
Shopping for cybersecurity insurance: an IT Manager's tale

BSides Calgary · 2021 · 30:43 · 14 views · Published 2021-12 · Watch on YouTube ↗


Happy Friday everyone. I hope everyone's having a great BSides experience. From my perspective it's been very informational and valuable to connect with folks in the security community. My name is Stefan Roenick. I've been working in the Calgary tech sector for over 20 years. I have experience working with school boards, managed service companies, telcos and a regulator. For the past five years I've had the opportunity to work in the information security realm, with a focus on enterprise risk management at the Real Estate Council of Alberta. So I'm currently working at the Real Estate Council of Alberta, and I'm also working on a master's program in security risk management at the University of Leicester in the School of Criminology.

Today's presentation is based on lessons learned from my working experience seeking cyber security insurance, and I'll be talking about enterprise risk management. Opinions expressed are solely my own; they do not express the views of the Real Estate Council of Alberta. So let's get started.

Today we're going to start off with three questions, and these are the three questions we're going to attempt to answer in the presentation: What are we protecting? What are our threats and risks to assets? And how do we align risk management to our insurance policies?

So the first question to answer is what are we protecting, and we can answer that question by understanding what assets are in our organization. We've identified our assets in four categories, or different asset types if you will. The first one to look at is fixed assets. Typically these are long-term investments that we can touch or point to, and as IT security professionals we typically have our hardware inventories that may include desktops, laptops, servers, storage systems, firewalls, etc. Now, these fixed asset lists are up to date and well managed, so we have to continuously make sure that they're staying up to date.

The second asset type is service assets, and for these types of assets we're going to look towards cloud services, utility services, services that support automation and business operation. So we look to our product owners or business owners to help us consolidate what our service assets are throughout the organization.

The third asset type is intangibles. Intangible assets are hard to define, and sometimes the risks associated with intangibles are hard to understand, but intangibles could be things like people skills, brand, corporate culture, reputation and so on. From my perspective most companies might not have great business analytics or insights into their intangibles, and so it's even more of a challenge to evaluate our risks to our intangibles.

The fourth type is digital assets, and I'm going to put this in bold here. So what are digital assets? What are we talking about? We're not talking about Bitcoin or cryptocurrency in this scope. However, my one son tells me I need to invest in Dogecoin because Snoop and Elon are sending it to the moon, and that seems like reasonable investment advice from an eight-year-old. But please don't invest in Dogecoin. So what are we really talking about? We're really talking about our data, our data systems as information assets or information system assets: that's software, coding, websites, that's intellectual property. So, warning: there may be some crossover between our service assets and our digital assets, and what we need to think about is that our service assets should really be the utility of that service; a digital asset is what drives the value of that utility. We value our data and we need to protect it.

If data governance is a new concept for our organization we will also have some challenges here. So let's say we don't have data governance in place and we tell folks in our organization, "Hey, by the way, you're an information owner with the responsibility and the stewardship of your own data, so please provide me a list of information assets so I can do a risk assessment on them," and they might look at us with a puzzled look. We need to overcome that, and so we need to work on potentially a data governance framework and maturing the organization in that regard.

So, classify information assets. Our goal is to have a centralized information asset inventory for our organization that is defined with good metadata, so good data about data, and we need to understand our assets and what we're protecting. We do this by working with information owners and business leaders to identify and review information assets, and we adopt a taxonomy or a method of classification. Once we've assigned a standard method of classification, then we can work with the business to understand the sensitivity of that information and start to look at the value of the information assets in the organization. And you may be looking at this already going, "We have information management, we have records management, I think we're pretty good here."

Develop threat lists and discuss and qualify risks. So we want to have a good understanding of what to protect, consolidating in terms of our information assets; when we consolidate into a single inventory we can start to think about a threat risk assessment, or a TRA. Do we have specific threats that target our organization or our industries? We may need to have discussions about risks to flush out our concerns about threats before we develop a threat catalog. We may need to consider using risk framework standards like ISO 27005, 31000, COSO, 837, or potentially guidance from other sources of risk management: Factor Analysis of Information Risk, or FERMA if we're doing business in Europe.

Once we have that threat catalog we can actually quantify the impact of the risk as being low, medium, high or some sort of scale. We can do this by discussing how it will impact our business services, our property and our people, and what the likelihood of that risk occurring is as well. So again we're engaging our information owners and our business leaders to have these discussions, but the end goal here is really that we want to develop a top 10, a top 20, a top 50 risk registry. One of the challenges is having the right information to understand the multi-dimensional nature of risks, and so we need to understand the orbit and the universe the business works in, again talking to our business leaders in the organization to understand their risk perspective and their risk tolerances, so discussing what-if scenarios to better understand our risk exposure with our customers, supply chain partners and other integration services.

We take that information back, and as a risk management team we discuss the different types of risks that we're expecting. The first type of risk we're expecting is those that have direct negative outcomes, and they typically are the ones that we're going to discuss when it comes to cyber insurance. The second one is control or uncertainty risks; with uncertainty, there is going to be some uncertainty with operations, projects, programs within the organization. The third is compliance: do we have regulatory risks with compliance to do business? Maybe we need to follow a certain type of legislation, we might have a regulatory requirement to be insured, we might have a master service agreement that says we need errors and omissions insurance or third-party coverage in our service insurance. Finally, do we have opportunity risks that may present financial benefits to the business? So if we invest in cyber security insurance or become ISO 27001 compliant, does that give us a competitive advantage in bidding on opportunities we might not have been able to bid on before? That might open up the door for new business. So the enterprise risk team should manage uncertainty risks, mitigate hazard risks and minimize compliance risk, and ideally at this point in the journey we have a really good understanding of our cyber risks and now we can define that in our risk registry.

Now, as security professionals we can apply risk calculations that we learned from the CISSP study guides that I've referenced below. Asset values may be based on annual revenues or net present value, EBITDA, some form of parametric estimating, but once we have that asset value we can apply a threat or a hazard from our threat catalog to determine the risk exposure value based on impact and likelihood.

So for example, example one, we're going to talk about extreme weather. We have an asset value of one million dollars, and then we run it over with extreme weather, and that could be a blizzard, flood, thunderstorm, whatever the case is. We estimate the negative impact of that threat to the value of that asset, and in our case we see an exposure value of 20%, and that reduces the asset value by 20%. So we've reduced it by 20%; that gives us the single loss expectancy of $200,000 on that risk. Then we estimate that extreme weather in this particular location, having figured out the different controls, is a one-in-10-year type risk, so the annual rate of occurrence is ten percent; then our annual loss expectancy is twenty thousand dollars. Okay, so twenty thousand dollars for an ALE on an asset that's worth a million dollars: we can chalk that one up as an acceptable risk.

In our second example we're going to talk about a major cyber breach. So we take that same one million dollar asset and we run it over with a major cyber breach, and that could be ransomware, data exfiltration, whatever, and let's say the exposure value is 50%, so that gives us a single loss expectancy of $500,000. Then we estimate, based on our what-if scenarios, that this event will occur every year, so our annual rate of occurrence is now 100%, and so our annual loss expectancy is $500,000, half the value of the original asset, right there. Oh no, what do we do with that? I mean, we probably need to prioritize this risk. In fact we might sell off the asset to avoid the risk altogether if we can't find a mitigating solution, or maybe we do find a solution to reduce that risk using a new security control to reduce the exposure value, which is our impact, or the annual rate of occurrence, which is our likelihood. Let's say we're evaluating an intrusion detection system, or an IDS. We estimate that we can reduce our exposure value from 50 percent down to 20%, so now we're at $200,000 for our single loss expectancy, and then we estimate that that threat will happen one in five years now that we've included an IDS, so our ARO is now 20%, going down from 100% to 20%. This reduces our annual loss expectancy to $40,000.

Now we can look towards our safeguard value at the top here. We look at the annual loss expectancy in the first scenario at $500,000, and then we look at the second scenario annual loss expectancy at $40,000, minus the actual cost of the IDS, the intrusion detection system, and it's a fancy one so it's a hundred thousand dollars. So we calculate the safeguard value at $380,000, and looking at that you think, wow, the value of that IDS is almost 4x, and we're mitigating a fairly big risk here. So we buy the IDS, I guess, in that one.

To conclude here, now you might be thinking, did this guy just do a math lesson on a Friday afternoon at BSides? Yes I did, and I have a very good reason, because I will take that risk every single time for my colleagues that report into CFOs or senior accountants where financial analysis actually matters, and we need to justify that firewall, storage system, EDR, FIM, IDS, IPS, SIEM, SOAR, whatever, to make sure that we get our security control, and I hope that it's helpful for those folks. A financial analysis like this can be overwhelming for many businesses, especially if there are a lot of assets that are identified, a lot of different asset values. We may need to consider partnering with an external auditing firm if we need to demonstrate this type of analysis to senior leadership, the board or the audit committee.

Slide eight, we made it. So let's go shopping for cyber security insurance. Where do we start? It's an interesting question, and here's an interesting article. This is from the Online Journal of Applied Knowledge Management about the invisible hole of cyber security insurance, and this is Pavny and Gaffney, 2020. Here's the abstract: out of 44 major insurance companies in the US, 68% offer cyber security insurance, but only 26 percent market their services in a visible way, i.e. on their company website. This article suggests that several of the insurance providers in the US don't provide comprehensive policies and the insurance industry is still maturing products to address cyber risks. The article is limited to US-based

companies, so companies in the UK for example may not have the same market outlook, but we may want to take this into consideration regardless. How do we understand the cyber security insurance landscape to ensure our top security risks or cyber risks are addressed in our policy? This is our challenge. Consider a licensed professional to be your guide, and transfer some of that risk. An insurance broker who represents the consumer is the best way to search for insurance policies that we want to meet our needs. Insurance brokers research coverages, terms, conditions, limits of liability and the price that is most suited to the organization's needs, and it's their job to find coverage. Someone might say to me, "Okay, of course an organization like us has an insurance broker, okay, moving on."

It's also important to note that insurance providers will be doing a risk profile against our organization. Insurance providers will look at the type of business, the number of staff, the information security program and the maturity of that technology: MFA systems, cloud systems, backup procedures, disaster recovery, you name it. And they're also going to do a vulnerability scan on the organization's web assets, at least some of them will; we'll talk about that. So we're going to start filling out these applications with these different providers to get our estimates during the underwriting process, so we have to make sure that we have accurate information ready for these applications. We can leverage the information asset inventory that we did in the prior slides to answer some of those questions. We also may need to take a closer look at our web assets to ensure our customer-facing applications, our web applications or websites or microsites or DNS systems are all inventoried and secure. And what I mean by secure: well, some of the insurance providers will be doing a vulnerability assessment against our web assets. It's an expectation that I would have of my insurance provider. So let's figure out all the domain names that are tied to the organization and start hitting them up with the vulnerability web scan, things like Nessus, scurry, Qualys, SSL Labs and Samurai Web Testing Framework, or SamuraiWTF. Shout out to Sean Marshall for his session yesterday. There are other vulnerability web scanning tools that we can potentially use here as well. We should be doing this anyway on a regular basis as part of our information security program, and we want to limit weak ciphers, weak authentication systems, security headers, and harden public-facing DNS records, maybe using DMARC or SPF. The goal is to harden as many web assets as we can in preparation for the insurance provider's assessment and limit the organization's risk score to ensure we have the best coverage for reduced premiums.

So, comparing insurance policies. This is kind of where we rely on our insurance broker having discussions and negotiations with the insurance provider, getting the underlying details of the underwriting process. And so we want to talk to our insurance broker about the expectations that we have for the insurance policy: what are the annual premiums, what are the breach response services, what is the retention or the deductible that goes with those coverages, what is the policy aggregate or the limit of liability, and again figuring out what those different coverage services are when it comes to first party, third party, e-crimes.

So just a note on e-crimes. E-crimes are different from cyber. E-crimes are carried out on a person through other means, like social engineering. So a person receiving a call from the bad actor impersonating the CFO, that's an example of an e-crime. Another example is the bad actor impersonates personnel from the bank that the business invests with. The bad actor contacts the funds transfer administrator, aka accounting, and convinces them to activate a computer link back to steal credentials or impersonate an authenticated session. This event allows the bad actor to contact the real bank and pretend to be the funds transfer administrator and have a wire transfer issued that ends up in an offshore bank, resulting in, let's say, a $300,000 loss.

Cyber coverages are purely digital means for the attack vector. As security professionals these are typically the types of risks that we're familiar with, like true cyber crimes. An example of a cyber crime or a cyber event is an HR manager inadvertently installing malware that facilitates a data exfiltration attack on financial information and personally identifiable information, or PII. The company provided written notification to all affected parties, provided two years of complimentary credit monitoring, and engaged a public relations firm to assist them with the talking points and the brand management on social media.

So how do we categorize phishing? That's an interesting question. It depends. We all know phishing uses social engineering, so it must be an e-crime. Well, it matters what the intention of the bad actor is, and more specifically the outcome of a successful attack. In the world of insurance, phishing that leads to loss of funds or fraudulent funds transfers is likely considered an e-crime, like business email compromise. Vishing, or voice phishing, where the victim is tricked into giving their credentials over the phone, is probably an e-crime as well. Phishing that leads to compromised network security, data loss or potentially a ransomware attack is more cyber in nature, so that falls on the cyber side of the house when you're looking at insurance coverage. According to Identity Management Institute, 90% of all cyber attacks are successfully executed with credentials stolen or socially engineered attacks from employees, and that's why security awareness training for our employees is so important.

How are we doing for time here? We're doing pretty good. So ask your insurance broker about the different types of coverages and services for cyber insurance policies. Get a little bit more familiar with the different types of services that the different providers provide. Consider a matrix of coverages and services for evaluating the providers. Our insurance broker categorized the coverages based on first party, third party and e-crimes and gave us a rundown of the different types of coverages for the different types of risks that we were trying to mitigate, and again, based on our risk registry and our risk priorities we can better understand the coverages and relate that to the different risk coverages. That really matters to our executive, to make sure that our ERM program is covered off in our insurance policy.

Incident response considerations. We need to prepare ourselves for how we answer questions from the insurance company during a breach. We need to be very careful with our words and how we direct the insurance company during the breach, so if we're not careful we may detract value from our insurance coverage, because in the midst of a breach, when things are hot, when we're dealing with a lot of stress, we may say something that may not be 100% true or legally true, or we may not even be authorized to answer or respond to that question. So this is where the executive team or the senior management team should have a communication plan, and the resources should be available in case we need to escalate a decision or response from the insurance provider.

Is a cyber security coach or advisor important to the organization? For many small to medium businesses a cyber coach could be very important, and that person could help us and coach us and guide us through the incident response, and that could be part of our incident response. However, for some information security teams that may be a bit more mature, working on containing an incident and adding new personnel from the insurance provider will likely slow us down on achieving our objectives, so maybe during the reporting phase of incident response makes a bit more sense. Ultimately it's important to have playbooks and repeatable processes to deal with our top cyber security risks, and so that leads us to the question: when do we get insurance involved in the breach process? Are we going to pay a ransom as well? That's an important question to ask our leaders: in the event of a ransomware, do we pay the ransom, and what are our risks if we do pay the ransom or if we don't pay the ransom?

I don't work in the insurance industry; however, I have a colleague that I had a coffee with. He told me this story about a business that went through a cyber security breach. My colleague walked me through the story with details and I made notes. He used rounded numbers, so please take that into account for this story. So a small to medium business that has revenues of 20 million dollars per year has a phishing breach that leads to over 20,000 customer records, or PII, exfiltrated. The leak occurs through a compromised account for weeks, and unfortunately an Excel file with customer data gets out. The bad actor emails the business a ransom of approximately 140,000 US dollars equivalent in cryptocurrency. The business values their customers and their brand, and contacts their cyber insurance company and provides them the information. The cyber coach gets involved and assesses the options and lays out the different risks and different ways to address it. The summary of this, or the short conclusion of this, is that the business ends up paying the ransom and did not make a claim, which was fairly interesting to me. And just a quick summary of their insurance policy: they did have two million in coverage, so that was their limit; their annual premiums were $12,000, and $10,000 in retention or deductible fee for cyber extortion, which was in this case the type of event. So one might conclude $140,000 is not too bad, that's about seven bucks per PII record, and that cost wasn't too much in the story. But really the story keeps going. The residual costs end up being over 1.1 million dollars to deal with damages from legal fees, administrative claims, professional fees from doing a cyber security assessment, and then they implemented multi-factor on several systems with sensitive data, so that adds up to the residual fee of 1.1 million dollars. So the moral of that brief story is: expect residual costs for a major cyber breach well beyond what the insurance provider will cover, and also think about, obviously, the staff time to respond and any other potential reputational value or other things that we can't quite measure that will be part of that. So just going through this: do we have an understanding of the residual breach costs? Do we have the appropriate coverages to reduce some of those costs? And is even making the claim worth it for specific scenarios?

So I hope we addressed the questions today. Again, what are we protecting? It's really about that asset management, asset identification. What are the threats and risks? Again, a really comprehensive threat risk assessment, or a TRA. And then how do we align cyber risks to insurance? Again, taking that enterprise risk management risk registry and comparing it to the policy, and having a licensed professional to guide us. These are my references, and if you need to contact me or would like to contact me on social media, this is my LinkedIn profile and that's a link to me. I have not been able to see the chat, so I'm just going to catch up here. If there are any questions feel free to throw them in the chat or in the Q&A, but thank you for everyone's time today, and really thank you to BSides for giving me the opportunity to present today, and thanks to James and his team for putting this together. I know putting together a conference like this is a lot of work, even a virtual one like this, so thank you everyone.

Is it ethical for an insurance company to scan an environment without consent?

Great question. I guess vulnerability scans are pretty commonplace these days. It's an interesting question, because we use a third party risk tool at the Real Estate Council of Alberta to do vulnerability scans on the web, so this is customer-facing, internet-facing, of our different suppliers, to get a sense of where they're at with their web assets, and we actually provide them with a report of their exposure. So I guess the answer is I think it's pretty commonplace to have vulnerability scans on the web. I wouldn't consider it ethical, but I don't see a point for an insurance provider not to consent to that, and to be honest I would rather them not tell me about it and then send me a report if there was any major exposure. So I hope that answered your question. I guess our experience is just make sure that you harden your web assets and get ready for it, because I think the insurance providers that are more sophisticated will scan you, so get ready for it.
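Worked example added to this transcript page (not part of the talk or the speaker's material): the SLE / ALE / safeguard-value calculation from the talk's two scenarios, as a small risk-register helper. The formulas are the standard CISSP ones the talk uses (SLE = AV × EF, ALE = SLE × ARO, safeguard value = ALE before − ALE after − annual control cost); the 2% "acceptable" tolerance in `risk_register` is an assumption for illustration, not a figure from the talk. With the talk's figures ($500,000 ALE before, $40,000 after, $100,000 IDS) the formula yields a safeguard value of $360,000.

```python
"""Quantitative risk worked example (added for this page, not the talk's code).

    SLE = asset value (AV) * exposure factor (EF)
    ALE = SLE * annualized rate of occurrence (ARO)
    safeguard value = ALE(before control) - ALE(after control) - annual control cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # fraction of AV lost per occurrence, 0.0 .. 1.0
    aro: float              # occurrences per year (once in 10 years = 0.1)

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce nonsense figures.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO must be >= 0")

    @property
    def sle(self) -> float:
        """Single loss expectancy in dollars, rounded to cents."""
        return round(self.asset_value * self.exposure_factor, 2)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy in dollars, rounded to cents."""
        return round(self.sle * self.aro, 2)


def safeguard_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual benefit of a control: the ALE it removes minus what it costs.
    Positive means the control pays for itself; negative means it costs more
    per year than the loss it prevents."""
    return round(before.ale - after.ale - annual_control_cost, 2)


def risk_register(scenarios, tolerance: float = 0.02) -> list:
    """Rank scenarios by ALE (highest first) and flag any whose ALE exceeds
    `tolerance` of the asset value. The 2% default is an assumed risk
    appetite for illustration, not a figure from the talk."""
    rows = []
    for s in sorted(scenarios, key=lambda s: s.ale, reverse=True):
        share = s.ale / s.asset_value if s.asset_value else 0.0
        rows.append({
            "name": s.name,
            "sle": s.sle,
            "ale": s.ale,
            "ale_share": round(share, 4),
            "status": "prioritize" if share > tolerance else "accept",
        })
    return rows


def talk_scenarios():
    """The talk's two scenarios plus the 'after IDS' variant, $1M asset."""
    av = 1_000_000.0
    weather = Scenario("extreme weather", av, exposure_factor=0.20, aro=1 / 10)
    breach = Scenario("major cyber breach", av, exposure_factor=0.50, aro=1.0)
    breach_with_ids = Scenario("major cyber breach + IDS", av, exposure_factor=0.20, aro=1 / 5)
    return weather, breach, breach_with_ids


if __name__ == "__main__":
    weather, breach, breach_with_ids = talk_scenarios()
    for row in risk_register([weather, breach]):
        print(f"{row['name']:<22} SLE ${row['sle']:>10,.0f}  ALE ${row['ale']:>10,.0f}  {row['status']}")
    ids_cost = 100_000.0
    print(f"IDS safeguard value: ${safeguard_value(breach, breach_with_ids, ids_cost):,.0f}")
```

The `safeguard_value` sign is the decision rule: run it again with a control whose annual cost exceeds the ALE it removes and the result goes negative, which is the "don't buy it" case the talk alludes to when it says a control has to be justified to the CFO.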
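A second example added to this page (not from the talk or the speaker): the kind of pre-underwriting self-check the talk recommends before an insurer scans your web assets, covering SPF and DMARC record strength and the HTTP security headers the talk mentions. The SPF, DMARC and header samples are constructed for the example, not from any real domain; in real use you would fetch the TXT records and an HTTPS response yourself (for instance with dnspython and requests) and feed them to the same functions.

```python
"""Pre-underwriting hardening checks for a public web asset (example code
added for this page). Inputs are constructed samples, not real domains."""
import re

# --- SPF ------------------------------------------------------------------

def _mech(term: str) -> str:
    """Strip the +/-/~/? qualifier and lower-case the mechanism."""
    return term.lstrip("+-~?").lower()


def _needs_lookup(term: str) -> bool:
    """Mechanisms/modifiers that cost a DNS lookup under RFC 7208's limit of 10."""
    name = re.split(r"[:/=]", _mech(term), 1)[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(txt: str) -> list:
    """Findings for an SPF TXT record; an empty list means nothing flagged."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record (v=spf1 missing)"]
    findings = []
    all_term = next((t for t in terms[1:] if _mech(t) == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism; unlisted senders are neutral")
    elif all_term in ("all", "+all"):
        findings.append("SPF ends with +all; any host may send as this domain")
    elif all_term == "?all":
        findings.append("SPF ends with ?all (neutral); use ~all or -all")
    if any(_mech(t) == "ptr" for t in terms[1:]):
        findings.append("SPF uses ptr, which RFC 7208 says should not be used")
    lookups = sum(1 for t in terms[1:] if _needs_lookup(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; over 10 is a permerror")
    return findings

# --- DMARC ----------------------------------------------------------------

def check_dmarc(txt: str) -> list:
    """Findings for a DMARC TXT record (the _dmarc.<domain> TXT value)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy in ("", "none"):
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once reports look clean")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append(f"DMARC pct is not an integer: {tags.get('pct')!r}")
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports to learn from")
    return findings

# --- HTTP security headers ---------------------------------------------------

REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: downgrade to plain HTTP is possible",
    "content-security-policy": "CSP missing: no browser-side mitigation for injected script",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "referrer-policy": "Referrer-Policy missing: URLs may leak to third parties",
}


def check_security_headers(headers: dict) -> list:
    """Findings for a response header map (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < 31536000:
        findings.append(f"HSTS max-age={m.group(1)} is under one year")
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("no X-Frame-Options or CSP frame-ancestors: clickjacking possible")
    server = h.get("server", "")
    if re.search(r"/\d", server):
        findings.append(f"Server header discloses a version: {server}")
    return findings


# Constructed samples (not real records) to exercise the checks.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
WEAK_HEADERS = {"Server": "Apache/2.4.29", "Content-Type": "text/html"}
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, spf, dmarc, hdrs in (("weak", WEAK_SPF, WEAK_DMARC, WEAK_HEADERS),
                                    ("hardened", STRONG_SPF, STRONG_DMARC, STRONG_HEADERS)):
        print(f"== {label} ==")
        for f in check_spf(spf) + check_dmarc(dmarc) + check_security_headers(hdrs):
            print("  -", f)
```

Run this over every domain in the inventory the talk describes building, and the findings list is roughly what a scanner-driven underwriting score will see; fixing them before the application is cheaper than arguing about the premium afterwards.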