Cybersecurity risks and protecting your digital assets


Artificial intelligence and technology are changing cyber risks for carriers and their customers. Sarah Thompson, head of cyber, North America, for MSIG USA, examines the evolution of cyber insurance, offers suggestions for managing third-party risks and shares how AI is changing cybersecurity.

Transcription:
Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the corresponding audio for the authoritative record.

Patti Harman (00:09):
Welcome to this edition of Leaders. We're so glad you could join us today. I'm Patti Harman, editor-in-chief of Digital Insurance. Artificial intelligence and technology are impacting cyber risks for carriers and their customers around the globe. The risks are changing, the threats are evolving, and threat actors are using AI and other tools to disrupt businesses on a daily basis. There have even been attacks on major retailers, financial institutions, airlines, insurance companies, and even Microsoft this year. So basically everyone and anyone is fair game when it comes to cyber attacks. Here to discuss all of this and more is Sarah Thompson, head of Cyber, North America, for MSIG USA. We will examine the evolution of cyber insurance and how AI is changing cybersecurity, look at suggestions for managing third party risks and much more. Thank you so much for joining us today, Sarah. Thank you. So as I alluded to, there's been a lot going on in cyberspace these days. Ransomware attacks are changing, the demands from bad actors are certainly getting bolder, and the entities impacted by attacks span every line of business. Are there certain types of attacks that companies are more concerned about, say data breaches or ransomware or something along those lines?

Sarah Thompson (01:41):
Yeah, so historically companies were very focused on large scale data breaches of sensitive information, corporate confidential information. And while that still remains an exposure for organizations, the main concern and focus has definitely shifted to ransomware as we've seen an uptick in frequency as well as sophistication of phishing, spoofing, and business email compromise attacks happening against organizations across all industries. It's really led to ransomware being the main concern for most organizations today.

Patti Harman (02:19):
Yes, and one of the things that's become really important is the training aspect of it, because we've seen that just within our company and I think, oh, I write about this all the time, and still there are times when it comes up and says, huh, no, this was a training exercise and you failed. So are threat actors getting smarter and adapting more quickly than companies improve their defenses?

Sarah Thompson (02:48):
They are. So threat actors have always been very quick to adapt, but the speed of that adoption is what we're really seeing has materially changed and accelerated the types of attacks we're seeing and the success of those attacks. So as companies are investing in ways to protect their organization, the threat actors are at the same time working on ways to innovate around those protections. So it really makes response as important as readiness while organizations are evaluating how best to protect their company.

Patti Harman (03:25):
Then with all of these changes, how is the role of cyber insurance even changing, and do you find that the coverage has to keep evolving to address some of these emerging risks?

Sarah Thompson (03:37):
Yeah, so cyber insurance has evolved to become much more than just a financial contract that you're buying. Cyber insurance now, in most cases, includes some element of proactive services along with response services. So at MSIG, we work very closely with our clients proactively to provide them guidance on how best to secure their organization, how they should be prioritizing their roadmap when it comes to implementing security controls to drive value both within the actual insurance policy, but also to help mitigate that loss. And then we're there in the instance that that does happen to help manage the response side. So I think the biggest evolution is not necessarily within the words on the page, but how that insurance policy is being integrated into the cybersecurity posture of the organization, how insurance is playing a part in the incident response piece, but also in the proactive risk mitigation vertical.

Patti Harman (04:42):
Right. And that's a really important aspect of it too that you don't think about until you've been through a cyber attack. So traditionally there've been a few vulnerabilities when it comes to cyber risks, and we're talking like cyber hygiene, employee training that I alluded to earlier, backing up your files and securing them, and even vendor exposures. Are these areas still susceptible to attacks or are companies becoming maybe a little bit more, excuse me, cyber savvy in these areas?

Sarah Thompson (05:20):
So I think companies are definitely more aware of their cyber risk than they have been in the past, and I do feel like most companies know what they are supposed to do and what is required of them. Where we see the fall down happening is in the continuous monitoring and the full implementation of those controls. It can't be a moment in time, check the box, we have EDR; it has to be continuous implementation as the company itself continues to evolve and grow while the threats are changing too. So where we feel the best protection comes from is when cybersecurity is embedded into the culture of the organization. So when you're looking at M&A activity, you're thinking about the cybersecurity risk associated with that. When you're looking at procurement of vendors and onboarding third party vendors, you're thinking about cybersecurity as part of that. When you're hiring talent and you're looking at expanding your workforce, you're training them, and to your point Patti, you're retraining them.

(06:22):
So it's not just a matter of, yes, we roll out quarterly phishing, but you're looking at those employees that failed the phishing from last quarter and you're retraining them. So human error is still a massive risk for organizations, but that human error is not always just clicking a link. Sometimes it's just the continuous practice. It's like a muscle. You have to practice this for it to become truly part of your organizational protection. Backups are a great example of where we see them failing, when on paper they're structured and set up exactly how they should be, but when it comes time to press go, we haven't tested them recently, we don't know that they're not working. And as a result, it's really hard to be as resilient as you think you are if you're not living it, testing it, breathing it as every part of your company is evolving and growing.

Patti Harman (07:18):
I spoke to another cyber expert who said the exact same thing, and he was like, you need to know, just because you've backed up your systems, do you know how to access that information and then just add it back in and access it and all of that sort of thing. So those are really important factors. Are there still common mistakes that companies are making that maybe make them a little bit more vulnerable to cyber attacks?

Sarah Thompson (07:44):
I think the main controls, the baseline controls, are pretty much the same. I think where they are making the mistakes is kind of on that testing, kicking the tires so to speak. So have the backups been tested? Is end-of-life decommissioned properly, and are we continuously training on business email compromise as the sophistication of these spoofings is continuously shocking us all? Are we preparing our employees to understand what to look for and giving them an outlet for reporting that behavior? Are we patching at the cadence that we have outlined we would? So it's much more walking the walk that we see companies struggle at. Third party risk is still a driving exposure for organizations, but it feels like we're at least very aware of that now. It's just a matter of how do we fold that exposure into our own insurance, our own insureds' priority of how to secure their organization.

Patti Harman (08:50):
You talked about third party risks. How can businesses better manage some of those third party risks that might leave them exposed to a cyber attack or some other sort of incident?

Sarah Thompson (09:04):
Third party risks, in my opinion, need to be viewed as first party risks. So companies need to take the exposure that they're seeing or putting onto their vendor into their own organization as their own direct exposure. So really strict due diligence on your vendor partners, contractual requirements on security controls and SLAs, vendor segmentation. So when you're bringing vendors into your organization, you're not allowing them to then have full access to your network. And then we're seeing more commonly now backup and redundant vendors being set up so that there is a very quick failover. So if you had an issue with one vendor, you have a redundant vendor already set up, already vetted, you've gone through that due diligence process already, and so you'll minimize the business interruption impact to the organization by moving to a redundant vendor for those core critical business functions that you rely on these vendors for.

Patti Harman (10:05):
Yeah, it's interesting when I hear about companies whose cash register systems are down or something else is down, my first thought is always, oh, that was a cyber attack. And you'll hear that in a couple of days when they figure out what the source of it was. But it's amazing to me how creative some of these threat actors are and how easily they're able to get into different systems and the companies just don't realize it. Are there certain verticals that are more vulnerable to cyber attacks, such as power companies or healthcare or financial institutions, government infrastructure? I mean, here, I'm in Baltimore and the number of hospitals that have been impacted and schools just really amazes me, but are you seeing certain areas that just seem to be a little bit more vulnerable?

Sarah Thompson (10:57):
Yeah, so there's definitely industries or verticals that are known for being more underfunded that have historically always been targeted for ransomware as a result of that. But then we look at industries that are more critical in the sense of the services that they're providing, whether it be power and utility, or the type of information and data that they hold with regulatory exposure tied to that. All of these factors lead into potential for more financially motivated extortion or loss. But also we're seeing a shift in the motivation of the threat actors from strictly financially motivated threat actors to threat actors looking to cause mass disruption, operational disruption or destruction, or instill fear in public safety. And so as a result of that, there are industries now that are definitely more heavy in operational technology that we're seeing be targeted for that broader systemic disruption type event versus straight extortion from financially motivated threat actors.

Patti Harman (12:14):
And it just amazes me how easily they can shift from one focus to another. So let's change gears just a little bit and talk about what seems to be everybody's favorite topic these days: artificial intelligence. It seems to be everywhere and it's evolving very quickly. How is it changing cybersecurity risks for companies though?

Sarah Thompson (12:38):
So it's changing the risks, but it's also changing our ability to protect against those risks as well. So I kind of view it as both a threat, but also a stronger protection available to organizations. So it's definitely accelerating the evolution of ransomware. So threat actors are using AI to automate attacks and exploit vulnerabilities at a much faster rate that will result in increased scale and impact for organizations. But on the defensive side, AI is being leveraged to strengthen cyber resilience. So we're detecting threats faster, we're responding more effectively and efficiently. So it's definitely fast moving on both sides, and it's requiring more proactive risk management and then also just this continuous adaptation of the use of AI. So if our threat actors are using it, we should definitely be using it as well to help meet that threat with a just as quick protection.

Patti Harman (13:45):
So AI is really able to help companies then kind of mitigate and identify those risks sooner. Are there other ways that they're able to use AI to kind of help on the defensive side for cyber attacks?

Sarah Thompson (14:00):
So companies are using it in ways to scale their own protections within their organization, but then also just to identify threats faster and move quicker through their own incident response and business continuity plans, ways of communicating internally at a faster, more effective rate than before. So it's definitely being used on the identification piece, but then also on the response side.

Patti Harman (14:30):
Is there anything that really concerns you at this point in cyberspace, whether it's trends that you're watching or emerging risks or the threat actors as they're becoming bolder and more aggressive in their attacks?

Sarah Thompson (14:45):
So I think you just hit on the one. So I think we're all a little bit scared by the speed of the evolution of ransomware. The more sophisticated the attacks are becoming, as a result, the impact and scale of any one event now has definitely been magnified. Another thing I think about is it's not one headline risk, but it's kind of how all of these exposures are coming together. So some of the concentration of the third party vendors that we see within the insurance market right now for core business functions definitely concerns me. I think we've seen in the last two years, definitely in the last year, more systemic type attacks happening. And so that's always something that we're kind of thinking about when we're looking at managing a portfolio of clients and a portfolio of risk. Where is there shared exposure across our entire portfolio, and how do we best help manage our clients through those shared exposures?

Patti Harman (15:45):
What recommendations then do you have to help companies improve their cyber resilience? Training, I'm going to assume, is still an important part of that.

Sarah Thompson (15:55):
Yeah, so the strong baseline protections are still there. We still very much emphasize the importance of access management, endpoint detection, network segmentation, patching; all of those core controls are still equally as important, but the response is as important as the controls being in place. So incident response planning, business continuity planning, that shift from recovery to resiliency. How does an organization, how do we manage through the storm if we can't outrun it, so to speak? So training is very important. I've said it a couple of times now. It's really truly like a muscle. You have to practice it. The more you can arm your employees to be an extension of your cybersecurity team, the more broad your protection will be as a company. Tabletop exercises are a really good example of how to live and breathe what you have put in place and practice. And we do them with our clients a lot. And we always walk away with really key takeaways. And our clients are always very thankful because sometimes it's just a small little detail missing from the incident response plan that everyone thinks, oh, well, we would know who to call, but how do you call if you don't have access to your email, do you? So things like that that are just really practical in nature, but can be really critical in mitigating the financial impact of any event in real time.

Patti Harman (17:24):
That's so funny because one of the things I was thinking as you were saying that is we used to talk about keeping our emergency plan in a binder on a bookshelf. You have to still do that, because if your computer is locked or if it's not possible to get into your network, all you're going to have is whatever hard copies of something you may have created early on, and people don't think about that necessarily in the heat of the moment. Are there any risks that you're watching or issues that companies should be monitoring in maybe the next six to 12 months? I used to say, oh, three to five years, but it changes so quickly. It's like what happens between now and just six months from now could be totally different.

Sarah Thompson (18:13):
Yeah, absolutely. And I think this is a good example of it. We are watching closely the privacy and data collection exposure. We've seen an increase in litigation tied to how organizations are collecting data, how that data collection is being disclosed. And as a result of that, we're definitely looking very closely at how is consumer information being shared, how is it being collected, how is it being disclosed, just because of kind of the heightened litigation activity we've seen.

Patti Harman (18:46):
I know, I know when people ask me for my personal information, my response now is, do you really need that? And at first they're a little taken aback, and nine times out of 10 they'll say, yes, we do need it. But I want them to think about the fact that I am giving you personally identifiable information and I want to ensure that you are guarding it the way that it should be protected.

Sarah Thompson (19:12):
And that you understand how it is then being used. So that's a key link. So it's one thing to say we do need it, but do you as the person giving that data understand how your data is then being used in a multitude of ways within an organization?

Patti Harman (19:28):
Right. Very true. So wow, we've covered a lot over the last few minutes. Is there anything that I haven't asked you that our audience should know about preventing or preparing for cyber attacks?

Sarah Thompson (19:41):
No, I think we've covered it. I mean, I've said it a lot. I'll say it again. I think no one knows your organization as well as you do. So arming as many people within your company to feel responsible and accountable for protecting your corporate assets is going to be one of the best lines of defense you can have. Humans are still a driving loss leader in cyber insurance. So as tech is evolving really quickly, there are still people leaving the front door open, so to speak, clicking on the links, unsure how to report, or more importantly, being nervous that they clicked on a link and then not wanting to report it. So fostering an environment where cybersecurity is very much empowered and employees are accountable to that is going to really, really help. And then on the insurance side, partnering with an insurance carrier that can help you be proactive, can help you prioritize what really matters in your cybersecurity roadmap, but then also has the financial stability to be able to help you in the event that there is an actual loss, both on the response side, but then on making you financially whole for that.

(20:52):
One of the things we look at really closely at MSIG is how cyber risk can affect multiple lines of business, and it is really not a singular cause of loss. So we work really closely with our colleagues in other product lines when we have a client that we're supporting across lines of insurance to make sure that we are following the thread of cyber risk through all of their insurance policies, and not really looking to say, oh, well, it fits in the cyber policy, or it doesn't, but instead, do we as a partner really understand this company's cyber exposure holistically, and are we bringing the best solution to them holistically? So that's something that we have really invested a lot of time in to make sure that we are looking across product lines that could be impacted by a cyber incident.

Patti Harman (21:45):
And that makes a lot of sense, because with the way that we use technology today, it's not siloed in any one department or any one line of insurance. So it makes a lot of sense to take a much more holistic approach to it. So thank you so much, Sarah, for sharing your insights with our audience for this Leaders episode.

Speakers
  • Patti Harman
    Editor-in-Chief
    Digital Insurance
    (Host)
  • Sarah Thompson
    Head of Cyber North America, MSIG USA
    MSIG USA
    (Speaker)