and explain why I believe cyber insurance will play an important part in the future of cybersecurity.
Let me start by immediately admitting - I am biased. A cyber insurance provider acquired my startup. I work for said cyber insurance provider, and I believe in the mission we are trying to accomplish.
Let’s get started…
What is cyber insurance and what does it cover?
Cyber insurance is a policy that can be acquired by both organizations and individuals and that covers multiple types of damages (the coverages, and the language used to define them, change from provider to provider). Typical coverages are: stolen funds (typically social engineering), lost business income (a DDoS that leads to business interruption), cyber extortion (ransomware), computer replacement, bodily injury (if you’re injured by a failure in a SCADA or IoT device), etc.
What are the key metrics for a cyber insurance provider?
There are many different metrics we use to measure different topics internally; however, two key metrics are extremely important:
- GWP - Gross Written Premium - Total premium written by an insurer before any deductions are made (like reinsurance or commissions).
- Loss Ratio - The ratio of incurred losses to earned premiums, expressed as a percentage. If we have $10,000 of premium and pay $5,000 in claims, our loss ratio is 50%.
I heard that cyberinsurers don’t pay, because of war reasons or wtv?
This comes mostly from the now famous Mondelez case, where the company filed for damages with Zurich Insurance due to a NotPetya attack in 2017 and was refused payment. Here is an important fact often overlooked about that case: at that time Mondelez DID NOT have cyberinsurance. They tried filing their claim under their property insurance and got denied, but due to information dilution over time and hearsay, cyberinsurance ended up targeted by people reading the news about this case.
Is cyberinsurance expensive?
Different factors go into how expensive your policy will be, from limits requested, to revenue, industry and number of records held by your company, and of course the results of our security scans.
A policy has different coverages, limits (max an insurance company will pay), and retentions (how much you must pay before insurance pays a dime), and all these levers can be used to generate the right policy for the right price.
The average policy for an SME in 2021 costs $1,589 for $1 million in cyber liability coverage.
BUT, hear me out. If you pick the right carrier, not only is your cyber insurance policy a safety net, it is also a great investment of your infosec/cyber budget.
It’s not just your policy…
Two months ago, we launched a new free product called Coalition Control. Since then I’ve been talking to some startups and friends about how they are using Control, and one topic that kept coming up was that, with Control being free, rather than saving money they would be able to shift the budget they had been spending with their current Attack Surface Management provider into something else. And that got me thinking.
If I was back in startup mode, or in an organization with a small budget for security, which free tools could I leverage to optimize my spend? Note: I am focusing on tooling here, not on practices. Good/best practices need a much longer, separate post. Also, buying tools doesn’t exempt you from following said best practices.
With a typical budget for security of less than $1000/month, any money we can save or redirect is a blessing. (Some of you will shout that this organization is already being negligent by not assigning proper budget to cybersecurity; my advice is to go talk to some orgs in the real world. Get out of your bubble. The orgs we are talking about in this article can’t afford a multimillion-dollar investment in cybersecurity: they are non-profits, charities, small startups pre-funding, small local companies, etc.)
So I sign up for a policy with Coalition (I talk about Coalition because it’s what I know and can talk about without making gigantic assumptions about what the offer looks like.) Just by going through the quoting process I get access to a security report of all my external assets and potential security issues detected (a light version that looks at 400 ports across all assets, you too can get this in Control.)
Let’s say I take the policy they offer. It’s gonna run me between $1000-3000, and what do I get in return?
1 - Access to the premium version of Coalition Control, a risk management platform for which we are constantly building and adding new features. Right now that means:
- Full attack surface discovery and monitoring for your organization and 5 vendors. This means we will scan all 65,535 ports on all assets across your org and vendors multiple times a month and notify you if we find any vulnerabilities. (Hint: even if you wanted to get this from a vendor, AFAIK no one is doing all ports across all assets with service identification and all the enrichment that we do.)
- Darkweb keyword monitoring (if we see you mentioned on the dark web, we let you know).
- Lookalike domain monitoring (if we see an attacker preparing a social engineering attack and adding an SSL certificate or an MX entry to a domain similar to yours, we let you know in Control).
- Torrent monitoring (if we see any of your assets downloading torrents, we also let you know within Control).
You would have to buy from multiple vendors to get access to all this data and maintain some kind of platform to aggregate it all; this would easily run you $25,000-$30,000/year.
2 - You get access to a world-class security team. Yes, if you don’t know how to fix something or how to correctly implement certain security controls, we are here to help: you can book a call with our security team and they will try to guide you through any questions you might have. How much would you have to pay an IT provider, MSP or consulting company to help you with this?
3 - You get access to our partner technology ecosystem. These are different technology solutions at discounted prices, exclusive to our policyholders. EDR, training, compliance tools, we’ve got it all and it’s only getting better!
4 - IR - If you get a claim, we have an IR team that will help you with the entire process, from understanding the initial vector of compromise, to fixing it correctly and guiding you through the restoration process. Again, if you went with a vendor, this would run you up quite a bit.
5 - Your policy. When all else goes wrong, you’ve got your coverage. This might seem obvious, but the policy is there to help in the worst-case scenarios.
I heard that cyberinsurance is fueling ransomware or that insurance companies are happy with paying ransoms
Repeat after me: “No one wants to pay for the ransoms”. Don’t believe me? Take a look at the numbers. The avg policy is $1500 of premium (take our own costs and broker commissions out, and what we’re left with is even less than that), which means that even payment of 1 ransomware claim burns a lot of the premium we get from other policies.
However, sometimes our policyholders are faced with the worst situation a business can ever be in, “pay or die”, and in those, we (if the policyholder makes the choice to pay) do play our part.
I believe we play a much larger role in reducing the frequency with which ransomware events happen. One example of this is RDP, which we know is one of the main vectors for ransomware. Just in the last year alone we managed to convince thousands of companies to turn off RDP from direct exposure to the internet. Either to get a policy with us or as part of our ongoing scanning, policyholders follow our indications and become more secure because of it.
I tried doing this proactively for years as part of BinaryEdge and for free; most of the conversations ended in companies either ignoring us or threatening to sue us.
Another great example is with Microsoft Exchange. When HAFNIUM came out at the beginning of the year, we had roughly 1000 policyholders vulnerable. The security team, working alongside the incident response team, identified which policyholders were vulnerable in <1 hour of technical details being released, and got notifications to them in the next hour. We managed to get those 1000 vulnerable down to 8 in <1 week.
Cyberinsurance is still in its infancy, market penetration is less than 1% and will grow into an absolute beast of a market in the next few years. When you stop and ask the question “Which cyber insurance should I buy?” look at the entire package offered by your carrier from coverage to the entire ecosystem around it. Pick a modern carrier that will help you manage and control your risk.
Is insurance land like candy land where it’s all perfect and flowers?
No. We’re still learning. It’s a new game with no previous examples that we can point to and say “they did it right, let’s follow!”, so we make mistakes. Some carriers are non-renewing policies, others are going out with 200% price increases, and some of the things you read on the news are as painful as they appear, but here is the thing: we’re young. All other insurance lines went through similar phases in their development and stabilized over time as carriers learned more about the different types of risk, frequency and severity.
Data becomes critical in this phase, as the company that has the best data and can best leverage it across the entire lifetime of a policyholder will win. I might write a future post about this, as I have had a couple of posts on Hacker News where people think it’s just scanning a company when we quote them and that’s it, but it’s so much more!!
If you bothered to read to the bottom and understand the tip of the iceberg of how we work, you’re probably wondering “how is it that they can afford to offer all the security tooling on top of the insurance coverage?”.
It comes down to being good at risk selection and reduction.
Close cooperation between our security, risk and analytics teams gives us access to the right data and mechanisms to pick the right risks to insure at the right price. And for the risks we can’t insure, we will try our hardest to bring them to a level where we feel confident insuring them.