The Perils of Cyber Insurance

On this episode of The View With Vizard, host Mike Vizard talks with Max Pruger, general manager of compliance for Kaseya, about the pros and cons, benefits and pitfalls of cyber insurance. The video is below, followed by a transcript of the conversation.

Mike Vizard: Hey, guys. Thanks for the hand-off. We are here today with Max Pruger. He is the general manager for the compliance business unit of Kaseya, a well-known IT service management platform provider. Max, welcome to the show.

Max Pruger: Thanks so much. Thank you for having me.

Vizard: We’re going to talk about cyber insurance. It seems like there is a lot of it being bought these days. What are the perils of buying cyber insurance? Do these programs actually pay out? What should I be thinking about if I buy them in the event of ransomware? Help me walk through some of the gotchas that may be happening here.

Pruger: Sure, so lots of good questions there. We’ll kind of break it out a little bit. One of the questions is what are the perils? One of the challenges I see is that organizations don’t understand that cyber insurance policies are not all the same. There are lots of terms and riders and provisions that are specific to different organizations, different industries, especially the MSP space, so you’ve got to be careful and you’ve got to make sure that you understand what you’re getting when you sign up for a cyber insurance policy, because, as I said, they are definitely not all the same. That’s one. The downfall is that, yeah, if you don’t have the right points in the policy, the right riders and so on, there is a good likelihood that you will not get paid out if you have a data breach, so that is just something else to consider.

Every cyber insurance policy has terms and conditions in it. It’s typically referred to as due care, so it’s based off the due care standards, which are typically based off of the NIST cyber security framework. In its most simple form, it just says you’re going to maintain your environment based off of the due care standards, and those are going to be standard things like encryption and password management policies, incident response policies and patch management of your environment, so things like that. What ends up happening a lot is the company will get a cyber insurance policy, they will have a breach, they will submit a claim, and it’s well within the cyber insurance company’s right to request evidence of what they call due care compliance.

If you can’t provide that evidence, there is a high likelihood that you won’t get paid out. I think I saw a statistic a little earlier this year that said 49 percent of cyber insurance policies did not pay out fully last year because companies could not provide evidence of due care compliance.

Vizard: Is that compliance a checklist kind of thing or does somebody come in and actually evaluate my site and see what I did or didn’t do, and maybe I could have an embarrassing moment here, right?

Pruger: It’s definitely not a checklist. That’s a problem across all the different compliance standards: there are lots of checklist products where you can go and download a spreadsheet from the NIST cyber security framework, or get some OCR checkboxes. Everybody knows exactly what the right answers are, they all fill in all the right answers, so everybody claims they’re doing the right thing, but across all these standards, including cyber insurance, you’ve got to be able to validate that what you put in your checklist and your documentation matches what you have in your environment. That’s really the issue: a lot of the time those things don’t match, and that’s when the cyber insurance claims are declined and don’t get paid out.

Vizard: Given the rate of change, that’s almost impossible to meet, right? I have to continuously comply, but the minute I change a piece of code or if I’m a dev op shop, I’m updating my applications all the time, so it sounds exceedingly difficult to prove that I’m in compliance.

Pruger: Again, great point. You used the exact, correct terminology, which is continuous compliance. To be clear, nobody can certify anybody else as being cyber insurance compliant. The goal is to follow those guidelines as closely as possible, so it’s not that you have to perfectly meet every single term and condition in that policy, you have to show and provide evidence to those cyber insurance underwriters that you are trying to meet those guidelines. It’s not that it’s impossible to meet, it’s just that you’ve got to do something. Usually that’s referred to as best efforts, so you can’t ignore them. You’ve got to do something, and that something is typically what’s referred to as an accurate and thorough security risk analysis.

However, if your expectation is you’re going to do a once-a-year annual security risk analysis, then exactly to your point, Mike, what’s going to happen is that six months later you get a breach, and if you show that the last thing you actually do and the last thing you have evidence for was six months ago, it’s hard to prove that you’re continuously complying or maintaining that compliance. What you want to do is you want to do something at least on a monthly basis, where you rescan the environment. It doesn’t have to be a full walkthrough, it doesn’t have to be a full certification, but it’s showing that you’ve done your annual risk analysis and that, over time, you’ve either improved the environment or you’ve maintained the compliance in that environment.

Vizard: Do you think some people are opting to buy more insurance, per se, than actually investing in security products to prevent ransomware because they think that it’s just simply cheaper to do that? They may not have the technical skills or even the inclination to go and lock down their environments.

Pruger: Actually, I don’t see that right now. Companies are starting to get insurance, so I think we’re still in the early adopter phase of companies actually getting cyber insurance policies. That’s actually another big issue: a lot of organizations have E&O insurance, and they believe that if they have a cyber incident, that’s covered. A lot of E&O policies, in fact most E&O policies, unless they have a specific cyber insurance rider on them, will not cover a cyber insurance event, so I think we are woefully under-insured as an industry rather than over-insured today.

Vizard: Will those policies cover any ransom that I might pay out, because, technically, I’m not sure that ransom payments are legal? What is their status?

Pruger: Yeah, so again, it goes back to the riders and provisions. A good cyber insurance policy will actually cover the ransomware payment. These large underwriters, they actually have payment desks that will deal in cryptocurrency, so whether it’s Bitcoin or one of the other ones. Again, if it’s a good policy, then they will typically handle that for you, and they’ll decide whether or not it makes sense to pay the ransom or to try to remediate the issue without paying the ransom.

Vizard: There are some folks in Washington that want to make paying ransom illegal. What is your take on this?

Pruger: Yeah, just because you make something illegal doesn’t mean it goes away, so what they’re actually going to do if they make it illegal, they’ll make paying the ransom less safe and secure. But, if you’re an organization, I mean, just look at what’s going on in the government space. I live outside of Baltimore and we’ve been hacked multiple times. If a hospital goes down, you may just have no alternative but to pay that ransom and hope you get back up and running, because those are real people’s lives. There was a ransomware attack just recently, I won’t mention the name, but it was a healthcare industry on the West Coast. The hospitals were down for over three weeks, they were literally referring patients to other hospitals, and emergency surgery was being postponed. Again, if the government passes a law that says it’s illegal, it doesn’t mean it goes away, it just goes underground, and so I don’t think that’s the best thing to do.

Vizard: Is cyber insurance just like regular insurance? Every time I have an incident, my rates go up, so at some point, if I keep getting attacked, will my rates become unaffordable?

Pruger: Yeah, I won’t say that it will be unaffordable, that all depends on the organization, but absolutely, rates are going up across the board today. They have been going up over the last year, so as we get more and more claims, obviously those rates will continue to go up. The insurance organizations are in the business of paying claims, they’re in the business of collecting premiums, and they have to offset those claims with those premiums. As long as they continue to pay out those claims, the premiums will continue to increase. Also, industry-specific, Chubb is the largest cyber insurance underwriter in the world, and they recently pulled out of the MSP space. I know a lot of MSPs whose cyber insurance policies used to be underwritten by Chubb, and Chubb is no longer offering cyber insurance to any MSPs today.

I think part of it is that because this is relatively new, insurance companies are still trying to figure out their risk, how they’re going to price these products, and a lot of them have lost money for cyber insurance, so they’re either going to increase their rates significantly, or, as I mentioned, somebody like Chubb is going to pull out of the industry completely until they can get a much better baseline and risk management pool of what they think it’s going to cost them to deliver the service.

Vizard: What is your best advice to folks to figure out how to keep their insurance rates down? Are there certain best practices I should be implementing? What do you see routinely that people aren’t doing that they should be doing?

Pruger: Yeah, absolutely. The biggest thing is that when you buy a policy, you must understand that there are terms and conditions to keep that policy in force, just like you mentioned car insurance. If I have auto insurance and I decide to get drunk and drive my car 150 miles an hour and I hit somebody, there’s a provision that says that my car insurance company won’t pay for that. Organizations have to understand, it’s not that you just buy the policy and you’re good, you must actually meet the requirements that are set in those terms and conditions, and you must be able to provide evidence that you’re meeting those, as well. No insurance underwriter will ever call you and say, “Can you please talk to me about your password management plan? How are you encrypting your environment?” What they’re going to want to see is specific evidence, so obviously software, run scans on your environment. Make sure that you’re creating the right documentation that maps the due care or the cyber security guidelines, so that in the event that you have an incident or a breach, you can send that documentation to the insurance underwriters to prove you were doing what you were supposed to be doing under those contracts, and, therefore, you can help maximize your payout.

Vizard: All right. Well, no matter how it goes, it sounds like it’s painful because it’s like the seven stages of grief there, and somebody is always looking for somebody to blame, and it’s usually the poor IT guy sitting at the end of that food chain, right?

Pruger: It’s always the poor IT guy, and so more and more of this, when it comes to ‒ I mean, again, cyber insurance is like any other compliance standard out there. More and more of it is falling on the IT guy and the IT company to maintain that compliance and to deliver and produce that evidence of compliance documentation, because obviously a lot of these incidents are all technology-related, and so that’s the domain of the IT professional.

Vizard: All right, last question. Do you think we’ll see more regulation in the space as frequently people start to complain about their insurance rates, and suddenly the government is coming down and saying, “Hey, you can’t charge more than this for that”? Will that be a conversation in our future?

Pruger: Absolutely. Compliance is all about regulations. The one thing with insurance companies is that most of them are regulated a lot more at the state level than at the national level. I don’t really see that changing. Just recently, a couple months ago, I saw that lots of the large insurance companies are out of New York. The New York State attorney general, I believe, as well as their insurance commissioner, sent out letters to cyber insurance companies saying that they have to make it a point to tell their end-customers that they must maintain certain standards and guidelines, and, once again, create evidence of compliance documentation so that the insurance companies don’t get overwhelmed. But, I definitely think that we’re going to see a lot more regulations.

I think the due care standards are going to evolve and they’re going to become more stringent. I think as part of that, you’re either going to have to follow those guidelines, or you’re going to have to expect that you are not going to get a full payout if you have an incident. Yeah, regulations are definitely coming to this industry, and I think they’re really going to align with a lot of the other regulations that we’re seeing for HIPAA, for CMMC, for NIST 800-171, PCI, and so on.

Vizard: Hey, Max, thanks for being on the show.

Pruger: Yeah, my pleasure. Thank you so much for having me.

Vizard: All right, guys, back to you in the studio.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.