THEOS Cybernova - Rory Young: What Every Business Needs to Know About Cyber Insurance

Theos CyberNova Season 1 Episode 8

When a cyber incident occurs, can your cyber insurance policy come to the rescue?

In this episode of THEOS Cybernova, host Paul Jackson chats with Rory Young, Marsh Hong Kong Cyber Practice Leader, to uncover the realities of cyber insurance.

They discuss the differences between brokers and insurance carriers, highlight common oversights in the fine print, and explain why having a policy doesn’t guarantee full coverage.

In addition, Rory shares insights on the role of cyber insurance in incident response, financial protection, and business resilience. From navigating policy exclusions to strengthening cyber resilience before an attack, he also unveils expert advice on the key considerations in securing cyber insurance.

Tune in to learn how cyber insurance really works and how to maximize your coverage.

Production Credits:

Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio

Paul Jackson: 0:00

Wherever you are in the world, welcome to the Theos Cybernova podcast. My name is Paul Jackson, your host, and before we begin, I've got a quick favour to ask from you. There's one simple way that you can support our show, and that's by hitting that follow or subscribe button on the app that you're listening to the show on right now. It makes a huge difference in helping get the show out there to as many people as possible, so please give us a hand and click that button now. Thank you very much.

Rory: 0:38

The Theos Cybernova podcast hosted by Paul Jackson.

Paul Jackson: 0:42

So here we go with yet another fantastic episode of the Theos Cybernova podcast. I'm Paul Jackson and each week I'm digging into the latest trends, challenges and innovations shaping the cybersecurity landscape, as well as talking to a fantastic mix of leading industry experts, thought leaders, legal eagles and technologists, all with a particular focus on the Asia-Pacific region. So, whether you're a professional in the field or simply curious about staying safe in the digital age, we hope Theos Cybernova will offer up valuable knowledge and actionable insights for everyone. Today, I'm delighted to welcome Rory Young to the show. Rory is based in Hong Kong and is a prominent figure in the cyber insurance ecosystem. Rory, thanks for joining us today, and rather than me reading your bio, why don't you tell us a little bit about yourself, your professional journey and how you ended up in Hong Kong?

Rory: 1:42

Yeah, thanks, Paul, and I just wanted to start by saying I'm very excited to be on the podcast today. It is the first podcast I'm participating in. I'm a long-term listener, as it were, to many different podcasts, namely rugby and sport, etc. But I'm really pleased to be here. So, yeah, look, I'm Rory Young. I head up Marsh's Cyber Practice in Hong Kong.

Rory: 2:03

I started off my career around 10 years ago now, so I graduated from university. I didn't study anything to do with cyber whatsoever. I actually studied politics and international relations, and it's a bit of a weird journey really. I knew that I wanted to enter into, kind of, the London life: chuck a suit on every day in the morning, go into work. I was applying for a number of different jobs, and it just so happened that I basically found an insurance job that I got further down the line with in the interview process. I happened to play rugby with an individual that worked, or his brother actually worked, at the company, and I ended up randomly joining this cyber team at a company called Lockton, and since then I haven't really looked back. It's been, you know, two weeks.

Rory: 2:52

It took me to fall in love with the industry. It's very sociable. The actual work itself, from the risk management side and the sales side and the client piece, I think it's quite an exciting industry if you're not familiar with it at all. And from a cyber perspective I found that the cyber insurance market is a lot younger than, say, the marine industry, you'll find. So it didn't take long when you're in Lloyd's of London and you're sort of walking around from box to box and you're seeing that ecosystem of all the insurances that companies are buying go, you know, riveting away, and you know all the marine brokers have been doing that for 50 or 60 years potentially, and they're in the sort of twilight of their careers to some extent. And the cyber insurance market was a lot different. I feel like if you were a 20-something-year-old and you had three or four years' experience under your belt, actually you were becoming a bit more of a senior body in that world, and quite quickly you realized, or I realized, I was quite lucky to accidentally fall into it and really, really enjoy not just the actual solution that I'm involved with, being cyber, but actually the insurance industry as well, which is quite special. And at Lockton I worked as a Lloyd's of London broker. I was doing mostly US-domiciled business.

Rory: 4:11

It's a very, very popular kind of product to buy in the US for a number of reasons, and we'll get into that later on, and I put my hand up to do something a bit more retail-focused, directly in front of clients, and Lockton basically sort of said, look, go to Hong Kong. We don't really know much about that part of the world. We have all this business coming in from the US, but we don't have anything from Asia. We want to grow Australia as well, and that's really why I came out to Asia in the first place. It was an exploration from Lockton's perspective. The local office didn't necessarily have expertise in this area as well, so I was going in and being that subject matter expert, which was really well received, and since then I haven't left. A familiar story, right? Yeah, exactly, exactly.

Rory: 4:56

It is a familiar story. You know, that one or two years becomes a bit more, and I'm actually getting my PR in Hong Kong in a few months' time, which is exciting. But, yeah, I joined Marsh just over three years ago. But, yeah, a very, very similar role. It's leading a team in respect to cyber and technology and multimedia insurance businesses. But that really is kind of the crux of how I started off and why I'm in insurance, why I enjoy it and why I'm here today. Really, Fantastic.

Paul Jackson: 5:20

And look, you know, I know what you're saying about the insurance ecosystem being very social. Whenever I go to insurance-related events, I think NetDiligence is probably the pinnacle of this.

Rory: 5:32

It turns into one very big social event and there's a great sense of community amongst those who are involved, right? Yeah, definitely, I think, especially in London, if you think that there's only a handful of live trading floors that exist across any industry: you have the stock exchange, you have the metal exchange and then you have Lloyd's of London, and it does captivate a certain individual. It is very sociable, you're expected to be in front of people. It is about relationships, and I don't think many people, or maybe it's changing a little bit, are actively seeking to enter into this industry. I think it is changing a bit, but the characters you get tend to be quite similar. They are very sociable and, yeah, you do tend to find them probably staying a little bit later in the night than other sort of industry professionals you'd expect.

Paul Jackson: 6:20

Yeah, and it's great to have another rugby player on the show as well. We had Dickie Wong on an earlier show, who's a great rugby player, and yourself, who's obviously given a lot to that rugby community which is so strong in Hong Kong, and it's great to see. Yeah, yeah, no, I'm still playing.

Rory: 6:36

I'm not sure how many years I have left in me, but, yeah, no, I've played for 25 years consecutively, or something like this now, so it's something that's always going to be part of my life, I think.

Paul Jackson: 6:47

I've played many more years than that, so you've got a few more to go yet. All right, so let's start at the very beginning, because the insurance industry is often a little bit misunderstood. So let's start with some of the basics, right? The difference between a broker and a carrier. I mean, it may seem obvious to yourself, obviously, but to many, what are the key differences?

Rory: 7:10

Yeah, absolutely. I think the best way to look at this is an analogy that maybe people are more familiar with. So I tend to basically relate my role as to a real estate agent as a broker. So if you think that you're a first-time buyer of a house or you're looking to move house, you're not going to do that on your own right. You're going to hire, basically, a real estate agent. They're acting as the intermediary. They're listening to what you want, where you want to live, what size the house needs to be, and the house you can probably look at as the policy, the coverage that you're looking to get access to. You're giving a very broad understanding as to what specifications you want, what risks that you have, exposures you may be concerned with.

Rory: 7:49

And basically my role as that real estate agent, that real estate broker, is to give you advice as to which builder and what house that actually suits your organization, what's the best price, what are you looking for, what are the specifications. And that's really kind of the key roles in the insurance industry. That house and that builder, they're the insurer, they're the product, they're the ones that actually materially the thing that you're buying, and me, as the role of the broker. We're here to give you that expert advice, to tell you what makes sense, what's right for you. Is there a better deal on the table? Can I move next year all these types of questions, and so that's probably the best way to understand it.

Paul Jackson: 8:28

I would say that's a great analogy, thank you. But obviously the market has evolved, there's a lot of competition out there. So, Marsh, you know, as a company you offer value-adds, don't you really, to your clients, that go above and beyond finding the right insurance product or solution for them?

Rory: 8:45

I think it's difficult as a broker now to operate in a way in which you're just solely relying on price and a product and seeking out a solution from insurers. I think the insurers pride themselves on basically giving the same quotations and pricing to any broker. So, Marsh, yeah, we are the largest insurance broker in the world, but if you had a local broker or a smaller broker that you dealt with, actually you'd get the same quotes from the big insurers that you would get from us, and so how we differentiate ourselves is very much, I would say, the process in how you go about buying cyber insurance. We have a number of tools that help you actually understand how good you are at cyber risk. It starts with a self-assessment tool that we have. We put a lot of work and effort into understanding basically what the insurers focus on for their underwriting and giving you an insight as to what the outcome will be before you even go to the market. And this is a tool that, over a number of years, has been developed, and tens of thousands of clients at Marsh use this, and that really gives us a head start and a bit of a differentiator amongst our competitors by giving clients that kind of insight. And we couple that self-assessment with some of the analytics surrounding loss quantification as well.

Rory: 10:02

So, if you think, most clients that we deal with, especially in Asia, where cyber insurance, although it's a growing solution, is still purchased by not that many organizations or businesses compared to other lines of insurance, the question that they ask is, okay, well, how am I at risk? What is my risk? And we can kind of sit there and say, okay, well, we have this self-assessment tool. You go through this process. We're going to give you a really good insight as to how strong you are per the NIST framework. Give you a score. We're going to give you a traffic light as to these 12 key controls that we know all the insurers focus on.

Rory: 10:39

We know that you're going to have a good outcome, a bad outcome.

Rory: 10:40

We know areas that we can advise you to improve and that's going to have a positive impact on your perception from the insurers before we're even actually having these conversations, and, like I said, we then can use that data to kind of give you a rough idea, from a loss quantum perspective, how big the issue you have is when it comes to cyber risk. So is it a $5 million problem or is it a $50 million problem? And everything in between, from an average loss amount to a really catastrophic, you know, one-in-500-year event. And so that kind of process that we have and how we kind of deal with clients, I think, is our differentiator. It's, yes, you want to get the best quote, but really we're there giving you advice as to how to improve the quote, how to get the best from the market and how much limit you should be buying, and really kind of embedding ourselves, I would say, with your enterprise risk management strategy.

Paul Jackson: 11:29

Right. So I mean this is really well explained. And when you talk about cyber insurance, you mentioned that it's not as much uptake in cyber insurance compared to other more traditional lines of insurance. Are you seeing that change in our region? Are you seeing an uptick? Is it static? Is it dropping? I mean, what's the current situation regarding the Asia-Pacific region for cyber insurance?

Rory: 11:56

Yeah, there's definitely an uptick, and I was, you know, going to give you maybe an anecdote and then I can give you some stats. But I remember, even when I first moved here in 2018, lots of the conversations I was having with clients surrounded, okay, well, what literally is the policy, what does it do? How does the coverage actually work? And I think since then, you fast forward now seven years, and actually the questions that clients are now asking are, okay, well, how can I improve my coverage and is the limit appropriate for me? And it's a lot more technical, and so my observation just over that period has definitely changed, and that means that, in general, the actual buying community has grown a lot.

Rory: 12:38

From a statistics perspective, I know that Swiss Re did a study a couple of years ago and I think they cited that the actual premiums that were being placed in Asia were growing around 30% to 32% year on year from the mid-2010s to 2022. And so that's massive growth compared to some of the other areas of insurance that you might think about and I know the S&P I think last year they were speaking about APAC as a region being kind of the fastest growing market for cyber insurance. Globally, it still makes up only around 10%, maybe even less than that, but it is kind of the fastest growing and we can see 30% from a growth rate perspective in general, compared to other lines of insurance is kind of unheard of.

Paul Jackson: 13:23

Are there more carriers now entering our market as a result of that growth, or is it the same sort of players?

Rory: 13:29

Yeah, there is. I think there's a twofold explanation as to an increase in the insurer interest, I think, in this part of the world. I think it's carriers that have been present here, or certainly have been operating in Asia. They're certainly looking to enter into the market a bit more seriously, so they're the ones upgrading their policy wordings and investing in the underwriters and investing in the claims handlers, and they're actually looking to make a bit more of a serious play for market share. And then you are getting brand new insurers, MGAs, smaller insurers that are kind of entering in as well, and so that definitely has led to a position where, if you're an insurance buyer today, you've got a pretty good situation where the competition between all these insurers is quite rife and, as we know, when the capacity and the supply is there, you're going to get a pretty good deal, and that's what's happening with most of our clients today.

Paul Jackson: 14:24

Interesting, interesting. So let's talk about a few specifics around cyber insurance and how it works in terms of, well, say, you know, they have an incident, right? So firstly, let's talk about the whole process of what happens, right? Suddenly they've got a data breach. They're an insured company. What should they be doing? Because when we talk to clients, often they say, oh well, we don't really know, but the insurance company will handle it and, you know, if we get a breach, we'll just call the insurance company and it'll be sorted. I mean, that's kind of a fallacy, isn't it really? And how are you guiding your clients around this to be better prepared for an incident, rather than just saying, hey, I've got cyber insurance?

Rory: 15:03

Yeah, no, I've always sort of sat there, and you get a whole range of client maturity, right. You get some businesses that have designated cybersecurity teams and they're very used to putting together incident response plans and pulling together their senior management, and you sit there and go, actually, the policy won't be super active in terms of them responding to an incident. It's going to be designed to kind of pay for all the costs and expenses once they've actually, you know, arranged to sort the issue out and they've hired all the expert vendors and the forensic investigators, etc. And then the other end of the spectrum is clients that don't even have a codified incident response plan. I would say, you know, a cyber policy in some ways can act as a breach response service. It can be built in quite heavily in terms of the response that these clients can have. Each policy will have a designated breach coach. It will have a number. Typically this will be a law firm or an IT data incident response recovery firm, such as Theos. And once there's an incident, we really encourage the clients or businesses to get in contact with that individual, and that breach coach will then coordinate, depending on what experience that client is having from an incident perspective, what vendors need to be engaged.

Rory: 16:24

So if you're experiencing a ransomware attack, you're going to want to understand how that incident occurred. You're going to want to introduce an IT forensic investigation. That's really important. If you were to use the analogy of your house being broken into, the first thing you do is checking if that person is still there and how they're operating and what they're stealing, etc. And you're going to want to understand whether or not you need to engage a law firm if data has been stolen, or do you have notification requirements? Do you need to engage a specialist ransomware negotiator, even if it's a delay tactic? Are you thinking about paying a ransom?

Rory: 17:01

And the policy will look to pay for all of those costs, look to reimburse the business for those costs, but I think most importantly, it's about connecting them with those individuals. The policy will have the means for the business to go, okay, I'll call this number or email this individual, this business, and then that business will then help coordinate that response for all these different vendors that may possibly be needed for an incident, and then at the end our role as the broker is basically getting as much of that reimbursed by the insurance company as possible.

Rory: 17:32

So we go from representing an organization with buying. An incident occurs and then really it's outsourced service providers that are going to be assisting you with all these types of loss and costs and potential liabilities you're experiencing. And then thereafter we're getting involved again by saying, okay, let's take all these invoices, all these costs, all these damages that you may have experienced, and then we're going to help you go to the insurer and get that all reimbursed again. And that's kind of the rough workings on how a policy will react.

Paul Jackson: 18:03

So I think one of the biggest gaps that most companies don't realize is that actually you still need those legal protections in place. You know, when you have an incident, a lot of time is wasted during an incident with signing those legal contracts with the various vendors, such as ourselves, who are obviously incident response providers. And it's quite frustrating when I see companies that we've talked to and said, look, get that out of the way beforehand, have that as part of your incident response planning, find the vendors you want to use, get incident response retainers and sign the contract so that you don't have to waste time when your house is being burgled, to use your analogy, or your house is on fire. And that message is still hard to get through sometimes, because they just go, oh, we've got cyber insurance and they'll take care of it.

Rory: 18:50

It's honestly quite a big concern of mine. You know, we're getting through this stage, we're talking about this growth of the cyber insurance market and more clients are buying, and we're seeing this trend and it's not going to go. It's not going to change, I don't believe. And a concern is, you know, a client buys cyber insurance, expecting, as you mentioned, it to perform this role automatically, but they're not doing their homework and they're not doing the crisis preparedness, they're not doing any simulations, they're not engaging their senior management who, ultimately, will be making these decisions.

Rory: 19:19

And then the policy doesn't work as they think it would. And so, you know, we emphasize that with any policy that we're helping a client purchase, we're at least doing some sort of onboarding with the insurer's claims team. Typically, you know, the breach coach will be involved in that process. And then also, you know, we do also have cyber risk advisory, consulting capabilities that run these crisis simulations. I know that lots of companies will be doing this, and once that's actually occurred, then we're comfortable that we know the policy will react, because the client's going to be using it well, yeah.

Paul Jackson: 19:53

So the other issue is around deductibles, because those are becoming increasingly larger, to my understanding anyway, and when we've managed incidents, yes, there's always been major incidents which are going to cost huge amounts of money, for which the cyber insurance is important, but a lot of incidents we find, if we react quickly, we can actually put the fire out, to use the analogy again, within the cost of the deductible, so it wouldn't even touch the insurance. How are you guiding your companies in terms of having a plan B, if you like, for incidents that fall below the... I'm using the right terminology, aren't I, right?

Rory: 20:30

Spot on, absolutely: deductible, self-retention. Self-retention, yeah. It's actually a good point, Paul, because what we're actually seeing now is a bit more of a trend for insurers to be offering those types of costs for free within certain timeframes. So, you know, there's quite a few insurers now that, as part of a standard quotation or policy, they'll say, okay, well, the first 72 hours, 108 hours of an incident, any of the costs that you may spend through, you know, an IT forensic firm or a law firm, the insurer is just going to wear themselves.

Rory: 21:12

You don't have to worry about breaching that retention level. And they've got vested interests. They know that if you're a business and you've got a million dollars' worth of retention, you might be concerned about picking up the phone and engaging someone, and then actually it doesn't breach the retention and then you're on the hook for costs. So the insurers sit there and they go, actually, we're incentivized to make sure that clients are using the policy, are engaging these vendors, because the more help they get in that mitigation, those early stages, then the less likely it's going to be a big claim or a liability at the end of it. So you are seeing that trend become a lot more common these days, and it's a massive benefit to clients, right? You're not having to worry about a retention or a deductible, and you know you can get access to at least free advice for a certain timeframe, whether that's a law firm or an incident response forensic firm, whatever it may be, which is positive. Okay, yeah, and that's good to know.

Paul Jackson: 22:02

So what other things? So say you're a new purchaser now of cyber insurance and you're listening to this episode and you're going, well, I'm hearing all these sort of anecdotal stories online about, well, I had cyber insurance but it was identified as nation state or something and therefore it's a gotcha and they're not covering me anymore, or, you know, what are the kind of things? I mean, is that true, for starters, and what other kind of things should new purchasers of cyber insurance be looking out for as gotchas?

Rory: 22:34

Of course I'd love to sit here and say that there's no gotchas, but, you know, a good broker always helps, Paul, in this kind of situation, right? But, yeah, it's an interesting one. Like, you know, the state-backed, you know, war-type exclusion, that was an interesting one when it first came out, because there was a lot of attention, a lot of press that was saying, oh well, if it relates to a nation state causing a cyber incident, then cyber policies won't react. And it's not true, to begin with, and I think a lot of that related to the market trying to find its feet to define what a warlike act under a policy could actually be like. So, you know, this is off the back of the war in Ukraine, Ukraine and Russia, and all the insurers were concerned that in that situation commercial businesses in Ukraine were going to get caught up in the crossfire of a military action, and so it was quickly determined that that type of loss just simply was not sustainable to be insured by the capital markets of the cyber insurance world. And what was determined is that certain thresholds have to be met in order for that definition of war to be breached. It has to be physical war being used, it has to be breaching a certain threshold of severity. So we're talking about the whole nation state being shut down in terms of its infrastructure, hospitals, financial institutions, for it to kind of be falling into the category of a warlike act. But in reality, all of the state espionage, all of those kind of, you know, state-backed attacks that we are seeing clients face from, you know, a commercial perspective, they've always been covered, and I've never seen any issue from an insurance point of view or from a claim point of view of those, you know, suspicious links to a certain country having an issue being claimed. As long as it doesn't basically relate to genuine tanks running across the ground or infantry fighting a military battle, the actual espionage side can be covered.

Rory: 24:35

But to your point, I think, yeah, look, there's a few things. Ransomware, we spoke about a little bit. It is a prevalent claim that we see today. It still makes up, I would say, the lion's share of the claims that we witness, and it requires controls to be in place for clients to even qualify for insurance. And if you didn't get to that minimum requirement or that minimum standard, then restrictions in relation to ransomware would be in place. So co-insurance or sublimits, if you ever read those words or hear about a broker talking about those, they're basically bad. It's limiting you getting access to what could be the full policy limit, or you getting full access to your coverage, and that may still exist in some policies if insurers are looking to get away with keeping their kind of exposure in relation to that loss managed from a global perspective, and actually in reality today it should be pretty standard coverage.

Rory: 25:41

Things as well, I guess, to kind of keep an eye out for relate to common vulnerability timelines and patching. So some insurers will say, you know, a severe critical, you know, CVE that is 9.0 and above has to be fixed within 15 days, and if it's not, then that will impact you getting coverage, and that's something to just be aware of as a first-time buyer. And the same goes for end-of-life software. Some insurers may say, you know, unsupported software is not included. Or they might say, you know, if it's end-of-life software and you're not doing anything about it after 90 days when the vendor stops supporting it, then that could cause an issue.

Rory: 26:10

That's certainly something to keep an eye on. And the other one would be just potentially certain infrastructure failure. So there's some insurers now that are defining a kind of major cloud service interruption or outage as a definition that they would look to potentially add restrictions into their policies for as well. So if they were saying, you know, if Amazon Web Services was to go down for longer than 72 hours, then we would only pay 50% of the business interruption you would experience thereafter. So those are kind of, I would say, the major points.

Paul Jackson: 26:43

Okay, all very interesting points there. What about ransomware? So you touched on it just briefly there. Are insurers still covering the cost of the ransoms? I mean, and are there any, again, exclusions as to that kind of coverage?

Rory: 26:57

Yes, it's definitely got friendlier. So I spoke about this friendlier market condition that we're currently in. Insurers are definitely covering ransom and, as you'll be aware, Paul, there's kind of two major sections to a ransomware claim. Right, there's the cost to fix it, mitigate it, remediate it, circumnavigate it, restore backups, all those types of costs. There's never going to be any argument from the insurer's point of view as to that being covered under the policy.

Rory: 27:23

And then the second part of the insurance relates to the actual payment of the ransom itself. And you know, in Asia, or certainly in Hong Kong, there is coverage for this. So we don't witness or we don't see that necessarily as a super common coverage that is paid because actually most of the claims we see are fixed or circumnavigated or mitigated through the costs that you spend through a data forensic investigation or other cyber specialists, extortion specialists, etc. That being said, if a business turned around and had no choice and they had no backups and their business was failing and they were suffering, you know business interruption costs on a day-on-day basis and it was decided and agreed by all parties, including the insurer, absolutely the ransom could be paid as well and we have had clients pay quite significant ransoms in relation to that. It's just not that rare. Sorry, it's not that common. It's quite rare.

Paul Jackson: 28:15

Okay, so what's the, off the top of your head, what's the biggest ransom that you've seen paid?

Rory: 28:20

I think in Asia we've seen 5 to 6 million US dollars paid. I know elsewhere in the world it's certainly double digits, high tens, 20 mils in ransom being paid. Pretty punchy. It certainly is.

Paul Jackson: 28:34

Yeah, but I think, again, you made the point briefly earlier, and certainly coming at it from an incident response provider perspective, negotiating with the threat actors is actually quite an important component of the investigation because it delays things, it gives you breathing time, it allows us time to investigate, it allows us time to fix things without needing the payment, but it has to be done in a professional way.

Rory: 29:02

And again it comes back to the incident response planning, right, that you need to have the kind of connections with those professional negotiators who are able to convincingly communicate with the threat actors and, you know, facilitate that delay, which, again, you know, is beneficial to the victim. Yeah, no, I totally agree, and I think it's funny. You know, most businesses that we speak with, they'll have some sort of policy or agreement in reaction to dealing with ransomware, and they'll say to us, you know, we have an absolute certain not-paying-a-ransom policy, and that's what we say.

Rory: 29:41

But when push comes to shove, we've seen the same businesses turn around and be the quickest to actually try and get the ransom paid directly, and then it takes us as the broker, and certainly, you know, a company like yourselves, to actually go, okay, well, let's actually approach this logically, let's enter into the sort of negotiation stage, even if it's purely to delay. Let's get the proof of concept for the data that they say they hold on you. Let's see actually if they are, you know, legitimate companies in an accident, and go through that process. So I don't think many organizations, you know, you might think something and you might, you know, have a certain policy in place, but really, until, you know, you are faced with it and your business is being interrupted and your back's against the wall, do you really kind of understand how much help you need? And you are going to need that help, really. Definitely.

Paul Jackson: 30:30

So one last question for you around the insurance side of things, and switching things around, really, because obviously, as a buyer of insurance, you want to make sure that you trust your carrier and that they are properly, you know, walking the walk, so to speak, and I know the Insurance Authority in Hong Kong, which is obviously where we're both based, has brought out another update to their GL20 recently, which applies to the insurance industry and their cybersecurity standards. Do you want to just briefly elaborate on what that means for the insurance carriers?

Rory: 31:03

Yeah, absolutely.

Rory: 31:04

I think the long and short of it is that the insurers that are authorized in Hong Kong are being made to align themselves much more closely with the other financial institutions and how they operate under the HKMA, which kind of makes sense, right, if you think about the way in which they operate and the premiums and money et cetera that are involved.

Rory: 31:22

But the insurers, at the end of last year, they've basically been asked to commit to inherent maturity assessments and risk assessments, and they're submitting it now to the IA, and basically, with this agreed inherent risk that they face, there'll be certain obligations that these insurers will need to kind of jump through in terms of satisfying their cybersecurity maturity, and that could be anything from only having to do yearly assessments internally, to external audits, to actual threat-based simulation attacks.

Rory: 31:55

But it's a positive step. I think lots of the insurers, from my perspective, they're looking to grow their market share in cyber insurance. Yet they haven't necessarily had to abide by, like you said, any of the regulations, or abide by these standards the Insurance Authority has taken, and it's funny, we're now getting quite a few inquiries from local insurers and reinsurers in Hong Kong to talk about cyber insurance for the first time. So I think the biggest shift has been these insurers are now having to put their own frameworks together and their own governance. They're concerned about the incident response and recovery. They know that cyber insurance can help with those costs, all the compliance and reporting that didn't exist before.

Paul Jackson: 32:44

They're now facing that type of risk, and so they're coming to us and we're kind of helping them actually buy a product, potentially for the first time. Well, I think that's probably going to give a lot of comfort to the chief information security officers who have to go through all the pain of providing all the information to get cyber insurance, to now know that they are feeling the same sort of pain at the other side of the table.

Paul Jackson: 33:08

So that's all good, all right. So, look, if anyone listening wants to know more about the cyber insurance market, there's no better person to talk to than Rory, and I'm sure you'd be very open to having chats with anybody who's listening, and, you know, you'd welcome any outreach to explain more, or in more depth, about any concerns that anybody may have about obtaining or getting better deals on cyber insurance. I always close these podcasts with a question, and it's around music, because I always love to know what the experts I get on this show are actually listening to, because it's my way of unwinding. I'm a big vinyl guy, I'm an old guy, right, so I love vinyl records, and it's my way of sort of relaxing from what is a very stressful sort of job that we have, and I always like to know what my guests are listening to currently. What are you listening to, Rory?

Rory: 34:00

I'm listening to a lot of London Grammar at the moment, so I don't know. They're really ticking the box in terms of, certainly, on the commute on the way to work. It's a bit deeper, a bit more soul. They've got a few songs that are punchier, but certainly I love that kind of female vocal over a bit of chord, and that's really kind of, like, yeah, satisfying my music needs at the moment. Brilliant.

Paul Jackson: 34:26

I've been listening to London Grammar as well, so that took me by surprise. I was expecting you to be a kind of Jay-Z man or something like that, but, you know, Dizzee Rascal. There you go. Look, Rory.

Paul Jackson: 34:39

It's been a real pleasure having you on the show, and thank you so much for taking the time to explain about the insurance ecosystem, which I know is a huge challenge for many of our listeners out there. Thank you very much. Thank you, Paul. Thank you. So, Theos Cybernova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D'Monte, the executive producers were myself and Ian Carless, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.

Rory: 35:15

The Theos Cybernova Podcast.
