A NETWORK OF CYBER EXPERTS AT YOUR SERVICE
Author, Brian Robb, Underwriting Director and Cyber Industry Leader, CNA
The damaging effects of global cybercrime show no signs of abating – the global average cost of a data breach now stands at over $3.9 million, with breaches taking an average of 279 days to detect and contain. With the rise of nation-state attacks, ransomware, organized cybercrime, and an expanding array of threats, businesses of all sizes face significant risk of loss.
The battle may seem daunting – but effective enterprise-wide cyber risk mitigation can provide organizations with the tools they need to defend themselves against irreparable harm.
Organizations, particularly the smaller and mid-sized firms, can be overwhelmed by navigating the steps to take on the path to cyber risk mitigation. Which cybersecurity approach will be most effective? What vendors should they work with? How long can business operations withstand disruption without serious revenue loss? These questions and more can be addressed long before a cyber event – especially with the assistance of experienced cyber insurance providers.
Cyber risks present companies with opportunities to transform their traditional relationships with their insurers, the best of which can provide their clients with cyber risk management experience, knowledge, and guidance in addition to their more traditional risk transfer functions.
Few other modern-day business risks offer organizations the chance to take charge of their destiny the way cyber does.
Cyber risk mitigation services offered by insurers historically have low take-up rates. CNA set out to change that with a thoughtful approach to pre-breach risk mitigation strategies to help organizations proactively become more secure. CNA launched its new CNA CyberPrep program in July 2019, designing a holistic approach to identify, mitigate and respond to the specific cyber concerns its clients face.
For businesses, the time for taking advantage of pre-breach preparation is now. Regulations that have come into effect – and more that will soon be in place – have drawn focus to the steps that organizations take prior to a cyber event. Regulators enforcing the European Union’s General Data Protection Regulation (GDPR) have indicated that the efforts of businesses to prevent breaches – even if they occur – do matter.
The program grew out of the decades of experience CNA had gathered from responding to client breach events. Working with trusted cybersecurity experts, and drawing on the Cybersecurity Framework from the National Institute of Standards and Technology (NIST), CNA produced recommendations and resources for cost-efficient ways to improve cybersecurity. From pre-breach threat assessment and mitigation to post-breach remediation, CNA’s network of cybersecurity specialists is there throughout the lifecycle of a cyber policy, working to minimize the chance of loss.
CNA’s Brian Robb, Underwriting Director and Cyber Industry Leader, recently spoke with Advisen to discuss the evolution of CNA CyberPrep and the market need it addresses.
Do you feel businesses in general are aware of how much they can identify and mitigate pre-breach?
The awareness about cybersecurity and the desire to be proactive has increased exponentially, but there’s still a long way to go. Without a background in cybersecurity, it can be challenging to understand and quantify the current risk landscape. A business might think, ‘I’ll buy this antivirus and I’ll be okay.’ That’s a place to start, but diversification of your security strategy is important. If you’re just going with one type of defense, the bad actors will get around it. There’s a broad range of services that can help organizations specifically identify the areas where they most need help. If ransomware and downtime are your biggest concern, there are ways to address that. If you need an overall consultation to assess your greatest risks, we can help to provide that as well.
Can you share more about the development of CNA CyberPrep?
CNA CyberPrep represents collaboration among underwriters, the risk control team, and claim experts at CNA. We’ve used the NIST framework as well as other cybersecurity guidance to create a coherent, thoughtful plan for proactive pre-breach services for our insureds.
With the new regulations coming into effect, such as New York State’s recently passed “Stop Hacks and Improve Electronic Data Security Act” or SHIELD Act, GDPR, and the California Consumer Privacy Act (CCPA) on the horizon, we’re getting to the point where it’s actually required by law that companies take proactive cybersecurity measures to make sure they’re protecting private information.
We wanted to get ahead of the curve and not only help our insureds to access these services but provide a little bit of guidance so they have a roadmap to improve their cybersecurity posture.
The vast majority of companies don’t have a budget to take care of everything right off the bat; they need to move incrementally. We set it up so they can identify their current posture and take steps to mitigate it with various vendors.
What are some of the reasons that cyber risk mitigation services have had low take-up rates in the past?
Lack of awareness is definitely one reason, but organizations also may not have taken pre-breach mitigation as seriously in the past, because it wasn’t seen as a major risk. If you’re a risk manager or a general counsel, up until a few years ago, you were probably more worried about your employment insurance, or your D&O or GL, than you were about cybersecurity.
With growth of the industry and the breaches in the news, it has become more of a forefront issue for risk managers and others purchasing insurance. The time to identify risks and mitigate them is now, long before a breach occurs.
And the insurance industry has a greater handle on the types of risks where insureds most need guidance and how to incorporate that guidance into the insurance relationship. Previously, there was a lack of a coherent message from carriers on what the services were — there wasn’t the clear message that “we’re here to help.”
We’ve gone out and identified areas where we can provide value-add or preferred pricing services that are useful and that will help policyholders. They’re in place to help insureds identify what they need to do next. And from there, we can give them tools and information to find the next steps. We’re helping businesses get better every step of the way by connecting them with the experts on cyber risk. When a company purchases a standalone CNA cyber policy, those value-added services are available for free. Also available are preferred pricing options, where the vendors will provide a significant discount off their retail pricing for CNA insureds.
Taking a look at the threat landscape, is it possible to identify the most pressing issues today? As an insurer, what do you feel concerns organizations most and how does CNA CyberPrep meet that concern?
Currently, we are hearing the most about ransomware, business interruption, and system failure. And ransomware can be expensive, there’s no question. It’s not that business interruption isn’t a big deal – it’s absolutely a big deal. But when you see the big claims in the news, the major breaches, it’s still, most often, all about that classic notification, forensics, breach counsel, credit monitoring — all those costs that go into responding to a breach of personal information. That said, no matter what the cause of the cyber incident, proper proactive preparation begins with understanding where your organization is, cybersecurity-wise, today. To that end, CNA CyberPrep’s value-added third-party services include cyber-readiness penetration testing (via WhiteHax), a privileged access management assessment (via CyberArk), and an analysis and assessment of a firm’s existing information security programs via CNA Risk Control. There are also numerous preferred pricing options available. The goal is to help an insured understand what its cybersecurity posture is, and how it can be improved.
In taking that holistic view of cyber risk, do you see more departments of a given organization getting involved in cyber insurance planning?
Yes. Compared to five years ago, there’s a greater level of board/upper management involvement in these decisions. Cybersecurity and cyber insurance is being taken much more seriously in a way that it frankly wasn’t, five, six, seven years ago. And that’s due to the big claims in the news, the exposure, and people being more aware of it, but also due to the increased regulatory action, both in the United States and beyond. There are European laws and other global laws putting requirements on companies to take a holistic view of cybersecurity and insurance. It’s now more than just a person from IT who’s answering a quick questionnaire for cyber insurance. You’re getting the CISO, the CFO, the general counsel — the upper management of these companies is involved in the process.
The program recognizes that different-sized businesses have different needs. Can you highlight some of the ways this responds to the unique needs of smaller businesses (and larger ones)?
When you look at CNA’s cyber profile, we have insureds with two or three employees, all the way up to Fortune 25 companies. The companies that are Fortune 500 or 1000 likely aren’t going to need to look to their insurer for cyber risk mitigation — they already have teams dedicated to this. That said, we made sure that there are options for larger insureds as well, but we really want to focus on the smaller, lower middle market, and middle market firms that make up the majority of our portfolio.
They need help taking steps along the way. We provide them some guidance to help them identify where they’re strong and where they can improve. The range of services builds from the introductory assessments for organizations new to cybersecurity to incident response plan testing and tabletop attack simulations.
Do you have guidelines for how often organizations should be taking stock of their cybersecurity posture? Will insureds be required to take advantage of these pre-breach services?
It is not required; however, it is something our underwriters consider. Ideally, we want to know that you have given some thought to this and have appropriate controls, incident response plans, and business continuity plans in place, because that sort of thing makes you a better risk to underwrite. And, in the unfortunate event that you have an incident, a regulator that may come in is going to ask for those plans and if you don’t have them, that’s a red flag; it’s one of the first questions they ask. We like to see that, at a minimum, you have plans in place and you test them annually. Hopefully, organizations would test their plans more frequently than annually, but that is a recommended baseline.
The concerns related to all cyber events frequently relate to employee training. How does CNA CyberPrep address strategies for organizations to better reduce that risk?
Using ransomware as an example, a lot enters a system through phishing and social engineering. To aid with employee education, we have several options for insureds — some free, some preferred pricing. CNA CyberPrep includes among its value-added services a vendor partnership to provide computer-based training modules covering timely cyber topics such as social engineering, phishing, breach response, and more. Other services connect insureds with breach counsel for tabletop simulations, security awareness training, password management, and penetration testing.
The program is designed to give multiple options to improve your cybersecurity posture, including an emphasis on improving employee education and training.
How would you say that CNA CyberPrep represents a new step for cyber insurance?
Carriers, including CNA, have had proactive services before, but they haven’t been put together in a holistic manner. We’re taking a thought leadership role by putting it together in a way that can help insureds see the steps they need to take and be better served. We believe it was a logical next step for the cyber insurance market.
Our goal was to provide clear sets of options for businesses to consider. But when and if new or different security challenges arise that currently are not squarely addressed by CNA CyberPrep, our subject matter experts will help evolve the program to address them.
Do you expect a positive impact on claims costs? How did claims experience factor into planning?
We looked at this from the perspective of “how can we help policyholders better understand cyber risks and reduce the need to file a claim in the first place?” Our experience with claims factored in — for example, knowing how claims proceed when you have a plan in place versus when you don’t have a plan in place. All of this experience was part of how we went about planning the mitigation phase of CNA CyberPrep.
And if a breach occurs after the CNA CyberPrep services are in place, the steps taken in advance of a cyber event will make a difference. If you’re taking the steps, forming the partnerships, and building the incident response plan, it is likely going to lower costs for everyone. When you have fully thought-out incident response plans that have been tested, coupled with cyber products and partnerships, the response to a breach is going to be more efficient and more seamless.
Is there still room to advance in cyber insurance and cyber risk management?
As an industry, we’re still in our infancy from a cyber insurance and cybersecurity posture perspective; there is still ample room for growth and a lot of space to improve products and offer better services. As more people get involved and take cybersecurity seriously, we’re going to make bigger and bigger leaps forward, and they’re going to happen faster.
Where do you see cyber insurance as a product growing in the future?
We’re still in a growth phase as a product. The market is nowhere near fully mature, even though it is expanding rapidly. There’s still room for growth. As the cyber product expands, we’ll reach into areas and see what works, whether it is business interruption that overlaps with property, or cybercrime that overlaps with fidelity or bond coverage. We’ll continue to reach out and test, and pull back when necessary.
But as we move forward, cyber risk isn’t going anywhere. That core risk is going to be around and it’s going to be one of the bigger areas that require insurance solutions. Cyber touches everything because networks are used in everything — that’s only going to get more and more involved.
Breach response coverage will always be necessary and have value for insureds, but it will continue evolving and expanding.
What do you feel represents the most significant value of cyber insurance to buyers?
At its heart, insurance is a risk transfer method that is there to help when companies have a bad day — what might be their worst day, when someone has been in their system and violated their confidential information, both personal information for employees and customers, but also probably trade secrets and corporate confidential information.
Baseline, cyber policies exist to cover policyholders from covered losses. But they also help companies respond to attacks, help remediate them, and plan ahead for the next incident that could occur. Those, to me, are the core reasons for cyber insurance.
We do this every day. We live this. We help companies that need guidance around their cybersecurity posture. We’re there to help a company when it has a really unfortunate day.
Ransomware Is the Hacker Biz Model of Choice: 5 Best Practices to Protect Your Network and Users
Author, Nick Graf, ARM, CISSP, CEH | Assistant Vice President, CNA
As mobile devices continue to increase in popularity, many consumers use them as their primary means of communication. These hand-held devices, which are equipped with increasing amounts of processing power and data storage capability, are not only used for written and verbal communication, but also for taking high-definition photos and video, conducting financial transactions and transmitting health data. Therefore, ensuring this information is adequately protected is critical, but often overlooked.
How Can You Protect Your Mobile Data And Stay One Step Ahead Of The Hackers?
Start by enabling a PIN or biometric screen lock. This lock will prevent a casual user from accessing the contents should you lose your phone. Apple iOS 9 now defaults to a six-digit PIN instead of four digits. Adding two extra digits makes guessing the PIN much harder (i.e., 1,000,000 possible combinations versus 10,000 with a four-digit PIN). For additional security, you may also opt to use a longer alphanumeric passphrase. Many new phones also give the option for biometric (fingerprint) authentication.
Another crucial step is to ensure you are using full-disk encryption. Consumers will sometimes confuse having a PIN or password on their phone with encrypting their phone — they are not the same. While an encrypted phone requires a PIN or password, it is possible to have a PIN screen lock on an unencrypted phone. An unauthorized user may be able to access information stored on an unencrypted phone (by plugging the phone into a computer with specialized software) without knowing the PIN or password. Encrypting your phone and using a strong password prevents this type of attack. Apple recently began encrypting their software by default in iOS 8, and Android in 6.0 Marshmallow.
What About Wi-Fi?
Be careful using your mobile device in public Wi-Fi hotspots. While users may opt to use a public Wi-Fi hotspot to reduce data usage on their mobile plan, they should be aware public Wi-Fi is inherently insecure. If you choose to use such a connection, attempt to verify the hotspot is legitimate. Ask the owner of the business for the network name. Be mindful that it is trivial for a malicious user to create a wireless network with the exact same name, making it difficult to verify the authenticity. Next, use a virtual private network (VPN) to protect your data from an attack on this local network.
Keep Your Software Up To Date
Another area of importance is keeping your mobile device's software up to date. Both the phone's operating system and individual applications should be updated to reduce the risk of software vulnerability exploitation. On iOS devices, you should be automatically prompted when a new version of iOS is released. On most Android devices, users will need to wait for their wireless carrier to make updates available to them.
Both iPhone and Android have a "find my phone" feature. Enable this feature to help find your device if it is lost. Both services allow owners to locate their device, play a sound on the device, and remotely lock and erase their device.
Learn more about CNA's Cyber Liability products or please contact a CNA representative to pinpoint your risk areas that are becoming more and more vulnerable in the context of today's emerging technologies. One or more of the CNA companies provide the products and/or services described. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.
When it Comes to Protecting Your Data, Let’s Be Careful Out There
Author, Nick Graf, ARM, CISSP, CEH | Assistant Vice President, CNA
While most people think of hacking as an attack against a website exploiting a vulnerability, in reality, hacking can be as simple as asking for a password. Today's hackers have realized that social engineering a user to give up his or her password may be the easiest way into an organization. The term social engineering refers to the "psychological manipulation of people into performing actions or divulging confidential information." And, it is important to understand this type of attack can occur via email, phone or even in person.
Phishing is a common type of social engineering done via email. We have undoubtedly all seen these types of emails. Historically, they were easy to identify (the Nigerian Prince emails come to mind). But these days, the bad guys make their messages far more polished, with a plausible backstory, and time them around current events. For example, phishing emails purporting to be from the IRS always peak around April 15. Social engineering attacks also occur by phone. Attackers will perform reconnaissance on their targets and pretend to be a business associate or other trustworthy party. They may also spoof the caller ID, making the number match the person they are impersonating. They may even conduct an attack in person by having a background story in place and dressing to "look the part." Attackers will also leverage malware, sent as email attachments or via malicious websites. If they can get this malware on your computer, it can allow them to see everything you type (this is known as a keylogger).
Password reset questions can be another avenue for attack. While an attacker may not know your password, they may be able to use publicly available information against you. Security questions, such as where you went to high school, your mother's maiden name or a previous street address, can often be discovered on the Internet. If the attacker can provide the answers to these questions, then they can easily reset your password to access your account.
Typically, people are not great at remembering passwords, and the bad guys know this. Most of us likely have three to five passwords we reuse for all of our website access. If an attacker compromises your password through another method (e.g., a website attack, social engineering, etc.), they will try these credentials at other sites because doing so is likely to provide them access.
Finally, we know surfing the Web at a public Wi-Fi hotspot can put our data at risk. Over an unencrypted Wi-Fi link, everything you type is clearly viewable to those around you. And, when you're in a public setting, it can be difficult or impossible to determine if the hotspot you've connected to is illegitimate or has been compromised. If you unknowingly connect to an illicit hotspot, the attacker can silently redirect secure traffic to a normal HTTP (unsecure) connection, allowing all information to be viewed.
With an abundance of additional access points for hackers to breach, how can you ensure that your system remains secure? Please contact a CNA representative to learn how risk controls can be tailored to your business or visit www.cna.com/cyberliability.