This article was produced in partnership with CFC.
Mia Wallace of Insurance Business sat down with James Burns, head of cyber strategy at CFC for a deep-dive into the power of proactive cyber solutions.
Benjamin Franklin’s assertion that “an ounce of prevention is worth a pound of cure” may have echoed for hundreds of years now but for many in the insurance market, the concept and application of proactive cyber solutions – aimed at preventing rather than mitigating threats –appears a new phenomenon.
But that’s not to say that these solutions haven’t been around for some time, noted James Burns (pictured), head of cyber strategy at CFC which launched its first proactive cyber offering as far back as 2015.
“So, we’ve been doing this for a while,” he said, “and we’ve spent a lot of time, effort and resources on building a world-class solution and all the infrastructure that goes with that. Because we think proactive cyber makes everything easier. If insurance is a promise to pay, then proactive insurance is a promise to protect.”
The cyber insurance market has been on a distinctive journey and Burns identified the three key stages of evolution that have marked its progression.
The first was the insurance policy itself, he said, which was there solely to reimburse financial loss. Then came the provision of incident response services which gave impacted customers access to cyber emergency services. Stage three was the emergence of proactive cyber – which sees CFC not just financially indemnifying customers and providing response services but also working around the clock to remotely monitor and protect insureds.
“That feels like a logical progression and evolution,” he said. “Because insurance is a strange product in many ways. It’s a product people buy but never want to have to use because it means something has gone wrong. While insurance is there to make you whole again, you’d probably rather not have gone through the whole sorry experience in the first place.
“Proactive cyber is there to try and prevent that incident from happening. We can monitor our customers’ online presence and identify gaps in their security or areas where they’re vulnerable which makes them more secure than they would have been without the policy. We can also access intelligence feeds, which tell us when our customers might be on the target list of hackers and intervene to stop them from destroying critical software systems.”
The core value proposition of proactive cyber is that it helps prevent customers from suffering attacks and having to claim on their insurance policies. And Burns highlighted that CFC has made that possible by giving insureds access to a holistic slate of 24/7 cyber services which would otherwise be unaffordable for your average SME.
A CFC policy wastes no time in getting to work, Burns said, with some threat discovery happening before the policy is even bound. What’s interesting to note is how little information is required for this to take place – a web address alone holds a wealth of information, particularly when complemented with multiple other data sources which generates the most accurate possible picture of an insured’s risk profile.
“When a business connects to the internet, the computer systems and devices they use can be seen by others,” he said. “These assets are now there to be found. They’re there to be hacked. Once a client goes on risk we immediately start searching for those assets. We can work out how secure they are.
“Knowing about these weak points can stop you from getting hacked. It’s an education experience for brokers and customers because they often don’t realise how much of their network is accessible from the internet. And how easy it is to remotely access your wider computer systems through your internet-facing assets.”
Once CFC is confident it has mapped a client’s network as accurately as possible, it moves onto the scanning phase – which involves assessing all its customers’ internet-facing assets for a wider range of critical vulnerabilities including insecure ports and vulnerable assets. This is a 24/7 analysis piece, he said, because over the course of a policy period, the number of internet-facing assets of a customer will change as will the security of these assets in the event of a zero-day vulnerability.
“The other key area of proactive is threat intelligence,” Burns said. “So, while our scanning is constantly monitoring our policyholders, we’re also collating threat intelligence feeds. This consists of information pertaining to the activities of hackers and Dark Web actors which we get through a variety of sources including government, some private security sources and our own proprietary threat intelligence.”
CFC has an in-house security team of over 130 cyber security experts who are constantly monitoring the digital threat environment and cross-referencing information from the aforementioned sources with the firm’s policyholder database. When a policyholder is on the list of a known threat actor, he said, that means they’re almost certainly going to be – or have already been – compromised and that an attack is likely to occur.
At this point, CFC reaches out immediately to appraise the policyholder, in order to intervene and to mitigate the evolving cyber incident before an attack can happen. It’s a very involved process, he said, which requires a lot of infrastructure, personnel and expertise but it means that from the moment a CFC policyholder buys a policy, they’re instantly in a much stronger position than they were previously.
The real magic of an insurance policy is the impact it has on a policyholder in a worst-case scenario and the same is true for the proactive cyber offerings, with the added bonus that the loss – both financial and otherwise – and stress of a cyber attack has also been avoided. Citing an example, Burns noted that a children’s hospital insured by CFC was the victim of a recent trick bot infection.
Trick bot infections are a form of malware that infect devices and connect them to criminal networks over the internet, he said, and this visibility into an organisation’s assets makes for a high probability that a ransomware attack will occur at some stage. After becoming aware of the infection via CFC’s threat intelligence feeds, CFC’s security team was able to contact the IT department of the insured to appraise them of the situation and help remotely support them in removing the infection from their network and securing their wider network against subsequent attempted attacks.
“Based on our claims data, the average ransomware demand for that type of customer of that size could easily have been up to £1.3 million had the attack been successful,” he said. “That’s an absolute game changer for an entity like that, as the limit on their policy was £1 million. So, not only do you avert them from having to claim on their policy, but also you protect them against any uninsured losses they would have had as well.”
There’s no doubt that the narrative around proactive cyber has changed, Burns said, though it is really only in very recent years that it has started to be spoken about more widely. Brokers are now seeing proactive protection as a core component of any cyber insurance proposition, and it’s becoming a must-have for those brokers who know the market well and want to sell their clients the best possible product.
“On the other side,” he said, “reinsurers are also looking at the extent to which cedents have these services in place because it can help protect the bottom line, help control and mitigate losses, and help in the event of more widespread systemic events. So, it’s certainly become a much more popular talking point, both on the customer side and on the supply side.”
Despite the uptick in interest from brokers and reinsurers alike, however, Burns noted that while proactive protection in cyber is more widespread than it was, there’s still a dearth of cyber insurers which offer these services in-house. CFC has found that there’s an enormous benefit to being able to provide these solutions in-house, he said, and in actually owning the technology, the resources, the expertise and the security teams that enact proactive protection.
“It means that we have total transparency across all the proactive services that we offer, which means that we can respond quicker, and it also enhances the service for the client,” he said. “In terms of where it goes next, I can only see proactive protection having to become a mainstream service that cyber insurers offer.
“It is increasingly requested by brokers and I think that to succeed in this market, you’re going to have to show that you have robust loss prevention services. What's going to be interesting is when brokers start getting to know more about how this works because I think we’ll get more questions around how one insurer service might compare with the other.”