As networks and their connectivity expand, so too do the threat landscape and the bad actors who want to take advantage of enterprise security vulnerabilities. Resilience, a cyber insurance and cybersecurity company, is one of the organizations that is spearheading cyber insurance as an industry.
They also look to foster a broader understanding of the cybersecurity safeguards companies need to be insurable, as well as the best strategies for protecting against ransomware and other cyber threats.
In this interview, you’ll learn more about cyber insurance and what CIOs can do to improve their organization’s stance against cyber threats from Amy Chang, Head of Risk and Response at Resilience.
What Is Cyber Insurance?
CIO Insight: What do you do in your current role at Resilience? What does Resilience do as an organization?
Chang: It’s interesting because, with Resilience, we’re wondering ‘how do you brand a company that does something that doesn’t really exist yet?’ So, at the moment, we are a cyber insurance company, where we underwrite cyber insurance policies for midmarket companies; those are companies in the 100 million to $5 billion revenue range.
And our services range from holistic insurance coverage to loss mitigation services that happen post-bind, as well as custom and ongoing security services throughout the lifecycle of their policy. So basically, we pair up cyber insurance with cybersecurity. And what we want to do is basically risk orchestration across a company’s ecosystem, to be resilient against cyber threats and attacks.
As for my role, my title is the Head of Risk & Response at Resilience. So what does that mean? Partly it’s helping to lead risk visibility operations and providing insight for our underwriters, for our security services team, as well as the insured and the brokers that we work with.
This information is about the risk posture of the clients that we underwrite, as well as helping to improve — and this is more of the response side of the equation — the cybersecurity postures of our insured clients, whether it’s through notifications of vulnerabilities, relaying of pertinent security information, all those types of things.
I’m based in Washington, DC, and I’ve basically done every typical DC job, from defense contracting to working on the Hill to working at a think tank. Eventually, I found myself at JPMorgan, which is where I was prior to coming to Resilience.
[When I found Resilience,] I really wanted to find something that was mission-oriented and driven. [I] liked working at a veteran-owned company where they’ve served in the military, they’ve served in the government, and they understand the mission to protect our economy and our businesses. That was what drove me to cyber insurance and cybersecurity.
It’s interesting because of the mid-market portion as well; these are companies that undergird our economy. You don’t hear about them as much, however, they’re the ones that get affected by the supply chain hacks and things like that. Colonial Pipeline and Kaseya: You never heard of them before they were attacked, but they’re actually very critical service suppliers to many different companies in America.
CIO Insight: How can insurance companies play a part in fighting against cybersecurity threats and/or ransom payments?
Chang: I think this is a great question that requires looking at the trajectory of cyber insurance to date, and how, over the past few years, ransomware has completely changed the calculus. Insurance companies really look at metrics and data to kind of drive where they need to underwrite and where they need to focus. As the ransomware threat continued to grow, there was a need to change the way that underwriting occurs.
I think insurance companies can work towards changing the way that we address cyber threats by taking a better and deeper look at how we can incentivize better behavior, using insurance as a tool. I think a lot of [insurance] companies ended up making the mistake, leading into this year, of underwriting a lot of companies without necessarily understanding their security environment. And as a result, they’re now responsible for all these ransomware payments that occur.
Having more robust security standards prior to underwriting and binding a client, as well as continuous engagement with the insured through the lifecycle of their policy, can both be really beneficial to mitigating the risk of the insured, but also decreasing the risks that insurers face.
CIO Insight: Would you say that the average insurance company knows what cyber insurance looks like, or is it more of an area of weakness where companies need to start educating themselves?
Chang: There are a number of firms out there that specialize in offering cyber products and cyber insurance products. However, when you’re an underwriter that understands cybersecurity, it’s different from a security practitioner that understands cybersecurity. And when you’re in the seat of an insurer, you’re talking to chief financial officers (CFOs), chief risk officers (CROs), as well as CEOs. So you’re talking to a totally different audience.
And the security practitioners are in the CIO or CISO kind of mindset, where they’re able to look at the nuts and bolts of a network and have a deeper understanding. And so I think that the maturity level of the industry is definitely trending in that direction.
However, I think there needs to be a lot more close engagement between security practitioners and insurers to have a better holistic understanding.
A National Spotlight on Cybersecurity
CIO Insight: How/why did Resilience get involved with the US Government’s Institute for Security and Technology’s Ransomware Task Force?
Chang: I think what happened was the IST really acknowledged ransomware as a threat and a growing threat, [and they recognized] us as an organization that’s mission-oriented and understands the threat that’s facing our nation.
Seeing that ransomware is a major threat to both public and private economies, we wanted to be a good steward and thought leader on how to cope with and address the ransomware threat. We are one of the co-chairs of the Ransomware Task Force with the organization.
CIO Insight: How is the private sector currently working with the US government to mitigate cybersecurity risks?
Chang: I would go as far as to commend the government over the past year or so in terms of being more proactive and engaging in an offensive sense, in terms of taking visible action against cyber threats or cyber actors — which shows that the government is taking this threat seriously.
And that creates a good symbiotic relationship where you’re able to leverage what the government is doing in terms of justifying engagement with your insured, or justifying the terms that you’ve provided, or increased security engagement, or whatever it may be.
On the other hand, I think there’s more information sharing as well, across the private sector with the government. And information sharing itself is an incredibly difficult task to handle, especially when it ends up in classified spaces and all that kind of stuff.
And timeliness is also another consideration; if intelligence that comes back from the government isn’t timely, then it’s kind of like a moot point. But the fact that they’re having these conversations, the fact that they’re going in and engaging across the sectors is an important development.
Our CEO, Vishaal “V8” Hariprasad, did participate earlier this year [when] Biden held a White House Summit on cybersecurity. It was the CEOs of Google, Amazon, and Microsoft; insurers; universities; and nonprofits that all came in, and were trying to address [cybersecurity] not only from a critical infrastructure perspective, [but also] from a technological development perspective.
They focused on topics like ensuring that your technology is safe, all the way down to how you create a more conducive human capital ecosystem that creates better talent to feed into understanding and practicing cybersecurity.
Today’s Ransomware Threat Landscape
CIO Insight: How would you describe the ransomware threat landscape of today? Similarly, what does the typical response to ransomware look like today?
Chang: Ransomware started out relatively small, where you were able to target institutions here and there. And then, over the past few years, it’s shifted towards what the industry calls ‘big game hunting.’ So targeting large corporations that are really sensitive to downtime, as well as bad press and all those types of things. And so they know that adds another level of pressure on the executives to act against a ransomware attack.
So then in addition to that, we are seeing multiple extortion levels. So first of all, there’s the smash and grab, you take all the sensitive data, and then there’s the ransomware part where your systems are encrypted.
And then the second part, the second level to that is that they steal your sensitive data and threaten to release it if you don’t pay by a certain time. And the ramifications of that are more regulatory in nature, as well as reputational.
So for example, if you’re violating GDPR, because you have sensitive health information or personal information, then you would open yourself up to a lot of lawsuits and inquiries from the SEC, and things like that.
Then the third level of extortion that is occurring is ‘if you don’t respond to our threats, we will talk to the press or we will start contacting your clients to let them know that you’ve been compromised.’ All of these methods are them trying to find new ways to exert pressure onto executives to take action against ransomware.
And then on the threat actor side of it, you’re also seeing an evolution towards more specialization of the ransomware kill chain, which is the steps needed to make a ransomware attack.
So for example, you have one group that is very focused on initial access as a service. You’ve heard of the term ransomware-as-a-service, right? So you also have access as a service. And these people are specialized in crafting spear-phishing messages that are actually so convincing that someone would actually click on them and grant initial access into a user’s network or a company’s network.
Then you also have specific malware developers, and you have [hacking] infrastructure as a service. So these are the people who build the IP infrastructure that an attack occurs on, and then they take it down afterward, so it’s untraceable.
Every step of the chain has become professionalized and specialized and just shows how much the criminals have honed their craft over the years. However, I think in any type of, especially criminal organization, over time, it becomes bureaucratized. Basically, you have the top people who are running the operations and it trickles down to eventually, you have some random kid that you’ve hired to set up IP infrastructure, take it down, create websites and take them down, all that kind of stuff.
And that becomes really draining over time, so you’re actually also seeing cybercriminals facing burnout. And that has tons of ramifications as well, in terms of sustainability rates for ransomware operations over the long term, as well as the potential for law enforcement to go in and potentially use these people to work their way up. So that’s another interesting thing that’s been occurring as well.
And finally, what a typical response to ransomware would look like: what it should look like is these companies have an incident response plan in place. If they are affected, they’ll call their claims person for the cyber insurance, and then that kicks off a whole panel where you’re doing incident response, you’re doing forensics, you’re trying to locate the data, you’re trying to secure back. And then they could potentially bring in a professional to help do negotiations on your behalf if you choose to pay a ransom.
Tips for CIOs and Other Top Executives
CIO Insight: What can CIOs and other executive leaders do to better prepare for ransomware threats?
Chang: Besides getting cyber insurance policies? No, I’m just kidding. I think that coordination across the executive level, you know, whether you’re a CIO or CISO, with your chief risk officers or chief financial officers is crucial.
I know CIOs and CISOs always face the conundrum of ‘how do I justify a larger security budget for an incident when I don’t know if it’s definitely going to occur or not?’ And I think that when you put security in terms of risk orchestration, riskiness speaks a lot more to the financial side of the house.
And it better orchestrates, I think from a company’s perspective as well, in terms of being able to have a unified front with the understanding that cybersecurity is important. Investment in your cybersecurity is an important asset to not only prevent anything from happening, but also, I think we’ll see over time that people will want to work with companies that are cyber-secure. So the focus is using [cybersecurity] less as a cost center and more as an asset that helps drive business as well.
CIOs can also do a lot of messaging to their peer executives and across the organization about security hygiene and how important it is. Having a security mindset that’s across the organization, up and down, definitely hardens you against potential threats.
CIO Insight: What changes do you think we will see to cyberattacks and responses to cyberattacks in the near future?
Chang: What makes cybersecurity so interesting is it’s always evolving. And as soon as the defenders innovate, the bad guys will always find a way in. That’s to say that things are always changing, but things will always stay the same as well.
You’re always going to have cyberattacks, you’re never going to be 100% cyber-secure, especially with the amount of technology that’s coming on board and the interconnectivity of our networks and our systems across the globe.
And so I think that, as long as we continue to innovate on the defensive side, the bad people will innovate as well. But at the end of the day, they’re going to look for the easiest way to get in. And those are the tried and true methods like phishing, clicking on links, and finding unpatched vulnerabilities.
CIO Insight: Anything else you’d like to add?
Chang: I just want to note the way that traditional insurance has evolved over time. We didn’t always have perils-based insurance for things like fire, earthquake, flooding. Or even if you think about auto insurance, it did not use to be predicated upon you wearing a seatbelt or driving properly.
Now, you know that if you want to be insurable, you have to have a fire alarm at your house, you have to wear a seatbelt, you have to have headlights that work. All these types of safeguards are in place that ensure we decrease the risk of a particular peril occurring.
I think we’re working towards that point where we’re able to identify those perils from a cyber insurance perspective and, basically, what we’re driving towards is minimum standards that companies need to adhere to in order to be insurable. So from a CIO’s perspective, what are those minimum standards that I need to work towards? What are those things that I need, like multi-factor authentication, that are going to be so necessary and baseline that if I didn’t have that, then I wouldn’t even be insurable?
I’ll note one more thing, but it’s a little bit separate. It’s important to have CIOs or executives in general, who are more open to information sharing as well, sharing that incidents occur. Because we all know that it does occur, but it doesn’t help us defend against the threat unless we know what happened. And from an aggregate level, I don’t even need to know that x company was the one that got breached.
But we need to know how it happened, why it happened, who did it, and how did they do it? And then that helps us as defenders drive towards tools that we could use to prevent those [breaches] from happening in the future. There’s a lot of humiliation and fear associated with reporting, just because when you have a large incident, you don’t want to get all the bad press about it. However, I think we’ve evolved to a point where having more of that data will end up actually being beneficial for all of us.
About Amy Chang
Amy is Head of Risk & Response at Resilience, where she leads risk visibility operations and improves the cybersecurity postures of our insured clients. Prior to joining Resilience in 2021, Chang served in numerous leadership roles in the Global Cybersecurity organization at JPMorgan Chase, the world’s largest financial institution, protecting the firm and its employees from cyber threats.
Chang is an affiliate with Harvard’s Belfer Center Cyber Security Project and has over a decade of experience in cybersecurity, policymaking, and strategy. She served in the U.S. Navy as an Intelligence Officer. Chang holds an MA in Public Policy from Harvard University Kennedy School of Government and an AB from Brown University.