Changing Data Quantification in Security Insurance


In this episode of Cybersecurity (Marketing) Unplugged, Peachey also discusses:

  • Important security tools to reduce your attack surface: Colonial and the coverage on critical infrastructure;
  • How insurance companies are seeing higher demands for subrogation in the wake of a cyber incident;
  • And addressing third party risks by doing more complete vendor vetting: Who are the vendors that you work with? What are their insurance policies? What does the contract look like?

Lynn Peachey is an expert in the cyber insurance space. Currently, Peachey serves as the director of business development, connecting clients and partners with cybersecurity solutions at Arete Incident Response, an insurance company and security insurance space. Previously earning her two bachelor’s degrees from Rutgers University in New Jersey in psychology and industrial relations, then her JD from Pace University’s Elizabeth Haub School of Law, Peachey is licensed in multiple states, including New York, California, Texas and Florida, as well as admitted to the New York and New Jersey Bar.

Peachey uses her experience in cyber insurance to weigh in on the changes in data quantification in the security insurance space in terms of responding to the current ransomware epidemic.

In another six months, I anticipate that there will be some progress and at least some sort of update on the data quantification and how insurance companies are able to use and leverage that to really approach the risk. … Another point is that insurance companies, even for them, did a pretty quick turnaround in terms of trying to respond to the ransomware epidemic.

Full Transcript

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors. 

Steve King  00:13

Good day everyone. I’m Steve King managing this horrible segue into today’s episode, which I’m talking with Lynn peachy, who’s an expert in cyber insurance, she was currently serving as the Director of Business Development Ariete at or at an insurance response company and service security insurance space. And when earned her two bachelor’s degrees from Rutgers University in New Jersey and psychology and industrial relations, and then her Juris Doctor from KC universities. It was a hab School of Law. And holes adjusters have licenses in multiple states, including New York, California, Texas and Florida. Gotcha there any other states, and is also admitted to the New York bar and the New Jersey bar. So welcome, when I’m glad you could pull away from your day and join me for a half an hour updates around what’s been going on here in the last six months.

Lynn Peachey  01:22

Yeah, absolutely happy to be here. And yes, agree we had a we had a larger conversation for introductions, but kind of telling that, you know, there still is a lot to be figured out in this in the cyber insurance industry. It’s it’s continuing to get closer and closer. And you know, when we talk in another six months, I I anticipate that there will be some, you know, progress and at least some sort of update on the data quantification and how insurance companies are able to use and leverage that to really kind of approach the risk. Like they have traditional, you know, property risk things that have very long actuarial histories and claims data to support, you know, the premiums, the underwriting, you know, I think, another kind of point is that insurance companies, even for them did a pretty quick turnaround in terms of trying to respond to the ransomware epidemic, we may have touched on this last time, but policy requirements now to get a to get an insurance policy. Most even the MGS are requiring that you have some sort of advanced EDR endpoint detection monitoring solution in place. The traditional antivirus just consistently defeated by threat actors. You know, we certainly have our preferences as at era Tei. And kind of Gartner has great resources on their evaluations of EDR solution. So you can kind of see our viewpoint falls pretty much in line with the products that that they have rated very highly, and then really just kind of getting multi factor authentication installed on any open VPN connections, making sure that password management and complexity are are up to up to date. And those those things are the top really three kind of vectors that we see on the arity side, that threat actors are getting access, right. So it’s credential abuse, it’s abusing an open RDP port, and it’s defeating the antivirus solutions that you have in place. So I would strongly encourage any of the listeners that you know, are shopping products to take a look at Gartner site on on EDR tools, because it is very valuable. And you can kind of see maybe maybe what you thought was a superior product, which I know the market is flooded with advertisements and different products all the time. So it’s very hard to keep up on what is the best because I’m sure all products will say that they’re the best. But really, you know, there are a select few that can really do the job. And that’s not just detecting the threat, but also being able to take Bosh to quarantine and Bosch. And so those are kind of key key aspects from the EDR solutions that we like to see from the aerospace side. And I can tell you that underwriters on the insurance side are still struggling with kind of defining that because like I said, there are many products and some will meet the bare bones definition. And insurance companies aren’t yet defining what is you know, the the requisite EDR tools. So, there are still you know, gaps in cybersecurity with respect to companies that will appear to be you know, okay from a risk perspective, but if you really dove in, they don’t have superior products, and it’s quite likely that that they would still have a large attack surface on that basis.

Steve King  04:33

Yeah, that’s so that’s interesting, actually, from my point of view they both MFA and, and EDR STR were heavy, are very strong indicators that the the world of cyber security is sort of moving toward a zero trust model, or thinking about it or what have you still. Nonetheless, the last data I looked at says that only 27% of companies have implemented MFA, which is sort of ridiculous, right? And like, a intellectually, everybody should say, Oh, of course, because what MFA does is that it increases the granularity of identity proof. So that you need to be able to demonstrate that you are who you say, or through multiple factors of authentication or identity. And that any tool was in play today is to have it lifts that that requirement, and increases the difficulty of the user to prove that the users in fact the user, yet still we have very few, we talk about it a lot. But we have very few implementations.

Lynn Peachey  05:59

That makes sense from where we’re sitting to, we do track a lot of data on our ransomware engagements at erte. Whereas last year, maybe about 90% of the clients that suffered a ransomware incident did not have MFA, we’re at about 82% this year. So you know, slowly, slowly, but surely, and kind of with your 27%, we actually saw just under 18% of clients actually had MFA introduced in their environment. So certainly a testament to long way to go. But at least there is some sort of general feel in the community and you know, insurances reflecting that, too, that these are important security tools to have in your arsenal to really reduce your attack surface.

Steve King  06:44

Yeah, sure. From my point of view, we haven’t had enough damage yet. Today, we haven’t had enough consequence. Yeah, today, with all of the talk about it, both from within zero trust community and bow and then from within the identity community, and God knows with Fido and all the rest of it, we have plenty of talk, there must be very little consequence, because unless the damages are super high, and the coverage is super extensive. Ergo, the payout would be along that line somewhere, companies are in or not incented. To do what we’re all talking about here.

Lynn Peachey  07:31

Yeah, absolutely. And I still think that when you know, we’re having these sort of what we like to call pre breach conversations with clients and talking to them. I think there still is well, while the you know, it CISOs, while they might have a little bit more budget than maybe they did in years past, there is still a really heavy, I guess, inhibiting factor to being very secure, when you just don’t have the resources or budget to accomplish everything that would make you a perfect risk. You know, yes, you’re seeing boards, maybe get more involved or care a little bit more about cybersecurity and asking those folks questions about it. But we haven’t necessarily seen it translate into Oh, and now you have a carte blanche on your on your budget to sort of do whatever needs to be done to make us great. To make us secure.

Steve King  08:22

Yeah, we talked a little bit about colonial last time have you got Have you guys ever had coverage obligation that you can talk about? That looks something like the colonial bridge?

Lynn Peachey  08:37

Anecdotally, I would say no, because colonial was so different in that it got such heightened government attention and involvement. And sadly, you know, it was only because it was in that sort of critical infrastructure type category, that it got that attention. And, you know, I think from, from at least the insurance perspective, for all these years, that ransomware has been a threat. Nobody’s ever seen the FBI get so involved and recover funds. I mean, when you think about the multimillion dollar payouts of financial services, companies, things like that, from, you know, 2019 Onward, without any involvement, you know, aside from maybe the FBI received an IC three filing and, you know, noted it and maybe, you know, took note of the the TTPs of the threat actor, you know, there was just such a lack of involvement. So, not that it’s a the government does not have infinite resources, right. So I think that that result was an anomaly based on the the media attention and the fact that it got the country to care about it. The sad reality is that these types of things still happen every day. And I think the FBI is trying to get more involved when it’s, you know, certain variants that might be calling, you know, more attention or have potential sanctions implications, or they’re trying to tie them to a specific country. And so you know, our data into is very valuable to those efforts. But yeah, I mean, we’ve not seen anything like that, really since because of that, because of that sort of nuanced aspect of the industry that that colonial was was operating in. And, you know, while I’m not, you know, currently employed by an insurance company, I don’t know, necessarily that because of the industry that they were in, or anything like that, it wouldn’t necessarily have precluded coverage, it goes back to, did that company notify the carrier timely, was the carrier involved in, you know, the decision to pay a ransom or not to the insurance company, you know, clearly enumerate what, what the policy coverage was, things like that. So it hasn’t really changed the operation of the policy and the mechanics, again, the insurers were already on that, that sort of uptick in asking for more information, limiting their liability with respect to coverage of ransomware events in general. And it was not just because of colonial because really, the the dollar amount paid by colonial in the end was actually much less than a lot of companies that the insurance carriers had dealt with prior to that. So you know, that loss, not that it was a drop in the bucket, it was certainly meaningful, and, and what it, you know, denoted for the industry in terms of a, you know, nobody’s Nobody’s safe, not even, you know, things that cut to the heart of our, you know, daily lives, it was still not even as jaw dropping as some of the ransoms that were paid prior to that, or, you know, seen in prior years and months. Yeah, we’ll

Steve King  11:33

see it CNA for sure. It was worth 40 million, but even colonial boy, you know, I think he’s bragging clients, somebody’s gotten away with a lie here. Right. They claim that both their OTS as Nic assets were protected, and that they, if they had chosen to, could have recovered both both assets in roughly the same amount of time. And yet, people were waiting in line on city streets to fill their gas tank because their IT assets are exposed. And they went ahead and agreed to make that payment within 24 hours. So it’s hard to find a pathway out of the argument that there OTS weren’t protected either. And the only way they’re going to get that gasoline flowing again, onto the street was to was to comply with the demands of the ransomware. So you know, I can’t get me to buy that. But I don’t know if you have any thoughts about that. Or what you guys, if anything’s changed from your coverage, probably better questions, if anything’s changed, about your point of view about ot coverage.

Lynn Peachey  13:00

Yeah, I don’t think it does not change the the available coverage, because really, the policies are distinguishing between really what’s a what’s a digital asset, and what’s hardware. That’s how the policies are kind of maybe and probably archaically, viewing it. And I think we’ve talked about this before just kind of hardware, any physical part of the network, an insurance policy is going to qualify that as a property loss that would be excluded under a cyber policy. Now, there are always endorsements, there could be additional coverage, you know, for breaking things of that nature. This was not a breaking incident. So

Steve King  13:35

probably not endorsements these days. Like there were maybe a year ago, right?

Lynn Peachey  13:41

Yeah, I mean, I don’t, I think that there’s always the kind of question of well, you know, we at what why did the market add these endorsements? What was it trying to encompass? And really, with, you know, with kind of these hardware and property type losses, it’s has to be so indistinguishable from the cyber event, really showing that the cyber event caused that piece of hardware to malfunction be damaged. And we’ve heard from so many security practitioners that that is such a difficult feat to accomplish that in the end, that that coverage probably didn’t even make sense. You know, it’s certainly there and and it’s treated as that kind of backstop, but probably interpreted incorrectly the whole time. So, you know, I think that there’s still that kind of mismatch and lack of technical understanding when you’re writing these policies and the whole universe of what could happen. But to my knowledge, there have not been any changes in in underwriting or policy coverage solely based on colonial for and to that issue. I think what is kind of interesting and nothing to do with colonial is that we are, you know, anecdotally hearing from our our insurance partners, that they’re seeing more demands for subrogation in the wake of a cyber incident. So well, you know, we don’t have anything clear from the courts yet as to how we’re going to assign liability to events that a third party might be responsible for, regardless of contractual liability, people are trying to make those arguments. Now companies are trying to make those arguments, you know, you third party were responsible. And this isn’t even just with a, you know, a supply chain attack or something like that, it could be just my managed security provider, something like that. Messed up, the only reason we had a breach was because of this person. And now, you know, we’ve paid out all these losses. So you, you owe us a reimbursement insurance company. So we are seeing kind of a, or hearing an uptick in those types of actions. And I think that’s just only going to continue, as you know, people get more and more specificity as to where something originated and why it happened. And maybe it wasn’t so clear cut, as you know, an abuse of the client A’s, you know, RDP or something like that. So I think, you know, things are certainly going to change in terms of liability and how that’s handled between insurance carriers and amongst, you know, private companies, and how they’re kind of attributes those losses.

Steve King  16:03

Yeah. And that, you know, wraps us around a little bit to contributory negligence and comparative negligence. And how about those two fields? I mean, has, has that changed in the last six or nine months in terms of in crease requirements? Or a tightening of the, of the language or, or the proof points?

Lynn Peachey  16:31

Well, certainly on the underwriting side, they would, you know, the underwriters would would make the argument that they are absolutely addressing those third party risks by doing more complete vendor vetting, when they are writing a policy asking, you know, who are all the vendors that you work with? What are their insurance policies, what is the contract between the two of you look like? So there’s definitely more questions surrounding that. There’s more, you know, data supporting those decisions when when policies are being written. But in terms of what actually happens when an incident occurs, that’s still in that sort of muddy water where nothing clear from the courts yet and how we’re going to assign, you know, negligence to one party versus the other. You know, in the comparative case, or contributory is one person, you know, completely responsible or not responsible at all, certainly around the underwriting applications. third party vendors were a very big, you know, target and kind of cause for concern for insurers, obviously, supply chain risk being part of that, but even just knowing that, you know, there are so many unknowns in a client’s environment when they’re being managed by third parties, and insurers just never had any visibility into that sometimes didn’t even ask for contracts, or you couldn’t even find the contract in the file between those two parties on, you know, multimillion dollar losses. So I think that sort of hasty underwriting that time is over, where people were just in the soft market, trying to win business, you know, just trying to make the terms most appealing to brokers into clients to really make those wins. And now, you know, there’s so much more hesitation in in who’s being written as a risk, and where are the arms of that risk kind of going into, you know, what kind of territory and and is it a risky territory. So, I think there’s definitely been more scrutiny around that and questions around that to, to make sure that the insurer isn’t, you know, bearing the loss for something that isn’t isn’t even their end clients fault.

Steve King  18:34

Or the margins in the business, the same for PNC as they are now for cyber insurance.

Lynn Peachey  18:46

So I can’t specifically a pine on margins, but we do know that the carriers that did cut capacity, they were kind of still able to wiggle around and still be, you know, somewhat profitable by associating an increased premium with it. So I think that in the end, well, you know, it was a it was a tough year, there were quick enough changes for the insurance companies to cut the you know, stop the bleeding, be able to take a step back. And then if most of them are talking about getting back into the market in a bigger way, next year, then I think we kind of can read the writing on the wall. So without having this specific, you know, data percentages around their margins. I think it’s not, you know, it wasn’t damning enough for them to have a complete chilling effect and pull out of the market, which is what I think people thought six months ago was going to be the the end result that there was going to be no coverage for ransomware that everyone was going to pull out but it was really just, you know, some limits were put on things, some approach to the risk rating was definitely changed. And then you know, I think they’re gonna see look at this year and see how that did. Did it help and improve and then they’re going to continue to refine you know, as they move forward and coming yours.

Steve King  20:01

Okay, you know, we’re scheduled to meet again around the end of the year. And then the meantime, I know that you’re, you put on quite a cool educational program, learning with learning paths and curriculum for, for the cyber Ed business this unit over here to and I know a lot of people are looking forward to that, once we ever get launched here.

Lynn Peachey  20:27

Yeah, right. And kind of keep updating,

Steve King  20:31

it’s been quite a, quite a challenge finding the right, finding any platform, frankly. So we, we have to turn inward and are building our own platform, which actually accelerates things quite a bit now. Because we’ve gotten and it’s given us a ability to work with our developers to create a really solid technical reference document from which they will produce the the right product for sure. So anyway, looking forward to launching all of that. And in fact, you know, with, there’s a intersection between service security insurance and cybersecurity education, it seems to me as well, that companies could benefit from evaluating Yeah, right, evaluating the quality of the education. Yeah, insisting that companies take certain training, certain coursework, that they that they will essentially certify and say, You guys do all this. It’s kind of like them with a marshmallow client and Microsoft deal of a couple of years ago that never went anywhere, where Microsoft is going to advise Marsh on which software companies would were the best software companies for insured to engage with as defense products for the various categories, you know, kind of going back to extended HDR and HDR and, and the certifications or implementations, I guess, around MFA that you guys are looking for. This could be another way of going about doing that.

Lynn Peachey  22:28

Yeah, absolutely. And even just kind of learning that familiarity with what you’re going to be asked and why. And just kind of understand that there. There are real risks behind, you know, not taking these steps. And, you know, I think, fortunately, the news of what they have done a good job, but you know, in their kind of constant scare tactic ways, just let people know that really no, no American businesses is kind of safe from this attack surface. If you have data, if you are online, if you have if you run Office 365 or have some sort of email system, you know, your your target, so it’s easy money for them. And they will just kind of keep going until until the faucets are completely off.

Steve King  23:13

Right. All right. Well, we’re out of time today, I let this run over an extra five minutes, we’ll probably include the five minutes at the front end. But thank you, Lynne. Lots has happened, I think here and there are lots of ways for all of us to go about it in more detail if we choose. But for this little, you know, 40 minute hack. Thank her gesslin Peachy for, for joining me in this update to this part of our industry is rapidly changing. And we’re gonna do this again in another six months.

Lynn Peachey  23:50

Sounds great. Thanks so much, Steve. I appreciate it.

Steve King  23:53

Sure. Thank you. And I will say that there are very few experts like yourself that that I found make themselves available to to help out with the problem space because that’s exactly what you’re doing. So thanks again. Until next time, I’m your host Steve King signing out.