For insurers considering revising their panels, CYFOR Secure offers insights into how they can be more effective and what insurers should look for in an MSSP partner.

The advantage of insured clients is that they will immediately be tapping into the network of vendors that are on their insurance panel. They will immediately have a huge range of guidance to talk them through the process, what needs to be done, what the risks are, what the benefits are, and the different courses of action. From an insurance perspective, it is difficult to perceive a complete shift from the odd attitude of, ‘well, we’re insured, so why can’t we just pay it, and everything will go back to normal’, which is a common occurrence. It’s the job of the insurance experts to explain why it’s not that simple. There is no one size fits all approach to these sorts of incidents, as there are so many variables.

There is much that goes on behind the scenes in the event of a cyber incident. Ransomware for example, even if the ransom is paid, it’s not just a case of a switch being flicked, and the lights all go back on. The negotiating route can be taken, a working decrypter tool can be applied and the IT system can be rebuilt, but this can be extended periods of time, even months. From an uninsured perspective, that type of attitude is more commonplace from companies that have a vested interest, because they’re keen to draw a line under the issue, limit the business downtime, and get things back up and running as quickly as possible.

On the private side of business, companies tend to be more demanding as it’s their money on the line. They don’t have an incident response process in place that an insurance company would provide. If a rigid insurance policy is in place, insurance can be on the phone speaking to the client within minutes of discovering an incident. In a private scenario, CYFOR Secure can be taking a call at midnight on a Saturday talking the client through all relevant steps and reassuring them. It might take a private company that we work with 24 or 48 hours to get to the stage where they’re speaking to us, and we’re getting the right people on board, which can have a huge impact on the trajectory of an incident. Those are the key differences that we see in those scenarios.


Cyber Insurance Costs

A recent study conducted by cyber insurance platform vendor Corax and global law firm Clyde & Co found that the overall cost of a data breach event is 36% lower for insureds who use trusted panel vendors to manage incidents, as opposed to those who opt for the open market approach. The white paper, Cyber Breach Insights: Key Drivers Beyond Cyber Insurance Claims, uses anonymized invoice data from 321 randomly selected US breach events to provide new insight on frequency, cost and duration of data breach events.

A key finding was that panel vendors, who are trusted third-party advisors selected by insurers, often with fixed rates and contractual obligations, can drive significant cost savings in the event of a breach. The overall cost of breach events involving panel vendors was $16,000, compared to non-panel’s $25,000. The largest drivers of cost savings for panel versus non-panel events were: credit monitoring ($500 versus $2,000), legal fees ($3,000 versus $6,000) and public relations ($6,000 versus $11,000).

“According to our research, there’s no doubt about the cost benefits associated with using panel vendors,” said report co-author Marcus Breese, head of insurance innovation and strategy at Corax. “Post-breach credit monitoring is one of the best examples. The average cost of credit monitoring for a company who bought credit monitoring codes in the open market was about $2,000, but with a panel vendor that dropped to $500, which is a significant difference. Likewise, legal fees were half the price on average if the insured went to a panel vendor.”


Panel Vendor Challenges

Marcus Breese, head of insurance innovation and strategy at Corax further states that setting up a panel of vendors is not a one-off process and managing it can be challenging.

More and more primary carriers are establishing panel relationships with the aim of reducing the costs associated with a data breach. However, setting and running a panel of vendors is actually “quite a challenging thing to do,” according to Breese, who set up a panel of vendors during his previous role as cyber head at Hiscox.

“Panels need to be constantly managed with regards to legal contracts and pricing to ensure they’re being run in the most efficient and effective manner possible, and to ensure the carrier’s getting the maximum benefit from it. It’s a lot more complex than just listing a few company names on a piece of paper.”


MSSPs need to be vetted: the skills gap issue in the UK

From a technical perspective, it’s probably no surprise that a graduate can be hired on a high salary straight out of university, but they don’t have the practical experience to respond to some of these incidents.

Lawrence Perret-Hall, Commercial Director at CYFOR Secure commented that “we have been called to numerous incident response investigations and when they’ve had people on the insurance panel from a technical point of view, who haven’t done an adequate job, the insured have said, look, you’re just not doing a good enough job. Thankfully, Kennedy’s Solicitors recommended us on this particular occasion, and when we went in it became apparent that the incident response team were recruited work and just fresh graduates. This was a large widespread complex ransomware job.”

“This team of graduates were just young, they knew what had happened, but they hadn’t had the experience or the practicalities of the impact on the business. There’s also a huge disconnect as well, there’s actually a very small pool of good quality incident responders in the UK.

“That is simply because the cyber market is moving way faster than graduates can gain proper experience. Many have moved roles for large salaries without gaining the necessary experience within each role. What they need to do is stay in a job and retain a good amount of experience, which will serve them much better.”


What insurers should look for in a clients MSSP provider

Insurers look for specific elements when it comes to MSSP providers and the services they provide to clients. This will heavily dictate the level of insurance provided.

  • A proactive approach to cyber security
  • Frequent vulnerability scanning
  • Multi-factor Authentication (MFA) enabled on all systems
  • An appropriate set of cyber credentials and accreditations
  • Air-gapped, encrypted, frequent and incremental data back-ups
  • Audit logs turned on across all systems and devices


Shifting mentality from reactive to proactive

One of the biggest problems in cyber at present is the lack of collaboration between MSSPs and cyber insurers. The question is how they can work together to benefit themselves, their customers, and the market as a whole.

Firstly, it’s the role of MSSPs to support organisations in achieving a strong foundation of cyber hygiene and improving cyber resilience with a proactive, combined cybersecurity solution. From there, a company will be better positioned to approach insurers and secure lower premium costs. This solution should include basic cyber awareness training; business continuity and incident response (IR) plans ready to use in the event of a breach; a comprehensive suite of back-ups that is regularly updated; and consistent threat detection and response services.

Vulnerability assessments are the next critical step for MSSPs to provide support. Regular scanning identifies unknown vulnerabilities in internal and external systems, enabling an organisation to respond to and remediate vulnerabilities before cybercriminals can exploit them. Vulnerability scanning can also include Dark Web monitoring to detect if compromised business credentials are for sale on the Dark Web.

Vulnerability scanning serves an essential purpose for insurers. If an organisation prioritises regular scanning, it acts like a black box for a car. Insurers can receive up-to-date data on a customer’s cyber resiliency, and consequently more accurately measure risk and price premiums. Real-time data should be provided by MSSPs to insurers and play a more central role in cyber risk assessments and cyber insurance policies for everyone’s benefit.

The importance of annual check-ins twice a year should also not be underestimated as this can make a huge difference to cyber insurance. Completing these checks and getting to know the client before they have to pick up the phone to report an issue; understanding how their systems are calibrated; how they store their data before we have to sit in a room with them having crisis talks.

Insurers also need to start looking at cyber risk slightly differently. Many primarily assess the amount of damage that can be done, and how much reactive services would cost in the event of a data breach. They need to move their focus away from viewing this as the primary consideration and start analysing how safe and secure an organisation is and what proactive measures are in place. How mature is this company’s cybersecurity, how many attacks have they mitigated, how regularly is vulnerability scanning used to provide a reliable, real-time risk posture? Working with trusted partners in the cybersecurity industry is crucial to help shift this mindset, enabling insurers and MSSPs to embark on collaborative partnerships and reduce risk together.


Cyber Security Retainers

Promoting the adoption of cyber security retainers can make a huge difference in the event of a cyber incident. They provide MSSPs with intimate knowledge of their client’s systems and in turn, a much faster response incident response.

From a technical point of view, without this information, when a company calls out of the blue to declare that their suffering a cyber-attack, numerous basic questions must be asked; how many staff have you got; how many offices have we got; is your network physical; Is it on the cloud; how many servers have you got? This takes up valuable time just to build a picture and ascertain whether or not this is a serious attack.

With retainer onboarding, all these details are accounted for, and a detailed infrastructure map is acquired, ready and waiting in the event of an incident. So, when the call comes through, you know the company, you know the server that has an unknown IP address attached to it, and you know you can isolate the issue. Suddenly your response goes from hours of learning to minutes to do an actual response. Onboarding takes no time at all and is a very effective tool. For the instant response. It’ll be quicker, cheaper, faster, and more effective.