May 28, 2024

EP 53 – Cyber Insurance: Managing Risk and Protection

In this episode of Trust Issues, we dive into the complex and rapidly evolving world of cyber insurance. We discuss the challenges and opportunities facing companies seeking to protect themselves from the ever-present threat of cyberattacks. Joining host David Puner, today’s guest is Ruby Rai, Cyber Practice Leader, Canada at Marsh McLennan, who shares her insights into the current state of the cyber insurance market, its future trajectory and the key requirements companies need to meet to obtain coverage. We also explore the impact of third-party access and non-human identities on cyber insurance requirements and how companies can adopt an identity security approach to meet these requirements. Join us as we dig into the complexities of the cyber insurance market and discuss the importance of collaboration between insurers and clients in ensuring that companies have the coverage they need.

[00:00:00] David Puner: You’re listening to the Trust Issues Podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security. In today’s digital age, the threat of cyberattacks is ever present and constantly evolving. From ransomware to data breaches, companies of all sizes and industries are at risk of falling victim to these attacks. The consequences, of course, can be devastating both financially and reputationally. In response, the cyber insurance market has emerged as a way for companies to mitigate the risk and protect themselves in the event of an attack. But as the need for coverage grows, so do the complexities. In today’s episode, we explore the world of cyber insurance, its complexities and challenges, and trends and best practices. We also discuss the importance of collaboration between insurers and clients in navigating the complexities of the cyber insurance market and ensuring that companies have the coverage they need. And we do that with today’s guest, Ruby Rai, Cyber Practice Leader, Canada at Marsh McClellan. With her extensive experience in the industry, Ruby provides valuable insights into the cyber insurance market’s current state, its future trajectory, and the key requirements companies need to meet to obtain coverage. She’s also highly tuned in helping clients manage risk, which is inherent to the context of cyber insurance itself. So we talk a bunch about risk. We also explore the impact of third-party access and non-human identities on cyber insurance requirements, and how companies can adopt an identity security approach to meet these requirements. Let’s do this! Here’s my conversation with Ruby Rai.

[00:02:10] David Puner: Cyber Practice Leader, Canada at Marsh McClellan. Welcome to Trust Issues.

[00:02:14] Ruby Rai: Thank you, David. Glad to be here.

[00:02:15] David Puner: Yeah. Thanks for joining us. We’re excited to have you here. The subject of cyber insurance is obviously a big and important one that we haven’t really covered in earnest here on the podcast yet. So really excited to talk to you about it. And I think to start things off, what does your role as a cyber practice leader entail and what do you and your team do?

[00:02:37] Ruby Rai: As cyber practice leader at Marsh, Marsh being an insurance brokerage, our primary role is to be insurance and risk advisors for our clients, and in this case, specific to cyber risks. From Marsh’s perspective, our practice entails everything related to risk assessment, giving clients tools to manage risk, even without the need of insurance. However, insurance being a restressor mechanism that we really feel can come to a client’s aid. We try to create solutions that are best fit for our clients and not off-the-shelf products. So any efforts or time that our team spends in understanding what our clients’ needs are, the more wholesome and more effective insurance solutions can be.

[00:03:23] David Puner: I don’t know if I’ve seen the word or heard the word wholesome used besides cyber insurance. What does wholesome mean in the case of cyber insurance?

[00:03:32] Ruby Rai: Yeah, wholesome, that’s my view of insurance for you. It should be fit for purpose, right? Cyber insurance still being or considered a new product. If you talk to industry insiders, of course, we don’t necessarily feel it’s too new. But compared to other insurance products like property, casualty, auto home, it is a fairly new product. So making sure that the product is addressing any organization’s existing or emerging cyber risks, that’s what wholesome would mean to them. Insurance being one mechanism that addresses their needs. So making sure it, you know, it’s fit for purpose. And from a cyber perspective or insurance perspective, if you look at different industries, financial institutions will have different needs. Manufacturing clients will have different needs. Any organization that has operational technology will have different needs. So again, the product should speak to those risks.

[00:04:28] David Puner: So then I guess to dive right into the cyber insurance market, how has the cyber insurance market changed in recent years and what’s driven that market?

[00:04:38] Ruby Rai: We do need a lot more time to discuss the market and maybe, um, you know, an evening beverage.

[00:04:45] David Puner: All right. Part two.

[00:04:46] Ruby Rai: Yes, definitely. Let me start with a little bit of a background on the insurance market again. As I said, it’s not a very old product. It’s a maturing product, which means it’s been around for only 20 years or 20-plus years in terms of its evolution. So markets or insurance capital providers are still learning how to effectively provide capital, but also charge for that capital or price it effectively. So in the last three years, this was the first time the cyber insurance market has gone through an evolution where the capital is now priced at the level that the insurance markets are actually comfortable covering or paying for cyber incidents or cyber losses, uh, for our clients. And that was difficult, um, because historically it’s a very, in insurance speak, soft market. So buyer’s market. And it’s switched very quickly in the last three years, of course, primarily driven by the pandemic, but also the speed at which the cyberthreats evolved. So the market had to pivot very, very quickly.

[00:05:56] David Puner: So how has that expanding threat landscape over the last few years made obtaining or renewing cyber insurance more complicated or simpler? And how have high-profile incidents like SolarWinds and Log4j affected the cyber insurance market?

[00:06:12] Ruby Rai: I’ll address the first part, whether it’s simpler or not, it is definitely not as simple as procuring cyber insurance at, say, 2014 or 2015. Insurers, myself included, I have an insurance background as well. Our lens was definitely not as broad as it is now. Again, we were not necessarily looking for controls that we require now. Focus was also on when we were reviewing larger risks. Yes, we had more stringent requirements, but smaller to medium-sized organizations, those controls were not necessarily requested. In the last three years, I would say the expectation for most organizations to have minimum standards of cybersecurity or cyber hygiene is absolutely critical. So getting cyber insurance for small, medium, and pretty much every size of organization is a lot more complex process because now underwriters want to hear more. They want to understand more and not just controls, but governance and governance really dictates how an organization would proceed as a risk overall, but specifically speaking to SolarWinds, Log4j, or even because they, uh, in a silly on, there were some additional incidents or vulnerabilities that came to forefront. It really brought to forefront the impact or the collective impact of one incident or one technology provider, which was always at the back of our minds, right? As insurance industry specialists, you’re always worried about the what-ifs. You talk about, you speculate the connectedness of cyber as a risk, and we got to see what can potentially happen. And it gave pause to a lot of insurance providers. There was a lot of discussions on can cyber risk on an aggregated basis or can systemic cyber issues be addressed by insurance or not. And now where we are in 2024, two years later, there’s definitely a lot more comfort in addressing those systemic risks. Again, as long as an organization is able to demonstrate they are maintaining controls, they are not necessarily relying on one party. There are compensating controls, they can mitigate systemic issues effectively. So it’s more risk by risk offer of insurance.

[00:08:43] David Puner: So, despite the severity of attacks increasing and the frequency and sophistication increasing, based on what you’re saying, it seems like there is more of a stabilization of the industry.

[00:08:55] Ruby Rai: Yes, that’s the right word, and that’s what we’re aiming for. Our clients want a stabilized market. We want a stabilized market. We want the product to be sustainable, which means paying for multiple losses, incidents that we still see to this day. So yes, from a pricing perspective, from offerings perspective, a lot more stable than it was in, say, 2021.

[00:09:18] David Puner: Yet the average loss of a ransomware attack, I think off the top of my head, I could be wrong, is something like over 5 million. Is that right?

[00:09:28] Ruby Rai: It used to be. It’s definitely come down. So there’s good news on the horizon from a Canadian industry perspective. If we look at 2021, and perhaps even 2022, I will double-check my numbers, and these are reported on OSPI’s website. Listeners are more than welcome to go check it out. In 2021, Canadian cyber insurance markets, so capital providers in Canada for cyber, collected just over 200 million in premium. Or 220, um, and paid over 600 million in losses. So that wide spectrum or gap, rather, was very difficult to survive from. So a lot of insurance providers were struggling to make a profit, right? This was not a profitable line of insurance to be in. But again, you know, from a losses perspective, that has improved. So for example, because the quantum of loss has come down. So now an average, uh, cyber claim that we see can be two million, not five.

[00:10:38] David Puner: So…

[00:10:40] Ruby Rai: That has definitely helped. However, the frequency is still there. So we’re not seeing the big, the mega, mega losses, which go in excess of 20 million, 30 million, or 40 million. And in some cases, more than 70 million. Those are very far, or few in between. However, the frequency of like, the two millions, the one millions is still there.

[00:11:03] David Puner: All right, so seeing a positive trend while still sort of on the subject of Canada, you’re of course Canada based. How do regulations and laws differ between Canada and the U.S. in terms of cyber insurance?

[00:11:16] Ruby Rai: Again, most changes have been made in the last five to seven years, I would say, both at a federal level and in some cases at a provincial level. Some provinces like Quebec, Alberta definitely lead the pack in terms of changing and adapting or coming, you know, getting more closer to say GDPR or CCPA in terms of regulations. The key difference being fines and penalties. In Canada, the litigation environment is still not as high as say in other geographies like the U.S. So we still do not see a huge litigation environment. However, the class action trends are starting to take up a little bit more. But we are catching up. But definitely nothing in comparison to other geographies. Um, you know, our argument is and always has been that Canada as an insurance market is less litigious. So our insurance market pricing and offerings should reflect the same.

[00:12:16] David Puner: So then back to the, the broader questions here, what are the top challenges shaping today’s global cyber insurance market?

[00:12:25] Ruby Rai: I’m sure there are a lot, um, but let’s talk about, you know, one thing that you, you raised in terms of SolarWinds and Log4j. It’s the key technology providers. So specific solutions that all of us rely on and the inherent vulnerabilities that they come with or zero day attacks. I think that still continues to be top of mind of a lot of CISOs and CIOs because no matter how much investment is made in internal controls, the catch up or being, not being ahead of the curve in terms of handling zero-day vulnerabilities is something that a lot of organizations struggle with. Secondly, again, a controversial topic is nation-state attacks as the landscape continues to evolve. And, you know, you add in geopolitical environment to that, you have threat actors effectively and actively trying to utilize technology or cyber vulnerabilities or technology vulnerabilities as a threat mechanism, we’re going to see those lines blurred a little bit. What is considered an insurable business risk versus a geopolitical risk, which is not within the confines of insurance. You know, insurance is not here to cover war or nation-state attacks. So there is a little bit of nuance to how these threats will emerge and how long will the insurance industry continue to provide that coverage. As it currently stands, and that has been, you know, we’ve spent a lot of time making sure that the insurers are not taking too much of a punitive approach to this concept that has not yet been tested. So currently, you know, insurance policies are written to protect our clients through insurance and providing capital in the event there is.

[00:14:28] David Puner: Do the insurance providers ever seek your guidance? Do they ever bring you in on any conversations in order to determine how they’re going to evolve, how they’re going to change?

[00:14:39] Ruby Rai: Yeah, insurance industry as a whole is very collaborative. It’s a small industry. Our insurance trading partners globally, they will reach out to all insurance brokerages like Marsh and others and consult because we have our clients’ attention. We listen to our clients and we take that feedback to the insurance providers. And that includes clients’ concerns, um, making sure there are no gaps in insurance products. So again, there is a lot of collaboration and that collaboration actually, David, has been very visible in the last three years. One example being the underwriting process. Insurance industry, insurance providers, uh, brokers included, really increased the bar in how we protect our clients. Not only providing them insurance, but making sure they are addressing key gaps, which were the leading causes of this huge influx of cyber incidents. So what are the top 10, top 12 controls that we can guide our clients with? The goal is to prevent these losses and insurance industry really came to the forefront in creating that awareness, in some cases mandating that organizations implement now what we call basic cybersecurity hygiene.

[00:16:01] David Puner: And that’s a great segue into requirements. What are some of the key requirements that companies need to meet to obtain cyber insurance?

[00:16:10] Ruby Rai: It’s a long list, but let’s talk about the most key requirements. If you look at, simply speaking, we want to make sure that organization is protecting any access points. So starting with multi-factor authentication, privilege access management, who’s accessing your domain, not only internal or internal employees. But external external parties who have access to your system, you know, what are you deploying and point detection, your visibility into the threats, and then your capabilities to monitor and react to those threats. Again, are you handling it internally? Are you relying on third parties? And who are these that you’re giving access to? So these are some of, um, you know, absolute critical requirements to have, but then also patch management. So cadence again, as every organization or any InfoSec individual you speak with, patching cadence is not as easy as deploying the next patch that is available. There are thoughtful considerations that need to be made. So how an organization prioritizes those patches, the speed at which they deploy, and how integrated and collaborative are all stakeholders in making sure they’re prioritizing security, reflecting security by design principles, privacy by design principles. Those are all requirements that the insurance companies like to see organizations have.

[00:17:41] David Puner: So, how is a company’s risk profile determined? How do insurers assess a company’s security systems and practices when underwriting cyber insurance policies? Are they assessing their capabilities within those realms that you just laid out?

[00:17:57] Ruby Rai: Most insurance organizations have what you call an insurance application. Here at Marsh, we have our own proprietary solutions, uh, or tools. It is a cyber self-assessment, but geared to work from a mindset of insurance as opposed to an assessment, cyber assessment you would do as part of a SOC audit. It’s a very similar framework. However, it’s a little bit more granular or more focused towards meeting insurance requirements. The goal being that we have the right person completing those question sets. And it starts from the same philosophy governance. What is the focus top-down and how seriously an organization takes in terms of cybersecurity investments. And then it drills down to these key controls. So access management, everything related to internal and external third party due diligence. Legislations and adherence to legal requirements representation from different stakeholders, so it can go on and on. It’s pretty robust. It’s no longer set of 10 questions. Do you have XYZ and do you patch a, it’s not a yes or no anymore. If it’s an easy answer, like, yes, we have MFA or no, we don’t have MFA, but here’s what we have in lieu of MFA. So there’s potential of adding comments and, um, compensating controls a client has. So it’s a lot more involved. That’s one aspect, David. Another aspect is external scanning. Again, it’s not necessarily the be-all and end-all, but it does give a quick analysis of what is visible to, or what can be potentially visible to threat actors as well. So a lot of organization, insurance organizations will conduct external scanning. So they will utilize solutions like Insight Security Scorecard, etc. To have, I would say, the first check of an organization’s control. And in combination with an assessment.

[00:20:08] David Puner: How much are clients when they’re thinking in terms of losses and preventing losses, how much are they concerned with the obvious financial losses and then the other part of it, which is a little harder to quantify, which is, of course, reputational damage? Are they thinking about both of those things? Typically, when you start your conversations with them?

[00:20:30] Ruby Rai: It depends upon the organization, and I know it’s a classic example. It depends. It’s, I would say, now, as war boards and C-suites are aware of threats and just the visibility into just the threat landscape, the reputation is the driving force. And the reason why I say that, because most organizations, and many organizations, even to this day, struggle to understand the financial impact of a cyber incident. Of course, it depends upon the maturity of an organization. If they have assessed the impact of say a ransomware event or a system outage, or if one of their key security provider or software solution or technology provider was to be impacted by a cyber incident. They’ve talked about those scenarios, but to truly assess the impact on the balance sheet can be a question mark for many organizations. So yes, there is that fear or hypothetical scenarios of what-ifs, but the decision is typically driven by the reputational impact. So again, one of our challenge or tasks where the time where we spent with our clients is putting forth terms of numbers, because again, numbers speak for themselves. It helps them assess. Should we be even looking at insurance? Is it worth spending on insurance?

[00:22:05] David Puner: Have you seen any particular segment, let’s say SMB or enterprise, for instance, or industry struggle more than others to meet cyber insurance requirements? Or is it maybe struggle to communicate with insurers about what controls they have in place and their impact on mitigating risk?

[00:22:23] Ruby Rai: I’m going to speak from a Canadian perspective, and this might differ from different geographies, but here in Canada, public sector still continues to be a challenge from an insurance perspective, cyber insurance perspective. It’s unfortunate because we all rely on the public sector. And when I speak to the public sector, it includes at the province level, it could be even federal level, municipalities, education, healthcare, they’re all part of public sector. And just given the scale and controls, I’m not saying there aren’t controls, there are definitely good controls in place, but making sure they’re kept up to date, uh, the investment in cybersecurity tends to not be at the private sector, and then the staffing challenges, uh, so the talent challenge is still there, but just there across the board, but we do see it in the public sector more often. So that continues to be the difficult segment from an insurance perspective.

[00:23:21] David Puner: And when you say the talent aspect, you mean security practitioners?

[00:23:25] Ruby Rai: Yes.

[00:23:26] David Puner: How do we solve for that?

[00:23:28] Ruby Rai: I guess more investment in, uh, cybersecurity education or just making sure, um, those investments or staffing is prioritized at that level.

[00:23:39] David Puner: Long term. Do you have concerns over that challenge or do you feel like that’s something that’s going to resolve itself? I mean, it won’t resolve itself, but do you think it’s something that, uh, that we’re on the right trajectory at this point?

[00:23:50] Ruby Rai: Hopefully we can only wish for it, but we’re starting to see changes or more investment come that way. Just because of the nature of attacks and incidents, they’re pretty well known in terms of publicly known incidents in terms of cyber incidents across the public sector. So there is scrutiny and attention in that area. I believe it comes down to investment. It’s moving in the right direction, but I’m not sure if it’s there yet.

[00:24:18] David Puner: Are you finding that organizations are struggling in general to explain their future state of cybersecurity and risk like where they plan to be by the time the next policy renewal comes around?

[00:24:31] Ruby Rai: Not across the board, and this is an interesting dynamic of our industry.

[00:24:37] David Puner: Mm-hmm.

[00:24:37] Ruby Rai: From an insurance perspective, we typically deal with finance individuals, so like the CFOs and the treasury or the risk managers, right? They speak the insurance speak. They’re used to interacting with insurance organizations or underwriters and actuaries and so on and so forth. But here we bring in cybersecurity individuals, CISO, CIO, IT directors, we BFIT, InfoSec, and all of that. The interaction is very different and interesting. I think we’ve come a long way in terms of that collaboration. I started in this area almost 20 years ago and the shift has, it’s all positive. InfoSec individuals are key stakeholders and they are now a lot more collaborative than, say, 20 years ago. But, there is still not necessarily the meeting of minds in terms of how to communicate controls to the insurance and the same way how an insurance underwriter should ask for information when it comes to cybersecurity controls to an InfoSec individual. So it can’t always be yes and no, and if it’s a no, it should not be a negative reaction or a cross against an organization’s security culture. As an insurance broker, our role is to bring them together and translate our insureds or our clients’ controls in a manner that the underwriter understands and appreciates. So long answer to your question, are they working towards and, you know, are they able to? Yes, they can. And again, they need to partner with someone who understands what is more meaningful and what year over year, and they need to trust us too, right? If there’s a roadmap, 24-month roadmap or 18-month, you know, nothing is 12-month roadmap. Everything takes time, but making sure we are aware. It’s communicated to us so we can position the risk.

[00:26:38] David Puner: In such a fast-evolving area, how do audit teams gaining experience factor into the bar getting set higher each time organizations are up for renewal?

[00:26:49] Ruby Rai: You know, insurance underwriters see claims every day. They’re the ones who are paying for claims. There’s a lot of knowledge that comes with, you know, they know who the patient zero is or what happened or what lacked that led to that threat or incident or impact to the client. They also observe client’s reaction and behavior. They also observe the improvements post loss or post-incident acclimates. So there’s a lot of wealth of knowledge which should inform and which does. Most insurers learn from that and they’re able to evolve, make changes to the product that they’re offering, broaden it, hopefully, and also sort of find what type of questions they’re asking, right? If something is not relevant, take them out, ask more relevant questions.

[00:27:40] David Puner: Right. Because, you know, I think of a scenario where my car gets hit in the mall parking lot and the rear quarter panel is massively mangled. This is not exactly a hypothetical as you may be able to already tell. And the insurance adjuster comes to check it out. And they’ve seen this scenario a million and one times. So they know the exact drill. In the case of cyber insurance, everything in cyber is so quickly evolving and the landscape changes. I can’t imagine that there are two claims that are super similar. Is that kind of what this looks like?

[00:28:19] Ruby Rai: Very much so. Let’s take ransomware as an example. You can have a very sophisticated organization, uh, with, you know, what you would consider best-in-class security controls. And they have done the incident response planning. They have discussed ransomware tabletop exercises. And when a true or real incident happens, you will be surprised how quickly positions and stance can change just because of how we as humans react to an incident. So and then you can have a very small to medium-sized organization react completely different. There are a lot of surprises when incidents do happen. And also, yes, to your point, the https: otter. ai then a smaller one. So the footprint or the impact would be obviously it’s much larger than the small employee cost issue. So if there is a rogue insider issue, it could look very different from one to the other. The cost might be similar, but the impact is quite different from one organization to the other.

[00:29:34] David Puner: Yeah, and you really bring up an interesting point, which is, you’re obviously interacting with clients sometimes in their worst moments, so there’s got to be a, a psychology aspect to what you do. How do you and your team get involved with clients during crisis situations?

[00:29:51] Ruby Rai: Our involvements typically start pre-incident. Part of our responsibility is to make sure clients are fully aware of their obligations and the insurer company and the other party’s obligation in the event of an incident and making sure that they practice it, they understand it. Insurance being a legal contract, there are requirements that all parties need to follow. So, making sure that they are aware, but especially at the time of the incident, we advocate on behalf of our clients and their rights. So, making sure the insurance provider is aware of that. Keeping the promise, all of the promises that they made, which includes responding within hours or minutes of receiving an incident again, based on the nature of the incident, of course, and providing all of the assistance their breach coaches are doing what they need to do and be advocating on behalf of our clients. So our goal is not to impede any efforts just. Make sure all parties are aligned and the information flow is constant. And sometimes it’s hand holding. In terms of reactions, there can be a little bit of perception that the insurance organizations don’t want to pay losses.

[00:31:11] David Puner: Mm-hmm.

[00:31:12] Ruby Rai: Right. It’s far from the truth. That’s the reason why I shared loss ratios with you earlier. Insurance, especially cyber insurance, do you pay claims? And hence why we were in such a tough environment, great environment. The goal is to pay, but sometimes the ask for information can be considered too much, right?

[00:31:34] David Puner: Right.

[00:31:35] Ruby Rai: So again, helping clients go through their process, it’s totally okay. Insurance organizations ask questions to be able to pay.

[00:31:44] David Puner: So how does the level of understanding about cyber insurance vary among clients coming into the process with you and your team?

[00:31:51] Ruby Rai: It varies based on who the client is. So if they are a first-time cyber insurance buyer, they have never looked into it. They come with certain perceptions based on sometimes media headlines. Cyber insurance doesn’t pay. I’m not sure why I even need this product. I don’t know what it covers. And then, you know, on the other side, there are organizations who have been purchasing cyber insurance for the last 15-plus years, and they are more aware. They understand the product a little bit better. So again, varies. It also varies based on the industry. The non-traditional cyber insurance industry or buyers are, you know, manufacturing still catching up. You have mining, you have marine and cargo and logistics or transportation. So there are new industries that are now taking a look at cyber insurance because I can’t think of any industry that is not utilizing information technology in one shape or form. So there’s definitely, you know, they require a little bit more information and training to understand what the product really does.

[00:32:56] David Puner: Staying on the subject of the product itself, what does the coverage include? What are the varying coverages and how do you determine which clients need what?

[00:33:07] Ruby Rai: We want to make sure the client gets the broadest scope of coverage. So the product itself needs to be broad, but let’s look at it from two lenses. There’s a lens of privacy, and then there’s the lens of information technology. They’re interconnected, but they can also be independent of each other. So making sure, you know, say, for example, an organization might have only 10 employees. However, their IT footprint could be much bigger than 10 employees. So that client needs making sure that the insurance policy speaks to that. The privacy aspect will still be there, they might never need it, or rarely need it. And the same goes for a manufacturing organization. They definitely have a lot of operational technology. So making sure the insurance policy speaks to operation technology. Same with business interruption. So, you know, contingent. So making sure all of their third parties that they’re interacting with are contemplated in it. In the insurance policy as well. So it can change based on what the client does.

[00:34:15] David Puner: So then back to a subject near and dear to this podcast, Hark, which is identity and identities. How do third-party access and non-human identities factor into cyber insurance requirements?

[00:34:29] Ruby Rai: It’s one of the most critical aspects. Because from an insurance perspective, you can only assess what an organization ABC Co has internal controls. You can ask them. It’s like, Hey, are you mandating and asking your third parties that you’re interacting with to maintain controls, if not better than similar to yours, right? The lens is very limited. So how do you make sure that the organization that you’re bringing in third-party risk that is monitored to the same level? So that needs to be demonstrated. What solutions are they using? Which third-party solutions are they using? Are they best in class? Then you are relying on an external reputable product as opposed to the client’s internal control. And that is absolutely okay. Sometimes that is preferred because not every organization. Even the largest of the organization, you know, you’re not going to turn into a cybersecurity or a managed security provider at that time. You want to see an organization using a reputable product.

[00:35:40] David Puner: So then on that note, how can companies adopt an identity security approach to meet cyber insurance requirements?

[00:35:48] Ruby Rai: Start at the top or down, up security as a practice or security by design. The more the InfoSec team is brought into business discussions. So whether you’re creating a product, you’re launching in a new geography, or you’re giving up visibility, it’s like, hey, we have this contract and we’re doing an RFP and we’re gonna give this RFP to this vendor, and the IT or InfoSec leader is like, whoa, whoa, whoa. I haven’t done the check yet. I don’t know what they’ll be using. I haven’t deployed this in their environment. We need to have our own requirements in place and they need to follow this. So it really starts at the collaboration level or making sure those, those assessments or those procurement requirements are built into each and every contract. With a third party who’s being brought in and then, you know, whatever solution are best fit for the organization are implemented on the third party level as well.

[00:36:48] David Puner: As interviews often do toward the end, um, we’re going to break out the crystal ball here for a moment. Where do you think the cyber insurance market is headed over the next couple of years? What do you foresee the positives and the negatives being?

[00:37:02] Ruby Rai: You know, I would take a stable market over a soft market because our clients and organizations deserve a stable product. Because it is truly beneficial to help organizations recover from a sometimes a devastating financial impact when the operations are down, uh, when you’re not able to access your networks or environment and you have employees to pay contracts to fulfill, you know, which it’s to manufacture being able to have a financial backing that, you know, you’ll be up and running and you will be compensated for your losses. It’s a huge relief for many organizations. Some might not recover from large might, of course, it might reflect negatively to their investors. For many organizations, this is really needed in the future or like forward looking, again, this is not just my view, pretty much across the industry. We want more public-private partnership. Cyber insurance industry can’t only be the one. Taking on all of the risks, but we need that participation, especially in Canada, more collaboration, more funding, more grants, more awareness at each level. So whether it’s small business community entrepreneurs, um, making sure that they have the right tools to implement at the get-go. So the threats are further mitigated. So that kind of partnership is something that we’re hoping future will bring.

[00:38:34] David Puner: Looking one more time into the near future crystal, we’re recording this podcast episode mid-April on a Friday. We got the weekend right around the, uh, the bend. How are you able to separate your job from the weekend? Are you constantly, do you have like a bat phone and could it ring at any point on the weekend and, and how do you sort of separate yourself mentally from that?

[00:39:00] Ruby Rai: It can, especially on a long weekend, uh, we’re on high alert because everyone is in this, in this industry. No, there is a lot of exciting things happening, but yeah, I’m always able to take a break when we know our clients are well protected, right? Um, there is an entire ecosystem of professionals who take care of them, and it’s a big team that needs to come to our client’s aid. So I’m not worried on the weekends, typically, unless, unless it’s really out of hand, but, uh, typically it’s, it’s in the back.

[00:39:29] David Puner: Great. Well, everybody’s working for the weekend. I’ve heard, uh, at one point or another, I’m not, not sure where, um, actually I do think I’ve, nowhere I’ve heard it. Ruby Rai, thank you so much for coming on the Trust Issues. Really appreciate it. This is a really, really interesting subject. Thanks for helping us dive into it.

[00:39:45] Ruby Rai: Thank you, David. Thank you for having me. It was a pleasure.

[00:39:57] David Puner: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors, and don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And let’s see. Oh, oh yeah. Uh, drop us a line. If you feel so inclined, questions, comments, suggestions, which come to think of it are kind of like comments. Our email address is trustissues, all one word at See you next time.