
How Do You Know You’ve Got The Right Cyber Insurance Policy?

Regular attendees of RANT roundtables are used to the discussions circling around the evening’s topic but taking in the average cybersecurity leader’s major concerns of the day. Whether those are the challenges posed to businesses’ information security by the adoption of generative AI, the difficulties in developing metrics to demonstrate security achievements to a bottom-line-focused board, or the dangers of over-reliance on vendor hype, there are almost always a series of tangents that even the most laser-focused RANT discussion ends up haring off along at some point or other.

So it was a notable surprise to find that what on the face of it might well have been the driest and most procedural of topics – the role of insurers in the cybersecurity ecosystem – generated a discussion that stuck rigidly between the evening’s thematic guardrails. Clearly, cyber insurance is a subject close to many a CISO’s heart. And, often, that seems to be because so few of them are actively engaged in the decision over which provider to use, or even properly read in on what their policy includes – something our hosts from Beazley were probably not too surprised to hear.

“Not all insurers are made equal,” Mandeep Gosal, senior director of professional services at Beazley’s relatively new Beazley Security division, said. The point and purpose of Beazley Security – indeed, its very existence as a standalone entity under the veteran insurers’ corporate umbrella – only serves to emphasise that point, he argued. “Beazley has invested in what is almost a full-stack cybersecurity company within the company. People fear their premiums will rise if you start sharing insights [on cyber incidents or breaches] with insurers: we’re here to tell you that’s not the case.”

“Beazley Security exists because Beazley were aware of the gaps in the communication of the insurance product,” Gosal’s colleague, Beazley Security’s chief international officer, Raf Sanchez, added. “What we see is claims information: that informs both our products and services, and how we talk to our clients. Because we’re owned by a company that’s putting a pot of money on the table and staking it on your behalf, we’re motivated to protect that money, via the team Mandeep runs.”

What Difference Does It Make?

Talk immediately turned to the relationship the CISOs, BISOs and other senior security leaders around the table currently have with their insurers. Most of these, it seems, are indirect – either because insurance isn’t seen as part of the purview of the security team within the business, and/or because the organisation uses brokers to get the best deals on insurance, so all discussions about the product are with the broker rather than the insurer. As a result, security teams are often unaware of what their insurer can help them with.

“I went through every single clause of our policy, and it’s very difficult for me to understand whether those clauses accurately reflect what I see going on,” one leader said. “My relationship is limited to the broker, and through them to the insurer. We had an attack, and we’re using that as a template. [But the policy is written in] very woolly language.”

As a result, when this CISO – who, having read the policy line by line, was probably more aware of what they were insured against than many of their peers in other organisations – was trying to ascertain whether the incident they were dealing with was covered, the answer wasn’t immediately apparent. The legalese most policies are written in can be quite enigmatic. This can be helpful if it allows an unforeseen situation to be covered, but less so when it ends up suggesting that a new type of attack may not be.

“When it came to the practicality, the insurer we negotiated with through the broker said they hadn’t had a previous case, so it was hard to say whether we could claim,” the CISO continued. “It takes a company to go through it, see what happens, and then determine that.”

The communications gap highlighted by Sanchez was another area that seemed all too familiar to some of the seasoned security professionals in the room.

“If you’re not in the middle of an incident, the insurer talks to you through questionnaires, and then talks to the legal team to sign the contract – but as a cybersecurity person, I’m no longer involved,” one said. “Where’s the return on investment in this thing we’ve spent a quarter of a million pounds on? For anything else we’d have KPRs [key performance requirements]. For a vendor where the cost is in our top 10, these providers should do better.”

These problems are amplified by the reluctance many organisations have – entirely understandably – to give insurers additional ammunition that could end up being shot back at them.

“Traditionally, you always make sure you tell your insurer just enough, without giving too much information,” another security leader said. Why? “Because if you’re engaging with an insurer they’ll say, ‘You should have known about this,’ and not pay out.”

“It’s probably very similar to getting ISO certification,” a third senior security professional said. “You tell the story in the right way. There are always things that you don’t know. I suspect, before I joined, people would tell the insurers what they thought they wanted to hear, rather than what they need to know. That’s not my preferred stance: I want to be honest.”

This Night Has Opened My Eyes

Clearly, this isn’t the best way to proceed. And while these kinds of experiences were shared by many in the room, others argued that there are better ways forward, some already in use within other kinds of organisations. One speaker argued that a lot of this comes down not to the sector or the size of the organisation but to a company’s internal culture. When there is mature, imaginative and enlightened management inside an organisation, insurers can become very important partners.

“Where insurance companies can add fantastic value is, they have fantastic relationships with the top incident response companies, [and] they can provide those services at the drop of a hat,” they said. “You don’t want to be searching round for an incident-response company when your hair’s on fire in the middle of an incident.”

Gosal pointed out that there are numerous things Beazley Security can do to help a client company – but, again, the benefits will only become apparent when the right people in the client company are aware that they exist.

“If you’ve bought the policy, you should activate the value,” he said, suggesting policyholders ask themselves: what do I get? As far as a Beazley policy is concerned, that means “onboarding, risk management, a tabletop exercise, or a consulting session to brief on the top incidents that we’ve seen,” he continued. “Which verticals are being targeted, which vulnerabilities are being exploited? We can provide that to clients directly.”

“We’re encouraging everyone to take up onboarding,” Stephanie Webb, Beazley Security’s international vice president for sales, said. “Whether it’s directly delivered or an online option, that’s when you learn what you have access to. The insurance industry is quite antiquated, and one of the things we’re doing is automating – so we’ve moved forward in terms of people being able to do all this online. But make sure you get the detail.”

The firm also offers virtual CISOs to client companies that may not have their own, and runs its own SOC to assist clients in managing incidents. This aspect of the service provoked the only significant scepticism voiced during the discussion, with one senior cybersecurity leader from a large company wondering whether it would prove to be a wise decision commercially for Beazley in the longer term.

“There’s a number of vendors offering SOC and incident-response services,” they noted, “and if there’s a CISO in place, the last thing an insurance company should be trying to do is to compete with an internal CISO. If you go and pitch to a bank that you can help them reduce their material investment they won’t let you leave the room – but if you try to sell them a SOC service, you’re competing in a saturated market. You need to partner, not compete.”

“We regularly engage with organisations that don’t have CISOs,” Gosal explained. “With SMEs [small and medium-sized enterprises], a virtual CISO is one of the first things they ask for.”

“Why are we competing in the MDR [managed detection and response] space? Great question. Because there’s a need,” Sanchez said. “Sixty to seventy per cent of our clients have a managed service provider and a SOC – but they’re still clients.”

Hand In Glove

Ultimately, the questions around culture will probably play a greater role in determining both the shape of the marketplace requirement from the perspective of insurers, and how much value insured companies manage to extract from their insurance policies. Asking the right questions is critical – but that means having the right people in the business empowered to ask those questions, and making sure that they know both what to ask and who they need to be asking, will be pivotally important. None of those factors is a given, whatever the industry, the size of the company, or the corporate structure in place.

“Each company is different,” one CISO said. “We’re a large organisation, we have defence in depth. We have over 300 security vendors. And strategy is very difficult to change. For us, we need engagement so that we can understand where we are. Most of the conversations I’m having are more about how we align with insurance requirements and what the gaps are, rather than on what we can get from the insurance company.”

Ultimately, the conversations that take place need to lead both insurers and their insured clients to a place where each feels comfortable enough with the other to speak and share experiences and advice openly: without fear on the client’s part that premiums will rise, and with confidence on the insurer’s part that it is providing a service that adds value beyond the tick-box requirements most business insurance is purchased to satisfy. Agreeing on a mechanism by which that value can be established – and communicated to the board – and then monitored on an ongoing basis, without becoming an unnecessary burden on either side, would appear to be key.

“How do you know the real value?” Gosal asked. “We consistently recommend all insureds – and non-insureds – to conduct a crisis simulation. We can develop a scenario; you have everyone involved, from the SOC to the board. It can be completely customised. One of the injects involves calling Beazley – what does that look like from the perspective of involvement with PR, crisis management, informing the regulator? You have a range of professionals available, and you can simulate that and get a realistic expectation of what is available.”