In this episode of CyberSound™, Jason Pufahl, Steve Maresca, and Matt Fusaro discuss the stringent parameters on insurance policy renewals, particularly dealing with cybersecurity.
New Requirements to get Insured
[00:00:01.210] – Speaker 1
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity. With your hosts, Jason Pufahl and Steve Maresca.
[00:00:11.750] – Jason Pufahl
Hi, everybody. Welcome to CyberSound. I’m your host, Jason Pufahl. Joining me today, as always, Steve Maresca and Matt Fusaro. Hey, guys.
[00:00:19.680] – Steve Maresca
[00:00:20.540] – Matt Fusaro
[00:00:21.110] – Jason Pufahl
So, we’re going to roll back a little bit with some cyberliability insurance discussion. In particular, we’re seeing our clients come to us now with more stringent requirements for policy renewals, in some cases, or even new policies.
[00:00:37.560] – Jason Pufahl
And I think last year, we touched a little bit on the fact that insurance carriers were, frankly, bemoaning the fact that they had really not adequately planned for the severity of ransomware. And I think their costs are higher, and as you would expect, costs and some requirements changes are being passed down to clients.
[00:00:59.120] – Jason Pufahl
So, I think I wanted to cover that a little bit today because I think it’s important for people to be able to plan for the upcoming year, right? A lot of policies we’re seeing are probably coming due for renewal in that June, July time frame. The control requirements are becoming much more stringent than they were, and I think the landscape is changing to some degree. So, we wanted to cover that a little bit so people could prepare for the upcoming year.
[00:01:23.390] – Jason Pufahl
In particular, I think we’re seeing certain industries even being less attractive to some degree to these carriers, right? I think Steve, you were chatting about that a little bit here at the beginning around maybe higher ed, even due to the way it’s open, being a challenge.
[00:01:42.140] – Steve Maresca
Right. I think insurers in general are reevaluating the risk of certain verticals and treating them appropriately. Higher ed’s sort of a case in point that’s a little unique. It’s open, it’s not corporate, things are not locked down. Therefore, it represents a higher risk. But there are certainly carriers for every organization. They still exist. It’s just a matter of recognizing that things are changing from the way they used to be.
[00:02:09.180] – Steve Maresca
The biggest thing that most of our customers tend to observe is that the carrier insurance prices are going up. Premiums are 300 percent, 400 percent higher than they used to be. It’s the most apparent issue, but I think all the other subjects we’d like to talk about to there, what is coupled with that change in price?
[00:02:31.860] – Matt Fusaro
Yeah. They’re definitely looking to claw back some of the… maybe, the losses they’ve taken. They had a pretty toxic pool of clients out there that probably drained them, right? I don’t think they were prepared at all for how unprepared a lot of these organizations were for any type of cyberattack, and they’ve just gotten worse, right? And more prevalent.
[00:02:52.610] – Steve Maresca
And as you’d expect, we’re seeing a shift in conversations with people as they’re trying to reinsure themselves and find new policies, control their costs. And the truth is that it’s moving the other direction.
[00:03:07.190] – Jason Pufahl
There’s no surprise here, right? I mean, we’re seeing these common controls that we’re going to talk about as being real gaps. Every time that we’ve done incident response, it’s a really consistent theme on the back end of these around what controls were missing, and it’s almost always the same ones: poor backups, lack of two-factor, lack of patching. And we’re really seeing a push now to standardize and formalize a more mature security approach.
[00:03:34.070] – Jason Pufahl
And that’s really all this is. On the one hand, sure, premiums are going up and they’re being a little more stringent. Everything on this list is reasonable, right? Everything on this list are things that people should be doing.
[00:03:46.370] – Steve Maresca
I think the most interesting thing is that carriers are taking a far more active role in ensuring that their risk and the risk of… experienced by their customers is more controllable. Historically, you sign up for a policy, it gets inked, you’re done, that’s it. Now, requirements are being imposed that prior to the policy origination date, certain minimum thresholds need to be met.
[00:04:12.360] – Steve Maresca
Now, the most common, because the attacks we’ve seen and they’ve paid to correct over the last two years, have been primarily driven by identity theft, primarily driven by loss of credentials that allowed access to environments. So top of the list is multi-factor or two-factor authentication. That’s an absolute requirement for most of these insurers.
[00:04:35.450] – Jason Pufahl
So, dig into that for a second because two-factor means different things to different people, and they’re being pretty specific about where two-factor needs to be enabled.
[00:04:42.450] – Steve Maresca
Right. And generally speaking, it’s for VPN access, remote access to environments, but more generally, that’s not descriptive of every organization these days. The other requirement is applying multi-factor to email and similar services of that nature.
[00:04:59.230] – Matt Fusaro
Yeah, there are some carriers that want it on every externally accessible service, you need to have it on. And then even internally now they’re asking for it, especially if you’re an admin.
[00:05:11.370] – Steve Maresca
Right. People with access to sensitive information, customer information, regulated data, those are the scenarios beyond mere remote access where multi-factor is likely to arise. But that might be a case-by-case scenario, depending upon the type of business.
[00:05:25.280] – Matt Fusaro
Yeah. I think it’ll have a big impact anyway. I’d say almost 100 percent of our incidents were with clients that had no multi-factor implementation. I’m not sure if I can even name one of them.
[00:05:38.010] – Steve Maresca
Overly permissive external access and no two-factor. It’s just a common theme.
[00:05:43.020] – Jason Pufahl
[00:05:43.660] – Steve Maresca
I mean, it’s a net improvement to make many of these requirements. I think it’s reasonable. We make these suggestions constantly with our customers, and I see that overall, this is a net positive. It’s just costly for those who are experiencing the need to renew a policy.
[00:06:00.900] – Jason Pufahl
Sure. So certainly, MFA being one, I think the other is your more stringent controls and requirements for robust backups. A huge issue has been the lack of disaster recovery planning, good backup capabilities, right? And I think now they’re mandating now certain time frames for which you need to keep data and the way you actually control it.
[00:06:27.870] – Steve Maresca
Yeah. I mean, even more critical than that, simply having offsite backups.
[00:06:32.400] – Jason Pufahl
[00:06:32.840] – Steve Maresca
Encrypted backups, a backup for the backup essentially. Ransomware incidents involve attacks against backup infrastructure. And I think that’s the primary thing that they’re trying to control. The business restoration factors into many cyberliability insurance policies. It’s a covered component. Therefore, the time frames that we’re talking about from a restoration standpoint from backup infrastructure, that’s what they’re trying to facilitate in terms of lowering the cost for recovery activity.
[00:07:05.730] – Matt Fusaro
Right. And all these recommendations really are looking to reduce that, right? The time it takes and the amount of money that they’re going to have to eventually cover for an incident.
[00:07:16.620] – Jason Pufahl
Yeah. And they’ve got data now. They know that typically when you’re restoring, you’re probably going back around a month for some of the data. And how often do we get involved in an incident where either A, the backups weren’t adequately tested, so they don’t even know if they had good quality data, or B, they’ve got seven days to go back. And that isn’t far enough to get outside of that ransomware event or incident event that they’re occurring.
[00:07:40.860] – Matt Fusaro
Yeah. And if they’re going to go down the forensics route where they have to decide if credit monitoring or data disclosure has to happen, they want to be able to go back into logs of systems that may go back further, right? So having those backups available helps you with that.
[00:07:59.020] – Steve Maresca
Absolutely. An interesting component to this beyond backup is that carriers are trying to measure risk as well. And I think it’s sort of the other end of what you just articulated in terms of notification. Ultimately, prior to policy origination, prior to the actual conversation moving into the contract creation phase, some insurers are actually proactively scanning customers before issuing that policy.
[00:08:32.380] – Steve Maresca
So they have a sense of external exposure to the world so that they can make requirements that are very unambiguous and clear to those prospective customers. I think it’s a very, very unique change and worthy of being mentioned because I don’t think many organizations are aware of it.
[00:08:50.510] – Jason Pufahl
So, I like the word unambiguous. I think unambiguous to you, but probably ambiguous to the recipient attached, because I know that we had one where if I recall, the recommendation was, “Reset your Kerberos ticket for Active Directory.” And I think that might make a lot of sense to you. I think people require you to translate to them perhaps.
[00:09:10.480] – Steve Maresca
Unambiguous organizations with IT actually on staff, right?
[00:09:14.530] – Jason Pufahl
But very specific nonetheless, right? I mean, doing a scan and identifying a gap that they know will contribute to an incident if not addressed.
[00:09:22.530] – Steve Maresca
[00:09:24.870] – Jason Pufahl
I think the other place that they’re really now pushing is EDR, Endpoint Detection Response, or MDR, the managed side of that modern-day antivirus. Huge changes there.
[00:09:39.640] – Steve Maresca
And I think that translates to changes from a budgetary perspective. This is one of those occasions where, in order to meet the insurer requirements, you, as an organization, may need to replace something that’s already present. Traditional antivirus does not meet the threshold of an EDR Endpoint Detection Response.
[00:10:01.600] – Steve Maresca
Effectively, insurers want to see these protective facilities in place across workstations and servers where they tend to be absent. And the thresholds are 95 percent of systems, 100 percent of systems. We’ve seen a variety, but the point is ultimately comprehensive defensive facilities in place. And that might mean shifting from something that’s been in place for a decade.
[00:10:27.510] – Matt Fusaro
I think they’re really going after the behavior detection, right? Most of the malware that we see now, you might get a detection from a traditional AV. They’re more concerned about attacker behavior trying to detect those things, possibly even having data to go back to look and see what systems they’ve touched, right? Because that’s going to play into how that policy actually gets covered or not.
[00:10:51.450] – Matt Fusaro
And again, moving data out of the organization, which is something they’re going to be concerned about, if an EDR isn’t there, you’re not going to get that kind of data or detections.
[00:11:01.800] – Steve Maresca
Right. This actually goes back to multi-factor candidly. Again, stressing the point that identity is the mechanism for most attacks these days. Similarly, use of authorized capabilities of a user stolen by an attacker is only really easy to detect, easy to analyze if you have a tool like EDR platforms in place.
[00:11:22.240] – Matt Fusaro
Yeah. I mean, that’s the key there, right? Most of the activities that are going to happen that are going to affect an organization are authorized activity, right? Copying a file out, that’s something we allow most users to do, right?
[00:11:36.990] – Jason Pufahl
The word that you used a second ago is demonstrable. 95 percent to 100 percent deployment for these tools, but they want you to be able to show evidence that you actually have done it. So, it’s not enough to say, “Well, I purchased a binary defense and deployed it.” You need to show that you actually deployed that to servers and endpoints and have added coverage. And they want that proof if they’re going to honor a claim.
[00:11:58.500] – Steve Maresca
Absolutely. And frankly, you’re talking about demonstrable proof, attestation of actual practice. It’s a reasonable segue into one of the other requirements, which is the fact that they want to see rigorous process and evidence that that process is documented and being followed on a regular basis. An example, as a case in point, would be: vulnerability management practices, measuring risk on a cyclical basis, fixing issues with corrective actions to either patch, or remove an issue from the environment. If an organization can’t point to an actual process and documentation that it’s occurring, it’s also another black mark.
[00:12:41.310] – Matt Fusaro
Yeah. I’d like to talk for a second about how difficult this might be for some organizations. There wasn’t really a lot of notification that went out about this, right?
[00:12:50.280] – Jason Pufahl
Yeah. I mean, honestly, almost none.
[00:12:51.970] – Steve Maresca
It’s a surprise that the renewal timeframe, it comes out of the business office. No one really knew that that type of thing was a requirement, and IT departments are scrambling to catch up.
[00:13:02.380] – Matt Fusaro
Yeah. When we look at compliances for government, for example, this stuff is communicated way in advance, and sometimes it doesn’t even come to fruition, right? This kind of came out of nowhere. I think a lot of people are caught off guard completely that they’ve got to do these things, and they’re not really given a huge time frame to actually accomplish any of this, either.
[00:13:21.570] – Matt Fusaro
Depending on the size of your organization, it might be simple to say, “Well, let’s deploy EDR and multi-factor.” Right? You might be looking at months’ worth of months to actually get that accomplished, talking about culture changes. So, this is going to be very challenging for a lot of organizations to actually meet.
[00:13:38.050] – Jason Pufahl
And the requirements, they’re not consistent for every insurance carrier. So, it’s not like you say, “All right, do these four things.” We can’t sit here on this podcast and say, “Do these four things and when renewal time comes up, you’re set,” because they are variable to some degree and carrier by carrier, there’s sort of differences in gaps in what they want.
[00:13:57.860] – Matt Fusaro
Yeah. There is no standard they’re going by. From what we’ve seen, they’ve actually taken recommendations in from third-party companies and then adopted that framework and said, “Okay, this is what we’re going to go with.”
[00:14:10.230] – Jason Pufahl
But in a large part, if organizations decided to adopt some sort of security standard, all of these do align to your typical security standard framework. So at the barest minimum of the most basic here, you are seeing this sort of underlying, “Here are [inaudible 00:14:29] that you need to implement.” Sort of that security fundamentals concept that makes your security program more robust and reduce the risk of incidents. And whether it’s simply doing what the insurance carriers tell you, or maybe aligning to a more specific standard, like a NIST 800-171 or something like that, you’re going to then have a better security program which reduces risk, because that’s ultimately what they’re trying to do.
[00:14:52.230] – Steve Maresca
And certainly, we support that as an outcome. I think that it’s a required recognition that this type of activity requires time. It’s probably occurring on a time frame, which is more aggressive than organizations would prefer. And the capital outlay is not insignificant for many orgs associated with the staffing and service requirements to actually deploy these things and support them properly.
[00:15:20.350] – Matt Fusaro
Yeah, these requirements are coming down on companies that have no IT sometimes, right? They’ve either outsourced it or they’ve got a guy.
[00:15:32.150] – Jason Pufahl
We’ve joked in the past a little bit about people treating insurance policy as a substitute for a good security program, and I think the carriers are finally saying, “Listen, that’s no longer acceptable. You need to meet the minimum security standards.” I’m staring at three pages worth of notes here from one client of ours and their insurance carriers saying, “These are the things you want to implement.”
[00:15:53.250] – Jason Pufahl
So, we truly talked about those things on the page marked high. There’s a medium risk page, a low-risk page. There’s a lot of requirements that people have to start thinking about with this. And I guess I would ask people, use this podcast, essentially as being put on notice that you probably have some increased requirements moving forward. Those requirements, quite frankly, from our standpoint, are kind of all security best practices, they’re things we would want to see in place anyway. And most significant contributors to the incidents that we’ve been involved in, without a doubt, to touch on them briefly, it’s implementing multi-factor in a variety of locations, it’s utilizing an EDR system, that next generation of antivirus, ensuring that you’ve got good quality backups, and, of course, making sure as always that you’re dealing with patches and vulnerability management.
[00:16:47.030] – Jason Pufahl
I mean, there are things you should be doing, and if you’re not, they’re likely going to limit your ability to get a policy, either a new one or renewal. But I think people also have to understand going forward, insurance is going to be more expensive. And in order to actually make a claim and have that claim honored, you’re going to have to meet some of these things.
[00:17:06.590] – Jason Pufahl
I think as a follow-up, as you’re going through this process, feel free to reach out to us. If you want to chat about this anymore, we can provide probably a lot of clarity on different ways clients have implemented some of these controls, different things you need to think about as you’re working through a project and how to actually make them sort of go as smoothly as you can. Multi-factor isn’t a wildly difficult technical concept, but it requires planning and time to roll it out successfully.
[00:17:32.290] – Jason Pufahl
So, we’re happy to have those conversations. Feel free to reach out to us on Twitter or LinkedIn at Vancord or Vancord Security, and we can chat more about it. Steve, it looks like in closing, you might have something you wanted to say.
[00:17:44.240] – Steve Maresca
Yeah, I think that it’s important to remember that when you’re working with insurers and carriers and underwriters, it’s a conversation, right? Use a broker. They will help you find a carrier that meets your business and the flexibility required. Similarly, look for those that reach out and have a dialogue with you. When you’re engaging an insurer, they should supply a questionnaire or something to that effect. It’s a bi-directional conversation, and that will enable the best possible premium and the most attuned policy that meets the needs of the organization. I think that’s the most important thing to close with, in my opinion.
[00:18:25.630] – Jason Pufahl
So actually, I would add to that just really quickly, which is find a carrier that’s flexible enough to let you use a security vendor that you’re comfortable with. We’ve certainly seen a lot of carriers require that you go with people around their panels. And in some cases, that’s fine, but the reality is you may have a security vendor that you work with regularly, who’s familiar with your environment, frankly, can probably expedite the recovery or the containment, the restoration, and all the activities around incident response.
[00:18:52.010] – Jason Pufahl
Work ahead of time with your carrier to ensure that you can work with the partner of your choice. Some of us are much easier to work with than others, but I think that’s something to your point, Steve. With all insurance, just flexibility up front to negotiate how you want that insurance to work. Give thought to that. And again, we’ve got experience there and happy to chat with people about it.
[00:19:14.150] – Jason Pufahl
As always, we hope you got value from this. We hope that you’re thinking a little bit about cyberliability insurance in general and certainly preparing for that renewal process and some of the requirements that you have ongoing.
[00:19:27.290] – Jason Pufahl
Thanks, everybody, and have a good day.
[00:19:31.250] – Speaker 1
Stay vigilant, stay resilient. This has been CyberSound.