In today's episode Monica Verma talks to one of the industry leaders within cyber insurance, Michael Spreitzenbarth, on why you should care about cyber insurance, why you need it, what the key elements to consider when underwriting a policy are, and some of the important gotchas, loopholes or myths around insurance policies.
Looking for your dream job in cybersecurity?
Don't know where to start or how to go about it?
Follow Monica Verma (LinkedIn) and Monica Talks Cyber (Youtube) for more content on cybersecurity, technology, leadership and innovation, and 10x your career.
Monica Verma 0:00
Welcome to a brand new episode of We Talk Cyber with Monica, your one and only platform for real-world stories from renowned global experts within security, privacy and leadership, making a real impact every single day. In today's episode, we'll be talking to an industry leader within the cyber insurance market. So let's hop right on the episode. This is We Talk Cyber with Monica.
Monica Verma 0:32
We'll be talking to Michael Spreitzenbarth from Munich Re on why organizations should care about cyber insurance, independently of whether they're from the public sector or the private sector. What are some of the biggest gotchas, loopholes or even myths around cyber insurance? What role does cyber qualification play? And what are some of the key elements in the process of getting a cyber insurance policy for your organization? What are some of the adoption challenges that we have seen, and some trends going forward? So before we hop into the episode, make sure you subscribe to my YouTube channel, Monica Talks Cyber, where you will find all my videos, including the podcast videos. And if you're interested in listening to the podcast audio, then please tune in and subscribe to We Talk Cyber in your favorite podcast app. Shout out to today's sponsor, Simply Cyber. If you're interested in more technical security stuff, please check them out. Let's meet our guest right away. This is We Talk Cyber with Monica. Lovely to have you on the show today. Would you like to introduce yourself to the audience? What do you do, what has been your background, and maybe share a fun fact with the audience?
Michael Spreitzenbarth 1:35
Of course. So from the technical background, I'm more the techie guy. I was working in a large corporation doing incident response, doing a bit of red teaming and pentesting, then more or less changed sides a bit and moved to one of the largest reinsurance companies. And there, now for close to two years, I've done a lot of cyber underwriting and risk assessment, together with the lawyers and all the other people involved in cyber insurance. The fun fact: I'm not only dealing with vulnerabilities and a large amount of companies out there doing their risk assessment. I'm also a hobby beekeeper, so treating thousands of different customers, so to say, is one of my day-to-day businesses.
Monica Verma 2:26
Lovely. And you're definitely the right person to be talking about cyber insurance today. So welcome to the show, and let's get started. Let's just start with: why should companies care about cyber insurance, in both the public and the private sector?
Michael Spreitzenbarth 2:45
So the cyber insurance itself, it's one of the classical risk treatment methods. So if you're not sure how to mitigate a risk to the right level, or if you don't want to stop your business or the issue that's bundled with the risk, you then have another way of at least lowering the impact to your company. So the risk insurance, and the cyber insurance, is the classical thing to go for. And in a lot of cases there is also, let's say, the small difference, because in a lot of cases people are talking about risk transfer: we transfer everything of the risk to the insurance, then we can do things like we want to do them, the insurance will cover for it. But in terms of cyber insurance, you always have to think also about reputational topics and stuff like this, which will have a more long-term disadvantage or consequence. So therefore it's not the 100% risk transfer to cyber insurance; it will cover for a lot of losses, but still you have some risk left within your own company that you have to deal with. And then another thing why a lot of companies are currently caring about the topic is more from the supporting act: a lot of cyber insurers bundle services with their insurance, supporting them with breach coaches, with large incident response companies that come on site and support. So it's not only about dealing with the financial consequences, but also really supporting to handle the crisis and to solve the issue faster than normally.
Monica Verma 4:33
And why should the public sector care about it? I mean, usually either they're the health insurers or the government is the insurer here. Why should they care about cyber insurance?
Michael Spreitzenbarth 4:43
That's right, and especially also when you're looking in Europe and then at GDPR: even there, according to GDPR, fines do not apply to them. So the risk, at least from a financial perspective, is a bit lower than for someone from the private sector. But also, as we know, the IT security and the awareness of the people working in the public sector is often not at the same level that we know from the private sector. So for them it could be an even much higher benefit to have those additional services available that, on the one hand side, help them to get a bit more awareness in their employee base, maybe also to support them up front with vulnerability assessments or with mitigation strategies. And then, of course, if something happens, have the right people on board. That's something that is even more requested from the public sector than we see from the private sector.
Monica Verma 5:51
Interesting. And let's understand a bit of the elements of cyber insurance. What are you seeing in terms of adoption? What are the challenges that you've seen in terms of adoption, especially in Europe?
Michael Spreitzenbarth 6:05
So the adoption itself is quite different if you compare the US to Europe and to other parts of the world. So in Europe, we have seen that the topic of cyber insurance is in the market since a couple of years; in 2018 they already had more than 3.7 billion of revenue, just from the insurance policies. In Europe, in the same year, it was 0.6. So much lower. And this on the one hand side is because the awareness is a bit different in Europe. Still, the large corporations, they are aware that cybersecurity is something they have to deal with and they have to care about. But still a lot of them are thinking that they have done a lot within their own company, within their own environment, and are not sure if the insurance will help them in the end that much as an additional value. For the SME segment, it's even more on the complete awareness topic. If you ask a small or medium company in Germany or in Europe, a lot are telling you: why should I be a victim of a cyber attack, nobody's interested in what I'm doing here, nobody's interested in my data. So there's still the issue that they think, okay, everything is targeted, and it's only done by criminals that really want to get data or want to create damage or loss for one single company. This widespread and untargeted thing is something that they don't keep as much in mind as they should. And that's what we've seen in the adoption. For the last year it also changed, over the last years, because we see now the ransomware gangs, it's more in the media, we also see more and more losses happening in Germany and at other companies in Europe. And that slowly creates the awareness that they start to think, maybe cyber insurance is something they should care about.
Monica Verma 8:13
Yeah, I mean, rightly so, because this topic around awareness, especially with SMEs, that you're mentioning is an interesting one, because I usually post a blog about it, and I've talked about this in many of my conversations with people: everybody is a potential target, either direct or indirect, or collateral, or a step to somebody else's network. A good example of that is the Cloud Hopper attack that happened: it was the service providers that were attacked, but ultimately it caused consequences and impact all over the entire world. And a lot of companies, obviously, even if not a direct target, are a part of some kind of collateral or, as I said, part of a step to somebody else's network. So everybody should really be caring and worrying about it, that they could be one of them as well. So this whole awareness around "it could not be me" is a big myth that we need to break and help companies break. And talking about myths, another thing that I've also heard in terms of cyber insurance, and my experience is that some of the companies think of cyber insurance in more of an either-or way, like you said, right? I mean, lots of organizations are like, okay, we have controls in place, and we need some insurance, but also the other way around, as I've seen, they go like, okay, now that I'm getting cyber insurance, I probably don't need to care so much about my internal security programs and governance and so on. And what are your experiences, whether that is really either-or, and what would be your recommendations for IT organizations?
Michael Spreitzenbarth 9:52
It totally depends on the size of the company. If you go for the large corporations, then it's definitely not an either-or. They are going for cyber insurance because they are searching for the worst case that could happen, and therefore they need the kind of risk transfer an insurance provides. That means they go for very high limits with very, very high deductibles. So they have to pay themselves in any case of a loss and really only want to have the insurance for the huge things that could happen, the next NotPetya, stuff like this. But then you also have the SME segment, and there it's often really an either-or. And that also depends on the prices, because for the kind of premiums that the insurance puts on the table, they can't do an in-depth risk assessment. We will be speaking about 500-600 euros per year for cyber insurance. Therefore you can't set someone at the table that discusses for two hours how the IT security within the company looks and really does an in-depth assessment. So in the end, for the insured, it's also the decision: okay, I can now upgrade all my IT systems to the newest versions, get an MSSP or a kind of service provider that supports me in patching and hardening my systems, which will cost thousands of euros per year, or I get the cyber insurance, that's half the price or even less, and if something happens to me, I will get covered somehow, at least the financial impact will be covered. So there we unfortunately really see this either-or thinking. I personally don't like it; I think a lot in the insurance market see it similarly, and of course the IT security community sees it with the same danger behind it, because then you suddenly start to not improve the IT security of the market, but just put everything on the insurance, which doesn't help the community and the overall market. It just transfers everything to the insurance.
Monica Verma 12:13
Yeah, plus also, it's not a replacement for increasing your security maturity over time. You're not becoming more mature in terms of security and governance, and that is something that, I believe, is already a part of it today with all the digitalization that's happening. And when the physical, digital and biological worlds are coming together and converging, it's going to be even more integrated into our daily lives. And how do the SMEs then go about just buying insurance and not thinking in the long term of maturity? So that's sort of fascinating, and we'll see how that turns out to be in the coming years. But with regards to the ones that then have cyber insurance, either small companies, mid-size SMEs or large corporations, just like any other insurance, these obviously have terms and conditions. There are certain loopholes sometimes, and there are certain wordings and certain things that people should be caring about. So what, in your opinion, are some of the key things that you've been seeing in terms of an understanding of how these are underwritten, and what kind of loopholes there can be?
Michael Spreitzenbarth 13:23
So the toughest discussion is always about the wording of the insurance policy. Because normally the insurance policies are written by lawyers, who are not really aware of all the technical meanings of the terms they are using. So they're doing what a classical lawyer is doing: they're searching for definitions that have been proven in front of a court, or where they think they have been proven in front of a court or are stable enough. And that's then often the point of contradiction, because you have now the IT security person from the company that wants to buy an insurance sitting opposite a lawyer that tells them what is written in the insurance policy, and then they suddenly start to discuss if their IT network is really bundled under the word "computer system", or if anything is missing from the terminology and from the definition. And especially when you then go to manufacturing companies, it's getting a really tough issue, because now the company itself is speaking about IT and OT and understands that these two worlds are getting connected to each other, but from the technology and the security, they are totally different. But for the insurance industry, there's only "computer system". So is it covered, is it not? Those are the toughest discussions that I've seen for the last years. While a lot of insurance companies still think that within the policies they are not covering the robot failing in a manufacturing line, because that's not a computer system, the company that wants to get the protection, of course, sees this as one of the computer systems. And so that's really something I would give as advice: have a look at the definitions within your policy, and really check them word for word, and do not think that just because you know what a computer system is, the cyber insurer also has the same meaning for the term. So that's really an important part. And then, as with all insurances, have a look at the exclusions.
Within a lot of them you find classical exclusions, like that your ISP is excluded. So if that one has an issue and is not able to provide you with internet any longer, then this is not a reason for you to claim your business interruption according to the cyber policy. And the same applies for the more or less famous war exclusion.
Monica Verma 16:05
Yeah, data war, right.
Michael Spreitzenbarth 16:08
We luckily haven't seen any large issues with that with a cyber policy. But we all know the cases from common property insurances, where then in the end the insurer is not that willing to pay and tries to claim the exclusion. This, as mentioned, luckily is not the case within the cyber insurance market as far as I've seen. They often say even targeted attacks, nation-state sponsored, they don't see as a real war act, and with this still cover it. But you will have discussions if the next NotPetya or something comes around the corner. Therefore really be careful what's in the exclusions and in the definitions.
Monica Verma 16:59
In addition to these exclusions and loopholes that people should be taking into consideration before underwriting, what are some of the key elements that you believe are important to have done, or that the company should know of, before they underwrite insurance?
Michael Spreitzenbarth 17:18
So on the one hand side, really understand your risks. So do proper risk management within your company, so you really know: which risks do I have, how likely are they, what potential impact do they have if they materialize? Because only then can you see if the cyber insurance is really the right thing and if the policy fits. Within cyber insurance you have a large amount of different coverage elements: you have the classical business interruption topic, you have data breach, but even within data breach you have a lot of different subsets that are different from cyber insurer to cyber insurer. And therefore it's really important to understand what exactly your risk is. For example, if you're talking about a data breach, is it the fine that you fear most, the one you get from the state or from the authority? Is it the PCI monitoring costs or recertification costs? What really is the driver for your loss and for your risk? And then really map it to the insurance coverage, because even there you find coverage elements that from the name seem to fit, but looking into the details there can be a huge difference from policy to policy. So therefore really doing a solid risk assessment within your company is a good thing. And with this, also know your numbers, so understand what it means for your company if your factory is down for one to three days: what does this mean in terms of missed revenue, of losses, maybe also of penalties from contractual liabilities?
Michael Spreitzenbarth 19:08
Put this on the table when the cyber insurer is there, because often they assume a lot of those values based on former losses they have seen, or sometimes even just take your turnover divided by 365, multiplied by the timeframe they think you are offline after an incident, and this is then the value that they are using. And if you want to have a more realistic premium and a more realistic approach, really show them your calculations and your numbers, because then you can learn from each other. And at the same time you get the more, let's say, the more suitable insurance policy for yourself and a less generic policy.
Monica Verma 19:55
And what you mentioned was quite interesting in terms of understanding your losses, and then being able to have a tangible figure around it. It doesn't have to be an exact, accurate figure, but maybe a bracket or an understanding of where it would lie in terms of loss, revenue, direct and indirect losses and so on. And as you said in the beginning, reputational loss you can't really get rid of anyway. But barring that, what other kinds of direct or indirect losses could you have? But we've seen historically that organizations are really not quantifying cyber risk. That is a big challenge. Also in the finance sector, which I see is very interesting, because the finance sector has been quantifying all the other kinds of risks. But there are only a few companies in the world that actually do proper cyber risk quantification. What are your experiences and thoughts on that? And what are your recommendations if somebody wants to start with that?
Michael Spreitzenbarth 20:49
Um, my experience is quite similar. We see that the larger ones, for parts of their risks, they can tell you numbers, they did risk quantification, but for all the others, they have no idea. And especially if it comes to the data breach topic, even though they are dealing with a large amount of health data, of personal customer data, they're still unaware what it really would mean if there was a data breach for them. And that's the thing that I mentioned, where they can learn from each other and from the insurance industry, because they have seen a lot of those losses already and can, with that, at least get a rough estimate of what it means if you lose 20,000 credit card data sets, or if you lose patient data or something like this. So they can support you to get in the right direction to understand what the loss would mean, and with this start doing the risk quantification. But at the same time, for things like the outage of your business or something, there you as the owner of the company itself often have the better truth behind the data, so to say, or the better data set itself. So there it's really: look at your numbers, try to figure out which of the risks you can somehow measure. And even there it's not about making it really precise; it's enough to have a rough estimation behind it. And then try to search the exchange, and therefore not only with the cyber insurance: there are a lot of communities out there from IT security but also from other kinds of business environments that are really interested in doing this exchange. And therefore, every company that currently has no idea how to quantify their risks, or wants to get, let's say, a second opinion on whether they did it the right way: try to get out to one of those communities, or approach your insurer and start a discussion with him about what he thinks, how realistic those numbers are.
Monica Verma 23:07
Let's go back to the whole claims part of cyber claims and cyber insurance, some real examples. What have you seen in terms of the top cyber attacks, or types of cyber attacks or cyber incidents, that have actually caused cyber claims? What have you seen in terms of that?
Michael Spreitzenbarth 23:23
It really fits to what you see in the news and media for the last couple of months or years. So you've seen the large data breaches. I won't name names or companies here, but some of them are quite obvious and everybody has them in the back of their mind. A lot of them also had been covered by cyber insurance: they had been supported through the incident response, the whole credit card monitoring, PCI recertification, stuff like this, was paid by cyber insurance. And then of course, especially looking currently at the US, the ransomware cases: we see a lot of cases where now the insurance is paying because the company was victim of one of the large ransomware things. And then it's a two-fold topic. It's on one hand side helping them to recover and also to get the business up and running again. But at the same time they support the victim with reference and negotiation parties and breach coaches that then support them to deal with the bad guys, and at the same time also to manage the reports to media, to law enforcement, to authorities, to really have support in all that you have to do, to not miss anything just because you're in emergency mode and don't currently think about informing law enforcement or sending the report to the state authority or something like this.
Monica Verma 25:00
Yeah, it makes total sense. I mean, that's what's happening really a lot in the way the cyber threat landscape is changing, and it makes sense to see that also as a trend towards the cyber claims that are happening. What do you think are the trends going forward, especially around adoption? And how do you see the cyber insurance world changing, moving forward, especially for Europe?
Michael Spreitzenbarth 25:28
What we have seen in recent years is that the adoption rate already goes up. So it seems that awareness is slowly getting more mature or is broadening. On the one hand side, of course, you see a lot of insurers going into the market, because the estimations for the market are quite high, so everybody wants to get a piece of the cake. And with this you also create a kind of awareness, because if the second salesperson is sitting in your office and telling you, have you ever thought about cyber security and claims resulting out of it, maybe it starts also within your head to linger a bit more: maybe that's something I should start to take into consideration. So we have seen this on the one hand side. But on the other hand, we now also see a lot of those large and rare losses happening in Germany and in Europe that make it to the media. We have the one famous case with the hospital where even a person died because of a ransomware attack. So that starts now that a lot of people really change their mindset and think, okay, maybe it's not that the attackers are really targeting me or my company, it's just because I'm there, just because my system was the next one they found on the list, without even knowing who's behind it. And that brings up the adoption rate and also strengthens the market a bit, so that insurance is supported more often.
Monica Verma 27:03
Lovely, I think we've talked a lot about why cyber insurance and what it actually entails. What are some of the examples of the kinds of cyber insurance you are seeing? Is it like people or organizations getting pure cyber insurances? Or is it more in terms of P&L and part of their other insurances?
Michael Spreitzenbarth 27:23
So in the past, I think it was more a combination. They sometimes had their property insurance and then just tried to get an extension for cyber in there. But with this we have also seen all the law cases now, suddenly, because there was a kind of misunderstanding about what that extension was really covering and what not. And what the market now does is they publish clear exclusions that are now bundled into the property world or casualty world, to really state that cyber is not covered in those, and make it a dedicated field for the insurance. Which makes it easier on the one hand side for the insurance, because now they have dedicated people there that can really try to assess the cyber risk and do not need to think about what's the exposure to fire or to flood or something. And on the other hand it also helps the company, because they can invest more cleverly, let's say, because often the cyber losses are high, but they are lower than the property losses. If your whole factory burns down, that means immense losses for a long time. If you have a ransomware, there could be a high loss in the first place, but the recovery phase is much quicker than building a new building or getting all the equipment back in there. And that also helps the companies to invest the money there more wisely.
Monica Verma 29:00
Fantastic. I think we had a really good conversation today and learned a lot about what's actually happening in the cyber insurance world and how it will go forward. So thank you so much for that. Would you like to maybe just say a key message to the audience based on our conversation?
Michael Spreitzenbarth 29:15
So my key message would really be: don't think that much in the either-or. Really look at your own stuff, try to get your own maturity to a proper level, and then use the insurance as a risk transfer as it was intended in the beginning. That's the only thing that will help in the long term. And that's the only thing that brings the community and the security out there to a more mature level at all.
Monica Verma 29:43
Fantastic. Thank you so much for that. It was so lovely to have you on the podcast today. We had a really lovely conversation. Thank you again very much for that.
Michael Spreitzenbarth 29:51
Thanks a lot for inviting me.
Monica Verma 29:53
That was today's episode of We Talk Cyber with Monica. I'll be back with more episodes, fantastic guests, amazing conversations. Until then, keep tuning in, take care and stay safe!