Cyber Insurance 101: What You Need to Know Before a Data Breach Hits
Whether you're an individual or corporation, everybody has some various types of insurance. You have auto insurance, health insurance, homeowners insurance. If you're a business, you probably have premises liability insurance or general liability insurance. Look, we all have several insurance policies covering various risks and losses to make sure that we're not put in harm's way financially should an unlikely event happen like a vehicle accident, damage to your property, lawsuits, that kind of thing.
But there's a type of insurance that is maybe the most important type of insurance, especially for a corporation to have, and maybe individuals, that didn't even exist several years ago. The type of insurance we're talking about is cyber liability insurance. And you may never have had a policy covering cyber liability in the past. In fact, your insurance agent that you deal with may have never written a cyber liability insurance policy. This is brand new business for both clients, insurers, and brokers.
The reason it's very important to be aware of is because the risk of damage or loss in the coming years may be higher in the cyber loss realm than in any other area. Look, you're probably more likely to have a cyber loss for your business than having a fire in your business. That being said, what is important to be aware of with cyber liability? What does it cover, what doesn't it cover, and how should you be informed in that area of coverage whether you're a business or even a high net worth individual or private client individual?
So first, some definition. Cyber liability insurance is kind of a blanket term that covers a lot of things. It could be a security breach deleting your data, it could be a ransomware attack, it could be access to your customer files that's released to third parties, it could be another type of a hack.
Now in the past there may have been endorsements on your business insurance policies which covered some of these events, but these were just endorsements and they didn't cover a whole lot. And in many cases, there were exclusions from this coverage which made it not really that primary for a type of loss. A cyber policy today can be written as a standalone policy, it can be written as an endorsement to a general liability policy, but it is a new and emerging industry.
Companies that purchase insurance today are early adopters. So if you buy cyber liability insurance, you're an early adopter of that type of coverage. The reason why it might be valuable to you to be such an early adopter is because the value of such a policy goes beyond just the coverage in the policy. The highest value for a cyber liability policy is in the access to the market.
Whatever premium you pay for that cyber policy, you'll get coverage if something happens, but the biggest benefit to your business is going to be the fact that you're in that market as an early adopter. And there's two reasons why.
First of all, this cyber liability market is what's called a hardening market, meaning it's hard to get coverage. A lot of the companies that came out with these policies two or three years ago are now withdrawing from the market. They're not taking new applications and they're raising rates.
The reason why is because it was priced based on the losses from the previous five or six years. So if you go back to let's say 2018 and you looked at what are the losses for cyber liability from 2012 to 2018, they were relatively low. So the insurance companies priced their policies based on that risk factor, that probability factor.
However, from 2019 to 2021 this cyber liability risk and losses increased dramatically. A lot of it's because the policies are written without any requirement for protection of the records, the data, or the systems. Unlike other well-established lines of insurance, underwriters of cyber liability insurance didn't have the data that fire insurers and liability insurers had. They've been doing fire insurance for 70, 80, 100 years. They've been doing liability insurance for 50, 60 years, so they have the data. They know how much these losses cost.
Some cyber policies include errors and omissions, but most are separate from other types of coverage.
How big is the market? Well, it's estimated that in 2020 the market for cyber policies was seven billion in premiums. Now they're saying next year, in 2023 or 24, it's going to be over 20 billion. So it's going to go up by a factor of three or four just in a couple years because more people are going to need it. Obviously, world events have a big impact on that.
And because of that, for the first time cyber is a hardening market. Since it came out in the market years ago, brokers and buyers had the benefit of easy placement of these policies. They were cheap, they had good coverage, and for the insurance company, the book of business was very profitable so they expanded.
But now with more risk going cyber, and a lot of it had to do with the events of the last 24 months — people being locked down, people doing remote work, less physical activity in the marketplace — people are now doing more of their crime or having more damages done in the cyber realm.
So consider this. Let's say you are a medium-sized business, and for example you are an accountant and you do the books for a hundred other small to medium businesses. As part of doing the books, you manage things like accounts receivable, accounts payable. You have banking access to do payroll. You have all of the prior tax returns for your clients.
And let's say that business, on a certain day, has two hypothetical scenarios:
You walk into your business on a Monday morning, you pull in the parking lot, and your building is burned to the ground. God forbid, nobody gets hurt, but your building is burnt to the ground.
If you are a modern accounting firm, you can likely be back in business in 24 hours. You go over to Walmart, you buy a bunch of folding tables, you buy a bunch of PCs, you log back into your cloud service or your server or your backups, and maybe rent some empty office space down the street. You're in business.
You're still going to have some losses but your fire insurance, your liability insurance, other insurances should cover that. And even if you're out of business for a few days or a week, you probably have business interruption insurance that helps cover that.
It would be a terrible loss but those are the types of losses that previous insurance companies contemplated when they're writing policies.
So let's take a look at scenario number two.
You pull into your office on a Monday morning and everything looks fine. The building looks good. No broken glass, nobody smashed your window, it's not burned to the ground. You go in your office, flick on the lights, sit down in front of your computers, and they're all blank.
All your computers are dark screens and you try to boot them up. You can't get in. You try to go on your mobile device to log into your server or your cloud device. Everything is locked up, deleted, and you get an email: "Hey, this is the dark web. We captured all your files. If you don't pay us 200,000, we're going to delete everything and we're going to release it to the public."
What's your loss? Well, either you pay the money and maybe even if you do, you might not get your stuff back or you don't pay the money.
Now, how fast could you be back in business then if you don't have access to your client files, your data, your records, your documents?
If you are a business that has a hundred clients, you have accounts receivable, you have billings that have been sent out to clients, and you know most companies, let's say you bill net 30 and your average payable comes in at net 40 or 45, right?
So if you're a three million dollar business, you're collecting 250, 300,000 a month in receivables. If you don't have access to your receivable files and you go two months without having payment, that could be two or three hundred thousand that you lose.
If your clients discover that their personal information and their private information is being released to third parties, they may sue you, they may cancel contracts, they might stop any of their payments that are coming to you for their own self-interest.
If you're doing payroll from companies that have hundreds of employees, now you have all those employees' records that are vulnerable.
So how does that loss compare to just your building burning down, which sounds like a big deal? But those losses are greater.
So a cyber policy helps protect against not only a more likely type of loss but a much more severe and damaging type of loss.
How does a cyber policy protect you from losing potential income from weeks or months?
Well, there may be provisions for making the same income payments to you that you would have received during that period of time. There may be provisions for recovering losses from damaged data.
More importantly, if you buy your policy before you need it, before you have any type of losses, you can actually buy a policy for a reasonable amount.
And we'll take a look at a sample policy here in a moment to see what's covered.
And if you don't have coverage, you could be out of luck.
And if you have had breaches or other losses or even cyber intrusions to your company before you buy the policy, you either have to notify them and may be higher rated or maybe excluded from coverage, or not notify them but have your policy be void if they discover after you have a loss.
The frequency and severity of losses in the last few years have grown astronomically, so carriers are restricting new policies to new customers because they need to understand the loss ratio of existing customers.
When carriers first started selling cyber insurance, the losses were one-off incidents like somebody lost a laptop or they gave away their email password accidentally.
But now the attack vector is much more robust, meaning that there are actors out there all over the world looking to breach on an active basis.
They're not waiting to find somebody's laptop that they left at Starbucks; they're actually trying to get into your network through social engineering, phishing expeditions, other types of active breaches of your company.
So how does a cyber policy help you?
Yeah, well, if you have the loss, they'll still pay, but your biggest benefit is that that cyber liability insurance carrier is going to give you some guidelines on what to do in your business to help prevent it happening in the first place.
Now don't look at it like nanny or big brother telling you how to run your business. These are things that will make your business more efficient anyways.
These are things that you will come to see as best practices even with operations, not even technology.
More importantly, they will use the data they're seeing from their thousands or tens of thousands or millions of other clients to help you prevent losses that they see elsewhere.
You know there's an old saying: learn from your mistakes. This is the way you can learn from other people's mistakes before it happens to you.
Because even if you have a loss that you know is a hundred thousand, a hundred fifty thousand dollars, most of it's paid for by the insurance company.
It's still going to be an annoying, inconvenient event to happen and there may be a deductible involved as well.
And there may be reasons why it might not be covered.
So in the next video, we're going to take a look at actual coverages and policies and what goes into the insuring agreement.
And this would be one sample. Everyone's going to be a little bit different.
Most cyber liability policies are considered to be what's called excess and surplus lines insurance, meaning that it's not standardized insurance that's filed with your state or with brokers.
It's coverage that is a one-off from a company that specializes in that industry, and they're going to write it specifically for your business.
So let's take a look at a policy.
