I'm excited to have Brian Mahon, a certified insurance counselor, joining me on the Gone Phishing boat today to discuss my favorite topic... cyber insurance. Together, we'll explore how policies have evolved in recent years, particularly in response to the COVID-19 pandemic, and how companies now need to view cyber risk as being just as significant as risks associated with floods and hurricanes.
Watch the full episode below or listen on Apple/Spotify Podcasts. (Check out more episodes on our Gone Phishing page!)
Episode 16: Listen on Apple
Full Episode 016 Transcript:
00:00:00:12 - 00:00:31:08
Connor Swalm
Welcome to Gone phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Sloan, CEO, Phin security, and welcome to Gone phishing, everyone, and welcome back to Gone phishing.
00:00:31:08 - 00:00:52:12
Connor Swalm
I'm your host, honored CEO at Security. And today we have a friend of mine, Brian Mahoney is worked for three different cyber insurance agencies in the last seven years. One was a startup, one was private equity backed and one was privately owned. I don't think there's any other kind of ownership that a company could have. So it looks like you've worked in every single type.
00:00:52:12 - 00:01:12:14
Kyle Spooner
Brian No worries. Yeah, thanks for having me. Connor We've probably had what we're going to discuss today on, on this episode of future episodes. You know, just between the two of us, like 80% of this content's been rehearsed or discussed. So happy to finally get it out into the airwaves.
00:01:12:14 - 00:01:38:16
Connor Swalm
Oh, absolutely. I've had an incredible amount of conversations about cybersecurity insurance, not only with you, with some other guests that we've had on the podcast and I guess if people knew how much I talked about cyber insurance, they probably think my life was incredibly boring. So I guess we'll just leave it at that. One thing I definitely chatted about a ton just because of the impact it can have on cyber insurance policies is sublimates.
00:01:39:00 - 00:01:46:19
Connor Swalm
So can you explain to us for me, because I'm not licensed at all in the insurance world what is a covered and what is a common supplement?
00:01:47:21 - 00:02:31:13
Kyle Spooner
Yeah, I mean, generally speaking, cyber insurance is designed for financial loss coverage for users of technology. Right. So any MSPs client would be a candidate for cyber insurance, really, because they're utilizing the services of an MSP and there's a ton of different coverages, but a few we see coming up regularly that either aren't in the policy and should be, or maybe you think you have $1,000,000 in coverage and you really don't maybe have 100,000 or 250,000 things like breaking which insurance people get confused about because that's an I.T. word.
00:02:31:13 - 00:02:53:20
Kyle Spooner
And part of the problem with cyber insurance is just the language barrier. You have to know, you know, the insurance lingo and the information technology lingo. So breaking refers to at least when it comes to a cyber insurance policy, a breach is so bad that that your server, your hardware, your endpoints, your laptop, your phone, whatever is damaged so bad that it's as useless as a brick.
00:02:54:00 - 00:03:24:17
Kyle Spooner
Right. So a lot of insurance carriers will supplement, you know, hardware replacement or breaking coverage. So that's that's one common something that to watch out for. Another one is cyber crime. You know, we're on the Go phishing podcast. phishing is often sub limited on a cyber policy to maybe $100,000 of coverage, $250,000 in coverage. So that's concerning because, you know, that's something that's happens more frequently from a claim perspective.
00:03:25:04 - 00:03:57:05
Kyle Spooner
But also business owners might think they have $1,000,000 coverage for things like that. So the kind of that cyber crime, phishing, social engineering funds, transfer fraud, a lot of carriers have different different language. They're another and I'll kind of move on. But one supplement I like mentioning too, is this concept of betterment, right? You ever heard of Moore's Law Corner where, you know, it doubles every six months or something crazy?
00:03:57:22 - 00:04:05:16
Connor Swalm
Oh, you their capacity for storage doubles every I think it was like eight months or something a while ago, but I'm very familiar with it and I have heard that.
00:04:06:02 - 00:04:38:22
Kyle Spooner
Yeah. So you know in an insurance policy or it's insuring, you know, data and computers and coverage time if you need to replace some of that hardware, you can't get your server from ten years ago. You know, it's not manufactured anymore. So insurance carriers kind of include supplements referred to as a betterment. Like, you know, they cap, they're capping the sub limit, they're using supplement to cap the coverage there.
00:04:38:22 - 00:05:00:16
Kyle Spooner
So you're not going to get you know, or you might not depending on how bad the claim is, but you obviously can't, you know, the whole point of I guess let me go back to the point of insurance is you have you're you're buying coverage to put you in the same place you were before an incident happened. So when it comes to betterment, that's not really possible.
00:05:00:16 - 00:05:17:16
Kyle Spooner
You can't get a ten year old server. So you have to get, you know, the latest and greatest computer or server, which costs more. Right. So so carriers are capping coverage. They're expensive, obviously, to get all new i.t equipment.
00:05:19:06 - 00:05:40:16
Connor Swalm
So it sounds like supplements are a way for insurance policies to kind of split out the unique risks that just throw out a really popular fact ransomware might pose to an organization as opposed to something you and I talk about a lot. Phishing emails and compromised accounts that come from that and the like.
00:05:41:06 - 00:06:10:06
Kyle Spooner
Yeah, ransomware and extortion is another one that, you know, some carriers are adding supplements, coinsurance, higher deductibles. There's all sorts of you know, I always say the devil is in the details with these things. So in a saying, oh, you know, I've got this carrier at this price and, you know, it went up and I'm unhappy. I mean, you really have to look at, you know, what endorsements or changes to that policy were thrown in, what supplements there are when exclusions are carved backs.
00:06:11:13 - 00:06:32:11
Kyle Spooner
So it takes somebody who actually reads these things for a living to understand them. It's very difficult for someone who might come across their policy once a year or an MSP, you know, maybe a couple, couple dozen times or more where versus an agent or broker that, you know, they're doing it all the time.
00:06:33:10 - 00:06:55:20
Connor Swalm
And for the folks that are listening, that's why I have always recommended, if you have to ever understand cyber insurance policies or your client puts a renewal in front of you and you need to attest to certain things which, you know, can get pretty squirrely sometimes, that they should always reach out to an expert like you experts like fifth while other experts at cyber insurance groups.
00:06:55:20 - 00:06:59:06
Connor Swalm
I don't even know the right terminology broker is not the right word, but someone.
00:06:59:06 - 00:07:24:15
Kyle Spooner
Yeah. Yeah. Insurance agent difference broker. Someone who understands cyber liability insurance and yeah yeah I agree with Connor on that. And quickly that that application that, you know, these MSPs clients are saying, hey, you know, my cyber intervention is in 30 days. Can you help me? We need this questionnaire. I MSPs certainly should help. They shouldn't be signing those.
00:07:26:10 - 00:07:56:13
Kyle Spooner
A lot of it folks come to me and they're frustrated because there's a lot of yes or no questions on those applications. You have to understand, you know, some legal underwriting insurance person created that form not entirely. And so I always encourage folks to, you know, if it's a yes no question, treat it like fill in the blank markup that that document as much as possible to give a clear, honest representation of what it controls are actually in place at that time.
00:07:56:13 - 00:08:17:17
Kyle Spooner
Because when the CFO or the business owner or whoever finally does sign off on that application, that application becomes part of the policy and a policy is a legally binding contract. Come claim time. You better bet if you said you had x, y, z control and come clean time you didn't. Yeah, carrier can and will deny your claim.
00:08:18:15 - 00:08:42:18
Connor Swalm
Yeah, I remember talking with West Spencer about that where there was a I believe this was the right scenario, where there was a policy where phishing had allowed a malicious individual to get into the company, whether it was through a breached account or just sending attachments and having them download them. And then the the insurer found out that they weren't doing that.
00:08:42:23 - 00:09:03:20
Connor Swalm
That company wasn't doing the proper security awareness training. It's sort of like, hey, you know, your account was compromised. You didn't put the right measures in place that we had stipulated in the supplement. Therefore, if I were not paying out, which was like a huge shock for these two folks. So if supplements have a big impact.
00:09:04:09 - 00:09:10:23
Kyle Spooner
They do, especially for small business owners. I mean, good luck, you know, suing your insurance company if they deny claim.
00:09:11:19 - 00:09:32:23
Connor Swalm
Right? Right. And I think a statement that I want to talk with you and I talked to other experts just like cyber insurance policies went from like maybe eight or nine pages as of five years ago to like 30, 40, 50 pages of are you doing this? How are you doing it? How often do you do this? You regularly audit X, Y and Z.
00:09:33:13 - 00:09:58:13
Kyle Spooner
Yes. Yeah. I mean, the coverage, I guess, originated and started kind of in the dot com boom or bubble. Yeah, it was kind of an extension of of like media liability and you know, five, five, seven plus years ago, it was, you know, what's your name, what's your revenue? What do you do? Okay, here's a quote. And now it's you.
00:09:58:13 - 00:10:17:04
Kyle Spooner
You have a method, you have EDR, do you do security awareness training? Have you had a claim before? If so, tell us a very long story and give us the instant report. So it's, you know, covered, dead, completely changed the cyber insurance industry. And really, I think a lot of it had to do with they were giving it away for a long time.
00:10:17:04 - 00:10:50:08
Kyle Spooner
I mean, very little underwriting, very low premiums. Okay, coverage and everybody wants to go work from home. We're all much more vulnerable from like an I.T. defense perspective. And, you know, the carriers are in business to make money and they started losing a lot of money over COVID. And I think, yeah, the top ten, maybe the top three of the top ten cyber insurance carriers believe in like 2021 were were losing money pretty severely.
00:10:50:17 - 00:11:08:05
Kyle Spooner
And so they had to kind of correct course. And the outcome of that has been an increased and increased push and mandate for for IT controls and increased premiums. And a lot of the industry's really just getting left behind.
00:11:09:10 - 00:11:31:09
Connor Swalm
You mentioned it briefly there, but how has it changed cyber insurance? You know, I know it's changed the working environment. A lot of companies are now have at least a hybrid opportunity for their employees, if not fully remote. You know, commercial office space is left on rented because, well, now we have a huge amount of people that would continue to enjoy that freedom.
00:11:31:09 - 00:11:33:06
Connor Swalm
But how does it change cyber insurance?
00:11:34:14 - 00:12:06:18
Kyle Spooner
Yeah, I guess to add a little bit to that, I mean, cyber insurance has has evolved. It's time there's a carrier out there called Evolve. And that's kind of where they got their name from. And just like all of us, I mean, humans are adaptable. So, you know, work from home, they don't even ask anymore. They assume a, you know, pay much more attention to, you know, good backups, NDR, EDR, phishing, security awareness training.
00:12:06:18 - 00:12:09:23
Kyle Spooner
I mean, it's no longer, you know, who you are and what do you do, but.
00:12:10:03 - 00:12:11:09
Connor Swalm
What's your heartbeat? Here's your.
00:12:11:09 - 00:12:41:11
Kyle Spooner
Problem. Yeah, yeah, yeah. It's what do you have inside going on? And underwriters are getting more sophisticated. I mean, they're using tools like like this site to do kind of external scans. They use that in conjunction with the cyber insurance application. So it's it's really just matured and I think for the better. Yeah, we're we're seeing, you know, premiums start to kind of flatten a bit now that these i.t controls really have been implemented.
00:12:41:11 - 00:12:47:13
Kyle Spooner
Everybody is isn't a better standpoint from a risk perspective.
00:12:48:05 - 00:13:11:08
Connor Swalm
Yeah this like cyber insurance is catching up to other insurance industries. And I'll give a real pedantic sample which floodplains like having to buy flood insurance for your own. Why do you have to do that? Well, it's like, well, the cost of your flood insurance policy is directly correlated with what is the likelihood of a flood happening in this area over 20 years, 50 years, 100 years, 500?
00:13:11:11 - 00:13:23:00
Connor Swalm
I forget the amount of time frame for flood policies, but there was no data for cyber insurance policies until recently. Now that companies view it as incredibly important, they're collecting it. Is that accurate?
00:13:23:19 - 00:13:54:14
Kyle Spooner
Yes. Yeah. What you're getting out there is. Yes, the systemic or catastrophic cyber risk. I mean, we're starting to think about, you know, the the long for Jay and the Colonial Pipeline type of attacks like SolarWinds. I mean, there's going to be another one. It's a matter of if and when and how, right. So so there are a lot of parallels from cyber insurance to either either catastrophic flood or catastrophic property risks, like, you know, the Hurricane Katrina, so to speak.
00:13:54:14 - 00:14:16:05
Kyle Spooner
So so carriers are starting to kind of use some predictive analytics and model out what what they think might happen and how that it'll be. And then obviously, they've been collecting claims data now for almost 25 years or so. So that's extremely helpful where, you know, the property and other insurance marketplaces, they've been collecting data for way longer than that.
00:14:17:06 - 00:14:37:01
Connor Swalm
I would guess if we could get one takeaway for everyone that's listening, it's that cyber insurance is now catching up to actually using the data to properly transfer risk. That's insurance transferring risk to the people who review the policy. Now it's getting accurate, which should be a good thing, right?
00:14:38:21 - 00:14:59:16
Kyle Spooner
You would think. Yeah. I mean, what we're were definitely over the covered days of 200% premium increases and last minute you know it control updates. So it's it's definitely a more sustained bull market place and products you know I'll say 2023 looking forward.
00:15:00:14 - 00:15:10:04
Connor Swalm
Awesome. Well folks if you have any questions about cyber insurance or I guess if you're looking for a policy, can they reach out to you? Your information will be in the show notes or your company's. Well.
00:15:11:00 - 00:15:30:00
Kyle Spooner
Yeah, yeah, my information will be in the show notes. Happy to help whoever I yeah. Work at an independent insurance agency licensed in all 50 states insurance. And then also Amazon website Brian in the Uncommon and Insurance for MSP Scott Oliver Awesome.
00:15:30:07 - 00:15:48:07
Connor Swalm
Well we will definitely put that information out in the in the notes for anyone who's listening in and some questions and I am definitely going to have you back on so we can talk about my favorite topics like insurance, but more importantly, how, what, what are some problems with cyber insurance? And I know you and I can talk about that forever, so we'll try to condense it down.
00:15:48:15 - 00:16:18:23
Connor Swalm
But everybody make sure you're going to listen next time to be if Ryan or anyone else we have. Thanks so much for tuning in to going phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits. Then check us out in security at phinsec.io that's in that I am or click all of the wonderful links in our show notes.
00:16:19:09 - 00:16:23:13
Connor Swalm
Thanks for phishing with me today and we'll see you next time.
