Q&A with Keith Novak, Associate Managing Director, Kroll Cyber Risk
Trying to decide what kind and how much cyber insurance coverage to secure can raise many questions for organizations across industry sectors. Smaller companies wonder if they even need it at all.
Recently, Keith Novak, Associate Managing Director in Kroll’s Cyber Risk practice, and Vinny Sakore, Chief Technology Officer at NetDiligence, delivered a webinar on the factors organizations should consider when exploring new cyber insurance coverage or reviewing/renewing existing policies.
Keith has more than 25 years of frontline and executive-level information security experience and has led all operational and regulatory activities of enterprise technology. Today, he focuses on helping Kroll’s clients build proactive information security programs and become more cyber resilient. Prior to NetDiligence, Vinny served as Verizon’s HIPAA Security Officer and a member of Verizon’s Cyber Security Strategy and Risk team as well as CTO for two healthcare technology companies. He is a respected authority on cyber risk, cloud security and HIPAA security.
The following Q&A presents the highlights of their discussion and some participant questions. (For your convenience, you can watch the full webinar below and download the presentation on this page.)
Q. Will you give us some quick context around the claims that cyber insurance underwriters are seeing today.
A recent NetDiligence study of cyber insurance claims underscores not only the realities of today’s cyber risk landscape, but also the rising costs associated with incidents. Events that trigger notification are especially costly. Some key takeaways that organizations should consider include:
- The compromise of many kinds of data, and not just PII or PHI, can be expensive to remediate.
- A breach of any significance is going to cost at least $1 million; the per-breach cost for a large company incident averages $24.6 million.
- Ransomware demands exploded in 2018. Insurers are seeing ransom demands of $250,000-$500,000 (nonexistent six months ago) on a weekly basis now.
Regarding ransomware, Kroll has been seeing a trend that doesn’t bode well for organizations of any size. Cybercriminals that used to be more deliberate in choosing ransomware targets are now taking a shotgun or “spray and pray” approach, capitalizing on any organization with poor controls that they can infect.
Q. What risk areas do organizations most often overlook? How do you recommend they address or mitigate these risks.
Based on what Kroll is seeing in its investigations work, many organizations are not recognizing major risks in three areas, where tried-and-true security measures can prevent or mitigate risks:
- Cloud Adoption
Organizations are quickly moving to cloud solutions, but many are neglecting to look at the security implications of those services. For example, many clients are experiencing incidents involving Office 365. Although O365 offers a lot of security-hardening features, organizations are not taking the time to assess and implement them. Multifactor authentication is a best practice that should be adopted as early as possible, particularly for the protection it affords when cybercriminals gain access to one or more email accounts. Security assessments and penetration testing can also expose weaknesses before they can lead to a full-blown incident.
- Mobile Devices and Personal Devices (BYOD)
The boundaries for where corporate data lives has vastly expanded with the use of company-provided and personal mobile devices. The problem is that for many organizations, technical controls haven’t kept up with business desires for efficiency and cost savings. There are a number of policies, procedures and controls that companies can adopt to reduce their exposure:
- Encryption: If a device is lost or stolen, encryption affords a critical layer of protection.
- Data Retention and Data Classification Policies: Many business email compromise (BEC) incidents are exacerbated by mailboxes that contain years and years of messages. Even if the information contained is outdated, it will still likely to trigger notification or ediscovery services that can be extremely costly.
- Mobile Device Management (MDM): Combined with mobile application management, MDM provides IT teams with resources to manage, track and more effectively protect corporate data and networks that interface with mobile devices.
- Insider Threats
Employees and trusted third parties will always pose a risk for data loss, either through accidental exposure (e.g., a lost laptop or duped by phishing) or their own malicious intent to steal and sell confidential information. Implementing a comprehensive data loss prevention (DLP) solution that leverages security analytics can serve as an effective early warning system to problematic activity.
Q. What kind of risk assessment will underwriters take seriously?
While every organization is unique and the risk assessment has to reflect that fact, there are some best practices that will help an organization not only demonstrate its security posture to underwriters, but also actually improve it. Six components that we at Kroll recommend are:
- Inventory data
- Assess regulatory requirements for your industry and operational jurisdictions
- Adopt a formal risk management framework
- Perform a risk-based assessment against accepted standards (e.g., NIST, CIS Controls)
- Build a security risk register
- Establish a vulnerability management program.
As you can see, the risk assessment shouldn’t be exclusively focused on IT, it should really be around the business, where data lives, how it moves around, who accesses it and then the IT part of it.
Organization should also be aware that some carriers will cover proactive services like risk assessments. So be sure to ask if the carriers you are considering will cover assessments costs or give you an allotment to put toward the assessment.
On the topic of standards, if you operate in a regulated environment, let’s say healthcare, the HIPAA framework cross-maps closely against the NIST framework, generally about 70%. So, if you’re doing the HIPAA assessment every year, you can incorporate the NIST framework relatively easily and demonstrate a higher level of commitment to underwriters by following two frameworks.
Q. What would you say are the biggest benefits of cyber insurance?
The costs associated with an incident are increasing every year. More to the point, virtually every organization can experience a cyber incident, so the potential financial protection is rather self-evident as is the opportunity to pre-negotiate rates.
But there are benefits beyond that. First, cyber insurers have a lot of historical data and experience about the factors that can trigger a claim, notification requirements, regulatory consequences, etc.
This knowledge can be of great value, especially to smaller companies that might not have the maturity and in-house skill sets to effectively identify and gauge their risks.
However, most organizations would agree that the biggest benefit of cyber insurance is the assistance and coverage it provides for crisis services. Cyber insurance gives you the ability to call one single point of contact to activate the services of a panel of experts who understand the challenges and can work with the insurance carrier on your behalf. Crisis services include legal counsel, forensics and incident response, eDiscovery, notification, ID/credit monitoring and public relations.
Speaking of help in a crisis, many carriers are now offering the services of a broker who specializes in ransomware incidents. The broker will analyze the message and work with the attacker group, bartering to make sure keys are valid. This often buys the company extra time to determine if its data is recoverable. Interestingly, according to the NetDiligence study, the average cost of a breach due to ransomware costs $211,000 if the ransom is not paid, but only $92,000 if the insurer pays the ransom through a preferred vendor.
Q. Any last thoughts or insight?
Be sure to select a broker that specifically has experience in cyber coverage. They know what to look for in a policy, which can help prevent any surprises or gaps in coverage should you ever need to submit a claim.
Likewise, when selecting a partner to conduct your risk assessment, look for a vendor whose people have both business and technical acumen. Certainly, they must understand the technical requirements of security and the meshing of multiple frameworks, but at the same time, have insight into how these measures work in the day-to-day operations of your business.