Cyber Liability Insurance: An Investment in Your Online Security

Is your business prepared for a data breach? In this episode, we’ll discuss what cyber liability insurance is, how it works and why businesses need it. We’ll also talk about why you should have it as part of your business insurance policies.

So what the heck is going on with cyber liability insurance? If you're a small business or medium-sized business, you may have seen a lot of changes in the market for cyber insurance. Maybe even inquiring for the first time, you saw it's very different from buying other types of insurance. The rates are higher. There's restricted access. You can't just buy any policy you want. There's a lot more underwriting involved. There's not just one person that asked you a few questions about your company. There may be multiple underwriters that scrutinize your business. Maybe they want actual reports and data investigation of your company. Either way, getting cyber insurance is a lot harder than it used to be, and a lot harder than other types of insurance.
Why is that? What can you do about it? First, if you're the type of insured or policy holder that works with your insurer to get more understanding of what exposure they're trying to reduce, you have some good opportunities to match the coverage with your company.
Everything with cyber right now is more scrutiny. All the insurance companies are scrutinizing their insureds and their markets a lot heavier, because it's such a wild west of risk that they want to make sure that they're writing coverage properly. One of the things that you'll find (it's a benefit to you) is the companies will be more involved with your risk control. Unlike your fire insurance or your general liability or business premises insurance. They do give you some suggestions and requirements to reduce risk. You'll find that cyber, they're going to be all over you to help you and require you to reduce risk. Not participating in their risk reduction might even cost you coverage. So it's a good thing and a bad thing. If you work with them, you'll get good coverage and you'll be less likely to be a target. If you don't work with them, you might not have coverage at all. The underwriters are getting involved early. They're talking to your security officers, your IT people, and a lot of these quotes never get written because the insurer doesn't follow through on these things.
A lot of times when you go for renewal, the underwriting will happen again, and maybe even more than it did the last time. It's the opposite of other types of insurance. Other insurance lines, you have more underwriting when you first write the policy and maybe a little less on renewal. You'll find with cyber insurance policies, you get underwriting scrutiny when you write it, but you might get more underwriting the next time you renew. And in many cases the agent or the broker doesn't have binding authority. It's restricted. You have to have certain documentation, more internal, external conversations with maybe your vendors, maybe your clients, and you have to make sure that all your documentation matches what you're representing to that insurer. And they're going to want to see your hard data. They're going to want to see what your internal controls are, not just verbal or written on a contract. They're going to want to see actual proof that you have these controls in place, maybe even printouts from your servers that these inquiries and these observations are being made, the detection suite is operating properly. More importantly, keep this in mind: your insurer is writing your policy and quoting your policy based on more specific risk of you. They're not writing it for an industry. They're not writing it for a demographic of a business, you know, maybe zip code and revenue and employee census count.
Most businesses and business policies are written with those three data points: zip code, industry SIC code, maybe revenue, employee count, and that's it. That's all they need. With cyber, they're writing that policy and quoting that policy specific to your company, based on the information and data you give them. What controls do you have? What data do you give them? What security measures you have in place that can be documented, not just what you promise, but what's documented. Put yourself in their shoes. The biggest problem with cyber is that the risk is changing week by week, month by month. The cyber attacks are different 30 days from the last one. So they're wanting to make sure that your protection is more holistic. It's more systemic, so that you're not a victim of something they've not seen before, because you're protected against everything. But at the same time, cyber policies also, either implied or directly, cover regulatory problems. So if you have a breach and data is released on clients or consumers, there may be regulatory costs involved with that: regulatory cost in notifying, mitigating damages, maybe even fines and penalties. And your policy may cover that. So they're going to want to know what the regulatory environment is and what it might look like during the policy period. Many of these regulations are at the state level. Some are federal, but at the state level some are more severe. You know, states like California, Connecticut, Illinois have some very, very intense cyber breach regulatory requirements and penalties for companies that have these types of events.
Some of them are a little bit less severe, but here's what they're looking at. When a breach happens, whether it's ransomware or lock up or exfiltration of data, there's a payload of the hack. There's a payload of the virus that comes in through some vector: either email, direct social engineering, sometimes files that are transferred. And once they're in, you may not even know that the hacker's in your system. Once they're in, they go lateral. So if they get in through an admin login or some high-level login, now they go lateral and they start to monitor emails and attach themselves to nodes that are lateral to where they got in. So if they get in through, let's say, a CFO or a sales manager through their email, now they're in and they can attach themselves to other hierarchy of the same level within your company. Then they move their way up. And they may not take any action for days, weeks, sometimes months while they're in their system extracting your data, extracting information, deploying more virus payload to your company, putting in back doors, so if you do find them, they have another way in. They may spend a lot of time inside your system, virtually setting up their attack before they even make a move. Then when they do make a move, there's three ways they do it. One is they lock up your system and they say, okay, your data is locked down. It's encrypted. Your system doesn't boot up. Your cloud is restricted. And we'll give you the key to unlock it if you pay us X amount of dollars. Right now the average is about 300,000. There's payments that have been in the millions; there's payments made in five figures. So you pay that, let's say, and they unlock it, but what is that guarantee that they're not still in there? And they could ask for more money or do another round later.
The other thing they can do is they have data that they've expropriated from your company: all your customer files, maybe your accounts payable, accounts receivable, banking information, product information, manufacturing information. Could be intellectual property that they've extracted from your system. And they have it saved. Separate from ransomware, they could say, look, we're going to release this if you don't pay us. We're going to release it to the dark web, all your customer data: their names, addresses, date of birth, social security number. If you have ID copies, they're going to release it all and say it came from you. And now you're in trouble unless you pay us. They're going to release maybe all your production or client information to a competitor. They'll say, look, we found your competitor is XYZ Marketing that's in the same business as you, trying to get the same customers. We're just going to sell your customer list to them unless you pay us. Another way they could make money from the deal. These companies are vertically integrated. They have outsourced companies that get the payload in, and then it's a referral to the hacker that charges the money. They run like any other business: sales departments, operations, accounting, programming. They're big operations.
So you want to be prepared against that. Obviously, the best practices: you have all your data backed up in places that are firewalled away. You have another copy in the cloud with a different login. You have a physical copy on a disc, maybe on your premises.
But that's not enough. If they're going to export it, you have to detect this very quickly. If somebody gets in, before they start scraping all your data out, which can take days or weeks, if you know that they're in, you can shut them down. And you can know what's been extracted.
If you have all this in place, best practices with a cyber protection plan (and you can find out more about it on our website), when it comes time to talk to your insurer about getting coverage, you can tell them, look, here's what we got. Here's our manual, security, all our policies, all our procedures. This is how we do it. They're not going to have to teach you how to do this. You'll already be doing 90% of it. They may add a few things based on, hey, you know what, this is good, but here's some other types of risks that we see in other companies. But at least if you have your ducks in a row, you'll find, first, you'll have access to more markets. Second, your price and your policies will be low. Your premiums will be low. And third, most important, you'll be less likely to have an event, because even if you do have an event that's paid for by your insurer, it's still going to be a bad day.
The money's only going to be part of it. You have a reputational risk. You may have regulatory risk. You may have employee risk, that they're, you know, maybe skittish about your company. You may have clients that are concerned about doing business with you. So you don't want to have a risk to begin with, or you don't have a loss to begin with.
Because even if your insurer makes you whole, so to speak, you still have those other durable, remaining and residual effects on your company that aren't going to be good. So putting these policies in place, even without insurance, reduces the risk. And then this of course helps you mitigate the costs should something happen.
Let us know what you think in the comments. Check out our website for more information, and we'll see you on the next video.
