As interest in cyber insurance grows, people are asking more questions about the industry: What does the cyber insurance market look like right now? What kind of risks should SMEs insure against? Is it actually a good idea to insure against making payment after a ransomware attack? Or is it better to just not pay? In this interview series, we’ll talk to industry experts about what’s happening in cyber insurance. Alexander Schudra, our first interview partner, is Head of Cyber Insurance at ERGO.
Mr. Schudra, can you tell us a little about your background?
Sure. So actually, I don’t have a technical background, but an economic one. I spent nearly 13 years working in various roles at ERGO: 9 of them in Sales and 3 in central functions. In late 2019, an opportunity came up to take on a new challenge in cyber – and I was happy to accept it.
What is your perspective on the cyber insurance market – both looking back and right now?
My job means I’ve spent the last two years on a real deep dive into the market. Two years is an objectively short amount of time, but it feels like an eternity to me because the cyber market is so outrageously dynamic. It seems like every week there are new clauses, new players, extremely fast-moving threats, and shifting capacities. Not only that, but you blink and capacities and prices might easily fluctuate by more than 50 percent. It’s exciting, of course, but planning is a real challenge. A lot of that uncertainty is caused by a lack of technical expertise in most companies – large and small. And they often have very little awareness – or none at all – of their own threat situation. That means insurers, customers, and their brokers are all in the same boat. Naturally, that level of uncertainty means everyone is justifiably looking for insurers to offer appropriate risk transfer solutions. Long-term, however, that’s only possible and sustainable when the risks are transparent and actually insurable.
What organizational and technical steps should SMEs take to protect themselves, and against which cyber risks would you recommend taking out insurance?
That’s a good way of phrasing the question, since all of those issues build on each other. Without a certain level of technical and organizational cybersecurity in place, it’s likely going to be difficult to get insurance coverage in future. It’s the same as if you don’t lock your car: the briefcase on the passenger seat isn’t insured against theft either. Overall, and of course industries do vary in what they specifically need, it is always worthwhile getting insurance coverage to protect against exceptional situations. Only a few companies will be able to afford to recruit their own permanent crisis managers, PR advisors and IT forensics experts. Insurers can provide access to that expert network and also pay the costs of the work. The same can be said of preventive measures: it is entirely possible to implement these in cooperation with your insurer. Many smaller companies might otherwise find the time and cost it takes to realize these measures too much to bear.
What preventive measures would you advise that manufacturing companies in particular take?
Definitely training for all employees regarding cyber fraud and phishing, as well as regular reviews of the current situation based on objective criteria – a sort of stock-take once or twice a year, depending on complexity.
Is it actually a good idea to insure against payment in the event of a ransomware attack? Or is it better to just not pay?
Generally speaking, we have solid evidence that even if the costs are not going to be reimbursed by your insurer, paying a ransom can be a solid option in certain circumstances, to prevent longer-term business disruption or where there is a threat to release sensitive data. It really depends on the situation, there’s no one-size-fits-all solution. But what is true in all cases is that in the end, it is always worth reaching out to the attackers through specialists! Very often we can reduce the ransom amount significantly and obtain information about the timing of an attack or its origins. And that itself is an enormous help in recovering data and restoring operations, regardless of whether a ransom is paid.
What technical innovations in cybersecurity have you found especially interesting?
I think people really underestimate the issue of outside-in scans. These are scans that give an external perspective on a company’s publicly visible interfaces – like a website or mail server. This simple test can help detect easily identifiable vulnerabilities. It’s similar to the approach an attacker would take. Personally, I think these types of tools can help at least get some control over the moving parts in a threat situation and quickly identify obvious gaps in security. However, there is still a lot of work to do in this area; right now the different providers are producing very mixed results.
Are there industries or types of business that are especially challenging to insure?
Of course. There’s evidence that companies with revenues in the double-digit millions are slowly becoming more complex, and that there is a growing dependency on functioning IT infrastructure. If acquisitions of companies or subsidiaries increase the complexity of that infrastructure, that’s where it gets challenging.
Specifically in terms of industries: logistics and manufacturing are typically more prone to attack than, say, the ancillary construction trade. Also, industries involving large volumes of sensitive data are fundamentally more exposed, e.g., medical, tax, and legal services.
Are there maybe two to three aspects – that are not completely obvious – which SMEs should pay attention to when it comes to cyber insurance? Can you share any tips or tricks?
There’s no blanket answer to that question. Generally speaking, as well as being sure to review the conditions and obligations in great detail, it’s always important to ask which service providers will be available in the event of a claim and whether the insurer prescribes a specific provider with no alternatives. It’s also important to understand each party’s obligations and ask questions during the initial stages of the process, and make sure to follow up if anything is unclear. It’s so important that everyone understands exactly what the insurer wants to know or what conditions it sets out.
Is it true that cyber insurance tends not to pay claims if, for example, certain steps are not taken in good time, or if false information about IT was provided during the application process?
We can tack this on to the answer to the previous question. Like in other insurance segments, such as health, insurer queries about facts must be answered truthfully and upfront. In the event of a claim, it very quickly becomes clear how the attack happened, and whether the security mechanisms reported to have been put in place actually exist. Another example would be P&C insurance in the event of a fire: if a fire breaks out and there are no extinguishers in the location where the loss occurs, then that’s a conversation that’s going to happen regardless. Insurance firms often mandate a set of basic security measures. If those are not in place, then in certain situations the insurance may not even come into effect.
Are there other types of common false statements or half-truths that you hear from experts?
Let’s come back to the issue of outside-in scanning. Does that type of activity alone tell us anything about the state of cybersecurity? Obviously not. Is it pointless for companies to regularly evaluate their own infrastructure to detect any vulnerabilities? No, I don’t think so.
Looking at how things stand today, do you think premiums are likely to keep rising, or will they start to fall (adjusted for inflation etc.) as corporate security measures gradually become embedded in the longer term?
I wish I had a crystal ball that let me make those kinds of predictions. But I’m going to assume that the trend of rising premiums will continue. The tangible hardening in the market correlates directly with the massive rise in cyber claims in recent months. As such, we can assume that customers will not be able to keep buying cyber coverage at the same cost and under the same conditions. Everything will revolve around using active risk management to make existing risks transparent and insurable.
Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.