Cyber Insurance Webinar: From Data Encryption to Employee Training, Steps that Lower Your Risk Also Save You Money
On Thursday, March 17th, we held a webinar with our friends at Johnson, Kendall & Johnson (JKJ). During the event, Alexandra Bretschneider, JKJ’s Cyber Practice Leader VP, shared valuable insights and answered questions.
With financially motivated attacks continuing to dominate the news, business leaders cannot take chances with corporate security. Many are turning to cyber insurance, but premiums are rising quickly. Fortunately, there is a way to protect your firm and keep premiums affordable.
Details
Event: “Top Cyber Insurance Gotchas & How To Ensure the Lowest Premiums”
Date: Thursday, March 17, 2022
Presenters
Alexandra H. Bretschneider, CCIC, Cyber Practice Leader, Vice President, Johnson, Kendall & Johnson
Ben Prorock
Agenda
Alexandra, in tandem with Ben, will explore three important issues:
To learn more about IT Solutions or Johnson, Kendall & Johnson, call 1.866.742.5487 or click here to contact us.
Video Transcript:
Ben Prorock
Good afternoon, everyone. My name is Ben Prorock. I’m a member of the business development team here at IT Solutions. And today we have a really exciting opportunity. Thank you for joining us to hear from two true industry experts in the cyber insurance space at Johnson, Kendall and Johnson, Alexandra Bretschneider and Rafael Haciski, in our continuing effort at IT Solutions to serve not only as a technology partner, but as a true business partner in every aspect for our clients and our friends. So thank you for joining us. Really looking forward to the conversation. The format today is going to be a pretty brief presentation from Alexandra and Raf, followed by a time of question and answer. So please message in any questions you have as we go. And then we’ll make sure to answer those as we go, as it makes sense, or directly afterward. So we’re excited to get started. And Raf, why don’t you kick us off?
Rafael Haciski
And thank you so much for having us today, and appreciate you and Jim and the rest of the IT Solutions team for having us on today. Really do appreciate it, and happy St. Patrick’s Day to everybody. I hope everyone’s got their green on just like us. As Ben said, my name is Rafael Haciski and I’m one of the principals at Johnson Kendall Johnson. And I’ll let Alexandra introduce herself in one second. I’ll just tell you a little bit about Johnson Kendall Johnson. As Ben mentioned, we are an insurance and risk management brokerage. We are based in Newtown, Pennsylvania, right outside of Philadelphia. Myself and Alexandra, we focus exclusively on the property and casualty area, which is the commercial insurance department. And then we also have departments in employee benefits, health and wellness, as well as financial services. Little known trivia with regards to JKJ: back in the 80s, we actually had the employee who discovered the 401K loophole. And so our 401K account number is number 001. Typically, what we find with other brokers out there is that they have a geographical focus. Instead, JKJ made the business decision years ago to silo their practice groups to industry settings as opposed to geography.
And so we really do well in healthcare settings. We have a retail entertainment group. We have a construction group. We have a life sciences group. We have a real estate group. So we choose to focus in those niche industries that need a little bit more added touch from an insurance or risk management standpoint. And in doing that, we’ve really, over the last few years, seen a need to invest more heavily in cyber and cyber liability and cyber risk management. And so as a result, we brought on Alexandra Bretschneider years ago, who has a substantial background in the IT field. So I’ll let Alexandra introduce herself briefly before we get going.
Alexandra Bretschneider
Raf, my screen is sharing okay, right?
Rafael Haciski
Yes, it is perfect.
Alexandra Bretschneider
So thank you for the introduction. I’m Alexandra Bretschneider. I’ve been with JKJ now for just over seven years. But my background before that, as Raf had alluded to, was actually in IT consulting. So I started my career with Ernst and Young in their IT advisory practice, living the Big Four consulting life. Then I moved on to do some telecom consulting. I did that for a number of years before I found my way into this dark world that we call the insurance world. Naturally, I’ve gravitated towards all things cyber. And as you folks listening on the call know, seven years ago cyber truly was not remotely what it is today. I continued my education and pursued a designation from Carnegie Mellon specific to cyber risk management insurance. And then we were fortunate enough as an organization to be recognized as the top broker internationally for 2021, and again for 2022. Stay tuned, more to come.
Rafael Haciski
Thanks, Alexandra. I appreciate you letting us know about that. Humble brag is what my daughters like to call it. So let’s start at the foundation, at the base. A lot of times people hear the word cyber and many things come to mind. So from a risk management insurance standpoint, what are cyber incidents? What are we talking about? And what are the trends that we are seeing in this ever-evolving landscape right now?
Alexandra Bretschneider
Yeah, cyber is a big word, right? It’s a little bit of a misnomer. Essentially, cyber risk is really anything that relates to technology, anything that connects to the Internet. So what does that look like in terms of incidents? And I’m going to talk to this at a little bit of a high level. And then we’ll do some statistics around this, put numbers to the things that we’re saying. So this is a slide that I’ve had now for probably four years. And each year, or every couple of months, I’ve almost had to reorder it to really what’s most relevant today. So ransomware four years ago was probably halfway down my list. And again, the last year or so, it’s really dominated the news. This is the one thing that I would say most lay people outside of cyber and technology industries are certainly aware of now. And we’ll get into a couple of examples of why that is. But cyber incidents are beyond just ransomware attacks, right? There’s phishing attacks, data breaches. Denial of service attacks is something you may start to hear about soon. But it actually also can entail if someone were to walk into your office and steal your filing cabinet of your HR files.
It does involve privacy beyond just technological risk. And of course, there’s the unknown. What’s next? What are we going to see? It’s estimated really more than 50 billion devices, processes, and things are connected to the Internet. That’s our exposure basis. That’s the landscape within which we’re considering cyber risk, anything connected to the Internet. And as you can imagine, with Internet of Things, that just grows really almost every single day. And then what happens with this? So cybercrime activity is actually projected at this point to cost the world ten and a half trillion dollars by 2025, making it one of the world’s largest economies. When we think back to what the claim landscape has looked like, what incidents have transpired over the years I mentioned, I’ll kind of give you my perspective, having joined the insurance side seven years ago. Back then, around 2014, you heard of the Target breaches, the Home Depot, right? We heard heavy on the data breach piece. From there, we have social engineering attacks that really started. So that’s the idea that someone purports to be someone that you would know and trust and induces you into doing something you wouldn’t otherwise, typically parting with money or information.
So for example, I’ve had a client accidentally send out 3,000 W-2s to someone who was not who they said they were in the middle of tax season. More often than that, we see it in the form of financial. Right. So a vendor says they’ve changed their ACH instructions. Our client goes and pays, finds out they were actually paying a bad actor who was not who they said they were and that they trusted. And then of course, ransomware. Ransomware has actually existed for a really long time. I actually experienced my own ransomware attack when I was at my telecom consulting job back in 2012. This is before it was even called ransomware. That wasn’t even the name of it yet. One day we couldn’t get into our shared drive and we paid somebody $350 to get our access back. This was before people really even knew what this was. You’ve got our little COVID molecule there indicating that this is really what led to the explosion of ransomware in 2020 as folks migrated to working from home. Cybersecurity controls lapsed at organizations. Right. We had people working on personal devices, not commercial grade equipment, not commercial grade protections.
People got lax with their password protocols and things. Everything kind of fell to the wayside because there were such bigger priorities at hand. And unfortunately, cyber criminals exploited that. And so we saw a major uptick in the number of ransomware attacks and the demands and things that occurred in 2020. A little bit more statistically, the 2020 average extortion demand, as I mentioned, starts to increase. So where it used to be in the tens of thousands that the demand might be, it now is six figures. And that trend has continued. It is still in the six figures on average today, and attacks increased exponentially. In 2021, the average demand actually exceeded a half a million dollars per incident. That was on average. It was predicted that throughout the course of 2021, a business was hit by ransomware every 11 seconds, and the average downtime as a result of those incidents was between 19 and 23 days. And my friends at IT Solutions have lived this with their clients as well, right? It is not impossible that it will take you two to three weeks to recover from a ransomware attack. Depending on the severity of it, perhaps your whole network might not be down, maybe pieces of it.
But I would tell you, this average, in my experience, has honestly held true. And so that’s a legitimate concern. And we’re going to come back to the idea of why that’s important and what we need to consider around it. Other things happening in 2021: the number of zero day exploits, so think of that as really software vulnerabilities, doubled compared to 2020. So the exploiting of our unpatched systems, where there’s a vulnerability, doubled. And then we’ve seen every day ransomware attackers get more sophisticated. They want you to pay. So where at one point in time they just encrypted your system and said, hey, pay me the ransom, I’ll give you your keys back to your castle. Then they started going, hey, I realize you have good backups, you’re going to fail over. So I’m also going to take a copy of your data. So pay me so I don’t release your data on the dark web. And then throughout 2021, we started seeing more things, not only just encrypting your data, threatening to release it, but they’re actually contacting your clients or your employees personally to say, hey, just so you know, we’re inside of so and so business, and we’re going to continue to exploit that, take their information, use it against you, unless they pay us, to add that pressure.
There is even something called print bombing. Sometimes these guys were actually hacking into your printer and printing out ransom notes inside your office just to, again, add a layer of threat, anything that was going to induce you to pay the ransom. It’s scary stuff. And so, of course, then we started to see a lot more regulatory response. The government is paying attention, and I’m going to give you examples of why. But what we’re starting to see is a lot more attention, even in the news today, about what the US is doing, what internationally different governing authorities are trying to do to wrap their arms around this risk. They don’t want to hit that ten and a half billion dollar number of cybercrime that I mentioned before. So a couple of examples of things that have been in the news, right, 2021. This was in June. JBS Meat Packing went down. This impacted all of their downstream suppliers. They paid 11 million in ransom. We’re still seeing that from a regulatory standpoint. Hospitals, especially in healthcare, are still paying out the penalties to HIPAA and other governing bodies as a result of their breaches. Blackbaud was a good example.
This is actually towards the end of 2020, for any nonprofits on the phone. This is an online donor database. The database was hacked, which impacted all of the users of that database. So all of your donors’ information could have been compromised. So it’s kind of a downstream attack. UHS, this was October 3 of 2020 as well, had a ransomware attack. United Health System, that impacted all of their locations at the same time. That’s a really horrible example of what cyber risk means today. Most types of risks we think of, even including catastrophic weather conditions, still have a regional component to them. Cyber risk knows no geographic bounds. It is the only type of risk that can truly impact all of your locations at the same time if you had geographic spread, and this was an example of that. This hit every location for them across the country going down. And then two unfortunate examples of how this can play out beyond just the impact to your organization, your operations, your revenue, your ability to do business. There are now people getting physically hurt as a result of cyber incidents. So we’re seeing hospitals have shut down, like the one there on the left with the ransomware attack on a German hospital.
And they shut down their ER and had all ambulances rerouted elsewhere. And a woman died as a result of not being able to get the care as immediately as it was needed, because she had to go 20 minutes down the road to the next hospital. Something comparable happened here stateside. A couple had chosen their hospital where they were going to give birth. When they came in on the day that she was delivering, the hospital failed to notify them that they were down with a ransomware attack. They brought them in, and their technology that was actually monitoring the heart rate of the baby failed, and the baby passed away as a result of that. So you’re seeing legitimate horrible things come out of these. And again, these types of things are starting to warrant more attention from a regulatory standpoint. Again, supply chain. Another example. And this is actually in our world, insurance company CNA. If you’ve heard of them, many of you may have. You probably had insurance with them at some point. They went down for three weeks. And when I say down, I mean fully down, entirely disconnected their network. This massive company was down for three weeks as a result of this ransomware attack, paid over $40 million.
That’s real money. That’s US funding continued cybercrime. Excuse me. Colonial Pipeline, as I’m sure many of you remember. I was down in the Outer Banks that week and everyone was panicking about getting gas to be able to drive back home. They paid $4.4 million, and this was an attack on US infrastructure. So again, right after this is where we really saw an increase of attention from the US government on, okay, we have to get our hands around this. The feds actually were successful in recovering about half of that demand. And then we have a couple of technical ones. Microsoft Exchange Server, the SolarWinds attack that dominated the news for a while, that actually impacted several government agencies. The one on the bottom right there is actually referencing the Kaseya attack. Many MSPs, such as IT Solutions, use certain software to help manage their client base. And one of them is called Kaseya. And the vulnerability exploited in Kaseya allowed the hacker to get into Kaseya and then into everyone that was using it. So it impacted 1,500 businesses overnight. And then one more statistic to give you an idea of what the demands have looked like.
This is from Arete. I have a couple of pieces of information in here from two of the top IT forensics firms. So those are the folks that come in and help resolve an incident and tag team that resolution with folks like IT Solutions. The average demands. This was from 2021. So this is fresh data, and you can kind of see how it evolves by quarter. The first half of the year was worse. We got a little bit better in the second half of the year as folks improved their cybersecurity protocols. But the green is the demand on average and the blue is actually what’s paid out. So our demands have been in the millions quarter over quarter. The payout is still in that six figures. So you can see it’s a little bit down from that 2021 early figure of 570 that started to drop. And this is just Arete’s information. But again, we’re still in that six figure base.
Rafael Haciski
Thanks, Alexandra. I remember when CNA went down during probably one of the busiest renewal periods of the year, and it definitely has a rippling effect beyond just their business or their company going down. I mean, it affected countless brokers, countless organizations who were waiting for changed endorsements and updated insurance policies and all that. So I think people are still wrapping their heads around the dollar impact as well as the intangible impact. It also brings me back to a conversation I had with a not for profit CEO years ago. And it was very funny. He said, well, I’m a small not for profit organization. I’m never going to get hacked. Right. I actually had the reaction you just had and I said, oh, au contraire. So tell us a little about who is being targeted.
Alexandra Bretschneider
Yeah, I’ve heard that many times. Usually: why would they target me, right? I’m small. They’ve got bigger fish to fry. And this is a quote that I think really captures it perfectly. Ransomware gangs don’t care about your data. They actually don’t care about you at all. You are exactly right. But they know you care about your data. You will be willing to pay to resume your operations. That is all the ammo that they need to move forward. And that’s exactly why everyone is a target. Let’s take a look at when we kind of break it down. So Kroll is another top IT forensics firm, and they had just issued their 2021 report as well. And I thought this was interesting. So it shows you which sectors have actually had the most incidents. So historically, five, six, seven years ago, again, what we always thought about with cyber was really health care, HIPAA compliance requirements, and financial services. But outside of that, do we really have to worry about it? Now the targets are professional service organizations. Law firms make up a big chunk of that. Law firms have very sensitive data, as you can imagine. They’re going to be willing to pay for that to not be disclosed.
Healthcare and financial services are still dominating, with manufacturing creeping up the risk there. And same with technology and hardware. We are seeing more and more in the government sector and education sectors as well. Then specific. So that last slide was actually cyber incidents in general. This is actually more specific to ransomware. So kind of interesting here. When we get a cyber incident, it could be an email compromise, all types of things. That kind of goes back to that first slide where we had all the different types of incidents. This is going to be ransomware specific, and look how the list changed. Professional services still at the top. But number two, that jumps up there, is manufacturing. For years, I’ve had those conversations with manufacturers. We don’t have private information or personal information. Right. We just have our employees. We don’t have anything else. I don’t think we have a cyber privacy risk. But you do have an operational risk. And uptime, the ability to manufacture your devices, is critical for manufacturers. So as you can imagine, being down is certainly going to entice you to want to pay in order to get back up and operational. Then when we go on to what were the types of attacks, when we think about who is being targeted, but what were they being targeted with?
Oftentimes, and I’ve mentioned this, the number of zero day exploits, exploiting the vulnerabilities in software, which feels beyond our control in some sense. So we’re not writing the software, but we do have control over patching it timely. And so a lot of these were due to unpatched systems that had a patch available. So this is just we didn’t do what we could have done. So 43% of the incidents were related to exploits of vulnerabilities, the next biggest majority in the phishing space. You still see social engineering topping the list there. And then I like this, again, giving us an idea of the ransom demands. So this is actually by industry. So financial services was getting hit with the highest demand and paying out the highest amount. So they were paying out in the seven figures on average in 2021. Manufacturers, again, we had said they were getting hit the second most and they are paying out the second most. I’ll give you a second on this slide because I think it’s a bit interesting. I know we’ve got folks from different industries on this call. You can kind of see where you might fall in.
Rafael Haciski
Yeah, that’s definitely interesting, for sure. Just because we know for a fact that the cyber criminals and all those folks are getting a little more intelligent each day, as well as the insurance market. They’re getting a lot more stringent with their underwriting. And I think I’ve equated you to being almost like an attorney prepping a witness for deposition. You’ve been doing that for renewals when the carriers are going to be asking tough questions with regards to IT protocols, policies, procedures, infrastructure, things of that nature. So looking ahead into ’22 and beyond, what predictions, expectations do you have from a cyber standpoint?
Alexandra Bretschneider
Yeah. So we’ll get into the insurance piece in a minute. But the big to be determined right now, and I know we’ve got a couple of folks listening live and a couple that are listening to the recording, and I have no doubt this is still going to be relevant in the days to come, is what is going to be the fallout of this Russia Ukraine invasion. We are already seeing an uptick in cyber attack activity. Fortunately, we’ve been able to prevent a lot of these things from fully manifesting into actual situations. But certainly all of these IT forensics firms and the like are just seeing a lot more activity coming out of Russia targeted our way, and it’s fully anticipated we’re going to continue to see retaliatory attacks related to the sanctions that we’ve put in place. And it’s something we all need to stay vigilant and keep our eyes on. Outside of that, Arete, one of those forensic firms, I thought had shared some really good projections for 2022 that I’ll share with you now. When you think about how those ransomware attacks are going to be conducted, because we have a lot more scrutiny from the government on these things and the potential that they want to refrain us from being able to pay ransom and are looking to try to pursue the criminals, I think we’re going to see a little bit less of that public shaming, right, where we’re putting it out onto the dark web or we’re going after clients and employees, and probably, hopefully, less infrastructure attacks, although I think that will be determined with Russia.
But I think we’re going to continue to see new creative ways that they force ransom. So, for example, I mentioned denial of service attacks. Denial of service attacks: think of your network as having a highway connecting it to the Internet, and it would be like sending thousands of cars down the highway all at the same time and jamming it up so that nobody can get in or out. That’s the idea of a denial of service attack. Well, how do we stop that? That’s very difficult to prevent. And so if someone starts to block up your network, suddenly you have no connection because you’re getting an attack. You may be more willing to pay for them to stop the attack. So there could be a lot of new methods that they try to deploy to enforce ransom. Additionally, we’re going to see continued law enforcement agencies internationally working to try to get their arms around this, so that could look in the form of cryptocurrency regulation. You’re starting to see some things about that, and a lot more information sharing with the private sector and the government sector. Again, you’re seeing new regulations passed every day.
Biden just passed one around critical infrastructure needing to report incidents timely. So we’re going to continue to see that. But more than anything, and this is where you need the help of folks from IT Solutions, threat actors are going to continue to exploit the things that have been successful for them: not patching systems timely, making sure we remove access from folks that don’t need it anymore, having really good password protocols, access controls, multifactor authentication in the right spots, and having really sophisticated software in terms of cybersecurity. And we’ll talk a little bit more about that.
Rafael Haciski
So one of the keys that we always like to focus on, generally speaking, from a risk management standpoint, is what we like to call insurance utilization, in that the insurance policies, the insurance program that we place for our clients, should be the last resort, the last shield between you and the actor. So tell us a little bit about how we should be managing cyber risk, obviously using insurance, but then also other methods and protocols that we’re putting in place alongside that.
Alexandra Bretschneider
Yes. Thank you. So I used the first 20 minutes here to unfortunately be doom and gloom. Right. But it was really just to paint the landscape. What are we dealing with? What have we been dealing with? What is it looking like it’s going to be? Now let’s actually talk about how we handle it. Cyber risk is manageable. And I know it’s an uncomfortable thing for a lot of people because it’s technology related, and I don’t know, and I don’t know what I don’t know, but it is actually something that can be managed. I have a couple of pieces to the puzzle here. First component: cyber risk is a blend of security, cost and convenience, and that’s going to look different for every organization on this call. So what might be the most secure thing, which would be maybe to require that before you let anybody have access to your information or your network, you make them give you a retina scan, a fingerprint, a DNA profile, and a password, that would be remarkably expensive and absurdly inconvenient. So we don’t do that, right. That would be the most secure to really validate the authenticity of that person.
But we don’t do that. We do things that are more manageable, that are more convenient, that are cost effective, that actually can be within our organization’s ability to afford. But we do have that constant balance that’s happening between those things. Then, of course, we think cyber, we think tech. I mentioned having top cybersecurity software and technologies. It is more than just technology. Cyber risk is managed through people, processes and technology. Some examples of that. So I always use, and Raf has heard me tell the story several times, the Target data breach, because that’s one that everyone knew about back then. It was one of the first big name ones. So everyone remembers Target had a data breach. I’d say probably half of you may remember or be privy to the fact that the way the data breach actually occurred was through their HVAC vendor. So it wasn’t Target’s fault specifically. They didn’t get just right into Target. They went into one of their vendor partners who had access to Target’s network and came in that way. The story that doesn’t get told is Target has the budget and had purchased and procured all of the technology they should have.
The technology piece of the puzzle was there. They had something called an intrusion detection system that was supposed to detect an intruder. And sure enough, it did. The technology piece of the puzzle worked. Where they failed was on the people and the process side of things. No one reviewed the alert. No one did anything about the alert. So cyber risk is so much more than just buying technology to solve it. There are so many things we need to do from a people and process standpoint, and I’ll get into some of those that will have much more of an effect. And then, of course, Rafael, you mentioned, right, nobody loves buying insurance. But let’s make sure that if we need it, we have it, and it does exactly what we thought it would do, and it covers the expenses that we need it to cover. And I will tell you, far too often I get asked to review policies for folks, and I have to deliver the unfortunate news that this is not really going to help you when you have an incident. This is woefully underinsured in the areas that are actually of most importance.
And it’s not simple. Cyber policies are changing every day. It’s very difficult to understand what applies to what. And it’s really important to make sure that it actually adequately aligns with your organization. At the end of the day, when it comes to managing cyber risk, the concept is not to be cyber secure. There is no such thing. We can’t go to bed at night and say we did it, we’re cyber secure, I can sleep peacefully knowing nothing bad will happen to us. But the goal is to be resilient, to be able to sustain an attack and recover from it, move on, resume operations and not be shut down. And then, of course, there’s a reasonableness standard. So when I talk about the balance of security, cost and convenience, that will also vary by industry. And so what would I reasonably expect of a peer company of mine to have in place? Would I expect that they’ve ever done a vulnerability assessment? Would I expect that they’ve done employee training? Would I expect they have quality password and access controls? What would I expect? Because that’s what you’re going to be held to in a court of law.
Now let’s talk a little bit more. I mentioned supply chain several times, and this is really the scary risk, because what happens when one incident impacts many? So how do we manage that? It’s going to sound fairly simple, and I realize it’s a little more complicated in practice, but it is as simple as it sounds. Let’s understand our inventory of our vendors, our partners, and what information or systems do they have access to of ours? And then how are we controlling that access? And then what happens if something goes wrong? So we want to have quality contracts in place, and we want to make sure that there’s tight wording around indemnification, confidentiality, who has insurance and what the limits of liability are, and who is responsible when something goes wrong. And then we mentioned the insurance piece of the puzzle. So I’m going to do an Insurance 101 here. Try to keep your eyes open. So number one, the most important part of the policy is the incident response. And this is one of those areas where I’ve seen folks not have proper coverage. So what happens when you have a cyber incident is a boatload of resources come to the table to help you, and they should be covered by your insurance policy.
Your standard off-the-shelf policy should include these things. So one of the first things that’s going to happen is they’re going to bring you an attorney, a privacy attorney called a breach coach, that’s going to give you attorney client privilege and oversee and quarterback the incident. They’re going to bring in the Aretes and the Krolls of the world that I’ve been mentioning, the statistics I’ve been using. So those are the IT forensics firms. They would work hand in hand with IT Solutions to resolve the incident for you: reviewing logs, triaging, understanding what’s wrong, how it’s wrong, stopping the bleeding, and what needs to happen to recover. And then if you’re unfortunate enough to end up being one of the news clippings I use in a presentation like this, you may need PR. You may need guidance for communication, not only externally to your vendors, your clients, but how about your internal? What are we saying to our employees? What are we telling them to say to others? So communication is often forgotten, but really important. And then, of course, the piece that people kind of know about when they think about cyber breaches really are notification costs.
We’ve all, at some point in time, gotten that letter in the mail that says, “Sorry to tell you, but your information may or may not have been breached. Here’s free credit monitoring. You can sign up here. Here’s a help desk line. You can call this number if you have any questions.” It costs money to set up the call center. It costs money to send out those notifications. It costs money to provide the credit monitoring. All of those costs are part of the incident response. The next piece is regulatory. So depending on the industry within which you work, you may have different regulatory requirements, whether it’s HIPAA; PCI, being payment card industry, if you’re processing credit card transactions; GDPR and CCPA, which are beautiful alphabet soup versions of privacy laws. So how you’re supposed to govern private information? We’re seeing biometric data laws. So the laws are just going to keep on coming. Right now we have 50 states with different laws. We do not have a federal cybersecurity law, but it’s very possible one could be coming in the next year, and that requires different levels of compliance with each. If you have a regulatory investigation, you’re going to need defense.
So your legal fees and counsel, the settlement, and then, where insurable by law, the fines and penalties you may be assessed could be covered by your cyber policy. The other piece of cyber that people do think about when they think of what the insurance will cover is the ransom. And unfortunately, the insurance companies have gotten misdirected bad press around this. Cyber insurance is intended to cover ransom payments, for the most part. This is one of the areas that’s changing. But your original cyber policies of the last five years gave you full policy limits for paying a ransom. So there’s the argument nowadays as well that, because the insurance companies and people keep paying all these ransoms, this is why this is all continuing to happen. So we should just not be allowed to pay ransoms, and certain lawmakers have even called for that. But is that really effective? If we make it illegal to pay any ransom at all, what happens to all the businesses in the interim that are not allowed to pay, between now and when they stop the attacks? What recourse do we leave them? They just have to go out of business. My opinion on that, not that you asked, is why are we going to look at punishing the victim, right?
You didn’t want to be ransom attacked. Nobody looks for that. No one wakes up in the morning and says, “I would love to pay a ransom today.” We need to find other ways. And that’s where you’re again starting to see a lot of partnerships, private sector and government sector, on how to actually tackle this risk and stop it from happening, or punish those that are perpetrating it rather than punishing the victims. You’re also going to see coverage for social engineering and other types of phishing attacks within this coverage part. And then I mentioned I will come back to this: I mentioned downtime. What happens while you’re down depends on the nature of your organization and your operations, right? So I mentioned manufacturing; downtime is critical for them. Every minute of downtime is dollars lost. For certain professional services organizations, if you’re operating within the bounds of a contractual agreement, a day or two of downtime may not end up resulting in financial loss. It’s going to vary, right? This is where we need to right-size coverage to your organization. But what does that look like? How long can you be down before you start losing money? And then how long can you be down before it impacts your reputation?
And once it impacts your reputation, what does that do to your revenue? Not only now while you’re down, but in the future? Will you lose customers? Will you lose potential new customers because you took a beating in the press for your cyber incident? So there’s really a lot to think about there.
Rafael Haciski
Sorry, I was on mute. I feel like the cyber market really, over the last eight to twelve months, has just been turned upside down on its head. And I mentioned this earlier, but we’re finding underwriters starting to increase scrutiny, ask a little bit more difficult questions, and dive in on the risk before even considering providing a quote. A lot of times we find out that the cyber underwriter has done almost like a mock hacking of the organization to test and see if their protocols are in place. What’s happening right now in the cyber insurance world, and what should we be on the lookout for as we’re going through our renewals and considering getting that coverage placed?
Alexandra Bretschneider
Yeah, that’s honestly probably the most critical part of today’s discussion: the policy that you bought last year, or didn’t buy. But if you were buying cyber insurance historically, the policy you bought last year is going to not only look different, but it’s going to cost a lot more. This year, you may be paying more for less. It is changing on a daily basis. And that’s purely as a result of the number of incidents. In the insurance world, cyber was a gold rush coverage at first. All the carriers started wanting to write it because it was free money. There weren’t a lot of incidents. Everyone was making money off of it. They didn’t ask you very many questions to underwrite it, and it was truly a gold rush. So we saw a ton of purchasing of cyber. Well, now we’ve had a lot more incidents. So their profitability has been strained; where they were making a lot more, they’re not making as much. So what happens in those circumstances? They raise rates. They restrict coverages to protect themselves. So things we need to think about first and foremost: do we even have adequate limits for our organization?
How do we benchmark that? There are certainly a number of resources. And in our experience, I can tell you, based on your size and your operations, what’s reasonable. But even that’s a crapshoot, right? Because if we’re buying a million dollar policy and ransom demands are in the millions, what happens? Do we just use our entire policy just to pay the ransom? Where’s the coverage for the rest of it? So there’s a lot that needs to be thought about in terms of right-sizing that to your organization. There are data breach calculators that we can use to kind of model out what this would look like. And you can see in this example, this was a health care example. At the very bottom there, the ransomware demand paid out was $500,000. They suffered $1.5 million in interruption costs. So that’s revenue loss and expenses during the downtime, let alone the additional fines and penalties from the regulatory standpoint. So a $6.6 million incident is what was projected for this organization. So if they’re buying a million dollar policy, that is probably insufficient going forward. I mentioned extortion a few times. So unfortunately, and this isn’t certainly a frustration we all share with the insurance world,
some of the coverages we need the most are the ones they start to restrict. So they do not want to be paying out ransoms anymore. So not only are they going to require that you be better secured, and we’ll get into that in a moment, but they’re going to restrict coverage. So you’re starting to see what was formerly standard, to have full policy limits for extortion coverage; we’re seeing sublimits, we’re seeing really high retentions and deductibles, or we’re seeing something called coinsurance. So they might apply a coinsurance principle of 50%, which means whatever we pay, you pay half. That’s concerning. Right now, they’re putting your skin in the game, your money on the line, and the insurance is no longer responding the way we thought it once would. Other things that we need to think about: a lot of the insurance companies distinguish your ability to control downtime when it comes to business interruption. So is your network, your system, something you control? So it’s on premise, or is it hosted? What happens if your hosted provider goes down? The insurance company looks at it and says, “Well, I didn’t underwrite your hosted provider. I underwrite you and your risk.
So I may not give you the same limits if you have interruption from a hosted provider versus if it’s on premise.” So those are things we need to think about. Those are kind of the details and the nuances that people often miss when looking at their cyber coverage. Reputational harm, I’d mentioned, is actually a separate type of business interruption coverage. So business interruption is covering that time that you’re actually down from an incident. Reputational harm is covering continued revenue loss as a result. So if you really do have an adverse public relations event as a result of that, and you lose customers and you continue to lose revenue after you’re up and running again, there could be coverage for that. And as you can imagine, that could make or break whether or not a company stays in business as a result. Then we talked a little bit about, I gave you the really horrible examples of some incidents where people have suffered injury or death as a result of cyber. Well, where is that covered? Depending on how your policies are written, and this is why we can’t look at cyber in isolation. You need to look at the whole portfolio of insurance programs and risk. What if my other policies exclude cyber, my professional liability, my med mal?
Now, what if they exclude cyber as a covered cause of loss and then someone dies? Where is that covered? Same with property damage. We buy insurance and think, especially for manufacturers, we cover our own property. Property policies exclude cyber. And if there’s no fire or water damage or anything like that, but someone hacks into an industrial control system at a manufacturer, just shuts off a belt or a valve, and the system jams up and breaks, where is that covered? It is not covered by your property policy. It didn’t light on fire. There was no rainstorm that came through that flooded the building. So there’s potential that you can get these types of coverage on your cyber insurance policy. And depending on the nature of your organization, these may be really important. Social engineering, similar to extortion. I mentioned social engineering attacks. We’re still seeing them far too often across our client base. Those are best protected against by just really good policies and procedures internally to validate transactions and the like. But we’re seeing them often. And as a result, insurance companies don’t love covering them. You’re only going to see limits here in the tens and hundreds of thousands.
These will not be seven-figure coverages anymore. Hardware coverage: what happens if one of these cyber incidents actually damages the hardware, whether it’s my servers, my laptops, et cetera, and I need to replace that? It’s a little bit different than property damage. This is going to be truly your electronic equipment, and betterment. That’s the idea that, would I buy the exact same 2008 server, or would I maybe upgrade now and buy the 2020 version if I actually had to replace it? Am I going to go back and buy the old version? No. Well, which one is going to cost more? So is there coverage that gives me a little bit of buffering room to buy the better, latest and greatest technology today? And of course, evolving regulations. I’ve mentioned that several times. What are we seeing in the market of insurance? Right. State of the market: rate increases. So I’d mentioned your policy is not only going to look different, it’s certainly going to cost different. So these were a couple of examples from back in June of news articles coming out around the increase of attacks leading to the increase of rates.
So it’s just getting more expensive. We’re continuing to see. I’m sorry, Raf. Did you want to jump in there?
Rafael Haciski
No, go ahead. Sorry.
Alexandra Bretschneider
Okay. We’re again continuing to see evolving regulations around ransomware. And then this is in green here because this is a take-home slide. And these are where you can connect with the folks at IT Solutions to help you. There’s so much more now you need to do to be insurable. So gone are the days that I can get policies for organizations where I give them a couple of pieces of information: name, address, number of records or ballpark revenue, or any of those things. We used to be able to get cyber insurance that way. Those days are gone now. What’s going to happen when you complete an application is, if you are on the CFO or CEO side of the house, there are going to be questions you do not know the answer to, and you will need IT to help you. And that is by design. There are even applications that require IT to sign off on it with you, to say, “I looked at these answers to make sure they were correct.” These are the things they’re looking for: multi-factor authentication, and they want it in four different areas, because that’s actually a very broad statement.
You can put multi-factor on almost anything, any kind of access. So where do they want it? Email. Remote. So, a huge remote workforce that we have now; let’s make sure before they’re tapping into our network, there’s an added layer of authentication. And then privileged access. So administrator accounts, those that can make changes to your system, so potentially IT Solutions. And then also to your backups. We want to make sure we have really good backup files. And you’ll see bullet number three there on the left. And let’s make sure they are segregated from our network so the same attack can’t encrypt both our live environment and our backup environment. Raf had mentioned bullet number two there. Several of the insurance companies now have invested in technologies to scan your network externally. They don’t need your permission. This is something they’re doing with the public-facing Internet profile of your company. It’s the same thing the bad guys can be doing. So they’re scanning it and they’re looking for vulnerabilities, open ports, outdated software, appliances on your firewalls, things like that. And they will deny coverage when they find these issues. Fourth bullet there, employee training. I am a believer that employees are the gatekeepers to our organization.
We can go broke buying every software technology out there. But at the end of the day, we have to train our employees to be skeptical, to ask questions, to take that second before they click. They are the gatekeepers and they are the number one exploited vulnerability. And then of course, having an incident response policy: have we thought through what we would do and how we would do it and how we would communicate and who would make decisions if an incident occurs? And then a boatload of technology. It’s a little bit of alphabet soup there on the right. EDR is endpoint detection and response, IDS is intrusion detection system, next-generation antivirus tools. Those are all things that your folks at IT Solutions can assist you with. They’re going to ask about data encryption. Do you encrypt data at rest or in transit? Which really means usually over email. Are you managing patches timely? A lot of you may have heard about that Log4j vulnerability that was in the news. Did you patch it? Did you address that? And I had mentioned several of those exploits are just from unpatched systems. The Equifax breach that really impacted all of us,
unfortunately, that was from an unpatched system that had a patch available, and they were just delayed in actually deploying it. Have you done penetration testing and vulnerability assessments? Those things are going to be asked, not necessarily required yet, but really nice to have. And have you thought through who your vendors are, who your partners are, and what they have access to?
Rafael Haciski
Yeah, it’s funny, I think I mentioned this before, but as we’ve been doing renewals as of late, we’re seeing the IT directors, heads of IT at the organization, get more involved well in advance of that renewal so that they’re ready both for the discussion with the markets, but also just to fill out the applications that are needed to get it over to the finish line. So down the stretch we come. Obviously, there’s a lot of insurance jargon here, a lot of cyber jargon, a lot of risk management speech. If we boil it all down to the top five tips or takeaways, what is it that the folks on the call need to be aware of as they leave this call today?
Alexandra Bretschneider
That’s great. So number one, prepare to meet those insurability requirements. So everything that is in this green box here, start today. We don’t want to be scrambling days before your insurance policy renews to meet the requirements of today’s insurance world. So you have to review these things, get on the phone with IT Solutions and say, how do we fare? Where do we need to invest? What should we be considering? That’s absolutely critical. And so often now, on a day-to-day basis, I’m having conversations with IT and the financial side of the house to say, hey, this is how we have to do it. These are the things that are required and why; how quickly can we get this done? So you are paying more upfront to protect yourself, and probably paying more for the insurance. It’s a tough time, but it’s so necessary. Tip number two, manage your access and your patches. Right? So those are the things I’ve been talking about, having really good access controls around eliminating people that no longer need it. Least privilege is a concept that you only give folks privileges within the organization to do the least amount as required for their job.
So gone are the days that the CEO had access to everything. If the CEO doesn’t need access to everything to do their job, do not give it to them, because then they become a huge vulnerability. Getting access to their credentials gets you into the entire network. So gone are those days. Make sure you’re patching things timely. Then we’ve got our little comic there on the right. So in this corner, we have firewalls, encryption, antivirus software, and in this corner, we have Dave. Employee training. At the end of the day, human error is a huge vulnerability. And I’ve mentioned this before. We have to train our employee base. Review your insurance coverage. It is quickly changing, I mentioned, in a lot of different ways. Coverage terms are modifying. You really need to right-size it to your organization. And then prepare. What does that look like? Test your backups, create a policy and procedure and print it out. Make sure, because if our system is encrypted and we have it on our system, how are we accessing this beautiful policy and procedure that we just made to address the incident? And tabletop exercises. That means get into a room and actually do a mock scenario.
What happens? How does this work? And it’ll really flesh out whether or not your policy is appropriate. And I do have a bonus one. I know I said I would keep it to five, Raf. I’m sorry, but there’s just one more. We talk about social engineering; that is so easily controlled, we don’t have to invest any money to do it. And we could all improve our risk today. What are your policies and procedures around financial transactions? How do we set somebody up? How do we authorize it? And most importantly, what do we do to validate, if someone tells us it’s changed, that that is legitimate?
Rafael Haciski
Well, thank you very much, Alexandra. I appreciate all the knowledge. I know my brain always hurts after I speak with you, but that’s in a good way. And also let me thank IT Solutions again for allowing us the platform to share our knowledge here with regards to cyber. Ben, I’ll pass the mic back over to you and see if there are any questions that either you or any of the…
Ben Prorock
…folks on the call have. Additional questions, please keep them coming in. But one to start out: what is the difference between a cyber policy and an errors and omissions policy? Are there areas they overlap? Or folks might think they have one, but maybe they don’t need cyber. Talk through that a little bit.
Alexandra Bretschneider
Yeah, that’s a really good question. So that’s going to vary by industry. So errors and omissions is synonymous with professional liability. And it’s the idea that you would cause financial harm to someone else by nature of your professional services, whether it’s through an error or an omission, an accident. We didn’t mean to do this, but we did it, or we didn’t know that we had done this. When it comes to any folks with a technology type of exposure, whether it’s e-commerce or an IT Solutions, where technology is part of the service you’re delivering, software developers, et cetera, there becomes a blend between the cyber and the tech E&O. So cyber insurance is really unique. When you think about insurance, it’s usually either first-party or third-party coverages. So, for example, you would buy property insurance to cover your own property, right? You don’t insure someone else’s property, you insure your own. That’s first party. We buy general liability insurance in case we cause bodily injury or property damage to someone else. That’s third party. Cyber has both: extortion payments, damages to us, our expenses of paying forensics, IT, etc., etc. But if we cause identity theft, if we damage someone else’s network, any of those things, or if we have a regulatory obligation, we have to pay a fine or penalty,
these are all to somebody else. So there’s third party on cyber. When you’re in the technology-serving space, that starts to blend. How do you separate an incident from being truly just a cyber incident versus it being a result of your professional services? So when you’re in the technology space, it’s best to have cyber and technology E&O in the same program. That way, the entire third-party component is all with the same insurance company.
Ben Prorock
Makes a lot of sense. Thanks for that. So another one: you talked a lot about insurability requirements. And another question here is, is it more or less a yes/no checkbox? If you have all of those, you’re insurable and we move on; if you don’t, you’re not? Or is there a gradient there? Is it how well you’re doing each of those that may even further lower your rates? What can folks do? Let’s say they have everything on that list in place today. Are there still improvements they can do on the technology and the training side to put them in a better position to lower the rates?
Alexandra Bretschneider
That’s a great question. So if you had asked me that two or three years ago, the answer was like, hey, it’s great you’re doing all those things. The insurance companies didn’t understand how to write the risk, so they didn’t know how to give you credit for that. Now they’re certainly crediting you or not based off which of those components you have. Some of those are a little bit more nice to have. Some of those are just ubiquitously required. So MFA, everyone’s got to have it now. Regardless of size, operation, industry, it’s required. An example of a nice to have, or potentially required, is EDR, Endpoint Detection and Response. Most organizations on this call may not have that yet, but that’s going to be the next requirement of the future. You’re going to see that, probably a year from now, that’s required. So if you have it, that’s great. Which type of technology are you using? The insurance companies love the Gartner Quadrant of top providers for all of these types of things. So they will ask, okay, do you have it? To your point, Ben, it is a yes/no: do you have it? And then it’s also, okay, who are you using for it?
Sometimes. And that will also impact your risks and your rating. And at the end of the day, you really just want to make sure that you have a posture of cybersecurity. There’s always a section on the application that says, what else? Essentially, it’s a box you can complete. So there are more things you might be doing that weren’t asked in the application that you need to be sharing with your broker. Tell the story of how you manage cyber risk better than somebody else, so that you do get credit for that. Those are things that are now resulting in better rates and terms and conditions on policies.
Ben Prorock
Really helpful. Thanks for that. Final question. Let’s say, thinking ahead, that you have a cyber policy. It’s a great policy. You’ve done everything you can. Everything’s been covered. They sat in on this webinar, they’re in great shape. Then a cyber…
Alexandra Bretschneider
My work here is done.
Ben Prorock
That’s right, everything’s buttoned up. Let’s say then there’s a cyber incident. What happens on the other side of that? Are they insurable? If so, what sort of rate increases have you seen? What’s the other side of the cyber event?
Alexandra Bretschneider
That’s been a pendulum. And I will share my own frustrations with the insurance world on this. So again, a couple of years ago, they actually looked favorably on folks that had incidents, because there was so much naivety around, “Oh well, I’m not a target. It’s not going to happen to me,” that if you had one, they were like, alright, these guys know a little better. They realize they’re not invincible. They’ve learned. So we appreciate that. And we actually think they’re a better risk. That’s gone out the window. Now, there are certain insurance markets that have taken this horrible stance, and this is where I get frustrated, that if you’ve had an incident at all, or if you have an incident that’s not fully closed yet, you’re still waiting on some invoices to come through, so the claim is still open, they close the door to you and they say, “Sorry, we don’t write any accounts that have had incidents.” That has to be a very short-lived approach, because eventually everyone’s going to probably have had something. So that’s just not realistic. But it is unfortunate that it does start to then limit the number of carriers that are interested.
But more importantly than that, if you do, you need to have a really good story around it. Okay, stuff happens. That’s why we buy insurance. That’s okay. What have you done since? How did you change your policies, procedures, protocols, anything, to make sure that that doesn’t happen again? That is the critical piece, and they’re all asking it: what have you done from a remediation standpoint to make sure that doesn’t happen again? And that can make or break whether or not you would get coverage terms, and what they look like.
Ben Prorock
Okay, that’s very interesting. Really informative. That’s all we had on the Q and A, so we’ll go ahead and wrap it up there. We’re just about at the hour. So thanks again, Raf. Thanks again, Alexandra. Please reach out to them at JKJ, and of course I and my team would love to have the conversation if there are any tools or questions around IT security that you are still left with after this presentation. Have a great rest of your day, and thanks again, everyone.
Alexandra Bretschneider
Thank you. Thanks.