GDPR puts the spotlight on cyber insurance
21 May 2018
A strict new set of data privacy rules that goes into effect May 25, 2018, has created an opportune moment for insurers to examine the use of cyber insurance for protecting commercial policyholders against a data breach.
Matt Cullina, CEO of CyberScout®
The General Data Protection Regulation, or GDPR, restricts the type of personal data that companies can collect, store and use in the European Union. In addition to other mandates, it gives organisations 72 hours to alert regulators about security incidents and will impose steep fines should they fail to meet requirements.
“This is the moment-of-truth year for European insurers to ask themselves: How can I start protecting my policyholders from this emerging risk and how do I go about it,” said Matt Cullina, CEO of CyberScout, the leading provider of identity and data defence services. “If they stay silent, you will start to see global insurers coming into the market, and the policyholder is going to be left wanting and have a big gap in their risk profile.”
What insurers can do: Insurers must understand the exposures their clients face, study where the risks are going over time and come up with solutions that include proactive services and support to help businesses prepare, plan and crisis-manage a data breach situation.
Businesses that fail to adequately prepare for a data breach will face reputational damage, loss of business and intellectual property, regulatory fines, and exposure to identity theft for employees and customers.
What businesses can do: Businesses should offer training to employees at every level, develop a breach response plan, identify legal obligations to protecting data and spell them out for employees and customers.
“There is no business out there that has zero risk,” Cullina said. “Every business is digitally connected in one way or another—and that creates exposure.”
The time is now for insurers to step up and cover cyber risk. For more information, call CyberScout® at 0808 189 0400.
Hello and welcome to Business Reporter's Future of Insurance Campaign hosted by the Telegraph Online. I'm Alastair Greener and today I'm talking to Matt Cullina from CyberScout.
Good morning. There have always been risks, so what's the urgency now?
Well, I think cyber risk has changed the whole landscape of how businesses look at their insurance company and how businesses look at their exposures. Historically, things were all about physical assets and having stuff damaged, people getting hurt in your workplace.
Now the risk has really morphed into this digital area. And cyber insurance is the fastest growing type of insurance. What's really happened is it's grown in the US. And so 90% of all cyber insurance sold is in the US.
But all that's really going to change in 2018. So this is really kind of the moment of truth year for European insurers in that there's a whole new law, GDPR, data protection law, that really has teeth. And it's requiring businesses to step up when they have data breaches. And it really is the moment for the insurance companies to say can I start protecting my businesses, my policyholders, for this emerging risk? And how do I go about it? What do I do?
I think if they stay silent, first of all, you'll start to see global insurers and other insurers coming into the market to offer. And I think the policyholder's going to be left wanting and have a big gap in their risk profile.
You talked there about carriers and they need to be prepared. So what exactly do they need to do to protect the risks of their clients?
Cyber is such a broad array of coverages. And it's really led to a lot of confusion in the marketplace. You know there are about eight different types of coverage that go into a cyber policy. And so it leaves agents and brokers really confused and not being comfortable in explaining it to their customers.
What that comes down to is it's up to the insurance company to really understand the exposures, to study where the risks are going over time and where the trends are going, and to come up with solutions that fit. And these solutions shouldn't just have insurance. All cyber offerings out there come with proactive services and support to help the businesses prepare and plan and crisis manage when breaches do occur.
You mentioned there about businesses being prepared. And all businesses know that they need to have cyber security. They need to protect against cyber risks. In reality, how many businesses are actually doing that?
Yeah, I think that there's a false sense of security. You know you ask an average business and they say, oh, it's not going to happen to me. But they pick up the newspaper every day and they see the latest breach that's occurred. And so there's a gap in the fear related to action.
And what we're really seeing is that in the US, about 30%-50% of businesses have purchased cyber insurance. Whereas in Europe, for example, it's less than 10%. And some statistics show less than 5%. So it's really just starting to become something to consider. And I think that it's a really sure way for businesses to plan for events. That they can have some risk transfer with cyber insurance. And again, it comes with so many great services and solutions, that it helps speed up their evolution into becoming better at data security.
There's no business out there that has zero risk. Every business is connected, is digitally connected, in one way or another. And that creates the exposure.
Put this into some perspective for us. What are the consequences of businesses not being protected?
First and foremost, this is a reputational risk. Meaning that this has the potential to significantly damage a business' reputation if they don't manage through a crisis well. The exposures tend to be the most sensitive information that the business has, the information of their customers, of their employees, the most sensitive information that identifies those folks. And with that information, hackers and thieves can create identity theft and really wreak havoc with those customers', employees' lives.
On top of that there is intellectual property. Every business has some amount of data that they wouldn't want to get out. And so, if you think about it, whether it's an accidental exposure or a significant hack, the results are common in that once that data is out there, it's up to the business to figure out how to react to it.
The average customer, the average employee, can accept bad things happening to a business they do business with. What they can't accept is a bad reaction: ignoring what happened, being flip with concern, and not honestly dealing with the situation in a speedy time.
Earlier you said that I think it was something like 5%-10% of companies in Europe are actually protecting themselves. Why is that so far behind the US, for example? Why are we lagging behind?
The average business leader isn't a tech expert. And so it takes a lot to figure out what comes with all the coverage and why they should buy it. In the US the main driver for the purchase of cyber insurance was all the data breach laws that came to be. And so the businesses realise that if I have a data breach now, I have to tell people. I have to tell a regulator and I'm exposed, and I need protection for that.
What we found in Europe is really people purchasing it because of ransomware attacks. And they saw their systems getting locked up. And they lost profitability. They can't do business when their systems are locked up.
So it was more a practical response and saying, how do I keep my business running? What's my business continuity plan and is cyber insurance a component of that? But all that is changing. And yet again, with the new data breach law that's coming into play in Europe, a big driver for cyber insurance in the future more likely is going to be all the coverage you get to help respond to those crises, to help deal with the regulators, to pay fines and penalties, which are common in a cyber insurance policy.
If an organisation does protect itself with cyber insurance, why do they still need a monitoring solution?
Well, you know, there are three ways to look at this or three areas of focus when you're dealing with any kind of cyber risk management. First, you have to minimise the damage. And what that means is understand the data you're taking in, understand who has access to it, understand how you're managing it internally, how you're destroying it when it needs to be destroyed; so the whole food chain of that data protection.
Secondly, it's to monitor. From that, you have to monitor. And what that means is it's really monitoring the traffic in and out of your systems. Who has access? What are they accessing? Because it's the only way to detect problems. And what's happened to the negative is the average breach goes undetected for over 175 days. So if you think of that, a hacker, a thief, can wreak havoc on an organisation within that period of time. So you have to actively monitor to spot those things earlier.
It's not a matter of if, it's a matter of when you're going to have a breach. And most businesses have incidents that they're not even realising happened. So to have an active monitoring plan of your systems and your staff, whoever has access to that data, is key.
And finally the third M is to manage. And again, the breaches will happen. There's no silver bullet. There's no pure prophylactic here. And so really having a strong action plan that takes everything into consideration that you need to take into consideration when you're in that crisis mode ahead of time, because people don't think clearly when they're in a crisis mode.
What types of different monitoring solutions are there? And let's say that I'm a business owner or CEO or CFO and I'm looking for the right type of solution. How do I come to the right decision?
Yeah. A lot of it is policies and procedures. So it's just having a written information security plan to know how you're managing that data. And then there's lots of tech solutions out there to help you monitor it electronically and alert. Some are managed services. So there's actually a staff there to help you as well that you can outsource to. And some you can manage with your own staff.
So at the business level, there's a variety of software solutions that help you monitor your data. Then when it comes to data breaches, often, you're trying to assist the people whose data you exposed. And there's a range of monitoring solutions that you can offer the customers themselves that help to monitor their identity, their credit, their key credentials.
And if anybody starts to misuse that data on the black market or what have you, they will get an early alert. And so, again, the earlier the detection, the easier it is to solve the problem. What we find is that things snowball without detection and it just gets worse and worse for the business or for the customer.
When you talk to cybersecurity experts, they'll often say that businesses are aware of the risks, but actually don't take the necessary steps to prepare for what you described earlier on as being fairly inevitable. So talk me through the different aspects of dealing with that-- so communication, the technical side, the legal side, and so on. What are the steps that one should take?
The last thing you want is to have no plan when you're in that crisis mode, because you tend to make really bad decisions. On top of that, when it comes to senior leadership within an organisation, when they're struck by a social engineering scam (so they get an email, they think it's from their CFO asking to wire several thousand dollars outside the organisation, and they press yes without really thinking or verifying), then there's egg on their face. And so what we find is the most comprehensive approach is to have kind of a bottom-up and top-down approach to having everybody in the organisation trained, aware, understanding the type of risk that that business faces, because a florist will have a significantly different risk spectrum compared to a contractor. And you need to know the differences, like, if there were to be a breach, what type of breach could it be?
So having a plan, drilling on it like a fire drill within your organisation, making sure all the right people are at the table, and wargaming scenarios that would be common to your business if there were to be an incident. What we find is that tends to kind of ferret out the bugs. And you really get to see where the vulnerabilities are and you come up with a better plan.
So it's not something that you write up and just put on the shelf. It's something that has to be active within an organisation. And we work with companies that, on a weekly basis, test their employees and make sure they're not opening up photos they shouldn't be opening up or links they shouldn't be clicking on without verifying that it is for a business purpose and not erroneous or a hacker or what have you.
You say that an organisation needs a plan. What would be the first thing in that plan that an organisation should do once a breach has been identified?
It's just who, what, where, when, and how. So you need to know what people need to be at the table to respond to the incident. Hopefully, they have insurance. So you need to notify your insurance carrier of the exposure and get them involved. And often, they have a host of experts that they can bring to the table.
And similar to my teams, we have a multivariate expert approach. So we have privacy legal experts. We have security and forensic experts. And we have fraud experts. And so basically, with those different lenses you can assess the incident, determine if it's worthy of a regulatory event-- so having to notify the regulator-- or take further action.
And then what is the plan to fix whatever was broken in the incident itself? Was it an accident? Was it an intentional act? You want to have some sort of remediation on the technical side of the event.
We all know that you've got to obviously notify your customers and suppliers and mitigate the situation. But what about what you mentioned there about legal services? So what are the legal obligations an organisation has?
It depends on what type of organisation. For example, health care organisations in most countries are viewed as more sensitive. I mean the last thing a person wants is their health records to be exposed. It's one of those things that once the genie is out of the bottle, it's hard to put back in. You don't want people to know what diseases, what incidents you've had in the past, et cetera. And so health organisations tend to have a different regulatory regime when it comes to data protection.
But for the most part, it's about notifying the regulator when it's determined to be an incident. And usually that determination is the data's been exfiltrated so that the sensitive data has left the building. And it's either in the wrong hands or just they don't know where it is. And usually, with that type of exposure, if the data was unencrypted, most regulations say that you have to notify either the regulator and/or the customers themselves.
And so it's really spelling it out in really plain language to the customers, to your employees, and explaining what happened and providing some sort of relief. And most of the laws don't require that relief, but it's become custom for kind of reputation management that you want to support those customers in some way. And so usually, it takes the form, or as what I said earlier, some sort of monitoring solution or expert support. So if they have a fraud or identity theft situation arising from the data exposure, they have experts to lean on.
And so doing all of that on a timely basis is critical. For example, the new GDPR legislation requires 72 hours' notice. So as soon as you find out about the event, you have 72 hours to get to a regulator and let them know what happened. That's a really short period of time to assess the incident, come up with a plan, and talk to people about it. And so it shows you the need for the planning upfront, because most people in crisis mode tend to either just call internally,
wanting to keep it quiet, or talk to their attorneys and see what they can do to kind of shield themselves. And that's a typical reaction. Whereas, we found the best reaction is to do your investigation as quickly as you can and be forthright and upfront about it when you're dealing with the people whose data you exposed.
We talked about mitigation. Give me an idea of what that looks like.
In this era of big data, everybody loves data. They want more and more data. We consider customer information, employee information, it has the potential to be toxic data. You don't want to take in data just for the sake of taking in data. You want to take in data when you really need it, when part of your business transaction requires it.
But know that when you take it in, you then become the custodian of that data. And so it's up to you, just like your financial assets like putting money in the bank, you have to make sure that that data is protected. And so making sure you know where it is at all points in time, that you're segmenting it so it's not just one big data dump in one area, that if the hacker gets into one database, they get everything, encrypting that data, making sure that people who access that data are credentialed. So there's two-factor authentication. They have a few firewalls before they can get into that data.
So there's a lot of rules to the road around it. But basically, it's treating that data as sensitive as it is and making sure that you are responsible for handling it effectively.
Handling effectively is a term that comes to mind immediately when you look at the response to a cyber breach. So where would you start with that?
It's activating that plan. So you break the glass. You pull out the plan. You put it into action. And you're doing that with the right people at the table. And you're doing that in an expedient time frame. You're bringing the right experts, whether they be legal or forensic IT experts, to the table, so you can assess what needs to be done.
A good example is the ransomware attack. So ransomware is the number one type of breach we see over the last two years. And there's many strains of ransomware. It's like the flu. There's many different types.
And if you bring in the right level of expertise, they can tell you the strain that you're dealing with versus one that you're not. And usually, your action plan will change or modify as a result.
So what you really want to do is be able to assess the security component of the incident, determine if it rises to the level of a breach incident, which means you have to tell people that the data possibly left the building and was exposed. And so part is the security review, part is kind of a privacy legal review. You're just trying to make sure that you can get that system up and running and you're dealing with a hacker who's holding your data hostage.
If you don't have a backup, or an adequate backup solution, more than likely, you're going to have to pay that ransom. And the ransomware attackers are like any other business. They will negotiate with you. They have customer service. They'll show you how to purchase bitcoin, if you don't know how to do that. And as soon as you pay that ransom, they're going to give you your data back and unlock it.
So it's an unfortunate circumstance, but we see a lot of businesses resorting to that. But once that's done, they have to then determine was the data exfiltrated or not? So it's one thing to have your data locked up, it's another thing to be able to respond to the breach incident. And that's where the privacy review comes into play.
And you talked about the legal aspects there. And of course, counsel can help you tick all the right boxes to make sure that you're fully compliant. Is there anything else that we should learn from that?
The privacy attorneys, it's a growing number in the legal world, but it's still a finite number of experts. So your normal business attorney more than likely will not have privacy expertise. So it's another thing you have to plan for ahead of time: you should have pre-identified somebody that you can call in that crisis moment. Within cyber insurance, they do have experts, attorneys, that you can call on.
But if there's a critical need, you want to make sure you're comfortable with the person you're working with and that they are expert for your type of business, not just for privacy law in general. And with that, you're in good stead if you do have an incident.
And what about organisations who use a third party for their data storage? What are their legal implications and responsibilities?
Most laws out there, it's all about who owns the data. So if you're the business who requested it from the customer or employee, then you're subject to any regulation. It doesn't matter if other partners, vendors, businesses that you do business with expose the data. If you were the one who was supposed to be in charge of it, then it's up to you to respond to the incident.
And so what that really results in is that it's critical that you have strong vendor management that focuses on data security, because those businesses are an extension of you. And so when you're doing business, you really have to think through your business requirements, the contracts you have with those vendors. You've got to ask the tough questions on how they are managing data security themselves. You shouldn't take it for granted. You should audit them, especially if they're housing a lot of sensitive data of your customers.
And really, it should be a strong partnership around jointly managing that data. And most people don't think about it, but you should also have a breach response plan in place for those vendors. So you should have thought about that ahead of time to say, OK, let's say that vendor causes the incident, who takes action? How do you respond to the breach?
There's so many incidents of major breaches happening, because of a small, supportive company that worked for the larger company. And if you don't have those plans ahead of time, it's the same damage.
We've talked a lot about the issues surrounding any potential breach. Tell me how CyberScout fits into all of this. What do you do to help your clients get this under control?
So we've been working, especially in the insurance industry, for over 15 years. And what we do is we help the insurance industry understand these risks, assess these risks, build solutions to best satisfy the risk for their customers. And so it's all about making sure that the cyber insurance programmes are robust. That it comes with education and guidance.
It's similar to what the insurance industry has done around automobile safety. They've been a real driver in making sure cars get safer over time. And the insurance industry has the same advantage with cyber, that they can really influence businesses' data security practices.
And so we're there to really help move the needle on that. We provide data security consulting services, proactively to help those businesses understand and plan for events. And most importantly, we're there. We're the first call after crisis. And so we handle thousands of breaches. And really, it's all about having an expert team ready that's multi-pronged that can react swiftly and, well, to any incident.
On top of that, we have a fraud department that supports the customers whose data has been exposed. So we can help those customers monitor their situation from exposure and deal with any fraud or identity theft incidents from there.
And at what point would an organisation typically call you in for help?
From a crisis mode, we're the first claims call. Hopefully, we know they're being guided by some of our education and outreach ahead of time so they have a plan in place. We help them build those plans. We'll help them monitor their systems as well. And again, when they're in crisis, we're the first port in the storm.
What about the claims process? How do you help with that?
Just like there is a very finite number of privacy attorneys and experts around the world, there's even fewer cyber claims experts because cyber claims are just such a new type of insurance. And so we provide cyber claim services. So we actually have a third-party administration firm that will handle the claim in its entirety on behalf of the insurance company.
And what that does is it helps the insurance company get to market quickly. They don't have to expend internal resources in trying to train or recruit people that are hard to find and hard to place. And we really keep a nice continuum on their overall programme by having a consistent, expert approach to responding to those claims.
Remediation plans are clearly very important. So give me an idea of what a typical plan would look like.
Having thought through and really making it applicable to your business is my best advice. So whatever type of business you are, understanding the type of data you're taking in and what you're doing around it and having processes and procedures wrapped around that, and having thought through the remediation plan in its entirety.
So how many different countries do you have business in? What are the regulations in those countries when it comes to data privacy? What are the requirements if there were to be a breach of that data in those countries? How do they differ from country to country? What departments or people would you have involved in any incident? How quickly could you react to a situation? So what is the speed of response, which is always critical?
Every regulation has a time element to it. Some say as soon as possible. Some say 30 days. As I mentioned earlier, GDPR is three days. So you really want to have a fire drill type mentality to responding and have that all documented ahead of time.
Give us an idea of what are the most important things that an organisation should communicate as soon as they are aware of a breach.
The average consumer reads about these breaches every day. But there's still a huge awareness gap. And so the educational marketing really comes into play to be critical. And that also bodes well when it comes to the breaches that occur within an organisation.
You want to make sure that everybody in the organisation knows what happened, that they can speak to it, and that they can talk about what the business is doing to respond. Everybody is there to protect the business' reputation. And often these situations happen accidentally.
So somebody has been duped. They get an email. They take action with it, when they shouldn't have. It's a fake email or some sort of spoof email. The last thing you want is for an employee not to feel supported in those situations.
So you really want to be able to train your employees, make sure they're equipped with the right messaging. And use every breach as a learning moment. We have several organisations that we work with that, after they've had an incident, go back to the rest of the organisation and walk through exactly what happened. And the goal is to make sure that it doesn't happen a second time. And I think that that's really a great practice.
We've covered a huge amount of ground in this interview. So if you wanted viewers to take away three key, brief points, what would they be?
First of all, cyber insurance is a super opportunity, especially in markets like Europe where the laws are changing. It really is a point-in-time moment for the insurance industry to step up and cover this whole vast amount of risk that remains uncovered. So that's the real call to action there.
And then for the businesses themselves, it really comes down to the three Ms. It's minimising your attackable surface, the data that you possess and you manage; monitoring to make sure that that data is constantly protected, and if there's any intrusion into that data you're alerted right away; and having plans to manage after a crisis. So whenever there's an incident, you know exactly what to do and it becomes muscle memory for the organisation.
Well, sadly cyber breaches are very much here to stay. And it's becoming more prominent as we go into 2018. So it's been fascinating finding out more and what we should all be doing as organisations to protect ourselves as much as we possibly can. Matt Cullina from CyberScout, thank you very much indeed.