
Why Cyber Insurance is Broken and What We Should Do About It

BSides SATX · 2021 · 53:14 · 21 views · Published 2021-06
Category: Policy
Style: Talk
About this talk
Title: Why cyber insurance is broken and what we should do about it
Presenter: Paolo Di Prodi
Track: In The Clouds
Time: 1500
Virtual BSides San Antonio 2021, June 12th, San Antonio, Texas

Abstract: Cyber insurance policies have been around since 1998, with high-profile spokespersons such as Bruce Schneier encouraging both adoption and academic research since 2001. Insurance providers experienced excellent profits up until 2019, when the loss ratio increased by 10% to reach approximately 45%, which correlated with the spread of ransomware. We are observing that insurance providers are essentially funding cyber criminals with their policies; this has to stop!

The talk will be organized as below:
1) the history of cyber insurance
2) the business drivers of cyber insurance
3) the process of cyber insurance
4) technical challenges that cyber insurance is facing
5) how cyber insurance has reacted to catastrophic issues such as Petya, Mirai, NotPetya, WannaCry
6) why cyber insurance is effectively funding cyber criminals through ransomware
7) why CISOs and regulators are colluding with insurance providers
8) how attackers are leveraging insurance policies to increase their profits
9) what is the future ahead: rising premiums, lower payout ratios?

Speaker Bio: Dr. Paolo Di Prodi has a software engineering background with a PhD in machine learning. He has worked as a senior data scientist for Microsoft and Fortinet in the cyber security domain. His current research focus includes differential privacy, privacy-preserving machine learning and cyber insurance. He is also one of the contributors behind the EPSS scoring system, which is a score similar to CVSS with the aim of predicting when a vulnerability will be exploited.
Transcript [en]

Okay, okay, all right everybody.

Thanks. Okay, well, hi to everyone virtually. I'm basically speaking from Cambridge, not in MA but from the UK, so there's a bit of a time difference. Oh, is there an echo there? Oh gosh, okay, let's see if I can get my headphones. Is it better now? Better, okay. So, thanks for the introduction. Basically, currently, as I said, I work as a senior data scientist at Fortinet, and my main area of research besides insurance is basically differential privacy and machine learning. So just a little disclaimer:

I've done this research on my own, so my employer, which is Fortinet currently, is not involved and obviously this doesn't reflect any of their views. I don't work for any insurance provider, so I'm sort of impartial to this specific topic, but I do mentor a startup that does risk insurance analytics for cyber insurance purposes, and this is how I basically got involved in this kind of sector. It's kind of an interesting space from a technical perspective, and this is why I got into it, on a part-time basis let's say. So the agenda for today: okay, we're going to be late, so we'll be 45 minutes, but I'm going to start my timer just in case I get too slow.

Basically I'm going to talk about cyber insurance: how it was developed over time, the business driver for the actual insurance, a little bit about the process that drives the cyber insurance market, technical challenges that we are facing, and a bit of stuff that we've seen in the news, especially with the pipeline ransomware attack and stuff like that. And then obviously ransomware in cyber insurance, which is a very hot topic; the GDPR and cyber insurance, which is I guess more for the European people but it's also relevant to US companies; basically how the attackers view cyber insurance and how they leverage that; and then a little bit of some predictions.

So I think probably most people know about cyber insurance, but it's like any other insurance, I guess: it's basically a product that, if you have a business, you can use to protect it. Typically it was developed for basically internet-based liabilities, but it doesn't have to be coming from the internet; in general, just anything related to information technology infrastructure activities. If you look at traditional insurance, those kinds of liabilities are usually excluded from those products, so that's why you have to buy cyber insurance specifically.

There are essentially two types of coverage, broadly speaking. There is the kind of first-party cyber coverage, which you can see in the blue color there, the dark color; you can read these later, but anything related to business interruption costs and recovering from incidents, rebuilding your backups, restoring your backups, cyber extortion recently with ransomware, notifications, investigation for privacy, anything that is basically related to the business in terms of cost. The third-party coverage is related to essentially regulation most of the time, media, sort of reputation, essentially releasing statements, anything related to a data breach, even slander and those kinds of nice things, and privacy and so on. So those are the two main sections that you have to look at when you buy cyber insurance: what does it cover in terms of first-party and third-party insurance.

In terms of maturity, most people think cyber insurance is new, but actually we can track it back to the 90s. Originally it was mostly to cover essentially random errors and omissions, so the main buyers were professional service firms and technology. In the early 2000s the coverage was for breaches, but no first-party coverage and a lot of exclusions, so it was kind of new; I guess it was the inception of modern cyber insurance, and the main buyers were basically healthcare and retail, and the uptake was kind of slow. Then we move a little bit to the mid-2000s: coverage was added for first party, including business interruption, extortion, network asset damage, and there was essentially coverage for privacy online and offline, and more customers were buying that: retail, healthcare and financial institutions, which, guess what, were holding some significant personal information. And then PCI compliance kicked in, and so they had to add that too. But currently you can pretty much have cyber insurance for almost any kind of first-party and third-party coverage, so basically in theory you can have full coverage for almost everything, but we will see why that's not always the case. In terms of main buyers, basically almost every industry now is buying it, from manufacturers to energy and transportation, including the previous ones.

And why this uptake? Well, if you look at it in terms of commercial activities, the first one that was available was in 1998 from ICSA TruSecure; it had a first-party coverage of twenty thousand dollars per incident and a maximum of 250,000 per year. I guess if you factor in inflation it's much more nowadays, but if you look over time, up to 2000 with AIG you can get first- and third-party coverage for 25 million now. So basically, as with any other type of insurance market, there's a growing need to satisfy, and the kind of coverage has increased over time. And it's kind of interesting when you look at these companies, I don't want to spend too much time on that, how they sort of partner with each other. In 1998 there was Cisco Systems and a few other companies that were basically selling some sort of insurance, which was kind of interesting, and some other companies, I don't know if they're still in business, like Wurzler Underwriting, I don't know if they changed to some other sort of branding, but IBM was the other one that was a kind of pioneer of cyber insurance; in 1998 they were already selling that, so it's kind of interesting to see that.

But if you look at the kind of uptake, because the insurance is very much correlated with what we have seen in terms of internet worms: in 2000 there was ILOVEYOU with an estimated cost worldwide of 15 billion dollars, then there was Code Red in 2001, Nimda, Klez, how many people remember that, there was the Slammer worm, and then fast forward, sorry, MyDoom, Storm Worm, Conficker, Stuxnet, which wasn't really designed to disrupt the general public, we know it was targeted at Iranian enrichment plants, but it was infecting a lot of endpoints, and then the recent ones like WannaCry and NotPetya, I think everybody knows about those two worms, with 4 billion and billions of damages in total. So the main driver is obviously cyber crime, how the internet has developed and basically facilitated all these kinds of threat vectors that we have seen. I was a contractor in 2000; before that I was doing basically part-time consulting for recovering from worms and viruses, and I do remember the ILOVEYOU incident, which was kind of interesting at the time. It was probably one of the major ones, and it was quite simple if you think about it now, but at the time it was new and everybody was caught off guard by that. So there will be more in the future, I'm guessing.

And the other push for the uptake of cyber insurance is obviously regulation. In 1986 there was the Computer Fraud and Abuse Act in the US, then there was the dot-com boom, everybody was moving online. In 1996 there was the HIPAA act, which is quite incredible if you think about it nowadays: if you look at it in terms of industry verticals, healthcare is probably one of the major targets of cyber crime; if you look at the Ponemon reports or the Verizon report, from a couple of years ago until now, healthcare is basically always on the top. So it was kind of interesting that people had already thought about that in 1996, so that was a nice piece of legislation. Then there was the GLBA act. Europe, you know, tends to be

it's kind of a you know basically uh when you look at liabilities and fines uh you know you do want to have some sort of coverage for that and which is also actually not a good thing but i will talk about that later uh so the business of study insurance what uh how does that work right um you know you have been sure and insured actually is more complicated than that it's uh but i'm trying to simplify that so so the insurance um wants to seek to capture profits from premiums uh exciting uh exceeding losses over time but it's basically spreading uh risk uh of you know certain events that you know we can't really uh predict accurately

uh that possibly are uncorrelated between clients right so you're basically kind of making a profit on uh on the losses of your of your customers assuming that you can measure risk very well and the insurance the insured is basically uh somebody that seeks to maximize their utility or profit by managing the risk uh and certain loss events that they basically uh offset to the insurer right so it's especially risk transfer it's at the end of the day is basically transferring risk from one party to the other one um and so once again that right like so like um you know the game there is basically to try to measure risk as accurately as you can uh

because if you set your premiums why obviously we are in a free market at least in uh most democratic countries uh which means if your primaries are twice somebody else will capture their profit their margin right so they are going to basically um you know compete and all offer low low premiums uh basically stealing your customers but on the other side if you price your insurance your premium is too low um and you have losses you basically might go bankrupt right so um so it is you know it is kind of a challenge and it's it's very much like an information uh theory problem right it's uh that's why you have a lot of actuarial

people trying to guess uh risk and uh basically measure that right and the most important metric from insurance uh perspective is the combined ratio so like obviously you have the premiums that brings cash in uh but then you also have your loss ratio um there are kind of various problems in the cyber insurance uh nowadays uh you know i would call these like minor issues uh one is basically adversarial selection where there is an informational symmetry where basically uh you know the sub insurance needs to try to gas uh the let's say maturity of the company right because uh you know you want to give a low premium like low coverage contract to uh to a company

that is uh probably uh too risky or or high premium high coverage contract to uh to a company that is less risky right um and the problem is that obviously there are companies that try to pretend to be less risky right so they want to have a lower premium uh and essentially what happens with this kind of uh within this problem is that you you tend to uh to have what is called like a welfare loss where essentially you have smaller companies are probably on average underinsured and the the bigger companies uh are you know a pretty good insurance policy so you sort of you know to reach the market equilibrium basically penalizing the smaller players

um there's nothing really uh new about this you know this is uh very common in other industries and maybe it's going to be more in sub insurance because uh you know people don't know how to measure risk yet but you know there are other tools and things that companies are doing to uh to measure that uh there's probably more hazard where basically uh you know when you have coverage you are a little bit more uh let's say relaxed uh so you might basically click on any any any spam link you get and uh uh and you know you're just relying on server insurance to uh your insurance provider to basically fix uh whatever incidents you have

uh but you know to solve that basically you know insurance providers are you know uh pretty um pretty uh clever so they will put exclusions in place so that if for example um you had a let's say a bridge or something they say well you know you don't have backups uh you know you clicked on a phishing link that was marked as fish from your uh i don't know uh aav uh so you know i'm not going to call it for for that right because you know you didn't practice uh you know very basic cyber aging procedures so uh sorry so i mean it is a problem but you have to be careful when you buy

yourself insurance there are a lot of exclusions to uh to provide for them and then there's externalities right so there are obviously all the computers are connected uh you know if there's a power failure or uh or a telecom failure like the communication failure you know you might be able unable to perform your business functions uh you know if there was a hurricane katrina destroys your power line you know the computers goes off and you know backup power only lasts for a few hours uh so all those things typically you will cover that with another insurance policy right because you can't factor in all these possible um situations right but there are also things like act of

cyber war that was unfortunately uh meant well this actually happened uh in a specific case but you can basically say well you know this was uh impossible to predict it was very sophisticated so we don't cover for that um so major issues are like what you know it's basically uh like one of the four pain points that we have nowadays risk prediction um and i put some quotes there but you know in other seg you know another cyber insurance uh so in other insurance sectors you can basically have a pretty much good idea of um you know like uh when when a building is going to burn down uh in manhattan or uh there's going to

be a hurricane or something like that but uh you know it's very hard to guess uh you know if a specific castle will be act tomorrow um there is data collection so you know if you get policies for personal car or homework insurance you know you definitely have a lot of good data but it's cyber insurance there is pretty much nothing right that it's disclosed publicly um you have catastrophic modeling so basically um you know what is going to work well is there going to be a next patient or wannacry and how much is going to be big and you know how many companies or uh you know sectors is going to affect and last but not least uh forensic

analysis um yeah so there's not really a standard from the insurance side to basically follow a specific protocol uh for basically doing forensic analysis you can report you know on an incident right so so each contractor will do we follow a different process maybe they will follow the list 863 um you know framework or anything like that but there's no really like a manual of standardized procedures to provide uh analysis to uh to insurance uh and also like you know customers if they're malicious they might also pretend to be hacked um you know to uh to cash in some some money and so how do you you know how do you know that um that that bridge was uh

you know was a result of uh collusion with the uh you know with another company or you know saber kimo right so yeah it's very hard to uh you know they have to tell that right you know like obviously it should really open uh happen really often but uh but it is a possibility that uh you know nobody is with that person today uh so if we talk if we look at the kind of um you know profitability and loss ratios for uh conservative insurance uh this was basically um this is coming from uh from market update from aeon you know up to 2020 um and you can see that essentially like in terms of losses

uh from 2005 uh to the 15 to 2019 where you know it was basically the uh yeah ransomware uh you know it didn't really impact them uh pretty much uh so it's sort of over in between you know like 50 to like you know 47 right um but you know there was an increase between 2018 and 2019 you can see that in those bars um and like what was different was as you can see in the text that it was more like a jumping frequency right rather than the sort of uh claim size right because you know there's two things that drives these losses is like how many claims do you get but what's the kind of value of

each claim right um and yes you can you can look at this later but um but yeah so like you know like you are thinking uh well what's what's 47 percent like is it a good number for them you know how does it compare to uh you know to other to other industries right so just to give you an idea you know like in property uh uh you know it's kind of frequent to have a one billion loss per event so if you look at us and canada from 2008 uh until now pretty much there were like 57 big events like that right so and hurricane katrina uh which was the biggest global uh insurance loss in history was 160

billion dollars right so so that's the kind of size we are talking from from like a physical uh physical insurance you know type of insurance um but you know if you look at patia or not patia the estimated loss in 2017 was three billions right the american core uh that was the pharmaceutical company had a 1.75 billion cyber loss and 250 million affirmative losses so you know if you look at those two it's uh you know relatively speaking it's not that big right compared to other insurance markets and uh you know if you look at wannacry uh the estimated losses were you know sort of four billion and you know in the uk wannacry goes to

our uh you know national uh national health um system about 94 million so you know they're kind of small you know they're you know they're not that big uh and then so like but uh you know okay so you know i give you those numbers but you know you you have to consider you can combine loss right so if you look at that uh and if you want to choose like uh an insurance sector you definitely don't want to be in private car insurance uh you can see that for 2019 the combined loss was like 98.8 right so that's quite high um you know home insurance 97 percent uh private equity insurance 97 percent as

well very similar to home insurance uh property and casualty combined it's 98 so we even when you factor in the kind of total uh expense ratio for for sub insurance right you are still pretty much in a you know maybe 10 percent lower than the other sectors right you know you're basically 74 you know for uh for 2019 compared to all these other sectors so so it's pretty good yeah so it's pretty good profit for them right so so everybody's into uh cyber insurance is the you know if you uh you know if you want to go in insurance go to slavery insurance it's where you make most of your money now um but one of the biggest problems with

basically ransomware uh you know since uh you know basically 2015 but up to now is that uh essentially uh the insurance providers are financing cyber payments right um and because of that obviously the uh the insurance market you see workforce has increased rapidly right so uh so you know like according to these stats basically the uh the premiums uh increase basically doubled to uh 3.1 billions right um and fortunately there are a lot of companies that even though they had um they tried not to pay ransom were instructed by the sub insurance provider to do so and the reason it's kind of very of obvious uh uh you know if the cost of the round somewhere

of the actual ransom is low is less than the actual cost of recovery uh then the insurance product will say well you know what let's pay that right because it will take you you know longer time to recover your business we are going to pay all your business interruption costs you have to get forensic involved you have to get you know all those kind of other uh professionals to uh to be able to you know eradicate and basically uh restore your business let's just be the ransom like that's the kind of most logical uh decision there right um and uh well you know as i see as as you can guess this is not well this creates a positive feedback

where basically uh ransomware criminals cyber criminals get more money and they can basically get more sophisticated and and do more of that right and if you look at the average on some payment for from companies like cover where uh you know it's about thirty six thousand dollars um in the last uh report uh and you know it basically went up six times from from the last uh from last october so um uh so yeah so you know insurance companies are approving uh ransomware payments so and there's a lot of evidence of that um so yeah i mean like uh ransomware attacks they're quite common now so you know as a result of that 2019 uh you know

like losses were spread across companies of all sizes uh especially the commercial segment and uh yes i say they were still making despite of that uh insurance companies were still making quite quite good money uh of 2019. um in the first half of 2020 so like last year uh you know basic answer attacks accounted for 41 percent of the total number of uh subway issue on claims so so that's kind of a lot and you know if you want to do some cheap statistics you can basically say that a business would fall victim of a ransom attack every 14 seconds and yeah so this is basically where the kind of insurance companies realize that [Music]

i guess they could be you know like it's it's good for business but obviously you know it comes to a point where it's not sustainable anymore right so uh so you know they were basically kind of predicting that well 2020 this is going to get war so we have to do something about that right so uh we can't just keep paying that but uh but we'll see uh you know what kind of things they're trying to do to mitigate that so um so like you know like what do you do like do you pay or not pay a ransom like you know it's to me it's kind of obvious decision like uh okay if you pay

the ransom you can have a fast recruit recovery time assuming you have a uh sorry yeah if you don't pay the ransom but you're good uh it's a response plan obviously maybe you can go back with a couple of days but uh you know if you pay that obviously you're going to find criminals you have going to have increased premiums and you're also going to include loss of reputation right so um and there was a kind of an interesting story story from my own uh country where um uh in italy like between the 70s and 80s um there were you know people were being kidnapped for economical reasons so they were kidnapped people and asked for a ransom

um university was the seventh uh 1977 when there were 70 uh people and yeah they were in three key regions uh where these kind of criminals were performing this kind of uh you know activities and they were not just mafia right you would think that's probably just uh you know the usual market doing that but they were like people you know groups formed specifically for this kind of activity so how did he stop right i mean after a few years like we didn't know anything about that um so you know in the original penal code please no jokes uh the jail time originally was between eight and fifteen years uh they had to put a new law uh you know

for 497 497 that increased uh basically from from 10 uh you know from 8 to 15 to 10 to 20 years uh in jail and there were you know additional law that the government had released specifically for that right so you know there was a additional penalties penalties if you were actually going to kill the person uh and i i i think the most important law that was passed was in 1991 uh which basically allowed the uh police uh uh or the basically law enforcement to actually stop payments right they didn't allow you to you know even if you had money they would basically freeze your bank account so you couldn't pay the actual criminals

right but assuming the police became aware of that and obviously if you you know if you didn't do anything then they couldn't stop that uh so this is kind of a good lesson right like that we can basically almost transfer to uh to uh you know to ransomware right uh and well the other problem is obviously you know i'm not against creep crypto like i don't invest or trading crypto but like the main reason why criminals uh are using these kind of strategies that it's very easy to to basically get paid and uh launder money uh from crypto right uh so so like you know if you look at the kind of uh you know percentage share of crypto

payments uh ready to run somewhere okay it's not that much right it's uh you know before 2009 before kind of the 19 was about you know less than one percent you know it went up to two percent uh and then it's going uh back down 2020 so people have stopped paying uh you know ransomware uh but you know it is it is especially the uh one of the main vectors to to get paid right there's nothing i mean i never heard of a ransomware attack where like the attacker said put cash into a bank account or uh you know bring it back full of cash at this location right uh it's it's very hard to do that because obviously

law enforcement can track you they can track your bank transaction it's also very expensive to have an offshore company somewhere to basically move money quickly between between that so uh so it is you know like you know crypto is a factor uh that allows cyber criminals to do that right so if there was no crypto i don't believe we would seem that we will see this kind of attacks right um and i mean if you look at other obviously other sort of uh sources of income from cyber criminals obviously scam is the largest share of cryptocurrency uh transactions so i'm just checking my time yeah uh in the colonial pipeline example it was in the news uh 7 may they were attacked

8th of june uh basically currently partly paste dark side um we i can't really tell if the insurance that they have uh which uh is uh the broker is aeon and is a mix of loads of london axe and beasley and they had a car for last 15 minutes so insurance could have paid for that but we don't know right they didn't publish that kind of information uh but funny enough for like basically after a few days they paid the fbi managed to get a subpoena for the uh for the crypto wallet where the payment was received and they managed to uh to send back well money to another wallet so um so that was kind of interesting like the uh

i guess the criminals uh were sort of afraid of moving money from from that wallet i don't really know why they took money outside of that wallet so maybe it was a timing issue i don't know but in this case obviously you know the client paid and the fbi managed to recover that so um so that's kind of a kind of a first time like i never seen anything like that so probably one of the first uh times uh the fbi has stepped in to recover bitcoins uh from a ransomware payment so um so yeah that was kind of interesting one and in terms of business impact people think like oh this was like very complicated actually what happened

they were basically uh attacking their billing system that was went down and because of that they couldn't basically sell their their gas to other to their customers so um so yeah the building system essentially blocked the actual uh uh you know transfer of uh of funds well basically allow the company to conduct their business so so that was kind of an interesting uh twist uh jbs another example the meat producer they actually produce a quarter of the entire meat uh in u.s which is which is scary it's a brazilian company seven june they go hacked uh they had to shut down four factories uh for facilities uh and the 10th of june that was a couple of days ago

they basically paid 11 million um to the uh you know the legal group right um i don't know what is going to happen uh the fbi is are they going to try to do the same thing uh maybe i'm not sure like maybe the uh criminals and mommy already um i can't find any information about the sub insurance so i don't know like what kind of insurance police they have and if the insurance is paid but but they didn't manage to restore from their backup but what they said was that despite their uh you know irp and uh you know uh pro you know stock and procedures and whatever uh it was still cheap well it was still

more effective to pay the criminals to get back in business quickly, even though they had procedures to restore. Although something failed, so it wasn't clear; maybe they're bluffing, is this true or not? But they did pay, and in this case we don't know if the insurance paid. This is quite good: the government now is stepping in to basically help, at least the central government, or well, at state level, to basically help local government fund their security program. There was a bill in the New York City Senate in 2020

that would basically ban local government from paying ransom, but then they sort of blocked that. But anyway, something is happening, and the U.S. Treasury basically officially added these crimeware gangs into sanction programs, basically not allowing U.S. entities or cities to do business with them, including paying a ransom. And recently, President Biden, basically there was the 12 May statement that basically says, well, we should do our best to try to defend our infrastructure, right. I mean, it wasn't anything specific, but there seems to be a willingness from the government to do that, which is

a good thing. This is basically copying the same dynamic that happened in Italy for the ransomware, or basically for lots of people. So it's a good way to step in. The other interesting thing is that, in terms of a ransomware attack, there's not really a clear regulation about what you should do in the U.S. Every state, every jurisdiction has some sort of data breach notification law; there are some guidelines from the FTC and FINRA, but they don't really describe exactly what you have to do in case of a ransomware attack.

But the companies are quite good in doing that: they are basically mentioning in their annual reports and quarterly reports and special event filings things around ransomware, like it could be an attack, it could be the special program they have against ransomware. So it's not just reporting attacks, it's about anything related to ransomware, and there are like 820 documents basically mentioning ransomware. So you can see that this trend has been increasing, which is a positive thing. From 2014 there were people talking about ransomware, but obviously over time it's basically increasing. There are all sorts of filings where

you can search that, but the most important thing is that, from the attacker's perspective, you can actually even find out how much a company has paid to restore from ransomware, right. So you can actually search this SEC repository and find out if a company had an incident, or what kind of response plan they have for ransomware, and how much it is going to cost them, maybe even what insurance provider they are using for that. So what the attacker can do is basically try to guess how much ransom they should ask, so that they can be below the limit of the actual cost

that a cyber insurance coverage can provide, so they can basically adjust their limit so that they can be guaranteed to get paid. So with every information disclosure there is also a risk of tipping off the attacker, which happens in many, many ways. There's also, essentially, insurance companies have tried to do that, that was kind of cute. So AXA, the French company, one of the top five in Europe, they said, 9 May, we are going to stop paying ransomware, right. It was quite good, I loved that. But then

on 19 May, just 10 days after that, they got hit by a massive ransomware attack which targeted most of the APAC regions, which was quite bad. I don't know if it was kind of a timing thing, you know, if it really happened on purpose, but it was kind of scary. The Avaddon ransomware was behind the attack, and they saw all sorts of things, unfortunately. But historically this is not new: in 2020, well, recently, 21st of March, CNA was breached as well; Chubb allegedly was hit by Maze on 26 March 2020; some legal firms doing some insurance were hit by ransomware, and

Aviva in 2009 as well. So the risk is, even within the same insurance company, they have to be reinsured, because they can get hit by ransomware as well, right. So it's kind of an inception problem here: who is going to be that big to reinsure the insurance companies? And they're doing that, but it's kind of risky itself, right. So do you trust them with your data? So it's a problem. And yeah, we can skip through these, but essentially, yes, lots of things happened. I think the most scary event in terms of payout was the pharmaceutical company

that had the ransomware attack; they had some insurance coverage but it was denied on the grounds of act of terror, and I believe they are still in litigation, because the insurance company never paid, and it looked like it was an excuse to not pay for the actual attack. So yeah, not very positive things, you know, if you have some insurance that doesn't pay out. So it's not a good form, and I think it may deter other companies from buying that, you know, if you follow these kinds of examples: why do I

buy some insurance if it doesn't cover me from things like that, right? So this is happening. Some insurance companies are basically trying to limit their exposure to ransomware, and what they're doing now is to add some limits, so that if you have a ransomware attack they will only pay you a certain amount, like 25 thousand dollars for example, for ransom-related costs, and they might add more exclusions, right. And as you can see, there is a trend in reducing payments in the last quarter of 2020, and I think it could be two things:

it could be because the insurers were not paying, it could be cyber maturity and other things. But you have to be really careful when you buy cyber insurance; you really have to check all the details to make sure that you have coverage for that. Because, I think my fear is that before 2019 or that year the market was, you know, essentially cyber insurance was cheap, right, so the premiums were sort of essentially inflated, and now they're realizing that they were basically incurring a lot recently, so they're trying to,

so the market is shrinking. And the insurance market, it is obvious that there are cycles, right: there are periods where there are good profits, everybody is basically underinsured and everything looks good, and then they realize, with these things, that perhaps the premiums should be higher. So there's a cycle and prices are going up. So this is always happening. So my prediction is that, and some people say, well, yeah, this thing is going to go up more, like 265 billion by 2031, in 10 years. I mean, it is possible, like we might

get a surge, like we might get more of that, and these kinds of predictions. But I think if the government puts regulation in place, and maybe crypto goes down, I don't know what Elon Musk is going to do, but China put the ban on people's exchanges and coin offerings; Russia, I don't know, most of the attacks in this country come from Russia, I don't know what they could do with that. But I think what we didn't see so much is the DDoS type of ransomware attack, where basically your company

is subject to a DDoS attack and the cyber criminal basically asks you for a ransom to stop that. But there was one event just recently, a couple of days ago, where basically Fancy Lazarus ramped up those efforts for ransom, so I think we're going to see more of that for sure. In terms of damages from cyber ransomware, if the governments in the U.S. and Europe are basically putting all these conditions in place, we are going to see less of that for sure. There's another issue with GDPR. Okay, it's not a big issue in the U.S., although if you have European customers you can do that, but the same issue applies to GDPR:

so it's not illegal to have GDPR coverage, liability coverage, under cyber insurance, which means that it creates sort of a moral problem, right, because from that point of view GDPR's aim is that you do want that specific company to handle PII information accordingly, right, so to follow protocols and to be able to protect customers' data. But if all they do is offset their risk to an insurance provider, then it's meaningless; this kind of legislation is useless, right. And currently in the European Union, I read a lot of documents, it's kind of a gray area, and most insurance providers do

offer it. It's a grey area, so it depends on the wording. They do offer coverage for GDPR liabilities, right. And they did a small survey with 12 CISOs, and unfortunately most of them do use cyber insurance to offset their GDPR risk, to basically, well, I wouldn't say not to comply with GDPR, but they don't put too much effort in actually developing, let's say, a specific program, a specific security program to protect from a GDPR type of breach, right, from a privacy breach. And essentially what they do, from their point of view, is that they

want to protect the business, right. They don't really care much, well, at least most of them don't care about their customers, sadly, but they mostly care about their business. So what is more cost effective, right: should I spend one million in developing a new program to protect from privacy breaches, or do I pay, I don't know, 100,000 per year in premium to a cyber insurance provider to be protected, right? So this is the kind of balance, and most CISOs unfortunately are seeing just this kind of cost-risk analysis, and they just make their choices based on that. Not all of

them, thankfully, but you also have to remember the average professional life of the CISO is basically two years, so basically they do their best to keep the business alive until they can. So unfortunately that's the way business works, which is kind of sad. There's a more general problem, it's adoption: essentially there are not many companies buying cyber insurance. If you look at the overall U.S. budget, well, the U.S. market, companies with more than 200 million in basically protection cover more than 50 percent of the five billion market, right. So

if you have 250 companies with, let's say, at least one billion protection each, which is very reasonable, you just need five losses to wipe out the entire premium. And so what's happening now in the market is that the insurers then give 50 percent of the premium to reinsurers, right, and that's the only way basically they have to protect themselves, because if another large-scale war happens they basically go bust, right. So they kind of sell their risk to other reinsurers, which is pretty high; I don't know how much it is in other sectors, I couldn't even find any specific numbers, but I've been told 50 percent is quite high

compared to other markets. So that's the way it works, sadly. Sometimes it's just some ransomware jokes, but in the UK actually the cyber insurance market is smaller than the pet insurance market, which is kind of fun. Recently somebody hacked CD Projekt, Cyberpunk; I don't know how many people are playing that, but it's so full of bugs that I think having the actual source code leaked online is actually a good thing, maybe somebody is going to go and fix the code. But yeah, I mean, it is quite bad. And Ashley Madison was breached again, so

well, no picture game, but basically they're running a new extortion scam for the previous customers from the previous attack. And there was recently also somebody who stole the source code from EA, which is another video game company, and maybe you can get some cheats from the source code. So I mean, it's not just healthcare and other sectors like manufacturing that get targeted, but even gaming companies, I guess there's automotive in that, and dating websites, I guess. So there is that. I just want to conclude with this slide,

but basically insurance providers are making a lot of money, well, at least from last year, and their main sources of income are underwriting, investment income, where they invest the profits into the stock market, cash value cancellations, coverage lapses and reinsurance. But what would be beneficial, I guess, for companies, rather than just buying cyber insurance, is essentially having them finance the cyber security program. Because, especially for small companies, before they can actually buy cyber insurance, the risk is too high that you buy a policy and it doesn't cover

you for anything, basically, right. So you buy this policy and it's almost useless, right; you're better off spending the same amount of money on a cyber security program. But maybe you don't have that, or it's not enough for you, so why don't you basically borrow money from the insurance provider to improve your security posture? So that's my advice anyway. Running out of time. Thanks for listening; if you have any questions, ping me on Discord. And yeah, this is my favorite sentence:

Thanks for listening, and I think I have to stop sharing now and give back to the organizer. Okay, all right, thanks.
