Catastrophic Loss: The State of the Cyberinsurance Market, with Josephine Wolff

Guest: Josephine Wolff, The Fletcher School of Law and Diplomacy

Think Bad, Do Good: Episode 17

Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

For anyone interested in understanding cybersecurity insurance, Josephine Wolff is the premier global expert on the issue. And cyberinsurance is a tricky market. “We’re all relying on the same infrastructure or the same fairly small set of infrastructure for our computer systems,” Josephine says in this episode of Think Bad, Do Good. Other types of insurers can diversify their risk portfolio and assume that all policy holders are not going to be hit by the same fire, the same flood, or the same car accident all at once. But due to the scope of cybersecurity risk, cyberinsurers lack that luxury.

How does it play out? “The ideal would be your insurer comes in, they assess your security posture, and then they price your premium based on how good your security is. And I think what a lot of companies feel now is like, they come in, they do this endless questionnaire, and then they’re just going to price your premium based on how big your company is anyway.” The impact is significant. “It plays into this larger dynamic of sort of caution on the part of the insurers, saying, ‘We don’t really feel we know how to defend against these types of incidents, so we would rather not be on the hook to be covering more and more and larger and larger of them.’” That issue rests at the core of the current public debate.

Author of Cyberinsurance Policy and professor at The Fletcher School, Josephine Wolff examines the development of cyberinsurance, compares it to other sectors, and details how the complexity of cybersecurity insurance can lead to legal disputes between insurers and policyholders. “Who ends up paying? What are all the various complicated legal and liability issues here? And what can we say about who gets held responsible and who doesn’t?” Tune in to learn more about the path ahead.

Key links to Josephine’s work:


JONATHAN REIBER:
Welcome everyone. Thank you for tuning in. I’m extremely pleased to have Josephine Wolff here today. She’s a professor of cybersecurity at the Fletcher School, which is my alma mater, so I’m like really proud about that. Hey Josephine, thanks for coming on board.

JOSEPHINE WOLFF:
Thank you so much for having me.

JONATHAN REIBER:
So, Josephine is not only a cybersecurity professor; she’s recently authored this great book Cyberinsurance Policy, Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches and Cyber Attacks. And we’ve got some links in the podcast to a couple of articles that Josephine’s recently published in the Wall Street Journal and the Financial Times as well as Slate. I’d say I just recently learned that Josephine was actually a math major, right? Where did you study math?

JOSEPHINE WOLFF:
I did my math degree at Princeton and studied a lot of cryptography and then sort of realized towards the end of undergrad that I was not going to be a great theoretical mathematician and pivoted a little bit towards computer science and then cybersecurity policy.

JONATHAN REIBER:
That’s cool, and I’ll say you’re also a hell of a writer. Like this is really, really good writing.

JOSEPHINE WOLFF:
Thank you so much.

JONATHAN REIBER:
Yeah, I mean you clearly have both your left and right brain developed, because there’s a ton of cybersecurity people whose writing I just don’t ever want to read, and this is the opposite. So for all listeners, I would say check out these articles. You’ll enjoy the romp through history. I mean, you must have studied history at Princeton as well.

JOSEPHINE WOLFF:
I did take some history classes. I remember in particular a seminar on Soviet science history that I enjoyed a lot. And I think it’s useful when you’re studying a relatively new industry, which of course cyberinsurance is, to look for some of the analogies and some of the important precedents from before the internet, from before cyberinsurance.

JONATHAN REIBER:
Yeah, I mean it’s really striking how deeply informed it is. And I think for policy makers and readers of the FT and the Wall Street Journal, they’re going to touch into that and feel very seen because a lot of them aren’t computer nerds right off the bat. So, congratulations. Can you tell us, why did you decide to write a book about cybersecurity insurance?

JOSEPHINE WOLFF:
It’s a great question. Because it’s a fairly small, niche market and it came out of really my earlier interests, which are largely around who pays for cyber-attacks and cybersecurity breaches. What happens kind of after the dust settles when everybody is recovering and picking up the pieces, who ends up suing whom and who actually has to lay out money to cover the costs of these incidents? And I’m interested in that because I think that really dictates who is going to be willing to invest in security, right? If you don’t have any money on the line when something goes wrong, why would you want to spend a lot of money shoring up security for computers and networks? And so, my previous project was looking at the aftermath of a series of cyber-attacks and trying to understand, okay, who ends up paying, what are all of the various kind of complicated legal and liability issues here?

And what can we say about who gets held responsible and who doesn’t? And one of the things that people said to me when I was studying that project was, you know, this is very messy and there’s not a lot of clarity of who’s responsible for what in cybersecurity, but the insurers are going to come in the next five, ten, however many years and they’re going to really sort this out, right? They’re going to, you know, use their fancy risk modeling techniques, and collect a lot of great data and have the ability to say to companies, okay, here’s what you need to do in order to be covered’ and that is really going to kind of sort out the private sector cyber risk landscape. And so, because of that, I was sort of interested after finishing that project and trying to get a better handle on what was going on in cyberinsurance and I started talking to some of the insurers who were selling it, started trying to talk to some of the companies that were buying it, the brokers who were negotiating those sales.

And I think one of my big takeaways, and the reason I wanted to write this book is that it really wasn’t as straightforward as the insurers are going to come in and fix everything. It was in fact a really complicated set of risks for insurers to tackle. And a lot of the tools and techniques that they had used so effectively on other kinds of risk on fires, on floods, on car accidents, all the things that we know are covered by these fairly robust insurance industries, were not really working entirely right or entirely well when we tried to apply them to cyber risk. And that’s a large part of what the book is about. It is sort of how and why is cyber risk different and what do we do about it?

JONATHAN REIBER:
Yeah. What are some of the forces driving the cyberinsurance market for folks that don’t know much about it?

JOSEPHINE WOLFF:
So, I think the big force driving the cyberinsurance market is this is an expensive kind of risk or a potentially expensive kind of risk. You can lose a lot of money, you can lose a lot of business because of various kinds of cyber security incidents. And the way that we generally deal with expensive risks is we buy insurance for them. We say, Okay, you know, I know this ransomware is a big thing. I don’t know exactly how to protect myself against it. Everything I see online says there’s no perfect security. And there are other things companies do as well, right? There’s multifactor authentication and there are intrusion detection systems, but everybody who sells you those or study security will say, well, none of those are going to be perfect. None of that is a guarantee you’re not going to get hit by ransomware or data breach or denial of service attack or whatever else.

And so, then you get to the point where companies start thinking, and this goes back more than two decades now. Gosh, it sure would be great if I could have some insurance so that if something does go wrong in this space, I am not on the hook by myself to cover all of the costs. And that’s how you start sort of seeing companies get interested in this and thinking about what if something goes wrong and I have to shell out millions or in some cases billions of dollars to cover it. And I’d say really sort of going back to the late nineties, there’s some interest in this from, from the private sector. And so insurers start coming up with policies to meet that demand.

JONATHAN REIBER:
So, your book and your writing has obviously come out at an important time because insurers are saying they’re not going to insure. Well, I want to hear your thoughts on it, but they’ve come out with a statement saying that they’re not going to pay out for what would previously sort of be called acts of war, acts of God because it’s a nation state involved. Can you talk a little bit about what’s going on and what the challenges are that are leading insurance companies to make this determination?

JOSEPHINE WOLFF:
Yeah, so I think the real fundamental challenge with cyber risk for insurers is the sense that all of their policyholders have interconnected risks in this domain, right? And if you think about other types of risks that insurers cover, if you think about fires or floods or car accidents and if you insure a bunch of people in Massachusetts and you insure a bunch of people in California, pretty good odds that all of those policy holders are not going to be hit simultaneously by the same fire, by the same flood, by the same, you know, car accident. And so you have these ways of diversifying your risk portfolio and saying, okay, pretty much no matter what happens, I’ve got a diverse enough set of policy holders that even if there’s a terrible natural disaster in one place for one set of policy holders, I’m still going to have a whole bunch of policy holders who weren’t affected and I’m going to use their premium payments to cover the claims from the group of affected policy holders.

And that’s the whole idea of insurance, right? You collect premiums from a bunch of different policy holders and not everybody files claims because if everybody filed claims, then you would be able to cover all of those claims with the premiums that they were paying in. With cyberinsurance, you have this very tricky thing where there is no equivalent to saying, okay, I’ve covered you and there’s no chance that a cyber-attack that hits you won’t also affect another customer in a different sector or a different state or different country even. And so diversifying that risk portfolio becomes much more difficult, right? It’s made more difficult by the fact that there are really only a couple operating systems, a couple big cloud providers. So we’re all relying on the same infrastructure or the same fairly small set of infrastructure for our computer systems. And so you get an attack like NotPetya in 2017, which targets Microsoft Windows and you have companies across every sector across the whole world that are suffering huge losses because there’s no way for the insurers to have been able to say, okay, I’m only going to cover a portion of my portfolio that’s using the Windows operating system because there simply aren’t enough different operating systems to make that a small piece of your policyholders. And so, because of that, you get sort of this concern about these really big cyber-attacks that can hit everybody all at once and the insurers are going to be on the hook for all of those claims. And that’s how you get to these exclusions around state sponsored cyber-attacks.

JONATHAN REIBER:
One of the points you made in your piece, perhaps, I thought that was really brilliant was during war, if insurers were to insure an entire city, for example, and there was something catastrophic that happened, they would be out of business. And I’m sure there are examples you could use in history where accidents have occurred, probably hurricanes I would imagine, that have almost bankrupted an insurance company. But are they saying we’re not going to cover acts of war because they’re afraid of being bankrupted by too many similar incidents at the same time?

JOSEPHINE WOLFF:
So that’s definitely a big part of it, right? Insurers are understandably always nervous about what if something really massive and unpredictable happens. Another example was September 11th. After the September 11th attacks, the insurers were really concerned about “how are we going to pay for all of this property destruction?” And you get the Terrorism Risk Insurance Act, which is the US government’s attempt to sort of say we’re going to help out with that. I think what you’re seeing in cyber-attacks is this fear on the part of the insurers that unlike war, unlike a terrorist attack like September 11th, which really is a fairly rare occurrence, where you could probably at least to some extent rely on the government to step in and help you out after the fact. I think what they’re worried about with cyber risk is these state sponsored cyber-attacks are happening all the time, right? It’s not like once every 10 years there’s a big cyber-attack and the insurers might have to go to policy makers and ask for help. This is something we see multiple times a year that are large scale destructive or at least very disruptive cyber-attacks.

And so I think the insurers are trying to sort of get out ahead of that and say, okay, if we can’t call these acts of war because the courts have been a little reluctant to accept that as a designation for a kind of nonviolent cyber-attack situation, then maybe instead we just say we’re not going to cover certain types of cyber-attacks that were backed by nation states or we’re not going to cover certain kinds of really large cyber-attacks. And I think that part of that is actually about the frequency with which cyber-attacks happen, which is definitely, you know, much more often than large scale terrorist or war operations.

JONATHAN REIBER:
Yeah, I wonder if you could walk through some of the variables that insurance companies keep in mind when you were talking about NotPetya and you talked about some of the risks in Microsoft for example. The way that I perceive this is like a cybersecurity suite, a defensive suite, if you’re an organization trying to protect yourself. You have your people and your processes, and your technologies and you make investments in defensive capabilities to prevent the attacker from achieving certain kinds of effects. And our purpose at AttackIQ is we test those defensive capabilities. That’s what we do. We do automated security control validation. The market has grown from a defensive side so much in the last decade. You know, everything from endpoint detection and response to next generation firewalls, to zero trust security segmentation. There’s a litany of capabilities available on the market that can stop intruders in their tracks. And one of the things that has frustrated me is I’ve watched events like Colonial Pipeline or SolarWinds unfold, and you know, I’m a little bit of like, if only they’d done X and Y then they wouldn’t be in this position. And it was clear after SolarWinds, that they did not have zero trust capabilities within the federal government, right?

So, if I think about it from an insurance standpoint, I want to know that the person I’m insuring is prepared. Do you, in your research, see them saying, we’re not going to insure because we don’t know the nature of the defenses that are in these companies? Or what’s the kind of information that they look for that leads them to want to say, okay, I’m going to give you a policy and I’m going to give you a decent rate and I’m going to insist on being able to insure you?

JOSEPHINE WOLFF:
That’s a great question because it was sort of one of the big promises of cyberinsurance a few years ago was this idea they were going to come in and do exactly that. They were going to assess everybody’s defenses and then they were not just going to assess them, but they were going to say, okay, if you want insurance, you have to do these five things, right? In the same way that your insurer comes in and says you need to have smoke detectors and sprinklers or, you know, whatever the sort of accepted known best controls for dealing with fire or dealing with auto safety, right? And there was this whole kind of idea that the insurers are going to collect all this great claims data, they’re going to figure out what’s the equivalent of seat belts for cybersecurity, and then they’re going to require it from everybody. And instead of having a really long unwieldy, difficult to update regulatory process for security standards, the insurers are going to figure this out from their great data analytics and all of that.

And I think you’re right to feel that is really not what has happened in this industry. And there are a lot of explanations for it. I think sort of the, the practical question is what are they looking for because they certainly do an assessment before they sell a policy. The assessment typically looks like they send a long questionnaire to the company that they’re considering covering, and the company has to sort of spend usually a good bit of time because these questionnaires have gotten longer over the past few years answering questions about do you have access control? Do you have an incident response plan? Do you have multifactor authentication? Right? All of these different things. I think there are a couple problems that we run into with that part of the process. One is that often those are questions with very nuanced answers, right?

So often the, the questionnaire is kind of framed in a yes or no way, but in fact if you are being asked about access control that may be different from your Mac devices to your Windows devices, the multifactor authentication may be in place for certain services, but not for others and stuff like that. And so the insurers are not always well equipped to kind of process the responses to those questionnaires if they involve a lot more nuance than “yes, we do this, Yes, we do this, yes, we do this.” Which I think is also kind of the default instinct of the companies responding is to say, we want this insurance, let’s tell them we do everything and, and then we’ll kind of figure it out afterwards if, if there’s something that we need to, to do a little better. I think the other piece is that those questions often leave a lot of room for variations on things like, do you have an incident response plan, right?

You can answer yes to that question and have a terrible incident response plan. You can answer yes to that question and have a great incident response plan and the only way to really know is if the insurer is willing to spend the time kind of going through the fairly time-consuming process of individually assessing each company’s security posture, which on the whole, they’re not willing or able to do. And so I think that’s where some of this frustration that you have comes from is this sense that sort of, there is a vetting process. They are asking questions about policyholders’ security practices, but it’s not a very technical process. It’s not a very individualized process to sort of, what is your company, what are the resources you might want to try to protect? And there’s still, I think, a huge disconnect between that process and the actual pricing of these policies, right? So the ideal would be your insurer comes in, they assess your security posture, and then they price your premium based on how good your security is. And I think what a lot of companies feel now is like, they come in, they do this endless questionnaire, and then they’re just going to price your premium based on how big your company is anyway.

JONATHAN REIBER:
Yeah. Well obviously, we see a lot of room for innovation in that space, and that is really interesting to hear about. Do you think that the questionnaire that they’re putting forward, the questions that they’re asking and the relative degree of uncertainty from the data that they get back would be from who, I forget the word, how you say it, the insurer, or the person that the company says that they’re insuring, the relativity of verifiable data that they get back is part of the reason that they’re saying, we’re not going to insure nation state attacks anymore? Or are these two things not related?

JOSEPHINE WOLFF:
I think that they’re related in the sense that one of the reasons insurers are reluctant to sort of cover any of these larger incidents is that when they look at their claims data, for the most part, they do not see, oh, if we just make everybody do X, Y, and Z, then we can protect our policyholders from attacks, right? I think if they were really confident that they had empirical evidence, if we just tell everybody you need multifactor authentication, then we’ve solved it and there are no more risks, they’d be much more willing to sort of roll the dice on some of these bigger cyber-attacks. And instead, I think what they see is everybody tells us they’re using multifactor authentication and then Colonial Pipeline gets hit by ransomware, and it turns out there are some legacy accounts that never had that multifactor enabled.

And it’s just really hard for the insurers to rely on these defenses when they look at their data, right? Because the data says all of your policy holders said they did these 20 things and there was no correlation between that and smaller losses or not getting hit. So, I do think it plays into this larger dynamic of sort of caution on the part of the insurers and saying, we don’t really feel we know how to defend against these types of incidents, so we would rather not be on the hook to be covering more and more and larger and larger of them.

JONATHAN REIBER:
That’s fascinating, that’s really great. Okay so I have tons of questions for you, but in the interest of making sure listeners listen to all of this podcast, I don’t want to go too much longer. So you’ve made a very strong argument I think, and I may or may not have it right, so correct me on what I have wrong. So, in the Financial Times piece you said that they’ve said that they won’t insure against nation states operating, and I’m paraphrasing, in the kind of gray space below the level of declared hostilities. What if instead they modified that position to say we’re not going to insure for cyber-attacks that occur in concert with conflicts in the physical domain as well. Do I have that right?

JOSEPHINE WOLFF:
So, that I think is arguably what they already exclude and just using the sort of standing exclusions for war and war like actions. I think that if you look at the NotPetya attacks in 2017, which were also a cyber-attack by Russia directed at Ukraine, though it spread throughout the rest of the world, you could make the case right now that when there was sort of much more explicit and violent war between Russia and Ukraine, that a cyber-attack in that vein at this moment might have a better shot at being treated as war and therefore being excluded from certain insurance policies. But yes, I think that that would be a sort of clearer delineation of what do we consider to be cyber-attacks that are so rare or so extreme or so difficult to model that we need to exclude them from our kind of standard baseline insurance coverage.

JONATHAN REIBER:
So, in other words, we’re going to exclude cyber-attacks that occur within declared hostilities, but we won’t exclude cyber-attacks that occur in the gray space below the level of declared hostilities. Do I have that right?

JOSEPHINE WOLFF:
Yeah, I think that’s sort of what the courts have interpreted the existing exclusions to mean and that what we’re now seeing are the insurers trying to push for exclusions that cover that gray space as well.

JONATHAN REIBER:
I see. But Mondelez is the one who won their case, is that right?

JOSEPHINE WOLFF:
So, no Mondelez is still pending, and Merck is still pending in the sense that insurers are appealing. But Merck did win an initial victory in December of last year in which the court said, look, this isn’t war, there was no use of armed force, there was no sort of traditional warfare. And I think you could argue that in the context of a different kind of conflict from the one that was going on between Russia and Ukraine in 2017, more like the one going on between Russia and Ukraine right now, it would be harder to say there was no use of force and there was no sort of traditional warfare if you had a large scale cyber-attack kind of embedded in that conflict with the use of force with traditional warfare tactics.

JONATHAN REIBER:
Yeah. Well, that’s very well said. Again, I commend you for this writing. Are there any further comments before we leave the listeners to go and buy your books?

JOSEPHINE WOLFF:
No, thank you so much for having me.

JONATHAN REIBER:
Yeah, well I for one am very pleased. When I was at Fletcher, I studied in the International Security Studies Department. I wouldn’t say that it was as if no one had discovered the internet, there was a lot of effort on communications. Carol Gideon at the time was, I think she’s still there. She did a great job, but there wasn’t a course on cybersecurity, so it makes me very happy that you’re up there doing this. And congratulations on this great writing. It’s a really, really, really compelling set of narratives you put forward and you’re doing a great job informing the world on this issue. So, and as I said earlier, it’s a great read, so congratulations.

JOSEPHINE WOLFF:
Thank you so much and thank you for having me.

JONATHAN REIBER:
Yeah. Okay folks, thanks again for tuning in and tune in next time. Take care.