The world of cybersecurity is rapidly changing. At Diversified, we strive to stay up to date on important issues and one of the ways we do this is through our Ask the Expert series. This time, we are talking with Madison Mooney, who works in Business Development at Coalition, Inc. Coalition focuses on cybersecurity and works every day to help organizations better manage and mitigate the risk created by the digital economy.
According to Coalition’s 2022 Cyber Claims Report, cyber claims severity rose 56% for small businesses last year. Mooney tells us not only how to deal with an attack, but also how crucial cyber insurance is to combatting attacks and responding quickly when they do happen.
Q: We see a lot in the news about how bad things are in the cyber world, but they don’t give a lot of background about what companies can do. Due to the current situation, a lot of underwriting companies are telling us they want a perfect application, what does that mean?
A: As businesses become more digitized we have seen cyber threats evolve along with them. At Coalition, we see this dynamic shift in risk translate to an increase in both frequency and severity of cyber claims. Our approach to underwriting is a collaborative one, where we encourage our policyholders (or potential policyholders) to adopt and maintain proactive security controls to mitigate risks.
One of the ways to incentivize better security is at the application stage. We do this by identifying the most critical cyber risks specific to an organization with our Risk Assessment and encourage businesses to adopt controls such as Multi-Factor Authentication (MFA) and Endpoint Detection and Response (EDR) to protect themselves from a potential cyber incident. Our team works with brokers and their clients to make determinations on the level of acceptable controls, their impact on insurability based on their industry, revenue and cyber risk posture.
I can only speak for Coalition on this: we are still in the age where we are underwriting based on exposure. We underwrite middle market accounts very differently than our small business accounts (under $100 million). For example, for risks with more than $100 million in revenues, we typically require EDR and response technology that we might not require for a smaller firm with less business interruption exposure.
Another example is how we approach MFA. We would like to see it across the board, but that doesn’t mean we don’t write any accounts without MFA. For accounts with smaller exposure — think revenues, record counts, etc. — we will still quote them without MFA though the pricing and terms will be better for those with it.
As technology changes and vulnerabilities change, it’s hard to say if that will move, but the frequency and severity are on the rise.
Q: What are the types of business or operations that are going to be a bit more challenging?
A: Recently, some carriers have decided to instantly decline certain higher hazard classes of business like manufacturers, municipalities, school districts, healthcare, and large banks. A cyber incident could potentially have more destructive implications for these industries due to the nature of their operations and their tendency to hold more sensitive information. We refer to these classes as “targets of choice” as they are attractive targets to threat actors and may not always have the ideal level of controls to spot and thwart a cyber attack.
Q: What is the application process like?
A: At Coalition, businesses fill out an application with their insurance broker (through the Broker Service Platform — like Diversified) or send in a manual application. Then, it must pass an external and non-invasive security scan, either by our proprietary Risk Platform or our internal security team.
When we get an application, we ask, ‘is it a target of choice or a target of opportunity?’ The answer is based on security vulnerabilities.
A few examples of minimum controls that may not pass through our security screening are out-of-date Microsoft Exchange and exposed Remote Desktop protocol. If you allow remote access to your network, it needs to be secure. These are very risky exposures and we will need an organization to mediate their use before they can become a Coalition policyholder.
For more than 60% of small businesses, this leads to our issuing a quote instantly. If the account is flagged based on the scan results (e.g., a risk exposed technology, unpatched critical vulnerabilities, etc.) or a business reason (e.g., larger revenues, higher hazard industry, etc.), it is reviewed by a member of our team for what we call secondary review.
Q: If they don’t pass the initial scan, does a company have time to make changes and reapply?
A: If there are critical issues identified in the initial scan, we may require the applicant to remediate these conditions prior to becoming a Coalition insured; we call these contingencies. Many of these items are simple fixes, like changes to firewall configurations, that can be implemented quickly. We even offer potential and existing insureds the opportunity to schedule a time to discuss contingencies with our Security Engineers.
There are a few conditions that will lead us not to offer terms immediately due to the significant risk that a threat actor has already compromised the network, notably Microsoft remote desktop protocol (RDP) exposed directly to the public internet vs. being behind a VPN, etc.
We also sometimes see risks with an overall security posture that we are not comfortable taking on. While we do offer terms for many companies with multiple contingencies that need to be met prior to binding, we sometimes choose to decline firms where this appears to be indicative of a lack of commitment to basic cyber hygiene. For example, if an applicant is running out-of-date software with known vulnerabilities, we would be concerned about their willingness and ability to keep their network up to date, in addition to our specific concern about the out-of-date software.
Q: Are there certain businesses that are more pressured to pay a ransom?
A: It comes down to a few considerations when deciding to pay a ransom:
- Do they have backups in place? How often are they backing up? Is it offline? Is it segmented from our current network?
- Can they afford downtime? If the data lost is not mission-critical, how long can the business stay offline?
It’s hard in today’s regulatory environment to be okay releasing data. As technology evolves, we use it in almost every aspect of our business.
Q: It seems like the focus of cyber has shifted to ransomware. Do you find that to be true?
A: I remember in my early days in underwriting training, some carriers were leading the charge. Cybersecurity was new and emerging. Now, the main concern is ransomware. Non-IT supplemental will come up sometimes as well.
Q: You mentioned impersonation fraud, but is it completely dwarfed and overshadowed by ransomware?
A: The top two we see are funds transfer fraud (FTF), phishing, or social engineering, but ransomware claims are much more severe. I think that’s attributed to while there are many bad actors out in the world, there will always be employees. Most phishing incidents are initiated by employee action or employee error. Human error is always going to drive the frequency and severity of claims. That brings us to the importance of ensuring that your employees are aware and taking this seriously. Your intangible assets are your greatest exposure.
A couple of questions you need to contemplate:
- Do you implement employee security awareness training?
- What percentage of your employees pass?
- What is the consequence of failing?
- How many times do you have to fail before another consequence?
We are really digging into the answers to these questions because the larger the organization and the more access points can be the demise of an organization. For example, the root cause of the Colonial Pipeline breach can actually be tied back to weak, compromised passwords and not enabling MFA.
Again, as technology develops, it’s important to take a moment as an organization to stress its importance. A cyber insurance policy goes beyond just a piece of paper that responds when there is a claim.
At Coalition, we offer continuous monitoring: Active Insurance. One example of how our technology works is with the Microsoft Exchange vulnerability – we scanned the entire book of business and told all of the insureds, ‘this is your exposure, this is why it’s bad, this is how you remediate it.’ We completed another scan after to ensure the vulnerability was addressed.
Insureds can see in real-time what their policy includes when it comes to loss mitigation services. At Coalition, we offer specific training that our insureds employees can take continuously. It’s something I’m seeing utilized more and more among our policyholders.
Q: What are retention factors?
A: The size of the company (the capacity that is being deployed),their risk posture, how likely they are to have a claim, and what type of a claim that would be are all retention factors.
Q: When it comes to paying a ransom, how does that work?
A: At Coalition, we call ourselves the 911 of Cyber. Our team deals with these situations every day. They are familiar with the strain of ransomware based on how they deliver the message of the ransom. Often, they will sign it with the bad actor group they are associated with.
Our incident response lead sits by me in the office, and I can hear her working with clients and negotiating with bad actors. All of our incident response services are available outside of the limit and outside of the retention.
Utilize every resource available to ensure that you pay the lowest amount. We want to help you get back online and back to normal as quickly as possible.
While they may clock up an invoice, it will be taken off the final invoice of the claim. We believe we have an incentive to keep claims and costs low. We never want an insured to hesitate to call us. Our hope is to be seen as a partner when a claim occurs rather than someone who costs more money. Also, because we are handling the breaches in-house, it helps us not only handle the entirety of the claim, but we are also more knowledgeable when dealing with the same threat actor group next time.
Q: How important is it to have a plan and team in place?
A: You need a team ready to respond to a cyber attack in a matter of minutes rather than days. Even if you put millions of dollars into cybersecurity technology, there is still a good chance that you are going to get hit. There’s no silver bullet to stop a hacker. The priority should be how fast can you recover properly?
Q: What can a company do to be more protected?
- Get a vulnerability test done. You need to know what vulnerabilities you currently have in your IT environment. Partnering with an insurance company like Coalition or an outside vendor can help you, but as a reminder a Cyber Risk Assessment (CRA) with Coalition Control is free for all organizations
- Get an inventory of your assets.
- Independently back up your data
- Come up with a plan to respond quickly.
- Assign responsibilities: who calls lawyers, law enforcement, and insurance company?
- Training employees to be alert and aware of potential phishing attempts and also to only access the information they need to perform their job duties. If it seems suspicious, report the incident.
Be prepared and aware. Always be on the lookout for the next vulnerability. As technology evolves, so do claims, and so does the risk environment.
Q: Is the cyber market hardening?
A: There are signs that there may be a slight softening. We’ve learned a lot in the past. The cyber market was very underpriced in the beginning because nobody believed it was a high exposure. No one thought they needed it. Now it’s taking over news headlines. I don’t think the cyber insurance market will ever return to where it once was. As insureds look for more capacity, I am seeing the market return to answering that call.
Thanks to Madison Mooney for taking the time to talk with us. If you would like more information about Coalition, you can go here.
If you would like to talk to someone at Diversified about cyber coverage, you can go here.