Cyber Insurance Past, Present, and Future
Ann Johnson: Welcome to "Afternoon Cyber Tea," where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision makers. I'm Ann Johnson, and today we're going to dive into the world of cyber insurance. I am joined by Dr. Josephine Wolff, who is an associate professor of cybersecurity policy within the Fletcher School at Tufts University. Dr. Wolff is the author of several books on cyber insurance. Her latest, "Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches and Cyberattacks," will be released on August 30. Her writing on cybersecurity has also appeared in Slate, The New York Times, The Washington Post, The Atlantic and WIRED. Before joining the Fletcher School, Dr. Wolff was an assistant professor of public policy at the Rochester Institute of Technology and a fellow at the New American Cybersecurity Initiative and Harvard's Berkman Klein Center for Internet and Society. Her research interests include liability for cybersecurity incidents, international internet governance, cyber insurance, cybersecurity workforce development and the economics of information security. Welcome to "Afternoon Cyber Tea," Josephine.
Josephine Wolff: Thanks, Ann. It's great to be here.
Ann Johnson: So I was doing some reading prior to our podcast and using some resources you had pointed to, actually, to make sure that I was well briefed. And I noticed that in the 1990s, cyber liability insurance emerged as this method of protection for companies going against computer viruses and data loss. Things, of course, were a bit easier back then when you think about computer viruses as they are compared to today. So as we fast-forward a few decades, cyber risk and liability have become incredibly complex for the entire world. Cyber insurance has come a long way, too. Could you give us a brief history on how the cyber insurance industry has changed and evolved since its initial inception? And what were the initial goals and motivations of cyber insurance providers then, and how has that changed or stayed the same over time?
Josephine Wolff: Absolutely. So I think one of the things that's often surprising to people is how long cyber insurance has been around - that we've, you know, gone almost two and a half decades now with varieties of these policies available for purchase. But you're absolutely right. They've changed an enormous amount over that time, which isn't surprising when we look at sort of how the cyberthreat landscape has shifted.
Josephine Wolff: So if you rewind all the way back to 1997, when sort of the first cyber-focused policy is offered, there's a lot of fear around Y2K. There's a lot of fear around sort of, what if all of the computers suddenly crashed, either because of malware or because we haven't prepared well enough for this changeover in dates? There's a great deal of concern about data loss. There's a great deal of concern about kind of business interruption. And the other thing people are worrying about then, right at that moment when sort of the internet is commercializing, when people are starting to buy and sell stuff in the mid-90s online - the other thing people are really worried about is the loss of that financial data and credit card information. And so you get these early policies that are really focused, I would say, on those two things - on the theft of personal information for customers and on the potential for computer systems to crash and covering some of the costs associated with replacing or fixing those systems.
Josephine Wolff: And in the early 2000s - right? - as a few more companies, I would say, especially in, like, retail, start to buy these policies, those concerns are heightened somewhat by states in the United States starting to pass these data breach notification laws. And so that begins sort of 2003, 2004. We start to see more and more states getting interested in that, led by California. And those laws start to make companies more concerned about these breaches of personal information of their customers because now they know they're going to have to report those breaches. They're not going to just be able to sort of sweep it under the rug or not tell anybody about it. And as soon as you start reporting them, you run the risk that your customers are going to file lawsuits, that they're going to say, hey, you know, my credit card number was stolen. You owe me some damages for that.
Josephine Wolff: And so the next big wave of these policies is really focused on data breaches. And it's particularly focused on the legal costs associated with those lawsuits, saying, OK, the really expensive part of this is not that your data has been stolen. The really expensive part of this is you're going to have to pay lawyers. You're maybe going to have to pay settlement fees. And so there's this real focus in that sort of set of policies coming out in the mid-'90s - or the late '90s, early 2000s - around covering those costs associated with data breaches.
Josephine Wolff: And now sort of, I would say, starting around 2015 to 2017, we start to see increases in ransomware. We start to see a lot of concern about sort of infrastructure being compromised and operations being shut down by cyberattacks. There's much more interest in how are we going to pay extortion-related costs? How are we going to compensate for lost business during outages related to cyberattacks? And you've seen these cyber insurance policies really expand. So they still often cover a lot of those legal expenses around data breaches, but there's also often sort of provisions to cover ransomware and extortion. That can be covering the actual ransom payments. But it could also mean paying negotiators to try and drive those payments down. It can also mean paying people to come in and conduct investigations about what went wrong. And the other piece that I think is really related to this that sort of comes in the past five years or so is there's more and more coverage for regulatory fines. So when you have the General Data Protection Regulation passed in the EU, one of the fears that companies have is - what? - are we going to have to, you know, pay these really large penalties or a lot of compliance costs? And so you start to see provisions and insurance now for that kind of investigation and penalty as well.
Ann Johnson: You know, I know we're going to get into it later in the podcast and to talk about exclusions and exceptions. But as you think about the penalties that may be in the policies and you think about the things that cyber insurers or - you know, the industry is evolving really, really, really fast, right? And I want to give an analogy to our listeners who are super familiar with, like, home insurance and auto insurance and life insurance, flood insurance, etc. And those dynamics change regularly, too. You know, I'll give you - the parallel is that I lived in a coastal county during - in New Jersey - during Hurricane Irene and Superstorm Sandy. And there were insurers that just flat out pulled out and said they would not write any more policies in coastal counties because of the increase in really catastrophic events. Can you talk about the differences between how cyber insurers think about those type of similar catastrophic events and talk about if there are any fundamental similarities between a cyber insurance policy and what our listeners, our consumers would think about their personal insurance policies?
Josephine Wolff: It's a great question, and there definitely are similarities, right? You think about something like car insurance. That's a new technology, or what was at one point a new technology and is continuing to evolve, that we're trying to manage risk around. You think about flood or other natural disasters insurance. You're talking about these really large-scale, difficult-to-predict events related to certain types of cyberattacks as well. But there are also, I think, some really kind of crucial differences. And a big one that I would say spans almost all of those types of insurance you just mentioned is that we know a lot more about when these incidents happen - when we're talking about car accidents, when we're talking about floods, when we're talking about people dying with life insurance or things like that, right? It's very rare that you have a lot of car accidents that just go completely unreported, and nobody is aware that they've happened.
Josephine Wolff: And so the big difference that you sort of start from, if you're an insurer, is you don't have great data around cyber risk, right? You've got slightly better data around breaches of personal information because states have been requiring reporting of that for a long time. But when it comes to something like ransomware, which really kind of takes insurers by surprise in 2019, 2020, when those rates start spiking, you're working from a very incomplete data set of sort of which are the ransomware attacks that make the news that people either choose to disclose or have to disclose for some reason. And that sort of inability to collect consistent and complete data is a huge obstacle if you are trying to do the kind of actuarial underwriting that insurers do because they have to be able to predict, how many different types of cyberattacks do we think we're going to see next year? How much are those going to cost on average? I would say another big difference kind of related to that is there's actually still a fair bit of disagreement about how much a lot of these various cyber incidents cost, right?
Josephine Wolff: So you think about a car accident. Putting that kind of dollar value on that is something we've been doing for a while. We have, you know, some fairly well-established formulas for that. And then you think about something like the shutdown of Colonial Pipeline or attacks on various other kinds of critical infrastructure. And it's really hard to kind of say, well, how much did this cost, not just to the company that was directly hit, but to all of the other people who are affected by it? How much of that is sort of something that we can tally up and put a dollar figure on that everybody is going to agree with and, most importantly, that the insurers are going to agree with? And then I think you've got sort of differences here that may or may not go away, right?
Josephine Wolff: So one of the big differences between something like auto insurance, flood insurance and cyber insurance is that those other types of insurance have been around a lot longer. So you'll sometimes hear insurers say, you know, it's not that we can't collect data about cybersecurity incidents. It's just we haven't been doing this very long. And we'll get better at it. And we'll get more data as time goes by. And we'll be able to do a better job. And I think there's probably some truth to that. But you also have this difference, which is that the cybersecurity landscape is, I would argue, changing a lot faster than, like, the automobile safety landscape.
Josephine Wolff: The climate stuff, I think, is perhaps a little bit more comparable because you do have some of these changes in kind of natural disasters that suggest that there's some need to sort of keep adapting and evolving those risk models as well. But - and this is another big difference that I think we have to think about really carefully in the cyber world - when you talk about something like flood insurance, that is completely underwritten at this point by the United States government because, exactly as you said, if it weren't, insurers simply wouldn't sell those policies, right? You'd just lose too much money in the places where there's the biggest flood risk. And so you've got these other areas of risk where we know that selling insurance to certain customers is going to be a money-losing proposition. And the government has decided it's still really important to protect people from those costs. And so they've decided we're going to sort of contribute some money to making sure that this is available. And all of those are, I think, sort of things that we haven't at least yet seen for cyber insurance that are probably important and valuable lessons for insurers and for regulators to be thinking about in this space.
Ann Johnson: Yeah. When I talk to cyber insurers, because we have some partnerships, the first thing I hear from them is, you know, we've got decades and sometimes centuries of actuarial tables - whether it's for life insurance, whether we know the risk of cars in certain cities, whether we know the risk of homes in certain places. And they are confident in their ability to model risk. They lack that confidence in their ability to model cyber risk because, A, they haven't been doing it as long, but, B, the industry changes really, really rapidly, and the threats change really rapidly. So it's interesting to hear you talk about how flood insurance is underwritten, for example, by the U.S. government. And is there a potential for that? Is there a potential for cyber insurance to be underwritten so the cyber insurers can get a better level of confidence related to the policies and maybe make more access, right? There are just companies that can't afford cyber insurance, say. Do you think there's an opportunity there from a policy standpoint?
Josephine Wolff: So I think there's a fairly specific opportunity to get some government backstop for catastrophic cyber risk. And this is something insurers have been pushing for a while now. And it's kind of linked to the Terrorism Risk Insurance Act that was passed after September 11, in which the government said, you know, in the event of really major acts of terrorism, we will help cover these insurance costs, kind of realizing after September 11 that otherwise, those losses were going to be really devastating for insurers. And so there are insurance carriers that have kind of pushed for something similar around large-scale cyberattacks, saying, you know, if there's something really massive that we haven't predicted that we can't afford to cover, can you sort of say in advance, we're going to help, we're going to be able to provide some assistance to that?
Josephine Wolff: And the government hasn't done that, but they have sort of signaled, well, we think, you know, some of the existing backstops around terrorism risk or other things might apply in the event of a sufficiently serious cyberattack. I don't think, yet at least, that there's any real appetite in the government for underwriting sort of more run-of-the-mill cyber insurance. And I think a lot of that is sort of tied to some uncertainty about how effective some of these insurance policies are at incentivizing policyholders to actually implement better security controls. And I think some of it is tied to the sense that they don't really think insurers need it, right? I mean, one of the things that's been true about cyber insurance up until very recently is it was actually one of the most profitable lines of insurance that many carriers sold. And you do see that change, starting about two years ago, especially with the uptick in ransomware claims. But I just think insurers didn't have a very strong case to make that, like, we're going to stop selling these policies because we're going to lose too much money. And because of that, regulators weren't particularly eager to say, oh, you know, we'll provide some money to make sure you keep doing that.
Ann Johnson: Yeah, I think that's fair. It's interesting - right? - and it'll be interesting how it evolves. But let's talk about varying levels of coverage. You know, whenever you sign up for an auto policy, you know, what is your deductible? What do you want your liability to be? There's varying levels of coverage that, actually, you can use to move the lever on costs but also on your liability and what your risk profile is. Can you talk to me a little about how cyber insurers are thinking about those varying levels of policy? And one of the things that - when we talk to cyber insurers, they talk a lot about not just wanting to write the policy, but they want - and have the right products and market as they consider their differentiation on what they're going to offer. But they also talk about being a bit of a consultant, right? They want to provide the companies they write cyber policies for some consulting services around how to improve their cybersecurity. So how should someone who's looking at cyber insurance be thinking about the different policies, these different products and even those consulting offerings?
Josephine Wolff: So there's a huge amount of variation in cyber insurance coverage. And I think this is one of the ways that it actually differs from a lot of sort of more established lines of coverage. Because you buy a car insurance policy, it's probably going to be pretty comparable between different carriers. There's a pretty standard set of things that those cover. Cyber insurance is sort of much more flexible. Different companies negotiate for different types of coverage, different provisions with a lot more freedom, I would say, than in many other lines of coverage. And a lot of that is tied to sort of things like, how much coverage do you want for ransoms? How much coverage do you want for business interruption? How concerned are you about regulatory investigations and penalties? And you do see a certain amount of tailoring, especially for larger customers, saying, you know, this is sort of the thing that's top of mind in our threat model that we really want to make sure we have coverage for.
Josephine Wolff: I think the really tricky part - and I would say it's only gotten harder as the market for cyber insurance has grown - is that piece you're talking about in terms of how do you sort of assess each potential policyholder's risk exposure and level of security? And I think if you go back 20, 25 years, that's actually easier to do 'cause so few companies are buying these policies. So either the insurers can hire some experts in-house, or they can contract with security firms that have a lot of technical expertise and go in and do sort of pretty tailored audits of, OK, here's what your networks look like. Here are some things we think you should do to ramp up your own security. And as you get more and more companies deciding this is something we want to buy, by necessity, it becomes much harder to spend as much time and money on each individual assessment of a policyholder. So what you end up with is this situation where all of that assessment boils down, usually, to a questionnaire and sometimes a kind of automated scan. Which ports are open, or kind of what basic security things can we identify about your networks from the outside? And that's, I think, been a real challenge for the industry because you send somebody a questionnaire with a question like, do you have a firewall, or do you require two-factor authentication or things like that, and, often, companies will go through and say, yes, we do all these things. We've got an incident response plan. We've got access controls and so on. And then when something actually goes wrong, you go back, and you look at what happened. And you say, OK, well, it was true that you had two-factor authentication in place, but the compromise happened because you had a legacy account from before two-factor was implemented that was still active. Or - there are sort of all of these little things that are very hard to catch in this fairly high-level automated process.
Josephine Wolff: And so because of that, the actual prices of these policies have been shown to be pretty clearly linked just to the size of the company, right? If you're a bigger company, if you have more revenue, you're going to pay more in your premium than a smaller company. And that's sort of the pretty clear main driver of what the price of these different cyber insurance policies is. And the other thing I would say that I think has been very frustrating for a lot of policyholders is we've seen those premiums shoot up pretty dramatically in the past two years, right? And this is, again, tied to the fact that these policies are no longer as profitable for insurers as they once were, that we're seeing a lot more claims activity than we did four or five years ago. And so there are these policyholders who feel like, hey, you know, I just spent the whole last year ramping up my security and implementing the NIST Cybersecurity Framework and doing all of these things I've been told are really important. And then at the end of that year, my premiums doubled. And so there is, I think, some frustration with this feeling of no matter how much I invest in my security, that never seems to be reflected in the premiums I'm being charged.
Ann Johnson: It's interesting because, you know, the rate increases relative to the actual cyber risks now being understood is probably what's also going to remove accessibility for a lot of customers, particularly small, midsize business who definitely need cyber insurance even more so than, potentially, their enterprise peers. But it will be interesting if government, you know, decides what role for government in this.
Ann Johnson: I want to switch to something that's a little controversial, and I'm going to ask you a pointy question, Josephine. So there is a - it's more than an urban legend. There is some truth to the statement that the ransomware bad actors attack enterprises who have cyber insurance because they know the cyber insurer will pay. How should we think about the rise in ransomware that's being funded potentially by cyber insurers and the real dilemma this creates in the industry in driving, you know, an unhealthy behavior?
Josephine Wolff: I think it's a really tough question, and I have strong opinions about it, which are certainly not shared by everyone. I think that there's no question when an organization is hit by ransomware, they're put in an incredibly difficult spot. And there are a lot of reasons for them to perhaps want to pay that ransom. My personal opinion is that we should be discouraging that as much as possible, including by saying if this is a payment you want to make, then this is a payment you're going to have to make out of pocket. And the reason for that is to make it a harder decision - right? - to say, you know, this is not just something that you've been preparing for and paying money into a pot to make sure you could do whatever was needed. This has to be something that you feel is so essential, so absolutely critical to your business that you are willing to shell out for it yourself.
Josephine Wolff: And I think one of the things we do when we let insurance cover those payments is we kind of make it a sort of standard business expense the way we do with other things that our insurance pays for. We say, OK, you know, I got in a car accident. It's not the end of the world. I have insurance that will pay for it. I personally think that it's really a dangerous mindset to sort of have that same mentality around making payments directly to criminals, both because we know that some of those criminal organizations are funding other types of crime and/or terrorism that have terrible consequences in other domains, but also because that only sort of fuels this sense that ransomware is a profitable endeavor, that those criminals should continue doing it, that other criminals should start doing it because it's a good way to make money. And I think when we sort of ask ourselves, what do we do about the increase in ransomware over the course of the past couple years, a big piece of that has to be trying to think about, how do we make this less lucrative for criminals? Because so long as it is lucrative, they're going to keep doing it.
Josephine Wolff: And I do worry about the role that insurers play in making it easier for companies to make those payments. And I just fundamentally think it should not be easy. I think it is such a sort of dangerous and counterproductive act that it should only be done as a measure of absolute last resort. And I think it should be financially painful. I think it should be something that gives companies a lot of pause and makes them think about, you know, is there any other possible thing that we could do to avoid this? My fear with bringing insurers into this picture is that they will look at the different options and say, OK, I actually think, you know, making this payment could be the cheapest way and the fastest way to resolve this. And if we don't make this payment, then that could mean interrupting your business for a week and that we're going to be paying out those business interruption claims. And I think it sort of skews the calculus in a way that doesn't take into account the longer-term societal level incentives this creates for criminals to continue conducting ransomware campaigns.
Ann Johnson: Yeah, I agree. And I think it is a very difficult question. And, you know, we always recommend not to pay the ransom. We also understand pragmatically that sometimes organizations just feel like they don't have a choice because of business disruption. But making it a harder decision rather than the - and what feels like an easy reply. And there is nothing easy if you're a ransomed organization. I think raising the bar would be helpful. But I also want to be really empathetic. These organizations who are - their critical business systems are offline, they literally cannot do business or health care organizations who can't, you know, perform surgeries, things like that.
Ann Johnson: Let's talk about exclusions for nation-state acts. So some cyber insurers are starting to message and talk about that. Those are acts of war, and they would not be covered. They would be excluded. Given that our government does not actually, as of now, formally help organizations respond - there's a lot that's done with threat intelligence and sharing. But, you know, the example we often use is if a nation-state entity literally dropped a bomb, a kinetic war, on the Microsoft campus in Redmond, the U.S. government would reply. We don't have, you know, that expectation across industry and private sector of the same level response from government. So given that, now that the cyber insurers are thinking about classifying, you know, nation-state events as acts of war and not covering them, how do you reconcile those things?
Josephine Wolff: So I think the challenge here is that insurers have one very specific, very kind of legally entrenched definition of what they call warlike or hostile acts, which is not necessarily in line with the ways that, say, the U.S. military or government is thinking about acts of war. And so you have this fairly large disconnect between sort of where the government believes its obligation to respond to cyberattacks starts and where insurers believe that their obligation to cover the costs associated with state-sponsored cyberattacks begins. And the case where we sort of see this most starkly is the 2017 NotPetya attacks, which have been widely attributed by many governments to Russia, that are sort of directed initially at Ukrainian targets, but very quickly spreads to a bunch of companies all over the world, causes massive damage - estimated, I think, around $10 billion. Many of the companies that are hit by NotPetya file claims with their insurers.
Josephine Wolff: Now, one thing that I think is sort of important to note about those claims is that several of them actually file claims, not just under their standalone cyber insurance policies, but also under their property and casualty policies because many kinds of insurance now include some coverage for destruction of data and things like that. And the important part of that is the property and casualty policies are much bigger, right? You can buy a billion dollars' worth of property and casualty insurance. You can't buy a billion dollars' worth of cyber insurance. Nobody will sell that much to you because it's too uncertain. And so you see companies like the pharmaceutical company Merck, the multinational food company Mondelez, filing claims under these much bigger policies because they want a hundred million dollars, they want a billion dollars in damages done by NotPetya. And their insurers say in both of those cases, no, this is a warlike act. This is the Russian government doing something that is aimed at another country - in that case, Ukraine - and we have an exclusion in our property and casualty policies that goes back many, many decades that says we don't have to cover acts of war because you can't possibly model and predict and pay for those. And so there are these long legal battles in both of those cases - with Mondelez and with Merck - about, well, is NotPetya really a warlike act?
Josephine Wolff: And one of them has actually been resolved in December of last year - or has been - at least, we've had an initial ruling out of New Jersey in the Merck case, which says, no, NotPetya is not a warlike act. There's no sort of traditional use of force. There's no violence. And so in that case, the insurers, it looks like, are going to have to pay that claim out. But it raises a lot more questions about, well, OK, what if you have a war like the one right now between Russia and Ukraine - where there is the use of traditional force, where there is lots of violence - and you have a cyberattack in that context? Is that going to be considered an excluded attack? And I think we're just sort of starting to see the beginning of these disputes play out in which insurers really do not want to be on the hook for these massive state-sponsored cyber campaigns.
Josephine Wolff: But it's very hard to carve out all state-sponsored cyberattacks and say we're not going to cover those because they're simply too common, right? When we think about something like the war exclusion, what we thought was being said by the insurers was, here's this fairly rare, very extreme thing that we're not going to cover because it's just too impossible to model and predict. But once you get to the point of saying, well, you know, most state-sponsored cyber campaigns, we're not necessarily going to cover. You're now saying, like, these are things that happen every day that you should not take for granted will be covered by your cyber insurance. And I think that's extremely worrying to a lot of policyholders, not least because there's still so much uncertainty about how that attribution process is done and how you know when something is or is not state-sponsored.
Ann Johnson: Yeah. And I think that that is - it really is going to be a tough conversation. And I think that's one of the conversations that's going to drive policy in the whole cyber insurance field for quite a while, right? It's also - we need to get the governments caught up with attacks, anyway, that are nation-state-sponsored and are not kinetic attacks. And then we need to add on - layer on the cyber insurance aspect.
Ann Johnson: Well, let's talk a minute about your book so I can ask you a couple of questions that, you know - of things related to your book but are interesting to me. In the abstract for your book that I read, you said, an industry built on modeling risk has found itself confronted by new technologies before the risks posed by those technologies can be fully understood. You know, security has been an afterthought for a long time, and it's been only in the past three to five years that it's actually become more viewed as a business enabler and an imperative for organizations. So, given all of that, can you talk a little bit about how the cyber insurance industry actually has an opportunity to change cyber posture for their customers, to help improve cyber posture for their customers as they model risk, right? As they learn to model risk, they can say, look. These are the most risky things that will lead to a big event. So here are the things you need to improve. And talk a little about the opportunity for cyber insurance to actually share threat intelligence and drive meaningful change in the industry.
Josephine Wolff: So this is far and away, I think, the most exciting piece of the cyber insurance market, and it's the thing that got me interested in this topic in the first place - was this idea that you could have a set of companies that were collecting information about cybersecurity incidents at a large scale across a bunch of different organizations in every different sector and putting that together with information about, well, which security controls and countermeasures were in place? And what can we say about which of those controls are really effective and we should be requiring of everybody? And it was this idea, which I think the insurers to some extent really promoted as well, starting in 2014, 2015, that we're going to have some real empirical evidence to put behind these kind of general lists of best practices for cybersecurity.
Josephine Wolff: So there's no shortage of advice around cybersecurity out there, but I do think there's been a shortage of sort of really good data to support, OK, if I only have X amount of money to spend on security, what's the sort of most cost-effective thing I can do with that money? Or how do I compare the different benefits of different potential security controls and countermeasures? And that hope - the idea was that insurers were going to become a way to put that information together, that they were going to be able to say, OK, we've collected information about thousands of different incidents. And now we can say that if you do these eight things, then you drive down your risk exposure by X percent. And not only that, but we're now going to go out and require of all of our policyholders that they do those things.
Josephine Wolff: So they were both going to be able to figure out what really worked for cybersecurity, and they were in a position to just mandate for all of their policyholders, these are the things you have to do. And it was kind of the, like, smoke detectors, seat belts for cyberattacks, right? Like, you collect a lot of data about what helps people survive car accidents. You say, OK, we need airbags. We need seat belts. And then together, sometimes with regulators, you kind of work towards making those things mandatory - or smoke detectors for fires or things like that. And I think we've seen some progress but not a ton of progress in that direction so far.
Josephine Wolff: And there are a lot of reasons for that. I think one big reason that surprised me a little as I was working on the book was many insurers said, look. We just can't get a ton of detailed information about a lot of the incidents that we cover. So when a company files a claim with us for a cybersecurity incident, and we say to them, like, we'd like to see the report; we'd like to understand what happened and what security controls you had in place, they're often told, oh, that report is actually privileged, or sometimes even, we didn't write that report. And so many of these insurers feel that their claims data is actually not sort of granular or detailed enough for them to be able to do that kind of data analysis.
Josephine Wolff: And then the other piece of that is that when they've been sort of looking through and figuring out what actually drives down the costs associated with many of these incidents, one of the things that has come out from that - and I think this goes back to that kind of early stage of cyber insurance when it was very focused on breaches of personal information and the lawsuits and legal settlements around those - is they say, OK, one thing that really seems to help is if you get a lawyer involved very early, right? So one of the things many insurers now do is they say, here's a panel of approved law firms. If you have some kind of data breach or cybersecurity incident, the first thing you do is you call one of our approved lawyers, and they kind of oversee the incident response. And what that has meant, among other things, is that a lot of these investigations now happen sort of under the umbrella of attorney-client privilege. And so it becomes harder, not easier, to get access to the information about what happened.
Josephine Wolff: And I think that's also been an obstacle in sort of trying to move forward and saying, OK, we're going to collect all of this amazing data and enforce a lot of really important cybersecurity requirements moving forward. I still have some hope for that, I should say. I think that insurers are in a really powerful position to do that. And in particular kind of as compared to some of the government agencies like NIST or others that think about technological standards, I think insurers are in a position to sort of evaluate and update those requirements much faster. Because you have to renew your policy every year or so, you have this opportunity to kind of touch base with all of these companies pretty regularly and say, OK, here are the things that we think are really important to be doing this year. And we know that's super-important for cybersecurity, where you don't just want to say, like, OK, here are the three best things. Go do them, and you never have to worry about this again.
Ann Johnson: I think that you're right. I think the most important thing that cyber insurance can do is actually drive change in the industry. And I love the examples you use about seatbelts and those type of things because that's something that our audience can relate to. Speaking of things our audience can relate to, you always have a lot going on. I'm really impressed by the cadence and the velocity and the quality of your work. I'd say you're one of those folks that can produce a lot of work, and it's such high quality. So in addition to the book launch, which - congratulations, again - what else are you working on?
Josephine Wolff: Thank you. So right now I'm looking at two things. One is sort of the workforce capacity-building efforts in the United States, in the U.K., in Australia and Israel, trying to get a sense of how different governments are trying to encourage more education and awareness and training around cybersecurity. And I'm interested in sort of what the different spending initiatives are at different stages of, you know, all the way from elementary school and high school to college and graduate school to mid-career interventions and, in particular, kind of how we're measuring the impacts of those different initiatives, which have been around now for 10 to 15 years in some places, and trying to understand sort of, are we making progress? If so, sort of in what areas? Where do we still need to think about trying to ramp up some of those efforts? And what kind of measurement initiatives can we be setting up alongside some of this workforce capacity building work? So that's one thing I'm really excited about - is sort of understanding how those initiatives are shaking out and what progress we're making.
Josephine Wolff: And another thing I'm really interested in is the U.S. government response to foreign state-sponsored cyberattacks and, in particular, kind of the Department of Justice strategy going back to 2014, when the first kind of official indictment of foreign state-affiliated hackers is released by the Department of Justice - trying to understand sort of how the U.S. government has responded to these state-sponsored cyberattacks and what we can learn both from the information that they've released in their sort of public indictments and in complaints against foreign hackers and also in the ways that they have and have not chosen to respond to various attacks - everything from, you know, Sony Pictures and NotPetya to Chinese cyber-espionage to attacks on HBO from Iran - a whole sort of really wide variety of cyberattacks that have been linked to nation-states and how the U.S. has sort of shaped its response to those.
Ann Johnson: That's fantastic. And I look forward to reading more as you publish more on those topics and talking with you again. This has been a great conversation. So I really do appreciate your time. One of the things we try to do in "Afternoon Cyber Tea" is send our listeners off with two practical pieces of advice. Is there anything top of mind for you to send our listeners off as they think about acquiring cyber insurance? What are a couple of things you would suggest they do?
Josephine Wolff: So I would say the first thing when you're thinking about acquiring cyber insurance is you really want to think about sort of, what are the threats and risks that are most pertinent to you in your organization? - because that varies so much, right? It's not like the sort of auto insurance model where you say, well, you know, everybody has sort of the same set of fears around getting in a car. You really want to think through sort of, is this extortion? Is this data breaches? Is this business interruption? What are the different pieces that I need to be looking for in an insurance policy?
Josephine Wolff: And then the other thing I would say is really important here is trying to understand, as you're talking to different insurers or different brokers, what are the ways in which you're going to sort of handle what we might call moral hazard in the insurance space. By moral hazard, I just mean sort of the potential that, once you've bought insurance, you're going to perhaps engage in slightly riskier behavior because you know you have some financial cover if something goes wrong - and so sort of coupling that insurance purchase with a really proactive stance on, how am I going to still be investing in security, and what is the insurer that I'm working with going to do to help me understand the most important things that I can do using their claims data or their knowledge of the space - and really sort of viewing that as a partnership in which you are buying insurance coverage but also relying on that insurer to give you some guidance about how to make sure you don't need to use it too often, hopefully.
Ann Johnson: That's fantastic advice. I think combining the purchase of cyber insurance with actually improving your security posture and letting your insurer help you with best practices and guidance is tremendous advice. Josephine, I want to thank you again for making the time to join us on "Afternoon Cyber Tea."
Josephine Wolff: Thank you so much - glad to be with you.
Ann Johnson: And many thanks to the audience for listening. Join us again on "Afternoon Cyber Tea" wherever you get your favorite podcasts.
Ann Johnson: We invited Dr. Josephine Wolff to join "Afternoon Cyber Tea" because cyber insurance is a really timely topic, and it's not well-understood. We thought there was an opportunity for someone who's very deep in research and working with the industry to help folks understand what cyber insurance is about, what it covers, how to get the right policies. And one of the things that really was enlightening on the conversation was her push that - if you're going to get a cyber insurance policy, you also should be at the same time improving your cyber posture in your organization. So it was a fantastic episode, and I look forward to listener feedback.