Cyber Insurance , Governance & Risk Management , Training & Security Leadership
David Derigiotis on the Complex World of Cyber InsuranceEmbroker Officer on Crypto, Breaches, and Insurance as an Investment in Security
The world of cyber liability insurance has become more and more complex with the rise of cryptocurrency. The collapse of the FTX crypto exchange has made "an already difficult area of insurance that much more complicated," says David Derigiotis, chief insurance officer at insurtech Embroker.
"It's going to take a little bit of time to dig out of this," Derigiotis says. Still, he thinks crypto can be a viable investment after the market can "earn back that trust." Although "we've seen constant hacks in the crypto space," he says, "with the rise of insurtechs, we're seeing many more proactive services … to help the customer help the client harden their cybersecurity posture."
Insurers are getting better at underwriting and evaluating risks in the cyber space and are requiring stricter cybersecurity and regulatory measures from potential policyholders, he says. "What we're seeing in cyber insurance, and what we've been focused on, is having that policy work for you, having a number of services that are being provided upfront that are useful and are beneficial to the organization. It's almost like looking at cyber insurance as an investment in the organization and investment in improving their security."
In this episode of "Cybersecurity Unplugged," Derigiotis also discusses:
- The importance of partnerships between insurtechs and cybersecurity firms and how they benefit both the insurer and the policyholder;
- The consequences of the Uber and Drizly breaches and their implications for CISOs;
- Sound backup strategies, endpoint detection and other security measures cyber insurance carriers are paying attention to now.
As chief insurance officer for Embroker, Derigiotis is responsible for providing the strategic direction and leadership for the performance of the company's insurance operations, which include underwriting, claims and other functions. He previously served as Embroker's corporate senior vice president and as a national professional liability practice group leader for international wholesale brokers. Derigiotis is a member of the International Association of Privacy Professionals and a Fellow of Information Privacy.
Steve King: [00:13] Good day everyone, this is Steve King. I'm the managing director for CyberTheory and our podcast today is going to explore the world of cybersecurity insurance. David Derigiotis is the chief insurance officer for Embroker and he's going to join us. He's previously served as their corporate senior vice president and national professional liability practice group leader for international wholesale brokers, and knows a lot about complex cybersecurity exposures, data privacy law and regulatory requirements. He also knows a lot about emerging technologies like blockchain, DeFi and crypto. He has been a guest on Fox Business and CNBC, talking about complexity and value of the cyber liability insurance world - if it's not already really important - is going to be very important in the coming months here. Welcome, David. I'm glad you could join us today.
David Derigiotis: [01:18] Thanks, Steve. Great to be here.
King: [01:20] Thank you. Let's dive right in. What is the impact of young Sam, FTX and Alameda and the insurance industry?
Derigiotis: [01:36] The insurance industry - as it relates to any type of cryptocurrencies/blockchain - is already a very difficult space. I think there's still a lot that needs to be learned from an insurance company standpoint in ensuring all of the risks. We're talking about a broad spectrum of things. You have bitcoin, you have the broader cryptocurrency space, you have blockchain, and you have decentralized finance, where really these are technology service providers that are tied in and utilizing different types of blockchain technology to provide different financial services. I think that the market was already very difficult to begin with. Then you have the collapse of one of the largest cryptocurrency exchanges, and no doubt tied to fraud, misappropriation of customer funds, and the domino effect that it's had, just across the broader industry. This isn't just one organization that operated in a vacuum. There are so many different players in the crypto space and you look at others, in BlockFi, for example, they were dependent on them for an open line of credits. It's now having an impact on them. So it's really poisoned a lot of other very good organizations, because you have the criminal acts of a small few, who really were using deposits for their own personal gain, using it for their own personal financing, purchases of homes and all sorts of incredible things that you just heard come out of the bankruptcy letter. So it made an already difficult area of insurance that much more, I think, complicated. It's going to take a little bit of time to dig out of this, I think. A lot of people lost money, who are depositors and depending on FTX, to be able to transact and acquire various crypto. Now you have people that lost, in some cases, life savings. I think it serves as an expensive commercial for why cryptocurrency was developed to begin with Bitcoin being the kind of reigning king within that space. It was to thwart or get around a corrupt system, to be able to take destiny in your own hands for controlling your own money, being able to transact with people all over the world, giving financial freedom to people that are unbanked. I think it's a very expensive commercial for Bitcoin and what the thought behind having a cryptocurrency like Bitcoin was intending to do.
King: [04:02] It'll be interesting to see what happens to that whole market going forward. I'm not sure that it has any remaining viability, at least from an investor point of view, do you?
Derigiotis: [04:16] I think it does. I think it's going to take some time to earn back that trust. I think that's what's so important in knowing what you're investing in, knowing the people that are behind these different projects, knowing that they're properly backed with enough collateral, not just minting their own made up currency like FTX. They had their own cryptocurrency that they were just minting on an unlimited basis. There was no value behind that. So if you're using this made up, fake, funny money - internet money - to be able to transact and acquire real currency or Bitcoin, some of the hardest money that's been developed, I think that you're on very slippery slope. You're on thin ice, you need to know that the organization has real legitimate assets that are backing the investments and the money that's being given.
King: [05:11] That creates a market for middle folks that can manage that part of the transaction, I suppose. But our understanding was that this was not some big cyberattack/hack, but rather compromised credentials, and somebody got a hold of and was able to get through all that without ringing any bells, right?
Derigiotis: [05:39] We've seen constant hacks in the crypto space. A lot of times they have to do with what are called bridges, where you're bridging between two different blockchains. That's usually the weak spot. That's where we've seen hundreds of millions of dollars' worth of various cryptocurrency being taken. That's where you have that unauthorized movement into other wallets. They're washing it, they're trying to hide their tracks. It's just interesting. You look at FTX, they were valued at $32 billion dollars. They've gone from that to nothing, to wiping out people's life savings. It makes me think back to Enron. You look at the rise and fall of Enron and that's what really instituted the whole Sarbanes-Oxley being having that financial transparency, with accounting practices, I think, this could be the Enron moment for the crypto industry, where we see now, some type of regulation where you see more transparency, but again, even with proper regulation, even with all the technical safeguards and protections in place that doesn't necessarily protect you from fraud and from criminal activity. That certainly still happens quite a bit in the traditional financial system.
King: [06:48] Sure, it does. If it's if the regulator's get their hands on this, it won't be any fun for the kids anymore. What fun is it for guys like Sam, if he can't do the magic thing? It's just crazy, but leads me to another question about the cybersecurity insurance space at large. Where is it going? It still looks to me if so many breaches and so much unrecoverable money that is leaving the house here, are we ever going to be able to get a cybersecurity policy hearing, like in a year or so?
Derigiotis: [07:33] That's a great question. I know that for small and mid-size organizations, it's been a very painful process. I can tell you, in working with a wide variety of clients. I've seen 100% plus increases on premiums, and those are very difficult conversations to have with a client, even if they've been doing everything right. There have been no losses, they've tendered no claims against the policy to go back to them, and say that, "hey, sorry, the rest of the marketplace has gone through a real correction in your premiums going from 200,000 to 400,000 because you've been caught up in some of those changes." Those have been difficult conversations over the past couple of years. I think it's been a real transformation that the cyber insurance market has gone through. For so many years, it really has been a race to the bottom who can ask fewer questions, who can charge the least amount of policy premium and attract the most business? That worked for a while until it suddenly it didn't. If you look back at the last couple of years, the frequency and severity of ransomware attacks, and this is nothing new to anybody in the cybersecurity space. You know that ransomware has been a rampant problem for the last couple of years. You look at the social engineering attacks, business email compromise, the FBI data, they released great statistics on internet crime, every single year. Business email compromise is always the leading loss leader, when you look at all of the complaints of the 6.9 billion in losses that were reported last year. Nearly 2.4 billion were due to business email and email account compromise. That was up from 1.9 billion roughly the year before. Saying all that, there's been a real transformation that the insurance marketplace has gone through. It's gone through a correction whereas now I think the rates are starting to stabilize, we're seeing a lot more partnerships with a variety of risk management providers, cybersecurity providers, Embroker being one. In particular, we partnered with LastPass to be able to offer really topline, leading edge, password management credential protection options for our clients. So with the rise of insurtechs, we're seeing many more proactive services being offered to actually help the customer help the client harden their cybersecurity posture, which is a win-win. They're able to operate a more efficient, stronger business with having data collection practices in mind, having better privacy controls in place, making sure that they're complying with whether it's state or federal privacy laws, and then it's a win-win for the cyber insurance provider, because obviously, that's going to be a lower risk to take on an insurer. Like Embroker partnering with LastPass, we're seeing more partnerships across the board, where it benefits both the policyholder as well as the insurer. That's what we're seeing now. It's going to become more affordable going forward because the security posture and the requirements that an organization has to have in place is a much higher bar from where it was a couple of years ago. The insurance industry is getting their arms around properly underwriting and evaluating these types of risks and insuring them. From a standpoint that makes sense. You can't be a small business and pay $100,000 for premium if you don't even have that type of cash flow available. So it's got to be cost effective for the insured. But it's also has to make sense for the insurance provider as well from a risk management standpoint and a loss leader.
King: [10:55] If I were a provider, it would be hard for me to rationalize why I would provide any sort of coverage that wasn't bracketed with a lot of loss limitation around any of these companies, I don't know if you guys underwrote Uber or not, but what happens in an Uber situation and what if they get breached again, tomorrow? Who pays for that? How does that work?
Derigiotis: [11:28] Uber is a very interesting organization, you look at some of the things that have taken place over the last couple of years. You have their Uber security chief. Arguably, he was found to have covered up and really obstructed FTC investigation. He was guilty. At one account of obstructing the FTC investigation that they had, he was also guilty of kind of what's called misprision of felony. That's act to conceal a felony from authorities. You have him doing things that are unethical and immoral. When they were breached a couple of years ago, he was going through or they were going through Uber, a FTC investigation with regards to a prior data breach that they experienced. He essentially took unauthorized access hack, and he tucked it under their bug bounty program and paid $100,000 to the criminal actor. He concealed a data breach, and he concealed unauthorized access from the general public and from the FTC's regulators. But then you also have an Uber-owned company Drizly. This one's pretty fascinating to me again - owned by a subsidiary of Uber, and you have the CEO that's being held personally accountable by the FTC. Uber and the CEO of Uber Drizly were warned, a couple of years that their security practices were inadequate. They didn't make any necessary changes, they get popped again and no surprise, now the FTC is stepping in saying you need to do these things to better protect your insurance to take privacy more seriously. They instituted a number of things that they typically do against an organization. You need to destroy unnecessary data. You need to limit future data collection from any of the customers and clients that you're working with. You need to implement an infosecurity program. We typically see those types of things. But what's unique about this particular case is that they're going to follow him around as an individual. If the CEO moves on to any other company, from Drizly, they're telling him that you need to make sure that you're implementing a cybersecurity program for whatever company you go to. Now we have actions that are not only taken against an organization, but they're going to follow that individual around whatever company he goes to. At any point in the future, those things are very fascinating. We're seeing a lot of advancements and types of actions that are being taken against individuals. You look at the CEO or the chief information security officer at Uber, he's going to be pursued now at this point for criminal charges. We haven't seen that before. We haven't seen a company executive being held responsible for criminal prosecution over a data breach, over a hack. It's just all of these things are very fascinating. Insurance is never intended to cover the CEO or C-suite intentional or illegal action. I don't think it's going to change the perspective of insurance because the coverage never would have existed, if it was something that was intentional or illegal to begin with. Now, it's going to cover an employee's actions. Forget the CEO for a second, but if you have an employee who is stealing cardholder data, or is a malicious insider stealing some type of information and providing access, the policy is meant to cover those types of exposures and threats, but not if it's an intentional action that's coming from, you know, a C-suite member such as Uber is a very interesting company with some of the things that they have going on right now.
King: [14:57] We could argue for a while about whether that verdict was a reasonable verdict or not, and whether Joe did a good job or a bad job or what he thought was the right thing to do there and that they got the right guy or the wrong guy. They initially went after everybody but Joe but as they sorted through that, and the Justice Department is certainly compliant in this that those prosecutors would have been much more difficult. Everybody, everybody got a plea deal. They all testified against Joe and now we get looking at eight years. They better be careful here because I served six years as a CISO myself for a really large bank. I don't know too many folks that would be willing to take that job today. If we have this weird, implied fiduciary responsibility that - as far as I'm concerned - the "chief information security officer" shouldn't really have. It's not a true officer of the corporation. If they think there's a liability there, nobody's spelled it out for Joe or anybody else that I know, for example. I think it's overly aggressive for the FTC to pursue.
Derigiotis: [16:21] Hasn't been done before. It's just interesting, like you said, who in the world not only want that job in particular, but you think about the responsibility that sits on your shoulders in any organization to keep them in a sound environment to properly protect data, to make sure that you're giving consumers proper notice and transparency. If a data breach occurs, what we've seen in the past, you see the CISO, get bounced immediately. They're terminated, they're thrown over the coals. It's just a very difficult position to be in, to begin with, the responsibility, the organizational security that's required. All it takes is one employee to make a mistake to reuse a password, to click on a link, to open an attachment, whatever it may be. The organization just opens up to an incredible exposure. It's already a tough job, but now you have individuals that are going to be held personally liable or criminally liable. It really makes you rethink - is this a position that I want to take on, both professionally or personally, for that matter?
King: [17:31] Negligence is one thing, but I don't think that was the essence of the case here. Nor was that the case in Jersey, and he got a CEO of a company who now is going to be followed around for what 10 years. Was that the deal to make sure that he puts in these systems or plans or whatever in place, which none of those things are going to prevent a breach going forward? That's the irony of all this. MFA is easily worked around. The FTC makes a big deal out of MFA. But it's not going to prevent a breach, period. We've proven that, a lot. So I'd certainly want a contract that specified all that stuff very clearly. If I were to go back and do that job again. I wouldn't want to, that's for sure. It's very hard. It was hard then now it's much harder. Were you guys involved in the Capital One breach at all?
Derigiotis: [18:35] We were not. You look at some of these judgments and some of these payouts across multiple organizations. What was Capital One? $190 million? It was AWS engineer, insider threat type thing where 100 million individuals had their data compromised. But again, this is nothing new. You look at the Capital Ones $190 million payment and look back to some of the others that have just been within the last couple of years - Equifax, the largest, $700 million; T-Mobile, $350 million based on that data breach. Then another $150 million that has to be spent incrementally over the next two years for updating their cybersecurity posture. We talked about Uber a little bit at the beginning for that data breach that was covered up by the CISO. They paid out $148 million on that and there was a 50-state settlement that went out with all the attorney generals. On top of the FTC investigation that's taking place, they've already paid nearly $150 million a few years back for that data breach. Things are nothing new.
King: [19:42] The industry at one point had flirted with this idea where I think you were, I think it was Marsh and Microsoft. They were all going to create a standard for what a company must do in order to qualify for the classic cybersecurity insurance policy. That kind of went by the wayside, I think. There were a bunch of things wrong with that, but I don't know if there's a comparable movement going on today, but what do you do? We're only talking about the breaches that are reported here. There's 10 to one that aren't. How can you guys protect yourself?
Derigiotis: [20:32] I think the industry as a whole has collectively raised the bar across what they're expecting an organization to do from a cybersecurity standpoint, from a regulatory standpoint. There hasn't been any one group that's driven it, but it's really been born out of necessity, due to the losses. You look at what organizations charge. For so many years, when you talk about loss ratio for every dollar of premium that you charge a policyholder, and there are some companies that were paying out $1.10, so they were losing money on every single account, or their portfolio on a larger scale. That type of underwriting was not sustainable. You look at the number of big headline ransomware attacks - for every Colonial Pipeline that you see, there are countless others that never hit the headlines that you never hear about, that caused real financial harm and destruction. But collectively, what's been done over the last couple of years, there are a number of things that insurance companies now at this point are requiring. Steve, you mentioned MFA, that is one of the things that an organization almost universally now has to have in place. But we know there are varying degrees of MFA that can be applied, you have somebody that's using their personal cell phone for MFA, that's one of the easiest ways to get around. You poured out somebody's number, their essentially their phone access is shut off, the number gets ported into a criminal, and then they instantly have access to the code that was being sent. Then of course, you have software options that are being provided, or hardware that can be used like a YubiKey. There's so many different variations of that. But broadly speaking, MFA is probably the lowest hanging fruit in terms of what's being required of organizations. Having sound data backup strategies in place and data recovery methods in place has been a big one. I've personally seen cases where somebody says we backup all of our data, and then three months later, they experience a ransomware attack, and they weren't doing an effective job, or they weren't doing it on a regular basis. The data that they had was either out of date, or they had never practiced going through the scenario, and recovering all that information. So they might as well not have even been doing it to begin with. I've seen cases where even with data backup, it wasn't effective. They weren't practicing. And then the ransom still had to be paid because of that. So having stronger controls around data backup, how often are you instituting data backup? Are you using multiple methods, whether it's the cloud/off site? Those are questions that a carrier is asking. Endpoint detection, is an important area that a lot of insurance carriers are taking a closer look at, to making sure that that's in place, that you have logs that you can look at, different behavioral characteristics, as people move through a network, being able to spot unauthorized access. Closing open ports, if you're using Microsoft Office. They want to know that you're locking down some of that access points, some of those access points from anyone getting in from outside the organization. Some of those things around data backup, data recovery, MFA, posing open ports - those are a lot of the questions that that carriers are really digging into and asking where it was an afterthought, going back before 2020.
King: [23:52] You're right. It's getting only more complex as we go ahead here. Assuming that you, except the fact that there's going to be a breach and what you're really looking for is improved resiliency on behalf of your customer, it would seem to me that if you know that there are a lot of independent research firms around like Mandiant, for example, or Kaspersky, that you could hire to do audit, if you will, and then give you a report that says, here's our view, here's where the weaknesses are, and then you could write policy based upon those weaknesses and corrections to them, etc. It seems to me that if you had more of a structured approach, and we're using a respected third party like that, those two companies that do that thing then you would be much better off in terms of you maintaining those incredible margins that you guys have but also that your likelihood of success would be improved too.
Derigiotis: [25:06] Completely agree. Going back, looking back at the cyber insurance industry prior to 2020, to put in perspective, it's almost like underwriting a property policy, offering property insurance, but not asking what type of structure you have or is it located in an area that's prone to hurricanes? That's like the equivalent of what was being done because you have to be looking at what type of resiliency does an organization have? Are they training their employees regularly on phishing? Are they providing data backup and recovery on an annualized basis at least? Do they have the proper security protocols in place? Do they have a firewall? Do they have a cadence for updating security vulnerabilities and patches or different cadence for critical vulnerabilities? A lot of that was just swept under the rug. With the rise of venture tax, Embroker as one of those, we have and we're seeing more partnerships with reputable cybersecurity firms that are able to do active monitoring, that are able to take a look at the perimeter, they are able to offer a variety of training and development services to make the organization more secure, to give them more resources on the front end so that the policy just doesn't become important when a claim occurs. Because what happens is, most people purchase insurance as an afterthought. You throw the policy on the shelf and dust collects on it. You only need it when something bad happens. But what we're seeing in cyber insurance, and what we've been focused on, is having that policy work for you, having a number of services that are being provided upfront that are useful and are beneficial to the organization. It's almost like looking at cyber insurance as an investment in the organization and investment in improving their security. That's particularly critical for that small and midsize business space where they don't have all of the relationships, they don't have necessarily the budget, and they don't have all of the resources to be able to invest from cybersecurity or regulatory standpoint. The cyber insurance companies and insurtechs, they've begun now for the last couple of years to focus more on that, because the business can be more resilient, it will be a better risk for the insurance carrier, everybody wins in that scenario. That's what we've seen, it's been a rise in the offering of resources, the rise in offering services to make an organization more secure. I think that's very important.
King: [27:39] You're right. That's a great point we can leave this at. I'd love to pick this up again, maybe midway through the first quarter, just to see what by that time with the continued fallout from SPF and FTX had been, and talk about that some more. If we're not careful, the government will be running all of this for us. That's not a good outcome. My humble point of view.
Derigiotis: [28:13] I agree.
King: [28:14] Thank you, David. It was a real pleasure. Thanks for taking the time to visit with us today. David Derigiotis is the chief insurance officer for Embroker. I hope that our audience enjoyed this half hour. There is a lot to talk about here and there's a lot going on in the space. It's going to get more interesting as time goes on. We'll talk again in a few months, David. Thank you to our audience as well for taking the time out of your day to join us. Until next time, I'm your host Steve King. Signing off!