Placing You First Insurance Podcast by CRC Group

Cyber Insurance Remains Critical as Ransomware Attacks Rise

CRC Group, Hunter Maskill, Chris Zepeda Episode 96

Learn more about navigating cyber threats and insurance with insights from Hunter Maskill, a Director with the CRC / INSUREtrust Cyber Practice Group, and Professional Lines Broker Chris Zepeda. Ransomware attacks are making a sophisticated resurgence, approaching the concerning levels of 2020 and 2021. Despite strides in incident response, the financial strain from business interruptions and legal battles lingers. While current market conditions may seem buyer-friendly, the prospect of increasing claims warns of coming premium adjustments. Listen as we dissect the delicate balance between competitive pricing and sustainable risk management, ensuring you're prepared for the challenges ahead. The landscape of cyber insurance is ever-shifting, and understanding coverage nuances with the help of specialists is crucial. This episode is your guide to staying ahead in an era where cyber risks and solutions constantly evolve.

Visit REDYIndex.com for critical pricing analysis and a snapshot of the marketplace.

Do you want to take your career to the next level? Join #TeamCRC to get access to best-in-class tools, data, exclusive programs, and more! Send your resume to resumes@crcgroup.com today!

Amanda Knight:

Welcome back to the Placing You First podcast. Today we're tackling the evolving ransomware threat and the critical role that cyber insurance plays. We're joined by Hunter Maskill, a director with the CRC / INSUREtrust Cyber Practice Group, as well as CRC Professional Lines broker Chris Zepeda. This is the Placing You First podcast from CRC Group.

Scott Gordon:

This podcast features news and insights from a vast knowledge base of over 5,100 associates who write more than $35 billion in premium annually.

Amanda Knight:

Plus, we give you the latest information on what's happening at CRC.

Hunter Maskill:

This is the Placing You First podcast, and now the hosts of the podcast, Amanda Knight and Scott Gordon.

Amanda Knight:

Thanks for joining us, guys. Thanks for having us.

Scott Gordon:

Yeah, well, let's get right to it, fellas. Ransomware attacks are obviously increasingly sophisticated, we're hearing this every day, with double and triple extortion tactics becoming very commonplace. So what trends are we seeing now as we head into 2025?

Hunter Maskill:

Yeah, thanks, Scott. I appreciate that. You know, what we're hearing from the vast majority of the carrier partners we speak with is that ransomware continues to be up. So if you go back a couple of years, into 2022, there was a very significant drop-off that was mostly attributed to the war between Russia and Ukraine, and then we've kind of seen it tick back up consistently over the last couple of years.

Hunter Maskill:

As we enter '25, I think that's certainly at the forefront of all of our carriers' minds, and just in the market in general, is that claims continue to increase. We're trending back very close to the levels of '20 and '21, where we saw those all-time highs. And it's not just the individual attack, right? We're concerned with any sort of systemic or industry-impacting attacks. So we saw, you know, Change Healthcare in the healthcare industry and CDK, both in 2024, that were major systemic events across a certain industry, and we even saw the CrowdStrike outage across all industries, for anybody that used that platform, as a systemic event in 2024. That's what really keeps you up at night. Most carriers are financially positioned to be able to pay a claim for any one customer. What concerns them is if there's a single event that hits 75% of their book.

Hunter Maskill:

Chris, you got anything you want to add?

Chris Zepeda:

Yeah, no, I would say, like Hunter mentioned, claims are on the rise, but it's not like '20 and '21, which was the highest the cyber market had ever seen.

Amanda Knight:

In regard to some widespread, systemic events, to the point where the average person saw the effects. So, with that in mind, what can we say about the real-world impacts that are hitting businesses?

Hunter Maskill:

Yeah, I think there are a couple of things that we think about in the way that breaks down across our clients. There are specific aspects of a claim, whether that's breach recovery, whether that's a class action lawsuit that comes on the back of it, whether that's a business interruption claim, right, lost revenue that comes as a result of an outage. You know, we've gotten really good at the very first part of that, the incident response, right: how to hire a breach coach, how to hire a forensic vendor. Those costs continue to be refined and managed, and when managed properly they can actually be, you know, quite reasonable for the work that's being done. I think the real-world impact that we're most concerned with from a cost perspective is the rising cost of what business interruption claims are causing, right? So when clients are down, or out, or unable to conduct their business operations because of the time that their networks are offline, those are certainly rising, those are certainly more complex. It's the most difficult portion of a claim to adjust. And then, when we get into class actions, we're seeing a significant rise in the amount of litigation or regulatory investigations that happen on the back end of a ransomware attack, or even not a ransomware attack, in instances where it's just data theft. Quite often, if you have to notify a population of any reasonable size that their data could have been compromised, you're seeing a class action filed within a week or two weeks after that, and quite often several of those that are going to end up being consolidated into a single matter.

So we're seeing all of those things fit together for our clients to say we're getting better at the incident response, but the longer-tail exposure that starts to exist, which is business interruption claims and the actual litigation that follows on the back end of this, or the regulatory investigation on the back end of this, those things are driving up the cost of a claim for our clients and are really becoming a little bit more tricky in terms of, okay, what's the proper amount of limit to buy? How do we ensure that we are protecting ourselves and not leaving any risk uninsured?

Hunter Maskill:

I think the last thing to think about is: okay, we talked about that increase in the size of the claim. What does that mean for me in terms of real-world impact on my premium? Despite all of that, the market remains relatively soft, which means it's a buyer's market. There are favorable terms and conditions for our clients out there to be had. There's a lot of competition for our business. So while we're having a rise in claims, and have continued over the last couple of years to see that, we're not seeing a corresponding change in pricing or a great restriction in coverage. But you don't have to be a real market expert or a real market savant to see that those two things can't continue in perpetuity, forever. You can't have a rise in claims and a decrease in pricing forever. So there will be an inflection point, and that will be a very real-world impact.

Hunter Maskill:

I think what we are all most concerned with is not going back to the pricing experience of 2020 and 2021, which was "here's your 50% increase and it doesn't matter what you're doing," or "here's your 100% increase and it doesn't matter what you're doing." I think this time around we've gotten a lot better at risk analysis and risk selection as an industry, which will allow us to be a little bit more targeted. We've already seen the first couple of those, maybe an insurance company stepping out and saying we need a little bit of rate in this portion of our book, but the rest of it is still performing well and we're still healthy and we're still open for competition there. So there are just different ways that this could go whenever the next firming of the market cycle happens.

Chris Zepeda:

There are a lot of reasons to think it won't look like the last one. For businesses, a way that a claim could affect them beyond what they may think would be obvious:

Chris Zepeda:

I think forensic investigations can be a bit more expensive, especially for a slightly more complex insured, than maybe they realize, especially if they don't have a tool like EDR, where they can pinpoint a lot more data on how a bad actor accessed their network. It may be a large fee to try to find out if the bad actor is still involved or not, and the more complex and the larger the network, the more time and money it may take. For a smaller business, maybe it would be any kind of business interruption concern, especially when margins are very thin. Or is there a large online presence where customers are unable to use the services or buy their inventory? It can be quite sizable if they don't have a fast-acting solution, either through a carrier or through a vendor. It can add up pretty fast in ways that they wouldn't have imagined.

Scott Gordon:

Clearly, ransomware can deal a devastating blow to any business, big or small, and I know that we've touched on this a little bit previously. But what proactive steps can businesses take to strengthen their defenses?

Hunter Maskill:

There are a ton of different things that exist in the industry to help an insured become a more valuable risk, in terms of insurance premiums coming down, which is something we're all very partial to, but also just what makes them more secure. I think what we've gotten, again, better at in this cycle of the market is saying not everything applies to every client. So for our clients that sit in that SME segment of the portfolio, we're going to focus on really the core essentials. Multi-factor authentication has become kind of the seminal one-stop: if you're not going to have anything else, let's start here. But we also know that it's not a silver bullet, and there have been instances of people working around that. But we want to see multi-factor authentication. We want to see it enabled for remote access to a network and on an email platform. We want to see backups that are stored offline or disconnected from the network. If you have that combination of two controls and you sit in that small-to-medium business size, that's kind of what the insurance industry is looking at as a starting point. Then from there, all the other stuff that we do kind of ends up on a sliding scale of: are we a good, acceptable risk? Are we better than the average risk? Or do we sit in this best-in-class bucket at the very top and get the absolute best terms and conditions from a carrier? So there's that variation. And then, as you go upstream in terms of client size, you see things like endpoint detection and response technology, which is called EDR, or sometimes MDR or XDR, which is really about: if something gets in and malware starts to run on a specific computer device, it can stop that malware, it can isolate it, it can pull that machine offline and contain it to where it doesn't spread to the rest of the network.

So we have seen instances, and the technology is so good, that there are certain carriers out there that look at specific EDR providers and say, if you have this platform deployed within your network, we'll actually give you an extra 10, 15, 20% credit because we believe in it so much. So we've had clients of ours that said, hey, look, we had ransomware deployed on this server, this cluster of machines, but we were running a specific EDR product. That product contained it within these 10, these 20 machines. So instead of having a ransomware attack that takes down the whole company, you have this one little aspect of it that is really the affected portion.

Hunter Maskill:

Obviously, in that world, like Chris was just saying, you don't have the large business interruption outage. As a company, and talking about day-to-day implications, you're able to still function. You're able to still conduct business, generate revenue, which is all the things that we're certainly interested in. And then the larger you go, if you get into large enterprise-style clients, right, there are technologies that they want to see. They want to know that you have 24 by 7 monitoring of your network in the form of a security operations center. They want to know that if something is going to happen, you're going to catch it in the fastest way, in the fastest time possible.

Hunter Maskill:

So we're going to shrink the time to response, and that you've tested an incident response plan, just like we have fire drills in schools. You don't want the first time you're trying to figure out how to get out of a building to be when somebody pulls the fire alarm. Same thing with an IT issue, a ransomware attack. Don't be testing that for the very first time when you have a ransomware attack. So those things become more important the larger you are as a client or a customer. But insurance companies, once again, have gotten really good at discerning, okay, this is this size of risk, these are our expectations, and because they've been so clear in their messaging, we, myself and Chris, when we come to a client, can say, hey, your industry class, your size in terms of revenues or employee count, we can intersect those two things and say this is very clearly what the insurance industry will expect of you, and we can create a better buying experience for our customers in that way.

Chris Zepeda:

Yeah, to piggyback off of what Hunter said, an incident response plan can be such a great thing. A lot of business owners or CTOs have said the day of a breach has been one of the worst professional days of their career. So to have a little bit of knowledge of what to do, who to call, who to email when you have such a dramatic situation unfolding is a great peace of mind and preparation for a business, no matter the size. I'd also like to highlight, you know, backups are great. They really need to be segmented for them to work. We've had clients where they had great, up-to-date backups, but they were encrypted with the rest of the data in a breach. So unfortunately they did not really help them in that specific case. And MFA being implemented fully across the entire network, as much as humanly possible. There have also been situations where breaches have occurred on the endpoints that didn't have MFA. It was 80%, 90% implemented, and the one that didn't have it, that's how the bad actor got in. So those are all ways to use tools properly to really secure a business.

Amanda Knight:

So you know, MFA, EDR, having a good incident response plan, I feel like those are, you know, very automated, like sort of that steel wall of defense, right? But then we also hear about the role that human error, you know, that human element, can play in something like a ransomware attack. How do we guard against the people part? How do we guard against that human error piece of this?

Hunter Maskill:

Yeah, you know, a long time ago, when ransomware attacks were just becoming a novelty, a concept, you know, maybe almost a decade ago, people were just kind of starting to explore cyber and all the things that it can be. You know, we were sitting on a panel one day and I heard an IT security expert that I really respect in the industry say something that has really stuck with me for a decade now. He said, right, like, your employees are your largest asset as a company by far, but they are also the most likely person that will make the mistake that will lead to whatever IT issue that you have, whether that's clicking on a link or opening an attachment that they shouldn't, or whatever it may be. So employee training is absolutely critical. It should be done; it should be one of those core controls. We do it within CRC. We have our consistent quarterly trainings, and we would encourage every single one of our clients to have that sort of consistent training that they're making sure that they're doing. However, and this was the part that I loved, is you'll never educate your way to zero. You will never, ever have so much training that somebody won't click on that link, won't open that email, won't do what they're not supposed to do. So on the back end, it is educate, educate, educate, and then make sure that if they do click that link, if they do open that email, how do we make it not matter that much? Right? And so what happens generally is, when you open that email, click that link, enter those credentials where you shouldn't, right, the bad guy now has control of you, or, let's say, my computer. Right, they are now Hunter Maskill within the environment. But what does that mean? Right, that means they can send some emails out.

That means that they can go into some file shares, but that doesn't mean that they have the keys of the kingdom and can go in and shut down the network.

Hunter Maskill:

So for them to execute a proper ransomware attack, they need to do what we call escalating privileges, which means go from that end user that you phished, that you got their credentials or that you got access to their machine, and you've got to get all the way up to the keys of the kingdom, what we call a domain administrator. So how do they move from point A to point B? It depends a lot on the type of the entity, the infrastructure, how many people have the keys of the kingdom. There are a lot of different technical factors that exist there, but for as many technical factors as exist, there are technical controls that you can have there.

Hunter Maskill:

You can have separation of duties. You can have internal MFA, so even those domain administrators have to multi-factor if they're inside the network, right? We always think about external access; there's MFA for internal, for those privileged users. There's implementing the EDR technology that we've talked about, right, that can contain that. There is monitoring on those super-sensitive assets that exist within an organization. So, you know, we move from the IT, which is kind of this human training, we've got to talk about it, we've got to educate, all the way through to the "hey, if this all goes wrong, how do we make it not matter that much?"

Chris Zepeda:

And that's really focused on a lot of those technical controls: the separation of duty, separation of servers, and then the protections built in around there. Phishing simulations can help employees, which will probably be the way in, as you can't, like Hunter said, make that 0%. But what do you do when it does happen? What controls do you have in place when you do have an employee error? I think Hunter got that down pretty great for Amanda and Scott.

Amanda Knight:

I know that we get fake-phished all the time to try to train all of us. I want to report that I get a gold star, because I will report an email as phishing all the time. If I have any doubt, I'm not clicking that.

Scott Gordon:

Yeah, but even, like, I consider myself pretty sophisticated with that stuff. Like Amanda said, I'm sending them in all the time, but they put one out one time that, I forget whether it was just absent-mindedness or force of, you know, instinct or whatever, I hit it, and they were like, uh-uh, good thing this wasn't real, Scott. And I was like, yeah, good thing, because we all have a lapse in judgment sometimes.

Amanda Knight:

Yeah, I think it's when it hits you when you're super busy or distracted, right, and you don't really take the time to look super carefully. It can totally happen to anybody.

Scott Gordon:

I mean, we've all worked for the place where there's that one old guy who always forwards the email joke or whatever. But I'm not that guy, and I still got it. So, on the flip side of things, how are insurers adjusting to these threats, and what should businesses look for in their cyber policies?

Hunter Maskill:

Yeah, I mean, I think, you know, we're in a soft market cycle, as I said. So right now it's buyer-friendly, right, so we're not seeing a lot of new exclusions added to policies. You know, there are a couple of small, nuanced areas where we're seeing things like wrongful collection, which has nothing to do with a data breach or ransomware attack: collecting or using data in violation of one of these data privacy laws out there. And then there's a class action lawsuit against the insured for their data use practices or how they're collecting data, and it could be as simple as just how you're tracking cookies on your website. Those things are evolving at a very quick pace. That's probably the most active area where we see policy language changing that's meaningful to our insureds.

Hunter Maskill:

We're seeing a lot of carriers also make changes around the war exclusion, and that's being driven by reinsurance markets that are really moving towards language that came out of London a few years ago, but in reality that hasn't overly affected a large swath of claims. So right now the good news is it's still a good time to be a buyer. We're still making sure that we're looking for full limits. There really shouldn't be anything sublimited on your policy these days outside of crime, cybercrime being part of a cyber policy now. We see that in terms of wrongful transfers of money. But other than that, the insurance industry has responded with very good, very broad policies that we've not seen before. But you're only going to get that if you're buying a true standalone policy from folks like myself and Chris, who are out there broking this every day. If you're buying a bolt-on to a GL policy, or you're relying on the cyber within a property form or something like that, you're going to have a very different claim experience as opposed to that standalone cyber market.

Chris Zepeda:

Yeah, and, you know, buyers should be careful on business interruption. Sometimes they're like, it's full coverage, but you look in the details and it's sublimited for non-IT third-party BI or something like that. It'll have sublimits for certain types of business interruption, which is something to be aware of.

Amanda Knight:

I mean, just listening to you all talk about, you know, the differences between standalone policies and add-ons, you're clearly just talking out of your expertise and your knowledge, right, and the information just flows right on out. So this is a complex topic, and you guys are so articulate about it, and you're wholesale brokers, right, obviously you're with us. So what difference does working with the right wholesaler, hopefully CRC, make for agents and insureds? I mean, off the top of my head, I would say you know what you're doing, you know what you're talking about, but is there anything else you'd want to highlight about the real benefits of working with the right wholesaler?

Hunter Maskill:

Yeah, I think it's just how inherently unique a cyber policy is. Right, there's no ISO form. There are hundreds of different carriers, hundreds of different languages, different approaches. There are nuances that, if you're not in this every day, understanding the development of both the laws that govern our industry as well as how the cyber policy is set up to respond to those, then, look, here, I'll put this all together under one form. Convenience factor through the roof, obviously, for our retail partners. But are you truly getting that best-in-class experience? And in a soft market cycle right now, where we are pushing the boundaries and covering things that have never been covered before, it's affording our clients opportunities to have claims covered that two, three years ago we wouldn't have imagined being covered. So, you know, there's the ability to push that forward, and I mentioned it before.

Hunter Maskill:

But I'm going to double down here to say probably the single most active area of coverage that we are seeing changes in, and therefore the importance to understand and know, is that non-breach or non-attack violation of a data privacy law. So what I'm doing with the data I'm collecting from my customers violates data privacy laws and I get sued. And there's no data breach, there's no ransomware attack. How does my insurance policy respond? A good chunk of the markets out there are excluding that outright, including some of the leading cyber markets. Then there are some people that do defense, some people that do a sublimit, some people that tie it to how the individual client writes their privacy policy.

Hunter Maskill:

Who knew about violations internally? There are all these different nuances to it, but with the amount of class actions that are out there, it's super important to understand that nuance. And unless you're reading how these laws are structured, and then how the policies are structured to respond to those laws, it's really, really difficult to be in that. So that's why we really dive into the expertise level of what we do, as opposed to looking at this from a generalist standpoint and saying, look, I know that this particular carrier has always done a really good job on my GL, my property, and I'm going to give them a shot at the cyber.

Chris Zepeda:

And, on top of not having any kind of ISO forms, different carriers use different names for the same coverage. So, you know, having the traction and experience with the carriers really helps in being able to compare the quality of coverages and the type of coverages that one policy would have versus another. You know, there are kind of niche cyber coverages that maybe are not as common, depending on the exposure of a client. Like, is there a bit of, you know, biometric exposure? Do they do any pixel tracking, right? Like, how important is that wrongful collection coverage for this particular client? So things like that are important, where you need a specialist to kind of help highlight those exposures.

Scott Gordon:

Are there any other final thoughts you guys want to add, anything on how businesses can stay ahead, or any other items?

Hunter Maskill:

For me, it's just a really exciting time to be in this industry. I joined the cyber world in 2006, so I'm coming up on 20 years here doing this, but it's just never been this unique instance of it, right? Like, it feels like we got our arms around everything that was ransomware-related, got a really good policy, a really good approach to responding to that, and now it's a lot of these non-breach class action claims. And then it's these: okay, well, crime is fully in the cyber world now, too.

Hunter Maskill:

What are we doing to make sure that our clients are covered for large transfers of money, or wrongful transfers of property and not money? Can that be covered? So there are just all these interesting nuances of coverage that have come up and developed. And then we've obviously got the, we haven't talked about it on this podcast as much, but the overlay of AI and how that's going to fit into everything that's going on.

Hunter Maskill:

We haven't really seen any of the carriers step out and do anything from a restrictive standpoint. We've seen a couple of carriers add affirmative grants that probably didn't really make much of a difference in terms of coverage, but it's nice to see: hey, we're affirmatively covering anything that was AI-driven on the policy as well. For me, the most important thing that we do for our clients is to sit down, look at a risk, make sure that the client understands what we see their exposures as. Chris and I see thousands and thousands of these a year. Like, let us help you with that level of experience, understand what your risk is from the claims that we've seen from other clients that look a lot like you, and then make sure that we're crafting a policy to get that risk insured at the best possible rate. And all of those things are very possible, very doable in today's world, which just makes it an exciting time to be in cyber.

Chris Zepeda:

It would be good to keep an eye on kind of the global level of ransomware and the news that goes on with that. You know, the kind of unique thing with cyber is that there are always new kinds of threats out there, new ways for actors to cause issues for businesses, or litigation issues as well, right, when new topics come up. Like the pixel claims, that weren't even a thing a decade or two ago. So it's a bit innovative for the space. You want to keep an eye on it.

Scott Gordon:

When we talk about market trends, it's like, what's going on this year? I'm like, well, in cyber it's more like what's going on this week, because it's so quick-moving and changing. That's true. But you guys are fantastic, and I always learn a lot about this stuff when we touch on this subject, because it's so fast-moving. But we're done with the hard part. Now we're to the fun part, a little segment that Amanda and I like to call Rapid Fire, where you guys just answer off the top of your head to a few questions. So don't think about it too much, just go from the hip. Our first question: if you could have an unlimited supply of one thing, one thing only, what would it be?

Hunter Maskill:

Pizza.

Chris Zepeda:

Well, I'll join him, and I'd say good red wine, and I think those two things could go together. There you go.

Scott Gordon:

Solid answers. All right. So originally this was going to be a holiday-related issue.

Amanda Knight:

Yes.

Scott Gordon:

Episode, rather. And the holidays are upon us, guys. They're coming up. In just 11 short months from now, the holidays will be upon us. So what's your favorite holiday, though, year-round? What is it that you look forward to the most?

Hunter Maskill:

July 4th, and it's not even close for me. You're on the other side of 7/1, and that's the biggest reason in insurance to celebrate.

Scott Gordon:

I like it. Very topical. Fair enough.

Chris Zepeda:

Maybe Thanksgiving for me, just because it's kind of like the kickoff to the real winter and the holiday season. Thanksgiving to all.

Amanda Knight:

I mean, it's a holiday surrounded by food. You don't have to worry about, like, buying anybody presents.

Scott Gordon:

I get it, I agree. I like Thanksgiving. It's usually warm and fuzzy. So, our final question: one subject you would like to learn more about, not insurance-related, though. Not insurance-related.

Hunter Maskill:

For me, it's pilots and flying. I think just the fact that something that size can fly is just mesmerizing to me. Always has been.

Chris Zepeda:

Sure, yeah, marine biology for me. Just really like ocean life. Well, you're in the perfect place for that.

Amanda Knight:

Yeah, that's true, Florida, right? Y'all have such great answers.

Scott Gordon:

Mine would have been like, I'd like to know more about a beer or something ridiculous, you know. So those were good answers.

Amanda Knight:

What can we say? We're surrounded by really smart people.

Scott Gordon:

I know. They're so intelligent, and they actually bring so much to CRC and the people that work with us.

Amanda Knight:

Well, Hunter and Chris, thank you so much for joining us today. This was a fun one. If you're a listener, don't forget to subscribe and share. There is actually also a written companion piece that you can find that came out before this podcast episode. It's on the CRC website at crcgroup.com, under Tools and Intel. You can also reach out to your CRC Group broker for more tailored advice and guidance. Providing current insights into the marketplace is just one more way CRC Group is placing you first. We'll see you next time.
