Taking uncertainty out of cyber insurance

Cyber insurance is a difficult subject to get one’s head around. On the one hand, it is absolutely crucial to have that insurance in place before a company is hit with a successful cyber attack. On the other hand, getting the right insurance for a specific company’s needs is not simple. Getting it right requires a technical discipline almost separate from all other security practices. Cyber Protection Magazine (CPM) sat down with Brett Helm of Dragonfly Cyber to talk about cyber insurance automation solutions.

CPM – Your company provides solutions for automated cyber-insurance compliance, which is a very competitive and growing market. Why did you specifically target the insurance industry?

Brett Helm – There are two key reasons we are focused on this market. First, as you said, it is a fast-growing market. But more importantly, our team has developed a unique solution that is needed in this space. While there are a lot of solutions in this space, there is still a substantial technology deficit. We solve that problem in a unique way.

CPM – I counted over 30 companies in automated cyber-insurance compliance, ranging from start-ups all the way up to big companies. There are even a couple of insurance companies that are offering it as a service. With this many companies offering solutions, is there really a need for another solution?

Brett Helm – Most of the current solutions are based on paperwork. Companies fill out questionnaires that can be used by insurance companies to perform risk analysis. But the paperwork approach doesn’t scale. Questionnaires are often inaccurate and, in some cases, pretty much useless. But when you put an automated process around the paperwork, summarize it, and put it into a report, it looks legitimate. The problem is not the automated processes. The problem is the foundation is wrong. Gathering data using questionnaires is the wrong approach. We took a different approach.

CPM – The companies that I’ve talked to are automating cyber-insurance compliance. They have a solution that finds Edge devices and identifies all of them. In other words, they have an automated process to go through the network and find all the different places where the holes are and then come back with a report.

Brett Helm – Those companies are automating part of the process. There provide partial solutions – basic device inventory and some level of vulnerability discovery. But a lot more is required for compliance with cyber-insurance mandates. Insurance companies now have 9 mandates that companies must follow to get and keep a cyber-insurance policy. We are providing a solution that maps cyber risks to these mandates.

A lot more is required for compliance with cyber-insurance mandates

CPM – On your website, you say you’ve been at this for 10 years. Have you targeted insurance companies for those 10 years?

Brett Helm – No, we didn’t start by targeting cyber-insurance use cases. Our solution provides a very strong, very unique vulnerability detection capability. The origins of this solution are in database monitoring. We created a platform to help companies protect their crown jewels – information stored in their databases. Technology has evolved since we first began working on this 10 years ago. In the past 24 months, our customers have been telling us how frustrated they are with cyber-insurance questionnaires and mandates. We have had companies tell us that they have been denied insurance despite having a strong cyber security program that meets insurance mandates because of issues with insurance paperwork. We have listened to our customers and added the ability to map the information we discover to the cyber-insurance mandates.

A broken industry

CPM – Gerry Kennedy, founder of Observatory Holdings, which advises both cyber-insurance companies and companies buying cyber-insurance, often says the way insurance companies are handling cyber-insurance is completely wrong. This is for a market that was worth $7.5 billion USD in 2021 with an estimated 6 million cyber-insurance policies issued. How can a $7.5 billion dollar industry be doing everything “completely wrong”?

What cyber insurance companies have been doing isn’t working!

Brett Helm – When you ask the question that way, it sounds surprising. That is a big industry to be completely wrong. But I agree with him. And I think a lot of the insurance companies, if they were completely honest, would agree as well. The last few years have been a land grab by insurance companies. They have been pricing policies to gain market share. They are operating under the assumption that they can accept losses in the short term, and they will figure it out as they go. But this is beginning to change. Insurance companies have been raising premiums, increasing deductibles, and lowering coverage limits. They started with 3 mandates for companies to follow to qualify for cyber-insurance and have now increased that to 9 mandates. They are making changes because what they have been doing isn’t working. Insurance companies are losing money. Companies are finding it more difficult to get cyber insurance. According to a report from Blackberry, 34% of companies were denied coverage and were unable to obtain a cyber insurance policy. For those with insurance, over 20% of claims did not receive a payout, or only received a partial payout on a claim. I even read one report that claimed that cyber-insurance companies offered payouts covering only 2% of incurred damages. To me, that speaks of an insurance industry that is broken.

CPM – If the industry is broken, how can it be fixed? Or can it even be fixed?

Brett Helm – It is a big problem, and there is no single fix. Part of the problem is that insurance companies blur the lines between types of coverage. For example, if you’re driving a Tesla and somebody hacks that Tesla and takes control of it, that’s auto theft. And therefore, should be covered by your auto insurance policy. But insurance companies have an exclusion clause in auto policies, so they don’t have to cover that scenario. So, part of the problem is insurance companies’ policies and how they do and don’t cover cyber insurance.

But there is a more fundamental problem; the agreements for cyber-insurance between the insurance companies and the insured are not clear. Ideally, the insurance company and the insured customer shake hands and agree on the conditions for a payout. It would be clear what is covered and what is excluded. But that is not the case today.

Part of the problem is insurance companies’ policies

To put this in perspective, we can look at auto insurance. There is a clear understanding of what is covered and what is not covered and there are clear conditions on what activities will cause claims to be denied. Everyone understands that there are exclusions for excluded drivers and intentional acts, and these exclusions are consistently enforced. Exclusions for cyber-insurance are not clear and well understood, at least not yet.

Let me give you a simple example. A large bank could easily have upwards of 10,000 applications. This information is based on our discussions with several large US banks. When applying for cyber-insurance they are asked if they have multi-factor authentication (MFA). There is a mandate to have MFA, so companies applying for cyber-insurance are mostly likely going to answer “Yes”, they have MFA enabled.

When the insurance company and the insured shake hands and agree on an insurance policy, the insurance company expects that the bank has the implement MFA across all applications. The bank, when completing the insurance questionnaire, may believe they have MFA installed on all critical applications. But the person filling out the application may not be aware of all applications in use through the organization. Even if MFA is enabled across all applications when the insurance application is submitted, something could change. A new application could be added, a user could inadvertently disable MFA. Or an old application that does not support MFA could be in use, unknown to the person submitting the application.

If there is a data breach or other cyber-insurance claim, and it is discovered that MFA was not enabled on an application resulting a data breach, the claim may be denied. And the insurance company has reason to deny the claim. The bank, however, was not intentionally trying to circumvent the mandates. A better solution is needed.

Understand exclusions

CPM – You pointed out two problems. Let’s start by looking at the issue of what insurance companies are covering and what they are not covering. As a company buying insurance, you can write a letter saying, no, we’re not accepting this particular provision in the policy. If you do that, doesn’t mean that the insurance company can just cancel the policy?

Insurance companies have an unfair advantage over the insured

Brett Helm – You are correct. If a company says that it won’t accept a provision, the company won’t issue the policy. The problem is that insurance companies have an unfair advantage over the insured. They’ve got an unbelievable amount of data that shows where their risks are, and they can absolutely put exclusions in the policy. Customers often have no idea what that exclusion means to them in terms of risk. It’s not like an intentional act or excluded driver with auto insurance. If you read a cyber-insurance policy, you will see that it is really hard to know exactly what is covered and what is excluded, and how that will play out in an actual attack. The insurance company has a team of lawyers writing these policies. The legal cost is then spread across thousands of policies. Each individual company buying insurance cannot afford the legal cost to review the details of each policy, let alone to negotiate these details.

CPM – That’s what Kennedy also points out. You can write a letter saying, no, we’re not accepting this particular provision in the policy. But if you do, the insurance company will just cancel the policy, or not issue the policy in the first place. They just wouldn’t do business with you.

Brett Helm – Yes, that is exactly what we are seeing. And most companies cannot afford the legal cost to review the policies in detail to understand all the exclusions.

Partial claims

CPM – That brings up another question. We are seeing a lot of insurance companies being sued right now for not paying or partially paying claims for cyber-attacks. Last year Mondelēz sued Zurich American and got a very large settlement. Just recently, the University of California sued Lloyd’s of London for the same issue, nonpayment after a cyber-attack. What is at the bottom of all this? Is it that they just haven’t written the policies intelligently enough so that both the insured and the insurers know what it is they’re talking about?

Brett Helm – Yes, that is part of the problem. The insurance policies are not easy to understand, and I believe that is at least somewhat intentional. Cyber insurance is also a new industry, so everyone is learning on the fly. The Mondelez vs. Zurich case is interesting. Mondelez claimed over $100M in losses due to the NotPetya ransomware. It is heavily suspected that a NotPetya is a state-sponsored ransomware campaign from Russia. Zurich denied the claim due to an “act of war” exclusion in their policy. This lawsuit was ultimately settled, but the terms were not disclosed.

CPM – Earlier you said there are two major issues with the cyber-insurance issue. The first is confusion about cyber-insurance policies in terms of what they cover, what is excluded, and what is covered by other insurance policies. You also talked about the difficulties companies have in relation to insurance company mandates for cyber-insurance coverage.

Brett Helm – Insurance companies have been influential in creating mandates that bring real, meaningful change. Right now, companies are losing money on cyber insurance, and so they looked at what has worked for them in the past. They know that mandates work, so they have applied that to cyber insurance.

There’s a mandate for airbags in cars, and for seatbelts. These mandates save lives. There is a mandate for smoke detectors in homes and offices. That has worked to save property and lives. And in both cases, to reduce insurance company payouts.

In the case of cyber insurance, insurance companies started with three mandates. Most insurance companies now have nine mandates, and we have heard from our clients that some insurance companies are adding a 10th mandate. But the mandates are not working for cyber insurance.

Shifting mandates

CPM – If mandates work for other lines of insurance, why are they not working for cyber insurance?

Brett Helm – The short answer is companies are not fully following the mandates. This is not intentional on the part of the insured companies. But the process is flawed. Computing infrastructure is much more complex and dynamic than vehicles and drivers.

When a company is seeking to purchase cyber insurance, they fill out a questionnaire. This, as I’ve said, can be up to 50 pages. The insured companies do the best they can to accurately fill in the questionnaire. But there are frequently many different questions for which there are not black and white answers. And this is what leads to problems.

Companies are not fully following the mandates.

Let me give you an example. One of the high-profile lawsuits which is going on right now is a case between Traveler’s Insurance and International Control Services. International Control Services asserted that they have multi-factor authentication, which is one of the original three mandates. In this case, International Control Service’s main application had multi-factor authentication enabled. But their support services application did not. And that’s what hackers exploited.

This is a really big problem for large organizations. As I mentioned before, we are talking to a bank that has over 10,000 applications. A universal answer of “Yes” on the cyber-insurance questionnaire regarding a mandate like MFA means MFA is in place on all applications. With an answer of Yes to “is MFA enabled”, the insurance company and the insured shake hands and agree on an insurance policy. The insurance company then expects that the MFA mandate is met, and that all applications have implemented MFA. The insured, on the other hand, often fails in one of three ways:

• They believe that having MFA on their main applications is sufficient.
• The person filling out the questionnaire doesn’t have visibility into all the applications and thinks they have MFA in place everywhere. Because computing infrastructure is dynamic, they add applications, systems, or users where MFA is not in place, or someone inadvertently disables MFA
• The concept of mandates is the right direction for cyber-insurance. But they don’t work yet because the validation that mandates are being followed is not yet in place. The companies being insured don’t really know if they are meeting the mandates. Cyber-insurance companies don’t have visibility on whether mandates are being followed.

That is what Dragonfly Cyber provides. We provide the tools to verify that mandates are being followed. We provide continuous monitoring to ensure that companies remain in compliance with mandates.

CPM – Okay. So why isn’t everybody using Dragonfly Cyber?

Brett Helm – Well, we think that everyone should be using our solution. But let’s ignore our company for a minute. Let’s talk about the issue. Insurance companies could require the use of a validation solution to ensure companies are following mandates but don’t. Our solution validates that a company is, or isn’t, meeting the claims they made in their questionnaire. Better yet, we can automate the reporting, so companies don’t have the burden of filling out questionnaires manually. That’s easy to do, at least in concept.

Insurance companies are starting to focus less on growing the market and more on profitability

There’s a reason why insurance companies don’t mandate the use of a solution like this. Insurance companies are in a growing market. Today, I believe there are approximately 6 million cyber-insurance policies in the United States, and 11 million worldwide. This has been a very fast-growing market, and cyber-insurance companies are essentially in a land-grab scenario. They are trying to get as much market share as possible, and they don’t want to create excessive barriers to signing up new customers.

Once an insurance company has signed up a customer, they are much more likely to keep their current insurance provider than switch to someone else. Insurance companies understand this and spend their time and effort signing up new customers. It’s much easier to win business from someone searching for a new insurance policy. The point with this is that, if an insurance company requires that a company install a new solution to prove that they meet the insurance company’s nine mandates, that’s an impediment. If their competitor doesn’t require that impediment, the competitor will win more business.

Once you have a saturation of a market, insurance companies will start turning towards how to make money in that market. And that change is starting to happen. Insurance companies are starting to focus less on growing the market and more on profitability. We have not completely made that change, but it is happening.

With a focus on profitability, insurance companies have a great incentive to implement a solution that verifies mandates are being met. Once the market is saturated, insurance companies will take the time to ensure their policyholders meet the mandates.

CISOs are not common

CPM – I understand that a company’s computing infrastructure is complex and ever-changing. But isn’t that why companies hire a CISO? Isn’t it the CISO’s job to manage that complexity and understand if insurance mandates are being followed?

Brett Helm – Yes, that is certainly a big part of every CISO’s job. But very few organizations with cyber insurance have a CISO. I mentioned earlier that there are around 6 million cyber-insurance policies in the United States. There are only about 7,500 CISOs in the United States. That works out to only 1 out of 800 organizations with cyber insurance having a CISO. CISOs are hired at the largest companies, but cyber-insurance policies are for everybody.

CPM – So how many insurance companies have contracted with you so far?

Brett Helm – We have talked to dozens, but as I’ve said before, they’re not forcing customers to put solutions in place to prove that they are meeting the nine mandated cyber-insurance controls. This is simply because their competitors don’t require them, and they are still more concerned about growing market share than anything else.

Instead, we are taking a different approach. We help companies that are purchasing insurance. These companies read the news; they know that more than 20% of cyber insurance claims are denied. And they know that cyber-attacks are on the rise. We’re making them safer. Companies know that they need cyber insurance, but they still don’t want to be hacked. Everyone needs auto insurance in case of an accident, but no one wants to be in a car crash.

Only 1 out of 800 organizations with cyber insurance have a CISO

We help by installing our solution to monitor companies’ networks. We automatically show where they stand on the 9 or 10 mandates for cyber insurance.

With our solution, they know they are disclosing accurate data when they apply for cyber insurance. Suppose they have a cyber event as the result of a zero-day attack. If the insurance company says they are not going to honor the claim, they have real data to support their claim. They can show the insurance company they are following mandates. They have monitored their infrastructure continuously since before the cyber-insurance policy was bound. They have proof that their infrastructure hasn’t changed notably and that they are following the required mandates. This leaves little room for the insurance company to deny the claim.

CPM – Well, okay, let’s step back a second here. A company has a monitoring solution in place. They are showing that they are meeting cyber-insurance mandates, and yet they still get hacked. That means that either the system that they put in place is not working, or it didn’t cover what they thought was being covered. Even with your system in place, they are not 100% safe, they can still get hacked.

Brett Helm – Our solution will tell companies if they are following the mandates. If they are not following the mandates, it provides detailed information on the gaps. And not only things like, is MFA installed for all applications. In nearly 100% of cases where we have installed, we see passwords in the clear. That is, network traffic that is unencrypted where anyone listening to that traffic can see the user’s credentials. We help them clear that up. We help eliminate many vulnerabilities and ensure they are following insurance company mandates. But that does not mean they’re 100% protected from all cyber-attacks.

If a hacker exploits a zero-day vulnerability and gets hacked, at least they are following insurance company mandates and should get a payout under their cyber-insurance policy.

10 mandates

CPM – We’ve talked a lot about the mandates, but we never identified the mandates.

Brett Helm – The original three mandates are EDR or endpoint detection and response, multifactor authentication, and backup. The next six mandates are Patch management and vulnerability scanning, Email security, Security awareness training, Network segmentation, Break plan and incident response, and Identity management. Finally, some companies are adding a tenth mandate, which is data encryption, covering both encryption of data at rest and in motion.

CPM – Great. Thanks for joining me today for this interview. I think that’s covered all my questions.

Brett Helm – Thanks for your time.