What happens after an organization has fallen victim to a cyberattack? In this podcast we carefully examine the benefits, value, and necessity of cyber liability insurance, including what may deny your claim.
[00:00:00.440] - Speaker 4
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity. With your host, Jason Pufahl and Steven Maresca.
[00:00:11.360] - Jason Pufahl
Welcome to the CyberSound Podcast. This week, we're being joined by Mike Cavanaugh. He's the Vice President of Insured Tech Growth at Boost Insurance. And as always, Jason Pufahl and Steve Maresca, your host here at Vancord. Mike, welcome. I appreciate you joining today.
[00:00:30.110] - Mike Cavanaugh
Yeah, thanks for having me so.
[00:00:32.740] - Jason Pufahl
Your background's insurance, my background's in security. Interestingly, over the last few years, we've seen intersection there in that cyber liability insurance as a mechanism or a tool to help businesses recover from your standard incident response at cyber threats that occur getting much more common. We have questions all the time around the value of cyber liability insurance. Frankly, whether it pays out in the event of some of these incidents, what is it?
[00:01:05.610] - Jason Pufahl
So let's spend a little time today discussing that in general terms. If you could spend a minute on really, frankly, what is cyber liability insurance? I think that'd be a great start.
[00:01:17.640] - Mike Cavanaugh
Yeah. So cyber liability is a bit of a unique insurance policy. Most people, when they think of insurance, it's, I have a slip and fall. So they'll pay the individual got hurt or somebody sues me for not performing a service. So they're demanding financial loss. They want some money back based on what their fees are.
[00:01:40.180] - Mike Cavanaugh
Cyber liability is different in that it's more of a proactive policy. It's designed to cover you, the insured of the company, for all the expenses that are incurred as a result of any number of cyber events, be it be data breach, business interruption claim, anything really that impedes your business is tied to cyber events. It's designed in a couple of different ways, especially it's really designed in response to a lot of past claims and regulatory changes. Perfect example is the target pack however, many years ago, if I can date myself as to how long I've been in the industry, I remember when that was the big claim back then.
[00:02:24.100] - Mike Cavanaugh
But the biggest concern then was notifying people and monitoring credit. Before then, it had to do with a different exposure for credit cards with the Heartland and TJ Maxx Groups. The policy is adapted over the years to cover what people are looking for. Most recently, ransomware, business interruption really responding to make the insured or make your company whole after you've suffered a breach.
[00:02:48.890] - Mike Cavanaugh
The policy is there to be there in your worst day. And unlike some other policies, it's there spontaneously. As soon as something happens, you pick up that phone and the carrier will respond to provide coverage for all the expenses that are tied to that.
[00:03:05.260] - Jason Pufahl
So one of the things, I call my limited expertise with cyber liability policies, I think one of the things that makes it feel unique to me is there's that reactive aspect, right? You've had an event and you call your carrier, but they all come with some proactive capabilities as well to improve your security program, if I recall, or at least many of them do?
[00:03:27.040] - Mike Cavanaugh
Yeah, the carriers over the years have made it really an effort to focus on education and benefits to having a policy. The idea of really an insurance, there's a couple of different ways you can have a better book of business. There's through better risk selection is really the big one, finding the better risk.
[00:03:48.930] - Mike Cavanaugh
So what they've done with cyber is try to create that book. They've tried to provide education to the insurance to make them a better risk, to really give them the resources, to better understand the exposures from social engineering, better understand in why behavioral analytics is the thing. All different aspects of cyber that people feel should be made aware of, the carriers are trying to get that information out there. They're looking to build a partnership more so on cyber than they are in other policies, because they want to make you a better risk.
[00:04:25.230] - Mike Cavanaugh
Some carriers bring that in house. They've actually gone so far as to hire to really acquire security vendors that will do everything from handsets vulnerability scans. They'll do it as a part of the underwriting process. And then we'll share the information with the insured, because it was vital information to make somebody a better risk.
[00:04:47.020] - Steven Maresca
So it's so unique in that... So on that front, what are common underwriting requirements? What steps do the insured need to take when engaging with cyber liability?
[00:04:59.890] - Jason Pufahl
Actually, maybe to follow under that, since then I think it's a segway, are there extra things a company could do to bring their policies down, the cost of the policy down at all?
[00:05:10.590] - Mike Cavanaugh
Yeah, so cyber liability, and you had score, really was built off of other types of policies. So as much as we're latched on to or it's tied to something that is apparently innovate, something new, something electronic, digital, they very much rely on old school application. It used to be like a 20 page application, now we slowed it down, but the idea of really collecting the most basic information about the insured infrastructure.
[00:05:38.570] - Mike Cavanaugh
It's one of the issues or one of the push backs we received from a lot of insured is really sharing that type of information, or how does the carrier know what's going on? How do they know that we have this level of security in place? But it all really comes back to the information provided by the insured. They're asking about things like, do you use encryption? Are you PCI compliant if you collect credit cards? All these things that really they've determined help them get a better sense of who the risk is and how secure they are.
[00:06:12.430] - Mike Cavanaugh
As of late in the last couple of years, there's been more insight or education on the carrier side. They've start to realize that you can't really get as much information as you need on an application. Whoever is filling out the application, chances are they don't have that ability to actually explain what's going on. They don't have an understanding of the network infrastructure.
[00:06:38.590] - Mike Cavanaugh
So what they've done is relied the and falling back on technology to provide the answer. It's been interesting to see how it's developed and where they've pulled the data points, everything from your basic vulnerability scan to maybe some more in depth set for a lot of larger risks. But what that's done is allow them to share information and say, let's say, in the security scan, we've identified that you have RDP, remote desktop protocol, open to the Internet. That's tied to a lot of claims. We want you to shut that down.
[00:07:14.010] - Mike Cavanaugh
What we want you to do x. We want you to do y.
[00:07:17.540] - Mike Cavanaugh
They will say that sometimes that is contingent on getting the coverage. Either you do not qualify unless you do that, or they might say, hey, you'll get a better rate if you do this. If you actually follow these recommendations, we will reward you, because now you are a better risk. Some carriers just go the root of just not wanting to write the risk at all. Others have taken that on themselves to understand that this is still a good risk. But if we work with them, we can potentially make them a better one.
[00:07:47.400] - Mike Cavanaugh
What's new is really some of these newer carriers that have jumped on the marketplace actually have that ability to make those recommendations in house. So we'll see some carriers I used to get on the phone with a couple of different carriers and would say, hey, we've noticed this about the insured. Do you think we could get on the phone with their IT team talking through? Maybe it was delivery.
[00:08:07.460] - Steven Maresca
So I'm curious if there are implications for organizations that want to pursue cyber liability insurance but have already experienced a breach, or if not a breach, an incident of some kind that maybe heightened their awareness of such services and motivated their pursuit of it. Does it harm their engagement with liability? Does it alter that premium. What's the impact?
[00:08:31.330] - Mike Cavanaugh
Yeah. So it's funny, we ultimately say that if somebody comes in with a breach, if we get an application who's had a breach, they've had an interruption event, they've had some ransomware, the idea is that they've had their event, or at least until the last year and a half, or so they've had their event. They've become a better it.
[00:08:49.710] - Steven Maresca
[00:08:50.600] - Mike Cavanaugh
Yeah, they've identified you have to realize that people are doing things in response. In a lot of cases, they're getting the insurance, because they've already had to go through. They understood how much it can actually cost. So why not invest in this insurance policy, which can help me with a lot of it, either on the front end or in response to a claim?
[00:09:09.650] - Mike Cavanaugh
People will write insurance with claims, even if they're really bad, you may have a higher premium. There might be certain requirements and saying, hey, you've got to implement two factor authentication. Things that the carriers see is a sign of having a savvier insured, if you will, or just asking questions about what you've done to improve your exposure. Have you upgraded all of your systems beyond Windows 7? Little things like that that make perfect sense to somebody who is in security.
[00:09:42.560] - Mike Cavanaugh
These carriers are now understanding that these are the questions we should be asking. And if somebody shows up and they've had an event, they're not going to fault them. Unlike a lot of other insurance policies, they understand that things are going to happen. It's how you respond, that really makes you a better risk or bad risk, what have you.
[00:10:00.210] - Jason Pufahl
So it's good to hear that because I know, I'll call it the tail of a lot of the Internet response for it that we do often is, in the improvement space, right? So you really do all that containment work and then that recovery. And then there's almost always discussions around what do we do to help prevent this from happening again? So it's interesting that the insurance companies recognize somebody who's had an incident almost as a better risk at that point because they know they've made some improvements, right?
[00:10:29.870] - Jason Pufahl
So you and I had the opportunity to meet at a insurance conference essentially, right? And the thing that might take away as a non-insurance practitioner was all the carriers were promoting the challenges they had in underwriting. And I'd say it was pretty clear that costs are expected to probably go off at times or over time here. And I'm wondering, one, do you concur with that idea that that probably the not too distant future costs will go up? But then I'm wondering, will there be ongoing requirements for a company to prove that they've got a security program in place or maybe an evolving security program?
[00:11:13.210] - Mike Cavanaugh
Yeah, I think costs are definitely going to increase. There's a lot in the insurance industry, like you mentioned, we were at that conference, and you hear a lot of people talk about how, yeah, these expenses are through the roof. It's being driven by this, it's being driven by that. It's going to have a huge impact on the marketplace. Everything was fine before.
[00:11:32.660] - Mike Cavanaugh
Well, cyber insurance has only been around for 15 years, really. And that's even a stretch. I mean, I've been in the insurance industry for the last 13 years. I was working on cyber from day one. And even then, they looked drastically different than they used to. So my perspective is how do we even know that these are not the expenses that should be occurred?
[00:11:57.750] - Mike Cavanaugh
There's a lot of battle within the industry. But what we've done is realize that these expenses are going to be more than we expected, whether or not that is just because of the nature of the environment right now, you're riding the wave of ransomware, or we underestimated the actual expenses. There's a bunch of different perspectives on it, but I think what people have become or meaning carriers on the underwriting side to boost that profit, to boost the premium so that they can cover those claims, they have become more stringent on the type of risk that they're willing to pick up, the type of company that they're looking to write.
[00:12:35.130] - Mike Cavanaugh
Some carriers will just decide not to write anything that's a little bit risky, and that's fine, and if they felt that's going to be a benefit. Others have said, we're not going to write you as a huge company for x limits because you're a big company. You're a pipeline, what have you. Still being figured out, but there's definitely been some ships in that area.
[00:13:00.680] - Steven Maresca
Right. So in the vein of controlling expenses, do you have any tips for potential customers who want to know about mechanisms for determining appropriate coverages limits and in similar?
[00:13:15.960] - Mike Cavanaugh
Yeah, I mean, I would definitely figure out like any security review. You've got to know what's on your network. The first step, figuring out what you're covering. It's not like we're covering the property damage aspect of it. So you don't necessarily need to know, hey, I've got this server, I've got this computer, but at least some understanding of what your exposure looks like. How many endpoints do you have? What type of security are you using? Is it everything in house or you're utilizing something like Carbon Black, or Palo Alto, whatever?
[00:13:52.020] - Mike Cavanaugh
Understanding your exposure and being able to explain that to an agent. There's a lot of agents out there that don't really understand cyber. They just don't get it. It's still a relatively new coverage. They're learning it as they go along. So it's incredibly important to work with someone who does understand that exposure.
[00:14:10.320] - Mike Cavanaugh
That could be an agent. If the agent doesn't now, make sure that they're working with someone who does. That could be the carrier. That could be a wholesaler who can help them access more specialty markets. What they can do in terms of figuring out how can we get to a better price? There's a lot of different levers you can phone in terms of limits, deductibles, different types of coverage, really comes down to who the insured is?
[00:14:38.550] - Mike Cavanaugh
I personally don't think there is one best carrier in the marketplace. I think there's the best carrier for that individual company. There's the best carrier for them. So working with deductibles saying, hey, I'm willing to take on this additional risk. I might need to have a a five million dollar limit by contract. Can I bear the cost of the $25,000 deductible to bring that price down? No, it really comes down to the individual companies tolerance for that.
[00:15:06.840] - Mike Cavanaugh
I will say that most people in the marketplace really buy a million dollar limit. The reason being that covers the exposure from what we've seen through cyber extortion, social engineering, business interruption, all of the exposure, because the way the policies are set up is to cover the expenses as they happen. On day one, I say, hey, I've had a breach, I think. Notify the carrier. They're going to roll out the forensics.
[00:15:32.610] - Mike Cavanaugh
Those expenses can be pretty significant just before you figure out what's going on. And then slowly but surely, you hit all the different coverages until you realize that this was a lot more expensive than we expected. It's trying to assess that exposure, what your tolerance is. And that could be premium. That could be the limit. That could be the coverage. You can decide to get rid of certain coverage that does not really matter to you based on that exposure.
[00:16:03.980] - Mike Cavanaugh
I think there's a lot most important thing is working with those agents that understand or are willing to take the time to understand what your actual risk is and what your tolerance is to premium, limits, deductibles, and everything. That will help you put together a comprehensive program that will put you in.
[00:16:20.010] - Jason Pufahl
So here's one of the things, though, that I think that you're touching on that I think is really helpful. I really want to point it out specifically, which is cyber liability insurance is not a substitute for a good security program. And I've actually had customers say to me, we don't need to make investments because I've got insurance. And I'll throw you a softball. I assume that you'll collaborate my idea here.
[00:16:48.230] - Jason Pufahl
But the reality is they're both in support of each other. You'll get better reach with insurance if you have a good program. And the reality is you're expecting clients to have at least a baseline of security, right? And the better the security program, frankly, the better the rates, the better the coverage, right?
[00:17:05.600] - Mike Cavanaugh
Yeah. I mean, I don't really see a cyber security in general. It's not a risk that can be solved. I don't care how much money you throw at it from a technology side or from an insurance side. It cannot be solved. It can only be managed.
[00:17:19.570] - Mike Cavanaugh
And really putting together the best risk management program incorporates both. If technology incorporates building out an infrastructure that's as secure as you can make it, as well as having an insurance policy, because something's going to happen, it's always going to happen. We have to be right hundred percent of the time. The [inaudible 00:17:41] attackers only have to be right once.
[00:17:43.420] - Jason Pufahl
[00:17:43.840] - Mike Cavanaugh
That's the one you need the trip you here consistently. But the really the only way to create a comprehensive risk management program just to cover that company, to make everything secure, to keep that company going on it's worse days to really have both. They complement each other.
[00:17:59.940] - Jason Pufahl
So I know we're running up against time here. There is one more question that I specifically want to get out, which is, is there anything that really could result in a denied claim? Because I know that's one of the questions that we often get is how legitimate product is this? Are they just looking to find ways not to pay? And frankly, in our experience, we've had great luck with cyber liability reimbursements.
[00:18:23.020] - Jason Pufahl
But I wonder if there's anything that you see as an obvious red flag that folks should be aware of.
[00:18:28.170] - Mike Cavanaugh
Yeah, I always hear when I would speak to insureds, when I would speak to their [inaudible 00:18:35], I don't think that cyber insurance pays. I don't know why you're here presenting this. While that's not a great way to start a meeting, it is an opportunity to explain that it's not like your typical policy. It doesn't just wait for that lawsuit to come in. There's a lot of expenses that can be incurred.
[00:18:52.800] - Mike Cavanaugh
And frankly, I mean, statistics that we're seeing in the marketplace so that 95 percent or more of these claims are being covered. The only ones you hear about are the ones that are client. People don't share that, hey, this company pays $10 million to make me whole again, for a couple of different views. One, they don't want to talk about it. Two, they may not be able to talk about it.
[00:19:15.170] - Mike Cavanaugh
But there is a lot of coverage out there. Now in terms of what can result in a denied claim, that is within the insurance control, reporting the claim. Don't be afraid. This is not auto insurance.
[00:19:28.340] - Mike Cavanaugh
The carrier wants to work with you on these claims. They want you to call that number to speak with their breach coach. It doesn't get jotted down as a potential claim. So at the renewal, they're not going to ding you for premium increase. That's a big misconception. The carriers want to work with you as soon as possible to mitigate the damage, work on those expenses, have a better understanding of the timeline of what's going on.
[00:19:56.060] - Mike Cavanaugh
So really staying in touch with the carrier, do not be afraid to reach out to them. If you think something happened. They spend a ton of money creating an infrastructure that can handle those claims. Now, the other one that is really tied to any insurance is filling out an application, not necessarily having the right information out there.
[00:20:18.400] - Mike Cavanaugh
Again, cyber is still a relatively young industry, so there's a lot of, it's gray, we pay, so to speak. But it benefits a lot of the insureds. And make sure that if you are concerned, get on the phone with the carrier. They're better than me. You are working with them. There is a partnership there. Get on the phone with the carrier. Talk it through and figure out what's going on.
[00:20:40.510] - Mike Cavanaugh
And again, that goes back to why you should have a great agent, agents that understand them at the right partnerships.
[00:20:46.490] - Jason Pufahl
That makes a ton of sense. And it's interesting the partnership aspect that you touch on here, it clearly is much more of that. The goal is the risk is reduced for both sides, the better your communication flow is, so early and often and mitigate the stuff before it becomes something serious.
[00:21:08.010] - Jason Pufahl
But I know we're up against time. Mike, personally, I really appreciate you joining today. I think it's been really informative. Honestly, every time I chat with you, I learn little something, so this is good for me, personally. I hope that everybody listening to this get some value out of as well. So I want to say thanks for joining.
[00:21:25.320] - Jason Pufahl
And if anybody is interested in hearing more about cyber liability insurance or maybe touching on some of the nuance today, feel free to reach out at Vancord Security and Twitter, and we can bring Mike back in and have a further conversation, so thanks, Mike.
[00:21:37.440] - Mike Cavanaugh
I'm a bit of a cyber insurance nerd, so I'm always at the top there.
[00:21:41.740] - Jason Pufahl
You are that, for sure, so thanks.
[00:21:43.470] - Mike Cavanaugh
[00:21:46.380] - Speaker 4
Stay vigilant. Stay resilient. This has been CyberSound.