5 Keys to Cyber Insurance | EP 005
In the podcast episode "5 Keys to Cyber Insurance," cybersecurity insurance expert Wes Spencer explains that effective cyber insurance requires standalone policies covering a broad range of cyber incidents and mandates five essential controls—multifactor authentication everywhere, segregated immutable backups, and others—to qualify for coverage amid rising cyber threats and costs.
Podcast Episode Transcript
Host: Connor Swalm
Guest: Wes Spencer (Cybersecurity Insurance Expert)
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.
Introduction
Connor welcomes Wes Spencer, an expert in cyber insurance and cybersecurity, to discuss the evolving world of cyber insurance. Wes explains that while cyber insurance isn't new, it has recently become a hot topic due to the increasing frequency and cost of cyber incidents.
What is Cyber Insurance?
Wes describes cyber insurance as a specialty insurance product designed specifically for cybersecurity events such as ransomware, business email compromise, and other breaches that can result in significant financial loss. He emphasizes that there are both good and bad cyber insurance policies:
- Bad policies: Often just a rider or warranty added to general liability insurance, covering small amounts (e.g., $50,000–$100,000) and filled with exclusions. These rarely pay out.
- Good policies: Standalone cyber insurance policies that cover a wide range of incidents, including ransom payments, business interruption, reputational damage, public relations, digital forensics, and legal help. These policies are more comprehensive but also more expensive and require meeting certain eligibility criteria.
The 5 Essential Controls for Cyber Insurance
Wes outlines five key controls that most cyber insurance carriers now require for coverage:
- 1.
Multifactor Authentication (MFA) Everywhere:
- MFA must be implemented across all systems, including for executives and users who may resist. Carriers will not provide coverage without it.
- 2.
Segregated, Immutable Backups:
- Backups must be stored off-network and be immutable (cannot be deleted, even by administrators). This protects against attackers deleting backups during a breach.
- 3.
Endpoint Detection and Response (EDR):
- EDR solutions act as a home alarm system for your network, monitoring endpoints for suspicious activity and alerting on threats.
- 4.
Vulnerability Management:
- Organizations must patch critical vulnerabilities promptly (typically within 30 days). Carriers expect active vulnerability management to reduce risk.
- 5.
Security Awareness Training and Phishing Testing:
- Regular training and phishing simulations for all employees are now mandated controls. Carriers recognize that human error is a major risk factor.
Wes notes that most carriers require all five controls, not just a selection. Some may offer limited coverage if controls are missing, but with significant restrictions (e.g., lower payout caps for ransomware incidents).
Why Are These Controls Required?
Connor and Wes discuss how carriers are becoming more sophisticated, asking more detailed questions on applications (sometimes over 30 pages). Carriers are collecting data to better understand risk and loss ratios, and requirements are evolving as they learn from past breaches. The industry is moving toward more data-driven and consistent underwriting, but it's still in a reactive phase.
The Importance of Cyber Insurance
Wes and Connor stress the high costs associated with breaches:
- Average ransomware downtime is 16 days, which can halve monthly revenue.
- Loss of customers and reputational damage can have long-term effects.
- Legal costs, digital forensics, and lawsuits can quickly escalate total losses.
Cyber insurance provides a financial safety net, but only if organizations meet the required controls and understand the true risks involved.
Closing Thoughts
Connor thanks Wes for sharing his expertise. He encourages listeners to consider the importance of cyber insurance and to ensure their organizations are meeting the necessary requirements. He also mentions the value of high-quality security awareness training for employees.