Bolstering Resilience to Avoid Disruption: The Evolving Role of Cyber Insurance
Sezaneh Seymour, VP and Head of Regulatory Risk and Policy at Coalition, recently made a guest appearance on The Cyber Insider podcast by Emsisoft.
During the interview, Seymour spoke to hosts Luke Connolly and Brett Callow about how the cyber threat landscape is evolving, how policymakers and businesses ought to respond, and where Coalition fits into the equation.
Below are some lightly edited highlights from the conversation:
What changes in the threat landscape have you seen in the last 12 months and what do you expect to see moving forward?
Cyber insurance providers have a unique perspective because we see how threat actor behaviors result in real harm. Overall, 2023 was worse than 2022 in terms of both frequency and severity of digital crime. At Coalition, we measure that harm in terms of insurance claims, and we saw year-over-year increases. We did observe a drop in the second half of the year, so it ended better than it began. Interestingly, claims severity dropped by more than half in the second half of 2023.
We also observed more than half of all claims originating in the inbox, either as business email compromise or funds transfer fraud. This highlights the importance of email security as a key element of any business’ risk management strategy, especially as artificial intelligence makes it harder and harder to detect phishing and other cyber attacks.
Businesses that used certain technologies and vendors, such as boundary devices with known vulnerabilities, were at greater risk of a cyber incident. Policyholders using internet-exposed Fortinet devices were twice as likely to experience a claim; those using internet-exposed remote desktop protocol (RDP) were 2.5 times more likely to see a claim; and Cisco Adaptive Security Appliance (ASA) devices were nearly 5x as likely.
We’re facing more cyber threats than ever before. Vulnerabilities are at an all-time high and growing at an alarming rate. How did we get here? Should we have done something differently in the past?
The best way to answer this is to start by acknowledging that we’re navigating three concurrent realities:
Widespread digital vulnerabilities in old and new infrastructure. Each of these is an unlocked digital window or door that criminals can breach. We have them installed across some of our most sensitive systems — they’re in our subway trains, pipelines, power plants, and bridges — and we’re installing even more in new infrastructure because we’re building more products.
The majority of our critical services infrastructure is owned and operated by private entities. Each of those entities makes individual cybersecurity investment and risk tolerance decisions. Those decisions are often opaque to policymakers and other folks on the outside, but the consequences of those private decisions are imposed on the public when critical services are disrupted. Sometimes, that means the government and others need to step in and mitigate the damage.
Threat actors leverage these digital intrusions to achieve their own goals. These vulnerabilities are accessible and profitable. Threat actors extract ransoms, steal trade secrets, and leverage digital intrusions to advance geopolitical objectives.
So what do we do differently? We have to accept that this is the complex reality in which we’re operating. To change the status quo, policy solutions really have to address all three of these realities.
Cyber threats are a complex societal problem. The government certainly has an important role, especially when addressing larger failures, but the rest of us have important roles to play, too. Arguably, the rest of us may be in a better place to move the needle because we don’t need to wait for government regulation to do it.
Tell me about Coalition. How does Coalition differ from other insurance providers?
Coalition is one of the largest cyber insurance providers. I can’t truly tell our story without also talking about the evolution of the cyber insurance market broadly because, in a lot of ways, we’re leading that shift.
Cyber insurance has had to evolve dramatically to keep up with the realities of cybercrime. Today, the most advanced insurers are combining security technology with traditional financial risk mitigation. At Coalition, we use technology to assess an organization’s risk profile both at the time they’re seeking coverage and throughout the life of the policy. We continue to monitor policyholder risk and even help them mitigate vulnerabilities.
Here’s how Coalition’s model works in practice: Most in the security community will be familiar with the Citrix Bleed vulnerability. On October 10, 2023, Citrix announced a vulnerability and issued a corresponding patch in its NetScaler application. That same day, we scanned our book of business and notified all of our impacted policyholders that they were at risk. In some cases, we actually helped policyholders patch their systems. About one week later, Citrix reported that vulnerability being exploited in the wild. Four weeks later, CISA released a security advisory.
What that means, in practice, is that there’s a subset of our policyholders that avoided business interruptions because we effectively supplemented their security and contacted them, so they patched a full five weeks before a CISA advisory went live. That’s how cyber insurance has evolved. Insurance is just as much about bolstering resilience to avoid disruption as it is about helping businesses recover technically and financially.
The entire interview is available on The Cyber Insider podcast; visit coalitioninc.com/security to learn more about Coalition Security Services.