The Canadian Cybersecurity Podcast – Episode 02 – The state of the cyber insurance market in 2023

On today's episode:

I’ll be talking with Lucas Black, who is a CISSP and Principal Security Solution Architect at CDW Canada. We’ll be talking about the evolution of cyber insurance, the challenges that organizations face due to the changing threat landscape, and the priorities that need to be focused on for 2023 and beyond.

Below is the transcript of the podcast and links to some of the references as well.

Cybersecurity controls checklist for cyber insurance – (Gallagher Risk Management, Insurance, and Consulting)

Cybersecurity Analyst average wage in Toronto, Ontario, Feb 2023

CyberScape 2021 – all companies in the security space

The Canadian Centre for Cyber Security

Daemon Behr: (00:01)
Today I’m joined by Lucas Black. Now Lucas has been in the security space for quite some time now. Currently he’s the Principal Solution Architect for Security at CDW Canada. Lucas, you have quite an interesting career, and you’ve probably been in the space for some time and seen all kinds of interesting things. Can you give me a bit of a background of how you got into this space?

Lucas Black: (00:28)
Sure. You know, I started my IT career in about 1994, when I was still actually in high school. And really kind of, you know, did the traditional: building your own computer, then fixing family computers, and then it really kind of took off from there. As far as security goes, I feel like I’ve been in security kind of right from the beginning. You know, to me, security is doing things the right way, the first time. And I hate doing things more than once. So, call it laziness, call it whatever you want, but it doesn’t make sense to stand something up quick when you’re just gonna have to put a Band-Aid on it five minutes later. So, kind of throughout my career, security’s always been my focus, really starting out of college.

Lucas Black: (01:18)
I helped set up a security program for home and small businesses, back in Ontario, and then picked up a role at the University of Western Ontario where, really, I was brought in for security. They didn’t have a hardware person, just an assistant. They had gone through a couple of data breaches. That’s where I really got in deep with system hardening and database hardening. It was a very daunting task that I didn’t think I was ever gonna get through. You know, after being at the university and solving a lot of the security issues that they had, I moved to Calgary and have worked for, now, my third value-added reseller, in CDW.

Daemon Behr: (02:05)
Thanks a lot for that background. Now, one thing that I’d like to talk to you about today, which is top of mind for a lot of our organizations, is the topic of cyber insurance. There’s an interesting evolution in what cyber insurance is. I think that back a few years ago, when the first concept of cyber insurance really became a thing, the insurance industry didn’t really know what that meant from their perspective. So they got into it without fully understanding what it would really mean at that time and what it would evolve into. What’s your perspective on that?

Lucas Black: (02:44)
Yeah, I think when the insurance companies started getting involved, three to six years ago, they didn’t realize, they didn’t have any clue of what they were getting into. I think if you compare a policy, an original policy when they first came out, compared to what you get today, it kinda looks drastically, drastically different. I think the insurance companies thought it might be an easy way to make some money, because they could see that it was going to be a requirement. Insurance is always needed. But I think that they quickly started paying out a lot more than they were taking in for cyber insurance.

Daemon Behr: (03:23)
I definitely agree with that, and there’s been a lot of changes over the last few years because the insurance companies have really suffered a lot of losses, and that’s something that they don’t really see in the other spaces that they provide insurance for, because they have these subject matter experts that work in an underwriting capacity where they fully understand everything to do with that industry, all the risks associated with it. From a cyber perspective, it’s pretty hard to do that because, for one, the risks aren’t static. They’re always constantly evolving. And yeah, over the last few years, there’s been quite a rise in the number of attacks that are going on, and the types of attacks, and the threat actors that are doing those attacks as well.

Lucas Black: (04:11)
Absolutely. I mean, you know, if you compare the IT security industry against automotive insurance, like how long have we been driving with automotive insurance? We know basically what’s gonna happen. We know who the problems are. But like you said, yeah, cybersecurity is, it’s new. There’s new attacks coming out every day, and how do you fight them? Like, where do you even start?

Daemon Behr: (04:37)
I liked the similarity to the auto industry in the way that you approach your insurance. Like, you think, what are some of the ways that people can reduce their insurance premiums from an auto perspective? You know, they can get winter tires, they can have a good driving record, they can have been driving for a long period of time. You know, all these things.

Lucas Black: (04:59)
Yeah, yeah. Not young, not be male. Yeah. Absolutely.

Daemon Behr: (05:02)
Exactly. Yeah. So yeah, all these things are like the controls that they have in place in order to make sure that they’re a good value for the insurers. Yeah. So when it comes to cyber, it’s the same sort of thing. But the problem that I think a lot of organizations have when they’re trying to get cyber insurance these days is that they don’t really have the basics when it comes to security. It’s usually an afterthought. The controls that need to be put in place are quite a daunting task when you go from zero to a hundred, not having that background.

Lucas Black: (05:42)
Yeah, absolutely. And I mean, it has always been seen as a budget sinkhole for a company, right. You know, name a job that you don’t require a computer for nowadays. Like, even to troubleshoot a car or a piece of equipment, you’re not thumbing through with wrenches. You’re not taking stuff apart. Plug a computer in and, you know, look at the diagnostics of what’s going on, and it’ll tell you what the problem is. Those are the new world issues that we’ve got to face. Right. So it has always been trying to play catch up. I think, they want the new computer, but really, does that bring any value? And security for a long time has been the whole, it’s not been the focus of the company. And yeah, there’s a lot of catch up to be played. And it’s not just been small businesses, it’s in every size. I deal with companies from one or two people all the way up to hundreds to thousands of people, right? So, you know, a lot of the small companies think, oh, the big enterprises, they’ve got it all figured out. And I can tell you for sure they don’t. They’ve got just as many holes or more holes than a lot of the smaller guys.

Daemon Behr: (06:58)
I think part of that, it comes down to what the attack surface looks like. The large organizations, they have more places that they can be hit, so they have more things that they need to protect. Whereas the small organizations, they may have no security whatsoever, but they only have a few places that can actually be hit.

Lucas Black: (07:18)
Yeah. Yeah, absolutely.

Daemon Behr: (07:21)
It comes to what place an insurance company plays in the IT industry. The way that I kind of see it is, when we’re talking about what risk is, it is associated with the organization. An organization first needs to understand where they are at risk. Like, where are their attack surfaces, like we were saying with the large organizations, but also for small organizations. And once they’re able to determine what their attack surfaces are, and where are they actually vulnerable in these attack surfaces? And then again, once they figure that out, okay, what mitigations are they gonna put in place? Or are they gonna be able to remove that risk? Can they reduce the exposure? Can they patch their systems? All these sorts of things. Yeah. The problem that a hundred percent of organizations really have is that there’s always a budget associated with it, and with security specifically. And in order to patch everything, to have everything at the top level, that doesn’t fit anybody’s budget. So you have to prioritize what you focus on. The roadmap is always gonna be longer if you haven’t started anything at that point.

Lucas Black: (08:37)
Yeah, absolutely. And in doing that kind of architecture piece for the last 10 or 12 years, one of my first questions is (especially with a new customer), tell me about your environment. What does it look like? And the number of times that nobody, like, I’ve never had anybody give me, oh, this is how many desktops we have, and this is how many servers we have. It’s always a ballpark figure, which is terrifying. Like, how can you protect something that you don’t even know is plugged in? Like, yeah, that computer might have been slated for lifecycle, you know, a year ago or two years ago, but maybe it’s still sitting in accounting or in marketing, just plugged in, like not doing anything. Well, that’s something that’s attackable, right? Yeah. So, I think asset management, vulnerability management, those are two huge, huge things that, in any organization I’ve come across, I would say maybe 1% have a grasp on.

Daemon Behr: (09:39)
Yeah, yeah. Exactly. I’ve seen organizations that have kind of a recycling process when it comes to computers, where they have the computers that are currently out in the field. And then after that, they get new hires, and then the new hires say, well, we want new computers. We don’t want these old computers. So then those old computers go into a storeroom for a period of time, or they may go down to some other lower-tier staff or interns or so on. And then when they’re not using them, they go back in the storeroom, maybe to a deeper box. And then, when somebody comes in and they need to use a computer and it hasn’t come in yet, then perhaps, you know, an IT admin will go into the back office and say, well, we’ve got all these computers, why don’t we use one of those? So they pull one up completely unpatched. It hasn’t been patched in three years, they put it on the network, and then boom, they get infected.

Lucas Black: (10:36)
Yeah, yeah. And it’ll be infected before you know it, right? Yeah. So, and I mean, not just desktops. Like, I’ve seen servers rotated in like that. Oh, we just need to stand something up for a month. Okay, well, we’re not gonna buy anything. Let’s just plug our old domain controller in. Well, it’s still got all the domain controller functionality to it. Maybe you shouldn’t do that. So, especially nowadays with supply chain issues, like it takes a long time to get hardware, and if you need hardware today, you’re going to use what hardware you’ve got.

Daemon Behr: (11:06)
I know. Yeah. I’ve actually seen some instances where an organization has some machines that are infected, and they decided that the best way to deal with that is to just put them in the storeroom.

Lucas Black: (11:16)
Oh, absolutely. Take ’em offline. Yeah. I have in mind. Right? Yeah. I’m a firm believer in taking an infected computer off the network, but the next thing I do is either replace the hard drive or completely wipe it. Even after I wipe it, it’s probably not going back onto the main network right away. Yeah. I’ll see if there’s something hidden in it that maybe I missed. Right. I’ve definitely seen that, and I’ve definitely seen, especially with IT turnover, the help desk person or assistant put it in the closet and, all of a sudden, an IT manager, somebody’s like, well, why do we have this brand new asset sitting in the closet? And that’s it, then it’s back online, and then everything’s infected.

Daemon Behr: (12:03)
So yeah. And I think a lot of times it’s with best intentions in mind. Like, perhaps they have some data on there that isn’t anywhere else on the network. So they say, okay, well, we’ll take it offline for now, but I really need to get that data off there at some point.

Lucas Black: (12:16)

Daemon Behr: (12:17)
And then that’s in the get-around-to-it pile, and, yeah, IT staff or ops may be dealing with the rest of the infected network and never get back over to that one infected machine.

Lucas Black: (12:29)
Yeah, absolutely.

Daemon Behr: (12:30)
Yeah. So getting back over to where the insurance companies fit into the whole space. So I think that it’s important to understand the attack surface, have risk avoidance in place, remove as much as you can, do the mitigation that you can, have a roadmap, but it gets to a certain point where they have to say, okay, we’ve done everything we can. This is the residual risk that remains after mitigations are in place. Therefore we need to do a risk transfer. And then that’s where the insurance companies really come in.

Lucas Black: (13:05)
That’s obviously the reason why you get insurance in the first place, right? One, what the insurance companies are now asking for seems, I mean, on paper it looks good, but for a lot of them there’s a lot of variability. Like, there’s not a Canadian cyber insurance checklist. Like, there’s not a definitive list. When I was doing some research for this discussion, if you go to Google and type in “Canadian cyber insurance checklist”, you’re gonna get pages, and there’s gonna be some common themes, the standard: have backups, train your users, multi-factor authentication. All that stuff’s great, but everybody wants it at a different level, right? Everybody wants it to be train your users this often, or every week, or every month, or every quarter. Like, there’s no definitive guideline at this point in time. Yeah. And again, I think it comes down to that it’s still too new. The insurance is too new to know what’s going on. But what do you see, like when you’re out talking to customers, like where do you see the big holes that they’re struggling with?

Daemon Behr: (14:15)
It’s kind of interesting because I talk to customers and I also talk to insurance brokers, and the insurance companies as well. So I can see things from both sides or both perspectives. From the client side, what they’re seeing is they may have gotten into cyber insurance early and they had a one-page thing that their CFO could basically just go check, check, check. Yeah. And then when they go up for renewals, especially now, it takes a dedicated team upwards of a year to really go through all the mandatory controls before the brokers will even talk to them. Right. So the brokers will not go over to the greater insurance market and say, this is what I’d like to get a policy on, because the customers haven’t gotten to the point where they have the minimum controls in place. So what I’ve seen from the broker side is... Have you ever heard of the stoplight methodology?

Lucas Black: (15:22)

Daemon Behr: (15:23)
Yeah. So you have like a red, amber, green. Red would be like the top things that are most important for the brokers. That would be things like MFA, you know, across the environment, offsite backups of critical data, endpoint protection, and a written plan for vulnerability scanning and patching. So that would be like the red. And then, for amber, you’d have cybersecurity training, email filtering, removing all end-of-life assets from the environment, and then having an IR plan. So if you get breached, that’s what you have. And then, from the green standpoint, that would be things such as having a SIEM in place, having data loss prevention in place, and then following a security framework, whether it’s CIS or NIST or something else. Having an actual plan, a strategy. And then once the clients meet all of those different levels of controls, the red and amber and the green, then the broker will say, well, this is an optimal candidate to bring over to the market. And then they’re going to get the best policy that they can.

Lucas Black: (16:39)

Daemon Behr: (16:40)
Not including other factors…

Lucas Black: (16:42)
Yeah, absolutely. Not including, you know, industry and that type of thing. Yeah. And all those things are absolutely necessary. But, like what you said, it comes back to, like, how many of your customers are small IT shops that, you know, are one, maybe two to five resources. That’s not a lot of people, because you’re gonna be doing all these checklists for your insurance company to try and get a policy, but you still have to do your everyday job. Yep. Right. So where do you factor that time in? Is the organization prioritizing that? They seem like very simple things to do, right? Like, oh, is MFA installed, you know, across the board? Do we have MDR? Do we have an EDR across the board?

Lucas Black: (17:39)
Do our backups go offsite? Do they work? Like, all of these things take time, and most IT people don’t have time. Yeah. Like, at the end of the day, there’s just not enough time in the day for an IT person to get all their tasks done. And to have this added on top of it, especially when it’s kind of just passed on to IT. The only time I’ve seen security work is when it comes from the board, right? Like the CFO, CTO, whoever says, we have to make this a priority because we don’t want our name in the papers or on TV or anything like that. So it all comes down to time and money, unfortunately, I think.

Daemon Behr: (18:30)
And I think that, at least in Canada, there’s a lot of organizations that are not large enough to actually have a CTO. They may just have one or two people on the small side, or perhaps there’s an IT ops manager that has every hat under the sun, and then they have a few people over there that do some of the day-to-day admin ops, onboarding, all that kind of stuff for those companies. And there’s a lot of them in Canada that fit that profile. They kind of have to look outside the company in order to get the minimum things that they need to do from an IT ops standpoint.

Lucas Black: (19:09)
Absolutely. Yep.

Daemon Behr: (19:11)
Companies that are able to provide that, vCISO services, you know, from a security perspective, are able to help offset some of those lacking capabilities or deficiencies.

Lucas Black: (19:21)
Yeah, absolutely. No, I agree. I’ve seen it over the last three years. Every IT company is looking to get some sort of managed security services in place, right? And it comes down to resources. I don’t know if you’ve looked at an entry-level cybersecurity position, but it’s not like you can just hire somebody out of school. You know, they’re looking for three to five years of IT experience. Well, you know, maybe after three to five years you’re still not ready for security, or maybe you’re more interested in cloud or automation, or maybe you see people, you know, pulling their hair out in cybersecurity and you don’t want anything to do with that. You know, I have, I lost sleep at night because of an issue in my environment. Yeah, absolutely.

Lucas Black: (20:11)
When I was at the university, I didn’t sleep well a lot of the time, because, until I had fixed the holes that I could find, right, if I can find the hole, somebody else can. It’s not a great feeling. So you want to get insurance to transfer that risk, but what does that cover nowadays? Like, it used to be: “Yeah, we would pay your ransom.” Yep. And now there’s not a lot of things that they actually will cover. And really, with cyber insurance, are you better off spending that money with an insurance company or getting an IR retainer from, you know, one of the big security providers?

Daemon Behr: (20:50)
Organizations are asking that question. Is cyber insurance really worth it at this point? Maybe it was in the past. Maybe instead of investing that money into insurance and having it go away, let’s invest that money into the actual security posture.

Lucas Black: (21:10)

Daemon Behr: (21:10)
Yeah. So that kind of goes back over to what I was originally saying about understanding where you’re exposed, doing the mitigations, having a plan, getting an MSP or an external third party to come in and help develop that plan.

Lucas Black: (21:28)
Yeah, absolutely. Yeah. So if you had to do three things right now, say you’ve got a hundred endpoints, a hundred users, what are the big three for you, the absolute must-haves before you even think about insurance? What is necessary?

Daemon Behr: (21:50)
Patching. Endpoint protection, and MFA. You know, those would probably be the big three as table stakes.

Lucas Black: (21:56)
Yeah, absolutely. Yeah. I agree with those. MFA has definitely shot up the list of things. You know, it’s beatable, but it’s definitely adding another layer to the onion, right? So it’s all we can do as security professionals sometimes.

Daemon Behr: (22:15)
Well, yeah. I think it’s also really important to have a plan, you know? Yeah. Because if those same questions were asked to a lot of organizations, they wouldn’t necessarily have any idea of where to start. So absolutely, sure, we say MFA. What does that mean? You know, the number of vendors that are out there is huge. Same with endpoint protection. You know, same with everything else. The sheer volume of companies that are out there providing a solution for security is just mind-boggling. There is a chart that shows all the different vendors in the security space, and I think that there were hundreds, and they all have different approaches. So if a company wants to make themselves like the “Bulletproof Company”, they can pick and choose best-of-breed tools and put them in there and then try to make them all work together. Get an ops team that they can train into SecOps, get a SOC, get a SIEM in place, have a CISO, build that practice up, build in automation. It’s millions of dollars to get that going.

Lucas Black: (23:20)
Millions. Absolutely. Millions. Yeah. The number of times, you know, I get brought into a conversation with: “I wanna stand up my own SOC”. Okay. Do you have seven, eight figures to start? Yeah. To start the conversation, not to do the project, just to start the conversation. Because you’re gonna need a team of users, a team of security professionals, you’re gonna need all the tools, you’re gonna need all the monitoring, you’re gonna need threat feeds, everything. Yeah. That’s generally a non-starter for a lot of companies. And then going back to your top three, they may not have MFA in place. A lot of them don’t. Almost nobody has a patching strategy, especially a confirmed and written-down one. Right? Yeah. So, especially when they get these checklists of what their insurance company’s looking for, they are better off spending the money to lay the groundwork, get the proper foundation first, before trying to instigate your own SOC. Even having SOC-as-a-Service, if you don’t have a solid MDR, if you don’t have MFA, if you don’t have patching, you’re probably not gonna get any value out of a SOC service. You’re just gonna have a SOC service basically saying you need to fix all this.

Daemon Behr: (24:36)
Yeah. Yeah. That’s why it makes me laugh when I hear about organizations that don’t have any security posture, you know, no plan or anything like that, and then they hire a company to come in and do a pen test.

Lucas Black: (24:49)

Daemon Behr: (24:50)
Biggest waste of money in the world.

Lucas Black: (24:52)
Absolutely. And I mean, you know, I work for an organization that offers pen tests, and, yeah, I mean, am I gonna take your money to do a pen test? Sure, I’ll take your money. Is that money well spent? Probably not. Especially when they say, oh, we need a full pen test of our environment. And when I start asking and probing, what they really are after is like a vulnerability assessment. Right? Like, what is wrong in my environment? Because, I mean, you can pen test an application or an entire organization, but where are you getting in? Yeah. Either a user or a vulnerability. So if you take care of MFA and patch management, you’ve just reduced most pen testers’ ability, right? So I think a lot of these checklists have to be more granular.

Lucas Black: (25:50)
You have to get down to, “do you have patch management?” It doesn’t matter what it is, but do you have it, and not just for Windows, but for all your third-party apps as well? You know, do you have MFA on anything outside of the organization, any cloud asset, or even just to log into your computer? All these tools are out there, it’s just time and money to get them installed. There is no one solution, right? Like, yeah, there’s, like you said, hundreds of IT security vendors out there. Well, most of them are existing as a company for a reason. You know, they’ve got a product that works. Does it fit for you? Well, you can make anything work. Like, most IT people are MacGyvers, right? Like, they can make anything work. So is it the best thing for the organization? Does it work? Does tool A work with tool B? Can they share information? And I think that’s really where the IT security industry is headed: which tools can share data amongst each other. Yeah. Right. If laptop A is a problem, can a network device kick it off? Or can the endpoint kick it off? And doing that with as little human interaction as possible.

Daemon Behr: (27:09)
Yeah. I definitely agree.

Lucas Black: (27:11)

Daemon Behr: (27:12)
Well, this has been a great discussion. All kinds of interesting avenues we went down, and I definitely appreciate the time, spending it with me discussing this. So before we go, is there any last thing that you’d want to say to our listeners?

Lucas Black: (27:28)
Whew. Create a plan. You know, get something, and not just in the IT department. It really is something that has to come from the business, and top down, because otherwise it won’t work. It needs to be dictated from the boardroom and say, we need something. And you can use IT to give you the information of what’s possible. But it needs to be kind of regulated from the top down.

Daemon Behr: (28:00)
Well thank you very much.

Lucas Black: (28:02)
Thank you. Yeah.