Cyber insurance has changed incident response -- for better or worse

Cyber insurance has helped a growing number of enterprises offset the financial costs associated with data breaches and cyberattacks, but it's also become a thorn in the side of some security vendors when it comes to incident response.

By all accounts, demand for cyber insurance coverage is surging. Many estimates put the global cyber insurance market at around $4 billion, with projected growth to reach $20 billion-plus within the next five years. At a micro summit during Black Hat 2019 in August, experts described a booming market with an increasing number of competing insurance carriers and incredibly cheap policies for enterprises that need financial protection against cyberattacks.

But the speakers also urged the infosec community to be aware of potential hurdles and drawbacks, including hidden exclusions and conditions within cyber insurance policies. One element emphasized by speaker Jake Kouns, CISO at Risk Based Security, was incident response (IR); insurance carriers often offer policies that dictate how incident response will be conducted, and which vendors will be called in to conduct the investigations and clean-up efforts. If those IR plans aren't followed to the letter, then coverage can be nullified.

"From an incident response standpoint, this is one I want everyone to be really, really mindful of," Kouns said during his session. "When it comes to cyber insurance, there are a lot of these processes you have in place -- that you like and that you're used to -- that may need to change."

That has caused frustration in the incident response industry. Sean Mason, director of incident response at Cisco, said cyber insurance often "throws a wrench" into response efforts for his company by adding time and confusion while removing the vendor as the primary decision-maker for the engagement.

"I feel like I'm beating a dead horse on cyber insurance lately because it continually pops up," Mason said. "There are a number of cyber insurers out there, and they're making a play for this space because it's pretty much the Wild West at this point."

Mason isn't alone; SearchSecurity spoke with several infosec professionals with firsthand knowledge of incident response engagements who described similar scenarios with their customers: an organization suffers a cyberattack or suspected breach and informs its insurance carrier of the incident; the carrier provides the organization a breach coach, who then brings in a pre-approved incident response vendor for clean-up efforts and forensic investigations.

The infosec professionals, several of whom spoke on background, said the process can be frustrating because the breach coach becomes the primary decision-maker and point of contact for clients, rather than their own IR teams, and the process can delay reaction time.

That's if they're allowed to work on the engagement at all. Most major cyber insurance carriers have panels for pre-approved vendors and service providers that clients must use. As a result, some incumbent vendors find themselves on the outside looking in when an incident occurs.

Further compounding the issue for vendors is the fact that many carriers have rushed into the growing cyber insurance market with no infosec knowledge. Jeffrey Smith, an insurance broker and managing partner at Cyber Risk Underwriters, said during the Black Hat micro summit that some carriers simply offer cheap policies with little to no underwriting in order to win business.

"They're kind of making it up as they go," Smith said.

And yet, insurance carriers often dictate how data breaches and cyberattacks are handled for their clients, which has some security vendors concerned.

Delayed reaction times

A longtime infosec veteran, Kouns also worked in the insurance industry for many years, most notably as director of cyber security and technology risks underwriting for Markel Corp. Having worked on both sides of the spectrum, Kouns said he isn't surprised cyber insurance is a source of friction for incident response providers; organizations that have a strong IR team in place could be put through an "inefficient claims process" by an insurance carrier that hasn't handled as many incidents as other top-tier carriers, he said.

"I think the feedback about friction from good IR teams is legit," Kouns said. "In many cases, that initial breach coach call would be frustrating, and I've found it a bit frustrating when I was on the side of just wanting to get things done and I knew what needed to be done and I just wanted to react quickly."

A major source of frustration is time; instead of getting right to work on an investigation, incident response vendors often have to wait for clients to call their insurance carrier and loop in a breach coach before an incident response engagement can proceed.

"We've actually had a couple cases where cyber insurers are taking a whole day to get back to their clients and then they say 'Hey, you have to do this, this, this and this first,'" Cisco's Mason said.

Breach coaches are another layer to the incident response process that can add to the waiting game. Along with contacting their insurance carriers, enterprises also select a breach coach from the carrier's pre-approved list. One vendor said the process of reporting incidents to the insurance carrier, selecting a breach coach and completing the necessary paperwork can add significant time before the vendor can begin their investigations and restoration efforts.

Jeremiah Dewey, senior director of managed services and head of incident response at Rapid7, said after a customer experiences an incident, his company often has to "take a step back and let their [legal] counsel initiate engagement with us.

"It does add some time," Dewey said, "but it's usually more in terms of hours than days or weeks."

Waiting can be particularly frustrating for organizations anxious to clean up and contain a potential data breach, so Dewey and his team try to fill the time as best they can by analyzing whatever evidence a client can provide them. "We never want to create time where the client is wondering what's going on."

SearchSecurity contacted several major insurance carriers to learn more about their cyber insurance practices, specifically how they managed incident response engagements, though most did not respond or declined to participate.

Tim Francis, enterprise lead for cyber insurance at Travelers Companies, Inc., said rapid response to claims calls are absolutely critical for enterprises, not only to provide assurance to customers during a stressful situation but also to get the incident response process moving as quickly as possible. To that end, he said, Travelers has 24/7 claims service and breach coaches on hand to set up "immediate" triage for the situation.

"Frankly, if you have a policy that covers a lot but the claims people aren't responding in a timely manner, then it doesn't really matter how good your insurance contract is or how cheaply you obtained it," Francis said. "That time, particularly in a ransomware event when it comes to the decision-making process on whether to pay or not, could be the difference between your systems being restored or rendered inoperable."

Breach coaches

In addition to delays, there's concern amongst infosec professionals about having lawyers -- not technical experts -- leading incident response engagements. Kouns said he has "come around" on breach coaches despite initial skepticism.

"I always struggled with the idea of talking to a lawyer when they don't understand anything technical, they have no clue about what I'm supposed to be doing from a response standpoint, and they're just asking me boilerplate about how many customers do we have in different states and things like that," he said.

But Kouns said breach coaches offer value in two areas: First, they provide privileged communications for the breached organization. Second, they can triage response efforts and offer a "much more simplistic conversation" with the organization about the incident.

Still, infosec professionals who spoke on background said they encounter friction with breach coaches, who tend to be more focused on getting clients back online while vendors try to determine the root cause and the full scope of the incident. Furthermore, there are often differences of opinion on how to address ransomware attacks; breach coaches and their carrier partners routinely recommend paying ransoms since it's often the quickest and least expensive option to restore systems, even if some or most of a client's data is backed up.

Mason said Cisco's incident response team has seen an increase in cyber insurance carriers paying the ransoms.

"Frankly, we've seen some customers follow certain advice and actually make things worse," he said.

However, the success of incident response decisions depends on the coach and situation. Organizations could be vulnerable to bad advice if they've never reviewed their cyber insurance policies, have never experienced a full-blown incident or cyberattack or even conducted an incident response table-top exercise, Mason said.

"They may actually take their direction as gospel," Mason said, "and that's not necessarily the best way forward.

"Paying threat actors for decryption keys carries risk, including becoming a repeat target for attacks, according to experts. Rapid7, for example, encourages customers to consult law enforcement.

"We have good relationships with a few FBI field offices," Dewey said, "and we encourage [customers] to call them because they'll be able to guide them and say if there are decryption keys already available for that type of ransomware or tell them that the threat actors have a history of not releasing files after payment."

Customer confusion

Infosec and cyber insurance experts both say customers aren't blameless. For starters, when they contact their security vendors for incident response services, they can't answer a simple question: do they have cyber insurance or not?

And if they know they have a policy, they likely don't know what kind, who their carrier is and whether or not they have the ability to select their own vendors or breach coaches.

"Generally speaking, our customers aren't necessarily prepared to answer those questions or understand what they have available to them from a cyber insurance perspective," Mason said.

The confusion can extend to actual decision-making during the incident response engagements, too. For example, infosec professionals say clients sometimes fail to inform their insurance carriers about a breach until after they've brought in an incident response vendor and remediated the situation. Other times, they say, clients stumble in selecting who will run their incident response effort.

Kouns cited one case where a customer was allowed to pick their own incident response vendor, and the choice was regrettable.

"I had never even heard of the forensics shop before, which wasn't just a forensics shop," Kouns said. "They contracted with this firm to do the forensics work, the forensics work was not done appropriately, the actual intrusion wasn't fully cleaned up and the customer had to bring in another forensics firm to do it right."

Smith described a recent meeting at Cyber Risk Underwriters where the client had a pre-existing relationship with a major law firm and wanted to use the firm for incident response and breach coach services. However, Smith said, the firm didn't have an extensive cybersecurity practice. "I told them I didn't think it was a good idea because the last thing you want is any sort of delay in a response," he said.

Just as the cyber insurance industry has been flooded with new companies eager to capitalize on the growing market, Smith said, a number of IT services firms and resellers have added cybersecurity offerings to their repertoire and positioned themselves as incident response providers -- even though they may lack such expertise. "All of the sudden, everyone is a security expert now," Smith said.

In this respect, Kouns said, cyber insurance has had a positive effect on enterprise, especially those that may have fewer resources for cybersecurity and less experience handling incidents. A cyber insurance policy can at least prompt an enterprise to build an effective incident response plan and get a security vendor on retainer.

John Farley, managing director of the cyber practice group at insurance brokerage Arthur J. Gallagher & Co., routinely reviews incident response plans, which he said are often missing key components.

"Many times, you find that the incident response plan is essentially an escalation procedure within the four walls of the IT department," he said. "But when the IT department realizes that they have an incident that rises to legal liability, with personally identifiable information that requires statutorily mandated notification to the affected individuals, that's where organizations tend to break down."

Panels and pain points

While cyber insurance carriers and breach coaches can provide benefits beyond the coverage itself, some security vendors still find the incident response process frustrating. And perhaps the biggest obstacle presented by cyber insurance carriers is the first obstacle in the process: panels.

In the past, enterprises could choose a type of cyber insurance policy that allowed clients to choose their own security vendors and then be reimbursed by the carrier. But Kouns said that type of policy is much less common today, and major carriers are more likely to pay security vendors directly on behalf of clients – but only vendors that are on the carriers' panels.

Most major carrier panels have preferred or pre-approved options for not just incident response and forensics services, but for breach coaches, public relations and credit monitoring as well. However, these lists aren't extensive -- some major carriers may have only 10 or fewer vendors for incident response or forensics services. Therefore, if a security vendor's existing client acquires a cyber insurance policy with a carrier but the vendor isn't on that carrier's panel, the company could lose potential business down the road.

Dewey said one of the first questions Rapid7's incident response team asks during the initial call with a client is whether they have cyber insurance, and who the insurance carrier is.

"If you have a Beazley or an AIG policy, we're not on their panel of approved vendors, and they're not going to pay that claim," Dewey said. "We tell the client right off the bat, 'If you want to engage with us, that's great, but just know that your insurer is very strict on who they'll let you use if they're going to pay a claim.'"

The trouble is that a carrier panel may require a vendor that isn't familiar with the customer's environment, practices or people.

"They may ask you to go in one direction when you might already have relationships with organizations and would prefer to use them," Mason said. "Generally speaking, the insurers shouldn't make those business decisions for you, but again, you might blindly follow them if you haven't sat there and thought about it ahead of time."

Francis said Travelers never makes the decisions about how to handle an incident, such as whether to pay a ransom or not. "Our job is to make sure the experts are available, have them work directly with the insured [party] and have them make the best recommendation," he said.

Travelers is also flexible about which experts a client can use, Francis said, adding that it's not unusual at all for clients to request that an incumbent vendor or service provider handle incident response engagements. "As long as there's no conflict of interest and they're qualified, then [the customer] can use who they want to use," he said.

Still, Rapid7's Dewey said it can be difficult to engage with cyber insurance carriers because there is little commonality between how major carriers operate their panels and policies.

"I would say that's probably my biggest dilemma. If the insurers came to us and engaged, that's a world I would love to live in," Dewey said. "I've approached the vast majority of insurers individually, and each one of them has different processes, and each one has different people you need to go to -- none of whom are easily findable."

The situation can create a dilemma for enterprises choosing a cyber insurance carrier and a policy.

"There are some really good carriers out there for handling [incident response] and there are some that haven't handled as many claims," Kouns said. "I'd say there's less of a chance of friction with a top-tier carrier than a mid-tier one."

But, Kouns said, some top-tier carriers "may not necessarily spend as much time on claims as you'd expect" because they handle so many per day, while smaller carriers may offer customers more attention and flexibility in terms of selecting vendors.

Smith said it's important to remember that the cyber insurance space is still in its infancy, and that it will take time for carriers to increase their knowledge of cybersecurity and accrue enough actuarial data to improve the underwriting process.

Cyber insurance is almost a necessary evil at this point, and I think we as an industry are going to have to go through it and take our lumps and learn how to work better with our insurers.

"There's not a lot an actuarial can do with 100,000 [claims] files over the short period of time we're talking about -- at least not with a high level of confidence," Smith said. "The good news is, there's been a realization that they need to start underwriting like hackers [by conducting security assessments and penetration testing]."

Monzy Merza, head of security research at Splunk, said actuarial data is crucial for market maturation, but carriers must also recognize that cybersecurity is new terrain.

"You really have to give that terrain some respect because otherwise it's just not going to work," Merza said. "And if cyber insurance doesn't work out, the people that it's not going to work out for are the consumers."

Security vendors hope cyber insurance market maturation arrives sooner rather than later as they grapple with the growing pains.

"Cyber insurance is almost a necessary evil at this point," Mason said, "and I think we as an industry are going to have to go through it and take our lumps and learn how to work better with our insurers."