Hi, everyone. How are you doing? Everybody having a good day? All right. Well, when Patrick asked me to do the closing keynote, I looked for inspiration for a closer. And any baseball fans out there? You know Mariano Rivera? Arguably, the best closing pitcher in the Major League Baseball, for many, many years and-- not arguably, definitely, from the best baseball team in all of America, the New York Yankees. So that's where I'm looking for inspiration today.
So we started the week off in Mark's opening session. He talked a little bit about cybersecurity insurance. And we're going to dig a little bit deeper into that today. So the first thing I'll say is some people call this cyber liability insurance, also cyber insurance. And then I'm calling it cybersecurity insurance.
So a few disclaimers before I get started, I am not an attorney. I am not an insurance broker. And I'm also not an underwriter. But I am a few things. I'm a cybersecurity professional, an expert in identity security technologies. And this last one might seem out of place. But I'm a parent to 17-year-old identical twin girls.
So why is that important? Well, it allows me to tell you the story I'm about to tell you. Hopefully, none of you have dealt with this recently. But we're going to compare a little bit with our car insurance that we went through this last summer. I went through this journey. My children got their driver's licenses on a nice day in August.
I then dropped them off at their job. Thankfully, they had jobs. And while they were there, they had their car there. They were to drive home that day. So as soon as I arrived home, I called my insurance company and said, excellent. I have these two new teenage drivers. Please give me a quote.
Well, as you can see here, my policy before that day, me and my husband, pretty good drivers, two cars, $2,400 a year. What I was-- my mouth dropped to the floor. I knew it was going to be expensive but when they told me that my twins, two additional people were going to cost four times the amount that my husband and I cost, I was quite alarmed.
Well, we went ahead and did a little shopping. We know that they're risky drivers. We reached out to another insurance company. And we were able to negotiate a little bit. The way we negotiated, though, they took the risk. And they brought that down.
What they did was they said, OK, we have this app that you and your children can put on your phones. And it's going to keep track of whether you're speeding, whether you are hard-braking, driving too fast and then braking really fast, whether you use your mobile device while you're driving. And when we gather all of that data over time, then we can look at it and determine whether you are risky drivers or not. And if you're not and your children are not, you can keep this $4,000 a year.
So all of that to say the insurance company was calculating risk. And this is the same thing that cyber insurance companies do. Just a picture here of what the insurance company thinks my twins drive like.
So why do insurance companies have the ability to do this? Well, the automobile industry has so much data from so many years, statistics over time. So they're looking at motor vehicle crashes for children or teens between the ages of 16 and 19. It's the second leading cause of death for US teens.
And then they're looking at things like in their first months of licensure, they're much higher risk for having accidents. And I know we have some Europeans in the audience today. You guys are probably a lot smarter than us here in the United States. But in Europe driving at this age is not even permitted. So they've kind of gotten it a little bit more right.
Great story, right? So what? Luckily, I'm not here just to give you cautionary tales about my lovely teenage daughters. But we're going to talk about something that we can compare this to, the cyber insurance industry and how they quantify risk and how they determine how risky your environment is and what premiums they're going to give you even if you qualify at all.
My next few slides have some research from an insurance company called Munich Re. Munich Re insures or underwrites 14% of global cyber insurance policies. So they know a bit about what we're doing here. So you can see here that in 2018, these are premiums, $4.7 billion spent in the United States on cyber insurance premiums.
Then by the end of 2021, we were at $9.2 billion. And we're expecting a ton of growth in this space. Many companies are waking up to the fact that they need to have cybersecurity insurance. And why is that? Well, we know that ransomware and cyber attacks on both supply chain and critical infrastructure are on the rise, a huge problem. Ransomware accounts for 60% of all claims that cyber insurance companies are getting.
So this is one of the top things that we're looking at. And you can see here the ransom that's being asked, sometimes paid out, in some cases not even being paid. And our C-level respondents from this questionnaire that Munich Re did said that 83% of them, although they recognize that this is so important, still feel like they're not adequately protected against cyber threats. So we need to do something about that.
When we asked our respondents why they don't have cyber insurance, there were a few different reasons. The ones that really stand out to me here-- and this is why I wanted to talk about this topic-- 25% didn't even know that they needed it, that it existed. 22% didn't understand the product that they were being offered and what coverages they would have. And then 29% thought that the price that they were being asked to pay was just too high.
So now we're going to dig a little bit deeper into cyber insurance, what's offered, and how to kind of unpack that a little bit more. So the first thing I want to talk about is the two sides to cyber insurance. We have first party and third party. So what does that mean? First party is insuring you, the company, and your systems. So it's going to protect you against things like ransomware or breaches on your own network or systems.
It's going to allow you to pay for notifying your customers if you're breached, purchasing credit monitoring services for any of your customers that data has been impacted. It's going to allow you to investigate the source of the data breach and also to reimburse for business interruption. When you have a breach or you have ransomware, there's going to be a period of time that your company is not performing either at all or to the level that it should be. So there's going to be some loss of funds during that time as well.
Now, third party-- this is newer. But it's also important, especially for you, partners, implementers in the room. So third-party cyber coverage is for when you're working on somebody else's systems. So if a company has a breach, they may name in a lawsuit anybody who's touched their systems-- so implementers, freelancers, even if you never had direct contact with that company but you were called in to do some work attached to their system. So you could be liable in that case as well.
So we've talked about the two sides. And then we've got four buckets. So the four buckets make up pretty much everything that's going to be insured against. So the first thing is the pure data breach. So with the data breach, it's all those things that I talked about a little bit before-- so making sure that you can do the forensics on what was happening within your environment, making sure that you are totally covered to be able to cover loss of funds, anything like that.
The second bucket that we have is ransomware, arguably the biggest bucket that we're talking about here. So this one is going to be, perhaps, to pay the ransom that's been extorted from you or also just to cover that time that you're down and being able to decrypt all of the data that's been attacked in your environment.
And then the third bucket is loss of funds. So company shuts down for a period of time, that's considered loss of funds. Also, brand reputation could be covered under loss of funds as well. And then the final bucket is just kind of everything else. So this is going to be situationally important to your specific industry, your company, and the things that you're going to need to have covered there.
So that's a lot. How do you figure out which is best for you? There's hundreds of insurance companies. There's thousands of policies to look at. Well, really, what you need to do is be individual about this. You need to balance the premiums against the risk to determine what's best for your organization. You need to consider what does a disaster look like in my environment? What are the things that I want to protect against?
And you also need to think about the fact that one person shouldn't be making all of the decisions on their own-- not the CFO, not the CRO, not the CSO. But you bring all of those people to the table plus many more, all of the stakeholders who can provide all of the data that you're going to need to make the best choice.
The next part I want to talk about here is ballparking or estimating, kind of goes back to my baseball theme at the beginning, and some tools that you can use. If you write anything down or take a note right now, this would be maybe it. I think the slides will also be provided to you afterwards. But these are three examples of tools that can be used prior to engaging with an insurance company to determine what limits you would like to have for your insurance and also what premiums you might be expecting to pay.
So now, we're going to get a little bit more into the technology and the security that you need to have in your environment to even get entry point cyber insurance. And then we'll talk even beyond that, how to get your premiums lower.
So be the adult driver. Be me and my husband. Don't be those teenage drivers. I have a top 10 list here for you. My colleague, Darren Thompson, actually created this top 10 list. And you'll see it published soon on our website. But I love a top 10 list, made famous by David Letterman on his show. I thought about how on his show he had his top 10 items on big cards. And he would throw them out into the audience after he read them off. But I figured, talking about insurance, throwing pointy objects into the front row is probably not a great idea.
So we'll just talk through them. So number 10, what you want to do here, this might seem old school. It might seem table stakes. But people aren't even doing this well always. You need to regularly patch your systems. You need to have a documented plan and stick to it. So we're talking about patch Tuesday for Microsoft, we're talking about patching all servers, applications, OSs that you might have in your environment.
Number nine, implement multi-factor authentication. And this is everywhere in your environment. Don't just say, OK, I've got multi-factor for my VPN. I'm good. Nope. You need it everywhere in your environment. Defense in depth. So you want multi-factor at the desktop, multi-factor at your VPN if that's what you're using, in your privileged management system, and all applications. Also, make sure it's running all the time and all users are required to use it.
Number eight-- also somewhat old school-- but you need to use encryption for all of your data at rest and in flight. One of my favorites, because it's near and dear to my heart, implement privileged access management practices-- so things like vaulting up credentials. I'm sure you've heard a lot about this this week, session management, and making sure that everyone is sticking to this and thinking about the concept also of everyone might be a privileged user in your environment. It depends on what they have access to, what applications they're using.
So number six, create redundant and reliable backups. It's not just enough to have backups anymore. You need to have both on-prem backups and store them in the cloud as well. You need to test your backups, practice, make sure that you can recover from any kind of problem.
Number five, conduct regular access reviews. So this is things like who has access to certain applications in your environment, making sure that on a regular basis, perhaps quarterly, you're reviewing whether those people should still have access.
Number four, Active Directory may still be one of the most important things that you need to protect in your environment. This is the single point, for those who have Active Directory, where you're both authenticating and having authorization throughout your environment.
Number three is risk-based authentication. So this kind of goes along with the multi-factor, making sure that when someone's doing something risky or accessing something more risky, we do a step-up authentication.
And number two is regular pen testing. So many organizations can do this themselves. But you also should hire third-party pen testers. The idea here is to know about the faults, know about the vulnerabilities before the hacker knows about them. You're never going to be completely secure. So you want to be continuously doing penetration testing so that you can find those faults.
And number one-- and I really love this one-- is establish an incident response plan. Like any good football team, sports team, you have plays. You have plans. You learn them. You document them. You practice them.
So it's not just enough to have the plan. You need to practice. And sitting kind of at a roundtable and doing that incident response plan is really a great idea to make sure that you're completely covered.
So don't get that insurance and then drive drunk or maybe not wear a seat belt. You want to get the insurance and then continue to do the things that will keep your environment safe. The number one thing I would tell you if you leave here today is don't view cybersecurity as a project. It's not an MFA project or an encryption project.
This is a program, which means it's continual. You have to continually be looking at what you've done, what's still to be done, what new technologies are out there, what new types of hacking are out there so that you can continue to improve. And there's no such thing as completely secure. You need to determine your organization's preferred risk posture or appetite.
So Darren talked about this a little bit earlier in the week. And I know you guys were really interested because I saw the cameras come out when he had that diagram up on the screen. You want to look at what is acceptable risk in your environment and what is unacceptable. And then there's the shared risk.
So anything that's shared is what you're going to share with your insurance company. So you're going to own part of that. And they're going to own part of it. The key is being resilient. And you definitely want to have defense in depth.
We've talked a lot about all of the different areas this week where you can secure your environment. Don't just do one of those things. Operate your program so that you're doing all of the things that you can do to keep things safe. I did want to thank our sponsors. I know you guys have spent a lot of time and money to be here this week. We really appreciate all of our sponsors. And that's all I had to say. Thank you.