Why every business needs an Active approach to Cyber Security

Why every business needs an Active approach to Cyber Security

** The text within this document has been auto-generated from the original recording and therefore may contain small inaccuracies **

Marc Harris – BusinessTV
Tom, thank you. Thank you very much for joining us on business TV today. Nice to see you.

Tom Draper – Coalition
Nice to see you too, sir. Appreciate it. Thank you.

Marc Harris – BusinessTV
Tom, let’s let’s sort of dive right into it. Cybersecurity and cyber attacks, they’re terms that we’re all very familiar with. I mean, you can’t pick up the papers without without seeing some story about something like that happening, but they’re quite nebulous terms as well. So perhaps I could ask you to start by giving us some real world specific examples of what a cyber attack or a cyber breach might look like. And probably also, I think it would be helpful if you could give us sort of an idea, the sort of real impact that these attacks are having on businesses.

Tom Draper – Coalition
Certainly. Well, why don’t I give you three examples that we’re supporting customers with this week. So best example number one and most common one we see from a concerned perspective from a C-suite level concern is ransomware. Threat actors taking over your system, you are unable to trade, you’re unable to support your customers and generate revenue for your business.

We’ve been supporting a 11 million pound revenue real estate development firm who suffered a ransomware event this week and this was cyber criminals exploiting a vulnerability in one of their IT providers. So when the question asked, you know, why are they targeting me? Why are they targeting such a small firm? They’re not. They’re targeting the vulnerability and the weakness. So we’ve been supporting that firm in terms of getting back up and running, forensic vendors and team supporting that. Second incident we’ve been supporting, type of incident we’ve been supporting this week is reliance on third parties. I think we all appreciated during COVID and lockdowns that every company is a digital company. You know, no one is just reliance on physical systems. You’re relying on your IT networks and third parties. Your office anywhere is a very common payroll and service provider here in the UK for a lot of SMEs. They suffered a ransomware event two weeks ago. That’s now impacting our clients. So we’re working with them to help rebuild their financial systems, access payroll, get their teams paid at the end of this month.

So a key concern for them. And lastly is probably the one that most of the viewers are familiar with, which is cybercrime. Threats against individuals, emails to CEOs or CFOs or finance teams attempting to take money either through fake invoices, pretending to be different vendors. So we’ve been supporting a CEO of a 115 million pound UK firm, trying to reclaim and claw back over a million pounds that he personally transferred to walk from what he thought was an email from his finance director. Wow.

Marc Harris – BusinessTV
Okay, and just to take you back to the ransomware example, when the ransomware attacks are being perpetrated, it does this mean then that the cyber attackers are actually asking for a payment to restore a system that they have deliberately corrupted. Is that how we’re using the word ransom?

Tom Draper – Coalition
Exactly. So you literally come in in the morning, your systems won’t be working and what instead will pop up will be a demand for funds. And this is generally paid in a form of cryptocurrency. And as a consequence, it is disruptive to the firm, none of the systems can work. And the teams and the security teams will probably be badly impacted by this.

So the threat actors would have been in the systems for a number of weeks, which means they probably corrupted also the backups. And our roles help step in, help facilitate and restore.

Marc Harris – BusinessTV
When you were referring earlier to, for example, an individual director who’s received an email from somebody that thought an internal contact, and then they’ve erroneously transferred funds, is that not a matter for the police, Tom? Would a company director not be writing, thinking, okay, this has happened, this is a fraud against my business, I’ll call the police, and I will be insulated from this in some way, providing that there’s evidence that, of course, that a crime has been committed.

Tom Draper – Coalition
It’s a good question. And it’s a logical concern for a business to think that I think in reality, and that there isn’t the government resource here in the UK to support smaller middle sized enterprise of businesses with this type of risk and with this reaction.

It’s one of the reasons why coalition was founded back in 2018 is because we recognize in the US there was no capability from the federal government to support small businesses. And again, if you look at UK firm having event, the police really are not set up to reclaim these funds at a global level, to be honest, most of the bank struggle, because you’re asking them to do a very new process, you know, most banks are set up to transfer funds at speed, that’s what they’re focused on. So the idea of getting the funds back or stopping it is a real challenge for them. The other aspect, I think is a view that you know, if you have a ransomware event, there’ll be support from the NCSC, the GCHQ, the various entities here in the UK who are responsible for helping protect UK PLC. Again, they don’t have the bandwidth to support SMEs when it comes to this type of event. And that’s very much the role of it of us insurance companies, you know, we’re providing scale to not only internal teams, but also critical infrastructure providers and the government as well.

Marc Harris – BusinessTV
The domino effect of suppliers to the business, their business being interrupted and how that can affect and you gave the example of payroll.

But are there, are there, would there be any types of businesses that are more vulnerable to cyber attacks than others or is it a mixed bag Tom.

Tom Draper – Coalition
It’s very much a mixed bag because the way the cyber criminals focus on organizations is by attacking vulnerabilities. So these are known weaknesses in software or hardware that a firm operates, as he said, a third party of firm on their behalf operates, and they’ve simply been exploited at scale by these attackers.

So we don’t really see a, we see certain industries impacted more from a revenue perspective. Understandably, if you’re heavily reliant on your systems from generating revenue, e-trading, retail commerce, hospitality, even professional services, you will have a far bigger impact than a firm that isn’t so reliant and can do manual workarounds, but it will impact all entities.

Marc Harris – BusinessTV
Coalition of a very established cyber security provider you obviously origins in the in the States, what sort of differences have you seen materialized in across this landscape since you launched in the UK in 2022, I believe. Yes, we launched.

Tom Draper – Coalition
The US back in 2017-2018. We launched here in the UK in 2022 supporting UK SMEs and UK firms. I think the biggest change we’ve seen has been the fact that cyber crimes continue to increase. Despite the actions of a number of law enforcement agencies attacking some of these groups, the threat actors continue and the level of revenue these teams generate is rarely consistent.

They continue to attack and do so. I think the specific thing that we’ve seen about British firms compared to say our US clients we look after. British firms actually have a very good baseline level of security. It’s something people are aware of, but I think one of the challenges we do see is there’s lack of ownership. Compared to the US where individuals within an organization are put in responsibility positions for IT security, we generally don’t see that in smaller and mid-sized firms here in the UK. It all gets lumped into IT or operations. As a consequence, there’s a real challenge when an incident happens about who should take ownership, who should react, who should run. That generally then defaults back to either the managing director, the owner, the CEO, whoever is the most senior person for doing so. you

Marc Harris – BusinessTV
Perhaps there’s also a degree of reluctance for people to stick their hands up for ownership, especially when something goes wrong.

Tom Draper – Coalition
I think that’s very true. especially I think also from an education level. I think it’s something that we are seeing, especially directors become more aware of doing their own cybersecurity training and entities like the Institute of Directors run very good courses in this. But again, it’s something that’s distracting from the day job.

Marc Harris – BusinessTV
So one of the reasons, Tom, that we were so keen to speak with you is that coalition have quite a different approach to cybersecurity insurance than perhaps a lot of the other players out in the market. Your approach is very much preventative as opposed to putting a plaster over things when everything goes wrong.

And you’ve actually coined a sort of a term which you call active insurance. So can you tell us a little bit more about that and how it works and how that differs from sort of a traditional approach to cybersecurity insurance? Yes, certainly.

Tom Draper – Coalition
So our approach started from, a number of our founding members came from the cybersecurity world. And as they looked at cyber insurance, it was a real useful mechanism to help firms improve themselves, establish a baseline of maturity, bring enterprise-level security to firms who couldn’t afford it, but then also cover the downside, help protect them and get them back up and running if there was an event and if there was an incident.

The approach that we take is very similar to what the attackers do. We look at a firm, we look for their vulnerabilities and then we work with them to get them better. So when we see an account, we run it through our control platform. This is our vulnerability assessment, but also our underwriting engine. And it enables us to see what the threat act to see. It enables us to see how they would attack you, the vulnerabilities, what doors are open, those types of concerns. And then we tell a client that you’re a great risk, we’d love to write you here as a great price. Or more importantly, we’d love to write you, but actually here’s three or four things you should really do to mitigate the chance of an event happening. Because from our experience, and we run a lot of analysis on this, there are a lot of critical vulnerabilities, maybe 155,000 critical vulnerabilities on systems that exist, but not all of them being exploited by the threat actors. So instead, we’re looking around going look, what are the current attacks? What methods are they using? And therefore, how can we close the doors are most impactful? How can we help firms get more secure? So from our perspective, we’re helping making firms more secure. We alert them during the policy period, if they become unsecure or something changes, there’s a new attack vector, new group of criminals using a different method. And we then reach out and help them mitigate and stop these attacks. So for us, it’s very much a, it’s a very holistic approach to this. We’re very aligned, we’re an insurance company, which means that ultimately if there’s a loss, we’re paying, so we want to help mitigate that. So that’s the work that we do upfront, and we’re very much aligned on those goals.

Marc Harris – BusinessTV
Explain how that actually works from the perspective of maybe somebody within the company who’s bringing in your services and what they need to do to help to facilitate your you being able to do your job and just just just just the sort of nuts and bolts of it.

Tom Draper – Coalition
From an internal perspective, it’s very light because ultimately we’re looking at all the external IT, internet facing IT assets and their ecosystem and infrastructure they have. So actually we’re not really talking to the internal at that perspective.

However, what it does enable is it does enable the internal teams to see what we see. So we provide access to our control platform. We sell this as a commercial SaaS product to federal governments, large institutions but we provide it for free to our policy holders whether they’re paying six, two pounds or they’re paying full premium. And what enables the individuals to see is what we see, but also what the threat actors are seeing and what the cyber criminals are seeing. So this is a scan that we run nearly every 30 days. We pretty much map the entire internet infrastructure, every IPV4 address, which means we also get to see clients who aren’t ours. So we get to see other teams that have been impacted what the threat actors are going after and the impacts that’s having. So we’re not just seeing our own data and the information we have on our nearly a hundred thousand policy holders. We’re also seeing the information on the rest of the internet that’s been impacted as well. So from an internal perspective, very often that needs to be done. We provide that as a sort of portal that for the client to log in on and they can see what we see and what the threat actors see.

Marc Harris – BusinessTV
Essentially the system is making a recommendation to the chief information officer or the IT director whatever we want to call that person within the company and then it’s incumbent upon them to go away and do that. Is that how it works and then if they don’t do that then.

So how to how to how to get I don’t know if you could just talk us through that the purpose of it. Yeah, yes, I

Tom Draper – Coalition
So, again, I think probably one of the aspects we have is we do mirror our platform with humans. So, we make sure that we have our security support center to support prospects and clients. Most of the recommendations we’re making are recommendations the team are aware of. It’s just it needs to move out the priority list. Every IT team knows they need to be making these changes. Everyone’s got finance restrictions, everyone’s got headcount restrictions, and everyone has time restrictions.

So, where they’re going, guys, our view is that these will lead to an economic loss. This will lead to a claim, this will lead to a business impact, and as a consequence, it should be moved out your priority list. But yeah, we have our own internal security support center. They’re there to help the clients remediate. But generally, we are also engaging with the outsourced IT provider, managed service partner, managed service provider, and we very much invite them into the conversation. They’re able to see what we can see. They become a true partner of ours in this process. But yeah, we do help clients through not only before they bind and get an insurance policy with us, if here are steps you should take before you inspect with us, but also during a policy period, if we become aware of something, our team reaches out and helps them remediate.

Marc Harris – BusinessTV
How can directors ensure they maximise the use of the policies that they’re shelling out for?

Tom Draper – Coalition
A cyber insurance policy at a base level is rather broad from itself. And I talked about the previous scenarios. We also provide wider coverage to cover other events. Again, our website talks more about what coverage is available.

I think the two main things to look at when anybody is considering an insurance policy is one, what’s the intent? It is not a bad things have happened on the computer policy. And that’s an important thing for a member. If one of your team members is sexually harassing another team member via the internal emails, that is still an employment problem. If you have all your servers stolen or all your laptops stolen, that is still a property problem. So cyber insurance policy is there to pick up the three areas I kind of mentioned at the very beginning.

Ransomware, privacy claims, third party concerns, and the crime concern. But I think the number one reason why there may be a challenge with cyber insurance policies, a lot of our peers have conditions. They have security warranty conditions hidden within the policy or embedded within the policy, which say, you know, you must adhere to the following. It’s not an approach we take, but it’s definitely one that a number of the peers in the market do. And the second aspect is pretty much all the policies provide instant response assistance. There will be a hotline number, there’ll be a claims team there to support you. We run that internally 24 seven hotline with our legal team ready support, supported by forensic team. A key part of the policy is dial the number. And I’d highly suggest that you dial the number, even if you don’t know. And that’s something we always emphasize to our clients, please just talk to us. If it looks suspicious, you’re not sure what’s happened, please just talk to us and we can talk about it. It won’t cost you anything. It just enables everyone to have peace of mind. So that’s probably the main thing I’d focus on is making sure you follow the terms condition of the policy by dialing the number and talking to the team.

Marc Harris – BusinessTV
What would you say there therefore then to a company director who might be thinking to themselves which I you know I can understand why people might think this look I’m I’m just too small of a firm but nobody’s nobody’s really going to bother with me or and indeed I don’t really have any you know sort of digital assets that anybody can take from me or disrupt materially so I’m not particularly fast and therefore perhaps you know it’s not a priority for me what what would you say to company directors of that mindset because I guess it’s going to be few of those yeah certainly

Tom Draper – Coalition
And also, we’re very conscious of the fact that people buy insurance very different ways. Some people buy it directly from insurers, buy a packaged product.

So we’re a standalone cyber market that provides a cyber insurance product. But the aspect I would say is that we start very small. Our definition of zero revenue is zero revenue. The smallest policy we sell here in the UK is 60 pounds, 25K of limit. You get full access to control. You get full access to our 24-7 instant response number. And indeed, a two-man law firm bought a policy on a Friday, dialed the number on a Monday because they needed help. So I think for us when it comes to the smaller end, the aspect I’d also say is that they’re less resilient. They’ve got less team members to support the event of an incident. There’s less resource to be distracted. You are the client facing as well as the fact you’re the internal resource. So you do need help at that very beginning.

In terms of the attacks, I very much agree they’re not going to be targeting you. They said they’re targeting the vulnerabilities and they’re seeing who they hit. It’s really the equivalent of the Nigerian Prince email wanting to transfer money. It’s that type of spread approach. But one of the aspects I would say to me is the crime side. Everyone is handling client funds. Everyone is handling invoices. Everyone is making payroll. For those to go missing at certain times of the month, that is business critical. And also more importantly, severely impacts your employees and yourself as an owner. Those two aspects for me.

Marc Harris – BusinessTV
Of course, the smaller the business, the more the emphasis is on the owners of the company to sort the problem out once it occurs. And of course, then that’s downtime that is very often precious time that company directors don’t have.

As organizations get much larger than obviously the idea is, is that there’s dedicated people internally to deal with these issues and doesn’t necessarily need to impact so greatly on all management time, but as the smaller the company, the more the key people in the business have to be involved. So that’s a very costly and time-consuming process in itself. And the other thing that you said that I just wanted to quickly pick up on or ask you about was you were talking about how you’re aware that obviously people buy insurance in different ways. And what I also wanted to ask you was a lot of people, I’m sure will believe that they already have a very robust cyber insurance security policy in place because they’re working with an existing insurance provider for the directors and officers, for example, liability insurance. And they have been told probably quite convincingly that they will, that they can have cyber insurance, security insurance is already written into a policy that they’re paying for. So what would you, again, what would you say to people in that position?

Tom Draper – Coalition
I think the start point is actually for smaller entities, so for sub, probably about 50 mil revenue is actually a very large, small to medium entity. Probably about less than 2% of UK companies buy cyber insurance at that level.

And part of that is due to education. Part of that is again, due to education, not only of themselves, but also their insurance partners, their brokers and their team levels. So the chance of actually having cyber coverage, as we described, to cover ransomware, crime, loss of information and loss of third party security teams and providers, is actually probably very low. If they do have an extension, that can be quite, can be common in some package policies. It will most likely be focused on the physical aspect, losing your laptops, getting them replaced. And if there are, you know, if there is a cyber bolt on or something like that, it won’t provide the wider services that we get for free. It won’t provide the assessment platform, it won’t provide the risk reduction, and it won’t provide our clawback capability, which is where we get the funds back from the banks when the criminals steal the cash. So it is, some of these are available, but as you can expect from bolt on products, they are generally not as effective as a standalone solution.

Marc Harris – BusinessTV
Another quick question I wanted to ask, because my viewers, I’ll get flack from them if I don’t just quickly ask you this question, because it’s something that you mentioned earlier, when you were talking about the example of a two-man law firm who’ve got a policy for £62, £62 I think you said, I’ve got to ask, is that £62 a month or £62 a year? I know it doesn’t matter when we’re splitting hairs, but I just thought I will ask because that’s…

Tom Draper – Coalition
For the year, right? So yeah, so I mean, we do very well at the best of the VSM level. And, you know, we support a number of parish councils, you’re talking five volunteers. And their biggest concern is limited data, but also the crime loss, right?

And sole traders teams like that, again, while they’re not reliant on systems, they run off their inbox, they do transfer money. And that for them, you know, it is their business, it is their pension is their livelihood. And so the ability to access our teams resources was driving that. So it is a very low start point.

Marc Harris – BusinessTV
I did an interview with a provider of trade credit insurance, which is completely different product of nothing to do with this but one of the things that that company made a big play of is that not only is one getting an insurance policy to guard against worst case scenarios but this ancillary benefits to having to be to be working with them, things like market intelligence and things like that. Is that the case with cybersecurity insurance I mean, aside from the obvious reasons of having it, are there additional benefits to working with with coalition.

Tom Draper – Coalition
Sales is almost a service supported by insurance. You know, we’re there to protect the downside if it does go wrong at the final end.

But yes, also within the control platform, we provide access to discounted security vendors, teams like that, software providers that we see having a material impact on our clients, and we provide the natural discount for those entities. There’s also wider education and other additional security services that we provide. So yeah, it’s very much the start point for improving clients’ maturity.

Marc Harris – BusinessTV
With medium-sized companies, very often, people who are running the company are not IT experts, unless that’s also their business, and so they’re going to have somebody who’s their IT guy, or IT girl, as it were, who’s kind of going to be responsible for making all these decisions and probably deciding to enlist your services. What sort of support can they expect from you?

Tom Draper – Coalition
Yeah, I mean, our role is to give them more speed, give them more pace, and give them more capacity to those individuals, whether that’s internal team people, as you’ve spoken about, or external team people as well. So whether I said whether that’s a managed service provider or IT security firm that the firm relies on.

I think the main aspect is we’re showing everybody in the chain what we can see and the concerns that we have and why, and explaining it in layperson language. The second aspect is we then pair that with our security engineering team. So they are there to understand why a firm has done something. So often we do find things that we’re like, that does look odd. You know, there’s something here that could potentially lead to something, but there’s a perfectly rational business explanation for why, and here is the reason for doing so. So in doing so, we’re actually empowering the CISO or IT director or the outsourced provider because they’re able to demonstrate clear value. The flip side of that is that we’re also able to provide guidance to that IT director or the managing director, the CEO, and we’re able to actually do a sense check where they have outsourced things. If they have provided things with third-party, they’re putting everything into a vendor, we, you know, our platform provides a bit of a check. Here’s a couple of areas of concern. You should ask them to rectify this, or they’re running very well. You’ve chosen a great vendor, very supportive of it. So our aim is to help give scale and give capacity to these teams who are very restricted in what they can do.

Marc Harris – BusinessTV
Funds that have been erroneously paid out when they shouldn’t have been perhaps clawing those funds back from the from the banks etc um other things like that that you might care to care to talk us through yeah certainly

Tom Draper – Coalition
I mean, this is why we sell an insurance product, because we recognize the potential is there for all the systems to fail. People click on things, people do what they shouldn’t do, people respond to different emails, but also there’s an entire ecosystem of cyber criminals making money out of this. So it’s very much their desire to make cash. That’s what they want to do.

They will get through if they want to get through. That’s why we sell an insurance product. That’s why we pay claims. That’s why we’re very proud of the fact. We pay claims that support our clients. A key aspect we have, though, is we want to mitigate and minimize the impact of the business. Our aim is to get the client back up and running with the least possible disruption, because not only does that help their business, it helps us from a client’s perspective.

So we start with, I said the hotline, 24-7. That’s run by a team here in the UK, but then also by colleagues in the US and Australia. So we provide round-the-clock coverage, follow the sun. This team will support and triage the client. That is an internal team. So they’re able to provide immediate guidance. And then they’re able to bring the correct resource for what’s needed. Have we suffered a ransomware event? Okay, well, let’s bring in the right ransomware team to support this and reduce the value of the ransom and work out what we need to do and whether rebuild it better. Have we lost money? Has funds been stolen, sent to European banks? Okay, well, let’s engage our clawback service, get our financial lawyers involved and get that money back within 36 hours, which we saw two weeks ago with one of our clients. So it really depends on what the incident is and the support that we provide.

But that is everything I said from a breach response council advising on legal obligations. If we need to talk to the ICO or other regulators, what should we say and what? If we need to do some form of forensics, we provide that guidance as well and we provide those forensics teams.

Marc Harris – BusinessTV
So I can see that there must be quite a lot of comfort in working with an outfit like yours, who have such an international component because of course cyber by its nature is a borderless event, isn’t it and crime so I suppose if monies need to be recovered and different banking institutions need to be contacted by yourselves I mean you do need that sort of physical or that international capability in order to bring your skills to bear there.

Tom Draper – Coalition
On that international comment. It’s a really interesting comment because the other aspect we see is, you know, criminals work to a certain time zone. And as a consequence, we can see attacks starting in Australia, for example, on the East Coast of Australia. And as our teams globally wake up, we’re seeing that our clients wake up and then being hit by those attacks as well.

So very much our aim is, you know, by the time the Australians have gone to bed, we’re stopping these attacks before it hits the US East Coast, for example. So it’s a very, yeah, it’s a very interesting international world.

Marc Harris – BusinessTV
So the viewers got an idea of, do I just pick up the phone, call Tom, or how does that work?

Tom Draper – Coalition
Yeah, so I said at UKFEM, we’ve got a strategic partnership with Allianz Global Insurance Company, so we work very closely with them. In terms of dealing, please talk to your broker about cyber insurance and coalition and they can route through to us.

But again, to your comment there, we work exclusively with brokers. So if an entity would like to get in touch with us, we can put them in the direction of some expert brokers that we work with who specialise in this area, but also understand very much the business operations.

Marc Harris – BusinessTV
Viewers you will find I’m not exactly sure in which format yet but you will find underneath this video within the supporting content which take you through to lots of deep links through to Coalition’s website etc you’ll find some information about there might be a list of brokers that you can travel to or what have you and we’ll kind of decide that after the interview but there’ll be some information below that you can take advantage of and finally Tom um anybody can go to your website and tap into um a free risk assessment report or a free trial of how all this works can’t they so they can actually see it working in in real time um can you can you just tell us quickly I mean we’ll link to that below as well but yeah just tell us quickly how that works

Tom Draper – Coalition
Certainly, so control dot coalition inc dot com gives you access to our control platform. So that’s a free version.

But you can either upgrade within the product or we can convert you to a policy holder at which point you get included for free. But you better see the full aspects, talk to our security team, see what we can see, look at the areas that we’re concerned about. And again, access the vendor discounts. So, yeah, very much very straightforward.

Marc Harris – BusinessTV
And how long is that for free for that?

Tom Draper – Coalition
It’s free for as long as you like. What you just won’t get is you won’t get the continuous scanning.

So that’s something we only provide to either paid customers or policy holders. You’ll get a one-time view of what we can see.

Marc Harris – BusinessTV
Well, that sounds that sounds like a great offer. And as I said, we’ll link to that below. So please go through and check that out.

Tom, thanks very much for taking us through how you work and this approach to this active approach to insurance, which really does seem to make a lot of sense with something like cyber. So thanks very much for joining us on business TV today and sharing, sharing your insights with us. Absolutely fascinating stuff. Thank you. Thank you very much for your time.

Tom Draper – Coalition
Really appreciate it.