Modern Insurance Magazine Issue 65
INSURTECH
Capgemini
AXA XL

Q: Caitlin, it was so great to catch up recently and hear your perspectives on the current state of cybersecurity. How have things changed in recent years from an underwriting perspective?

A: Hi Megan! Likewise, it was great speaking with you, and I’m excited to be here to chat with you today.

Things have changed dramatically in cyber insurance over the last few years. The hard cyber insurance marketplace started after an influx of ransomware attacks in 2019. This hard market lasted through 2022, driven by the frequency and severity of these claims. Significant losses forced cyber insurers to increase rates, as well as analyzing the cybersecurity posture of each insured under scrutiny.

Now we are back in a soft market, where there’s a lot of insurer competition driven by lofty new business goals. Rates have significantly dropped year after year; meanwhile, claims are trending upward. It will be interesting to see what happens over the next 12 months!

Q: What are some emerging cybersecurity trends that we should be aware of, and prepare for?

A: A trend seemed to take off at the beginning of 2023 around some of the state-level comprehensive privacy laws that are being passed. At the start of 2024, 15 US states enacted stricter privacy laws - Connecticut (where I live) being one of them. It is a significant legal undertaking for companies to ensure that they are staying ahead and remaining compliant. On the underwriting side, we like to understand the different committees and the extent of legal involvement that companies utilize in order to remain in compliance. We also saw the SEC cyber disclosure rules passed last year, which require public companies to disclose incidents within 4 business days. There is a lot going on in the privacy space!

Another trend we have seen is SIM swapping, where threat actors trick a cellular device company or telecom carrier into switching the SIM card of an executive (or an employee with elevated privileges and access, like an administrator) onto the threat actor’s device. The attacker collects info on the victim, whether it’s through social media or phishing, then calls up the cell phone provider and pretends to be the said individual. The provider is then duped into switching the victim’s mobile number to the threat actor’s phone, which means that the attacker can receive incoming calls and texts - including authentication codes for multi-factor authentication (MFA) - in order to gain access to the network. In general, MFA bypass schemes are on the rise, particularly given the world of remote working that we are now living in post-pandemic.

Lastly, I would say Artificial Intelligence (AI) is a very hot topic. Every company is looking at how they can incorporate AI into their business, and there are a lot of unknowns to the potential threats in doing so. We are seeing threat actors create sophisticated and believable phishing schemes within large language models, and copyright can be a very complicated element of AI. Ultimately, we look for companies to be approaching AI cautiously, closely tracking any employee usage.

Q: What challenges are companies facing when it comes to cybersecurity issues?

A: Vendor management comes to mind immediately as a continuous challenge within cybersecurity and cyber underwriting. We ask questions around how an insured is vetting third parties prior to working with them, if questionnaires are completed, how often vendors are reassessed, and what contract provisions they might have in place to protect themselves. The supply chain issue is not something that is going away, and the risk is still there even when companies have best practices and procedures in place.

Vulnerabilities with VPN products are also an issue. In a world where many companies now have a hybrid workforce, we saw a real increase in VPN vulnerabilities and related exploitations in 2023. In a similar vein, we’re seeing an uptick in Cloud-based attacks, with Cloud environments not being properly configured and secured. I think there is a misconception that the Cloud is safer or more secure, but it’s important for companies to have Cloud security experts on staff, or at least a third-party Cloud expert to assist in ensuring a safe and proper management of that environment. While major Cloud providers do offer many enhanced security features, these are not enabled by default. Therefore, it’s important for companies to check that they have a proper handle on how their Cloud environment is configured, ensuring that the proper features are turned on.

The cyber workforce shortage is the final issue to mention here. Companies are struggling in their search for qualified cybersecurity IT professionals. There’s so much demand for expertise and experience in this area, and yet there is a huge talent gap and shortage of trained cybersecurity professionals. The war on talent can also result in significant turnover.