Recently IT Voice CEO, Will Slappey, had the opportunity to speak with Mike Roman to learn all about Cyber Insurance. Mike serves as a Vice President and the Lead Risk Consultant for the property and casualty department at Valent Group, a southeastern risk consulting firm. Mike’s primary focus includes leading the property and casualty department in the analysis of risk and finding solutions for clients. Additionally, he serves as the practice lead for Cyber Liability and Management Liability. His experience includes structuring Directors and Officers Liability and Cyber Liability insurance programs for private and public companies, including into the Fortune 1000 ranks. Additionally, he is a frequent speaker and panelist on today’s growing cyber threat exposure faced by every company. We were so excited to be able to pick his brain a little bit about Cyber Insurance.
What is Cyber Insurance?
Just as you have insurance for your automobile in case there is an accident, or insurance on your building in case there is a fire, Cyber Insurance is meant to provide a company with funds in case it is sued or experiences a loss following a cyber event.
What is a Cyber Event? Here are a few examples:
1.) When a company's systems are shut down by ransomware. We hear stories in the news about this every day, often involving threat actors operating in other countries. With your systems shut down you cannot work, which leads to a loss of revenue. It can also lead to a security breach, with your client information held in the balance.
2.) A paper breach. Mike uses the example of a hospital after the tornado in Joplin, Missouri. This tragic event leveled a hospital. Patient records were found hundreds of miles away. That is a breach of protected health information, and a cyber policy would respond to help them in that case.
3.) Social engineering fraud. For instance, someone emails the controller pretending to be the CEO and the controller releases funds. Most Cyber Policies will offer a sublimit for social engineering fraud.
A Cyber Policy is going to come in to provide you with lots of help. Not just monetary help, though that is a part of it. The money will pay the ransom. It will also defend your company in the event of a lawsuit. But it will also give you access to a breach coach to help you through the event. If your company keeps client records containing information such as names, addresses and account numbers, and that information gets out into the public, someone who is harmed as a result may decide to sue. A Cyber Policy will defend you.
The Cyber Policies available today are broad and cover a wide range of personally identifiable information breaches and other cyber events. Mike mentions that over the last 3 or 4 years about 1 in 5 of his clients experienced a breach, and each one was covered and protected by their cyber policy.
“You are more likely to have a cyber event than you are to have a fire.”
In his experience, businesses have needed to use their cyber policies more than their general liability or fire insurance. There are few people out there who are interested in setting fire to your building. The unfortunate fact is that our data is under attack every day. There are threat actors working diligently to gain access to your business data, to sell it or hold it for ransom.
What Happens if You Become the Victim of a Ransom Demand (Cyber Extortion)?
The biggest thing is that the policy will pay the ransom demand. A breach coach will assist with this process. The breach coach is hired by the insurance company and can navigate the process of paying in bitcoin through a trusted vendor. The breach coach is almost always part of a law firm, so all communications are privileged. They have dealt with thousands of similar events and are skilled at handling an extortion event; they will negotiate with the bad actors and quite often can negotiate the amount down. The breach coach is one of the most valuable aspects of a Cyber Policy. The money is great, and knowing you have financial backup is as well.
“But when everything hits the fan and you are in panic mode, you’re going to be able to talk with somebody that has gone through this so many times. They are going to make you feel much better and they’re going to be much more efficient at it.”
What are risks that are not covered?
Most of the cyber policies today are extremely broad. However, they will not cover a widespread internet or power outage. War or invasion is not covered. If your company does not have multifactor authentication on all of its systems, you may not be able to get insurance at all. It is also very important that you have endpoint protection in place. The underwriting process and the controls you have in place will dictate what kinds of policies are available to you.
What happens if you are denied?
It is common for an application to be denied. It is important to work with a broker who can submit the application with a narrative that describes all the controls you have in place. The broker will work with the insurer to make sure the correct systems are in place, and present that information to the insurance company. So it is especially important to work with a broker who understands the IT world.
What kind of information will you need to start getting coverage?
Reach out to your current agent or broker to get some quotes. They will be able to tell you where you are exposed, and whether Cyber Insurance is something you need. If you have low exposure, the cost could be very low. There can be questions on the application that are not intuitive. If this is the first time you are buying cyber insurance, the broker can help you with these questions, and in some cases will advise you to leave a question blank until more information can be gathered.
Ransomware is a huge global business. The software can be bought by someone with very little technical experience, and it comes with 24/7 support and a contract. As these threats become more prevalent, it is especially important that the average business takes steps to protect itself. A common misconception is that businesses that outsource their credit card processing to a third party are no longer responsible for that data. That is not the case. You are responsible for protecting the data and notifying your customers. It is worth having a conversation with a professional to understand what your business needs. In some cases, if there is low exposure, a policy might not cost very much upfront and could save your business a great deal of time and money in the long run.