Cyber insurance covers losses and expenses associated with data breaches, incident alerts, third party liability, business interruption, cyber extortion, damage to reputation, etc.
As cyber risk claims and indemnity payments have risen in recent years, we wanted to learn more about cyber insurance by inviting Othmann Layati to speak on our podcast INTRASEC, In Fidem’s cybersecurity channel.
Cyber Claims Manager at the Beazley insurance company, Othmann participated in the last panel discussion moderated by Matthieu Chouinard, Founder of In Fidem and Head of Big Data and Cybersecurity at Atos Canada, during the Forensik 2020 Conference.
Alongside Laure Bonnave, a lawyer specializing in the protection of personal data, and Jean-Simon Gervais, an expert in incident response and digital investigations, Othmann took part in a simulation exercise of an attack on a managed IT service provider.
During episode 7, season 2 of INTRASEC, we discussed:
- the ideas relating to cyber insurance,
- the best practices to adopt in the event of an incident,
- and the important role that cyber insurers play during a cyber attack.
Check out our interview with Othmann Layati.
What exactly is a manager of cyber and financial operations?
My job is to help companies that are victims of a cyberattack to respond as quickly and efficiently as possible so that they can recover their operations before the incident gets out of hand.
And so, you participated in the panel discussion on “How to respond to a cyber attack if our managed IT service provider has been implicated” …
Exactly. The topic discussed is extremely interesting because it is quite relevant. Meaning, we are seeing more and more incidents that are affecting service providers. There are several reasons for this trend. I think the first one is that hackers know very well that by targeting service providers they are going to be able to exponentially affect the customers of those service providers. So, I took part in this panel discussion to give the insurer’s perspective and also to address certain preconceived ideas about insurance in general and cyber insurance in particular.
So, even if I insure myself, my partners can also be affected. Can you talk a bit more about this?
Actually, I would correct your statement: “I insure myself and I ensure that my partners are also insured.”
It’s more about this perspective, because obviously the first thing to do is to insure yourself as an organization and to verify that you have cyber coverage that’s adapted to your vulnerabilities. However, when dealing with service providers, you also have to ensure that they themselves have cyber coverage. And at the same time, we must also ensure that the risks of our suppliers are also covered by our insurance policy.
And what were the elements that you wanted to debunk relating to the perception of cyber policies?
There are a bunch! I think the first, which is a bit general and concerns insurance overall, is the idea that insurers do everything to avoid paying claims: they try everything to deny the claim and ultimately not pay out.
I think this is a misconception because there is no point in denying claims when they are covered. Quite the opposite, what we want is a satisfied customer.
The other misconception is that insurers do not follow trends and that coverages are not adapted to evolving risks. I think this is also incorrect. We are generally very responsive to the market with our policies. Very regularly, we have improvements to our policies in order to respond to new trends and in particular the increase in incidents affecting service providers.
For example, we have been able to adapt our clause on interruption of service when the incident involves the service provider. So, it is through this that we have been able to adapt to these new risks which are quite recent, and which are evolving very rapidly.
We try to ensure that the customer solves their issue in the best possible conditions. This is our goal.
Moreover, during the panel discussion, you made analogies with “physical incidents”. You said that we could borrow certain insurance logics from one aspect to another. For example, in the case of ransom demand, there were already ransom policies for executives going to dangerous countries, and so we already know how to tackle these issues.
That’s just it. I don’t think cyber insurance invented anything. It simply adapted existing concepts to the cyber reality. Extortion is a very good example. Unfortunately, this has existed since the dawn of time and we simply had to adapt this coverage to our cyber reality.
For example, how do you pay a ransom demand? In the physical world it’s easy, you pay a sum of money, but in the cyber world, how do you do that? How do we make sure that in return for paying the ransom, we will receive the encryption key for our data or how will we receive the assurance from the hackers that our data will not be disclosed?
So, it’s all these new aspects that we had to adapt to, but basically, we didn’t invent anything.
The same goes for interruption of service. Interruption of service in the past: you had a company and for some reason X or Y you could no longer carry on your activities. You had interruption of service coverage; the same goes in the cyber world.
We have insurance for buildings, but how do we know if we have insurance that covers cyber risks? What first steps should a manager take?
Everyone is affected by cyber insurance, especially in the world we live in today. I see it in the complaints that I process. It goes all the way from a poultry farmer in Manitoba to a large multinational company. Everyone operates online, everyone uses IT services… So potentially everyone is at risk. In my opinion, this is the specificity of cyber insurance, it is that it is very very very broad!
And so, to answer your question, I think the first step is to contact your broker and make sure you have cyber insurance available.
How do you assess and compare the types of coverages? If we draw a parallel with insurance that covers physical goods, such as houses, I’m gonna look at different categories. For example, what happens in the event of a fire, if I have water damage, etc. In the case of cyber insurance, what are the main scenarios? What if my network is blocked? What if some data is stolen? What if trade secrets are stolen? What are the cases to watch out for?
That’s a good question. For that, you have to analyze the risk. This means that we are going to question the nature of the data that we process and store. Are these personal data? Medical data? This would all be considered sensitive data.
We will also look at the volume of data processed on the computer system and the protective measures put in place.
It is the job of the underwriter – with the assistance of the broker – to assess. There is usually a service that will help policyholders improve their cyber incident response plan.
So, we try to predict the risk as much as possible and it is in this phase that we will make this effort based on the information we have gathered.
I have the impression that a lot of companies seem to be struggling with cumbersome security measures. For example, setting up multi-factor authentication, having a red team, a blue team, etc. How can we make people aware that these measures are necessary and that this impacts the evaluation?
We do table top exercises. These are incident simulation exercises. I think this is the best way to make them aware of their flaws and especially in their incident response plan.
We have a common goal with the organizations. It’s about planning as much as possible and avoiding risks wherever possible.
We work together throughout the process, from negotiating the policy to resolving the claim.
In my experience, I have not seen a customer who is reluctant to improve their management or protection systems if necessary, because they simply don’t want to.
I don’t think there are any barriers for the insurer and the customer to work together to minimize risk even before taking out insurance.
It’s interesting because an incident response expert gave a presentation about the importance of setting up incident response playbooks during the Forensik Conference. One of the first steps after shutting down systems is to contact your insurer, then the lawyer and technical experts. Although the order of the steps is not strict, calling insurance still seemed to be high on the list.
Actually, I can tell you that we can do even better because once you call your insurer, they will be able to take care of retaining IT experts or lawyers. So, once the complaint is reported, we take care of everything. We will react extremely quickly, in the span of a few hours.
We have the best experts in the market who will start trying to resolve the incident, both on the technical side and on the legal side to find out if there are any notification needs. We also have other services. For example: public relations firms that are useful when it comes to communicating about a publicized incident.
The insurer can offer all of these services, but I think what’s important to remember is to immediately contact your insurer or broker. The sooner we know about it, the better we will be able to manage it. I won’t get into coverage issues, but it is always better if you can report as soon as possible and it is generally specified in the policies: “to make the effort to report the incident as soon as possible”.
And then again, I think there is a misconception about reporting an incident. Some policyholders will be hesitant to report because they will think it will impact their renewal premiums, etc.
But, I think you should never hesitate to report or seek advice from your insurer as soon as possible.
Whether you’re a victim of ransomware or a data breach, it’s not just a technical issue. It is also a problem which affects the legal aspect which will have an impact on relations with clients. Communication and public relations managers are also stakeholders in the event of an incident that should be considered. I would even say that the technical problems, in the case of ransomware, are almost marginal because once we have paid the ransom, we will receive the key to recover our data.
But the incident does not end there. Then there are the notification issues, and then potentially this incident can give rise to a complaint if the customers whose data has been disclosed take legal action.
Then there is also the risk of damaging the company’s reputation and that is why the public relations firms are going to be useful.
Depending on the scale of the incident, communications can be very complicated to manage. If you have several tens or hundreds of thousands of individuals to notify, you will have to put a system in place, and we can help with that through specialized firms.
And finally, there are all the issues of “credit monitoring”. In other words, for a while, one can check the credit of affected individuals.
So, it definitely goes well beyond the purely technical framework, at least in the case of ransomware, that’s for sure.
Is this the same when these are our servers versus those of managed service providers? How do we manage this relationship when it’s the partners, who we have trusted, who have been attacked in our place?
We do in fact have less control over the management of the incident when it is our suppliers who are attacked, but this does not mean that we have fewer obligations, especially in terms of communication.
It is the service provider who will be able to manage the incident from a technical point of view with his insurer. But that does not mean that we will be covered against all risks.
This is the case for risks related to notifications and related to potential complaints from our own customers who have had their data disclosed. Even if the primary reason is the attack on a third-party provider, we are not entirely safe.
Nonetheless, it usually goes very well because, again, everyone has a common interest in resolving the incident in the best possible way.
The only issue I see is indeed the lack of direct control over the incident. But we can easily overcome this issue with our experts, and especially our lawyers, who have this experience and who communicate very easily with the affected service providers to obtain the information necessary for their own consultations to find out whether notification is needed.
Essentially, it generally runs pretty smoothly.
And once the incident is resolved, what happens usually?
It depends on the situation. There are incidents or claims that resolve faster than average compared to other claims in other lines of insurance.
You learn from these lessons. For example, fraudulent instructions (also called ‘fake President fraud’), where typically we have hackers who will contact the accountant of the company, pretending to be the CEO, and ask to pay a certain amount of money to a company account abroad under the pretext of a secret transaction that no one in the company should know about.
This has been common, but it’s a lesson that is quite easy to learn, because then we can set up control systems that are as simple as this: when we receive an email of this type, the integrity of the request and the information can easily be verified by making a phone call.
I think these incidents cause everyone – the policyholders as well as ourselves – to grow as we learn, and this is a constantly evolving field. This is what is so fascinating about cyber insurance.
You said the attack on managed service providers was on the rise. What are your predictions or how would you like people to protect themselves from cyber risks?
Predicting incidents is very complicated …
But I can tell you that in 2020 unfortunately we saw an explosion in the number of ransomware cases. Experts say it’s mainly related to COVID where people work from home, where there is less human contact between members of a company, which makes these attacks easier.
We have also seen an evolution in the type of attacks, where the amounts of the ransoms are more and more substantial and where the threats have changed.
Normally, hackers would demand payment of a ransom against the decryption key. But more and more frequently we see hackers who also threaten to divulge data on the dark web, or even sometimes on platforms like Twitter, or go to journalists to divulge confidential data and information.
The risk has really changed. I’m not sure it will calm down, but I’m still very confident because I know that everyone is working hard – whether it’s the insurers or the policyholders – but also the security forces all over the world who are hunting down these bad actors. And so, what I would like is maybe a lot more vigilance, and that applies to everyone.
For me, every time I receive an email or an attachment, I send it to my IT department to verify that everything is correct. Without falling into paranoia, I think it’s something that everyone can do on a daily basis and which potentially can reduce these risks.
If you want support in preparing for a cyber incident, contact us! We have experts to help you prepare for cyber attacks and also work with cyber insurers who can provide coverage tailored to your needs.