EP 115: Insurance Companies as Cybersecurity Leaders
About this episode
September 27, 2022
Can the insurance industry find a way to reduce the rate of major cyber incidents, the way it did by promoting airbags to reduce highway death rates and sprinklers in buildings to reduce fire deaths? Let's find out with our guest Andy Anderson, CEO of DataStream Cyber Insurance. Your hosts are Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Andy’s podcast “The Cyber Crime Lab” — https://www.thecybercrimelab.com/
Announcer: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Jake Bernstein: So Kip, what are we going to talk about today on episode 115 of the Cyber Risk Management Podcast?
Kip Boyle: Man, I love that we're in triple digits. Jake, we're going to talk about the relationship between cyber insurance and technology, but we're going to do it in a way we haven't really done before. And you'll see what I mean in a moment, and we're going to do it with our guest. Andy Anderson is here. He's the CEO and founder of DataStream Cyber Insurance. Super glad to have you here, Andy. Welcome to our podcast.
Andy Anderson: Thanks, Kip. Thanks, Jake. Excited to be here.
Kip Boyle: So we would love to give you a chance to tell people more about yourself and what you do at DataStream. Maybe a little bit about why did you found DataStream? So please tell our audience a little bit more about you.
Andy Anderson: So coming out of business school, actually, I spent a little bit of time out on Wall Street and actually covered insurance companies. So I was a publishing research analyst for a big investment bank and learning all about the insurance industry through the lens that investors have for them, which was a great opportunity to really understand how insurance works at a very broad level and all of the different types of businesses in the space and the impact that insurance had on different ecosystems.
And then I sort of ran away from Wall Street and spent a decade plus in the technology space eventually ending up at some bleeding edge cybersecurity firms. And to me, particularly when I was sitting on the RSA Conference floor and looking at the thousands of vendors that were there and selling different cybersecurity products, I was going, "I'm not sure that this is the best way to address this risk."
For an individual walking into that room and trying to decide of the thousands of tools and products and procedures to try and do it, I think is really challenging. And so I thought this looks a-
Kip Boyle: That's an understatement.
Andy Anderson: Right? And I think it's one of those experiences when you can know less leaving the show than you did when you walked in.
Kip Boyle: For sure. I've had that feeling.
Jake Bernstein: Well, and the composition of those thousands of vendors probably changes year to year, which doesn't help make decisions any easier.
Andy Anderson: Yeah. And I think in particular, what I was stunned by was the lack of tangible metrics that so many of those products were using to measure their performance. You'd have a conversation with any of them, and pretty quickly they'd be telling you a story, an anecdote, which is interesting, but not really. It's the 21st century and everything needs metrics, right?
Kip Boyle: Definitely.
Andy Anderson: And once you have seen the world through the eyes of insurance, fortunately-
Jake Bernstein: And Wall Street.
Andy Anderson: Yeah, and Wall Street, you can't forget the way that insurance looks at things in thinking about risk, thinking about risk transfer, measuring risk. And to me, cyber attacks looked a lot like some of the risks that insurance deals with very, very well and has historically for a long time.
Cyber attacks look a lot like earthquakes and hurricanes. It's a low frequency, i.e., it doesn't happen very often relatively, but when it does, it's a high severity event, meaning it's very expensive when it does. That's just what earthquakes and hurricanes look like.
And insurance does a good job of dealing with that in a way that a regular business, because it doesn't have enough times at the plate dealing with that risk, often doesn't get the knowledge, the understanding, the expertise that repetition brings. And so-
Kip Boyle: Or even the appreciation that it's something they should be planning for.
Andy Anderson: Totally. So out of that, I ended up really getting interested in cyber insurance and then reconnected with another friend who coincidentally had founded a cyber insurance firm. And so I joined that firm and then out of that larger firm, we ended up creating this new business, DataStream, to really be active in the US primary market. So we really connect more directly what's happening in the insurance ecosystem to frontline technology firms, technology teams, and what was happening in the cybersecurity ecosystem.
Kip Boyle: That's super interesting. What were you going to ask, Jake?
Jake Bernstein: I'm just curious. So DataStream Cyber Insurance itself, we've talked quite a bit about insurance on this show over the years, are you a broker? Are you a direct insurer? Are you a technology overlay? Maybe just talk a little bit about what is DataStream Cyber Insurance. What do you do?
Andy Anderson: So we are structured as a specialty broker and all we do is cyber insurance and occasionally another closely related insurance product called technology errors and omissions. The two typically go together if you're a technology firm.
So we're structured as a broker, but our backer is a cyber reinsurer actually. And so they sit behind a good portion of the market of all the different insurance carriers and products that are out there. So daily we're helping organizations understand what their risk looks like, placing them in specific insurance products, but we sit behind many of those insurance products as a reinsurer that we're selling.
And then we actually have quite a bit of data across this whole ecosystem in terms of understanding what actual claims, losses, postures that are tied to those claims and losses look like. So we operate at multiple levels.
Jake Bernstein: That's super helpful. I'm sure we've talked about it at some point in the past, but just for the current listeners, insurance as a concept relies upon data. You've got underwriters and you've got these actuaries and just the very basic data driven nature of insurance over time is ...
People, I think don't always appreciate the nuances of what insurance really is and it's a math problem. It's, how do I make money protecting against certain events such that I'm collecting enough premiums to still profit after paying out claims? This is the most basic kind of insurance equation that there is.
The problem though in cyber, is that in order to do that well, you have to understand the probabilities and the costs. And certainly when things first started to get going in the cyber insurance marketplace, nobody knew anything really. So I'm curious if we can continue this conversation by just, how have things changed in this zone?
And we very recently had a whole episode about how the cyber insurance market has hardened, that it's much harder to buy insurance. Not as much interested in that as I am in the data behind the insurance industry and then with respect to cyber insurance here.
Andy Anderson: Yes, absolutely insurance is a math problem in trying to estimate it, but it is also a collective product. You create a pool of risk. And one of the challenges, as I go back to why does insurance particularly have a role here? Because most individual organizations, they don't have the frequency of these events to really understand what's going on here. So by creating this collective product, you often have data sharing across a much larger pool of organizations.
And we daily are talking with individual organizations and even technology firms, and some of those technology firms have thousands, if not tens of thousands of clients, and they really struggle to understand the impact that their products are having on the reduction of cyber risk, either on the frequency side or the severity side, because they know a lot about their own customers, but they don't know what their non-customers' data looks like. They don't know. Hey, we might have a 2% incident rate. Is that good? Is that bad? Is that terrible? And when an incident-
Jake Bernstein: They have no idea.
Andy Anderson: Right. You don't know because again, because of the natural competitive nature of different technology firms working in an ecosystem. One endpoint detection and response vendor is probably not going to share everything with their competitors, right? But insurance-
Jake Bernstein: Right.
Andy Anderson: And you've seen this across multiple ecosystems over ... Again, we all get excited about cyber. I love it. I'm incredibly passionate about it, but let's be honest, it's a pretty new industry, when you look at other industries across our economy.
We've been dealing with the risk for fire for thousands of years. And particularly there's been great movement in fire protection and fire risk reduction, really starting with the 1906 earthquake and related fire in San Francisco. And out of that event, there were huge moves between the insurance industry, the building inspectors and building codes, and actually the technology players in building systems.
And out of that, you saw additional sprinkler systems and fire protection in terms of fire escapes, and even how we're constructing buildings in terms of the walls and the nature of the materials, and the insurance industry really drove a lot of that even to ...
There's a famous collective that came around in Boston. Basically the insurance industry got together a lot of the sprinkler manufacturers, and made sure that the sprinklers actually worked with each other, because you had this horrible thing going on, where you were putting sprinkler systems together and parts weren't working, they weren't the right sizes and stuff. So you'd have a sprinkler system when you actually had a fire [inaudible].
And so they set standards, simple stuff like sizes of pipes and sizes of heads, which again is the boring, unsexy, everyday work that actually keeps us from walking into a building and maybe worried about us not walking out because a fire breaks out and that burns to the ground. And that again still happens, but nowhere near with the frequency or severity that it did.
Jake Bernstein: A lethal fire in any kind of large structure is almost national news these days.
Andy Anderson: Yeah, because it's so rare.
Jake Bernstein: That's how unusual it is.
Kip Boyle: And Andy, I think you've absolutely put your finger on what it is we want to talk about today, which is how we can use technology in the cyber insurance arena to decrease the risk of an event and to look to other forms of insurance, to see how they've done it.
And I think you've done a wonderful example using fire insurance as a way of illustrating this point. And then I would also contribute airbags and other safety features in cars, anti-lock brakes and that sort of thing, which you and I talked about when we were doing show prep.
And so I'm wondering if we can now really focus on, in cyber insurance, how are insurance companies helping us to identify what will really drive down the risk of an event from a technological perspective? How are they figuring that out? How are you figuring that out?
Jake Bernstein: And maybe just to tie this back to the opening statements that you made, Andy, what I view this as, is cyber insurance starting to take an interest in those thousands of vendors on the floor of RSA and starting to think, okay, this is not really workable. We need to reduce risk, but we have to figure out how much all of these things are going to reduce risk. And I think that is really the core of it, which is what's good for the insurance industry that prevents payouts tends to be good for the insureds. That's the idea.
Andy Anderson: Yeah. Again, my view, and it's the reason I jumped from the security side of the world into the insurance side of the world is I think actually the insurance companies is the most aligned with the interest of the end companies that you're protecting.
Literally, the insurance companies are taking pennies on the dollar to own that risk. And if you take 5 cents and you lose 3 cents on that dollar, you're high-fiving and you're saying, "Oh my God, this is amazing. We're killing it as an insurance company," and you take it. And if you lose 6 cents, you're like, "Okay, well, it sounds like we're packing it up and getting out of here." That's the level of risk tolerance that you'd see.
But I think the way that the insurance industry is doing that I think is twofold. One is simply the collective data gathering and large populations that the insurance industry gathers by having many, many policy holders, many companies, which they're insuring. They're getting hundreds, if not thousands, if not tens of thousands.
And our relationship with the reinsurer, we have visibility into a significant portion. We believe at least the majority, if not significantly more of that, of the entire global cyber insurance market. So lots of organizations.
And I think one of the challenges in the cyber ecosystem itself is the cloak of silence and lack of data and secrecy that happens when an event takes place. And there's been governmental efforts to change that and to provide additional disclosure so that you can have more visibility. The sunshine cures a lot of ills, and so shining a light on what's actually happening.
But gosh, the green-eyeshaded actuaries are very, very good at gathering that data and actually knowing what matters. And as I've gotten into this space, more and more, tearing apart the myths and the rumor of what actually drives losses and what's happening to organizations has been really fun and really eye-opening, and the insurance industry has helped do that.
And the real raw data, the data on actual claims, okay, here's this incident, and then breaking that down into, okay, what are the components of those incidents, the claim costs, what did it cost to get the business back up and running, what did it cost to buy new technology, if stuff was literally destroyed, like it was bricked, what were the legal costs, all of these different components and putting numbers around that.
Kip Boyle: And then I think the next natural step is to then say, "Okay, now that we completely understand that as well as we can understand it, what are the controls? What should we be requiring of insureds? What are the subjectivities of the policy?"
And I can tell you that as a person who's been working in cybersecurity for a long time now, I am really excited by this because we have so many different frameworks that we've been relying on for years to try to do our job, but it seems to me that a lot of those frameworks are based on guesswork and-
Jake Bernstein: Theory. Theory.
Kip Boyle: ... theory, concept. And I've really struggled with a lot of them. The first framework that really came out that I really, really liked because I thought it was practical and based on what really works was the Australian NSA published something they called the Essential Eight. And they built those eight controls based on their analysis of actual malware attacks that they were suffering.
And I thought that was fantastic and I recommend it all the time, but even their perspective is limited compared to what you're describing and what insurance companies are able to bring to the table in terms of what works. I help people fill out cyber insurance applications all the time, and I'm talking to insurance carriers. And I just had a conversation with a very large insurance carrier because they denied one of my customers a policy, and I said, "Well, can you help me understand why?"
And they said the most interesting thing, which I wrote about in a recent newsletter I sent out, but he said, "We've looked at two years of ransomware attacks, and we know that in 100% of the successful ransomware attacks that we had claims filed on, a compromised domain administrator account was always present in the scenario. And so therefore your client hasn't shown us that they really have sufficient control over their domain admin accounts. We're not going to write because we know that the risks of them having a claim are super, super high." And I thought this is fantastic, thank you. Now I know for sure this is a control that's going to make a difference. So it's just wonderful. Anyway, so no question there, Andy, just-
Andy Anderson: Again, I think there's twofold things that the insurance industry does. One, it gathers that data and starts to put real numbers around things. The other thing is it's very good at imparting the requirements across an industry through the grinding, continuous ... Well, almost all insurance contracts are annual, so there's this natural, okay, we're going to have a bite at this apple every single year, and they draw hard lines often for the policy holders or the prospective insureds.
And relative to what we've seen in the overall cybersecurity market, that's kind of quick, actually. You're going to have to do this, this year, if you want to get coverage next year. And you have to do these three things, which I love the frameworks. I look to the frameworks every day that we work, but again, they're in some ways academic documents and they don't-
Kip Boyle: Yeah, in many ways.
Jake Bernstein: They are.
Andy Anderson: Yeah, they don't underlie ... And how you apply them is a lot of interpretation. So in some ways, insurance is great for doing ... It's a way of forcing compliance that's not from a regulator. And insurance is rarely leading, bleeding edge in terms of new technology, but it's very good at dispersion of technology, of making sure that technology spreads across an entire population or ecosystem. And yeah, so-
Jake Bernstein: Like seat belts.
Andy Anderson: Yeah. Again, we see that every day and why ... I think the folks that work in this space, you can either see the cyber insurance ecosystem as yet another thorn in your side of things that you've got to deal with, if you're dealing in cybersecurity, or you can see it as your best friend in making your customers do the things that you probably have been jumping up and down and telling them that they need to do every single day.
Kip Boyle: Definitely. Yeah. I just recorded an episode, which will have aired by the time your episode comes out, where I talked with Jason Rebholz, he's at Corvus. And one of the things we talked about was the fact that even if you don't buy cyber insurance, you should pay very, very close attention to the subjectivities, the requirements, because if you don't buy the insurance, at the very least, you really need to do all that stuff because it's going to make a difference to your risk profile. So again just, I think another benefit of having insurance companies bring what they do best into this situation.
Andy Anderson: Agreed. And I think it's not always inexpensive, but it is probably one of the least expensive products relative to the amount of risk that it is going to remove from your overall organization. And it's-
Jake Bernstein: Particularly since you don't know what all the other expensive, what Kip and I affectionately but not really, call flashy or blinky light security. You could spend hundreds of thousands of dollars on a whole lot of pretty looking dashboards and-
Kip Boyle: And we know people who have.
Jake Bernstein: ... platforms and software as a service and hardware. And you can spend all that money and people do without really knowing what they've spent that money on, other than the illusion of safety, perhaps. Maybe they're really safe, maybe it's an illusion. My point really is just that they don't know. And that's a major problem specifically in the cybersecurity provider industry space.
Andy Anderson: Yeah. And our view is what you really want to do is build a team, if you're in charge of the security for your organization. And whether that is your only job, you're a CISO or a CIO, or it's among the jobs that you have to do, you're a CEO or a COO, a pretty simple thing to do is to make sure that you have cyber insurance and your technology providers working together and basically starting with cyber insurance and saying, "Hey, I need to get this. What are you asking me to do?"
And then turning around and making sure that you, at a bare minimum fulfill those requirements. And then documenting it and making sure that you're actually not misrepresenting yourself, but you've, in some ways encapsulated the full issue there for cyber risk. You really have taken this problem.
And it's crazy to say that insurance is simplifying anything because I realize my eyes bleed from reading many, many page documents full of legalese, but that is what it can do-
Jake Bernstein: It's-
Andy Anderson: Go ahead.
Jake Bernstein: It is simplifying it for the end customer. There's a lot of complexity. And another metaphor or analogy or whatever you want to call it to what is going on is what you see every time there's a war, there's theory. And we just saw this with the Russian invasion of Ukraine, "Oh, all of their tanks are just going to roll over and they're going to be inside of Kyiv in three days." Well, introduce Javelin missiles and oh wait, Russia's lost a thousand tanks.
You can go now and you can find all sorts of articles written about these weapon systems have become obsolete because of the Ukraine war. And what that really is, I think ... And I just read this article that was really fascinating, it makes the very straightforward point that nothing gets to the heart of the matter, like live combat operations.
And isn't that really what we've been in for the last decade with cyber attacks? The way we even talk about it, it is an ongoing kind of war. And I think what is happening here is at the beginning, it was all theory, nobody knew what kind of things were going to be used, what was going to happen. And now finally, we do know. So we are starting to know certain things. And so Andy, where are we going with this kind of functional alliance between cyber insurance and technology and then how do we get there?
Andy Anderson: I think we're going to go to a place where we are seeing much safer online and cyber experiences for a significant portion of businesses. There are new areas that I would say that we're still early days in terms of understanding cybersecurity, I think. So the operational technology, industrial cyber, I think we're very, very early days and those challenges are going to get worked out.
So excluding that area, I would say things on the IT world have already really started to get much safer. I heard a quote, I'm trying to remember where it was from, but it's, the future is already here, it's just not evenly distributed. There are organizations that already put themselves in a really good place and they've thought a lot about ... And somewhat, it's just changing from cybersecurity to that idea of cyber resiliency.
And the way I define the difference is cyber resiliency doesn't expect bad things to not happen, it just appreciates that when they do, you can recover from them and you can do it quickly. And in some ways, cyber insurance is the ultimate in improving your resiliency because it's going to help your organization, if you've got the right amount of coverage, survive whatever that incident is.
The goal, when you're looking at security, it's okay, how do we drive down frequency and severity of these events? But resiliency is often looking at slightly different things and measuring really the independence and redundancy of the systems that you have in place.
A resilient organization is one that has on their core systems, redundancy, multiple versions of it and independence. So you took down my email, great, I can go flip over to my alternative email overnight. And gosh, I'm in two different-
Jake Bernstein: We just talked about that.
Andy Anderson: Yeah, two different worlds. So that's what I see is happening, and I think it's going to happen more quickly than people realize. You've seen really the cyber insurance industry really move quickly in the last couple of years to put some of these requirements in place, I think head snapping for many folks.
And either people appreciate that and get on board or sadly, you have this other force, which is criminals attacking you every day. If you don't want to believe this, the criminals will either unfortunately, very expensively educate you, or literally take you as a business out of business so that the strong survive, the people who are getting this and understanding.
Jake Bernstein: In this case the wise. Well, I think one of the things that Kip and I have always, maybe we've never voiced it openly, but we've definitely thought it, is that honestly, nobody should actually ... Ransomware shouldn't be a thing. It shouldn't ever work in theory. I don't think it's a long term threat. In fact, I think it's probably already on its way down, but unlike fire, Kip, which doesn't do what? Innovate.
Kip Boyle: Innovate.
Jake Bernstein: Fire doesn't innovate, these criminals do. And as long as there is money to be made, they will continue to evolve the threat. So I think one of the things that's going to be fascinating to watch over the next five to 10 years is auto, fire insurance, even flood insurance, all of these things, they just are different than cyber on one key metric, which is that they don't evolve with the controls that we put in place. They're just forces of nature for the most part, whereas this really does change things.
Andy Anderson: You get a special guest [inaudible]-
Kip Boyle: So yeah, I think people who ...
Jake Bernstein: [inaudible].
Kip Boyle: I think people were shocked when insurance flipped on a dime like that over the last couple of years, because insurance is a fairly staid product in other areas, highly standardized, commoditized in many ways, but insurance was getting its rear end handed to it over the ransomware epidemic and they had to do something fast. So I applaud them for doing something that I think is not characteristic of insurance carriers, which is moving fast and changing things quickly. So I think that's great. And I think what you're saying, Andy, is that we can expect to continue to see that quickness of reaction as they figure out what really works to decrease cyber events. Is that right?
Andy Anderson: Yeah. I'm always loath to say that the insurance industry moves quickly because for a while I wanted to paint a sign behind my desk that said, however long you think things are going to take, triple it because remember that you work in the insurance industry.
But on a relative basis, again, when you start to think about when you've been in the sausage factory and actually talked with corporate IT departments and corporate cybersecurity departments, particularly at large organizations and you realize that they are on the journey to digital transformation, but that journey is measured often in decades rather than in individual years.
Kip Boyle: Definitely.
Andy Anderson: And I guess-
Kip Boyle: So-
Andy Anderson: The one thing that I want to just double click on is I too would love to see ransomware go the way of the dodo bird and not walk the earth anymore. I think the IT world is going to move and you will see drops in that, because it is so easy to build redundancy and independence into IT systems.
And really the deployment of cloud infrastructure has allowed that to happen really, really quickly. You can have a whole completely independent server architecture for all of your core processes for pennies on the dollar, and maybe even in hours, if you know you need to stand that up.
The OT world, that's hard and expensive. We saw that with the Colonial Pipeline. The problem with OT is you have big, heavy, well-made equipment that's made of steel. And so it lasts like 30 to 50 years. And then we've tied all this silicon and technology to it, sometimes never imagining that we were going to then connect it to a worldwide network that could be accessed from anywhere in the world.
Kip Boyle: Exactly.
Andy Anderson: And the refresh cycle on IT is like three to five years in many cases where you're getting new stuff. The refresh cycle on OT operational stuff is 30 to 50 years. So think of a 15 year old computer, what that looks like. This is first days of the iPhone.
Kip Boyle: Yeah.
Jake Bernstein: Yeah.
Kip Boyle: 15 years ago, what OS were we running, XP?
Jake Bernstein: I don't even remember.
Kip Boyle: It's something like that. Andy, we really enjoyed having you as a guest on the show. I think you've done a really wonderful job of exploring this dimension of cyber insurance and technology with regard to true risk reduction, and really appreciate it. So if listeners want to find out more about you, about DataStream, where should they go?
Jake Bernstein: Or if they want that juicy data.
Andy Anderson: So they can find us right at our website, datastreaminsurance.com. We've got a ton of stuff there. We have a relatively active blog as well. I actually have my own podcast that I record called the Cyber Crime Lab Podcast, where we dig into these individual, real-life stories of what it's like to live through one of these incidents. That's been great uncovering what's happening in the shadows. And not nation state level, your everyday regular businesses that are getting torched here.
Kip Boyle: I love it.
Andy Anderson: And talking with the victims of that, as well as the folks that deal with them, the incident responders, et cetera. You can learn a lot from hanging out with the folks that work in the morgue about things that'll kill you as a business. So that's fun.
Kip Boyle: Yeah, that's great. Thank you for mentioning your podcast. Thank you very much, because I think that, that lack of imagination on behalf of senior decision makers is something that your podcast can help to address.
Andy Anderson: Yeah, if you have a client who thinks this isn't going to happen to me and how would it ever cost me this much, listen to a couple episodes. And every facet of it-
Kip Boyle: I love it.
Andy Anderson: ... not just the technology, but certainly the emotional preparation that you need to have for these incidents is-
Kip Boyle: Oh yeah.
Andy Anderson: You can't overestimate what it's like when your business that you've built maybe for 30 years is suddenly, overnight, potentially crumbling to the ground and how you get yourself ready for that.
Kip Boyle: Thank you so much for mentioning that too, Andy, because that's really a core reality for us at Cyber Risk Opportunities, which is, we just think it's wrong that all this value that a founder has worked really hard to create, possibly a legacy for their family, and it could be wiped away in an instant by an amoral group of people from some far away place.
We just think that's wrong and we love helping people protect themselves against the possibility of that happening, whether that includes insurance or technology or process or procedure, just trying to bring all that together and help people. So thank you so much, Andy, for being here.
And that wraps up this episode of the Cyber Risk Management Podcast. Today, we took a look at the relationship between cyber insurance and technology, and we did that with our guest, Andy Anderson, who's the CEO and founder at DataStream Cyber Insurance. Thanks for being here. We'll see you next time.
Announcer: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.