re:Inforce 2023: A Look at the Cyber Insurance With AWS Ryan Orsi
Cyber attacks are on the rise, generating trillions of dollars in harm each year. The cybersecurity industry has an opportunity to stand up and grasp it.
Tech behemoth AWS and cyber insurance firms are combining forces, creating a unique blend of technical proficiency and risk management expertise. “It’s a supernova moment,” as Ryan Orsi, the Senior Manager of AWS’s Cloud Foundations Partner Service Acceleration, so poignantly phrased it in our recent chat during the annual re:Inforce event in Anaheim, California. A bold, paradigm-shifting moment that promises to make cyber insurance accessible to even the smallest of businesses. But can this seemingly indomitable duo truly redefine the cyber insurance industry? The answer, as it turns out, may just surprise you.
Redefining Cyber Insurance: An Industry in Flux
In the nascent stages of cyber insurance, it was the corporate Goliaths who reaped the benefits. In Ryan’s own words, the insurance acted as a protective barrier that was “popular” among larger enterprises, and it seemed for a while, that they had managed to obtain a silver bullet to guard against the looming spectre of cyber threats.
However, as the years wore on, this ‘solution’ began to trickle down to smaller businesses. The allure of cyber protection had broad appeal, and by 2017-2018, cyber insurance was becoming increasingly sought-after by smaller companies. It seemed, at least on the surface, to be a win-win situation. But beneath the veneer lay a harsh reality.
These smaller businesses, many of which lacked the in-house security personnel and staff of their larger counterparts, found themselves ill-equipped to deal with the complex world of cyber threats. According to Ryan, “The only issue there was smaller companies just maybe don’t have all the in-house security personnel and security staff.” Consequently, they became a veritable hunting ground for ransomware campaigns, particularly popular in 2018-2019.
This surge in cyber attacks led to an equally significant influx of insurance claims. And as the number of claims mounted, the insurance industry found itself at a crossroads. The fallout was predictable: insurers were forced to increase prices and decrease coverage limits. At the same time, they had to expand their questionnaires to assess the security posture of a company’s IT assets more comprehensively.
This burgeoning flux in the cyber insurance industry indicated a desperate need for a new, innovative approach. As Ryan points out, “And when we took a look at it in our partner organisation, we thought this is a moment where the industry needs a protocol, a framework.” The wheels for a significant industry overhaul were set in motion.
Bridging the Gap: The Need for a Protocol
The process of securing cyber insurance had become a burdensome endeavour, much like navigating a labyrinth of bureaucratic red tape. For businesses, it meant an arduous journey of dealing with an exhaustive list of forms and questionnaires, engaging in extensive self-attestations, and enduring a waiting period that often spanned weeks or even months.
“The typical way that cyber insurance works with our mutual customers is they have to assess the risk,” Ryan explained. This meant a deluge of questions ranging from firewall existence to endpoint antivirus and vulnerability management. For smaller companies, understanding and responding to these queries was nothing short of a Herculean task.
The cherry on the cake was the final outcome – after all the back-and-forth, the coverage often fell far short of their needs. As a result, businesses were forced to repeat this taxing process multiple times to cobble together the full coverage limit they desired.
This dire scenario didn’t escape the notice of AWS, a company known for its relentless customer obsession and innovative solutions. Seeing the need for a radical change, Ryan’s team at AWS drew an interesting parallel. They likened the lack of a common language in the cyber insurance industry to the pre-Internet era – a time before the TCP/IP protocol allowed for seamless networking.
Ryan elucidates, “This is a moment where the industry needs a protocol, a framework. It’s like before the internet existed before TCP/IP was a protocol. How would you network computers together without a common language, a technical language?” This was the spark that ignited the idea of a technical framework – a ‘protocol’ of sorts, aimed at bridging the gap between customers, AWS, and cyber insurance providers.
The AWS Framework: Making Waves in Cyber Insurance
The recent launch of the AWS Cyber Insurance Partners initiative signifies a landmark shift in the landscape of cyber insurance. Central to this new approach is a ground-breaking technical framework, designed with the explicit purpose of revolutionising the way risk is assessed.
This framework leverages the AWS security hub’s foundational security best practices standard, a comprehensive compilation of AWS security recommendations. “They’ve all been trained by those insurance partners on how to assess risk based off of the AWS security hub’s foundational security best practices standard,” says Ryan, underlining the enhanced effectiveness of risk evaluation.
The process is as simple as it is transformative. Customers can extract their security posture information into a file and present this to their cyber insurance partners – Resilience, Marsh, and Cowbell. The advent of a standardised framework for risk assessment has infused a newfound confidence among insurers, eliminating the ambiguity and doubt that once pervaded the process. “The insurance companies have a sense of higher confidence that the risk that they’re assessing based off of this standardised framework is accurate,” shares Ryan.
The result is nothing short of miraculous for businesses: instead of languishing for weeks or even months for a quote, they can now obtain one in just two business days.
A Supernova Moment: The Ripple Effect
Ryan’s vision of a supernova moment for the cyber insurance industry is being realised. The advent of the AWS Framework has created a ripple effect, setting off a chain of transformative changes.
It has paved the way for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) to step in and extend their expertise. These service providers can help businesses understand their security vulnerabilities and work towards addressing them effectively.
Ryan illustrates this with an example, “One of the security checks is about encryption of data at rest or data in motion. If the customer doesn’t have an encryption policy in place, that’s a great way for the insurance company… to help facilitate that.” Thus, the insurers can now point out areas of weakness, such as a lack of encryption policy, and businesses can lean on MSPs and MSSPs to implement the necessary improvements.
The supernova moment signals not just a transformation, but a broadening of horizons for the cyber insurance industry. This renewed synergy between AWS, insurers, businesses, and MSPs/MSSPs presents a more effective, streamlined approach to cyber risk management and insurance, ushering in a new era of collaboration and security.
