The Future of Cyber Insurance: Why cyber insurance isn’t going away anytime soon

The cyber insurance market has faced challenges in recent years. Increased ransomware attacks have driven higher loss ratios. Russia’s attack on Ukraine has raised concerns about catastrophic global cyber events. With news that the U.S. government might create a government-backed national cyber insurance program, some people wonder whether private cyber insurance will become obsolete. The IT and cyber security community has questions about the future viability of the cyber insurance market.

We want to understand the potential threats to the cyber insurance market. We see three main risks from these threats:

  1. Insurance companies, worried about large potential losses, retreat from the market.
  2. The U.S. government creates a national cyber insurance program that crowds out the private market.
  3. Prices for cyber insurance become so expensive that coverage becomes unappealing to most companies.

Although each of these threats is plausible enough to disrupt the future of cyber insurance, ultimately we find them unlikely. Let’s take each in turn.

The fear that insurance companies will simply retreat from the market due to the threat of large potential losses may be the most pressing concern. We can assess this threat better with some perspective on the history of the overall cyber insurance market and its position in the global insurance market.

Although 2021 was a bad year for cyber losses, the overall performance of the cyber insurance market in its 20-year history gives us confidence. Cyber insurance continues to be among the most profitable lines of business for global property and casualty (P&C) insurance. For more than 10 years, the cyber insurance market has grown steadily and is likely to continue growing.

Cyber risk continues to be among the top three risks cited by global risk managers, affecting every aspect of business and society. From cars, to manufacturing, building systems, to the very nature of workers’ everyday lives, technology affects every area of business and thus the insurance covering the risks it brings with it. Therefore, insurance companies struggle to ignore the attractiveness of the growing and profitable cyber insurance market, particularly in a world with few other options.

Rather than avoid the market, insurers are trying to improve their overall performance in cyber insurance. They are increasing prices and tightening underwriting standards with more requirements for cyber security. How these changes impact loss trends is not yet fully visible, but overall prices and requirements have moved at a greater pace in 2022 than in the previous two years.

Perhaps the greatest risk for massive losses is the risk of a nation-state-related catastrophic event. We see the insurance industry addressing this concern now.

Since the early days of insurance, insurance companies have recognized that war can create enough damage to bankrupt the entire industry. Every insurance policy, including cyber, excludes war-related losses. However, determining when a nation-state-related cyber attack constitutes a “war-like” action is a legal gray area.

Therefore, some insurance companies have started explicitly redefining “war” to include these nation-state-related attacks. For example, as of July 2022, Lloyds requires that cyber policies exclude coverage for nation-state-related attacks. Although this change might mean painful losses for individual companies in the short term, it allows the cyber insurance market to thrive in the long term. By excluding these exorbitantly expensive and difficult-to-model losses as “war-related actions,” this change essentially aligns cyber insurance with more traditional insurance.

Recognizing nation-state-related cyber attacks as war-related actions leads to the second main risk: the U.S. government might create a national cyber insurance program to protect companies from these attacks, and companies might then decide that private cyber insurance is no longer necessary.

Rather than replace a functional private market, we find that the U.S. government typically intervenes only where the private market struggles to provide coverage. For example, after the 9/11 terrorist attacks, Congress enacted the Terrorism Risk Insurance Act (TRIA) to provide government-backed funding for insured losses from large-scale acts of terrorism. This successful program is a potential model for a cyber insurance fund for nation-state-related attacks, which can then be included in private cyber insurance policies.

Finally, the third threat—that prices will become so high as to make coverage unappealing to most companies—is also possible but unlikely. Cyber insurance is relatively inexpensive, often less than 10% of a company’s total cyber security expenses. We do expect the application and underwriting process to get longer and more involved, as underwriters bring more requirements and scrutiny to these risks. However, we also see insurance companies and technology firms working together to reduce the frequency and severity of cyber attacks. Efforts to reduce catastrophic events help make long-term price increases more manageable.

We expect cyber insurance to continue to be a vibrant and growing market, with the entrance of more companies offering more and better protection. Even as we see some volatility and change in the near term, as underwriters refine their process further and governments find their role, we expect cyber insurance to be essential for many companies for a very long time.

Build a Cybersecurity Fantasy Team

The cost of protecting data has never been higher. What many experts fail to say is that the financial liabilities associated with poorly secured systems are on the rise as cybercriminals target both MSPs and their clients. Estimating the cost of downtime and remediation support and the reputational damage from these attacks can be difficult for any business. For MSPs, those incidents are even more concerning as the experts in all things cybersecurity – a poor response can undermine their credibility in the business community.

That’s why dealing with cyber risk has become a team sport.

Cybercriminals are running businesses too, so they must continue refining and escalating attacks to maximize their revenue opportunities. For example, a recent IBM study found that the average incident takes 280 days from the point of access to conclusion and costs each company approximately $3.86 million.

Cybercriminals understand that most SMBs don’t have the internal resources to prevent cyberattacks. Ransomware purveyors target those businesses indiscriminately and rely on poor defenses, application vulnerabilities (vendors and suppliers) and inattentive and lazy employees – perhaps even a little luck – to gain entry.

Combined with the ever-increasing creativity of the cybercriminal community, it’s increasingly more difficult to protect businesses of any size today. As the amount of data they create, collect and store continues to grow, their financial and legal risks increase proportionally, and MSPs must work even harder to lock it all down.

A Complete Game Plan

Good teams produce more than the sum of their individual parts. Successful cybersecurity collaborations typically involve a tremendous amount of planning, training, evaluating, and, perhaps most importantly, communication. Most MSPs excel in most, if not all, of those areas, as do many of the specialists in their partner communities.

Building and executing cybersecurity “game plans” require that commitment. From conducting assessments and highlighting areas of concern to strengthening defensive measures and contracts, MSPs need to lead the way. That push begins (and ends) with finding the right partners.

Draft Highly Skilled Partners

Protection is truly a team sport. Building a ‘fantasy dream team’ by “drafting” quality partners can help minimize liability for MSPs and their clients. Collaborative relationships with complementary subject matter experts – those with knowledge and skills in different aspects of cybersecurity, liability and compliance requirements – will elevate the defensive game to new heights.

The “team cybersecurity” approach focuses on risk aversion to limit financial and legal exposure for both clients and providers. Together, they provide more comprehensive coverage, as each is an expert in their respective area. They may collectively review existing processes and systems to identify and quickly address high-risk vulnerabilities and then develop plans for resolving other potential breach points or areas of concern. Potential “players” and their responsibilities include:

  • Vendors – MSPs typically partner with a number of suppliers to comprehensively protect clients’ networks, devices, data, applications and other systems. From end-point protection and data back-up and recovery providers to Security Operations Centers (SOCs), these “players” are focused on the cybersecurity game and many can even chip in during the off hours to give MSPs a well-deserved break.
  • Auditors/Remediators – these firms help MSPs identify and fix potential vulnerabilities following a structured approach. These professionals often serve a dual role: mitigating cybersecurity threats before they can cause harm to clients or providers and addressing similar issues following an attack.
  • Cyber Insurance Experts – every team needs a coach to measure the threat environment and guide game plan development. DataStream Cyber Insurance offers that level of support to MSPs with a Cyber Risk Assessment that evaluates the defensive posture of each client and a 24/7 Hotline to call when they first suspect a compromise. A tech assessment on each policy helps expedite claims and payments, eliminating potential stressors for providers and the business they support.
  • Attorneys with IT Specialization – every cybersecurity team needs legal representation to minimize risk on the front end, writing air-tight legal agreements and contracts, and on the back end, supporting the response when things go bad. Those professionals should get the first call following a breach to review strategies and ensure MSPs properly execute their remediation plans.
  • Public Relations Firms – messaging matters before and after a breach. Every MSP should have a crisis communications expert on their team to interpret the key points of the situation and help craft verbal and written responses. Information management is crucial. MSPs may need to share details of the compromise with different audiences, including clients, government agencies, law enforcement, and media. Releasing the right information to the appropriate people helps ensure the success of the response plan and prevents additional exposure.
  • Cyber Forensics Experts – these companies or individuals step in after a breach, analyzing the evidence and reviewing each incident step-by-step to determine what went wrong. More importantly, the information they provide allows MSPs and other team members to mitigate vulnerabilities and prevent future attacks.

DataStream Honored with 2022 XCellence Award

SUNNYVALE, Calif. — Sept. 9, 2022 — Managed service providers across the channel are fast recognizing the protection, partnership and peace of mind DataStream Cyber Insurance is bringing to their businesses — and those of their SMB customers. Attendees at the XChange 2022 conference, hosted by The Channel Company in Denver last month, selected the cyber insurance broker as winner of the 2022 XCellence Award under the Solutions Pavilion Strategy — Event category. The award marks DataStream’s sixth accolade in recent months, including multiple distinctions at industry shows for clearly articulating the MSP’s opportunity, offering a stand-out product/solution and other differentiators.

DataStream’s prowess in protecting SMBs and MSPs from cyberattacks with cyber insurance means covered businesses can enjoy comprehensive benefits that span from pre-breach protective services to post-breach response and remediation.

“Cyber risk is a team sport. It takes the vendors who develop the technology, the partners who install and monitor it, the legal and compliance teams who ensure the right protections are in place, and the insurance company who offer support when the inevitable breach occurs,” said DataStream Channel Chief Larry Meador. “MSPs are the quarterback of this team. They run the plays, but they also call the one-off audible if they don’t like the look of the defensive set. It’s rewarding to see our contribution to the team be recognized and valued.”

“XChange August 2022 was an absolutely massive event, and the vendors that were honored in Denver truly stood out from the crowd,” said Bill Jones, Global, SVP & GM, Connected Technology Communities at The Channel Company. “Our 2022 XCellence Award recipients truly deliver on the demands and promises of a new digital world, helping their channel partners to thrive now and for the long term.”

About DataStream Cyber Insurance

DataStream Cyber Insurance offers the most comprehensive cyber insurance coverage on the market, along with full cyber security assessments, data analyses of cyber risk in financial terms, and cyber security training. The company currently provides coverage in the United States and Canada, for both first- and third-party losses. DataStream also provides essential financial, legal and technical support in the wake of an incident — and helps businesses to quickly get up and running again. Make DataStream part of your business continuity plans today. DataStreamInsurance.com

About The Channel Company

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers, and end users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace. www.thechannelcompany.com

Follow The Channel Company: Twitter, LinkedIn, and Facebook.

Media Contact:

Taylor Gaines

CommCentric Solutions (on behalf of DataStream)
813-727-6871 | [email protected]

Are Your MSP’s Assets Adequately Protected from Cyberattacks?

IT service providers spend a lot of time discussing protection. Whether consulting with clients or developing plans to boost internal defenses, those conversations often center on data and the systems that store or transmit critical and sensitive information. With cybercrime on the rise, many technologists are more inclined to invest in more solutions and implement measures that will help keep providers and the businesses they support safe from IT-related threats.

While those defenses are critical, MSPs must look closely at legal liabilities associated with those IT ecosystems. Cybercriminals are directly targeting IT services companies since they hold the “keys to the kingdom,” with access to clients’ networks, business systems and, by default, their data. SMBs rely on MSPs’ security expertise to protect those assets. With the escalating attacks on organizations of every size and mission, the threat vectors are continually shifting and evolving.

The financial costs of a cyber failure are too big to ignore. Unfortunately, some SMBs are not taking the appropriate steps to secure every system, perform regular backups and protect all their important data. The lack of an effective cyber defense significantly increases their legal liabilities.

That last point is essential. No matter how well MSPs lock down information and secure critical infrastructure, if someone (or something) finds a way to get into a client’s systems, the provider will likely take some, if not all, of the blame. In a highly litigious society, that exposure can damage, if not cripple, a small business. Worse yet, if cybercriminals gain access through a provider’s network, the provider can expect other clients and prospects to scrutinize its practices. The costs, from both a public relations and legal perspective, could be enormous and threaten the MSP’s viability.

Why?

Because cybersecurity is a matter of trust. When companies sign up with an MSP, they expect that team to provide complete protection for their businesses and assume, as cybersecurity professionals, they will implement industry best practices across every part of their operation. If even one client becomes the victim of ransomware or a cyberattack, especially through a provider’s compromised system, the trust may erode quickly.

Cover the Risks

Despite the rising threats, there is hope for MSPs. Careful preparation on the business end of an IT service firm’s operations can lessen those liability concerns considerably. That’s why providers should always seek legal advice from attorneys who understand the MSP business model and appreciate the threats against your company and clients. Those professionals should have the know-how to minimize the firm’s liabilities in the event of a cyberattack and work collaboratively with insurers to support the best interests of providers and their clients. An IT services-skilled attorney will be an invaluable resource to prevent things from going sideways.

Consulting with someone with extensive expertise supporting the legal needs of MSPs provides peace of mind. A good tech attorney can craft, review or amend services contracts and master agreements and offer guidance on a variety of industry-specific issues, as well as general business processes and policies. MSPs need that type of oversight today. Quality counsel will proactively address potential issues before they become problems and minimize the exposure when things go bad.

Those professionals help keep an MSP safe from potential lawsuits and bureaucrats (think regulatory compliance) regardless of the threat landscape and legal environment. Think of them as a firewall for cybersecurity experts.

The Fine Print Matters

A key reason for working with IT-experienced attorneys is their understanding of professional services delivery and the documents that outline the various responsibilities of MSPs and their clients. The “legalese” in customer agreements could be a major factor in whether the firm continues to thrive, let alone survives, following a cyberattack.

That’s a major reason for updating your managed services-related documents. Attorney Brad Gross, a recognized authority in IT services law, suggests that companies with antiquated agreements may find themselves in worse shape than those without contracts.

“The devil is in the details,” he emphasizes. His recommendation to MSPs is to partner with a proven IT attorney to review and strengthen their critical business documents to minimize cybersecurity-related liabilities. For example, any promises IT services providers make, whether explicit or implied, must be based on reality, not marketing prowess. “You can be confident, but your confidence needs to be based on both tangible and intellectual honesty,” adds Gross. “The way to achieve that is to have agreements in place that manage customer expectations, and then have the technical background and ability to perform under those contracts.”

A poorly constructed MSA (master services agreement) or SOW (statement of work) can increase your liability. The language in these documents can expose an MSP to litigation following a breach or malware attack. Knowing what to put in and what to leave out are decisions best left in the hands of those properly trained to deal with those legal concerns.

Best Practices for Staying Ahead of the Hackers

If we find online safety measures like multi-factor authentication (MFA) irritating, we probably need to adjust our levels of expectation and trust for the internet of today. The longer we put off proper level-setting, the more likely we will fall for the scams and frauds that are rampant on today’s internet.

That’s one of the messages Roger Grimes shared on The Cyber Crime Lab Podcast recently. In this article, we’ll go deeper into his reasoning and share some of the best practices he advocates.

Subject-Matter Expert

Roger has been in computer security for over three decades. He started in the virus space, fighting Apple and DOS viruses, before spending the 1980s as a network technician, rising through the ranks.

Roger has written 1,200+ articles and 13 books, and has been interviewed on shows like “All Tech Considered” by NPR.

He now consults with hundreds of companies on security reviews, attack responses, and advanced persistent threats.

MFA

One of the things Roger is known for advocating is MFA. When he gets pushback on it, it is usually in terms of “it’s too much trouble.” This indicates that some people are still thinking about the internet the same way they think about real-life situations.

Roger gives the example of ordering a pizza: we call a number and have no idea who is answering. We may even give them a credit card number. Then some stranger comes to our residence and hands us food that we haven’t inspected, and we give them money. When it’s framed like this, it sounds like a lot of trust is involved, and it is! But that’s because there are safeguards in real life, not least of which are the police, who can help you in case of a potential attack.

Now consider that same scenario on the internet: You want to purchase a pizza. Is it strange that your bank or credit card company or even the pizza place want to double check that it’s a real person ordering and not just a bot?

So once we understand that it’s unreasonable to apply our default real-world levels of trust and expectation to the internet, we’re approaching the right mindset for keeping safe online.

Four Signs You’re Being Hacked

But you can’t question every experience, right? So once a reasonable level of security expectation is established, what are some warning signs to put you on high alert for fraud? Roger lists four:

  1. An unexpected communication — this could come from a person or organization that you know, or that it would be reasonable for you to know.
  2. Being asked to do something for the first time — this could mean filling out a form or sending an email or providing particular details.
  3. A stressor event — this is a demand that the thing you are being expected to do needs to be done in a short time window.
  4. Could be malicious — this is recognizing that whatever you do might expose you. This might include sharing your bank details or home address, or part of an identifying document, such as a partial social security number.

Job-Offer Hack

Red lights would definitely be going off in your head if all four of these signs happened at once. But Roger stresses that if any one of these occurs, you’re at risk. If all four do, you’re almost definitely being scammed.

Roger shares an example where a candidate was applying for a posted job offer whilst working at his current role (he was a chief marketing officer). He was asked to fill out an application in Microsoft Word format that had active fields in it. These active fields served as vectors for malware to capture his passwords and gain access. The scam cost his firm quite a bit of money, to say nothing of his embarrassment that the compromise happened because he was looking for new employment. Even worse, this person regularly read Roger’s columns and still fell victim to a scam.

This doesn’t mean that you can never trust a situation where there is a stressor event. It just means that you need to be vigilant, even in a scenario that you think you’ve initiated.

Romance Scams

Roger believes that sharing stories is a big preventative measure. But sometimes people disregard the evidence that they are being scammed.

Roger says this is most prevalent in romance/dating scams. Even when someone has been shown they are being scammed out of money, they still want to pursue a “relationship” with the scammer. “The heart has a mind that the mind knows nothing of,” Roger says.

It’s Not About Intelligence

It’s not “stupid” people who get caught up in these scams. One of Roger’s clients has a Nobel Prize in quantum physics — not someone you would classify as “stupid.” Yet he still got scammed out of two million dollars.

It’s not about intelligence, it’s about awareness. Keep up with the scams that are out there, be aware of the four warning signs in your personal interactions, and advocate for proper security measures to be taken in your professional environment.

Passwords and MFA

The average person logs into about 170 websites a year, but only tends to use three to seven passwords across those 170 sites, often without the help of a password manager. This goes back to the mentality shift Roger advocates.

We aren’t asked to remember dozens of passwords in everyday life. But instead of realizing that online there are methods in place to keep us safe, we rely on our memory and gut and then act surprised when we get hacked.

That doesn’t mean MFA is a cure-all. One of the last things Roger mentioned to us on the episode is about the class of MFA you are using. He advocates for phishing-resistant MFA. Just like viruses adapt to overcome treatments, criminals don’t just give up when confronted with MFA. They try to find a way in, starting with getting your password.

If they can find a way to hack your password, they can find a way to intercept your text messages, a one-time password, or answers to your security questions.

Roger refers to phishing-resistant technologies outlined in a White House document: FIDO2 WebAuthn and PIV smart cards, which use a third piece of technology to verify that the person requesting access is actually the right person.
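As an added example that is not part of the article and not code from Roger Grimes or DataStream, the following Python model shows what makes FIDO2/WebAuthn phishing-resistant where a one-time password is not: the browser writes the origin it is actually connected to into the signed client data, so the relying party can reject an assertion that was produced on a look-alike site even when that site forwards it unchanged. The domains, the credential secret, the sample OTP and the `otp_login`, `authenticator_sign`, `rp_verify` and `simulate` helpers are all constructed for this example, and an HMAC stands in for the credential's private key (real WebAuthn uses a per-site asymmetric key pair and also signs the authenticator data).

```python
"""Toy model of OTP versus WebAuthn-style origin-bound assertions.
Added example; names, domains and secrets are constructed, HMAC replaces
the authenticator's asymmetric key (a simplification)."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"             # constructed legitimate site
LOOKALIKE_ORIGIN = "https://bank-example.com"  # constructed look-alike domain


def otp_login(otp_expected: str, otp_submitted: str) -> bool:
    """OTP check as a server sees it. Six digits typed on a look-alike page and
    forwarded by it are indistinguishable from six digits typed on the real
    page: nothing in the code says where the user entered it."""
    return hmac.compare_digest(otp_expected, otp_submitted)


def authenticator_sign(cred_secret: bytes, challenge: str, browser_origin: str) -> dict:
    """Model of browser + authenticator (hypothetical helper). The browser writes
    the origin it is actually connected to into clientData; the signature covers
    the hash of that clientData, so the origin cannot be edited afterwards."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    )
    client_data_hash = hashlib.sha256(client_data.encode()).digest()
    signature = hmac.new(cred_secret, client_data_hash, hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": signature}


def rp_verify(cred_secret: bytes, issued_challenge: str, assertion: dict) -> bool:
    """Relying-party checks: ceremony type, the challenge we issued, the origin
    we own, then the signature over the client data. The origin check is the
    phishing-resistance property; the signature check stops an intermediary
    from simply rewriting the origin field."""
    try:
        client_data = json.loads(assertion["clientData"])
    except (KeyError, ValueError):
        return False
    if client_data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(client_data.get("challenge", ""), issued_challenge):
        return False
    if client_data.get("origin") != RP_ORIGIN:
        return False
    client_data_hash = hashlib.sha256(assertion["clientData"].encode()).digest()
    expected = hmac.new(cred_secret, client_data_hash, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion.get("signature", ""))


def simulate(origin_user_visited: str) -> dict:
    """Run both flows with the user's browser on the given origin. A look-alike
    site is assumed to forward whatever it receives to the real relying party."""
    cred_secret = b"constructed-credential-secret"   # constructed; per-site in reality
    challenge = secrets.token_hex(16)                # fresh per login attempt
    otp = "482913"                                   # constructed sample code
    otp_accepted = otp_login(otp, otp)               # forwarded digits still match
    assertion = authenticator_sign(cred_secret, challenge, origin_user_visited)
    fido_accepted = rp_verify(cred_secret, challenge, assertion)
    return {"otp_accepted": otp_accepted, "fido_accepted": fido_accepted}


if __name__ == "__main__":
    print("user on real site:      ", simulate(RP_ORIGIN))
    print("user on look-alike site:", simulate(LOOKALIKE_ORIGIN))
```

The OTP check succeeds in both runs because the server has no way to learn where the digits were typed; the WebAuthn-style assertion fails on the look-alike run because the origin is part of what was signed, which is the gap phishing-resistant MFA closes.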

Remember that if your reaction to this is that it’s overkill, it’s because you haven’t sufficiently shifted your mindset to what is normal on the internet. Until you do, you’ll be susceptible to attack.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.

Click here to learn more about how we can help secure your business data!

Practices of Cybercrime Syndicates

We recently had the chance to sit down with Vincent D’Agostino, Head of Cyber Forensics and Incident Response at BlueVoyant, on The Cyber Crime Lab Podcast. BlueVoyant provides security services like third-party risk and digital rights protection, among many others.

Before Vincent brought his talents to BlueVoyant, he spent a number of years with the FBI, seven of these on the team dedicated to dealing with traditional organized crime. While the connection isn’t obvious between that world and the world of cybercrime, someone with Vincent’s experience has context most of us lack—and this was just one of the things we spoke about during our conversation.

Traditional Organized Crime

Whatever country a traditional organized crime syndicate is in, they are involved in for-profit illegal activity. Vincent notes that many of these activities are in sectors the government does not regulate—and those organizations also deal in corruption to make sure that status quo stays in place. These organizations may also practice:

  • Physical violence
  • Extortion
  • Blackmail
  • Early adoption (using the latest technology to their benefit)
  • A particular code of rules, both implicit and explicit

Cybercrime Syndicate Similarities

While you can’t commit physical violence on the Internet, cybercriminals can and do commit economic and financial violence against businesses and organizations.

They use ransomware, powered by the latest technologies, as a tool of extortion along with threats of data breaches as blackmail to add pressure to ransomware.

Cybercriminals also operate by a specific set of rules, which includes how they get paid (usually in a difficult-to-trace blockchain-based currency) and how long they give victims to pay.

Cybercrime Syndicates as Tech Startups

The twist many might not expect is that, in addition to emulating the structures of traditional criminal organizations, they also follow some of the best practices of rapidly growing tech startups.

Tech startups need to:

  • Fundraise — cybercrime syndicates do this through their criminal activities which can include speculating in and meddling in traditional and crypto currency markets.
  • Hire well — cybercrime organizations have “job postings” out on the dark web which follow a traditional process of reviewing CVs and interviewing candidates.
  • Know their customer — cybercriminals research specific niches and sectors in order to find out which organizations are most vulnerable and what they can pay in the case of a ransomware event.
  • Have a strong brand — employer branding can help with hiring in the legitimate business world; it also helps in the criminal one. A strong brand also puts victims on notice that they are dealing with serious threat actors, not just one hacker in a basement somewhere.
  • Deal with shifts in world events — because Ukraine and Russia have been bases for some of these organizations, the recent war and resulting sanctions have made it more challenging for cybercriminal syndicates to operate.
  • Schedule product launches — cybercriminals tend to pick vulnerable days (Fridays) or holidays (Christmas) to trap victims in particularly stressful and vulnerable situations.
  • Use social media well — cybercriminals can use bots on social media networks, which push out deep fake content to create pressure around their goals.
  • Use the latest technology — cybercriminals often use military-grade tools and packages to overwhelm their victims, triggering a surrender reflex that’s the mirror of the “buy” reflex when a traditional consumer sees dazzling technology.

Conti

During the podcast, Vincent frequently referred to Conti.

For those unfamiliar with it, Conti is ransomware focused on Microsoft Windows that has been observed since roughly 2020 and is believed to be distributed by a Russian-based group. The US government offered a $10M reward for information on the group in May 2022.

They use a website to leak documents copied by the ransomware. The technology and its implementation were shrouded in mystery until recently.

In a twist of poetic justice, the Conti Group (as it’s known) was subject to its own leak of 60,000 messages recently. This was done by an anonymous subcontractor of the group who was opposed to Conti’s unconditional support of Russia and its threat to launch cyberattacks against anyone who launched cyberattacks against the country.

The leak shared source code as well as the source of possible leaks to the Conti Group within the Russian government. Governments that are already sanctioned in some ways turn a blind eye towards threat actors in their territory, usually content to simply take a sort of “tax” on their activities.

Vincent thinks that this event will lead Conti to do something else that tech startups sometimes do: rebrand. Once an organization has been uncovered in any way, its power is weakened.

A Big Difference

While Vincent noted many similarities between traditional crime and cybercrime, there is one big difference: scale. Because of the Internet, and because of the medium of software, cybercriminals can commit hundreds or thousands of times the number of crimes that traditional criminals, constrained by such ‘old-fashioned’ restraints as time and space, can.

With that scale in mind, Vincent warns listeners that just as there are many businesses that serve a particular niche, cybercrime is its own growth industry—the “profit” involved attracts even those who would not consider themselves “criminals.” He adds that, over time, there will be organizations covering every niche, including small accounting firms in the middle of the USA, for example. It’s important for businesses to move to protect their assets now instead of waiting for these cybercriminals to build up their infrastructure.
