In such a fast-changing cyber risk landscape, experts say preparation is key, and one element that can help with that is cyber insurance.
“Cyber insurance is such a critical tool when you think about having a policy and having an approach to handling incidents and incident response,” said Xing Xin, co-founder and CEO of InsurTech Upfort, on this episode of The Insuring Cyber Podcast. “One of the best partners and tools you can have in managing that risk is a cyber insurance policy.”
This is because cyber insurance isn’t just about covering a financial loss by itself, he added. It’s also a tool providing access to the right experts and data to help companies manage their exposure.
David Derigiotis, chief insurance officer at Embroker, agreed, adding that cyber insurance can provide a value-added service even before an attack occurs by helping clients strengthen their security posture.
“It’s not just financial risk transfer when it comes to cyber insurance, like you see in other lines of business. It’s bringing together cybersecurity services, bringing together risk management services, alongside the policy. That’s where there’s huge benefit that can be offered,” he said. “It’s marrying together risk management technology alongside the insurance component. That’s where there’s huge value, and that’s what we’re seeing more of.”
Both Xin and Derigiotis were speaking at The Insuretech Connect conference, held this year at Mandalay Bay in Las Vegas.
“In the end, everybody wins from that,” Derigiotis said. “The insured’s going to win because they’ll be a more secure business. They’ll be able to offer greater value to the customers and clients and vendors that they work with. And, of course, the insurers win as well because they’re insuring and providing coverage for a better risk – somebody that’s going to have a stronger security posture and that’s going to be more elevated in terms of their ability to respond and be prepared compared to somebody who’s not.”
He outlined additional steps insureds can take to prepare ahead of a cyber attack, such as having a plan for identifying the issue, communicating with clients and employees, and restoring data.
“Really, it’s all in the prep before something happens,” he said. “It’s having an incident response plan in place. It’s knowing exactly what roles people are going to take on, what their work is going to be, what they’re going to do within the company, whether it’s working with HR or it’s going to be dealing with employees … You have to have that action plan in place to know exactly what to do so you can snap into action immediately.”
He added that a lot of this comes down to training as well to ensure that employees know exactly what they need to do in the event of a threat.
“You do as much preparation as possible so that when the incident does happen, the company will respond effectively, efficiently, and they’ll be able to continue having trust with clients.”
Xin said a lot of this prep is about getting back to the basics.
“It’s really about taking action on what some people might call the basics around managing their attack surface,” he said. “Cyber criminals are very financially motivated, so what happens is that there’s actually only a small handful of ways that they can, in a cost effective way, get into your organization.”
He said this means a lot of cyber attacks are carried out through the human attack surface, whether it’s phishing emails sent to employees or compromised links for downloads.
“That’s a key driver of claims,” he said. “And then there’s a digital attack surface. So when you think about the digital attack surface, it’s around what are the internet facing assets and systems that your company uses that are external facing? And it’s really around do you patch your vulnerabilities and keep your systems up to date? Are you configuring remote access and different ways to access your systems in a way that helps to provide the right level of security settings?”
He said taking simple steps such as backing up data and testing incident response plans can take companies far when preparing for a cyber attack, especially as criminals are becoming more sophisticated with their use of AI to carry out attacks.
“We are already starting to see cyber criminals incorporating AI to develop malicious software better and faster. That’s one element,” he said. “We actually have seen another big trend, which is really scary. One of the key attacks that we see constantly evading systems today and typical filters and actually getting companies into trouble is just text-based emails around social engineering and phishing. And the way to do a very sophisticated attack is, well, you have to be able to research at scale and make it feel really tailored.”
This is where AI comes in, he said.
“That’s one thing that generative AI is really good at today, right? Processing large amounts of information, distilling that information, and then automating a lot of the steps it takes to actually drive that,” he said. “So, we’re already starting to see it, and I expect to see even more very tailored, sophisticated attacks on even the smallest companies because the cost to do that today for a cyber criminal has just come down so much more.”
On the other hand, AI is also serving as a benefit to companies in boosting their cybersecurity posture.
“One way we think about it is from a defense perspective, there are ways to improve the detection of some of the really sophisticated attacks when you leverage it the right way using the data, but also just incorporating that as part of the prevention and identification elements,” he said.
In the end, Derigiotis said that even with the use of AI and an evolving attack landscape, it’s all about preparation.
“You have to absolutely, before a security incident takes place, think through what are the steps that we need to take when something does occur,” he said. “I think the biggest takeaway is you have to prepare, and you can never be complacent. Threats are always changing. We have artificial intelligence — good use cases and bad use cases in terms of security. So, I think all of the things that a company can do beforehand to properly prepare themselves and get ready for an event, that’s the big takeaway. Make sure that you’re prepared so that when something does happen, it won’t be a surprise. You’ll know exactly what to do.”
Check out the rest of the episode to see what else Xing and David had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.