Cyber Insurance: ThreatBlockr, Open Systems, Sectigo, More Address Challenges
Cyber insurance providers are getting more relentless about requirements for coverage.
Keeper Security’s Marcia Dempster said her company’s part in obtaining cyber insurance is focusing on the beginning of cybersecurity.
“I like to think that credential management and privileged access management (PAM) is probably the easiest part of cybersecurity to stomach and to pay for because it gets more and more complicated,” she said. “But with cyber insurance getting more relentless about what you need to have before they’ll give it to you, you’ve got a whole checklist and it just keeps getting longer. So … get it right now before the checklist keeps getting longer, and you have to do more and more things.”
ThreatBlockr’s George Just said one of his company’s largest partners is global insurance provider AIG.
“One of the things that they did, and this goes back a number of years, is they were offering our service as part of their insurance offering,” he said. “So if you’re a company that’s buying this much cyber insurance, we’d like you to have this ThreatBlockr instance because we believe you’ll be protected. And it’s been great for us because those customers expand. It ferrets out a key point, which is, you’re going to insure something and you’re insuring over something you don’t know. So do they have multifactor authentication (MFA)? Do they have any kind of password protection and do they even have good firewalls? We’re seeing audits of all that stuff.”
One of the problems in cyber insurance is providers move slowly, Just said. They’re auditing things that were important two or three years ago that aren’t necessarily important now.
“We’re also seeing people pull out of the insurance game,” he said. “There are big players that are just saying, ‘We’re not going to be in cyber insurance anymore.’ Along with everybody’s rates going up like crazy, and then deductibles per instance, per threat vector per whatever, it becomes really cumbersome for a lot of people. So I’m seeing people starting to self-insure and just saying, ‘I’m going to take that budget and I’m going to put it into more cybersecurity, and I’m going to protect myself as best as possible and assume there’s going to be a breach someday.’”
Open Systems’ Tim Roddy said one positive development is cyber insurance has forced boards of directors to get involved in their companies’ cybersecurity and risk management.
“You have to have a strategy and a plan,” he said. “It needs to deal with everything from 2FA to how you handle data and where you store it. And we in Europe need to [comply with] the General Data Protection Regulation (GDPR), all those kinds of things. And then you look at how you configure the products you have, or make sure you buy products that allow you to achieve and check those things off. There’s still risk. There are still going to be mistakes with human beings running these things. And then when you’ve got your act together, then you have a prayer or a chance of someone insuring. Their job is to manage risk and make money, and our job is to limit the risk. And for a while there, we had companies on zero trust saying, ‘Buy our product and you’ll be zero-trust compliant.’ That’s complete nonsense. They don’t even know what zero trust is if you’re buying on that basis.”
Sectigo’s Jennifer Binet said her company provides email encryption, and “if they have it, they get that check mark” for cyber insurance.
“For almost all the customers that leverage us, it’s a huge value-add for them to have,” she said. “Anytime I get into legal negotiations, it’s the biggest legal sticking point I have. It’s probably the one that I spend most of my time with counsel from both sides. But it’s mandatory, so I don’t see it somewhat changing.”
Sumo Logic’s Timm Hoyt said his company focuses on helping customers pass the “sniff test and the red face test” in audit and compliance.
“That’s one of our core use cases and we help them achieve that,” he said. “That’s helping to get them in the best position to get insured or reinsured.”
Dempster said zero trust may be required for cyber insurance, but “what good is zero trust if it’s not also zero knowledge?”
For example, if a user forgets their password, they shouldn’t be able to access it from the vendor, she said.
“I shouldn’t be able to see any of that either,” Dempster said. “I work at Keeper Security and I can’t help you with your passwords if you’re locked out. Zero knowledge is a super popular term that people like to throw around, but I don’t think people fully understand what it means. Zero knowledge is zero trust. You cannot trust me to know it either. Don’t trust me. You don’t know what I’m going to do with it.”
Getting cyber insurance can be a daunting task for any organization as it requires improvements in cybersecurity, compliance and more.
A cybersecurity roundtable during this month’s MSP Summit and Channel Partners Conference & Expo tackled the issue of obtaining cyber insurance, and how the participants’ companies are helping partners and customers obtain it.
Demand for cyber insurance is skyrocketing. At the same time, some insurers have left the market, while others have hiked premiums, limited coverage and instituted more stringent requirements.
Roundtable participants included:
Marcia Dempster, Keeper Security’s senior director of channel sales.
George Just, ThreatBlockr’s chief revenue officer.
Tim Roddy, Open Systems’ vice president of marketing.
Jennifer Binet, Sectigo’s senior vice president of enterprise sales.
Timm Hoyt, Sumo Logic’s senior vice president of worldwide partners and alliances.
First Thing Cyber Insurance Providers Ask
Dempster said the first thing cyber insurance providers ask when you’re applying is if you’re using two-factor authentication (2FA).
“So that is the easiest thing that we can all do,” she said. “What is a new thing and great for me, and also great for all of us is how are you securing your employees’ passwords? Is this person in accounts payable using their Facebook password for their workstation password? Because that’s a problem. We can’t do that. Who’s managing that? How are we taking charge of that? Which servers are talking to each other? Who has clearance? Who has access? All of those things are so important.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.