P&C Technosavvy the April 2022 issue

A View into the Cloud

Q&A with Isabelle Dumont, SVP of Marketing and Technology Partners, Cowbell Cyber
By Michael Fitzpatrick Posted on April 1, 2022
Q
Companies across the business spectrum are becoming ever more dependent on cloud providers such as Amazon, Microsoft and Google. How does that impact their cyber risk overall?
A
Some are of the view that the cloud is more secure than traditional data centers. Some argue that the cloud is less secure. The reality lies in between. There is a little bit of a misunderstanding when organizations move their assets to the cloud. There is a layer of the technology stack that is supposed to be protected by the cloud provider, but you still have to do some work on the security front. You still have to configure the use of the cloud (or the cloud service) for security, make sure you only give users access to the information that they are supposed to have access to, and patch any software deployed in the cloud. It might be a little bit different whether you are talking about infrastructure and putting IT workloads on Amazon Web Services versus using an out-of-the-box application like Microsoft Office 365, where you just get an online log-in to the cloud service. Bottom line, there is still a lot of work to be done on the customer side to actually make that environment secure.
Q
Are there cyber risks companies may be overlooking with cloud services?
A

Insurers, cyber-security players, even the FBI all recommend multifactor authentication [MFA] as one of the easiest and most effective ways to stop a great deal of the basic attacks on businesses. Microsoft just released a report where they said that 98% of attacks from the internet could have been stopped by multifactor authentication and they still only see 20% of their customers deploying it. There is still a lot of work to be done on basic cyber hygiene like MFA.

With applications and systems deployed in the cloud, businesses might give up a bit of control and visibility on what’s really in the cloud. Know that when you deploy any online service there is really a risk that comes along with it.

Q
How does Cowbell work with cloud providers to mitigate those risks?
A

I can give you the example of Microsoft because it is probably the most accessible—and a really important one because Office 365 is a widely used cloud-based email service and one of the primary targets that the bad actors, the cyber criminals, use to infiltrate an organization through phishing. They send a fake email to impersonate someone you trust—whether it’s your manager or your CEO—to get you to click on a malicious link that gives bad actors access to the infrastructure of the organization so they can deploy a ransomware attack. It’s quite basic. There is a list of controls that represent security best practice on Office 365 that are made available by the Center for Internet Security (CIS) and Microsoft. This includes straightforward controls such as how many users have admin privileges—obviously you don’t want a lot of users having admin privileges. Do all your users have multifactor authentication? That’s a big one. It’s free and easy to deploy. So, all the basic security hygiene you would expect to have in place.

What we do at Cowbell is, through APIs, we validate whether Microsoft Office 365 has been properly configured for security. This feeds automatically and continuously into our assessment of a company’s cyber risk profile. The better the organization fares on security controls, the better risk they are for us as an insurance company, and that is translating potentially into better insurance options, such as higher limits or better coverage. It has an impact on the premium for insurance as well.

We don’t just get that information at the time of reviewing the account and underwriting it. We also ingest the information continuously, and every noteworthy risk signal is made available to the policyholder online, in Cowbell Insights, so that the organization always has access to all the findings we have. Occasionally, we will raise a red flag to say, ‘Hey, your risk rating, what we call Cowbell Factors, for the dark web has changed dramatically, and we think you should investigate further.’ We go beyond insurance to actually do risk monitoring for policyholders.

Q
How important is it to do that on a continual basis?
A

This is a big divide between traditional insurance and a more modern form of cyber insurance. If you look back a couple of years, evaluating cyber risk might have been done once a year based on revenue and industry alone. Insurers are moving to a model where cyber risk is evaluated on an ongoing basis with more direct collaboration with their policyholders on how to mitigate risk exposures. We refer to this process as closed-loop risk management. Step one is assess, then insure, then improve. The key is to do this continuously.

If you’re issuing a policy in February 2022, the technology landscape at that company 10 months later will be different. The company might have hired new employees or deployed new systems, and of course the cyber threat landscape will be different. A cyber policy can get out of sync with risks covered. You find a lot of cyber books of business that have been underwritten for certain types of accounts that are completely disconnected from the risk they are covering now. We pride ourselves at Cowbell with our continuous risk assessment process. We want to stay aligned with what our policyholders are using in terms of technology and work with them to make sure that they keep technology updated, that they are aware of new risks appearing. We are engaging numerous security and technology vendors especially for that purpose to work jointly to help customers do the best in terms of security.

Microsoft is one example. Cowbell has connectors to cloud providers like AWS and security vendors like Qualys and Secureworks and more. We ingest data from Dark Owl about dark web exposures on a continuous basis. Our goal is to strengthen our risk model by expanding our data sources and always ingesting more data and risk signals. We announced a partnership in December with Cloudflare, an important player in the internet infrastructure layer, and we are always adding members to Cowbell Rx, our referral marketplace for risk management resources.

We have entered a world where it’s not whether a business is going to be attacked; it’s when it’s going to happen. You obviously need to invest in cyber security to keep your organization protected, but you also have to be ready for when you will face a cyber event. And that’s where cyber insurance comes into play.

Q
Cyber premiums have been climbing. Do these kinds of measures make cyber more affordable?
A
Yes. We are also more demanding of businesses when they apply for cyber insurance. In a way, we are helping the business get more secure but reiterating that you need to have MFA in place, you need backups in place, you need to be prepared for bad events to happen by having an incident response plan in place. We also offer with our policy the ability to set up training programs to raise employees’ awareness about cyber security on an ongoing basis so employees know how to recognize a phishing attempt. There is still a lot of work to be done there.
Q
How is technology changing cyber insurance?
A
Cyber insurance used to be a little like a black box, and people had a hard time understanding coverage. With the number of attacks that have happened, there is a great opportunity to use technology to make cyber insurance more accessible and easier to understand—just like you have a company like Amazon that made a lot of IT services available online more easily. Who thought you’d ever buy a database with a credit card online? The same opportunity is there for cyber insurance. Digital access or distribution of cyber insurance is also something we are paying a lot of attention to, trying to make it easier for agents and brokers to distribute cyber insurance online.
Michael Fitzpatrick, Technology Editor
