Because the artificial risk of cyber attacks is so controllable, cyber insurance can be a reliable cash cow, but we must rethink what cyber risk is and what role cyber insurance plays. Doing so unlocks the door to billions of dollars in potential profits. Currently, nobody in the entire insurance sector knows how to do this and nobody does it properly.
The term for what we are living through is moral crisis.
Last year, the world lost hundreds of billions of dollars to cyber attacks and trillions were lost to the total economic impact of these attacks. The biggest problem is ransomware, but business email compromise, leading to fund transfer fraud and other types of account interception and social engineering fraud are also costing the economy billions. Every week, we hear about more police forces, hospitals, schools and critical institutions being attacked. Ransom is frequently paid. Lives have even been lost. It’s no longer possible to rely on your doctor, lawyer, police force or fire department to be there for you and not leak your private information.
And then we have cyber insurance, which keeps paying ransom and racking up losses, insisting that “cyber is just inherently high loss” or “cyber incidents are like earthquakes: unpredictable and unstoppable.” We see top-ranking executives, even the likes of Warren Buffett, saying that cyber insurance is expected to lose money. It will, they say, because cyber risks are just big risks and we don’t know how to control them. Also, we don’t have enough data, and perhaps in a few years we will be able to figure out how to price it.
As an expert in cyber security, ransomware especially, with an education in cyber security and over 20 years of experience, I cannot stress this enough: THIS IS INSANE!
Cybercrimes are just that: crimes. Like all crimes, they are human created and can be stopped. Cyber security is not some oddball unfigured-out kind of thing. It’s just bad guys breaking into our systems because we do not institute strong enough controls. The idea that cyber criminals are so much smarter than our best engineers is absurd. It’s the year 2024 and the US has the best technology in the world. None of this needs to happen. We could shut this down in a day, if there were proper experts involved.
There has been a massive misunderstanding of the nature of cyber risk by the insurance sector, and in doing so we have entrenched a monster which is sapping hundreds of billions of dollars out of the legitimate economy and is funding terrorism. The history of cyber insurance is a comedy of errors. There is no reason legitimate cyber risk experts should not have been consulted from day one, but there was a belief that cyber was simply a shiny object that could be monetized to appeal to the digital age. Insurers have been trying to sell cyber insurance without investing a dime in understanding it. They’ve simply broken something they don’t understand and now consider it a lost cause. This is absurd.
The truth is simple: If not for the fact that cyber insurance has come along and decided to encourage bad behavior, while funding crime, we would not have the ransomware problem we do. Our hospitals would be safe. Our schools would be safe. Our emergency services would not be targeted. The problem cannot currently be solved, because insurance companies stubbornly insist that they don’t want to, but are fine paying out ransoms.
When cyber insurance was first introduced, by AIG, in 1999, it had no qualifications at all. It was inexpensive and rarely paid claims. Most of the time, major data breaches would end up on CGL insurance or crime insurance, and nobody complained, because it was not very frequent. It’s questionable whether it is ever acceptable to have a security and crime insurance that does not require security measures. At best, that creates a moral hazard. However, things have changed a great deal since 1999, and this is absolutely no longer workable. Cyber insurance today is not the low-cost special rider that it used to be. There is an unfortunate unwillingness to do this properly. As one insurance executive told me, “They don’t want to [because] they went into cyber and have done nothing but lost money on it … cyber insurance has no future.” Another insurance insider said, “cyber is uninsurable if the insurance company wants to make a profit because cyber will always lose money.”
This is insanity.
Cyber risks are artificial. They exist in the most perfectly controlled environment. Every variable, every bit and byte moving through an IT system can be tracked in real time. Every connection can be interrogated. Every file can be backed up as many times as we want. We, the law-abiding organizations of the US, own these systems. We dictate how they operate. We designed them.
Furthermore, the idea that it would be difficult or impossible to stop this from happening does not make any sense at all. After all, if we could not keep foreign hackers out of our systems, how on earth do we have nuclear missiles on alert? How do we manage to have cryptocurrency at all? How does it not just evaporate when some hacker wants it to? And beyond that, why are things getting worse? Isn’t technology supposed to improve things? If cyber is truly so impossible to conquer, perhaps we should go back to paper and typewriters.
Of course, we don’t have to go back to typewriters. Any system we build can be as resistant as we want. The problem is the absurd notion that we are unable to stop gangs of third world thugs from sending deceptive emails to our companies; this is not some kind of insurmountable challenge we can’t overcome. Problems like ransomware are not even that difficult to solve. There are products out there that are nearly 100% effective at shutting it down and restoring systems in minutes.
So what explains these massive losses?
What we have is a failure of economic incentives, proper qualifications and requirements. As is stated by the Institutes “Without proper qualifications, insurance might be seen as a replacement for good risk mitigation, creating a moral hazard.” This is exactly what happened with cyber insurance. The illusion that it could ever be properly done with few or minimal qualifications is the root of the problem.
The problem comes down to years of entrenched behavior that did not have consequences. For decades, computer systems and data were poorly protected, and this rarely caused many problems. Most systems were isolated from the internet and connected intermittently. Companies did not host so much of their workflow in the cloud. Remote work was not as popular. These things came into existence in the 2000s. As with previous systems, security was an afterthought, if a thought at all, and poorly enforced.
The tech sector has not helped. Software and IT products are always developed in a rush and rarely tested thoroughly. Companies have tried hard not to set the precedent of being held liable for the safe and secure operation of their software, and many severe problems have gone unpunished over the years. The tech sector, by its very nature, is bad at risk management. This sector is dominated by brash young males who proudly proclaim that they are there to “move fast and break things.” That all sounds great, until you consider the second part of the sentence.
But none of this mattered, outside a few sectors, until someone invented a way of monetizing it through ransomware. Since ransomware gangs are primarily located in foreign jurisdictions which are hostile to the US, they can do as they please and it is very effective at making money.
There’s an overall regulatory vacuum. Organizations can do what they like with their IT systems and there’s really no way to tell them otherwise. There’s also very poor advice out there, and most people do not understand this field at all.
It seems only a few professionals these days have any clarity at all on this issue.
So let’s consider what cyber security is for insurance and why it is neither optional nor something anyone should want to avoid:
Cyber security is the security, compliance and risk management of IT systems. It is the securing of online transactions. It is the inspection and certification of digital systems and networks. These systems are the nervous system of civilization and of all modern companies. The information revolution has been extremely disruptive and has changed society and the economy. We are not going back. For the foreseeable future, digital systems and networks will be critical for all commerce and digital transactions far exceed cash transactions.
This is the 5th industrial revolution, and like so many previous industrial revolutions, technology has been adopted rapidly and the resulting regulatory lag has resulted in exponential losses. In this case it’s especially severe because the losses are crimes and the payments subsidize them and keep the gangs going.
With the full funding of American and other allied companies, ransomware gangs have become an extreme danger. They have begun to use more ruthless tactics, like going after the most vulnerable victims and maximizing destruction of systems.
Because our society is only becoming more connected, more digital and more automated, this will only increase. It is a very big opportunity, because insurance rarely sees this kind of organic growth. Predictably, it will become even more embedded in our lives and encroach further on other kinds of insurance, which it already has.
All of this has happened while insurance executives continue to idiotically insist that artificial, technical risks are insurmountable. Of course, they are not. They require inspection, audits, design criteria and certifications. These things all exist, in cyber security. It would be nice if someone supported them.
How Cyber Insurance Programs Currently Work:
There are a number of problems with the assumptions that insurance companies have made about cyber insurance which are fundamental and wrong. This has resulted in cyber insurance programs typically being so disliked by leadership, with so much affirmative disinterest that insurance executives will go out of their way to never speak to an actual expert in cyber security risk management.
THE AUTHOR OF THIS BLOG HAS BEEN TRYING TO SPEAK TO THE C-SUITE OR BOARD OF A MAJOR INSURANCE COMPANY FOR MORE THAN 4 YEARS. NONE ARE WILLING TO RETURN COMMUNICATIONS.
Because of this affirmative disinterest, cyber insurance lines are only staffed by people with an underwriting background. They are also not the best and brightest in the insurance world. It’s an undesirable line where they tend to dump their youngest, least experienced underwriters. There is no supervision at all. It’s absolutely terrible.
The problem will only get worse until the leadership of insurance companies realize that not only are they feeding into the worst crime wave in modern history, but shooting themselves in the foot by refusing to consider that they actually could make unlimited amounts of money on this, the moment they decide to run their lines of cyber insurance properly.
For one thing, these lines are poorly thought out in terms of what they cover, and they are far too broad. Cyber insurance should really be divided into losses and liabilities, which are two different things and should be considered differently, since different companies have different profiles. In fact, cyber insurance really should not exist as a monolithic entity. It should be divided by the sectors and other factors that organizations fall into.
Additionally, because connectivity is the cornerstone of modern society, because we are in a full industrial revolution, and because it’s better to make money than lose money, insurers can’t continue to treat cyber security insurance like it is jet ski insurance. Cyber lines of insurance can’t continue to only employ underwriters. Like any proper, full-service line of insurance with the opportunities of cyber insurance, it requires underwriters, inspectors, compliance coaches, vendor relationship managers, specialty lawyers and a lot of other specialists. In fact, because this is still fairly dynamic and new, it will need more attention than most lines.
The upshot of this is that risks can be reduced and losses can be brought to the only sane level they can be: anticipated annualized losses from cyber should be approximately zero, at least for major claims. The insurance line is more about assurance and compliance management than paying claims, as any such line of technical insurance in professional environments should be. That’s the only sane way.
The severity of the misunderstanding can be seen in some of the often-repeated claims that are just patently false. For example “Cyber is hard to insure because we don’t have enough data.” The very idea that this could be true ignores what cyber security is. Since it is artificial, the system is already known. We know the theory. We can simulate the whole thing. This artificial system does not move in phases, like the seasons. It is not a primarily actuarial risk. It is a risk that is fully engineered and understood.
How could it not be? We invented it!
The problem, of course, is really just incentives and understanding. The market rarely incentivizes risk management, and in this case, it certainly is not. In the private sector, risk is managed by a combination of insurance, credit ratings, public audits and investment advisory. For whatever reason, those sectors have become so frightened by cyber security risk that they have dialed out entirely.
So, Now We Have an Entrenched Problem:
If you work in cyber security, your life is hard these days. No matter how well you do at a client or organization you work for, it is heartbreaking to see the problem getting worse. It is also very worrisome because ransomware gangs are resorting to third party attacks, to paying off insiders and other extremely dangerous tactics. It’s not sustainable. It’s difficult for people to not get burned out.
The problem is no relief is in sight. We simply cannot win this as long as organizations choose to ditch risk management and buy poorly qualified insurance instead. And that is exactly what has happened. Because of the high rates of insurance, the perception that it is required and the fact that it pays out for ransomware, nobody seems to be trying to prevent cyber problems anymore.
Companies tend to feel safe if their insurer approves their safety controls. People tend to feel like “I’m fully insured,” and this has resulted in a huge divestment in cyber security. Today, cyber security is a terrible field to work in, plagued by layoffs, impossible to advance in and faced with a lot of liabilities and poor recognition. This should not surprise anyone. We literally have business leaders saying “Cyber security does not work. Cyber professionals don’t know what they are doing. You will get hit or you won’t. It can’t be prevented.”
Naturally, this has decimated the sector, especially with so many companies feeling risk fatigue. Very few understand the subject and what they need to look for. Some have paid a lot for poorly planned cyber security programs and gotten hacked anyway. In these cases, it tends to be caused by a lack of experience.
At least half of corporate CISOs are not qualified to work in security. This is not surprising, because, again, frequently we are told that we are too stupid to stop hacks and protect systems, by those who have no background in this at all and have lost so much money on this risk.
Perhaps worst of all, Buffett and his head of insurance have said that cyber insurance is an inevitable loss center. This is terrible. You should never say that kind of thing out loud in public! This insurance pays for extortion. What kind of tone-deaf idiot would say “We expect our extortion insurance will pay out for a lot of extortion because we just have no way of stopping it, but we fully accept that is what we will do.”
No one person has done more to destroy the cyber security of the United States than Warren Buffett. The man is well known for his investment wisdom, and he is listened to intensely. Investment firms hold watch parties for his annual meeting like it’s the Super Bowl. Buffett has espoused some of the most poorly informed opinions on cyber security: implying that it is impossible, unknown or that it needs some kind of discovery to solve the great mystery.
Berkshire Hathaway just purchased a large portion of Chubb, one of the largest holders of cyber risk in the world.
No, we can’t win. Cyber security will be fully dead soon if the insurers have their way.
It’s sad, because if they were not so stubborn about talking to a cyber risk expert, they could make billions.
This is quite honestly, the only time in my life I have seen such an absolute empirical certainty for a method of simply raking in billions.
Hire experts to enforce compliance. Laugh all the way to the bank.
No, Cyber Security Is Not Inherently Complicated:
Like anything else, cyber security can get complicated when it comes to specific cases and highly technical systems. However, in terms of concepts, goals and methods, cyber security is not, in and of itself, complicated. In fact, it’s actually quite simple. It seems people get hung up on the first word in “cyber security” and that is the problem. Cyber security is just a type of security, but the second word in the phrase seems to frequently be lost.
The term itself is problematic because “cyber” is a nebulous term. It has its origins in science fiction and was associated with the internet and computers, especially in the 1980s and 1990s, when “cyberspace” became a metaphor for being online. It’s an imperfect metaphor, however, and it becomes more confusing as our world becomes more connected and as all large transactions move online. The metaphor made more sense in a time when connecting to the internet was novel and only used for certain things, but now that so much is information-centric, the distinction between what is and what is not a truly “cyber” risk can become confusing.
In the insurance context, this can be extremely confusing because cyber insurance typically covers all manner of fraud, data breaches, system failures, accidental data deletion and insider threats. This is because the policies that exist inherited their design from what were unqualified special riders. So what “cyber risk” really is can become confusing.
To keep things simple, let’s look at cyber security in a narrower manner: it’s just security for the enterprise IT environment. Granted, in practice, there are a lot of regulatory, budgetary and documentation needs, but at its core, it is simply security for the enterprise IT environment. It functions like other types of security and risk management. Cyber security is properly considered a form of enterprise risk management. It is well established and follows the same rules, with the same challenges, as any form of risk management.
The goal of cyber security is primarily to make sure that all the connections to IT resources are legitimate and authorized. If the CEO logs into the CEO’s email and sends out authorized e-mails, then we do not have a problem. If somebody can log into the CEO’s account and send e-mail, despite not being the CEO, and if you can’t catch that and do something about it promptly, then there is a problem. The reason we have problems in cyber security is that not enough effort is put into interrogating connections and making sure that they are all legitimate and verified.
That alone is 90% of the problem in cyber security. It is that privileged accounts, such as those of executives and systems administrators, are not properly monitored for anomalous activity and are not properly secured with good, reliable access control. The other 10% of losses would be attributable to attacks directly against software, insider threats, fraud via various channels of trickery and also the relatively odd and one-of-a-kind events, like having a thief find valuable data through dumpster diving or inadvertently sending an email to the wrong address.
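The two paragraphs above describe the core job as verifying that every connection to a privileged account is the legitimate owner and catching the ones that are not. The following is an added example, not code from the original post, of what that monitoring looks like in practice: it parses a few constructed sign-in records, compares each privileged sign-in against an assumed per-account baseline (known source networks, working hours, MFA) and flags deviations, including two countries within an hour of each other. The log format, account names, networks and thresholds are all assumptions made for the example.

```python
"""Baseline-and-deviation checks for privileged-account sign-ins.

Added example (not from the original post). The record format below is
constructed: an ISO-8601 UTC timestamp followed by key=value pairs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy inputs: which accounts are privileged, where they normally
# sign in from, and the hours in which interactive sign-ins are expected.
PRIVILEGED = {"ceo", "sysadmin"}
KNOWN_NETWORKS = {
    "ceo": [ip_network("10.0.0.0/8")],
    "sysadmin": [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")],
}
WORK_HOURS = range(7, 20)            # 07:00-19:59 UTC
TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this window is suspect

# Constructed sample records (documentation/test-net addresses only).
SAMPLE_LOG = """\
2024-05-01T08:15:00Z user=ceo src=10.1.2.3 country=US mfa=yes result=success
2024-05-01T08:20:00Z user=analyst src=10.4.4.4 country=US mfa=yes result=success
2024-05-01T08:40:00Z user=ceo src=198.51.100.7 country=RO mfa=no result=success
2024-05-01T23:05:00Z user=sysadmin src=203.0.113.9 country=US mfa=yes result=success
2024-05-02T09:00:00Z user=sysadmin src=10.9.9.9 country=US mfa=yes result=success
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    src: str
    country: str
    mfa: bool
    success: bool


def parse_line(line: str) -> SignIn:
    """Parse one constructed record into a SignIn."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return SignIn(
        ts=ts,
        user=kv["user"],
        src=kv["src"],
        country=kv["country"],
        mfa=kv.get("mfa") == "yes",
        success=kv.get("result") == "success",
    )


def findings_for(event: SignIn, last_success: dict) -> list:
    """Return (user, timestamp, reason) tuples for one successful privileged sign-in.

    last_success is updated in place so impossible-travel checks can compare
    against the account's previous successful sign-in.
    """
    out = []
    if event.user not in PRIVILEGED or not event.success:
        return out
    stamp = event.ts.isoformat()
    addr = ip_address(event.src)
    if not any(addr in net for net in KNOWN_NETWORKS.get(event.user, [])):
        out.append((event.user, stamp, "source not in known networks"))
    if event.ts.hour not in WORK_HOURS:
        out.append((event.user, stamp, "off-hours sign-in"))
    if not event.mfa:
        out.append((event.user, stamp, "privileged sign-in without MFA"))
    prev = last_success.get(event.user)
    if prev is not None and prev.country != event.country and event.ts - prev.ts < TRAVEL_WINDOW:
        out.append((event.user, stamp, f"impossible travel {prev.country}->{event.country}"))
    last_success[event.user] = event
    return out


def detect(lines) -> list:
    """Run the checks over an iterable of records, in order, and collect findings."""
    last_success = {}
    results = []
    for line in lines:
        if line.strip():
            results.extend(findings_for(parse_line(line), last_success))
    return results


if __name__ == "__main__":
    for user, stamp, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"{stamp} {user}: {reason}")
```

Run stand-alone it reports three findings for the second `ceo` sign-in (unknown network, no MFA, US to RO in 25 minutes) and one off-hours finding for `sysadmin`; the non-privileged `analyst` account is ignored, and the in-baseline `sysadmin` sign-in the next morning produces nothing. Real deployments would load the baseline from an identity provider and keep state across runs, but the shape of the check is the same.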
But when you get down to it, all of these problems are rehashes of well-known and familiar business problems. These issues are not technical in nature. In fact, the technology of cyber security is diverse, depending on the environment, with some being entirely unique and the tech constantly changing. What does not change is the constant challenge of enforcement of good compliance with reasonable loss controls.
The problems of cyber security are identical to those of any other type of new, rapidly deployed, technology that is operated in a regulatory vacuum. This tends to happen any time a technology is so enabling and revolutionary that it goes from the specialty market to the general market rapidly. Normally, there is a lag of a few years before exponential losses begin to accumulate. But this is well known and it tends to last until there is an organized effort, by regulators or whole industries, to bring losses down. It is not atypical for the insurance sector to be the one who must start with the push for better risk management. In fact, that is almost always the case. In this case, it is not all that difficult, because the risk management has already been established and an existing system of professional organizations, research and reporting and established expertise exists. There’s no need to reinvent the wheel.
Of course, Cyber Security is Achievable:
And it’s so damn insulting to pretend it’s not. Our infosec topples Russian empires and wins world wars. We are the absolute supreme best at this. Stop being so stupid about this.
The idea that cyber security is perplexing, an unsolved problem or requires some kind of discovery, new thinking or development is absolutely incorrect. The idea that cyber security is hard and requires a unique and difficult to find talent base is also (mostly) incorrect. The idea that there is a reason to wait until there is more data or we have a better understanding of cyber security could not be more wrong.
As an established field of business science, with mature professionals, trade organizations, decades of data, access to the best experts in the world and full control of the environment, the idea that cyber security is anything other than fully achievable is ridiculous nonsense. It’s breathtaking that we would be debating such a thing in this day and age.
Cyber security is just like any other security: near perfection can be achieved if extreme measures, such as 24/7 guarding is used, and in some situations, this is the way to go, but it’s often too expensive, so compromises like automated checks and technical controls must be used. That said, if done properly, they work well.
So does that mean you can ever have zero chance of having a problem with cyber security? If you do things correctly, just maintaining due-diligence-level controls, you have an approximately zero chance of something going seriously wrong and causing disastrous disruptions to operations. There will always be anomalies, threats, insider situations and so on. However, if you do things correctly, then you’ll only have a problem in the most rare and exceptional of “one in a million shot” circumstances.
Though rare black swan events may happen, they are rare enough not to worry about. This is especially true for organizations that are not of great strategic importance and don’t have unique risk exposures. For most organizations, there is no need to worry about patient and well-skilled spies, working a long game to gain access to the most sensitive data. Such threats exist, but they target only highly sensitive assets, such as secure government agencies.
For most organizations, the only real threat of loss is opportunistic criminals. They are much easier to stop, because they make little effort to be stealthy and do not operate with great patience and discipline. For example, ransomware is just a smash and grab attack. Attackers do not really care if they are successful with a given organization. If they are not, then it does not make a lot of sense for them to expend more time trying to get in. They will just move onto greener pastures with any organization that is not extremely easy to break into. So defenses do not even need to be perfect, in most circumstances. They just need to be adequate enough to make the bad guys move on.
Cyber security is a fully artificial field. It is a game that was invented in the United States, so we can change the rules of the game and move the goal posts all we want. The US has the best technology in the world, and of course we do, because we invented it and own it. Data centers are located primarily in the US and also in other closely allied, friendly countries. All this technology was developed by companies we have access to. The systems and the data centers they are located in can be equipped with whatever systems we want.
The task of keeping bad guys out and assuring the legitimacy of connections is not at all impossible. It’s not even a very difficult task. The technology and procedures to do so are well known and established. We have them and there’s no mystery.
If you think about it, it only makes sense. When a cyber incident happens, it means someone has figured out a way of getting into our sensitive systems, so someone is smart enough to know, and the thugs operating in third world countries are not smarter than our best and brightest experts. They don’t know our systems better than we do. However, they may expend more time and effort looking for flaws in systems than our own companies do, and that is the problem.
When someone attacks an American system, we can throw them any curveball we want. We can force them to offer any kind of proof of validity we want. We can monitor everything to the finest grains. There is no bit in an enterprise IT system that can’t be monitored and manipulated in real time.
The Reason Why Cyber Insurance Has Done Poorly:
It’s the most straightforward and understandable reason imaginable. Results-driven cyber security has never been a thing that many companies have been tasked with. There have never been any consequences for having poor cyber security at most companies. There are no regulations requiring base levels of cyber security controls, and few companies ever audit or keep records on what their security controls are.
So what we have is an absolute regulatory vacuum, and, predictably, companies are very bad at getting their act together and managing their risk properly if there is nobody there to set baselines and hold their feet to the fire.
All that is required to make unlimited amounts of money in cyber insurance is a full understanding of what needs to be done to keep companies compliant with good standards for cyber security risk controls. That said, this is not an easy task. It takes a lot of experience to actually get good at cyber security and understand what it takes to keep organizations on task.
What the goal of cyber insurance should be:
Cyber insurance insures controlled environments, artificial risks and technology systems. It is completely based on compliance. All things can be monitored, audited and inspected, and we know, for certain, that systems can be made highly secure and very resistant to attempts to take them over.
Because of this, cyber insurance should not be a product that pays claims regularly, and if it is administered properly, it won’t. Like any proper technology insurance, by applying appropriate pressure to vendors, tracking potential risks and aiding with compliance baselines, this line of insurance can be brought into reasonable control, where it never has to pay any major claims. There may be some minor claims, due to investigations or accidents, but if things are done properly, modern American technology should never fall to a group of third world terrorists, as it so often does now.
This is how any insurance that deals with highly technical issues in professional settings works. The problem is entirely regulatory, and, with proper oversight, any technology can be brought up to standards of good safety. The point of this type of insurance, therefore, is to keep organizations on task and provide a safety certification so that customers, clients and investors can be assured that safety is being maintained.
If ever a major claim is paid out, heads should roll. Major claims coverage is just a backstop, in case the primary compliance enforcement somehow fails or something slips through the cracks. This should only happen, at most, once in a blue moon. When a major corporate hack does happen, it should be investigated as the one-off tragedy it is, with the root cause being determined, so that it won’t happen again. It really is amazing that we have degenerated to the point where we normalize the payment of claims for things like ransomware, operational losses and fraud.
One thing that is important not to forget is that, as technology improves, things are supposed to get more secure and not less. This seems perfectly reasonable. In this case, the US is failing to rein in these risks and losses, and that is just unacceptable.
Small Organizations Will Need Help:
For small organizations, medium organizations and even some large organizations, it can’t be expected that they will have good security and compliance when they sign up for cyber security insurance. Asking anyone to fill out a vague series of questions at an insurance agency or with a broker is not going to get any meaningful information to help qualify their risk, nor can it be expected that any requirements will be enforceable without a great deal of proper care for how things are worded and an effort to ensure clarity of requirements.
For one thing, it is mandatory that there is a compliance help desk and compliance coaching available. That’s because many organizations will lack the ability to even understand what is being asked of them. Confusion and frustration can be expected. Certainly, AI and self service can go a long way, but in the end, it is impossible to fully substitute the human factor in helping organizations get going.
Because so many organizations will not be compliant with even the most basic levels of security, it’s important not to present any loaded questions or questions that have any wiggle room and have any incentive toward answering with anything other than the truth. Again, most organizations will not meet reasonable baseline standards for security, so it’s important to figure out where they are so that they can have their gaps filled and security upgraded to meet reasonable standards.
It will be necessary to provide some hands-on assistance. Most MSPs and MSSPs are unlicensed and lack certifications or professional oversight. It isn’t really possible to send out a client to find an MSP and expect that MSP is going to provide a reliable assessment. The only way this really can be done is through preferred and fully vetted firms or by auditors and inspectors who are internal to the insurance company. Using a client-determined MSP is just not reliable, nor is self-attestation a reliable manner of assessing cyber risk.
In general, if a small business wants cyber insurance, they will have to go through a detailed process of auditing and inspection. Thankfully, this can largely be automated, and most companies rely on a relatively small number of software vendors. There will still be a need for some level of expertise when organizations use customized systems or specialty software, which many do. Automation can do more than 95% of the work of enforcement, but it can’t always work in unique situations and edge cases, and it’s also important to talk to the people of an organization and make sure the results that automated system inspections are giving are accurate.
Inspections will likely find that there are issues with security. This is going to be the case at most organizations. Even the largest clients will not always be 100% compliant with the most basic of security measures. So this will require a phase-in and remediation period and a second audit to confirm that things were done correctly the first time. After that, ongoing reporting with telematic enforcement, periodic audits and change management is required.
I realize this sounds daunting, but it’s really the only way to achieve good security, and the process is mature and costs can be calculated. It becomes easier with time and experience. This kind of enforcement benefits from economies of scale. Once one vendor or product is confirmed as safe, this can be rubber-stamped at other clients who use the same vendor or product. Most companies use a limited number of vendors, and 90% of companies use the Microsoft ecosystem. There really are only two dominant mobile phone operating systems, and Windows dominates desktop operating systems, with a few others running MacOS, Linux or ChromeOS. So, it really is not as daunting as it seems. There is an obvious need for some training. There will need to be engagement with vendors and a full understanding of enforcement mechanisms and methods, but this is all completely manageable with known and off-the-shelf solutions.
Large Organizations Have Complex Needs:
Small organizations can be complex and difficult to deal with, but large organizations are not easy either. With large organizations a different approach may be necessary. In fact, large clients run the gamut. Some are very well organized and can provide excellent audit reports. Those are easy, but most are going to have issues. This can be extremely complex at an organization that has many subsidiaries, has grown through M&A and has various ventures, joint or otherwise.
Large organizations frequently have customized technology or may be producing their own products or services that carry third party risk. It is inevitable that large organizations will frequently be complex. They may even operate one-of-a-kind facilities. This is not at all insurmountable, but it does require that specialists be available for such situations. The failure to invest in cyber security talent has been a huge problem here.
It Can’t Be Fully Outsourced, Without a Lot of Vetting:
It is important to understand just how immature most companies are when it comes to cyber risks and how poor the market is at assuring that contractors and vendors actually prioritize security. At this point, most contractors are focused on client satisfaction and they know very well who pays the bills, so if you simply tell a client to go find a vendor who will fix their security problems, they will likely find the lowest bidder who is willing to do the most cut-rate kind of work.
There really are no reliable places that clients can go for basic advice either. Simple questions like “Should I upgrade my firewall, because the one I have is a couple of years old?” or “How can I make sure I can still do business if I lose my internet connection for a day?” are going to come up frequently, and the quality of cyber advice out there is extremely poor. It can make all the difference in the world to just provide that basic trusted and accurate advice, and it’s worth it to avoid clients going to someone who does not know what they are talking about, which is most people.
For minor work, it does not make sense for small companies to have to establish a relationship with a vendor and have them send an independent technician just to configure an additional system, which has to be integrated securely. All of these things are doable, the talent is out there and they can be scaled at profit, but they do require the proper knowledge and expertise to do.
If contractors are to be used, then they must be fully vetted, and they must follow standards for risk management set by the insurance company. Because there has been such a regulatory vacuum, and because existing contractors and vendors have rarely been held to the highest standards of compliance and security, there will need to be an effort to make sure that anyone who is certifying the security of policyholders has their incentives aligned with good security and not just getting the job done quickly and cheaply. For this reason, some level of direct subsidies through premiums makes the most sense. It helps avoid any conflicts of interest.
Most important, when outsourcing, is to require certification by accredited industry bodies. It is insane to have a client evaluated by anyone other than a Certified Information Systems Auditor.
How Cyber Security auditing and enforcement works:
Cyber security risks are kept in check with a series of mitigating controls, with systems monitored, security periodically tested and a system of auditing and compliance reporting. The way this is done is mature and conventional. It follows the same patterns and uses many of the same methods as other forms of CGR (compliance, governance and risk), and the auditing of cyber security compliance goes back decades, with methods and procedures constantly being reviewed by organizations like ISACA (the Information Systems Audit and Control Association) and NIST (the National Institute of Standards and Technology). There are other auditing regulatory bodies, though none currently have the kind of enforceability and recognition that is found in other areas of technical compliance.
Auditing, using formal procedures and professional auditors is how banks and large institutions maintain compliance in cyber security baselines. It’s how credit card processors assess the security of merchants, and it is the standard in highly regulated industries. Currently no cyber security insurance companies are capable of reading an audit report and understanding what it is telling them. There are no professional auditors of cyber security compliance working for major insurers. This is unfortunate. It’s also ridiculous. It means the most sophisticated clients are unable to interface at all with their insurance carriers to report their compliance.
It is important, for the purposes of objectivity and accuracy, that audits be done properly and with formally credentialed auditors. This would be the standard in any other area of compliance management. It’s entirely reasonable, because auditors always need to be protected against pressure to report things in a biased manner. Auditors should be placed in a department that is governed separately from the department which implements the security controls. It’s very important that Certified Information Systems Auditors be used in this function, as they are held to ISACA standards and are trained to be objective and to properly assess and enforce the risk controls in information systems.
It may seem daunting to audit every organization, and it may seem worse to both audit organizations and maintain an ongoing enforcement effort, but full manual auditing of all security controls is only necessary for the largest organizations and most complex and high stakes environments. Some level of self-assessment can be done by smaller and lower risk clients, but it must be done properly, with evidence attached to the report, detailed instructions, help when needed and a well-designed system for reporting. Automation can also be used, although it will need to be manually installed and configured, in many cases.
Banks and credit card processors require some level of auditing and enforcement at all merchants who process credit cards. However, they manage this seemingly daunting task by scaling the audit requirements to their clients’ size. Smaller merchants do not need to have independent audits, but larger ones do. The process also relies on relationships with vendors, helping to pre-approve technologies as secure out of the box. The system is economical and works well at avoiding losses due to intercepted credit card transactions.
Increasingly, organizations are moving to the cloud or using connected and managed services. This makes the task easier, because cloud environments can be highly automated and major cloud providers like AWS and Microsoft Azure all provide a suite of built in enforcement and inspection tools, which automate the process. If insurers work with these vendors and integrate these methods of telematic enforcement and reporting, much of the process can be done with full automation, behind the scenes, with little human labor or input.
It is important that insurance carriers take some ownership of this, however, because individual organizations will not reliably enforce their own compliance of their own accord, simply because they are told to do so. It’s not that they are dishonest or do not care, but this is an area where companies seem to struggle to maintain discipline. It needs to be understood within the standards of how companies are incentivized in a market system. Within that context, the problems become very familiar.
How a Formal Compliance Audit is Conducted:
Cyber security compliance auditing is extremely conventional and established in how the process works. Typically, audits are done by either an internal audit team, a third-party auditor, or, in some cases, an external entity, such as a client or government agency. What is included in an audit depends on what the goal of the audit is and what types of risks are to be addressed. Also, who the intended audience for the audit report is must be factored in, since some audits reveal things that must be kept confidential and some do not.
Typically, audits are best done with an external stakeholder or some kind of critic who can enforce quality control. This may be the general public, in the case of publicly reported audits, or may be investors. It can also be regulators or insurers, but it is important that an audit has some kind of ownership to it, which goes beyond the party being audited for compliance. For example, with banks, it is not unusual for a “peer audit” to be conducted, where a randomly assigned bank is given the task of validating another bank’s internal compliance audit. This system exists because banks are highly connected and it has long been recognized that an IT security problem at one bank can easily propagate.
As mentioned earlier, ongoing compliance enforcement can largely be automated, but this may not be appropriate for all risk levels and client sizes. It also depends on what the goal of the audit is. In many cases, compliance audits are focused more on complying with black letter law standards than on results-driven risk and security reductions, which is an important distinction to make. To date, audits which are done with a loss control mindset, that is, designed to be pragmatic and get results while being easy and enforceable, dispensing with unnecessary metrics and focusing on the most important ones, are rare. The only sector that does that regularly is banking and credit card processing, which has always enforced the strongest possible cyber security loss controls, due to the fact that credit card processors have borne the brunt of cyber security losses.
Typically, an audit starts with scope discussions, then a formal audit charter is created, giving the audit its goals and limits. The actual examination begins with an IT asset inventory. This frequently must be validated as accurate before checking to ensure all assets and liabilities, within the scope of the audit, have a control which is approved. Auditing also involves examining procedures, collecting evidence and interviewing stakeholders. After an audit, the results are reviewed. It’s typical to find a few minor problems, which can be corrected right away and do not require their own dedicated effort. If any major deficiencies are discovered, a remediation will be recommended, with potential mitigating controls in the meantime and an effort to retrofit the systems that do not comply.
When new controls and systems are brought into a secure IT environment, they have to go through a process of change management and approval. This may involve committees or additional oversight. All of the bureaucratic process of evaluation and enforcement of compliance draws on existing corporate compliance strategies.
Standards and Frameworks in Cyber Security:
Cyber security has existing frameworks for compliance, but the problem is that they are not generally specific enough to be fully enforceable without technical-level approvals and well written, comprehensive definitions of what terms mean. This is one of the major reasons why it is so hard to enforce cyber security good practices. What constitutes an approved technology, product or methodology to achieve a given cyber risk goal is highly arbitrary, and organizations are frequently left to make their own choices.
Many of the existing frameworks for cyber security compliance, such as COSO and COBIT, are primarily focused on the governance end of cyber security controls, with requirements for enforcement and reporting baked strongly into the frameworks. There are also more specific frameworks, such as NIST’s cyber security framework and similar international standards from ISO. There are also standards for more specific circumstances, like healthcare, which uses the HITRUST standard and must comply with HIPAA requirements. There are other specific standards that apply to given situations and industries. There are also standards like SOC2, part of the Service Organization Control reporting protocols. SOC2, like most other standards, does not require any specific technologies be in place but instead is a reporting standard for service organizations to report their controls to clients and prospective clients.
It is important that high stakes audits be done by Certified Information System Auditors. Ideally, they should be from an external organization and working with a proper audit charter. Auditors should be free from any sales pressure and should have limited contact with clients, beyond the audit work itself. These are all important controls native to any form of compliance auditing. There is also a place for cyber security experts who have expertise extending to things like public audit and cyber-CPAs, but unfortunately, few currently exist.
For the most part, the standards and frameworks that exist are just that: frameworks, and this is where we find a fundamental, though not unsolvable, problem with the enforcement of cyber security standards: the lack of detailed definitions, lack of vendor certifications and lack of independent technical approvals with independently verifiable audits, laboratory testing and independent analysis. What this means is that standards will tell you that you must have “industry standard encryption” or “update systems regularly.” This is difficult to enforce. It leaves a great deal of what these words mean up to the judgement of individual companies, and therefore, it’s difficult or impossible to maintain consistency. What we need is a standard that says “You must use industry approved encryption, and Microsoft Bitlocker, with TPM key storage, meets those requirements” or “You must have a full stateful inspection firewall, such as a Cisco model 3005t” or even “Systems are updated by the end of the day Thursday, each week, by the IT department, and if any delays occur they will fill out an explanation of delay in updates form.” Only that kind of specific approved process and technology language can actually get the kind of compliance and loss reduction necessary. This is like any other field of safety technology. It’s not enough to say “You must have a fire suppression system.” It is necessary to specify how often the system is to be tested, which models are approved to meet the specifications and what kinds of documentation are needed to provide the necessary verification that those technologies and vendors have been properly vetted.
The Need for Technical Approvals:
The process of technical approvals may seem daunting, but it is already done with numerous other technologies, consumer products and safety systems. The validation of an approved device, for example, begins with the establishment of strict standards for what kind of safety features it must have, what its baseline functionality must be and what kinds of tests it should be subjected to. This typically includes torture testing technologies, to the point of failure and beyond, to establish the function of devices and assure they do not behave in a manner that is dangerous and unexpected.
Typically, there are industry standards, which are set by trade organizations and government agencies. There is often a collaborative effort, and organizations like NIST and ISO play an important part. Specific organizations, like the Society of Automotive Engineers or the National Fire Protection Association, are often empowered to set some of the enforceable standards. In practice, insurance companies are generally central to this process. This does not mean that the insurance sector must pay for the enforcement; typically the individual vendors must foot the bill for technical approvals.
With most consumer products, in the United States, Underwriters Laboratories is the premier independent testing laboratory, but others exist, such as FM Approvals. These organizations are subject matter experts in all the ways that something can fail and have engineering experts deconstruct, analyze and document the safety and potential failure modes of the technology.
This is standard for all kinds of security, but IT systems lag others in terms of testing and validation. Product testing needs to be comprehensive, with full lifecycle management. Some products need to be retired when the manufacturer stops supporting them or if flaws are discovered after they are released. It’s very important that a comprehensive system of approvals, audits and lifecycle management be part of cyber risk management efforts, but this can certainly be done in a manner that is economical.
The Need for Penetration Testing:
Penetration testing, or pentesting, is the practice of testing systems against potential hostile attack by having ethical hacking experts try to attack the systems, under controlled conditions, to see if they can be breached. The systems in question could be individual technologies, like firewalls and software, or could be entire organizations, where experts may work under agreement to try to break in, using methodologies as diverse as breaking Wi-Fi encryption to tricking workers into revealing secret information.
The scope and extent of pentesting depend on the circumstances, and different penetration tests can be done with differing levels of rigor. The security experts and technologies available to companies in the US and elsewhere are absolutely top notch. If our best and brightest are given ample opportunity to break into a system, and they can’t do it, it is unlikely that an external adversary would be able to breach the system.
The reason that we have so many technologies reaching market, only to be found to have poor security or fundamental flaws, is that pentesting is underutilized as a means of validating security. Most software is not fully tested, and if it is, it is usually done entirely by the software developer.
Full enforcement of penetration testing, with results that matter and standards designed to properly evaluate risk, is rare. It’s not enforced outside of a few high risk and highly regulated sectors. In general, when it is done, the focus isn’t always on the results. One of the biggest problems is many organizations do not want to receive bad news from a penetration test, so they put restrictions on the testing, which is intended to prevent the testers from being successful in an unexpected way.
It should be obvious that penetration testing is really the only way to be sure that security is working and achieves the results it is intended to. This is, of course, how all secure systems are tested. Locks are subjected to not only picking, but physical attacks with hammers and crowbars. Doors and safes are attacked with plasma lances, drills and even explosives. Only the full torture testing of security systems can validate that they can stand up to attempts to defeat them.
The biggest problem is that this is not done frequently enough with IT systems, and even when it is, the goals and stakeholdership are frequently misaligned.
Most Current Standards are Not Pragmatic and Results-Driven:
In addition to the vagueness and difficulty in enforcing rules and regulations that lack technical-level approvals, there is the problem with the lack of results-driven cyber security standards. Good loss control standards are designed to control losses and achieve the best possible economics, balancing the cost of loss control services and compliance enforcement with the cost of absorbing losses. They should be designed to be efficient, easy to understand and to be as self-enforcing as possible.
That’s not how current cyber security standards are generally written. Most are overly complex and too extensive for small and medium organizations. Standards like NIST 800, the standards for risk management in federal information technology systems, were designed for high security situations and defense contractors. Therefore, they fail to properly prioritize risk controls based on which ones have the highest ROI and are the most important, especially in commercial situations. These standards simply are not based on any kind of cost benefit analysis and are not always evidence-based.
Following such standards does not actually assure the highest standards of security for all organizations, but it can introduce a lot of unnecessary expense and red tape. It can be very hard for a small or medium company to comply with such comprehensive standards and even harder for them to document it properly. It’s also unnecessary, since they will not be the subject of nation states trying to spy on them with drones. When it comes to well written loss control standards, the only one in existence is PCI DSS, a private sector standard, created by credit card processors and charge card companies. This standard is designed to be results-driven, enforceable and light-weight. It works well, and probably should be expanded, as it has a great ROI and has saved hundreds of billions of dollars.
What basic controls do organizations need to avoid cyber security problems?
The obvious question is specifically what kinds of mitigating controls are needed to achieve the highest possible levels of cyber security, and to ensure that problems are uncommon and caught early, when they do happen. The answer is that nothing special is required. It does not need super high-level intellect. It does not require any exotic or customized technology be brought in. It is just basic due diligence level controls.
1. Secure Email – One of the most common attack vectors is to first break into an email account. This is because e-mail is one of the oldest, poorest monitored services out there. If a company has a 30-year-old server, still in service, it is probably an email server. After all, e-mail has not really changed much in the past 30 years. Additionally, the email service offered by Microsoft is not the most secure out of the box, without all the proper features enabled.
There are, however, many secure email options and providers. Email is a relatively commoditized service, and you can always switch email providers without a lot of effort. So switching to a highly secure email provider, which provides strong access control, anomaly detection, attachment scanning and so on, should be no problem. These services are not expensive and are turnkey and available. It’s just that not enough organizations fully utilize these services.
2. Phishing Protection – Phishing is the single most common root cause of cyber security incidents. The way this works is that a realistic seeming email is sent to an end user and the end user is generally tricked into either revealing their password, downloading a harmful file or otherwise being compromised, through social engineering, as opposed to technology-based hacks. There are extremely effective anti-phishing services, which can reduce losses, from this threat, by upwards of 99%, but too many organizations forgo this protection.
There are many reasons why phishing protection is so poor. It may have to do with the fact that phishing is the least exciting type of attack, and many organizations seem to think that signing up for full featured phishing protection is something akin to admitting that their staff could be gullible. That kind of mentality is why phishing protection must be mandated. It’s a greater threat than most can imagine. Services that provide excellent phishing protection are not expensive, but they are just not likely to be instituted of an organization’s own accord.
3. Universal MFA for Access Control – MFA is the single most important protective measure that any organization can take. If properly instituted, MFA could reduce losses by upwards of 80% or more, in and of itself. However, because MFA is seen as an additional annoyance and resisted by people and organizations, this control must be enforced with a great deal of effort and discipline. It is very hard to get organizations to embrace something like MFA, since it increases the difficulty or annoyance level.
There are a lot of options for good access control out there, including a number of managed services. But they are also not all created equal. Most MFA installations are done to the lowest common denominator, which is unfortunate, since doing this properly can be the difference between being hacked and not being hacked.
4. Automated Updates and Patch Management on All Systems – Patching computer systems is one of the most important forms of preventative maintenance. As new threats emerge, new vulnerabilities are discovered and new systems require compatibility, there is a need to update software regularly. This process can be largely automated, but it’s very important and could theoretically stop up to half of cyber attacks, if both the correct software were installed and updated regularly. Many companies got into the habit of not updating their software, because it does occasionally cause compatibility issues or they may not like updated features, but this mentality is obsolete, since updates are so important to maintaining security.
5. Firewalls on All On-Prem Connections – Every connection to an office, a physical location or any servers or infrastructure should pass through a firewall, when connected to the internet. This is a very basic and straightforward protection, which has been recommended for many years, but like so many cyber security requirements, careful enforcement has been lacking and many organizations have inadequate firewalls on internet connections. Firewalls are one of the most basic forms of protection for any network. They determine which connections are allowed to pass and which ones are blocked.
One of the problems is that firewalls have evolved over the years, and a firewall from 2005 is no longer considered to be adequate protection, by modern standards, but it would still qualify as a “Firewall” and this is where the approval process is so important. Having a proper, modern, updated and well configured firewall is much different than having a device that meets the minimal definition of what is a “firewall.”
6. All Critical Data Backed Up and Backups Tested – The single most important loss control for data protection and cyber security is to assure that backups are being made, kept securely and have been tested to make sure that they work and can be relied upon in an emergency. As a loss control, backups are important to any incident response, both for standard cyber attacks and for things like natural disasters and even insider threats. Few companies do their best to keep backed-up copies of their data and test the backups to ensure they are reliable and being done properly.
7. Full Business Continuity Planning for Diverse Contingencies – One of the most vital controls that every business should have is business continuity planning. This is a basic control, which is not native to cyber security only. It is important for all kinds of situations, from office violence to pandemic and natural disaster. Business continuity planning should be done at least annually, but few companies do this. Business continuity, in the modern sense, takes into account the need for secure remote data access and leveraging cloud infrastructure to remove the need to be in a given geographic location.
8. Banking-level Financial Controls in Place – Financial fraud is not a new problem, but this risk has entered a new venue due to the transition toward an IT-centered business world. Fraud schemes like sending out fake invoices to companies have been given a new lease on life by the transition to e-mail communications, which are far easier to spoof and cheaper than snail mail and quicker than fax or telephone. That is why scams like this have increased in severity and scale, even if the basic scheme is not a new one.
The best way to combat this problem is with financial and anti-fraud controls at the banking level. Simply instituting a written policy is not likely to be effective, but arranging with your bank to only allow transfers to approved accounts, to flag high risk transactions and to send some transactions to secure escrow for processing is. These controls are available from banks and payment processors, but are rarely used to their fullest. If used properly, fraud can be all but wiped out and the risk of loss can be fully transferred to the bank or funds transfer company.
9. Endpoint Protection On All Systems – This is basically what most people think of as antivirus. Modern endpoint protection does more than just scan for viruses. It includes configuration management and assuring updates are in place. Modern enterprise endpoint protection includes central reporting, anti-malware, monitoring, firewall configurations and other similar protection. It’s like the immune system of every individual computer. It’s very important that every system in use, whether laptops, desktops, servers or even phones, has endpoint protection and that this is kept up to date.
10. Full Use of Compliance Automation, especially in the Cloud – There are many automated and full telematic compliance products out there. For example, Microsoft offers Microsoft Automated Compliance Enforcement Assistant. AWS and other major cloud providers also have tools which can help enforce compliance automatically. It is very important and helpful to use these tools to the maximum capacity. However, because these tools are not required, and because there is no third party to report to, they are rarely used to the maximum capacity.
These are not all of the controls that every company needs. Some specialty companies and edge cases will need special and highly customized controls. Not every company needs the same controls, because not every organization uses the same technology or is exposed to the same risks. However, the above listed controls will reduce losses by over 90%, in most organizations, if applied correctly.
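As an added example (not from the essay), the following Python script models the audit steps described earlier, validating the asset inventory against what is actually found on the network and then checking each asset and the organization against the baseline controls listed above, classifying each finding as minor (fix on the spot) or major (needs a remediation plan and a second audit). The thresholds, the approved-firewall list and the sample inventory are constructed assumptions, standing in for the specific approved-process language the essay says standards need.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed thresholds, standing in for specific, enforceable standard language
# (e.g. "systems are updated by the end of the day Thursday, each week").
MAX_PATCH_AGE_DAYS = 7
MAX_BACKUP_TEST_AGE_DAYS = 90
MAX_BCP_REVIEW_AGE_DAYS = 365          # business continuity plan reviewed at least annually
# Constructed placeholder for a technical-approval list; a real one would come
# from an independent approval body, as the essay describes.
APPROVED_FIREWALLS = {"ExampleFW-NextGen-2023"}
AUDIT_DATE = date(2024, 5, 6)          # constructed "today" for the sample run


@dataclass
class Asset:
    name: str
    kind: str                            # "server", "workstation", "phone" or "edge" (internet link)
    last_patched: Optional[date] = None
    endpoint_protection: bool = False
    mfa_enforced: Optional[bool] = None  # None: asset grants no interactive access
    firewall_model: Optional[str] = None # only meaningful for kind == "edge"


@dataclass
class Evidence:
    """What the audit collected for one organization (constructed structure)."""
    assets: List[Asset]
    phishing_protection: bool
    last_backup_test: Optional[date]
    last_bcp_review: Optional[date]
    bank_approved_payees_only: bool


@dataclass
class Finding:
    control: str
    subject: str
    severity: str   # "major": remediation plan + re-audit; "minor": correct right away
    detail: str


def validate_inventory(ev: Evidence, discovered: List[str]) -> List[Finding]:
    """Audit step 1: the inventory must match the network. An asset that was
    discovered but never inventoried has no assigned control, so it is major."""
    listed = {a.name for a in ev.assets}
    return [Finding("inventory", n, "major", "found on network but not in inventory")
            for n in sorted(set(discovered) - listed)]


def check_assets(ev: Evidence, today: date) -> List[Finding]:
    """Per-asset controls: patching, endpoint protection, MFA, approved firewall."""
    out = []
    for a in ev.assets:
        if a.last_patched is None:
            out.append(Finding("patching", a.name, "major", "no patch record"))
        elif (today - a.last_patched).days > MAX_PATCH_AGE_DAYS:
            out.append(Finding("patching", a.name, "minor",
                               f"last patched {(today - a.last_patched).days} days ago"))
        if a.kind != "edge" and not a.endpoint_protection:
            out.append(Finding("endpoint_protection", a.name, "major", "none installed"))
        if a.mfa_enforced is False:
            out.append(Finding("mfa", a.name, "major", "interactive access without MFA"))
        if a.kind == "edge":
            if a.firewall_model is None:
                out.append(Finding("firewall", a.name, "major", "internet link has no firewall"))
            elif a.firewall_model not in APPROVED_FIREWALLS:
                out.append(Finding("firewall", a.name, "major",
                                   f"{a.firewall_model} is not an approved model"))
    return out


def check_org(ev: Evidence, today: date) -> List[Finding]:
    """Organization-wide controls: phishing protection, backups, BCP, bank controls."""
    out = []
    if not ev.phishing_protection:
        out.append(Finding("phishing", "org", "major", "no phishing protection service"))
    if ev.last_backup_test is None:
        out.append(Finding("backups", "org", "major", "backups never tested"))
    elif (today - ev.last_backup_test).days > MAX_BACKUP_TEST_AGE_DAYS:
        out.append(Finding("backups", "org", "minor", "backup restore test overdue"))
    if ev.last_bcp_review is None:
        out.append(Finding("bcp", "org", "major", "no business continuity plan"))
    elif (today - ev.last_bcp_review).days > MAX_BCP_REVIEW_AGE_DAYS:
        out.append(Finding("bcp", "org", "minor", "annual BCP review overdue"))
    if not ev.bank_approved_payees_only:
        out.append(Finding("financial_controls", "org", "major",
                           "bank not restricted to approved payee accounts"))
    return out


def audit(ev: Evidence, discovered: List[str], today: date) -> dict:
    findings = validate_inventory(ev, discovered) + check_assets(ev, today) + check_org(ev, today)
    majors = sum(1 for f in findings if f.severity == "major")
    return {"findings": findings, "major": majors, "minor": len(findings) - majors,
            "remediation_required": majors > 0}   # any major finding triggers a second audit


# Constructed sample: a small office with an unlisted host and a 2005-era firewall.
SAMPLE = Evidence(
    assets=[
        Asset("mail-01", "server", date(2024, 5, 3), True, mfa_enforced=True),
        Asset("ws-ceo", "workstation", date(2024, 4, 1), False, mfa_enforced=False),
        Asset("office-wan", "edge", date(2024, 5, 3), firewall_model="OldFW-2005"),
    ],
    phishing_protection=False, last_backup_test=date(2024, 1, 15),
    last_bcp_review=None, bank_approved_payees_only=True,
)
DISCOVERED = ["mail-01", "ws-ceo", "office-wan", "printer-lobby"]

if __name__ == "__main__":
    report = audit(SAMPLE, DISCOVERED, AUDIT_DATE)
    for f in report["findings"]:
        print(f"{f.severity:5} {f.control:19} {f.subject:13} {f.detail}")
    print("remediation required:", report["remediation_required"])
```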
Although this is not a comprehensive list, all controls that are needed are similarly fundamental and straightforward. There should, for example, be a procedure for how alerts of unusual activity are investigated and whose job it is to validate whether an alarm signal is a false positive or a real one. There needs to be training, which is well tailored to each job and role. Record retention and documentation are always important.
However, these requirements are similarly straightforward and logical. Extremely technically intensive and complex controls are rarely necessary in cyber security. After all, these are mature and sophisticated systems and can be operated safely, if that is the goal and discipline is maintained. The biggest problem is that, because it is so lucrative to attack American companies, they are being attacked almost continuously, so even allowing compliance to slip in one circumstance can be enough to cause major problems. It has proven incredibly difficult for organizations to maintain any kind of discipline in the absence of external stakeholdership in compliance.
The Importance of a Well-Configured Microsoft Ecosystem:
90% of companies in the United States rely on the Microsoft ecosystem. This used to be relatively simple, consisting of Windows installed on desktop and laptop computers, local Microsoft network administration and some servers for things like e-mail and file sharing. Traditionally, though, this has been wholly owned by the organization and relatively contained.
Today, things are not quite as simple. Microsoft, along with many other companies, has moved to a model that stresses software as a service. Today most of the profits for a company like Microsoft come not from one-time sales of software licenses, but from the ongoing provisioning of cloud services and subscriptions to products like Office 365, which is a highly web-centric and cloud-based product, unlike previous versions, which mostly kept data on the endpoint device.
Microsoft environments and devices are managed and configured through a technology called Active Directory. This protocol was started in the 1990s, and since then it has evolved, with new features added but most old ones maintained for compatibility reasons. Because of this, Active Directory has become complex and is not a very user-friendly technology. It may be beyond the capabilities of small organizations to have any expertise at all in how to properly configure this kind of IT ecosystem.
One of the biggest problems with the dependence on Microsoft products is that Microsoft has always given the end users of its technology entirely too much freedom in how they configure and operate it. This is just how Microsoft has been, philosophically, all along. Like many other software companies, Microsoft has done its best to avoid any kind of ownership of the security and reliability of the software it produces. Most software is sold without warranty or guarantee, and all risks are fully accepted by the end user. This is truly an outdated mindset, and it should have been left in the past many years ago, but there has been quite a lot of resistance to changing it.
For example, Microsoft does not require that internet-facing accounts have MFA enabled. In fact, prior to October 2024, even administrator accounts could be created on internet-facing systems without any requirements for access control. Even the weakest passwords were allowed. Even after October 2024, some organizations have asked for up to a year of extensions before fully implementing MFA.
Microsoft’s security products generally leave a lot to be desired. They tend to be rough around the edges and have poor documentation. These have never been a profit center for Microsoft, and Microsoft's investment in promoting, supporting and deploying security has been extremely poor. This is just how it is.
Even Microsoft’s MFA client is relatively poorly implemented, allowing organizations to choose options that are not secure, like using SMS for confirmation or using “push-based” MFA, which is a type that generally meets minimal requirements but is not considered effective.
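As an added illustration of the configuration weaknesses described in the two paragraphs above (not code from the original article or from Microsoft), the following audit scores each account in a constructed inventory export by its strongest registered MFA method and flags internet-facing administrators with no MFA and accounts relying on SMS or push only. The account fields, the strength ordering and the required levels are assumptions made for the example.

```python
# Added example, not from the original article: a small audit that scores the
# MFA configuration of each account in a constructed inventory export and flags
# the weaknesses the text describes (admins without MFA, SMS or push-only MFA).
# Field names, the strength ordering and the sample accounts are assumptions.
from dataclasses import dataclass

# Ordering reflects the text: no MFA < SMS < push < authenticator code < hardware key.
MFA_STRENGTH = {"none": 0, "sms": 1, "push": 2, "totp": 3, "fido2": 4}


@dataclass(frozen=True)
class Account:
    name: str
    is_admin: bool
    internet_facing: bool
    mfa_methods: tuple  # registered methods; the strongest one decides the score


def strongest_mfa(account: Account) -> str:
    """Return the strongest MFA method registered on the account ('none' if empty)."""
    return max(account.mfa_methods or ("none",), key=lambda m: MFA_STRENGTH.get(m, 0))


def required_level(account: Account) -> int:
    """Assumed policy: admins need at least an authenticator code or hardware key;
    any other internet-facing account needs at least push; internal-only,
    non-admin accounts are out of scope for this check (level 0)."""
    if account.is_admin:
        return MFA_STRENGTH["totp"]
    if account.internet_facing:
        return MFA_STRENGTH["push"]
    return 0


def audit(accounts) -> list:
    """Return (account name, finding) pairs for every account below its required level."""
    findings = []
    for acct in accounts:
        best = strongest_mfa(acct)
        if MFA_STRENGTH[best] < required_level(acct):
            findings.append((acct.name, f"strongest MFA is '{best}', below required level"))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("globaladmin", True, True, ()),             # admin with no MFA at all
    Account("helpdesk-admin", True, True, ("sms",)),    # admin with SMS only
    Account("cfo", False, True, ("push",)),             # meets the minimal bar
    Account("it-lead", True, True, ("push", "fido2")),  # hardware key registered
    Account("warehouse-kiosk", False, False, ()),       # internal only, not checked here
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```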
Microsoft’s products can be used safely and securely, but that often requires that they have additional features enabled and may also require that third party products be used in conjunction with Microsoft products. This can be tough for smaller organizations to figure out, and Microsoft has helped make the whole thing as clear as mud. Therefore, some level of expertise in how to set up the Microsoft ecosystem properly is required to manage cyber risks effectively.
In most attacks, lateral movement (horizontal traversal across the IT system) is accomplished because the Microsoft environment is simply not configured in the most secure manner possible.
Stalled Phase-out of Obsolete Technologies:
One of the major problems that cyber security risk managers face is the stubborn resistance to the final phase-out of technology that is no longer considered secure. This can happen because standards have changed, manufacturers may no longer support older products, and newer systems require newer components to be compatible. There are also certain technologies that have been discovered to have major security flaws in them.
The management of end-of-life (EOL) technology has always been a bit of a problem. There are no clear and enforceable mandates that require that technologies be phased out. This is truly a huge problem, because in many situations a technology has been 99% phased out, but a stubborn 1% remains. This can last for years.
For example, DNS, the Domain Name System, is a vital service that is used by internet-connected computers to direct them to the correct website. Standard DNS has been around since the 1980s and is not encrypted or regarded as secure. For over 20 years, DNSSEC (Domain Name System Security Extensions) has been the preferred method of connecting to DNS. Yet the old-fashioned DNS, without encryption and with many security holes, is still very much in use, and nobody will take it upon themselves to phase it out.
This is a very familiar problem for insurance companies. In cyber security it can be tricky because many organizations rely on custom software or products that are no longer supported, especially in industrial applications. This is not an insurmountable challenge, however, because it’s usually possible to isolate such systems and mitigate the risk, but it must be done, and right now, it is almost never mandatory.
Additional Considerations:
In the upcoming paper “Without Insurance We Cannot Win, With Insurance We Cannot Lose,” additional important considerations are included, such as the need for technical approvals and better incentives for good security. Insurance is the foundation of how risk is evaluated, priced and managed in a capitalist society. Because this is such a transition, we need insurance to be all in on this. There are many things insurance provides: approvals, enforcement of standards, independent research on risk management.
The key here is that none of this information is likely to be all that helpful to any insurance company that is only willing to put people from an “underwriting background” on cyber insurance. Amateurs and lay people don’t do well here.
Really, this all comes off as confusing to those who are not well versed in it. People have a hard time dealing with the intimidation factor. They also just plain don’t know what they don’t know.
We need those things to solve the cyber security problem.
And yes, at enormous profit too.