The right cyber insurance policy can be your fortress against digital disasters. This episode dives deep into the ever-evolving world of cyber insurance. We asked listeners what questions they had about cyber insurance and compiled the most popular to ask special guest Mike Roman.
In this era of interconnectedness, we're all vulnerable to cyberattacks, whether you're a multinational corporation or a solo entrepreneur.
In this episode we cover:
- Tips for cost-effective coverage
- Common coverage gaps and how to avoid them
- Steps to take after a breach
Knowledge is power, and your cybersecurity journey should be an informed one. So, gear up, tune in, and become part of our ever-growing community of cyber-savvy individuals, because in this digital age, your questions are the keys to your online safety. Join us and together, let's navigate the cyber insurance landscape, one question at a time!
Will Slappey: Welcome to Technology Simplified, Tech Talk Everyone Can Understand. I'm your host, Will Slappey, CEO of IT Voice. Today, we're happy to have Mike Roman back on the show. Mike serves as a vice president and the lead risk consultant for the property and casualty department at Valant Group, a southeastern risk consulting firm.
Mike's primary focus includes leading the property and casualty department in the analysis of risk and finding solutions for clients. Last time we had Mike on the show, he spoke about the importance of cyber insurance, and he made some really awesome points about all the things a cyber policy will cover, like financial protection, reputation management, regulatory compliance, risk mitigation. The list goes on. If you don't have a policy yet, chances are that you need one. So, we're not going to go into that too much this time, but I will put a link to that podcast in the description in case any of our listeners are curious and want to go back and listen to that.
We have compiled a list of the top questions our clients have when it comes to cyber insurance, and we're excited to have Michael and pick your brain, Mike.
So the first question from our clients, the ones that everybody wanted to know is this one about the bottom line. Can you get a better rate for having a robust cybersecurity posture and how can they demonstrate that to the insurance company?
Mike Roman: So the short answer is absolutely, a robust cybersecurity program, controls absolutely can get you a better rate. Beyond that, it goes to the marketability of your company's cyber insurance policy. So the better protection and protocols, procedures that you have in place, you'll get more insurers on the train, so to speak. It goes not only towards the marketability and terms or coverages that you can secure, depending on the risk.
We may have to use what we call manuscript endorsements to provide certain special coverages that aren't often or necessarily included in most cyber policies. And that doesn't happen too often, but there have been times where I had to write out an endorsement and get it approved by the insurance company, and they send it to their legal department to say, "Look, are we good with this?"
Providing this coverage or this language, and then they'll approve it and we get it put into the policy. So having your company's cybersecurity controls and procedures, having a very robust program in place contributes to all those factors. If that makes sense.
Will Slappey: Yeah, it makes a lot of sense, and I'm glad for the extra flavor you added there because it sounds like the better program you have in place, the more interest you're going to get, and from just a supply and demand perspective, the more insurance companies who want your business, the better the price will be. But then also, not only the price, but you can get access to better quality insurance that covers more.
I know we talked some last time about different sub-limits and things like that. So even if the price is the same, it might be a better value for what you're getting and who the company is that's underwriting, etc., which brings me to the next question that some of the listeners had, which is, what are some of those common gaps or oversights in cyber policies that they should be aware of?
Mike Roman: Well, the good news is that nowadays, as the cyber insurance market has evolved from 15 to 20 years ago, when I first started placing the coverage, those days were the infancy years for cyber insurance, about two decades ago. But as the years have gone by, more insurers have jumped into the space because over the last 10 years, cyber insurance was the fastest-selling line of insurance there was for new business. And probably still is. But over the years, as new insurers have jumped into the space, well, that creates competition, which is good. So everybody's had to make their form and coverage broader. They had to get better and better on breach response.
So as the policies have evolved, they've become very broad. I alluded to that in our last podcast because from my standpoint, from our world, cyber insurance is very broad. It's really good insurance pretty much across the board nowadays. From all your insurers, whether it's Beazley, CNA, Hartford or Chubb, and I'm not going to mention them all, but for most of the insurers we place with, the coverage is great.
With respect to coverage gaps, that kind of comes down to, I'll say working with your broker to discuss your company's risk. What do you do? What exposure do we have? That's an analysis standpoint. For example, I'll point out two things. Do you have protected health information, or what type of protected private information do you have? Do you have protected financial information? What type of information and how many people or records, as our world uses that phrase record? What's your record count? Are you a credit union with 100,000 members? Well, that's pretty big, or that's substantial. That's material. If we have a breach, we want to be able to pay for credit monitoring and identity theft restoration. For all our 100,000 members, the policies can be structured to say we're going to do credit monitoring for every affected individual, and it's gonna be outside, there's no money cap, which is great. So it can be structured in different ways. As far as the actual gaps, again, I go back to the fact you have to talk with your broker. Another example would be, "Okay, we're a company that provides software as a service to schedule bus routes for educational K through 12."
Okay. Bus routes. Okay. Well, do you have protected information? No, not really. Well, what can happen? Our scheduling software can theoretically cross a bus over a train track or into a bad traffic area. It can cause an accident, and children can get hurt. This has actually happened.
That's actually a true story. So guess what? If I was the broker, what I would do is I would want to add a contingent bodily injury endorsement to their cyber policy because I'm not sure, I'm not positive that their general liability would cover that. It may have a professional liability exclusion. If it does, then we need to have something on the cyber side.
If we have both, well, then it's good. I've got redundancy there. So again, the policies, as a broad statement, are extremely broad these days. And as far as gaps, you just really have to analyze the risk and make sure you got to get line by line through these policies and say, is this enough? Is this appropriate? Do I have what I need?
Will Slappey: Yeah. Yeah. No, I hadn't even thought about the crossover, how something that can initiate as a cyber issue could affect the real world, and now you've got bodily harm that's being caused as a result of a cyber breach. Definitely important to have a broker that can help you stitch all of that together and make sure that all of the little pieces of your insurance puzzle give you the right protection that you need for your type of business. So how can we ensure, and this is the next question, how can we ensure continuous coverage? Are there any actions that can void a cyber insurance policy that our listeners should be aware of?
Mike Roman: That's a good question. A couple of thoughts. Number one, in most policies, there are cancellation terms. They actually have, in the general terms and conditions, they will specify under which circumstances the insurer can cancel a policy.
Typically, it says they can cancel within 10 days for nonpayment, and that's backed up by law, but they can't cancel without providing 30 days advance notice for essentially any other reason. So if the insurer relies on the application that was sent in. Okay, so if in the application, we said, "Hey, we're a donut shop. We sell donuts. We have two locations," but then they find out they're also providing some IT services, which is crazy. But I've seen crazy things.
Will Slappey: They're doing surgeries or something in the back
Mike Roman: room. Donuts in front and surgeries in the back. So come on in. So, if they find out that, hey, this is not what we were told.
This is a material change in risk that we were not aware of, and we don't want a part of it. So they would have to give 30 days advance notice, and they can say we're canceling. That is extremely rare. These days, I just don't see that very often at all.
So essentially, the first thing that we have to do is you need to fill out the application as closely as you can to representing your risk. And I also want to say that typically, those applications, insurance is a legal contract. Those applications, in most cases, become part of the legal contract.
So the application becomes a legal document. So we want to convey the truth and an accurate picture and get that to the insurance company. The way to ensure continuous coverage is by having a good application. If you have a loss or a claim, you don't necessarily need to freak out or get nervous that they're going to cancel.
Typically, they're not going to cancel you midterm for a claim. They may not renew at the end, but again, as you get with your broker and you get your applications and your exposure, your risk out to the market 90 days in advance of the renewal. Most insurers must provide at least 45 days by law to tell you they're not renewing.
So you're going to get a letter from the insurer. And so it's your broker's job to say, you know what? We're not going to be there anymore. It happens. But again, if you think about the world, if I'm an insurer, a reputation of not renewing simply because they had a Cyber insured to get a reputation like that. It doesn't happen too often. It can. But I guess within the last three or four years, about 25 percent of my clients have had cyber events. So currently, I have about, I'll say about 40 clients.
So that means at least 10 have had claims reported to the insurer. I can't think of one that, well, I only had one that was, came up for renewal. It was two years after the claim, and the insurer said, okay, we're going to come off of the primary. So it doesn't happen very often.
So with continuous coverage, get a good application, work with the insurer, work with your broker. If you have a claim, get into the insurer right away, and you should be fine.
Will Slappey: I think that's it. And I assume that all is pending on what you said earlier, which is giving the honest truth, right?
If you lie and say we have two-factor authentication, and you don't on the back end. That's correct. Like you said, it's a part of the contract. It's part of the legal contract. And if you say you have all these cyber protections in place and then don't, then I assume they don't have to cover.
Mike Roman: That's correct. Yeah. Not with our, not with us or our agency, but that actually happened. I saw it on. There's so many publications and Internet sites and stuff. So that happened recently with somebody. They said that very thing they had multi-factor. They didn't, and the insurer denied the claim. So that will happen.
Will Slappey: So the next question we have here, and we're often asked to, us being the voice to be the bridge between the insurance company and the business is looking for the cyber insurance coverage. Sometimes there are technical terms or jargon that are hard to understand. Can you give a little language lesson?
Are there any terms that often your customers need help to understand or to clarify?
Mike Roman: So you're referring to insurance terms, correct? Yeah,
Will Slappey: I guess it could be insurance or even technical. Sometimes like, like we threw out two-factor authentication, which I probably most of our listeners know what that is.
But, jargon like that or insurance jargon, this just, your average business person may not know what it means. Okay, I would throw it out at you as an example, Mike, but I don't know enough to know what this would be.
Mike Roman: No, that's all right. That's all right. So jargon is we run into it quite a bit on both sides of the coin.
Let's start with actual IT. Now, I will tell everybody out there. I am not an expert. I know what I need to know in order to cover a risk. But after doing this for so long, you get a handle on the best thing that if you want, this is what we tell insurers or, prospects, companies, whatever, if they don't have cyber, or they want to know how to get a better rate or just be more secure. Look at an insurance application for a new policy, not a renewal. 'cause the renewal questionnaires are typically like three pages. But an initial application could be anywhere from seven to 15 pages. I have one from an insurance company, it's like 15 pages long.
It asks all these questions about certain protocols and procedures, whether it's endpoint detection, MFA, it asks all that stuff and it has all those terms and jargon, that jargon in there. And if I'll say a typical business isn't going to know all that stuff.
Matter of fact, many of our clients don't run their own IT program. They outsource their IT platform. So guess what? We have to get that application over to be filled out. I'll say filled out, but we have to get the answers from that outsourced third-party IT support or company because they're the ones that have the controls in place, they're the ones that have the firewalls and updates and everything else.
I will hone in on the top ones that we run into is a virtual private network. Backups. How are, how are your backups? How is that handled? Endpoint detection, EDR, endpoint detection, monitoring and response, and then MFA multi-factor authentication. So the best, I'll say the best platforms have these things right now.
Number one, You have antivirus and firewall, okay, and we're talking commercial grade, you have an EDR system that monitors your endpoints, the actual users, what's going on, any anomalous traffic, running through you use MFA across the board, that means through some type of platform, whether it's Okta or some other system, your employees have to go through a multi-factor authentication procedure, whether probably on your phone to get you into your email, get you into the system if you're working remotely or get into backups.
And that's the one I see that a lot of companies don't have is the MFA for accessing backups. So you need the MFA for every access point that there is. And then the other one, which we're going to talk about in just a second, because we should probably mention the MGM breach. But the other one is social engineering.
We are a subsidiary of a large company and we get annual or even semi-annual training on recognizing phishing emails or phishing attempts. And that's extremely important. And we should mention that MGM here in a minute. But that's on the company side on the insurance side, there's going to be lots of terms, frankly, that at times it's going to be like, "Well, what is that?"
I don't know how far into depth I would want to go in that. All these policies from a liability perspective will be claims made and reported policies. I think that's probably the most important thing I should mention. If and when you have a breach or a claim, you have to notify the insurer during the policy period.
Okay? If you don't, or you wait so long, even if you typically the wording is you have to report it as soon as practical, but no later than within the policy period. If you don't, they can deny the claim. So if you have a breach and your policy is January 1 to January 1, if you have a breach on the 10th, you don't bother to tell the insurer till October.
You have jeopardized their ability to contain, handle and adjust that claim. There's a good chance they'll deny that claim. So we want to report it quickly. And you don't have to worry if it, if something happens on the last day of the policy period, there's a built-in extended reporting period of 30 to 60 days or so.
But reporting periods reporting to the carrier is very important.
Will Slappey: Yeah, that's good to know. So since you're talking about breaches there, and this is the next question: what should a company do after a breach? Is there, and I guess you already answered the second part of this question, is there a certain amount of time that they have to notify their insurance company?
And I think you answered that, which is as soon as practically possible. Which sounds immediate to me. Are there any other things that they should do other than notifying their insurance company immediately that the company should do after a breach?
Mike Roman: Sure. Let me start out by saying let's do something before the breach: run a tabletop drill. If you don't have it, simply raise employees' awareness. Send out an email to all your employees saying, "Hey, look, phishing is a popular thing. Please, if anything looks suspicious, don't click on the links." That one email that takes 20 seconds to send out might save you millions of dollars.
But run tabletop drills, get with your head of IT and say, "Look, if I shut the system down right now, what are we going to do? If I turn our system off, what are we going to do? Can we run by paper? How bad is this going to be? Who's going to be calling whom?" So that's beforehand. I can't stress enough. The preparations, whether it's tabletop drills, buying insurance, communication, having quarterly meetings on cyber awareness. So, that's important. But after a breach, let's assume if you have insurance, the first thing you're going to want to do is report the breach. If that's what you want to do, report the breach to the insurance company. Now, typically, in most cyber policies, they provide a 1-800 number, which you can find, but what I found is typically I either get a text or an email and it's almost always on a weekend.
The hackers, they just love to interrupt our weekends,
Will Slappey: Especially long weekends too, like we'll see a Labor Day or July 4th or something where there'll be a spike because they're waiting for the IT professionals to not be on guard and be watching the alerts. And then that's where they go after the rest of us.
Mike Roman: That's exactly right. You nailed it. It's very true. When we get notified, we talk with the insured and talk it through because you may or may not want to report the breach at that time for a variety of reasons. But we would turn it into the insurance company. And typically, even on a weekend, the insurance company and/or the breach coach will reach out to the contact at the company. To get an idea of the extent of the breach, what happened, what's happening now, they may be shut down and, they're being held ransom. So we've got to work on that. I will tell you that if you have a breach and it's, I'll just say material or substantial the breach coaches are really good.
These are law firms that this is all they really do, whether it's a Mullen Coughlin out of the Northeast. They can negotiate the ransom demand down if you want to pay it.
Getting in touch with the breach coach is probably one of the first things you want to do. Now it's internal, who you calling? Who's responding? Who's coming into the office? What are we going to do? It's that communication is probably the next major step that you have got to take.
Let's collaborate, collaborate, and take action.
Will Slappey: No, a lot of really good information there, Mike. And many of our listeners may not realize like, hey, having that breach coach who's been through this before knows what the options are and how to do it can be invaluable.
You also mentioned the security awareness training a multitude of times. You can send out the email like you mentioned, but there's all sorts of professional versions of that that will walk people through it. Even real-life tasks that you can, like, send, fake phishing.
It's like a, like, phishing a phish to the employees and even see, like, how do your employees, perform. And there's all sorts of tools on the front end to even prevent people from getting all those emails and whatnot. Definitely like your perspective of, hey, Let's try to prevent getting a breach.
First of all, but some really good thoughts if something does happen. So the next question we got here is that they want to make sure that coverage stays relevant. Obviously, the world of cyber is always changing. Is there or how often do you recommend that a client review their cyber policy?
Mike Roman: Given how often things change. Yeah, that's a good question. I'll return to one of my earlier responses in that these policies got sharp and broadened to cover most conceivable situations. I'll put it that way. That said, this is such a dynamic environment. But I will say that the cyber insurance isn't really getting worse. If anything, it typically gets better. Now over the last couple of years, the cyber insurance market. It went into a hard market. Okay. Underwriting was just brutal. If you didn't have MFA, there was a good chance you weren't even going to get insurance.
Okay. So we went into a hard market. Prices doubled. I had a client that went from paying 50,000 to 100,000 in one year. It was brutal. But the good news is, and that's that was a result of that all the markets just getting pounded with essentially ransomware claims and they lost their tail.
Their underwriting ratios. Profits were horrible. So they had to get rate and they took and they also play some made the coverage a little bit more restrictive. However, they regained their rate, they got back to a better place. And so pricing now is stable. Okay. If you're a, I'll say a standard company with good controls and with a decent insurer, you probably should have a near a flat renewal.
Okay. Which is good news. So pricing is good. But with respect to reviewing your policy, I think that's something you should do every year before renewal with your broker. Again, we typically start most brokerages start about 90 days out from renewal. You get an application package together. You send it to the client.
It's around that time where you probably want to just have a conversation with your broker, because maybe you've been buying a million dollar limit, but you started buying that five years ago when your sales were eight million. Now your sales are 40. Well, you might want a higher limit.
So it's things like that where every year go ahead and review it. Talk with your broker.
Will Slappey: Yeah, and that's a great point that it's not just about what's changing out there. It's also about what's changing in here. Where you may have exposure, like you mentioned the private records that you may have.
Maybe you didn't have private records two years ago, and now you started a new division and you did start a surgery center in the back and you need to update what you're being covered on. I think that's both looking at external factors and internal.
The last question that we have here is, are there any new risks that you see on the horizon? Often, we're asked about current trends and cyber threats. And are there any things that you've seen pop up recently that maybe for the first time popped up, or other things that you've heard about in the market that are coming at us that are new risks?
Mike Roman: No, I'll put it that way. What has happened in the last year? Like, a year ago, two years ago the ransomware and social engineering hacking was prevalent. It was the number one approach out there by the bad actors. The actual hacks, I'll say hacks events and ransomware demands actually trailed off over the last nine to twelve months.
But it started up again with fervor here in the start of 2023 and they're back at it. The number one thing that I've noticed within the world or our space is the hackers have realized it's getting harder to technically hack into a system. Okay. It's just that our coverage not coverages our protocols, procedures as a nation were, we, we're putting the firewalls in, we're putting the EDR in, we're putting the MFA in, and the hackers are getting irritated.
So they're now, they're really heavily focusing on social engineering. And what do I mean by that? Let's talk briefly about the MGM hack. So when I say social engineering, what the hackers did, I think they're called Scattered Spider. Well, what Scattered Spider did is they went onto LinkedIn and they found the head of IT for MGM and they read all about them.
Got his name. And ironically about a week before the MGM hack, Caesar's Palace got hacked by the same group. But in the MGM hack, they got all this information and they pretended to be this guy and they called into the help desk. Said, “Hey, this is John, get me Susie. I'm having a hard time logging in.” It was a 10 minute phone call. They got his login credentials, and the minute they got in, they dropped the firewalls, they dropped the backups, they dropped so many things, all the preventions because of his domain access credentials. So they were in, at the top.
I'm chuckling. It's not funny, but it's I guess I chuckle because, these hackers are just like, it's amazing what you can do. So I guess what I'm saying to the listeners out there is you've got to train your employees. We can't just give somebody, especially a head of IT their passwords to get into the system.
Just over a phone call, there's gotta be more controls from a person or a people perspective. I was a pilot in the Navy in my former career. And throughout history, our mishap rate got better and better and better. And in the 90s, the mishap rate was as low as it can get.
But mishaps, in the Navy and in aviation, most of them are human error. Well, that's what we're getting to in this space. It's human error and it's going to continue to be. If I ran a company, that's probably the number one place now that I would focus my attention is get every employee out there and figure out some way the MGM event won't happen to us.
Will Slappey: Yeah. Yeah. No, I think that's a really good point to end on, Mike. And just so our listeners know out there, there's all sorts of tools. I mentioned it before, but not only can you train your people about that. And Mike, to your point, the statistics I've seen have all been 85 to 90 percent of all breaches have some sort of human error that led to the breach. And yeah, it's a huge and, of course, you've got to have all the MFA and the firewalls and all those pieces. You certainly need to have, but you're exactly right. More and more of it's coming down to the human error element. Security awareness training to train your people and then also test your people, like, be able to see, are they learning it?
And I even know one company that's in our space that there were upstream providers and they actually have a three-strike policy is how serious that they are about it. So if they have an employee that actually fails, like the cyber testing three times, then they terminate them. It's part of who they are but they're providing tools to companies like ours. And so they just take it very seriously because of the level of damage. And with that, and I'm not necessarily recommending that all the listeners out there have that, but it causes all of their employees to take it extremely seriously. You would, a lot of companies have no other similar policies. Somebody, that's something they're not supposed to do. There's consequences associated with that. So there is a lot for businesses to consider. We have in our employee handbook, all sorts of things that you can and can't do right. Because of the damage it would cause a business. And the same is true in the cyber world as well. Your employees can be your human firewall to protect you, or they can be an open door. And so I think that's a really good point to end on for everybody to take into consideration.
Well, that's all the time we have for today's episode of Technology Simplified. Mike, thank you again so much for coming on. Mike here from the Valant Group, thanks for joining us again. The importance of cyber insurance has grown significantly in today's digital age due to the increasing frequency and sophistication of cyber threats. Cyber insurance is a crucial component of a comprehensive cybersecurity strategy. Organizations should work closely with insurance providers like Mike Roman and his team to tailor policies to their specific needs and regularly review and update their cybersecurity practices to reduce those risks and vulnerabilities.
If you have any questions or topics you'd like for us to cover in future episodes, this episode obviously had a bunch of questions from our listeners, feel free to reach out to us on social media through our website. And we'd be happy to set up another conversation. We're always excited to hear from you guys out there. So please ping us and let us know. Don't forget to subscribe to Technology Simplified wherever you get your podcast so you never miss an episode. Have a great week, everyone.