Is Your Business Secure? Exploring Cyber Insurance
I just finished recording with Joseph Cook, who is the technology and cybersecurity practice lead for the Arizona Group. Joseph actually just helped us with our insurance-specific requirements, from a GL and professional liability or E&O insurance as well as a cyber insurance policy. In the course of going through this and doing our renewal, it seemed like it'd be really interesting to expand this into a longer conversation about what they're seeing from an insurance standpoint with cybersecurity, and how cybersecurity, both from a technology standpoint as well as people and process controls, is impacting the business landscape. I love these kinds of conversations, really stepping outside of just the tech and getting into what the real business drivers and business impacts are. I really enjoyed this conversation, and I hope you do too.
Speaker 1:Hi. I'm Max Clark, founder and CEO of ITBroker.com. And on this Hacker Stack, I'm talking with Joseph Cook, who is an insurance consultant and actually practice lead for technology and cybersecurity with the Arizona Group. Joseph and I actually just went through an insurance review and renewal for ITBroker.com. And in the process of doing it, I twisted his arm to come and join me on a podcast here to talk about insurance, and specifically the cyber insurance, cybersecurity insurance landscape, how this impacts companies, and what we see, of course, in our cybersecurity practice of technologies and tools and yada yada yada.
Speaker 1:So I will say, Joseph, thank you for doing this. I've been looking forward to this for a little while because normally it's always, like, nerd-only-centric conversations. So to do something a little bit outside the box is great.
Speaker 2:Glad to be here. Thank you.
Speaker 1:So just for some background, you've been in insurance for a while. Can you just, like, give a quick CV and, you know, what you do, what technology and cybersecurity practice means for the Arizona Group?
Speaker 2:Sure. Yeah. So I've been in the industry for just about 10 years now. I started my career at an alphabet house, at a very large firm, right out of college.
Speaker 2:And while they had some excellent technical training, I realized that the customer that I wanted to serve was a different customer than they served. Right? So they served primarily large clients. I wanted to serve small to medium clients.
Speaker 2:And what I realized along the way, and what caused me to choose that, was that small and medium clients are much more dependent on insurance protecting their balance sheet. Right? Large clients have significant cash reserves, significant cash flow. They're much more robust as it relates to a potential insurance event that may not be as desirable or covered at all. Right?
Speaker 2:Whereas small to medium enterprises are much more sensitive to that. So after a short stint there at that larger firm, I did move to a local firm where I felt I could serve the clients that I wanted to serve. I've been there ever since. That's the Arizona Group Insurance Brokers here in Mesa, Arizona. Right?
Speaker 2:And as far as what technology and cyber liability practice group means, so about 5 years ago, we started laying some groundwork here in the State of Arizona to try to really be a dedicated, knowledgeable provider of insurance for companies that are within the technology sector in any form or fashion. From a broker consultant, to a SaaS company, to an MSP, to an MSSP, and anything in between or different than that, as well as companies of any industry vertical that buy cyber liability insurance, which today should just about be all of them. Right? So within the last 5 years, we've made some dedicated steps to really try to enhance the insurance community, and really the technology community as a whole, for our technology clients. So we started by joining the Arizona Technology Council 5 years ago.
Speaker 2:We helped them develop their association healthcare plan with Blue Cross Blue Shield. We are one of 4 brokers that help them do that. And today, we try to serve as many of their members, or even if you're not a member, if you're a technology client in Arizona or the greater Southwest area, with a good, consultative insurance approach.
Speaker 1:K. And just for clarity, I'm based in Texas, the business is based in Texas. Sure. Yeah. You're in Arizona. Obviously, that wasn't a problem.
Speaker 2:Right. Yeah. So we are capable of writing insurance in all 50 states as well as really anywhere in the world. As we sit here today, I've got clients in all 50 states, I've got clients in 24 countries on 4 continents. Cool.
Speaker 1:Let's talk about alphabet soup a little bit as it relates to policy and what's included. And I think it's good to talk about the differences of what these different things do. Right? So Sure. Kinda walk me through business owners' versus, like, the different pieces.
Speaker 1:That way people watching and listening can, if they haven't done this before, come up to speed here, hopefully.
Speaker 2:Yeah. I'm not gonna promise that in a single podcast I will solve all the misunderstandings of insurance, but we'll do our best, Max. Yeah. So when you say alphabet soup, right?
Speaker 2:Part of the challenge of insurance in general, and why it's important that you have a good relationship with your broker and a good understanding of the products that you're purchasing, is that insurance language tends to not be particularly affirmative in most cases. Right? So what you see is a lot of legalese with a lot of double negatives, a lot of carve-backs, a lot of if-this-then-thats. Right? It's confusing and in some cases almost seems unnecessary.
Speaker 2:Right? I think the industry finally, within the last, let's say, 5 years or so, is really starting to understand that and is working on being more affirmative. But it's an oil tanker. This thing takes a little time to make a turn. Right?
Speaker 2:So when you talk about different policy types and then also different policy structures, you mentioned business owner's policy. That's a policy structure. Right? So there's no policy type there, that's a policy structure, converse to the commercial package policy, also a policy structure. Both of them have the ability to contain some things. The commercial package policy is designed for more of the medium-sized clients, a little more flexible, a little more a la carte.
Speaker 2:The business owner's policy as a structure can have some components that a package policy can have. It's a little less flexible, a little less a la carte, but more designed for that small business owner, and more priced for that small business owner. Right? So I think as you're going through your process, however robust or not robust your insurance program may be. Right?
Speaker 2:You may have one line. You may have 12 or 15 lines. Really, the importance of the process is to have good and open and earnest conversations with your broker. And hopefully that's a competent broker, with an ability to, you know, explain and help you understand those products. So that when you do go to put them in place, there's a level of comfort there.
Speaker 1:You used a line earlier there about insurance protecting the balance sheet. And when we think about it, right, there's different types of insurance that exist to address different points of risk. Yep. So I think we'll talk about protection and risk, which really, I think, becomes core with an insurance conversation. Right?
Speaker 1:So you have general liability. Mhmm. General liability, seeing insurance include or exclude fire, property damage, errors and omissions if you're in professional services. Right? You've got directors and officers insurance.
Speaker 1:You've got EPLI, or employment practices liability insurance.
Speaker 2:Yeah.
Speaker 1:Right? Yeah. Did I do that right?
Speaker 2:Put that to you.
Speaker 1:That's not good. Workers' comp, product liability, like all these different classes, and of course we talk about cyber and privacy being in those buckets. So quickly, shortly, briefly, however you wanna put it, kind of run me through those different acronyms and what they're including and how you layer this on, because what I wanna know, what I wanna talk about, is what the cyber policy then is filling the gaps for. So Okay. Let's talk about the gap.
Speaker 2:Sure. Sure. So 2 things to help build that understanding. Right? One, when I say insurance program, what I mean by that is an assembly of different policy types that have different policy triggers that speak to different parts of risk that you have concern about.
Speaker 2:Right? So that's what I mean when I say insurance program. The second thing is, when we talk about protecting the balance sheet, we're playing in a bandwidth. Right? So there are risks that are low, not only from a hazard grade perspective, but also from a financial impact perspective.
Speaker 2:Those are risks that many businesses will choose to retain. So we're not looking to help you find insurance for that. There are also hazards that are significantly challenging or maybe even impossible to insure against. Right?
Speaker 2:So I always use the Suez Canal example. The ship that blocked the Suez Canal, there's no insurance policy for that. Right? No one could have put something together that protected you from causing a $1 trillion loss of financial income to hundreds of thousands of companies. Right?
Speaker 2:So we are trying to protect your balance sheet in the space betwixt. Right? Those medium to maybe lower-high hazard grade instances which, if unprotected, would have significant impact on the balance sheet. So then you're talking about these different products, general liability, professional liability, employment practices liability. Those are all different types of policies that have different policy triggers.
Speaker 2:So I'll give you a couple of quick examples that'll help us understand where cyber comes into play. Right? So general liability has the intent of providing protection in the event that a third party alleges that, as a result of your work, you harmed their property or person. Okay? So when I say as a result of your work, I'll use a window washer as a great example.
Speaker 2:If I hire someone to wash the windows on my home, and in the course of washing those windows they damage my stucco, that's as a result of their work, because their work is the window. So that would be covered by their general liability. When you talk about damage to my window, that's their work. That's not as a result of their work. That is not gonna be covered by their general liability.
Speaker 2:So to help this marry and see where policy triggers become important, professional liability, on the other hand, is as a result of your work, an error or omission in your work. And it's both bodily injury and property damage but also financial harm, right? So for that same window washer, who probably would have liked to have contractor's errors and omissions if he damaged one of my larger windows, it's a little more expensive, right? It also plays into a business like yours where it's unlikely that someone's gonna allege that you harmed their property or person as a result of you making an error or omission as a consultant, but they may claim that you somehow harmed their finances.
Speaker 2:Right? So professional liability becomes important in that factor. Employment practices liability is anything to do with an EEOC complaint. So if the business is the recipient of an EEOC complaint on behalf of one of their employees, then that's what that policy is there to protect you for. That's got 3 components to it.
Speaker 2:First party, third party, and wage and hour. So first party is 2 people inside the organization. So, an employee is upset with a manager and files that EEOC complaint. Third party is an employee versus someone outside the organization, so maybe the UPS driver won't stop asking out your receptionist, and your receptionist is upset about that. Right?
Speaker 2:So that would be your third party trigger. Wage and hour is anything to do with you didn't pay my overtime, you didn't let me clock out for my lunch breaks, I didn't get my bonus that I was supposed to get, whatever it may be. So those are all different policies, and there's many more out there, right, that have different policy triggers, and I think your next question's probably gonna be what are the policy triggers for cyber liability? Am I with you? Are we on it?
Speaker 2:Okay. Okay. Perfect. So cyber liability is a relatively young coverage in the perspective of insurance, right? So you've got to think that insurance is this just absolutely old, old product that really got its roots in London at these negotiating desks based on whether or not ships would complete a passage.
Speaker 2:Right? So this is an old, old industry. So when you think about cyber liability being around for a little over 30 years at this point, it's still a relatively young product. Right?
Speaker 2:But within that product there are 3 main components. And it's actually similar to EPLI in structure. There's a first party component, there's a third party component, and then that third component is gonna be cybercrime. Okay?
Speaker 2:So first party is cost that the named insured would face. So we'll use the Arizona Group as the example. If the Arizona Group incurred costs because of a breach event, because of a cyber liability event, the first party side of the policy is what helps protect the Arizona Group against those costs that they're incurring. The third party side of the policy is protecting anybody else that's not you, that you interact with, that may have been affected. Right?
Speaker 2:So that's your customers, that's your vendors, that's your upstream, you know, vendors or people that you work for, that you subcontract with. Whatever it may be, it's protecting those outside your organization for how they may be impacted by that breach event that you experienced. Alright? And then the third component there is the cybercrime. So that's your social engineering.
Speaker 2:That's your phishing. That's your business email compromise, your funds transfer fraud, things of that nature. Your deception-oriented attacks. Right? They're primarily centered around the movement of money, where you didn't intend to move the money to that person but you did, unknowingly.
Speaker 2:Right? The challenge with cyber liability is very similar, actually, to auto liability, in that the buckets, the first and third party buckets, will fill up concurrently. Right? So in any breach event, it's almost impossible to have it isolated to one side of the house.
Speaker 2:Right? If the Arizona Group is breached, it's almost impossible that none of our clients or vendors or employees are affected. Right? So there's gonna be a first party component that starts to rack up, but there's also gonna be a third party component that starts to rack up. So I mention this to say that policy limit becomes very important, because you can start to run out of limit very quickly knowing that you have 2 buckets concurrently filling up in almost any breach event.
Speaker 2:Right? I can keep going, but I think so far I've...
Speaker 1:This is great. I'm gonna ask you a couple questions and then let you ramble on. This is great. So when I think about cyber events Yeah. And there's a lot of different terminologies for this.
Speaker 1:Right? Breaches, hacking, ransomware. Like all these different things you hear about in the news. Right? Mhmm.
Speaker 1:I look at it, I simplify it down to, like, denial of resources and theft. Okay. And that's pretty crude, but it simplifies just what we're trying to protect against.
Speaker 2:Sure.
Speaker 1:And so you have theft. When you talked earlier about crime, social engineering, business email compromise, funds transfer fraud, these sorts of things. Right? There's different entry points into these things that cause these problems. What was the actual cause of the breach, or how did the breach happen, right?
Speaker 1:But what was the result of it? The result of it is exfiltration of something, right? Sure. So you have funds, money, intellectual property, whatever, right? So there's this exfiltration that takes place.
Speaker 1:Or there's denial of resources, right? And people know denial of resources in terms of ransomware, right? You can have different types of attacks that are also denial of resources. DDoS, the oldie but goodie. But ransomware is a denial of resources so you can't access and work and function as a business.
Speaker 2:Yeah.
Speaker 1:And in order to function as a business, you pay the ransom in order to get back access. So I kinda get into those two things. Now when you look at it and you think of, I'm now trying to wrap this into insurance. You say first party, third party, and crime. Every event is almost all of them, all at the same time, to me, right?
Speaker 1:Like, when does a denial of resource style attack not have first party and third party and then crime? And then how do you negotiate through this as you're crafting policy and limits? Sure. And also, more importantly, exclusions. Like, you had this thing that you thought would be covered because of x, y, and z.
Speaker 1:Right? Wire fraud. Somebody convinced your accounting department to wire money out of your bank account. Mhmm. But that was excluded.
Speaker 1:And you read about these horrible scenarios of, like, oh, that wasn't covered by the insurance policy.
Speaker 2:Yeah. Lot in there. Right? But I'll do my best to address all of it. So when you're talking about how do you try to come to the right policy design, the right policy limit.
Speaker 2:Right? There is a matrix that should be considered there. So first off, you have to kinda walk through what the business is going to experience in a loss event, and you can do that in a reasonable talking-out-loud way. There are benchmarking tools that you can utilize as well. But to give you some quick examples of how things can be very different, right?
Speaker 2:If you have a call center and you've got 500 people in that call center, and each of those 500 people has 2 monitors, and a thin client, and a keyboard, and a mouse, and all these different hardware components, and you're the recipient of a bricking attack, hardware restoration and having bricking included is very important to you, and your limit needs to be sufficient, because you've got 500 setups to do if that whole operation goes down. So even with some sort of bulk buy discount from CDW or whoever you're using, right? You're in trouble if all 500 units need to be replaced. So bricking and hardware restoration become a much more important conversation for you. As does probably business interruption, right?
Speaker 2:If you're unable to make calls, if that's your business, or field calls, if that's your business, and you're not able to generate revenue because you can't make or take calls, business interruption becomes a large part of your concern. But then you could look at a different style of business. So you could look at a business that is more in the consulting space or maybe in the software space where everybody works from home and potentially they work from their own units. You've got some Windows users, some Mac users, there's no company purchase of assets or anything like that. So your ability to have a larger first party loss, a larger bricking loss, or hardware restoration loss is a lot lower on that side.
Speaker 2:But perhaps they're generating software for Fortune 100 companies or Fortune 500 companies. So on that third party side, they've got a lot more to worry about, because they have large clients who could be significantly aggrieved if there's delay in the project being completed, or if they're used as an access point or a leapfrog point to get to that larger third party client, or whatever it may be. So there's some common sense conversation that needs to go on first. Right?
Speaker 1:So you're leapfrogging. Right? We talk about this as a supply chain attack. Yep. And I feel like this is like the third myth in dealing with cybersecurity with most, especially in, like, the smaller, medium-sized, mid market.
Speaker 1:Oh, we have nothing that makes us a target. It's like, well, you're connected to the internet and you have resources and you have money. Right? So those things make you a target. And then the third thing, of course, becomes this: what is the supply chain, and who are your customers, and what do they have?
Speaker 1:Sure. How does that come? And the first one that was a really, really, really big one was, of course, the Target issue with their point of sale terminals, which started with an HVAC contractor. Correct. So an HVAC contractor was probably thinking, we have no... there's nothing that's ever a problem.
Speaker 1:And lo and behold, their network is compromised and used as a launching pad to install malware on every point of sale terminal at Target Sure. Across the globe. And, of course, you're talking 8, 9 figures worth of damage as a result of that.
Speaker 2:Yeah. Yeah. So you bring up a great point. Right? There's this kind of, A, there's this kind of belief that if you're not a professional services company or financial institution or a technology company then you don't have cyber risk, and that's just not true, right?
Speaker 2:You mentioned the Target issue with the HVAC contractor. I happen to represent a very large landscaping contractor here in the state of Arizona. And about 95% of their work is right-of-way clearance work for APS, which means they're always on APS land. And in many cases, the only network they can access is the APS network. And they have more than 50 vehicles on the road.
Speaker 2:Each of those vehicles has a tablet that their employees use to do work orders and communicate with the office and communicate with the client. So it would be really problematic if their tablet that's on the APS network becomes an access point to APS. Right? So they're a landscaping contractor with a significant cyber liability risk. The other thing that I think is funny, and I use this phrase to describe it, is security by obscurity.
Speaker 2:Right? Well, I'm not, you know, a big deal. Nobody's coming looking for me. That's just not an approach that works anymore, and to further it a little bit, I'll use a little phishing analogy. So when I have conversations with people who are practicing security by obscurity, they're always saying, well, because I'm not big, I'm not important, I have nothing of value.
Speaker 2:No one's baiting a hook for me. And yes, I agree. There's no cyber criminal that's working really hard to bait a single line hook for you. But there's plenty of cyber criminals that are net fishing. And if you're bycatch, they will absolutely attempt to monetize you to the best of their ability, and that's the challenge.
Speaker 2:Right? It's the bycatch challenge for those smaller enterprises.
Speaker 1:I also, I've realized that people don't really understand how professional cybercrime actually is and how specialized it is, in the terms of there are people that all they do is cast that net and get access to whatever they can get access to. And the second they have access to something, they might just be selling that access to somebody else. And person, group, whatever, A sells it to B, and then B gets in there and investigates and figures out whatever it is, and they say, oh, this is interesting. It fits these things. And then they sell it to C because C is actually interested in whatever that is, and then C can go off.
Speaker 1:I mean, and you could be pretty deep down that chain of, like, how many times am I passed along before you actually get to somebody that said, okay, this is what I'm gonna do now.
Speaker 2:They're incredibly elegant. Right? So I think some people have a hard time separating the fact that yes, yes, they are bad actors. They are committing crime, but that doesn't necessarily make them unintelligent or unsophisticated, right?
Speaker 1:Unprofessional.
Speaker 2:Right. Or unprofessional. It is a business model for them, and some of them are very good at it, and they're very intelligent people. So, there's actually a lot going on within the cyber liability world right now as it relates to encrypting policies, because there's this research that's starting to show that ransomware demands are eerily similar to ransomware policy limits that the bad actors are gonna find once they gain access.
Speaker 2:So they'll gain access. They'll find that cyber liability policy that you have that shows a $1,000,000 ransom limit, right? Or in the case that they don't find anything, the next step that they'll take is they'll look for some sort of financials that indicate cash on hand, and then the ransomware demand becomes eerily similar to the cash on hand. Right? So yeah, I don't think people realize, or sometimes are able to separate the fact, that yeah, they're absolutely criminals, but they're very sophisticated, they're very professional.
Speaker 1:So when we start going through crime, right, the examples that you gave were bricking events and hardware restoration and then, of course, business interruption. Is it common that this language is included with some sort of rider with a policy? So if you went out and said, hey, I need a cyber insurance policy, is a cyber insurance policy just including this by default? Or are these things that you have to know to ask for and say, hey, and, when you're talking with a client and saying what are you guys doing and trying to go through that consultation process, you have a call center with 500 devices and these devices cost this much.
Speaker 1:So we need to add a bricking event rider to your cyber policy.
Speaker 2:Yeah. Yeah. So what I would say to that is a couple things. One, for most first and third party clauses, they are included in some form or fashion.
Speaker 2:The strength at which they are included can be negotiable. And by strength, I mean the legalese surrounding what is considered a bricking event, for example, as well as the limit that's being offered on each line. So on first and third party, in most cases, you will get some limit for bricking. You will get some limit for business interruption. Whether that limit is robust enough and speaks to the policy triggers that you're looking for, that may be up for question.
Speaker 2:Cybercrime, however, is not always automatically included. As you can imagine, there are certain instances or certain business models, let's say, where they're off the shelf excluding it and you have to negotiate it back in. So if you think about a CPA who moves money for their clients as their business model, giving them a limit of $1,000,000 of funds transfer fraud without checking controls is fairly irresponsible by the insurance company. Right? So off the shelf for CPAs they're going to exclude cybercrime, and then based on some sort of supplemental that shows adequate controls, proxy and all those good things, then you may be able to get that added back in.
Speaker 2:The other thing I wanna add here that I think is really important to understanding these policies, and insurance policies in general: every insurance policy has what's called a representations or warranty section. What that section states is essentially, we, the insurance carrier, collected some information from you as the client. We took that information, we digested it, and we gave you a policy with a set of terms and conditions at a premium and a limit based on that information. In the event we find out that that information wasn't true or accurate at point of claim, here is how we may treat that.
Speaker 2:Okay? And while there are much better baselines in more established types of coverage, like general liability, like professional liability, cyber is still young enough that those representations or warranty clauses are on a wide spectrum right now. So to give you two quick examples, you have your best in existence, which is an innocent non-disclosure. So essentially they say, we will not deny any claim or seek to deny any claim unless we can prove that the misinformation was reckless or deliberate on your part.
Speaker 2:So they're actually saying there has to be a causal link. We have to find a causal link that you knew that deceiving us would expose us to this. That's a pretty favorable representations clause as a client. Especially in such a dynamic world like cybersecurity, where the answers of today may not be the answers of tomorrow. Right?
Speaker 2:Conversely, there are representations or warranty clauses that say, if we find out that anybody, not only you, but potentially your insurance agent, somehow gave us something that was misinformation, which becomes challenging because you've got the telephone game, right? You may tell something to me or to a broker and they may try to summarize it and miss a critical element in that summarization, which now becomes misinformation. If that happens at any time, then we can void the policy ab initio. So from its initiation, right? And we owe you no liability or duty.
Speaker 2:And then there's ones in between that are balanced, if you will, right? But that's, I think, more important than some of the dec sheet oriented policy triggers: really understanding where your representations or warranty clause sits.
Speaker 1:So, translation, for those listening or watching: do not embellish information on your application thinking that you're gonna get a better premium, because when you need it, you're gonna find out that your premium is just gonna get returned to you. The insurance company is gonna write you a check back for whatever you paid. You might, you know, you should've just not had insurance in the first place.
Speaker 2:Mhmm. Boy, is that true. Yeah. Yeah. Boy, is that true.
Speaker 2:And the other thing here, too, is if you're working with a good brokerage firm and you're working with good carriers, the understanding is that we're all vested together in this interest of finding you that right policy that responds in your time of need. Right? And we're all vested as well in hoping that you never have to use the insurance. Right? Yes, insurance is a safeguard that many people should have, but the first step is risk management, risk control.
Speaker 2:Right? So we at the brokerage level can help make introductions and even offer proprietary discounts to our clients in the cybersecurity realm. In addition to that, carriers are also engaging in master contracts with national service providers in critical areas that they can offer, in some cases on a free basis or a discounted basis, to their policy holders. So you may say, I don't have white labeling or whitelisting right now, and they may have a tool for you that's free. And they may just make it a condition of taking the policy that you prove that you installed the tool or agent.
Speaker 2:Right? So you're not losing, you're benefiting, because they've now given you something for free that mutually protects everybody. Right? So you're absolutely correct. Don't embellish.
Speaker 2:Don't answer in a hopeful state. Answer true and honest, and we'll correct what we need to correct as we go along.
Speaker 1:So from an insurance from a process of this, right, it's a it's risk and I mean risk really encompasses a couple different things. Right? So there's a let's say likelihood. There's likelihood of exposure of something And then there's, potential liability of from that exposure. Mhmm.
Speaker 1:Right? So Mhmm. Window washer. Right? Your your your first party is you you damage a $10,000 window that has to be replaced or you damage a $20,000 stucco wall that has to be replaced.
Speaker 1:So you've got what that risk exposure is. In a business, and when you start talking about cyber policy and first party and third party and cybercrime, your risk, both from a potential as well as exposure becomes very large very quickly.
Speaker 2:Right.
Speaker 1:And so how, when you read things, and when I'm reading things like major insurance carriers out of London saying that they're exiting the cyber market altogether or that they're creating, like, what do we see, exclusions for state sponsored hacking now, right? So if we decide it's a state sponsored attack, then we're not covering it, right? Well, what's a state sponsored attack at this point? Who knows? Sure.
Speaker 1:So how how is that evolving with cyber insurance policies and carriers as as you're reading more and more of these events of like, oh, this company just got breached and they had to go do x, y, and z and it was a it was a MGM. Right? They're probably self insured in this case, but, I mean, that's a multi $100,000,000 loss. And so, like, that impacts all this when when insurance when an when an insurance company's looking at this and saying, okay, if we take this policy, what's the likelihood of us writing a check and how big is that check gonna have to be?
Speaker 2:Yeah. So to give a little global foundation to this, the the primary challenge of any insurance carrier on any line of insurance is that they cannot accurately understand their cost of goods sold. Right? When you when you look at what what actuarial divisions do, they're assessing as much data as they can assess and trying to make good assumptions and come up with good algorithms that allow them to develop good rates, so that they can try to be competitive in the marketplace, and offer good coverages to their customers, but also have enough money coming in that they're not insolvent against claims. Right?
Speaker 2:So that they don't have to exit market and all these different things. So so when you look at cyber liability, part of the disruption you see right now with some carriers exiting is is that the market was fairly artificial for a while. For anybody that's been purchasing cyber insurance for longer than 5 years, it used to be, do you have a pulse, here's your $1200 policy. Right? There were there were no checks on controls, there were no real conversation about exposure to anything, they were just chucking out policies.
Speaker 2:And that ended up biting some carriers, right? Because $1200 is not a lot of premium taken in, and it's pretty easily offset by even a very small breach event or cyber event, right? So you can see how those carriers that were playing in that artificial marketplace, and trying to play from a volume perspective if nothing else, got bit pretty quickly as the world changed and cybercrime became a lot more elegant and a lot more prevalent and all these different things, right? The good news is that there are ways for insurance companies to write it correctly and to achieve the margins that they're looking to achieve, which by the way, insurance carriers typically are operating somewhere between 6.8¢ of profit on the dollar. So it's not a high margin industry.
Speaker 2:Right? But nevertheless, there are ways that they can be profitable, and you've seen the changes. Right? You see the applications being longer and more elegant. You see them actually asking about controls.
Speaker 2:You see them changing the level of controls they're asking for depending on the industry segment or the size of the client. If you have more than 50 IoT devices, or if you're a financial institution, you're gonna have a different subset of controls than if you're a t shirt retailer with 10 employees, right? So they are starting to drive a deeper underwriting process that is assessing premiums in a more equitable fashion. Right? So those that have lower risk and higher control are seeing those lower premiums still.
Speaker 2:Those that have higher risk but very high control are still seeing fairly favorable premiums. It's it's time now that those that have high risk and very low control are either uninsurable or are seeing significant premium increases because they're affecting the marketplace adversely. But long term by 2028 they anticipate that the cyber liability market will be 3 times the size it is now. So there's plenty of investment coming in from reinsurance. There's plenty of investment coming in from MGAs, MGUs, new carriers, carriers that are not in cyber now but have established presence elsewhere and would like to be in cyber.
Speaker 2:So it's not going away and it's not shrinking. You're just seeing those those artificial marketplace players finally start wearing a little egg on the face.
Speaker 1:Do you think cyber will get to a point where it's mandatory as part of the GL policy?
Speaker 2:I don't think it'll ever be a part of the GL policy, but I I I hope that it becomes something that is as considered as the GL policy. Right? I feel like the GL policy going back to earlier that as a result of your work versus an error or omission in your work, I feel like the GL policy might be the most misunderstood policy in insurance. Right? There there are probably 70 percent of customers that have a professional liability exposure somewhere in their business model, but don't carry it.
Speaker 1:Right. Because they
Speaker 2:think GL is even. It's not. It's different. Right? I do think if you're if you're an operational entity right now that's connected to the Internet, Cyber is probably a top 5 policy for you, if not a top 3 policy for you.
Speaker 2:And in some cases Yeah. Yeah. And in some Yeah. Right. That's the point.
Speaker 2:Right? So it should be top 5, top 3. And then in in some cases depending on your model and and depending on who you serve and and what your product or service is, it may be the most important policy in your insurance portfolio at this point.
Speaker 1:You've said this a couple of times so I wanna I wanna circle back to it. Controls. Yeah. Risk management and controls. High risk but high controls and have lower premiums.
Speaker 1:Now, something else that you said that I wanna highlight, because I don't think this comes up as much for people when they think about it, is there is a certain baseline in terms of controls that you have to have to be insurable in the first place. And then depending on your risk and controls, right, you have: are you insurable, and then how much are you gonna pay for that premium based on what your controls are. Right? So this isn't about creating controls to lower premium. This could be just having controls in order to be insurable in the first place.
Speaker 1:Like, you may just go to try to get insurance and find out you can't get insurance because you don't have x y and z in place.
Speaker 2:Sure. Yeah. So in regards to the process, it absolutely can be binary initially whether you're insurable or not insurable. If you're if you're very small, receipts are less than a million, less than 500,000, and you're in a very vanilla industry sector. You're a retail t shirt shop.
Speaker 2:You're you're maybe not even using a POS system. Right? Perhaps it's it's still a cash register or something like that. Then you're probably not gonna be in that binary insurable non insurable realm. But for most, yes.
Speaker 2:There's there's a baseline of controls that create that binary insurable non insurable. Beyond that, then it's a spectrum of controls that attract different subsets of carriers, different premiums, different terms and conditions, different limits, all those things, right? So the best advice I can give on on what controls are gonna be important to insurance companies, is is the controls that you're seeing being manipulated or taken advantage of in all the the news stories. Right? So if you if you look at most of your attacks, it's business email compromise, it's lack of multi factor authentication, it's it's lack of, timely and and air gapped or fully segregated backups, to be able to restore after an event.
Speaker 2:So so follow the trends and and those are likely gonna be the controls that they're most concerned about.
Speaker 1:I'm I'm laughing because I I it's it is so easy to implement identity access management or strong identity controls and strong and single sign on and multifactor authentication at this point that, like and and what you get out of it in terms of actual I get into a lot of conversations, people wanna be like, oh, on a scale of 1 to 10, where are we in our cyber program, right? It's like not a linear number of like, oh, you went from like, you implemented this thing, you went from a 2 to a 3. But just just having a good identity management and multifactor authentication takes you from, like, a 0 to a 6 probably. I mean, it's just now going from a 6 to a 7 gets really hard, but or is harder. But so now controls are controls are technology and controls are are process, right, and procedures.
Speaker 1:Mhmm. Because, if we talk about what's what's a what's a common one I wanna use here? Let's use let's use wire fraud, like you've transferred money out. Right? So wire fraud, that usually comes from a breach and that breach, you could say, is an impersonation attack.
Speaker 1:So business email compromise which leads to a lateral transfer inside the organization with impersonation of a key player that then has a clerk wire a bunch of money out to some place that they shouldn't have. Right? Now that gets attacked, when I say attacked, you can address that with a secure email gateway and you can implement technology to do impersonation management and lateral transact. By the way, Google Workspace and Office 365 do not include these things by default. These are things you have to go out and add on top of
Speaker 2:Oh, no. Default settings. Just to be clear, if you think you're protected, you're not.
Speaker 1:There are providers in our portfolio that this is what they focus on and they're really good at it, right? But so then, you work your way down to what you can do with technology, but then you work also from what's your actual control, your process for a person to follow. Sure. And how much of that is now being tracked from insurance, from an underwriting and risk management standpoint? We went through the form and I did a video on it and it was asking you which secure email gateway do you have in place?
Speaker 1:Do you have this tool, this tool, this tool, this tool, this tool, right? So like technology, but it didn't really get into a lot of depth about what our process was for validation of wire requests and wire confirmations.
Speaker 2:Yeah. So so the human elements, elements can be challenging, right? When you think about asking yes no questions or even potentially open ended questions, having answers that allow you to determine exposure and and determine rate can can be challenging. Right? There are questions in in relation to those where where they can be appropriate.
Speaker 2:In the event that you're asked to transfer more than $25,000 of money, do you have a proxy process? Right? It does it have to be more than one person that approves that. That's a human control. Right?
Speaker 2:So there are underwriting questions that are centered around those things. There are also depending on client size and and and things of that nature, there are also risk risk management visits that can be had, that are starting to pop up more. So these are very common on other lines of insurance, but hadn't really worked their way into cyber liability yet and they're starting to. So so you'll see for certain size clients, they'll maybe send somebody out who's an auditor or inspector and they're not really, making it clear to to the bulk of the floor staff who they are and they'll drop a USB. The USB drop.
Speaker 2:See if somebody plugs it in or they'll see if they can go find a server room unlocked. Those kind of things. Right?
Speaker 1:I mean, that that's the classic, like, red team
Speaker 2:kind of audio. Yes.
Speaker 1:You know what's so funny about the USB drive example at this point is I am paranoid to use USB drives that I bought myself and unwrapped from packaging. I mean, at this point, I just assume that all USB drives are compromised from the point of origin and I just can never use them. It's actually, no, it's turned to a thing. Like I actually have like a complex over it.
Speaker 2:Yeah. Some of the other questions that they're driving on that just so you're aware is is do you have a person or persons in your organization that is responsible for keeping an incident response plan? Maybe it's formal, maybe it's informal. Do you have persons or persons who are on an incident response team? Right?
Speaker 2:If an incident happens, do you have people that are ready to at least try to address that situation or is it gonna be an absolute free for all scramble with little to no direction, right? And you're asked to identify those people, so in our case that's gonna be our chief operating officer who's gonna lead that team, we've got in house IT and other people that are part of Right? But we we can identify that. So there are some human driven questions, but it's it's in development. Let's let's call it that.
Speaker 1:Incident response plan is on my list. So let's circle back to that. There's a lot of acronyms in the cyber security space in terms of technology. Sure. And so, I'm SSO, MFA, SAT, EDR, MDR, XDR, DLP, CAS I mean, we can go down this it it just it just is compounding.
Speaker 1:Right? Mhmm. And different techniques and people coming out with ZTNA, with zero trust and secure remote access and micro segmentation, yada yada yada, right? Now there's like a baseline table stakes of this and we talk about some which was of course, especially with the insurance world, they're gonna want security awareness training. Now you can implement a security awareness training program and still have people click on emails and have phishing attacks, right?
Speaker 1:But they're good to have. Like, this is one of those things where it's good because if you just keep one from occurring that was worth it, right? But so identity, SSO, MFA, security awareness training, EDR, of course backups, right. Like kinda table stakes. Everybody should have it.
Speaker 1:Not anti virus by the way. Endpoint detection response. Different things. So from that point, as a cyber program is maturing beyond that and we start talking about things like a SIEM platform with a SOC team with threat intelligence, with a secure web gateway and secure internet access and secure remote access and these audit capabilities, and maybe you have some CASB and DLP functionality built into it, how much of that and at what stage, at what size do you have to be, policy or organization wide, before you get into that level of conversation saying, hey look, we've got the EDR which is on your form but we've also got all these other things. Sure.
Speaker 1:And let's talk about what that means for a risk profile for, I mean, how big do you have to be before that becomes really relevant to an insurance carrier in terms of risk management and and policies?
Speaker 2:Yeah. It's it's it's not an exact number, that that's applicable to all. Right? But there are some things that are gonna be considered. So, so first is is revenues.
Speaker 2:Right? In most cases, whether it's the most elegant approach or not, insurance carriers are gonna use revenues as part of their algorithm for calculation of rate. And and their their thought process there is is they have a general understanding of what products and services cost. So if they can see what gross revenues are, they have a general understanding of how often your product or service is interacting with your customer base. Right?
Speaker 2:The second thing is gonna be devices. Right? So typically they'll they'll either ask for devices or maybe they'll even just ask for an employee count because these days most employees are gonna have their own device. Right? So if you've got 250 employees you've probably got at least 250 devices, right?
Speaker 2:Or 500. Or 500 or maybe more, right? But at a minimum you've got a 1 to 1 ratio, right, in most cases these days.
Speaker 2:Things like records kept are gonna be part of the conversation, particularly if those are records that are subject to any sort of regulatory body like HIPAA.
Speaker 1:Yeah.
Speaker 2:Yeah. Exactly. Yeah. So those are gonna be important questions. Industry type is gonna be an important question.
Speaker 2:So I'll give you an example of one that we had that went to the point of elegance that you were describing earlier. So we were working on a $25,000,000 cyber tower. So what I mean by tower or shared and layered is there there are 5 different carriers involved who each were taking a $5,000,000 segment of the 25. They were all aware of each other. It's creating vertical continuity up to 25.
Speaker 2:So you got carrier 1 who's the first 5,000,000. Carrier 2, 5,000,000 to 10,000,000. Carrier 3, 3rd 5,000,000. So on and so forth.
Speaker 1:Okay. So for clarity, the client wanted $25,000,000 with a policy limit. Yep. And there's a carrier in first position which is up the the first 5,000,000. Correct.
Speaker 1:And after that 5,000,000's exhausted another one. Okay. And so on. Okay.
Speaker 2:Yeah. So getting 25,000,000 of what we would call primary or lead out of 1 carrier, almost impossible. Right? Most people don't even have that capacity with their reinsurers and even if they have that capacity, they're not gonna offer it to this risk. This risk was a medical technology risk with 18,000,000 unique HIPAA records.
Speaker 1:That's a lot. Okay. So now, I I know let's talk about reinsurance for a second
Speaker 2:because that's pretty critical here. Yeah.
Speaker 1:And you mentioned it again. So explain reinsurance and how that actually applies into what these insurance carriers are doing and how they're designing things.
Speaker 2:You got it. So when we're going out to an insurance carrier, so I'll use a big name just for ease of example, like Chubb, okay, or Travelers, they are a retail insurance carrier. So they are offering terms and conditions up to their capacity; depending on the line, the capacity may change. For most carriers right now, cyber capacity tops out at 5,000,000 for any one client, right?
Speaker 2:What they can offer us from a capacity standpoint and from a premium standpoint is either, in some cases, a hard rule or, in some cases, a guideline that's provided by their reinsurance treaty. So as silly as it sounds, insurance carriers, retail insurance carriers, buy insurance on the insurance that they sell, and that's called reinsurance. So sitting behind your Travelers, sitting behind your Chubbs of the world are Swiss Re, and Munich Re, and Hartford Steam Boiler, and other reinsurance carriers. And they offer to pick up certain points of loss, stop loss, probable maximum loss, all these different terms you'll hear floating around, right? Certain points of loss on behalf of Chubb or Travelers in the event that they have a catastrophic type event on lines of coverage.
Speaker 2:So so in order to protect everybody, they have rules and some of those are hard rules, right? So those are capacity. Hey, you cannot give more than 5,000,000 a limit to any one customer. We don't care if they're the most ideal cyber posture on planet Earth. We don't give more than 5,000,000 to anybody.
Speaker 2:Right? For any reason, at any time. Some of them are guidelines. Right? So some of them will say, hey, if they have more than 3,000,000 in revenues, we'd prefer that they have MFA.
Speaker 2:But if they don't have it, you can still sell it to them if you debit their rate by 20 points. So it's more of a guideline, it's not a hard rule. Okay. Right? So a big part of of the retail broker job is is understanding what reinsurance is and also identifying underwriters who understand what reinsurance is.
Speaker 2:So am I working against hard rules here that we can't change? Right? Mhmm. That that no desk underwriter can possibly impact? Or are we working with guidelines here that we have some room for negotiation and some room to move on?
Speaker 1:Perfect. Let's talk about, walk me through an incident response plan. And I'm Should have one. Everybody should have one.
Speaker 2:Yeah. If you don't have one,
Speaker 1:let's talk about what should be on an instant response plan.
Speaker 2:Yeah. I think I think obviously it's it's a large document, and I don't think we'll be able to cover all of it today but I'll cover a a few things that I think should be in there and also a kind of a few humorous things as it relates to an incident response plan. So to start with one of the humorous ones, I would have highly encouraged that everyone has a paper copy of their cyber liability policy on hand. And the reason I say that is because if you happen to be the victim of a ransomware event, and and you've been denied resources, right, denied service, and the only copy of your policy happens to be on that network, you may be in an adverse position, Right? Where time is critical.
Speaker 2:So so even though it sounds a little little stone age, a little caveman. Right? Be because of the criticality of having access to these documents.
Speaker 1:It's so amazing. Let's actually, does let's do it this way. Let's talk about I want you to answer the IR plan in in a in a better context.
Speaker 2:Okay.
Speaker 1:So, crap, something just happened
Speaker 2:to us. Mhmm.
Speaker 1:And we're gonna we're gonna engage our insurance carrier.
Speaker 2:Okay.
Speaker 1:So, this this actually is a part I wanna talk about. Like, what like, you're calling the emergency number on the on the Yeah. From the carrier. Right? Like, walk me through that process and what the what the client, what the company should know and have in place before that, like, oh, crap.
Speaker 1:We actually have to use our in policy right now. Like, what what are the what's the insurance company gonna do? What's next steps?
Speaker 2:What should
Speaker 1:we be prepared for? Like like, there's, like, a Blackhawk helicopter coming down with people, like, rappelling down the rope. Like Yeah.
Speaker 2:Yeah. So at time of claim, right? Whether it be cyber liability or anything else, timing is very important. Right? So so timeliness of information, accuracy of information are are critical components of making things go as smooth as they can.
Speaker 2:Right? So when you think about an incident response plan in that perspective, that means that you need to have portions of that plan where you have dedicated people that are meant to respond, so that it includes identifying a team. Right? That includes probably regularly practicing that incident response plan, so that team comes together. Perhaps they use some of those deck games on potential incidents they have to respond to, to test out viability of plan, to test out communication, to test out roles and responsibilities.
Speaker 2:Having contact info for all the players is gonna be really important. Right?
Speaker 1:On paper.
Speaker 2:Yep. Yeah. People I need to get a hold of, can I get a hold of them? Right? And in the event that it may be something that happens after hours, do I also have the emergency claims line?
Speaker 2:Do I have the direct carrier claims line? Right? Because if you call any brokerage firm at 2 AM on their landline, you're not getting an answer you're getting a voice mail. Right? So so having access to contact information is gonna be critical.
Speaker 2:Doing whatever you can to try to verify timeline and things of that nature that you can communicate to the insurance carrier is gonna be very important, right? So to give you an example, I have a client in North Phoenix who on Presidents' Day last year had a skeleton crew in the office. Most people are taking the day off, right? And that skeleton crew starts to notice power recycles on all the devices and then the ransomware pops up. Right?
Speaker 1:So as an aside Yes. Criminals know holiday schedules.
Speaker 2:Yeah. Yeah. But they're on calendars. Right? It's not hard to find.
Speaker 2:Yeah.
Speaker 1:And they will take advantage of that.
Speaker 2:They sure will.
Speaker 1:In staffing capacity, 2 bad things.
Speaker 2:Yeah. He's he's no longer our CEO. He's he was formerly our CEO. He's our founder of the agency now in a consultancy role but every time he goes on vacation, the Amazon buy me Amazon cards things goes through the roof. So somebody's clearly sitting on his calendar because every time he leaves Right?
Speaker 2:So nevertheless, right? Right? When you think about my client in North Phoenix that has this event, thankfully they had good contact information. Thankfully they had triple redundancy on their backups including a fully segregated backup. They had enough information and enough resources and enough people and they had tested things, they had the viability that they were back online fully evicted for less than $10,000 within 24 hours, Okay?
Speaker 2:So so it those things are possible. Phenomenal. Yeah. If you can if
Speaker 1:you could result.
Speaker 2:Pull it off. Yeah. Right? But that's why you practice those things. So I can't, you know, sit here and give you all 48 pages of an incident response plan, but I can tell you conceptually it should be things that include who is responsible, can they communicate, can you contact the people that you need to contact, and have you tested the viability of it?
Speaker 2:There's a great deck game. I think it's called Breaches and Backdoors. Are you familiar with this?
Speaker 1:I don't know this one.
Speaker 2:There's a cyber security company that made a deck game. I believe it's called Backdoors and Breaches or Breaches and Backdoors, and you draw a random card from the deck and it has a cyber event. So you can have your incident response team and your incident response plan, and then try to really, in all the role playing fashion, test the viability of your response and plan against that event.
Speaker 1:I love this. This is great. I've seen versions of this. I didn't I haven't seen a commercial version of this. This is probably because I've been looking for it because it scares the Jesus out of me talking about it.
Speaker 1:But Sure. Anyways. So, you call the cyber company, cyber insurance life insurance carrier, and you say we've had this event that's
Speaker 2:happening. Sure.
Speaker 1:And you provide a timeline and obviously they're gonna ask you a bunch of information and questions about what's going on. Are they mobilizing and flying people in to help you? Yeah. Are they waiting for you to say you need help? Do you have to give them the secret password that says like I need to activate, code 47 or what what's this I'm gonna I I what's the Star Wars execute or whatever.
Speaker 2:Sure.
Speaker 1:Brain just completely turned off on that one. But, what what level insurance, for most people interacting with like auto insurance. Right? Like you have a car crash and you're sure you're talking to your insurance company. Insurance company says, okay, great.
Speaker 1:Take your car to this place and it's gonna go get fixed there and we're gonna pay for it and then you go pick it up when it's done. What is that experience like for a business going through a cyber incident?
Speaker 2:Sure. So you you've turned in a claim, right? So you've called that claim event in, you've given the details to the best of the ability you have at that time. And in many cases early on your details might be light, they might be sparse, but you're doing your best to communicate what you believe is is going on and how you're being impacted. Right?
Speaker 2:So at that point, you're you're gonna have somebody, try to make a quick assessment or determination of coverage. In the event that coverage is triggered, you'll have your deductible, and that deductible will be owed to the carrier whatever it may be, but then they are going to mobilize. Right? So in in most cases if not all cases, your your first response to a breach event is forensic investigation. Right?
Speaker 2:So what happened? How'd they get in? Are they still in there? What did they take? All these different questions you're trying to answer them, right?
Speaker 2:To realize what exposure may be, particularly what exposure may be attempted to be monetized, right?
Speaker 1:And so to connect back into acronyms of technology and right as far as risk, having an EDR and a SIEM and a SOC makes that forensics
Speaker 2:A lot easier. Easier to perform. Yes. Yes. So so to connect that, you're absolutely right.
Speaker 2:With carriers, within your policy language, within the the duty to defend section of your policy, there's going to be some illumination to whether or not they compel you to use their vendors. So they may have a forensic IT vendor. They may have a legal team. They may have a public relations team that are typically national vendors on master contracts that represent all of that carrier's clients in a breach event. So that may be spelled out, or conversely they may have something that says, we'll entertain your choice of potential vendor.
Speaker 2:However, we have some qualifications. Right? And typically those qualifications are, if you wanna hire your own attorney to represent you in a breach event, don't go hire the divorce attorney. Right? Like, hire somebody that actually has experience in cyber liability law.
Speaker 2:So they're not particularly tough on constraints. They just wanna say, if we give you choice of vendor, please submit a vendor that's appropriate.
Speaker 1:And this also comes into, do you have a vendor that can do incident response for you already in place? Do you already have an incident response return Sure. In place? Sure. Because at that point, you're gonna it's not like go out and find somebody that can do incident response for you.
Speaker 1:It's we already have an incident response retainer in place. We've already activated it. It's already coming in. Insurance company's gonna go, okay. Great.
Speaker 1:Cool. They're on our approval list because know them and they're big and they're reputable. Mhmm. And off to the races we are.
Speaker 2:Yeah. So, Coalition is a cyber carrier. One of my clients who is an MSSP is the dedicated forensic IT for all Coalition policy holders in 7 West Coast states. So if you're a Coalition policy holder in those 7 states, my MSSP client will be the one that's gonna come out and do your forensic IT. Right?
Speaker 2:So you do have those national vendors and those can be very beneficial, right? Because forensic IT specifically is typically the most expensive part of that process. Their billable is somewhere between $350 and $600 an hour in most cases. So when you have those master contracted rates, sometimes they're better rates than you would receive if you called the open market as an individual looking for help, especially with it known that you're now on the end of a breach event and you're really in need. It's not even just rates.
Speaker 2:Right? It's just like
Speaker 1:is somebody gonna get on a plane and be at your office in a timely manner to actually start this like
Speaker 2:And that's a commitment that they make, right? So there's a contract between Coalition and my client that they have to respond to any breach event in any of those states within x amount of time. So they literally have to have people on call ready to hop a plane at any given time. Exactly. Yeah.
Speaker 1:There's a lot of people in the cybersecurity world from the practitioner side or the provider vendor side that approach this from like, we need to educate the customer on potential outcomes and just how scary this is. And when Verizon releases their Data Breach Investigations Report annually, which is a fascinating and scary read, it has stats like dwell times. Right? And dwell time's a really interesting one to follow because for a while it got really scary that dwell times were really large, like up to a year. 200 plus days of dwell time before an attack was actually launched.
Speaker 1:And then if you think about that from like, even if you knew when the when the, if you had a 200 day dwell time and you knew when the attack was launched and you could unwind your backups to 201 days previously to do your restoration, the amount of change in your dataset across 200 days for a business, I mean like what does that cost you operationally to to to deal with? Dwell times have been compressed way down which in some ways is really great because you have less you have you have a shorter look back period that you have to deal with. But it's also scary because it means people are breaching networks and and doing malicious things much faster. And then we got in and we just immediately went to town. And then of course, you you talk about, like, segment sizes of the stats around businesses failing after cyber events and what what that actually means is pretty is scary as well.
Speaker 1:But I I mean, I wonder from your your viewpoint with all this stuff as I'm rambling here a little bit, are companies starting to, I don't wanna say take this seriously. I mean, and what is the triggering event that really forces this? Because you don't have to have a cyber insurance policy in order to have a GL and and professional liability policy, right? So like you have to go and say I want a cyber insurance policy. I mean, and then maybe if they haven't asked for a cyber insurance policy there's no way that they would even wonder what a what a business email compromise or secure email gateway is or what SAD is or all these different things.
Speaker 1:So where are we in the evolution of this of awareness and, I don't wanna say accessibility, but but, interest. I'll use interest of of people actually going out and getting this. And how does this actually how do you think this impacts liability from directors and officers? Are we are we getting into that point of do we have personal responsibility for prudence within companies to be dealing with this?
Speaker 2:Yeah. So I'm chuckling because I actually authored an article on LinkedIn about this very topic, about the crossover between responsibility and cyber liability exposure. So I don't know if you did your homework or not in asking me that question, but I have authored an article on this very topic. So when you're talking about organizations that have pronounced cyber exposures, right? That have a board of directors and officers that cannot reasonably say out loud, I was not aware that we had a cyber exposure and thereby would need a cyber risk. That is a very active segment of tort right now. No one has pierced that veil that someone has failed their duty of care yet.
Speaker 2:As it relates to either not buying a cyber policy or not buying an adequate enough cyber policy by way of terms, conditions and limit, right? Someone will. That is a very active segment of tort where attorneys are saying you as a director and officer are violating your duty of care by not having purchased a cyber liability policy at all, or not having purchased the right cyber liability policy for your enterprise organization based on the risk that you encounter by being this organization of this size in this industry. Right? So that's very active right now, and once that precedent is set, I am sure, I am absolutely confident, that attorneys will be interested in making more money off of that.
Speaker 2:So so that is a a very prominent topic and it's all centered around duty of care.
Speaker 1:Backups and disaster recovery going back to to you know, 3 decades now. Mhmm. If you're in Southern California, it's earthquake risk. If you're in Florida, it's hurricanes. If you're in Central, you know, plain states, right, it's tornadoes.
Speaker 1:And you get involved in these as an IT practitioner. You get involved in these exercises around business continuity planning. And it would be really frustrating. You could spend all this time and energy going through and building a BCDR plan and then have it submitted for budget approval and then find out like, oh, we're not gonna do it. And I'm curious because at that point, the duty of care was we evaluated the risk to our business and the cost to protect that risk and determined that the cost was not worth the risk and so therefore we didn't do it.
Speaker 1:So we've met Mhmm. That threshold of duty of care. Now when I realized that, it made my life a lot easier because of the frustration of not actually implementing all these plans. The plan was the deliverable, right? How much of that applies into cyber?
Speaker 1:We've evaluated Mhmm. The risk of a cyber insurance policy and buying all these tools in order to mitigate that risk and we just decided not to do it because of whatever reason. And we meet we we've now met the standard of duty of care because we we looked into it. Right?
Speaker 2:Yeah. So that is the common defense that's currently being used and is currently working as it relates to this cyber liability and duty of care issue. But as cyber liability becomes more present, cyber risk becomes more present, and as it drifts towards enterprise risk, as you see regulatory, you know, actions continue to occur like critical infrastructure, right? And those things, I think at some point saying we looked into it and we decided we didn't have to will fall. Right?
Speaker 2:That that's definitely the defense that's being used and being used successfully at this point, but there's so much more attention and so much more regulation being drawn to cyber risk and cyber posture than there's ever been drawn to BCDR. Right?
Speaker 1:So if you're a pipeline operator, you can't pretend that you don't understand the risk of a net you know, of a cyber incident and what that would actually do at this point. So you probably wouldn't prevail in that action if you were saying no thanks.
Speaker 2:Right. Right. So I I think we're we're dangerously close to that that particular veil being pierced. I'm sure it'll be a a breaking news story in some circles when it does happen.
Speaker 1:I've thought about this and I've wondered about it a lot and I view it also in the sense of like scar tissue, that the tipping point is when enough people have experienced this stuff that it becomes common. Like if you operated an internet connected website at any time during the 2000s, early 2010s, you had a DoS attack more likely than not, and you never wanted to experience one ever again and you went out and you bought DDoS mitigation as a service. And they were very expensive and now they're very inexpensive. It is very cheap to go out and get a DDoS mitigation service on top of your infrastructure. And I've thought about that a lot too with the insurance world, and cyber specifically, of like what percentage of bad things have to happen.
Speaker 1:Do we have to cross like like 10% of everybody who's had some horrible cyber experience in order for everybody to be like we need to do something about it and or or or not. So I'm curious to see how that plays out too.
Speaker 2:Yeah. Unfortunately as human beings, not all of us learn from the mistakes of others. Some sometimes we have to make the mistakes ourselves, before we we choose to learn and adapt. Right? So I think there's a subset of the market that is ahead of the curve if you will or at least on the curve, and those are those that realize even if an event hasn't happened to them yet, an event can happen to them.
Speaker 2:Right? They are learning from the mistakes of others. There will be a lagging part of the market. I think it's a smaller portion of the market, let's say 20, 25 percent, that will probably not realize that they need this product until they experience an event, and then assume that they survive that event to go on and continue to be an operational business that's looking to buy insurance. Because in some cases they will not survive that event.
Speaker 2:Right? That that'll be the the death of the company. So, there's a there's a lagging portion that that just doesn't necessarily learn from the mistakes of others.
Speaker 1:Last question for you. Can you share any benchmarking data? Like when you're buy buying policies on a percentage of revenue, you know, you talk about insurance carriers asking for revenue. So on a percentage of revenue, what are your kind of your bands that you should be walking into or expecting? And and how much does that no controls you're gonna pay here, controls you're gonna get down here, does that really influence things?
Speaker 2:Yeah. So I'll actually share a tool that I think is fantastic, that anybody can access. It's a free tool. It's simple to use, it's intuitive, it's gonna give you a nice little report. So Chubb Insurance, one of the longest players in cyber liability, has 20 years of policy holder data that they have built into this benchmarking tool.
Speaker 2:So it's called the Chubb Cyber Index. So if you just Google Chubb Cyber Index, you'll land right on that page and you'll be able to run a report on yourself. So you're gonna enter some basic metrics. That's going to be revenue. That's going to be estimated record count.
Speaker 2:That's going to be an industry segment. It's not all encompassing, so you may be choosing the closest proximity or adjacent, right, to your actual business model. But what it's gonna do is it's going to check 20 years of claims data for Chubb. And even today they have the most market share in North America. They have 10% of cyber liability market share in North America.
Speaker 2:So they have significant data and significant claims history. Right? It's going to cross check 20 years of data and claims history and it's gonna give you a couple of pages. So the first page is going to show you cyber incident growth for all industries measured against cyber incident growth in your industry. So there's gonna be a little line chart that's gonna show you those two things.
Speaker 2:Then it's gonna give you a a couple of of pie charts. The first one's gonna show you, the likelihood of type of attack. So was it denial of resources or was it something else, right? It's gonna show you all the likelihood of type of attack for for an enterprise of your size, and then it's gonna show you the likelihood of who the actor is. Was it inside the organization?
Speaker 2:Was it outside the organization? Those types of things. The second page is gonna map 2 more things for you. It's gonna run you through what they know to be an average type claim for you. So here's your records that were exposed, here's your perceived downtime, all these things.
Speaker 2:We're gonna total out on an itemized basis business interruption, we're gonna we're gonna look at privacy liability, we're gonna look at some HIPAA fines, all these different things for you. Here's your claim amount, and then it's gonna show you 2 more things in some bar graphs. So it's gonna measure you against your peers over those 20 years. On a primary policy basis. So remember earlier we talked about shared and layered or about tower building.
Speaker 2:So this would be that primary or lead 5,000,000. It's gonna show you 20% of your peers by 1,000,000 in limit. 40% of your peers by 3,000,000 in limit. And 20% of your peers by 5,000,000 limit. The remaining 20% by nothing, right?
Speaker 2:And then it's also gonna map out what your peers are choosing from a deductible point. So 30% of your peers have a $1,000 deductible, another 30% have a $5,000 deductible, and then you got some that carry up to $25,000 and some that carry a $500 or a $2,500. So it's really gonna help you understand what are your threat vectors? What's your incidence growth rate? What's a claim look like for you?
Speaker 2:And who committed that act against you? And then what are your peers buying, right? From both a primary limit and a primary deductible standpoint. So I think that's a great little benchmarking tool that's free to access for anyone, that's run against one of the largest subsets of data that exists for cyber liability insurance.
Speaker 1:That's awesome. It's, I hope somebody runs through this. It's at the tail end of a very long conversation, but we're gonna figure out how to we're gonna clip this up and make sure this gets out there because it is cybersecurity and cyber insurance are things that you wanna have in place before you need them.
Speaker 2:Yeah.
Speaker 1:Incident response plan is something you wanna wanna have in place before you need it. Having a printed copy of your of your policy is something you wanna have in place before. Yeah. Well, it's so true though. Oh, jeez.
Speaker 1:These stories all have origins and origins are pain. Right? Like somebody had this experience and the story has become this thing because of somebody else's pain. So just learn from other people's experience and just have a file somewhere. By the way, as a note on that, if you actually have an office with a door access control system that is connected to a computer that is required to be working in order for the door access control system to let you into the building, that should be a consideration of what happens if that system becomes unavailable.
Speaker 1:Not theoretical. Not a theoretical issue. My cyber insurance policy is inside my office. Beep.
Speaker 2:I can't get beep beep. Star, and RFID tags not working. Beep.
Speaker 1:I laugh from from just reflection on no personal experience of just horrible things.
Speaker 2:If I could offer anything in closing, right? Just to help people, look this is a big complex dynamic topic. It is very fluid, it's very dynamic. The answers of today may not be the answers of tomorrow. Advice.
Speaker 2:1, learn how to ask good questions. Because the answers are going to change, you need to be able to formulate good questions. And you need to be able to ask those of trusted advisors. So find people out there, right? Find a cyber security specialist.
Speaker 2:Find a good insurance broker. Find a good attorney and and put them into the room with each other in cases where that's that's necessary so that the outcome that you're you're looking to achieve, if it's achievable will be achieved, right? And then the second thing, you mentioned that grading scale of of you know, 1 to 10. How compliant am I? How good is my cyber posture?
Speaker 2:Do not let perfection be the enemy of good. If you are currently a 1 and you could make some easy changes that could make you a 6, yes, a 6 is not a 10, but a 6 is a whole lot better than a 1. Right? So so just because you can't be a 10 tomorrow, don't allow that to cause you to not take action. Right?
Speaker 2:Do do not let, perfection be the enemy of good.
Speaker 1:I love that. And it's not just posture, increasing posture and protections and controls are preventative actions and measures. So you're gonna prevent more, like, percentages of occurrences from taking place. But the other side of it is detection and response windows shrink. So you're you're really fighting this from 2 angles.
Speaker 1:The first one is, can you just prevent something from happening in the first place? That's, of course, ideal. But then the second thing is can you detect and then can you respond to it quickly? And can you shrink that window of time? And your story earlier of having a ransomware attack and having a 24 hour recovery with a very small, I mean, a $10,000 is nobody wants to write a check for $10,000, but a $10,000 check versus a 2 week outage and what comes along with that is a phenomenal outcome for that company.
Speaker 2:So Yeah. There's a there's a good friend of mine who's a CSO for a major university and he always he always says there's 2 types of companies in existence today. Those that know they've been hacked and those that don't. Right? And and you know there's absolutely no way so he's got a team of more than 60 individuals, right?
Speaker 2:They're all highly competent. There's no way that you can prevent all things, but for those things that you cannot prevent, can you control blast radius?
Speaker 1:Mhmm.
Speaker 2:That's that's really the focus. So prevent what can be prevented, but in the event you cannot prevent it, can you control blast radius?
Speaker 1:It's a great way to leave it. Joseph, thank you very much. This is fantastic, fascinating. I learn something new every time I talk to you, so it's great. And it's also, so many people are just stuck in the whole, like, cybersecurity bubble and what that actually means with the IT bubble, and being able to talk outside of that for a little bit and really get into risk and how this impacts insurance and business as a whole was great.
Speaker 2:I appreciate you having me, man. It was fun. Thank you.
Speaker 1:Thank you.