In this insightful episode of On Location With Marco and Sean, recorded at InfoSecurity Europe 2024 in London, Sean Martin and Marco Ciappelli talk with Marcin Gajkowski and Michal Balwinski from Generali Poland about the evolving landscape of cyber insurance in Europe.
Guests:
Marcin Gajkowski, Head of Liability Underwriting Team, Generali Poland
On LinkedIn | https://www.linkedin.com/in/marcin-gajkowski-4a6685134/
Michal Balwinski, Senior Underwriter and Cyber Practice Leader, Generali Poland
On LinkedIn | https://www.linkedin.com/in/micha%C5%82-balwi%C5%84ski-136105197/
____________________________
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
Episode Notes
Exploring Cyber Insurance Nuances Across Europe with Generali Poland at InfoSecurity Europe 2024
Picture this: bustling conversations, gleaming booths, and thought-provoking sessions at InfoSecurity Europe 2024, held in the vibrant city of London. Amidst this atmosphere, Sean Martin and Marco Ciappelli of "On Location With Marco and Sean" invite listeners into a fascinating discussion focusing on the intricacies of cyber insurance within Europe. Joined by two brilliant minds from Generali Poland, Marcin Gajkowsky and Michal Balwinski, this episode immerses us into understanding cyber insurance and its varied landscape across the continent.
Setting the Scene: InfoSecurity Europe 2024
The episode kicks off with Marco and Sean's characteristically witty banter. They joked about their numerous travels and questioned their whereabouts, reflecting the lively and spontaneous spirit of live recording. They also introduce their esteemed guests, Marcin Gajkowsky and Michal Balwinski, from Generali Poland. The discussion's setting is none other than the renowned InfoSecurity Europe event, where cybersecurity professionals gather to forge connections and share innovative security solutions.
Understanding Cyber Insurance: Perspectives from Generali Poland
Marcin Gajkowsky, leading Generali Poland's Liability Team, opens up about his journey into cyber insurance. Despite his initial background in casualty and professional indemnity underwriting, Gajkowsky has grown passionate about the potential and challenges of cyber insurance, especially within Poland. With the deployment of their local cyber insurance policy in 2021, Generali Poland has committed to navigating and shaping this emerging market.
Michal Balwinski, a senior underwriter and cyber insurance practice leader at Generali Poland, delves further into the policies and market dynamics. He highlights the significant knowledge gap in Central and Eastern Europe, a relic of historical and geopolitical contexts. This awareness gap necessitates steps for thorough market education and awareness building, ensuring businesses understand and value the importance of cyber insurance.
Market Dynamics: Diversity Across Europe
Balwinski emphasizes the differing levels of cyber risk awareness across Europe. The UK, Western Europe, and the Mediterranean regions each present unique insurance needs and challenges based on their levels of digital sophistication and historical development. Poland's market reveals a stark contrast with larger enterprises adopting sophisticated vendor technologies akin to global banks, while smaller and mid-sized companies lag behind, often unaware of the essential benefits and protections cyber insurance provides.
Adapting to the Market: Educational and Technological Partnerships
Reflecting on the unique role of cyber insurance, the Generali Poland team outlines their approach to nurturing client relationships. They provide comprehensive risk assessments, engaging conversations, and tailored recommendations. True to their philosophy, Generali Poland extends beyond the role of mere policy provider, establishing themselves as committed partners in their clients' cybersecurity journeys.
One pivotal shift in insurance strategy involved offering additional prevention tools alongside policies, such as an anti-phishing package equipped with cutting-edge security kits. The goal is to bridge the evident gap in cyber preparedness among smaller enterprises, ensuring they have robust mitigation measures in place before a policy comes into effect.
Resilience and Ransomware: To Pay or Not to Pay?
A highlight of the discussion revolves around ransomware and the ethical and practical dilemmas associated with ransom payments. Marcin and Michal elucidate Generali Poland's firm stance against paying ransoms, except in extraordinary circumstances where lives are at stake. They stress that paying ransoms perpetuates the cycle of cybercrime funding and escalation. Instead, their approach focuses on bolstering clients' overall cyber resilience through comprehensive support, including 24/7 incident response services, business interruption coverage, and holistic risk management.
Conclusion: Building a Borderless Cyber-Aware Future
As the insightful conversation wraps up, Marco and Sean underscore the importance of cross-cultural exchange and the collective effort required to bolster cybersecurity awareness. They highlight the universal nature of cyber threats, transcending borders and demanding collaborative action.
This captivating episode serves as a testament to the power of open dialogue and education in fostering a more secure digital landscape. As we move forward, the lessons from Generali Poland's proactive approach to cyber insurance will undoubtedly resonate across the industry, setting a precedent for future advancements in the field.
Be sure to follow our Coverage Journey and subscribe to our podcasts!
____________________________
Follow our InfoSecurity Europe 2024 coverage: https://www.itspmagazine.com/infosecurity-europe-2024-infosec-london-cybersecurity-event-coverage
On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTcLEF2H9r2svIRrI1P4Qkr
Be sure to share and subscribe!
____________________________
Resources
Reducing Risk and Costs in a Rapidly Changing Cyber Insurance Landscape with Phishing-Resistant MFA: https://www.infosecurityeurope.com/en-gb/conference-programme/session-details.3783.218914.reducing-risk-and-costs-in-a-rapidly-changing-cyber-insurance-landscape-with-phishing_resistant-mfa.html
Learn more about InfoSecurity Europe 2024: https://itspm.ag/iseu24reg
____________________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast
Are you interested in sponsoring our event coverage with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Want to tell your Brand Story as part of our event coverage?
Learn More 👉 https://itspm.ag/evtcovbrf
Exploring Cyber Insurance Nuances Across Europe | An Infosecurity Europe 2024 Conversation with Marcin Gajkowski and Michal Balwinski from Generali Poland | On Location Coverage with Sean Martin and Marco Ciappelli
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00] Sean Martin: Here we are. Where? I don't know. I've lost track. I've lost track too. We were You said we were in France so many times that I feel I
[00:00:12] Marco Ciappelli: know, I have that joke. But, you know, this is not a video so I cannot make that joke. I can actually say whatever I want. People don't know where I am.
[00:00:22] Sean Martin: Do we make it to Poland this time?
[00:00:25] Marco Ciappelli: I would love to. I've never been there.
[00:00:27] Sean Martin: I've not been myself. Fun. Guess we'll bring Colin to us. Maybe our guests will have us for, uh, for a coffee and Yeah. And Poland some. I'm up for that. All right. So I'm, uh, thrilled to have, uh, Michael and Marcoff, uh, from, uh, generality Poland. Thank you guys for being here.
[00:00:42] Marcin Gajkowsky: Thank you for inviting us. Thank you for having us
[00:00:44] Sean Martin: and for, uh, and for, uh, hanging out while Marco and I be silly for a few moments. Uh, so in, in, uh, in all serious, since we're here at Info Security Europe in London. We're at the Excel and a lot of great conversations being had this week. And one stood out to me and I was grateful when the Generali team accepted the invitation to have a chat about cyber insurance.
And it's a topic that I've had conversations with folks primarily rooted in the U. S. And I'm interested to hear how things look here in Europe. So we're going to talk about the market. And the, uh, the security postures of organizations in, in the EU and how that relates to cyber insurance policies and coverage and premiums and all that stuff.
Before we do that though, mark, I, I wanna meet, uh, Marcon and Michael, so I wanna send a few words from you about your role, some of the things you've been up to.
[00:01:44] Marcin Gajkowsky: Uh, okay. So yeah, I'm marching Kovski from, uh, generally Poland. And, uh, currently, uh, I had, uh, so-called Liability Team, uh, which is. Which is a business units, uh, business units survey, uh, which covers, uh, casualty, uh, financial lines and cyber security.
I am insurance professional, actually, so I am not InfoSec, unfortunately, uh, I came from casualty and, um, uh, and professional identity. Underwriting. Uh, but, uh, I have devoted myself to cyber insurance recently, uh, because I realized, uh, that, that it is, uh, such an interesting area with, um, a lot of, um, promising opportunities in, in business, right?
So yeah, in, in 2021, uh, we, uh, we deployed our local, uh, cyber insurance policy. We branded it. Because it's a dominant color in the general e group. And yeah, we started cyber insurance there. That's great.
[00:02:56] Sean Martin: And before we move on to Michael, can I pause and maybe What's the biggest difference between indemnity insurance and cyber insurance, or other policies you've put together?
Is there something that stands out, that completely changes the game in how we look at things?
[00:03:15] Marcin Gajkowsky: Frankly speaking, there There's no, uh, huge differences. It works like any other commercial insurance for me. Uh, but, uh, the important issue, uh, is that What's especially in Polish market, which is still emerging when it comes to cyber insurance, is that if you, if you are dealing with casualty business, let's say, so our clients know what's going on with liability policy, why they need such a policy, but when we start dealing with cyber insurance, it's turned out that nobody knows what's going on.
And why they should spend some other, some, some, uh, some of money for, for the new kind of policy. Why I need that. So this is something interesting as well for me.
[00:04:05] Marco Ciappelli: Something that you cannot even touch. Right. That's, that's, that's the weirdness of cyber.
[00:04:10] Sean Martin: You can picture a flood. We're a car crash.
[00:04:14] Marco Ciappelli: Alright, let's go with Michael and then we dive in.
[00:04:18] Michael Balwinski: So, I'm Michael Balwinski. I work as senior underwriter and cyber insurance practice leader at Generali Poland. Uh, I am responsible both for the product, uh, like, uh, the policy wording or general terms and conditions, and the business side when we speak about the portfolio management, diversification, local risk, appetite, and even side projects like some additions to the policies.
Uh, we have, uh, so, um, mainly it's, um, my role to, uh, have the cyber insurance in general. I pull it working. Yeah. Yeah.
[00:04:57] Marco Ciappelli: So it's, it's a relatively new conversation. And what, what intrigues me being European myself is that when I'm in the U. S. sometimes like, yeah, you're European. It's like the same thing when You're American.
There's a lot of difference there. I mean, maybe in Europe there are more differences anyway, and, and different culture that we came together with the European community and we're still very, very different. And I would like to know from you guys what, uh, maybe what, what are the things that stand more, uh, in your mind?
When you talked about difference between certain part, like maybe the UK, where we are here now, which technically is not European anymore, but it is still Europe geographically, and another part, uh, eastern part of Europe versus maybe the Mediterranean area. So is there like some cultural that affect the way that people receive the concept of cyber risk and cyber insurance?
[00:05:59] Michael Balwinski: Yeah, I think I'll start with that, uh, because, uh, Europe is not one, uh, big united country, as, uh, you know, but we have also, uh, quite big diversification here. The UK insurance market and, um, awareness of cyber risk is different than Western continental Europe and, uh, Mediterranean area also When it comes to Central and Eastern Europe, we have much bigger knowledge gap than the Western countries because we were Just cut out from the culture and everything by the Iron Curtain so we still see the differences here and I think that Even if in whole Europe, uh, we still need to work on the market, to educate, to build the cyber awareness and cyber resilience, uh, in our region, it is, uh, even more, uh, important for, for now because we have bigger knowledge and like historical gap, yeah, in technology there.
[00:07:14] Marcin Gajkowsky: And, uh, yeah, our perspective, I mean, our as, uh, general representatives, general Poland representatives is, uh, a little bit, uh, unusual because, uh, uh, we target our, our policy to, uh, mid sized and smaller companies. So, when it comes to, let's say, big business in Poland, I believe that there is no difference between, uh, Poland, Europe, even United States, let's say banks, they have the same vendors like every one bank in the world probably when it comes to cyber security.
But when we start talking about mid sized companies or small business enterprises, yeah, so I believe that this is a huge difference.
[00:08:08] Sean Martin: Do you mean, Marcin, that they use local technologies? That may or may not be, or maybe not even local, but just different sets of technologies to protect their business?
That may or may not be as mature in their abilities?
[00:08:23] Marcin Gajkowsky: I believe this is the mental, mental, uh, as well. Or mindset. Yeah, mindset, uh, because, um, Yeah, it is, especially in insurance. More people are buying insurance in, let's say, UK, in Italy, in United States, than in Poland. So, the level of, um, how to say Insurance culture?
Yeah, not really, but, uh, not so many policies here in Poland. So, the same is in, in, um, in cyber, in cyber insurance.
[00:09:01] Sean Martin: Regulations? Or, or Standards, policies.
[00:09:05] Marcin Gajkowsky: Yeah. Uh, I, I believe that, uh, let's say the small companies don't think they need to ensure themselves.
[00:09:16] Marco Ciappelli: So it is a mindset. This is the mindset. It's a mindset.
[00:09:20] Marcin Gajkowsky: So, uh, the child, when we started with cyber insurance and started, uh, underwriting, um, okay. Alright, thanks. And, you know,
uh. The task of underwriting is to adequately evaluate the exposure companies face. Um, so we realize that, okay, those companies are not prepared enough. To have insurance, cyber insurance.
Because we treat cyber insurance as a last line of defense in effective risk management. But this is the only, this is the last line and it should not be the only line. So we expect from the companies to do something in terms of interception.
[00:10:12] Michael Balwinski: I think like on every, uh, insurance market, more or less, we have some minimal requirements that clients need to, uh, meet to just, uh, get the insurance offer, yeah.
When it comes to cyber, but sometimes we even, uh, encounter companies that don't have basic antivirus software, so it can be difficult.
[00:10:37] Marco Ciappelli: You know, it makes me What I was saying, Sean, I remember a conversation about cyber insurance at Pepperdine University, maybe, you know, six, seven years ago when the joke was Why do I need to buy cyber security?
I'll just buy the insurance right, so the last line, but That's maybe when the regulation needs to really step in
[00:11:01] Marcin Gajkowsky: We want to avoid this Exactly and so yeah, so I believe that it is a good idea to think about insurance as a proverbial cherry on the cake. Uh, so, which is, uh, yeah, the form of enhancement to already something good situation.
[00:11:18] Marco Ciappelli: Right. And it would also require, in order to cyberinsure a company, that they do have some layer. I mean, you do like an audit to see, before I give you an insurance, I need to know that you're doing at least something about it, right? Right.
[00:11:36] Michael Balwinski: Yeah, yeah. We're basing on some questionnaires we prepared. They are, uh, created with use of some international frameworks when it comes to, uh, cyber security.
Uh, and also we have some, our, uh, internal, uh, applications that help us even to check the public domain hygiene when it comes to our client and some other tools I can't speak about much but we try to see the risk that client has as a whole. As a whole picture and we think that the holistic approach to cyber risk and even giving our clients risk determined recommendations when we see a possibility to make something better, we just go that way.
We are not seeing us only as the policy provider, but a partner to our clients when we would like to openly speak about the risk. with them and just help them build better awareness and cyber resilience.
[00:12:49] Sean Martin: Yeah, and it's that, that partnership. I've seen, I've seen a lot of that in the, in the U. S. So less of a shift left, if you will.
I don't necessarily like that term, but, uh, anyway, it's not just an assessment of do you have, it's a conversation of how do we get to. Yeah, and I like the word partnership. Um, cause it helps understand, you have a conversation and helps understand where there might be gaps, where there might be a mindset, where there might be a culture difference.
And obviously all that stuff goes down to policy and control policy and actual technical controls that then lead to a posture that is insurable, right? Um, and that's just not a moment in time, so I think the partnership is interesting as well. And of course Because bad things happen, right? And you have to, uh, determine how the claim falls or, yeah, falls into place there.
So do you, do you do anything with respect to incident response preparedness and playbooks and runbooks and those types of things to help with the big picture?
[00:14:01] Marcin Gajkowsky: Yeah, actually, uh, we provide, uh, incident response to our clients, uh, because they usually don't have. Uh, they even don't think about to have some vendor or something like this.
So yeah, we, we, we have a, um, our local vendor who provides this, uh, this kind of service. So we are, yeah. Then clients will have the opportunity to call the hotline 24 7 365. They do not call to our office. The better, uh, the better way is to call to, to vendor, uh, incident response team, because it's quicker.
Uh, it might be in Friday afternoon. Right. Typically is. This is important part of our, of our, uh, of our coverage for policy.
[00:15:03] Marco Ciappelli: So, price. Why is the price of the cost, not price, the cost, even if I think by making a mistake and I said something I wanted to say, like an investment versus a cost, like in your future.
And we have this conversation many times when a small business get hit by a cyber accident, it may be the end of it, right? So to even show to your customers that you have. posture, a cyber security posture. You have cyber insurance as well. It should be a value added to, to what they do. Now, are we there when you have this conversation with, with your potential customer there, or you really have to educate from the beginning to, to even explain that there is a cyber security risk.
I
[00:15:57] Michael Balwinski: think that's the second option, especially when it comes to the smaller business. Some of mid sized companies are quite aware of the risk, uh, but when it comes to smaller business, uh, we need to build up knowledge from the beginning, yeah, from the fundaments. Uh, so, uh, also we're conducting some market trainings, not only for clients, but also for the insurance intermediaries like insurance brokers and agents that are, uh, selling, uh, this kind of, uh, insurance and consulting clients when it comes to the insurance needs.
So, um, we build up this cyber awareness from the beginning.
[00:16:41] Marco Ciappelli: So it's not that they cannot afford it. It's just data. They don't get it. They don't get the idea of it.
[00:16:49] Marcin Gajkowsky: Yeah, when we, as I mentioned, and it's still about this partnership, how to be lifetime partner, when we start with this CyberRats, and we discover what we discovered, we start discussion with me, how can we help our potential clients, and at the same time, how can we help ourselves.
So probably, for me, Um, it is uh, how to create the market actually.
[00:17:20] Sean Martin: Well you raise, you raise all the ships when you live, when you raise the water.
[00:17:24] Marcin Gajkowsky: Yeah, but uh, so uh, first we realized that maybe it would be better to offer some, uh, some other element, uh, element of prevention to our policy. Uh, not, not just only uh, insurance certificate, but something which is, which will be helpful.
And, uh, yeah, we, and we also should contribute in educating of the market, in education of the market. But, uh, the, the, the good news was that, uh, there are a lot of cyber, um, cyber security, uh, vendors, companies in Poland, and they are ready and happy to discuss with us. So we start this conversation. We start meeting with very interesting people.
So, yeah, that's why we, uh, now we, let's say, provide, uh, and it is, that's why we are here. We provide this, um, special, uh, offer to our clients who sign CyberRAT. Uh, we called it Anti Phishing Package. So the crux here is to offer, um, uh, is to provide to, to, to clients, um, Uh, cutting edge, uh, security, how security case.
Yeah. Uh, UB key. Um, yeah, at the, at the same time. Um, this, the education. So what I, what what I mentioned.
[00:18:49] Sean Martin: Yeah. So I want, in the last, uh, minute we have here, one of, one of the things that we've had a lot of conversation around this week is the idea of resiliency, right? And. The fact that ransomware is still very, very prevalent, right?
So we're trying to create a posture that's resilient, which is not just about privacy, protecting the integrity of data, but keeping systems and data available. And, and then ransomware is a kind of a thorn in the side of that, right? Where all, most controls will be in place and effective, but then there's this one place where The whole thing can blow up in the organization's face.
So I wanted your perspective on, um, I don't know if it's Poland's position or maybe the broader EU's position on whether ransom payments should be paid or not. Um, I think there's a, is there a law pending in the EU for, or is it the UK, sorry. Law pending in the UK for, for not to pay. But I don't know, any thoughts on that because.
If you look at, I don't know, maybe an ethical question as well, if you want to answer it in that regard. But, um, if it's a small business, they can go out of business unless they pay, perhaps. If it's a health issue, patient safety is in question. Is it the right thing to do to pay or not? I don't know if you have any thoughts, if Generali has a position, Poland has a position, whatever.
[00:20:29] Marcin Gajkowsky: I would say that our position is straightforward here. We are not going to pay a ransom with some small exceptions,
[00:20:39] Michael Balwinski: really small exceptions.
[00:20:42] Marcin Gajkowsky: Let's say that there is
[00:20:43] Michael Balwinski: a risk of the highest need to, uh,
[00:20:48] Marcin Gajkowsky: if somebody maybe is going to die or something like this,
[00:20:52] Marco Ciappelli: right. Risk of lives.
[00:20:53] Marcin Gajkowsky: Yeah. But, uh, we don't think it makes sense.
Uh, let's say some. Well known, uh, cases, uh, like, uh, Norsk Hydro, for instance, uh, for me, it's a very good example why companies should, uh, act when it's, uh, attacked by, by, by, by ransom. Uh, and on the other hand, we, we provide some, the part of coverage is, uh, business interruption, uh, so We deal with the same problem.
The company just, uh, stopped, is stopped, and not, uh, not working, uh, stopped working, uh, and there's, uh, uh, probably loss, uh, loss of income, uh, so, okay, we, we offer, uh, we offer
[00:21:47] Sean Martin: So regardless of cause, there's still some
[00:21:50] Michael Balwinski: Yeah, we're still helping our clients, but we are not into paying the ransom. And we also need to remember that paying the ransom just gives cyber criminals more money for more tools and more people to conduct more attacks.
[00:22:06] Marco Ciappelli: And this was the truth for any kind of ransom, even if before it was ransomware. Like, are you giving up? Are you giving the bad guys what they want and they keep doing it? It's kind of like That's, that's the same thing and I think we can go to the beginning of the conversation where we call it cyber, it is cyber, we can't touch it, but the consequences are real and and the policy, as you said before, Marcin, is you treat it as any other form of insurance.
The principle are the same. So I think that's the key. But we need to educate people, which is what we try to do all the time on ITSP magazine for the past 10 years. And I think being able to exchange this different perspective and culture it help us to educate even Even more people because I think it's important for the people listening to us in the U.
S. right now To know what's going on here as well as the people that may listening in other part of the world because in the end There is no boundaries where it comes to Cyber attack. So that's that's the big I don't know. That's what I'm getting the most from this actually this Conference
is that we need to be thinking without borders
[00:23:28] Sean Martin: Absolutely Strength in numbers.
Yep.
[00:23:32] Marcin Gajkowsky: Yeah. Alright. Very good. Let me add one thing. We also address this issue in this, uh, in this, uh, special offer because, uh, the anti phishing is, uh, as the name suggests, anti phishing and as you know, uh, ransomware very often starts from phishing, so, yeah, this is also our contribute to it. Yeah.
[00:23:56] Sean Martin: Absolutely. Alright. That's funny. I was going to ask that. Question that I was looking at the time because it's one thing to say sorry, no ransom payments allowed But without and you offered the one support for business continuity or business interruption But it all for me it all comes back to you Well, if you can't pay the ransom you better have an alternative in protection and preparedness To deal with it in a different way Backups and encryption and whatever else.
Yup. So, redundancy.
[00:24:24] Marco Ciappelli: Well, thank you so much for your time. I really enjoyed it. I learned a lot.
[00:24:28] Sean Martin: Pleasure meeting both of you.
[00:24:30] Marcin Gajkowsky: Thank you for this opportunity. It was an interesting conversation.
[00:24:34] Marco Ciappelli: Very cool. Likewise, and for everybody listening, we still have a couple of more conversations coming from InfoSecurity Europe and London.
On top of the many at this point, even more than what we thought we were going to have. So, stay tuned.
[00:24:48] Sean Martin: Maybe another recap from the sender.
[00:24:50] Marco Ciappelli: I don't think anybody wants to hear your honest anymore, but you'll get that too. Stay tuned.
[00:24:55] Sean Martin: Thanks everybody.