Webinar Replay: Navigating Cyber Insurance - Protecting Small Business in a Connected World

Presenters: Michael Secrist, techrug (The Technology Risk Underwriting Group), and Tony Lesirge, CEO, EXP Technical.
Thursday, May 23rd, Noon - 1:00 PM Pacific Time

There is a tight link between cyber insurance and cybersecurity.

Whether you realize it or not, every day you are engaged in a battle against organized crime. Attackers are poised to exploit any vulnerability. They are ready to inflict maximum damage.

One day your organization's survival may depend on the combination of cybersecurity measures, planned recovery strategies, and smart cyber insurance policies.  

On May 23rd, 2024, Michael Secrist from techrug, Technology Risk Underwriting Group, joined EXP Technical CEO, Tony Lesirge to discuss a contemporary approach to risk management.

The presentation offered expert perspectives on cyber-risk, cybersecurity, and cyber insurance.

A video recording and transcript appear below.

Navigating Cyber Insurance - Agenda

KELLY PALETTA (KP): Hey, good afternoon, everyone. Welcome to our webinar. This is "Navigating Cyber Insurance: Protecting Small Business in a Connected World." We have a lot of important information to share with you today. We've got two great speakers: one you are probably familiar with, and the other you may not be. In fact, Tony and Michael, why don't I let you guys introduce yourselves here if you don't mind coming off mute and activating your video. Tony, would you mind going first?

TONY LESIRGE (TL): Yeah, sure. Thanks, Kelly. Good afternoon, everyone. I'm Tony Lesirge, CEO of EXP Technical. I've been working in IT for over 25 years, and for at least 18 of those, I've been doing IT consulting for small and medium-sized organizations.

MICHAEL SECRIST (MS): Hi, I'm Michael Secrist. Welcome, everyone. Kelly and Tony, thank you both for having me and for the opportunity to educate people on cyber insurance and cyber security. Hopefully, at least one person will learn something.

I've been with techrug for about two and a half years now, trying to learn everything I can and educate our clients and their clients on navigating cyber insurance. I come from an insurance background. Right out of college, I started on more of the personal lines—homes, autos, bakeries, that type of thing. Then, we have another side of the house, techrug, where we started to dive into cybersecurity and cyber insurance. That's when I really fell in love with it. It's such a niche field that changes constantly, with things to watch out for year after year. These bad actors change constantly, and that’s what gets me out of bed every day—coming to work and educating people. Anyone who wants to listen to me talk about cyber insurance, I'm there.

KP: Awesome. Thank you so much, Michael. Often, in these events, we avoid PowerPoint, but today we have a lot of detail to go over and some terminology, so we have a PowerPoint presentation that will guide us through some of the discussion.

Just so you know what to expect today: when I'm done with my announcements, which will be brief, I'll hand things back to Michael.

He has some prepared information for you about cyber insurance coverage, things that are new in 2024, industries that are impacted, and the extent of that impact.

From there, Tony will jump in and speak to high-reward projects that may either enhance cybersecurity in your organization or potentially put you in a position to qualify for cyber insurance, get reduced premiums, or extended coverage.

Then, perhaps it gets even more interesting. We'll have a roundtable discussion. I'm sure I'll have some questions by then for both of our panelists, but we want to hear from you too. You're welcome to present your questions. The easiest ways are through the chat or the Q&A features in Zoom. The difference, in case you're curious: if you post something in chat, everybody in the webinar can see it. There are about 50 of us here, so it's not a huge group, but just know that there may be privacy concerns. Whereas, if you use the Q&A button, I think only the moderator, myself, and our two presenters can see your question. If you're concerned about privacy or confidentiality, use the Q&A. Otherwise, you can use the chat too. I will try to moderate those questions when we get to that portion of our discussion.

One question that always comes up is, "Is this presentation being recorded?" It is. I'll send an email to you, hopefully before the end of next week, with a link to the recording. Usually, I like to edit the transcript and annotate it with links, and it takes me a few days to get through that. Be on the lookout for that. You are welcome to share it with others in your organization or social circle who you think might benefit from this material.

I have just one more announcement to make, but it's a really important one that I want to share with you.

Preview of Our Next Event

I want to tease our next event. Usually, we don't host these webinars in such close succession. Our next one comes on the heels of this event. It will be on June 20th, less than a month from today. It's a Thursday afternoon, much like this one.

We have a really special guest speaker for that event, Barrett Adam Simmons. She is the Deputy Director for CISA Region 10.

For those of you that don't know, CISA is the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. CISA was established in 2018, and they are America's cyber defense agency. She will have a lot of important information on things you can do to protect your organization.

Many of you have attended our events in the past, and we try to do something like this every year. In the past, we've had FBI agents speak to our audience. The FBI is more focused on law enforcement, so they speak about capturing bad guys and what happens after an event.

I've spoken briefly with Barrett, and her information will be more about resources available to you now to protect your organization and level up your cybersecurity posture. I can't stress this enough: it's difficult to get speakers of this caliber to this series. They want as large an audience as possible. Often, when they're giving a presentation, it's a keynote speech at an industry event where people have traveled thousands of miles to attend and paid a lot of money to be part of some professional organization. My point here is that I'll be sharing an invitation. Please, I encourage you to attend and share that invitation with others who might be interested as well. Again, that happens on June 20th at noon, less than a month away.

Poll Question

Now, we're about to dive into our presentation. I have a poll question. Let me find it here in my Zoom features.

Oh, I may have to stop sharing for a second to launch the poll. Bear with me.

The poll question is: There's no right or wrong answer, but just imagine you were hit with a ransomware attack on a Sunday afternoon, a weekend when you're not open for normal business hours. Who do you call first in that event?

MS: Yeah, that's the million-dollar question, Kelly. I'll give everyone a second to answer.

When doomsday happens, who do I call? Who do I get in touch with? A lot of people think it's the managed service provider (MSP), their IT people, but the reality is that the first person you need to call is your insurance company. On your cyber insurance policy's declarations page, it will say who you contact. It's going to be a 24x7 email or a group of people that you contact. They will guide you on what to do and get their own people involved.

It looks like 83% of you said the MSP.

In reality, it's the insurance carrier, the insurance agent, that's who you need to contact to figure out what the IT person can and can't do.

Michael Secrist - techrug

Kelly, if you want to pull the slides back up, that leads us into cyber insurance. As the managed service provider, you're doing what you can, but then what do we have to do? I see a question in the Q&A about a cyber policy. Someone is asking if it's good and what to look for.

What is Included in Cyber Liability Insurance?

A lot of your local agents might not fully understand the cyber space because it is niche and unregulated. No policies look the same, so getting with someone that specializes in cyber insurance is key. These are the key things on this slide that you will want to look for. Network security is obvious. I've seen policies include cyber extortion, where someone gets into your network and holds your data encrypted, demanding a ransom payment.

You have clients that are HIPAA-compliant, like a medical society with multiple physicians. In the event of a breach, HIPAA fines and regulatory issues arise. Multimedia liability, slander, and business interruption are critical components. For instance, a manufacturer we worked with partnered with an apartment complex and was shut down for three weeks, losing 22% of their business because they didn't have a proper insurance policy and didn't have MFA turned on. They had to hire a PR team to notify clients, which was costly.

Clients often ask why they need cyber insurance. My response is, "Go unplug your network at 8 o'clock in the morning and call me at 5 PM to let me know how things are going." Cyber insurance is becoming increasingly important. Clients need to understand that the cyber universe requires protection, and it's not entirely the MSP's responsibility.

The cyber insurance policy includes key components, but there are minimum requirements you must meet to get the insurance. Kelly, if you want to go on to the next slide.

KP: Can I interrupt for a second? You touched on something briefly about PR and reputational harm. Are those costs typically covered as part of a cyber insurance policy? Will it deal with restoring your damaged reputation or compensating you for that loss?

MS: I would say that, in general, Kelly, most of your policies should cover it. But, as I mentioned, all of these policies are unregulated. It's not like car insurance, which includes certain things, or workers' comp, which includes certain things, because those are regulated spaces with regulatory bodies that mandate certain minimum coverages. PR costs should be included, but unfortunately, they aren't included in all policies. These are things you need to watch out for as a consumer or someone looking to purchase cyber insurance. You need to ask, "Am I getting what I'm paying for?" If you're paying $500 a year or less for cyber insurance, it's probably not going to cover a whole lot.

I see a couple of questions in the chat. One of them is, "Why is it unregulated?" So far, there hasn't been a government entity or body that has mandated specific minimum requirements for cyber insurance policies. We haven't seen requirements like, "It must include cyber extortion, PCI and regulatory fines, network security, or multimedia liability." Could that change in the next two, three, or five years? Of course. I think that's where we're headed, especially with the increasing number of claims in the industry. This is true not just at techrug but across the entire insurance industry.

To answer your question, Kelly, and the questions in the chat, there is no one-size-fits-all for this yet. Could that change? I hope so. When it does, you'll see carriers starting to get out of this space. They don't understand it, they don't want to deal with it, and their loss ratios take a huge hit when they write a bunch of $500 policies and then have to pay out a full $10 million claim. Their loss ratios can hit 80%, and they get killed financially, so they exit the space entirely.

What are Common Cyber Insurance Requirements?

Moving to the next slide: what's required to get cyber insurance? MFA (multi-factor authentication) is a huge one. We need to have MFA turned on everywhere we can—whether that's email, remote access into the network, or access to backups. We want it everywhere. Endpoint detection and response (EDR), SOC (security operations center), and SIEM (security information and event management) are other solutions that should be on the network. Data encryption is essential, as are secure backups. Are we looking at a 3-2-1 segregated backup strategy? If we have to restore from backup, can we do it quickly to get someone out of the network?

The last component, which I saw mentioned in the video too, is cybersecurity awareness training. I've done a couple of these sessions with FBI agents, and they say the number one thing is to know what a phishing email looks like. When someone calls and says they're from one of your vendors, how do you validate that person? Maybe it's not really them. They might say, "I'm from First Bank of America. I need you to verify your account information and send me money." You'd be surprised how many clients just comply. Then they start losing money from their accounts. It happens constantly. We want to ensure cyber insurance stays affordable and available to everyone, so we need to meet these minimum requirements. This includes MFA, some sort of EDR, backup data encryption, and a cybersecurity awareness training tool.

Cyber Insurance Changes in 2024

Now, let's talk about what's changed from 2023 to 2024 and beyond. We're starting to see co-insurance on ransomware and cyber extortion. It’s similar to the health insurance approach where you have a deductible, and then you're responsible for a percentage of the costs. For example, if you visit the doctor and pay a $25 deductible [co-pay], and the doctor says you need an MRI or a CAT scan, which costs $2,000, you might be responsible for 20%, while your insurance covers the remaining 80%. So, your visit could cost $225 instead of just your deductible.

So that's what they're starting to do with ransomware and cyber extortion. They'll say, "Hey, the ransomware demand is $200,000." You're going to be responsible for whatever the co-insurance is. Now, all of a sudden, you're paying your $5,000 deductible plus 20% on the cyber extortion or ransomware.

It creates a headache of, "Oh, well, I didn't know this. We haven't budgeted for this." OK, well, now the claim's going to get delayed until it gets paid. You have to pay your co-insurance, and it can get really, really bad.

Or you'll see sublimits where you're paying for a million-dollar policy or a $500,000 policy or a $2 million policy. On page 198 of your 200-page policy, it says, "Oh yeah, there's a sublimit for ransomware that's $50,000." The bad actor in your network wants Bitcoin, which is $70,000 per Bitcoin. We're limited to $50,000, or $150,000, or whatever that number looks like. So, that's something else to be careful of. I see it all the time. I see hundreds of these policies where something is not the same as the other. Occasionally, you'll see a policy that's very comprehensive, but it costs $15,000, $20,000, or $25,000, and it just becomes unaffordable for a lot of clients.

In our programs and things, we try to address these problems by ensuring that if you're meeting the criteria on the insurance requirements slide, we can keep the cost down to $5,000 instead of $10,000, or $2,500 instead of $5,000.

The last two components here are the definition of a computer system. Is coverage for data held in the cloud with your third-party providers included? In a lot of policies, they say, "No, it's not going to be a covered cause of loss. We're not going to pick this up. It's not within the definition of the policy. Sorry, there's no coverage for it."

Or, cyber terrorism. Cyber terrorism and war in terrorism, like what's going on in Russia and Ukraine, or if China chose to attack, we have bigger problems. But, if somebody attacks the U.S. with a cyber component, like shutting down our managed service providers or targeting law firms, doctor's offices, or manufacturers, is that going to be covered within the policy? Some policies include it, some don't. It's another thing to think about and get the brain working on: "What does my policy actually cover? What am I paying for?"

Going back to local agents, a lot of them are an inch deep but a mile wide. They know a little about a lot of stuff. Working with a cyber-specific provider, we're more of an inch wide but a mile deep. We want to make sure we're up to date on what's changed in the space and how we can best protect our clients. I'll never tell anyone they're 100% covered for anything and everything, but if we can get as close as possible to 99% by constantly adapting and changing our policies, that's what we're going to try to do until this becomes regulated. When that happens, we'll see how the policies change. Until then, this is what we have to do and be aware of.

What Industries are Most Often Targeted?

As we continue to look at what industries are most targeted, that's the next slide, Kelly. A lot of people think it’s going to be financial and healthcare. In reality, these numbers from the NetDiligence report show that professional services, like accountants and insurance agents, are hit the most. This is just for the first quarter of 2024. We've seen $34 million in claims on the professional services side, with around 1,200 claims. It’s not that one industry is targeted more than the other. Bad actors use a buckshot approach to get into networks, regardless of the industry. They might target larger companies, but also one-person operations. They’ll sit on a network for a day or a week, figure out the company size, and then demand 10 Bitcoin or $50 million.

When it comes to the limit of coverage you need, I never want to overinsure or underinsure my clients. While my wallet would be happy selling everyone a $10 million or $20 million policy, that's not the goal. The goal is to best protect clients looking for cyber insurance. The average cost of incidents, including business interruption and recovery, is over a million dollars. So, I think a $2 million policy is a good starting point. If you have a policy for less than that, reconsider and reevaluate your risk and security posture. Taking a security-focused approach to cyber insurance will best protect everyone.

KP: Thank you so much, Michael. There's a lot to consider, and I made notes as you were speaking. We have some questions in our Q&A as well, so be prepared for that.

All right, to stay on schedule, let's segue to Tony Lesirge, the CEO of EXP Technical. Tony has information about high-rewards projects. Let me advance your slide, Tony. When you're ready, feel free to speak up.

High-Rewards Projects

TL: Thanks, Kelly, and thank you, Michael. So, high-rewards projects. What do we mean by that? In this context, cybersecurity projects can deliver value in multiple ways. We also use the term "right-sized."

We work almost exclusively with small and midsize organizations that don't have large IT teams or multi-million-dollar IT budgets. We scope and deliver projects appropriately for smaller organizations.

The "high reward" comes from delivering a project that provides value in more than one way. First, a cybersecurity project will improve your security posture, making your organization better protected. Additionally, as Kelly mentioned earlier, you could meet the requirements for a cyber insurance policy or even reduce the premium by checking off more of the required boxes. We will discuss some of the top things you can do to meet these requirements.

Another benefit that people don't often think about is meeting requirements from regulators or vendors. You might be subject to CMMC, HIPAA, or ITAR. Even if you're not subject to these regulations, large organizations like Microsoft, Boeing, and Amazon are requiring their vendors to meet similar requirements.

Microsoft has their SSPA, the Supplier Security and Privacy Assurance program. We work with a number of clients who have to comply with that to do business, and often it's a large part of their business with Microsoft. So that's what we mean by high-reward projects. What are some of the key security controls or projects you can implement to check those boxes and meet those requirements? I've got a list of six here, but this could easily be 20, 30, or 40 items.

You'll notice these match up closely with the list Michael had on his slide. There was a question about what some of these acronyms mean, so I'll cover that quickly and answer the question.

We have six items here, not necessarily in priority order, apart from number one. The biggest attacks we see are on identities, meaning your logins: your email login with Microsoft or Google, your Zoom login, your accounting system login, and your 15 other online services. These are your identities, and people are looking to compromise them. The biggest way you can protect those is with MFA, multi-factor authentication, often referred to as 2FA (two-factor authentication). Most of you probably know this, but it involves logging in with two things: something you know (your password) and something you have (like your mobile phone for a text message or an authenticator app) or something you are (your fingerprint, face, or retina).

Michael mentioned MFA everywhere, which can be difficult. You need MFA on every system: backups, remote access, and all your applications. One way to make that easier is through single sign-on (SSO). We set up multi-factor authentication on your Microsoft account, then tell Zoom or your accounting system to use Microsoft authentication. Now you have MFA for that system and one less password to remember, making you more secure.

The rest of these are not in priority order. EDR, endpoint detection and response, is basically the new antivirus. Ten years ago, everyone needed antivirus; now, everyone should have EDR. Antivirus was signature-based, recognizing bad files. EDR is behavior-based, recognizing bad behavior by a file, application, or website. It uses AI and the cloud to do this.

MDR (managed detection and response) and XDR (extended detection and response) are extensions of these systems. They are hooked up to other systems that can monitor and respond to alerts or incidents. SIEM (security information and event management) systems ingest and aggregate logs from EDR, firewalls, Microsoft 365, Google Workspace, and other security systems. These systems use AI and machine learning to generate alerts. The final piece of the puzzle is the SOC (Security Operation Center), which monitors these alerts. Depending on your service level, they might take action on your behalf, notify your IT department, or contact your managed service provider.

Email protection is still the number one attack vector. Most attacks come through email, whether it be phishing, bad links, or malicious attachments. You need a filtering system for your email that looks at inbound email, filters it, and inspects links and attachments.

Device management and encryption are becoming technically viable for protecting people. If your identity is compromised, someone with your login details might log in from a different location on a different device. By configuring systems to only accept logins from known devices, you can mitigate this risk. Devices should be encrypted so that if they fall into the wrong hands, the data remains inaccessible.

Overall, these layers of defense, from MFA and EDR to device management and encryption, are crucial for a strong cybersecurity posture, especially for small and midsize organizations that need affordable, effective protection.

Michael mentioned backups and some acronyms common in the industry. Basically, you need backups, multiple copies, an off-site or cloud backup, and an offline or air-gapped backup. If your network gets compromised, the attacker can't delete or encrypt the backups, making them unavailable to you. While the prior controls and projects aim to prevent incidents, we must be able to recover with untampered data we can restore.

Finally, people are the weak link. Security awareness training helps mitigate this risk. Despite all controls and millions spent on technology, if one person unwittingly clicks a link, runs a file, or gives up their username and password, all the security controls won't help. You can subscribe to a security awareness training platform, which often includes testing or simulated phishing to identify who clicks on links. You can then provide additional training to those individuals.

EXP Technical has developed security awareness training, which we make freely available, especially to the Pacific Northwest community. You can find it at academy.exptechnical.com. Beyond that, there are subscriptions and platforms offering more advanced simulated phishing training.

This list includes six out of many possible measures. Now, I think we're ready for questions.

Roundtable Discussion on Cyber Insurance

KP: Yes, and I want to jump in first. Michael mentioned coverage and high-reward projects, relating to a Q&A comment. Someone is working hard to get SSO across their apps. Suppose Tony is working with a client who has MFA and is considering implementing SSO. There's a cost associated with that. Michael, is there a way to determine if there will be savings on premiums? How do we explain the cost-benefit of such a project?

MS: It's a great question. Often, people wonder if implementing certain services is worth the cost, considering the insurance policy's cost. I usually get two quotes: one based on current security and one based on recommended enhancements, such as MFA or SSO. For instance, without MFA or SSO, your current security stack might cost $10,000 a year. With the recommended improvements, it might be $5,000 a year. This demonstrates potential savings.

A real-world example: a home designer and remodeler paid about $25,000-$26,000 for cyber insurance. After learning about our recommendations, they looked at their current policy and security. By implementing MFA and segregated backups, their policy cost dropped to about $13,500, saving them $10,000. The MSP's cost was about $3 per inbox, making it worthwhile. Savings will differ among organizations, but getting two quotes can illustrate the financial benefits of improved security measures.

KP: A comment in the Q&A mentioned additional costs like licensing or upgrading to an enterprise version of a product. EXP can help outline these costs and necessary tools, while Michael prepares two pro forma proposals: one with current security and one with recommended improvements.

Sorry, Tony, we didn't give you a chance to chime in. Let's go back to the scenario from the poll question and discuss incident response. It's important to consider this now, while everything is calm. What happens if an event occurs on a weekend? How does the incident response plan roll out in such scenarios?

TL: Michael rightly said to call your insurer’s 24/7 number. We can take limited actions, like shutting down systems, to prevent further damage. However, we cannot begin the incident response, which involves mitigating, resolving, and restoring systems, without the carrier's approval. Calling your 24/7 IT number, even on a weekend, helps prevent the situation from worsening before moving into a full incident response procedure.

MS: Yeah, and you know, it goes back to the poll question, like you alluded to. You need to contact the insurance carrier first before your MSP and let them tell you what to do. God forbid it's a Sunday at 2 o'clock, and we're going into Memorial Day weekend, where many people have off on Monday, and most will take off on Friday. Knock on wood, but this is when people get hit—during long weekends, when everyone is rushing out of the office. Something happens, and you need to act.

Tony, as you mentioned, once your MSP is certified through a program like techrug, your clients don't have to wait for the insurance carrier to respond before taking action. This shifts the poll response from 83-85% who want to contact their MSP first to actually being able to do so. Before certification, MSPs can only shut down machines and change passwords, as insurance carriers prefer to get their own people involved. Clients in this webinar want their MSPs to get involved immediately, but often they can't.

Here at techrug, we've addressed this by creating a solution where MSPs, like EXP, get certified. This means their clients don't have to sit around waiting to contact the insurance company, hoping someone responds on a Sunday. Instead, they can reach out to their MSP immediately, any time of day. This shifts the approach, allowing clients to contact Tony, Kelly, or anyone at EXP, and get help right away, rather than waiting until Monday or Tuesday when the insurance company's office reopens.

Kelly and Tony will tell you that without authorization, touching the compromised system could open them up to litigation issues or void claims for their clients. The last thing we want is for policies to clash. By creating a true incident response plan for every EXP client and offering discounted cyber insurance rates through collaboration, we can avoid this.

KP: So, if I'm hearing correctly, let me summarize and speak to the big picture. Everyone wants their IT department, whether it's an outsourced IT support provider, in-house staff, or someone like EXP, to work closely with their insurance provider. This involves going through incident response plans and tabletop exercises. One component is ensuring your IT provider can do more than basic remediation, thanks to pre-certification through techrug. This validation assures the insurance company that your MSP won't do anything inefficient or ineffective during an incident.

MS: Kelly and Tony can attest that techrug’s process is thorough. Every year, they fill out a 200-point assessment to ensure they are a best-in-breed MSP. Techrug works with MSPs adhering to high standards and following certain frameworks to best protect clients.

If you're not working with EXP, talk to your insurance company. Figure out what your service provider can and cannot do for you. Insurance companies often prefer to use their own teams, so having a certified MSP helps address this problem.

KP: There might be cross-purposes between IT staff and forensic teams. This became evident to me while watching a documentary about the Ashley Madison breach. IT staff wanted to wipe and reload compromised computers, but the forensic team needed those computers as evidence. Everyone wants to get back on their feet, but the path to recovery must follow the correct order to avoid upsetting the insurance carrier, who will ultimately compensate the injured party.

I see heads nodding from Michael and Tony, so I assume we’re on the right track.

MS: Absolutely.

KP: Okay, well, I want to go into another kind of uncomfortable area, and one of our comments spoke to this a little bit. I'm going to summarize, but there are instances where claims get denied for reasons. Maybe, Michael, you could speak to reasons why a claim might get denied. You mentioned before sub-limits, and I hope everyone paid attention to that. A $250,000 sub-limit on ransomware sounds like a lot, but an average claim is in the millions, right?

So, I'm getting off track or too far into the details. Can you speak a little bit about reasons why a claim might get denied after the fact, aside from there not being an agreed-upon remediation plan?

MS: Right, so the number one reason is going to be misrepresentation on an insurance application. If you're not consulting with your managed service provider, your technical team, whoever it is, when you fill out a cyber insurance application, and you check boxes like "Yes, we have MFA," "Yes, we have some sort of endpoint detection response," or EDR that Tony talked about, and then when you go to file a claim, they say, "Hold on, wait a minute. When we were doing our forensic research, we found that MFA was never turned on, it was never implemented." Now we get into an issue where they deny the claim and say, "Hey, you told us one thing, but you're doing another. Why are we going to pay out on this claim?" Claim denied.

So, it's beneficial for everyone, and sure, it may take longer, to get the IT company to say, "Hey, can you help me answer this? Let's work together and go through this insurance application and make sure that we're answering those as truthfully as we can. If we have to implement additional things, then we do that." But misrepresentation, Kelly, is the number one reason for denying a claim. You're telling us one thing, but you're doing another.

And it might not be intentional, it might not be fraudulent. It could be based on ignorance or just not quite understanding what the survey or the questionnaire is truly asking.

Correct, you got it. Tony, can you speak to that too? For most of our clients, when they get these surveys, they hand them over to their consultant from EXP Technical, right?

Yeah, our consultants often get asked to help or just to fill out the cyber insurance survey. We see it all the time, and we are very clear with our team: answer it honestly. Often, we may go back to the insurer or the broker and say, "Hey, if we do XYZ, how much will that help?" Obviously, now we're partnered with techrug, so that would be our first port of call. But yes, it happens often. We try to be honest and make recommendations. We use it as a good segue to say, "Hey, we should be doing some of these things," and try to act in the best interest of our clients.

Ultimately, though, it's our client that's responsible, right? I'm not trying to pass the buck, but if our client is communicating to the insurance carrier that certain things were done, it's not EXP that is certifying; we're helping in good faith and answering to the best of our ability, correct?

Yeah, in the same way that when we talk about maybe an information security officer in an organization, our advice is clear: the information security officer is not the IT person or shouldn't necessarily be the IT person, at least the decision maker. It should be the person who's fiscally responsible for the organization and can make that call. So yes, the IT folks are responsible for the security controls and for filling out the data, but ultimately, the ownership or the executives or the people financially responsible for the organization are the ones who are responsible.

KP: Got it. There's a quick question that came in through the Q&A; maybe Tony, you can address it. It's a bit of a cybersecurity best practices question, which is: Do you have any advice on whether to accept cookies while browsing on the web?

TL: It depends. Sometimes you have to in order for the site to function. But my general default, unless I'm in a real hurry, is to accept minimal cookies only. Usually, there’s an option to accept only the ones that allow the website to function. That’s the option I recommend. The other cookies are typically for ads, marketing, and tracking. If you can, choose to decline all those but allow the functional ones to work. That’s what I would do. Often, though, we're in a hurry, and we just want to get to the website and make that popup about cookies go away by clicking "Accept All." It takes a little discipline to review your options and accept only the functional ones. That's probably more of an answer than you wanted, but thanks.

KP: Well, I want to start wrapping up and summarizing before I turn it back to each of you two gentlemen for a last word. But if I'm summarizing what I'm hearing, especially in the last few comments, it's like this is really a three-way partnership—or ideally, it should be, from what I'm hearing. Tony mentioned the NIST controls, which is a list of 110 cybersecurity controls that protect sensitive data. There’s the IT support provider or an IT department that's one member of this partnership, implementing these controls and layers of security to protect sensitive data and your business. There is an insurance carrier or insurance agent, an insurance provider that is protecting you, restoring, and providing some remedy if the worst happens. And then there are all the people in attendance, business leaders who need to assess the level of risk they’re comfortable with, what’s justified, and what isn’t in terms of what they want to spend on.

It’s really important to have these conversations now, rather than after the fact. One reason we host these events is because we believe in sharing knowledge and success. We want to bring people together to plan for these things. Some say it’s not a matter of if, but when. I prefer to say if we all come together in a partnership, we can delay that so that it’s not today, hopefully not tomorrow, and not the next day. But if it is, we have insurance and other things in place that minimize the impact.

We’re almost to the end here. Why don’t we ask for last words from each of you? Tony, why don’t you go first, and we'll let Michael have the final word here?

TL: You pretty much summed it up, Kelly. It’s really about building a partnership between your IT, your carrier, and your executive decision-making team. I would encourage people to look at that list of control requirements, be proactive, and start making a plan. Start chipping away at them one by one so that when your policy renewal comes up in 2025 and there are seven extra things that they now require, you’re ahead of the game.

MS: Yeah, Kelly, Tony, thanks again for setting this up and including us. Everyone listening, thanks for listening to us talk about cyber insurance and cybersecurity for the last hour. It really is a three-pronged approach. Let's get a security-focused company, make sure we have the necessary securities in place, and get a cyber insurance policy as the last line of defense. The third component is creating a true incident response plan. Working with EXP Tech and techrug, we can resolve issues faster and more smoothly, getting everyone back up and running quickly.

I'll leave it there. I see our information here. If anyone wants to send policies or has more questions afterward, shoot me an email. I'm happy to connect with any of you. Please.

KP: Yeah, I've listed our emails. Thanks, everyone, for attending. If you want to connect, my email is here, Michael's is as well. You can speak to us independently or bring us all together, and we'd be happy to talk with you. Thanks again, everyone, for attending.

MS: Thank you.
