A NETWORK OF CYBER EXPERTS AT YOUR SERVICE
Author, Brian Robb, Underwriting Director and Cyber Industry Leader, CNA
The damaging effects of global cybercrime show no signs of abating – the global average cost of a data breach now stands at over $3.9 million with breaches taking an average of 279 days to detect and contain [1]. With the rise of nation-state attacks, ransomware, organized cybercrime, and an expanding display of threats, businesses of all sizes face significant risk of loss.
The battle may seem daunting – but effective enterprise-wide cyber risk mitigation can provide organizations with the tools they need to defend themselves against irreparable harm.
Organizations, particularly smaller and mid-sized firms, can be overwhelmed by the steps on the path to cyber risk mitigation. Which cybersecurity approach will be most effective? Which vendors should they work with? How long can business operations withstand disruption without serious revenue loss? These questions and more can be addressed long before a cyber event – especially with the assistance of experienced cyber insurance providers.
Cyber risks present companies with opportunities to transform their traditional relationships with their insurers, the best of which can provide their clients with cyber risk management experience, knowledge, and guidance in addition to their more traditional risk transfer functions.
Few other modern-day business risks offer organizations the chance to take charge of their destiny the way cyber does.
Cyber risk mitigation services offered by insurers historically have low take-up rates. CNA set out to change that with a thoughtful approach to pre-breach risk mitigation strategies to help organizations proactively become more secure. CNA launched its new CNA CyberPrep program in July 2019, designing a holistic approach to identify, mitigate and respond to the specific cyber concerns its clients face.
For businesses, the time for taking advantage of pre-breach preparation is now. Regulations that have come into effect – and more that will soon be in place – have drawn focus to the steps that organizations take prior to a cyber event. Regulators enforcing the European Union’s General Data Protection Regulation (GDPR) have indicated that the efforts of businesses to prevent breaches – even if they occur – do matter.
Developing the program grew out of the decades of experience CNA had gathered from responding to client breach events. Working with trusted cybersecurity experts, as well as utilizing the cybersecurity framework from the National Institute of Standards and Technology (NIST), CNA produced recommendations and resources for cost-efficient ways to improve cybersecurity. From pre-breach threat assessment and mitigation to post-breach remediation, CNA’s network of the best cybersecurity specialists in the business is there through the lifecycle of a cyber policy, working to minimize the chance of loss.
CNA’s Brian Robb, Underwriting Director and Cyber Industry Leader, recently spoke with Advisen to discuss the evolution of CNA CyberPrep and the market need it addresses.
Do you feel businesses in general are aware of how much they can identify and mitigate pre-breach?
The awareness about cybersecurity and the desire to be proactive has increased exponentially, but there’s still a long way to go. Without a background in cybersecurity, it can be challenging to understand and quantify the current risk landscape. A business might think, ‘I’ll buy this antivirus and I’ll be okay.’ That’s a place to start, but diversification of your security strategy is important. If you’re just going with one type of defense, the bad actors will get around it. There’s a broad range of services that can help organizations specifically identify the areas where they most need help. If ransomware and downtime is your biggest concern, there are ways to address that. If you need an overall consultation to assess your greatest risks, we can help to provide that as well.
Can you share more about the development of CNA CyberPrep?
CNA CyberPrep represents collaboration among underwriters, the risk control team, and claim experts at CNA. We’ve used the NIST framework as well as other cybersecurity guidance to create a coherent, thoughtful plan for proactive pre-breach services for our insureds.
With the new regulations coming into effect, such as New York State’s recently passed “Stop Hacks and Improve Electronic Data Security Act” or SHIELD Act, GDPR, and the California Consumer Privacy Act (CCPA) on the horizon, we’re getting to the point where it’s actually required by law that companies take proactive cybersecurity measures to make sure they’re protecting private information.
We wanted to get ahead of the curve and not only help our insureds to access these services but provide a little bit of guidance so they have a roadmap to improve their cybersecurity posture.
The vast majority of companies don’t have a budget to take care of everything right off the bat; they need to move incrementally. We set it up so they can identify their current posture and take steps to mitigate it with various vendors.
What are some of the reasons that cyber risk mitigation services have had low take-up rates in the past?
Lack of awareness is definitely one reason, but organizations also may not have taken pre-breach mitigation as seriously in the past, because it wasn’t seen as a major risk. If you’re a risk manager or a general counsel, up until a few years ago, you were probably more worried about your employment insurance, or your D&O or GL, than you were about cybersecurity.
With growth of the industry and the breaches in the news, it has become more of a forefront issue for risk managers and others purchasing insurance. The time to identify risks and mitigate them is now, long before a breach occurs.
And the insurance industry has a greater handle on the types of risks where insureds most need guidance and how to incorporate that guidance into the insurance relationship. Previously, there was a lack of a coherent message from carriers on what the services were — there wasn’t the clear message that “we’re here to help.”
We’ve gone out and identified areas where we can provide value-add or preferred pricing services that are useful and that will help policyholders. They’re in place to help insureds identify what they need to do next. And from there, we can give them tools and information to find the next steps. We’re helping businesses get better every step of the way by connecting them with the experts on cyber risk. When a company purchases a standalone CNA cyber policy, those value-added services are available for free. Also available are preferred pricing options, where the vendors will provide a significant discount off their retail pricing for CNA insureds.
Taking a look at the threat landscape, is it possible to identify the most pressing issues today? As an insurer, what do you feel concerns organizations most and how does CNA CyberPrep meet that concern?
Currently, we are hearing the most about ransomware, business interruption, and system failure. And ransomware can be expensive, there’s no question. It’s not that business interruption isn’t a big deal – it’s absolutely a big deal. But when you see the big claims in the news, the major breaches, it’s still, most often, all about that classic notification, forensics, breach counsel, credit monitoring — all those costs that go into responding to a breach of personal information. That said, no matter what the cause of the cyber incident, proper proactive preparation begins with understanding where your organization is at, cybersecurity-wise, today. To that end, CNA CyberPrep’s value-added third-party services include cyber-readiness penetration testing (via WhiteHax), a privileged access management assessment (via CyberArk), and an analysis and assessment of a firm’s existing information security programs via CNA Risk Control. There are also numerous preferred pricing options available. The goal is to help an insured understand what its cybersecurity posture is, and how it can be improved.
In taking that holistic view of cyber risk, do you see more departments of a given organization getting involved in cyber insurance planning?
Yes. Compared to five years ago, there’s a greater level of board/upper management involvement in these decisions. Cybersecurity and cyber insurance are being taken much more seriously in a way that they frankly weren’t five, six, seven years ago. And that’s due to the big claims in the news, the exposure, and people being more aware of it, but also due to the increased regulatory action, both in the United States and beyond. There are European laws and other global laws putting requirements on companies to take a holistic view of cybersecurity and insurance. It’s now more than just a person from IT who’s answering a quick questionnaire for cyber insurance. You’re getting the CISO, the CFO, the general counsel — the upper management of these companies is involved in the process.
The program recognizes that different-sized businesses have different needs. Can you highlight some of the ways this responds to the unique needs of smaller businesses (and larger ones)?
When you look at CNA’s cyber profile, we have insureds with two or three employees, all the way up to Fortune 25 companies. The companies that are Fortune 500 or 1000 likely aren’t going to need to look to their insurer for cyber risk mitigation — they already have teams dedicated to this. That said, we made sure that there are options for larger insureds as well, but we really want to focus on the smaller, lower middle market, and middle market firms that make up the majority of our portfolio.
They need help taking steps along the way. We provide them some guidance to help them identify where they’re strong and where they can improve. The range of services builds from the introductory assessments for organizations new to cybersecurity to incident response plan testing and tabletop attack simulations.
Do you have guidelines for how often organizations should be taking stock of their cybersecurity posture? Will insureds be required to take advantage of these pre-breach services?
It is not required; however, it is something our underwriters consider. Ideally, we want to know that you have given some thought to this and have appropriate controls, incident response plans, and business continuity plans in place, because that sort of thing makes you a better risk to underwrite. And, in the unfortunate event that you have an incident, a regulator that may come in is going to ask for those plans and if you don’t have them, that’s a red flag; it’s one of the first questions they ask. We like to see that, at a minimum, you have plans in place and you test them annually. Hopefully, organizations would test their plans more frequently than annually, but that is a recommended baseline.
Concerns related to cyber events frequently come back to employee training. How does CNA CyberPrep address strategies for organizations to better reduce that risk?
Using ransomware as an example, a lot enters a system through phishing and social engineering. To aid with employee education, we have several options for insureds — some free, some preferred pricing. CNA CyberPrep includes among its value-added services a vendor partnership to provide computer-based training modules covering timely cyber topics such as social engineering, phishing, breach response, and more. Other services connect insureds with breach counsel for tabletop simulations, security awareness training, password management, and penetration testing.
The program is designed to give multiple options to improve your cybersecurity posture, including an emphasis on improving employee education and training.
How would you say that CNA CyberPrep represents a new step for cyber insurance?
Carriers, including CNA, have had proactive services before, but they haven’t been put together in a holistic manner. We’re taking a thought leadership role by putting it together in a way that can help insureds see the steps they need to take and be better served. We believe it was a logical next step for the cyber insurance market.
Our goal was to provide clear sets of options for businesses to consider. But when and if new or different security challenges arise that currently are not squarely addressed by CNA CyberPrep, our subject matter experts will help the program evolve to address them.
Do you expect a positive impact on claims costs? How did claims experience factor into planning?
We looked at this from the perspective of “how can we help policyholders better understand cyber risks and reduce the need to file a claim in the first place?” Our experience with claims factored in — for example, knowing how claims proceed when you have a plan in place versus when you don’t have a plan in place. All of this experience was part of how we went about planning the mitigation phase of CNA CyberPrep.
And if a breach occurs after the CNA CyberPrep services are in place, the steps taken in advance of a cyber event will make a difference. If you’re taking the steps, forming the partnerships, and building the incident response plan, it is likely going to lower costs for everyone. When you have fully thought-out incident response plans that have been tested, coupled with cyber products and partnerships, the response to a breach is going to be more efficient and more seamless.
Is there still room to advance in cyber insurance and cyber risk management?
As an industry, we’re still in our infancy from a cyber insurance and cybersecurity posture perspective; there is still ample room for growth and a lot of space to improve products and offer better services. As more people get involved and take cybersecurity seriously, we’re going to make bigger and bigger leaps forward, and they’re going to happen faster.
Where do you see cyber insurance as a product growing in the future?
We’re still in a growth phase as a product. The market is nowhere near fully mature, even though it is expanding rapidly. There’s still room for growth. As the cyber product expands, we’ll reach into areas and see what works, whether it is business interruption that overlaps with property, or cybercrime that overlaps with fidelity or bond coverage. We’ll continue to reach out and test, and pull back when necessary.
But as we move forward, cyber risk isn’t going anywhere. That core risk is going to be around and it’s going to be one of the bigger areas that require insurance solutions. Cyber touches everything because networks are used in everything — that’s only going to get more and more involved.
Breach response coverage will always be necessary and have value for insureds, but it will continue evolving and expanding.
What do you feel represents the most significant value of cyber insurance to buyers?
At its heart, insurance is a risk transfer method that is there to help when companies have a bad day — what might be their worst day, when someone has been in their system and violated their confidential information, both personal information for employees and customers, but also probably trade secrets and corporate confidential information.
Baseline, cyber policies exist to cover policyholders from covered losses. But they also help companies respond to attacks, help remediate them, and plan ahead for the next incident that could occur. Those, to me, are the core reasons for cyber insurance.
We do this every day. We live this. We help companies that need guidance around their cybersecurity posture. We’re there to help a company when it has a really unfortunate day.