Podcast Mini: The Importance of Good Cyber Hygiene


Each month, Antigen CEO Steven Legg is joined by Cysurance CEO Kirsten Bay for a podcast in which they discuss all matters relating to cyber liability insurance and the security controls organizations need in order to be insurance-ready. You can listen to the podcast on many popular streaming services including Spotify, iHeartRadio and Amazon Music. Or, just visit our YouTube page to see the original recordings!
While you are waiting for the next episode to drop, here’s an excerpt from the May episode, in which Steven and Kirsten discuss good cyber hygiene, the right path you can take for your customers, and the changing risks you could face. Both the video version and the text version are below. Be sure to subscribe if you found the information helpful!

Transcript:

Steven Legg: “What do you see, and do you think good cyber hygiene is kind of the right path moving forward down that path?”

Kirsten Bay: “Well, you know what I’m going to say, of course, is the answer. It’s really the thesis, of course, of what we do as an organization. That we put cyber controls first and then we write around them and we measure them. So, it is really wonderful to see validation, but of course, we know that that’s what should have been the outcome, right? And so what’s more important, I think, is focusing on how we continue to measure, how we continue to prove, how we continue to improve, and how we continue to get people to not only check those boxes because they’ve done it but actually go through a verification process where there’s a continuous compliance component where we are able to measure efficacy from the point of looking at an IOC or an indicator of compromise and how we can remediate those rapidly to measure that in relationship to then full-scale breaches. And I think what we can really start to get through is in the relationship to what question between breaches and cyber hygiene starting to reduce the severity and impact of events.”

Steven Legg: “Completely agree. And I think you drew a conclusion inside of that that’s especially important, and that’s the relationship between those. Whether it’s a zero day, whether it’s a new vulnerability, whether it’s a specific attack being levied by a particular threat actor or family of threat actors. The analysis, understanding, and then response to those points of learning, I think, are especially important. I’m curious because we have a lot of folks in the IT services space and work with a lot of those folks, both of us. What are your thoughts on how that conversation changes when you’re not only responsible for your own risk but responsible for a portfolio of risk?”

Kirsten Bay: “Well, durability and the premiums in that particular group are still very unstable. And so, you know, it’s one of those things where it’s nice to see in general that the market is leveling off. I mean, we’re leveling off at a rate where we’ve already experienced triple to quadruple digits in terms of increases, so it’s not like we’re going, we’re not reverting to lower premiums, but we’re not seeing the increases that we’ve seen in the past. MSPs, unfortunately, don’t really belong to that group. We are still seeing increases, particularly for their own coverages, because of the point you just made, which is that they’re responsible for a bunch of organizations, and it hasn’t yet been proven out that they are, writ large, reducing the exposure to their own organizations from a supply chain perspective. So, the proving out of that is a little bit slower or has leveled off, but there’s still this anxiety around, you know, do we have it right yet? I think certainly one of the things that we know is there were a lot of MSPs, particularly, who were not putting MFA in their RMM tools, and that really had very broad-level implications. So, we have seen a lot of, you know, privileged access management, identity and access management, and improvements there that I think really have impacted the losses that we’ve seen. But when I do talk to carriers, we’re still seeing that when incidents are occurring at MSPs, it’s not like, ‘Oh no, this bad thing happened,’ it’s like, ‘Oh my gosh, another catastrophe.’ And so that’s the thing I think that we really need to start paying attention to: how do we help dial back the severity of those incidents? Because when they’re getting hit, they’re still incredibly severe losses. And so, it’s in relationship to managing their own premiums and being able to become insured, but also how they manage their liability and being able to prove to their clients that they’re protected in the right way.”

Steven Legg: “Yeah, I know, I completely agree. And I think what’s interesting there is that a lot of the things that we’ve talked about in the past and that we continue to talk about as we work together in this industry are really things that directly touch on and address a lot of those points. You know, I get asked all the time by MSPs, ‘How do I sell security? How do I use the insurance to sell security services and do all these things?’ It’s like, ‘Well, guys, let’s take a step back and stop looking at things like they’re widgets, and let’s first start the same way that I recommend that somebody looking to transition, as an example, from technology to security as a discipline might do this. Start at home, look at those frameworks, look at the industry frameworks, look at the security controls that enterprises and larger organizations are implementing. Implement those in your own backyard, get that muscle memory, get that practice, understand what your risks are and how to quantify them and how to craft intelligent contingencies and responses. And also, you know, layer your defense in a defense-in-depth manner around those risks. And that’s really kind of the conduit to doing everything else. You know, I hate to repeat myself, but it’s one of those things that until you’ve gone down that road, if you’re still thinking that a product, or any particular one piece of what should be a fabric of risk mitigation measures, is the solution to all of it, you’re going to be left in one of those disaster scenarios. And that’s what everyone wants to avoid. But the MSPs obviously don’t want to make those claims, and the insurers don’t want to pay them out. So, the meat-in-the-middle solution, I think, is the apex of all of it.”
