What Companies Must Do To Bring Their Cyber-Insurance Premiums Down – Part 2
In Part 1 of this article, we spoke to Matt Middleton-Leal from Qualys, a firm that specializes in cloud security and cyber-solutions, about what exactly is happening in the world of cyber-insurance. It was a disheartening, if revealing, conversation. Lloyd’s of London is no longer going to offer ransomware protection on events “connected to a war” from 2023 onward, and lots of other insurers are busy carving ransomware cover out of the policies of their tech industry clients ahead of an imminent policy renewal.
So if we’re really hurtling towards a world in which policies are gutted of their ransomware protections and premiums are nevertheless rising, what must companies do to ensure they can still get cyber-insurance that’s worth the screen it’s written on, at a price that doesn’t break them in the oncoming recession?
That depends on where we are. Speaking from a UK perspective, we don’t have a standard of universal cybersecurity readiness against which companies can measure themselves – or be measured, to say “This is X-percent secure, which translates to Y-percent discount off its new premium.” The US has FedRAMP Plus, which is pretty stringent, and a different approach to compliance from that which applies on this side of the Atlantic. So US companies have the FedRAMP Plus standard to work towards if they want to both be as cybersecure as possible, and use that demonstrable security to lower their premiums at a time when they’ll inevitably be rising.
In the UK, we work on a much more advisory basis. We say “Thou shalt use two-factor authentication in some way, shape or form, for it shall bring down thy premiums mightily!” But that’s just advice – companies don’t have to listen to it. So when an insurer goes in and says “Show me you’re secure,” there isn’t really a benchmark to use.
The Consultancy Framework
That means quite a few of the big insurers have set up their own cyber-consultancies to go in and do some evaluation work. I think that will probably grow, because there’s no good answer right now.
Why not adopt something like the US system?
We already have a massive skills shortage, so if we mandated doing it the US way, we wouldn’t be able to physically do it. I don’t think there’s the manpower in the UK to do it without then driving up costs. Silos would increase, consultancies would be created, and it creates a self-fulfilling prophecy of rising prices, and we don’t ultimately end up with a better product, so I would rather we find a way of potentially penalizing the boards of companies that don’t maximize their cybersecurity. Financially penalizing them for not making the right investments. The days of cutting the budget for cyber, that can’t continue. But on the flip side, the technology people, the CISOs, where they are today is not sustainable either. They’ve got to take a new approach. And I think the board needs to get involved in that and say “We are going to sponsor you to take a new approach. It might mean tearing up what we’ve got today. Because 20,000 organizations this year got hit by ransomware, and they did roughly the same as us.”
Yeah. And it hasn’t worked. So what is this new approach we need to take? It won’t be the same for everyone. There’s not one kind of standard equipment, but it’s a paradigm shift in terms of how seriously they take things. And they can’t do that on their own. That’s the problem. Because it will mean change.
What’s the issue with change?
The tech industry is a pretty immature industry. If you look at something like engineering, for example, and you look at the controls, there’s so much more history, there are more cases and examples to follow. So, the tech industry has to mature quite dramatically.
Everyone creating their own stuff and applications and servers has created more complexity, and with more complexity come more gaps that attackers can exploit. So we’re going to need slightly better compliance. If companies can prove for example that they have 100% coverage of their controls and they can show it in real time to their insurer, I’m pretty sure that’s going to help in the future with their premiums.
But if they can’t – if they put on a smoke and mirrors show, which has happened to date – that’s not going to help anyone.
The Extrapolation Error
Is there a sense of that? Of companies using smoke and mirrors to just get through a box-checking exercise on cybersecurity?
People have a tendency to extrapolate. In doing GDPR checks [GDPR is a European standard of data retention to which companies have to adhere], we used to find people being signed off as compliant, and when you asked the consultant who was signing them off how they knew the companies were compliant, they’d say “Well, we checked 20% and extrapolated from that.”
Doing that with cybersecurity just leaves 80% of your windows open for the attacker.
Is there a sector-wide awakening to the idea that companies really need to take this seriously? And how long do you think it’ll take to raise the overall security floor of the industry?
Oh, change is happening already. Whether it’s a sector-wide change yet I’m less sure, but there are definitely moves in the right direction. The idea of losing compliance puts a firecracker under some companies, and they’re amazed at what they can get done in a matter of months when faced with a consequence like that. They may have been meaning well for years, but a concrete consequence and a deadline shifts the paradigm of how people operate.
What companies find is that there’s a small number of vulnerabilities out there in the world, which most of the ransomware variants actually exploit. It’s like 30 vulnerabilities. But cyberattacks are accelerating because companies don’t take the time to deal with those 30. They don’t patch them, they don’t stop attackers using the vulnerabilities, so the attacks keep coming.
Dial Down Your Risk Profile
At the very least, if you can dial down those critical risks, and show your insurer that you’ve done so, you have a case to make for lowering your insurance premiums, because you’re clearly taking the threat seriously.
But it’s the beginnings of building an internal approach to cybersecurity.
- First – find out what assets you’ve got.
- Second – find out where they are and what they’re doing.
- Third – there are these 30 or so common vulnerabilities that attackers use. Patch them, close the doors, and you begin to look like a better risk, a better insurance prospect than Business B down the block who has done none of that.
The other aspect of that is that it provides better clarity on ownership of system assets to the actual business owners. That means if you suddenly get a report that says “These are all the associated assets that operate in your part of the business. This is the risk profile, this is the cost to change that profile. Do you want to stay where you are? Or do you want to fix it?” You’re going to get a much better response from business owners with that kind of information at your fingertips – that’s part of that maturing process I mentioned.
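As an added illustration of the three steps above and of the “check 20% and extrapolate” problem from earlier in the interview (example code written for this page, not from Qualys or the interviewee): a toy inventory check that measures how many assets still carry one of the commonly exploited vulnerabilities, breaks that down per business owner, and shows how a 20% sample can report full coverage while the real figure is far lower. The inventory, owners, sites and CVE ids are all constructed; the CVE ids are placeholders, not real vulnerabilities.

```python
# Added example: asset inventory + coverage check against a short list of
# "commonly exploited" vulnerabilities. All data below is constructed; the
# CVE ids are placeholders standing in for the ~30 the interview mentions.

# Step 1 and 2: what assets exist, who owns them, where they run, and which
# vulnerabilities are still unpatched on each one.
INVENTORY = {
    "web-01": {"owner": "sales",   "site": "london", "unpatched": {"CVE-0000-0001"}},
    "web-02": {"owner": "sales",   "site": "london", "unpatched": set()},
    "db-01":  {"owner": "finance", "site": "leeds",  "unpatched": {"CVE-0000-0002", "CVE-0000-0003"}},
    "vpn-01": {"owner": "it",      "site": "london", "unpatched": {"CVE-0000-0001"}},
    "hr-01":  {"owner": "hr",      "site": "leeds",  "unpatched": set()},
}

# Placeholder stand-ins for the short list of vulnerabilities most ransomware
# variants actually use (the article gives no ids; these are not real).
COMMONLY_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0002"}


def exposed_assets(inventory, exploited):
    """Step 3: hosts still carrying at least one commonly exploited CVE,
    mapped to the ids that need patching."""
    hits = {host: data["unpatched"] & exploited for host, data in inventory.items()}
    return {host: cves for host, cves in hits.items() if cves}


def coverage(inventory, exploited):
    """Fraction of assets (0..1) with none of the exploited CVEs outstanding;
    this is the 'show it to your insurer' number."""
    return 1 - len(exposed_assets(inventory, exploited)) / len(inventory)


def owner_report(inventory, exploited):
    """Per business owner: (assets held, assets exposed), for the
    'do you want to stay where you are or fix it?' conversation."""
    exposed = exposed_assets(inventory, exploited)
    report = {}
    for host, data in inventory.items():
        held, bad = report.get(data["owner"], (0, 0))
        report[data["owner"]] = (held + 1, bad + (host in exposed))
    return report


def extrapolated_coverage(inventory, exploited, sample_hosts):
    """The consultant's shortcut: measure only a sample and extrapolate.
    With one clean host out of five (20%), this reports 100% coverage."""
    sample = {host: inventory[host] for host in sample_hosts}
    return coverage(sample, exploited)
```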
Flammable Business Models
What do you say to companies that see the rising costs of premiums, and the reducing cover for ransomware, and conclude that they don’t need cyber-insurance?
I’ve never had a fire in my house ever.
I actually don’t think a board would allow companies, certainly companies with more than 500 employees, to go without cyber-insurance. Apart from anything else, there’s a rubric that says they need to be covered if they’re going to go for bigger deals and contracts – and other companies with which they try to do deals would be unlikely to stand for adding that vulnerability to their systems, either.
What should technologists be saying to their boards to get this taken seriously and to get the corporate culture matured in a hurry over cybersecurity?
It’s about knowing what your current risk posture is. Work it out, put a figure to it, the figure is X. These are the associated KPIs with that. Here’s the investment required to address that to the level we deem acceptable as an organization. What are the real consequences? Maybe a 10-day catastrophic cyber-event where they can’t trade. Make that impact clear. And wherever possible, don’t go in one-handed – have an ally on the board who can make the case when you leave, because IT departments can come unstuck making pitches like that without someone on the inside prepared to keep talking about it when the IT department’s allotted time with the board is up.
Cybersecurity has never been exactly a lie-down-on-the-job issue for the tech industry. But talking to Matt made it clear that there is an immaturity in the industry – a lack of knowledge of what’s in a company’s data silos, and a lack of attention to common, straightforward vulnerabilities and the power of patching – that will need to be addressed as the cyber-insurance market gets tighter, preparing to offer less for more. To take advantage of what savings are available in cyber-insurance going forward, tech businesses will need to toughen their attitude to cyberattacks, and invest to strengthen their overall threat resistance platform.