Placing You First Insurance Podcast by CRC Group

Preparing Clients Against the Impact of Cyberattacks

April 14, 2021 CRC Group, Mark Smith, Darren Valencia

Week after week, hackers and cybercriminals launch new phishing campaigns, develop creative digital extortion threats, and expand scams with the potential to negatively impact business operations in a big way. Cyberattacks can halt online operations in only minutes and take weeks to resolve. In addition, a cyberattack that involves the loss of customer data can result in expensive litigation that seriously impacts a company’s bottom line.

Featuring:

  • Darren Valencia is a Vice President located in CRC’s Nashville office and active member of the ExecPro practice group and member of the Cyber Specialty Team.
  • Mark Smith is a Senior Vice President in CRC’s Seattle office. He is an active member of the ExecPro practice group and member of the Cyber Specialty Team.


Dan Wentz:

Important subject today: how do you prepare your clients against the impacts of a cyber attack? It's a big problem. And not everybody's ready for it. CNBC says that only 14% of small businesses can defend against a cyber attack, and 60% of businesses that suffer a cyber attack close their doors within six months. Hackers are launching an attack every 39 seconds according to research, and experts predicted cybercrime will cost $6 trillion by the year 2021. Today, we're joined by two members of the CRC cyber specialty team: Darren Valencia is from CRC Nashville, and Mark Smith is from CRC Seattle. They're both very experienced in placing these types of coverage, and they're going to get us updated. Next is the Placing You First podcast. I'm Dan Wentz. And this podcast features news and insights from CRC's vast knowledge base of 2000 plus associates who write in excess of $10 billion of premium annually, and we're giving you insider access to what's happening in our company and the types of insurance we

Dave Foxx:

place. This is the Placing You First podcast.

Dan Wentz:

How has the cyber landscape changed in the last five years? What do you see, Darren?

Darren Valencia:

Well, so first of all, I think we've been sort of in a pretty easy kind of going world with cyber. I mean, you know, submission data was, you know, you only needed a certain amount of information. And you could pretty much get, you know, bindable quotes from markets of all sorts, I mean, whether it was your standard markets as an add on to some other policy or whether you're buying standalone coverage, you know, from a surplus lines broker in the specialty markets, you know, we were on cruise control renewed, the renewal process was fairly simple. A lot of times underwriters would just be looking for an update on, you know, on whether there's been major changes within the business. But we didn't really get into, you know, really in depth about, you know, risk management, loss control, and certainly the controls surrounding ransomware. Now, just within, it seems like almost we turn the page in the year and I know it started a little bit back in 2020, where underwriters were starting to, you know, change their way of thinking. But we flipped the year. And all of a sudden, we were in the hardest market cycle that I've seen, probably since the existence of cyber and in technology, you know, and what they're spending a lot of time reevaluating what accounts they have on the books, whether it's if it's large accounts, they're looking at the limit, they're really looking at limit management, if they're not comfortable with the controls, they're cutting limits, and increasing premiums. Virtually all carriers have created an additional supplement or additional questions on to their existing renewal applications, looking deeper into those controls that they have for malware and ransomware attacks as well as, you know, monitoring for phishing emails and things of that nature. Underwriters have really taken a consistent approach that it's almost as if they're re-underwriting every single account.
And this doesn't just impact our large, you know, five, six premium, six figure premium accounts and large limit accounts. This is impacting our small SME business as well.

Mark Smith:

Well, yeah, it seems like every carrier has been coming out with a ransomware application the last month or two, and it's becoming mandatory. From an underwriting standpoint, I just have, you know, the three initials MFA, multi-factor authentication, it seems like you can't get a quote now with a lot of risks, if they don't have multi-factor authentication, particularly with regards to email access, which a lot of our smaller firms don't have I've been looking at. In fact, just today I had a renewal that came up. And the client said, Yeah, we're going to get an implementation, MFA implemented, you know, in the next several months, well, those months are, you know, several months later, and we're finding out they still don't have it in force. And so my underwriter followed up. So my retention's going to go up from five to 10. I have another account, they jumped it from five to 15. So we're seeing MFA becoming absolute mandatory. And that's not the that's the case, but really seems like with all the standard markets, so that's, that's been a real wake up call. Because a lot of firms are a little slow to respond to this. I just think the landscape overall is just remarkably different. I mean, five years ago, you know, the kind of claims we really talked about were the great big, you know, cyber hacks, you know, the Anthem attacks and Target attacks. And then, lo and behold, you know, in the last 18, 24 months, you know, it's all been ransomware, ransomware all the time. You know, and now the ransomware attacks, we're reading there, we're seeing I haven't seen these, I've had a lot of ransomware claims, but I haven't seen them where they've also, you know, threatened to release their data as well as you know, a greater incentive to make the client pay up. But the amount of attacks that are coming out now are at such a pace where, like, you're probably seeing every week, we're having claims hit our books every week, and it's primarily ransomware attacks.
But don't forget the social engineering attacks, too. I mean, those were always in the background. But those are routine, I had an account that had three separate social engineering attacks. The first one was relatively small, it was 50. Well, it was just the precursor, of course, with a big payday. So they went from 50 to basically 100. And then they came up and went over several hundred thousand. And all told, you know, it's almost, you know, 300, $400,000 they've been bringing in, so, so the landscape has really changed with the nature of the attacks, and the frequency has been increasing. And as you said, you know, the underwriting has changed dramatically. And I've seen probably, you have to some of our carriers now are putting lower sublimits on the ransomware. I mean, the ransomware coverage, just really extortion. But you know, they're putting sublimits on that, or even coinsurance and one particular carrier that's really well known that has three initials to their name, you know, sublimit, coinsurance, and that's really a problem. And then we have the other issue, too, that's changed the landscape, which came out last fall was the Office of the Treasury, OFAC came out and said if you make certain payments, and these are on the OFAC list, which that basically saying you may be paying to terrorists, you know, you may be subject to jail or a fine if you pay them, well, what is the client supposed to do? You know, they got to rely upon their cyber carrier, and how sophisticated is their cyber carrier to identify, you know, some carriers are saying, Yeah, we can look at their blockchain wallet, we can kind of identify who we think maybe is on the OFAC list, and we'll have to tell you what don't pay, you know, so then you're not going to get your data back. And so that's going to lead to, you know, a major data restoration claim, business interruption claim, reputation loss claim, and potentially, you know, a breach response claim.
So these ransomware claims aren't affecting just, you know, it's not about paying that that ransom, you know, it triggers so many different aspects of these policies. And I think a lot of our small SME clients just don't fully understand of the nature of how these can just morph and expand out and cause them so many different types of losses under this, this policy they're purchasing.

Dan Wentz:

So you talk about the the costs associated with a cyber attack, what are so what are those costs, right? What are what are these small clients, especially that aren't very sophisticated with when it comes to protecting their cyber landscape, so to speak, what are some of the costs they're going to experience? if they if they have a, an issue?

Mark Smith:

Well, I will say this, that NetDiligence came out with a report just recently, they said that the average costs of a ransomware attack, just just the payment, okay? So that's the first cost to talk about, has gone from about $15,000, up on average to $175,000. Well, for a small client $175,000 is a lot of money, okay? I don't care who you are, right? Particularly if you're, you know, if you're buying a 2015 level or cyber policy, you've got to be 175,000. Now, that's on average, okay. But we've also seen some of these claims, you know, have gone into, you know, the seven figure account, and that's not that uncommon anymore. But then you got to jump in, you know, the first thing is clients have to do is you're gonna have to do some sort of a forensic investigation, and that can run you $500, you know, five to $750 an hour to hire those forensic firms. Couple years ago, we had run into a client that had an event and the forensic expense, basically, by the time they were done, had jumped up to $250,000. You know, they had to get somebody there, it was in a remote location, they actually flew somebody out. And it took it took several weeks. And that's, that's an incredible amount of money for anybody to have to bear, especially a small SME account. So you're looking at the present costs, and then of course, the business interruption expense, while your network is down. I don't even really want to quantify that, because that's so different for each client, and how long it's going to take them to get the system restored. And this applies to any kind of event really, you know, if your network is down, so that that can drive the cost through the roof. We had a client happen a couple years ago, we were looking at an event that basically cost over a million dollars of lost business income. So that was actually a combination of their loss of income and their clients that were relying upon them because they were doing some hosting. So it was a very serious event.

Darren Valencia:

Yeah. And then I also think, too, I mean, there's the then long term costs, you know what trust is, is still with that that particular insured business and with its client base. Do they have long term revenue loss or income loss because loss of clientele trust, you know, obviously with the cyber liability insurance policies today we work very hard to ensure that there's reputational harm expense coverage and things related to that so that they can take so that the insureds can take advantage of that and, and do that necessary PR work. We all know how easily information and news can spread about pretty much anybody or any business with, you know, social media and, you know, regular TV media so it can spread fast and get through, whether it's a small community or whether it's something on a national level, it can really impact the business's long term. And you know, P&L statement,

Mark Smith:

You know, with that recovery, you got to restore your data that, you know, to get back up and into operation in you know, some of the forms actually don't really cover to recreate the data from scratch, some just come out and say, we're going to basically pay you up until the time we find out that we can't actually recreate or restore your data, and you're done. But some of the policies, you know, will actually pay a lot and, you know, physically recreate the data, the electronic data, and I'm in a situation or one right now, where it's it's becoming fairly contentious, because they have used their staff and hire outside independent contractors. And we've got all this overtime coming in right now. So they're paying their own employees some overtime, and they're using outside independent contractors. And next thing, you know, you're talking about some, well, we're on our situation, we've got some serious money right now for overtime. And then I hadn't really thought that through, because I hadn't had that situation before. So that's just one of these other things that might surprise some clients go, Wow, that that adds up quickly.

Dan Wentz:

Yeah, so why should clients not handle these incidents on their own? I mean, there's probably some clients out there, I think they can handle it right, we'll just make it go away on our own. Obviously, there's a lot of reasons that you guys have already specified. But what do you think?

Darren Valencia:

I mean, you know, one thing that I think going back to one example that Mark just mentioned about, you know, what we have the issues we have with OFAC and, and how they're handling, you know, extortion payments. But again, I've actually experienced some of my larger accounts that, you know, they've spent a lot of money on insurance, they buy large limits, they have, they have sophisticated IT staff and support, internally, they think that an incident or attack is manageable in the beginning, once they realize that it's going to, it's going to, you're going to need, you know, a different type of engineer or forensics specialist to come in and really address the issue because it's a larger problem than originally anticipated, you might have already created more problems for yourselves, the malware is in there, the bad actors could continuously be trying to steal information, they could continuously be committing fraudulent instruction claims or invoice manipulation type events, while the, you know, IT staff is trying to address the problem. Once the case, if you have insurance, and if a carrier tries to step in you, you might have already created more of a mess. And again, it's all about, you know, expense management. The one thing is while the costs are continue to rise and evolve with cyber attacks, our industry and especially the forensic sides have become efficient. And they have learned how to deal with things a lot quicker and differently than they did say 10 years ago. So it's really important to rely on the experts who have the experience who are dealing with these data breaches every single day. And these cyber attacks to get in there and do the work necessary to get networks back up and running to ensure that that information is safe and protected. And you know, I've had situations where a cyber attack, it turns out not to be as big of an issue that it was originally thought. And then vice versa.
We've seen those attacks where we thought that wasn't really that big of a deal can probably be straightened out pretty quickly with some some quick updates or changes within the network. And it turned out it was a it was a real major problem. And it was a massive attack and it created a larger scale problem. So again, it's just like, we're insurance brokers. I would not you know, if I was a non insurance person, I would not go out and try to place my own insurance for my business. Same thing if I you know, was in got sued, I wouldn't try to defend myself in a court of law I would hire an attorney to to represent me. It's the same thing. Let the cyber liability experts the insurance carriers and the forensics people represent the business owners and get the the attacks under control quickly.

Dan Wentz:

It sounds like from what Mark said earlier, a small attack could turn into a big attack that could be just the precursor to you know, a much larger, much more sophisticated attack. They're just kind of feeling out. So if you don't respond quickly enough, it could turn into something huge.

Darren Valencia:

And it could from a regular whether it's regulatory issue, because you didn't respond quick enough. And you, you know, there was some there was a more traditional type of data breach where, you know, PII or PHI had been impacted. But also an example, I had actually turned out to be one of my agents that they had a malware attack. Their IT professionals took care of it pretty quickly that it did not lead to any ransom, or extortion threats. But about nine months later, they realize that the malware was still sort of lingering in their network, and they had a couple of social engineering type attacks. And they realized that it was actually happened to be around tax season, they realized that they were unable to access some documents that were on a hard drive, that they were important, and were needed for their CPA to do taxes. So that information was lost, and it was going to cost thousands of dollars to have to recreate it. And so the problem manifested further, even though they thought that it was it was taken care of.

Mark Smith:

Yeah, I have, I have a story about a non buyer. We presented the cyber coverage we wrote, we wrote the rest of their account. And we received the notice that they had midterm not renewed their policy, we thought, Oh, well, that's interesting. And, you know, you get a notice of, you know, requests, you know, lost policy release, cancel policy. And we read in the bus Regent journal, just like a couple months later, here's our insured, we found out they went bankrupt. They had a cyber event, they didn't buy the policy, we had the quote in the file that was presented, they thought they didn't need the coverage. And here they had such a large data breach, and there's no way they could, you know, pay for the notification, and then all the response costs, you know, and I thought about that a little bit later, well, they went bankrupt. But that still doesn't excuse them from a potential regulatory claim, they weren't able to even notify. So I thought, Oh, my gosh, they probably got sued as well, particularly because they're in California thought there's a double whammy. So clients are thinking, Oh, we can handle this on our own, you know, when it gets too expensive, and they can't, it could force a lot of companies into bankruptcy. In fact, there was a few articles that came out a few years ago, that talked about the number of SME businesses that did not survive a data breach, and that should close their doors, you know, then to think about that they could have a regulatory claim. Following that situation, they're gonna be hurt.

Dan Wentz:

The first thing I was gonna say is you hear a lot about cyber attacks, you'll hear about them in the news, but you don't hear about all the companies going bankrupt, or all the results from it. So it seems like a really, really big issue, especially the way you describe it, Mark. How has coverage changed? Recently, you know, cyber is is definitely always evolving based on the attacks and the threats. And, you know, just the cadence and what's happening there. He talked a little bit about how the coverages changed?

Mark Smith:

Well, I would say that we had, we had some really, really rapid changes in the last five years, the policies were evolving, and, you know, was part of, you know, the typical stock market, the carriers were all rushing to come out with the, you know, the, the most comprehensive coverage forms, and that is certainly slowed down in the last year. But I would say that, you know, it's kind of in the details where the coverage has changed is probably where the brokers you know, go and they they poke the bear a little bit saying, hey, let's look at our business interruption coverage. Now, you're only going to provide, you're only going to cover a period of restoration for six months, can we get that 12 months or with with reputational loss, some some markets only give you 30 days, others give you 12 months. So it's kind of in these these details, I think that we see some of these carrier changes. And a lot of times it's incumbent upon the agent or the wholesaler to go back to the carrier and see if we can get some of these things amended, but we really haven't had much that's been earth shattering. A lot of the carriers have kind of stepped up and offered contingent bodily injury coverage with a sublimit on the policy. The cyber crime coverage has changed. Some of the markets didn't offer invoice manipulation coverage, or other types of forms of business impersonation. So that's been changed somewhat. And then a few of the markets have refined their regulatory coverage somewhat to broaden it out a little bit. So but not nothing earth shattering. But still, all these are very important for a particular risk. And I would say this, that there's no perfect policy for every risk. So there's a lot of nuances in these policies. So one one policy might be perfectly fine for one risk and another might might certainly need some some coverage enhancements or some coverage changes made.

Darren Valencia:

You know, one thing too is actually Dan I went back and looked at some old PowerPoint presentations I used to use when almost seven eight years ago when I would do cyber presentation. You know, these were things I did at agencies like a lunch and learn or even I did it on a larger platform of trade shows or, in fact, I even did some CE classes in the past. And, you know, it, there was so much focus on third party loss on, you know, seven, eight years ago. And today, you know, we've we've really broadened the policies to be about that first party loss and how that's impacting businesses. And I think that's especially important for the SME businesses. Because that's primarily what I think, at least in my book of business that we see most of is more of that first party loss, the ransomware attacks, the social engineering attacks and the business interruption issues. But overall, I agree with that. It's been a lot of just tweaking of wording, and just kind of getting things tightened up in that work a little bit better for some of the issues we're dealing with right now.

Dan Wentz:

So what is the current pulse on the market right now? So how are markets responding? And what is their current thinking with all this?

Darren Valencia:

Well, I mean, certainly, like I said, in the beginning, I mean, we are in a very hard market cycle. And, you know, I think that the way that they're responding is that once they've had a chance to underwrite an account, they're trying to determine is it you know, is this a high risk account? Because they have lack of controls? Do they have a longer timeline, I think Mark had mentioned earlier about, you know, timelines for businesses to implement certain changes, like getting a multifactor authentication, closing up open ports, for remote access. You know, if there's a longer timeline, the underwriter's not going to be as confident on that account, a couple of scenarios, I've had underwriters suggest doing policy extensions, versus renewing the policy, even if even if we were given the opportunity to increase deductibles or, or get more premium, they would prefer to extend the policy, we are seeing on average, around 20 to 25%, increases across the board. And and then of course, like we talked about before, you know, underwriters, really looking at limit management on those larger accounts, where do they want to play? Another area that I've had some trouble in myself just in the last couple of days, is that you know, whether or not our limits are being cut on renewals, or we're getting opportunities on new business where they need higher limits. The excess pricing is not necessarily in line with where it was a year and a half, two years ago, where it'd be a certain percentage, say 65 to 75% of what the primary premium is. Now it's 100% or 110%. And it's it just isn't really it's just not, you know, working in favor of the insureds. So it's definitely not a buyer's market. It's a very it's it's a it's under a hard underwriting market.
And we really need to be, you know, working in talking with underwriters about their approach on accounts, especially our larger accounts, we really need to know in advance what their thinking is, so that we can be prepared, especially if we have to remarket because remarketing is not an easy process right now,

Mark Smith:

You're right, we you know, we have to start remarketing immediately, a lot of these risks, we need, you know, two to three months out, we're seeing many carriers come back and say these are specific classes we no longer want to write. So we're going to give you a heads up. So you may want to get these you know, so we don't actually have to issue a cancellation. But we want you to move the account. For example, you know, manufacturing some risks. Some carriers don't like manufacturing, others do not like contractors, some don't like real estate, I just had one got a notice on a large collection agency that we've had to replace. So we're at the same time all this is happening, you know, the rates are going up. Right. And you mentioned that the excess is going up too, right. And I just had one this week where the rate on line was about 150% on the primary. I mean, the primary was so cheap, you know, I was like what's wrong with that carrier? Right? And same time, we're getting lots of requests for higher limits more than we've ever seen before. It's not it's not you know, you know, 10 million, we're getting requests for 15 we're getting requests for 20 right? So it's it's creating a lot of challenge try to get those those excess placements and you know, and plus the excess markets don't necessarily, you know, like to drop down over over certain sublimits, particularly the cybercrime sublimits. I also had, you know, gotten heads up going to cut our cybercrime. So then, you know, we're starting to look much more to the standalone crime markets for a lot of this coverage. So I had a request where they had a contract they had to have, you know, they had to have a $5 million for computer crime and Funds Transfer fraud. You know, in my cybercrime career, it's like, nope, we're gonna cap this at 250. So, boom, you know, we're out, you know, placing standalone crime. You know, as a wholesaler, we don't typically do a lot of standalone crime.
But we're getting our feet wet right now. So it's creating a lot of market challenges to go forward.

Dan Wentz:

What should the insureds know? And what do they need to understand about cyber insurance? Especially right now, is more required of them?

Mark Smith:

Well, yeah, that's kind of what our overall conversation is, the insureds need to be educated about the fact that we were in a different world, you know, five years ago, it was like insuring a house, you just had to have windows and door locks on your windows and locks in your doors, it was that simple. Now, you know, you need a full alarm system, just to give you a kind of a, you know, an example, you know, you need to have, you know, the MFA needs to be put in place, we've got to have some, some markets are requiring endpoint detection, off site backups, or cloud backups, they need to be tested, they need to be done routinely, or, you know, standalone devices, there's so much now on the risk management side. And I think that that's going to be our challenge. I think during my challenge, we have to probably help our retailers understand going forward, you know, the the new world we have is going to require a lot more risk match, but it risk management in place, so that our clients are going to be insurable going forward. And I think that the small, the small insured, out there is always going to be a challenge, because this is, you know, they haven't bought the coverage. You know, a couple years ago, the last year or two was a fairly expensive purchase. I mean, we were doing deals as low as $1,000. And some of those deals are now going to be three, four, or five, six, even $8,000. So it's going to be a lot different for them. And that's a big chunk, especially coming out of the financial situation, we've had this last year, where a lot of people's you know, balance sheets are impacted, the revenues are down, they're like, I can't afford this, but they can't, they cannot not afford this, they have to buy this coverage. I mean, it's just one of these coverages.
Now, that is really my mind, it's a make it or break coverage, you're gonna go broke, I think if you have a major event, so I'm just getting clients to understand, like, you need to have this coverage to get a claim, you're not going to look to your GL policy, you're not going to do your DL policy, you're gonna have to have something in force. And we get a lot of claims that come in the door under the neath the No, because they don't have cyber saying, Hey, we want you to cover this, again, oh, policy, but you know, that's excluded. Sorry, folks. So there's a lot of education. And I think the carriers are doing a much better job educating, providing resources. And the other thing, I think the carriers are really good at good job of providing are their cyber scoring and their scans that they're doing. We're using our cyber right tool now. Where we can offer, you know, basically a scorecard under the state of cybersecurity for free, we can provide them with benchmark tools, in terms of what peer companies are purchasing for a limit, and potentially exposing them to how big a breach might be with some of the tools we have now. So I mean, I think our toolbox is a lot better than it was we help our brokers and their clients understand their exposures.

Darren Valencia:

Yeah, and I think also, too, I mean, you know, the value that the insurance policy brings, is really important, because, you know, the insured is spending money, and I'm sure any, my retailers that would be listening to this will all sound like a broken record to them, I always when I have the opportunity to speak to an insured or business owner in a meeting or on a call, as I always say, look, we don't want you to buy this policy and file it away, hoping you never have to file a claim against it, you take advantage of what services the carrier does provide this, like Mark was saying all the tools in our toolbox, all the loss in risk management control services, these e risk platforms that a lot of these carriers have, as well as what the information that the scans provide. They're so valuable to a business owner, especially the SME accounts, you know, we know that our Fortune 500, 1000 businesses out there spend thousands, if not millions of dollars on risk management, and looking for vulnerability control. But you know, the average, you know, private, closely held business, you know, kind of like the local bakery or the small CPA firm, you know, they just don't have the resources for that. But they're just as vulnerable to these attacks as a large corporation is. And so it can be as we talked about earlier, it can be extremely devastating financially to them and even put them out of business if they're not prepared. And we have and we like I was saying very, very early on in this in this recording is that we have to have, we have to help business owners find ways to be proactive versus reactive and these loss control services will help get them moving on that. So I think selling that and reminding them lastly too as well as our agents, because it's just as important for agents to understand this, that, you know, there is no universal forms of cyber liability. There's no you know, ISO form or anything along those lines.
So, you know, every there's a lot of products out there. And there's a lot of ways to purchase the product. Having expertise involved in the buying process in the quoting and buying process is just as important as needing the insurance to protect your business.

Dan Wentz:

Well, thanks a lot, Mark. And thanks a lot, Darren, for joining us today. I think it's been great. And you can find Darren and Mark of course on our website at crcgroup.com along with all the members of our ExecPro practice group and the people who specialize in cyber, they're all up there ready for you to search on the producer search and they all you guys have a great practice group going you share a lot of information, you're interconnected and everybody is sharing what the markets are doing and what they're seeing so that you benefit you know, our retail clients benefit from all that. So, thanks a lot guys, and hopefully we talk again soon.
