Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Cyber Liability Insurance Myths That Can Kill Your Company
Quick Take
On this episode of Compliance Unfiltered, the CU guys go on a myth-busting adventure into the realm of Cyber Liability Insurance. Curious if you can buy enough insurance to replace your full compliance program? Wondering about common issues pertaining to the Cyber Liability Insurance application process? Concerned about those blurry lines regarding data security and responsibility?
Well, the CU guys have got you covered with all these answers and more, on this week’s Compliance Unfiltered!
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the tinsel around your compliance Christmas tree. Mr. Adam Goslin, how the heck are you, sir? I’m doing just fantabulous today, Todd, and yourself? I cannot complain, sir. I cannot complain. Today, we’re going to chat a little bit about cyber liability insurance myths that can really kill your company.
So Adam, why is this a topic that contains some measure of ambiguity for organizations today? Well, if you take cyber liability insurance and go back, kind of back in the day, it’s honestly been entertaining to watch this all unfold. It’s almost like you see the train coming from the one direction, you see the train coming from the other direction, and you’re just waiting for somebody to connect the dots, if you will. They didn’t know what they were getting into when they first started doing cyber liability insurance. Everybody was starting to get concerned about what was going on, and the breaches weren’t widely publicized, etc. So, man, they’re rubbing their hands together, right? They’re like, oh, this is great. We can have all these companies go ahead and sign up for cyber liability insurance, and there’s not a great chance that people are gonna get hit. This is just the gift that keeps on giving. People are paying, throwing the money, not getting hit a lot, etc. And it was good for a little while. In the beginning, pretty much anybody could go get approved for a cyber liability policy. You’d get your questionnaire. I think back about some of the questionnaires I used to get. I mean, literally it was like, oh, 10 questions, and you fill out your 10 questions and poof, you too can have a cyber liability policy. It was interesting because it was almost like you really had to try hard to get turned down back in the day, and it was highly profitable for the insurance companies.
But, of course, things change. The bad guys start getting better at what they do, and the public notifications of cyber attacks start going north. All of a sudden the light bulb goes on with the insurance crew that, well, the people that said they’re doing these things really aren’t. And next thing you know, the cost to the companies offering the insurance was skyrocketing, but they weren’t gathering that much money, etc. And then you start to see things changing, right? The changes in the cyber liability insurance arena have been on a steady march of getting things, we’ll call it right-sized. Yeah, I don’t know. I’m not sure right-sized is the right way to go. It’s almost like the needle swung the other direction. A little over-direction, if you will. Well, we’re figuring it out. But there are assumptions that companies run under that are, at this point in the game, kind of outdated.
You might just be relying on some old insights, some old information, all that fun stuff. But yeah, the insurance companies have definitely started to dial things up, and I think it left a lot of people in the dust, if you will.
No doubt. Now, a lot of companies are under the impression that they can substitute their compliance program with the purchase of enough insurance. Is that an appropriate approach? And the real short answer is, of course not. If somebody said to me, basically, we’ll call it a gun-to-the-temple moment, right, and then said, you’ve got two choices: you can keep your cyber liability policy or you can invest in and maintain a strong security compliance program. You can keep one. It would take me about an eighth of a second to drop the cyber liability insurance. The bottom line is that if you’re forced to pick between the two, then you’re a hell of a lot better off having a strong cyber liability posture for the organization. The cyber insurance policy, that’s really intended to be your, like I call it, the holy moly emergency parachute. The insurance company can get you a bag of cash to help clean up the mess you’re going to be dealing with, and hopefully it’s enough money to keep you in business. But the reality is that the damage of a breach, in the aftermath of a cyber attack, goes way beyond just the cost directly associated with the event. Oh, absolutely. The effects linger for a long freaking time. I’ve said this before. You talk to somebody that’s working in sales and ask, hey, how easy is it to go land somebody? And they’ll tell you it’s pretty damn hard. Well, just imagine that now, every single time I’m talking to a prospect, they go to look up information about the company, and all they’re seeing on Google is the fact that you’ve dropped the ball with your responsibilities for protecting their data.
Yeah, that’s not going to be a recipe that bodes well for landing new business, if you will. And the other piece is that when you undergo one of these breaches, one of the biggest problems is the book of business you’ve worked hard for many years to build. These customers are expecting that you’re taking this stuff seriously. And the minute that they find out that you aren’t, or you’ve had a problem, boy, do you have an uphill battle to try to even just retain who you’ve got.
So the security compliance program is going to provide both proactive and detective mechanisms that actively protect the business. You don’t want to have an either/or scenario, like we kind of started into this. I’m definitely not saying, oh no, cyber liability insurance is a bad idea. TCT has it, right? But what I am saying is that it does not in any way, shape or form supplement the need for a strong program. You want that holy moly emergency parachute to be in place. There are circumstances where organizations get hit, right? You’re doing everything right. The one thing I bring up to people, I say something along the lines of, they refer to zero days. Zero day basically means this is a brand new vulnerability that somebody discovered and is now just starting to actively take advantage of. Some poor company has to be on the front end of a zero day. If you happen to be the unlucky one, then you can be doing everything right and still get nailed with some type of a breach. So in that case, yeah, the cyber liability insurance comes into play. But I’ve seen organizations that go, well, if the security program doesn’t matter, then why the heck do I need to even worry about the cyber liability stuff? The thing people need to keep in mind is it is such a small portion of the businesses out there that actually get hit with these zero days. It’s not a big enough factor that it should start swaying your fundamental decisions about direction, if you will.
Now that makes sense. Now, what issues do companies run into as it relates to filling out their annual cyber insurance policy application? Well, historically, it’s weird in companies, right? People have this notion that the financial arena of my organization is the one that has historically interfaced with my insurance needs as an organization. There’s often an association between, they do financial audits, so stuff around a compliance audit kind of fits in that arena, and since the finance department’s typically the one handling insurance, there are a lot of organizations where the financial arena is also the one dealing with the cyber liability stuff. And if that’s the case, cut that practice out as an organization. The reason it’s a problem is the CFO, the accountant, whoever in accounting, they’ve got limited visibility into the security and compliance posture of the organization. And these questionnaires these days, I referred earlier that in the early days it was 10 questions and poof, you too had cyber liability insurance. But anymore, the application questionnaires can be, I don’t know, 25 to 60 pages, type of thing. Pages and pages of, oh my days, correct. I mean, anybody that’s gone through any form of a security and compliance engagement with a standard that’s got any form of complexity, you’re dealing with hundreds if not thousands of controls for the organization.
Well, the insurance companies have been kind of waking up to the various things that will actually help an organization stay protected, and they’re taking pages out of those larger, more complicated standards, and thereby the application processes have been increasing. The folks in accounting can take their best shot at filling out that questionnaire, but I’d be willing to bet dollars to donuts that they’re gonna fill that thing out wrong. Even if they took the paperwork and sent it over to IT, to your day-by-day IT people, even those folks may not know the correct answers themselves. It harkens back to a general, what I like to call the bad assumption that a lot of companies make, that just because you have IT people doesn’t mean that they specialize in security. It means that they’re really good IT people. And the two aren’t synonymous, necessarily. If your organization’s lucky enough to have somebody that really knows what they’re doing, well then, kudos to you. But that would be the rare exception of organizations out there. The big problem is that if your company has some type of a problem, whether it happens to be the remote chance of a zero day, but more often than not, it’s the organization thought they were doing things that would help to protect the company when they weren’t. If your company has an incident and needs to make a claim on that policy, one of the first things that the insurance company’s going to do is bring in the experts, right? And the experts are gonna do a forensic analysis to figure out what happened and where’s the problem and how much data was impacted, etc.
One of the other things that they’re gonna do, which is where many companies kind of run afoul, is they’re gonna go back and look at the cyber liability questionnaire application that was filled out and confirm: the way this organization filled out the application, what they said was in place, etc., is that actually in place? Because if they determine the organization said, oh yeah, yeah, yeah, green lights all the way down their application of all this stuff that they’re doing, but it turns out they’re only doing a portion of it or hardly any of it, well, guess what? The insurance company is going to turn back around and go, hey, that’s a great novel. We’re not going to cover you because you lied on your application. When you’ve got the wrong people filling out the application and it’s not filled out accurately in accordance with what your organization is doing, in effect, the organization is basically paying for a policy they would never be able to benefit from, and you’re literally setting the organization up to be in a position of being completely unshielded from financial ruin if fit really hits the shed, you know what I mean? I really do, and that’s a terrifying thought. Now, where do the boundary lines of data and security responsibility start and end with organizations today? I feel like it’s kind of blurry. Well, cyber insurance isn’t going to just cover organizations that aren’t realizing the appropriate extent of their data protection. If the company is effectively, because of the way they fill things out or the way they operate, kind of passing the buck, then you’re not going to be able to take advantage of the cyber liability policy.
There are a lot of companies out there that go under this mantra that I’ve outsourced my IT to fill-in-the-blank organization, or I’ve got a managed service provider, or I’ve got a third-party hosting company. The third-party hosting company is a big one, because a lot of times what organizations will do is go, oh well, I’m hosting my stuff at an organization that is PCI, ISO 27001, SOC 2, HIPAA compliant, whatever, fill in the blank, and so they go, oh well, we’re hosting our stuff there, so we’re good. The reality is that there are a number of different aspects of that notion of responsibility for third-party vendors, especially when you’ve got an organization that just goes, well, I use this company, so I’m covered. More often than not, what they’ll end up finding, if they ask the right questions, is these third-party vendors are only sharing a portion of the responsibility. A lot of the responsibility still sits on the client’s shoulders, so it’s in the organization’s best interest to go ahead and assess where those boundary lines fall for their particular organization, in light of the vendors that they use to kind of make up the way that they go about doing business. I can’t tell you how many of these companies have just kind of passed the buck to the hosting provider. That seems to be a pretty common one.
There’s organizations that will go into the premise that, well, I don’t store credit card data or medical records or banking information, so I don’t have anything to worry about. What these organizations are failing to understand is that there are tons of companies that got their asses handed to them publicly. The only thing that was involved in the data breach was names and addresses, emails, phone numbers. You don’t have to have the keys to the kingdom to justify taking that security seriously. It doesn’t matter. Your clients aren’t going to care. They want and expect organizations to take these responsibilities seriously, and they don’t care if it was names and addresses and emails or if it was an even worse type of deal. The other thing that companies tend to kind of forget is things like intellectual property. So we’ve got PII, personally identifiable information. We got PHI or health data. We’ve got PCI or credit card data. But you could also have intellectual property for the organization. It could be a piece of software. It could be the way you go about doing what you do. The way I look at it is that anybody that’s in business today, you have a good product, a service, whatever, that’s of value. And you’ve got competitors. And you’re better than your competitors because of that competitive edge, aka the intellectual property of how you do what you do. And so you also have that to protect as well. If you’re in business, then you’ve got to have something that’s worth protecting. And that’s the light bulb that organizations need to have go on. So this leaves some organizations thinking they’re covered when they aren’t though, right? Yeah, certainly. Organizations are under this misconception that everything in the cyber arena is just covered by their general liability policy or their professional liability insurance. And really what it comes down to, it depends on what’s covered under those policies. 
Unfortunately, they go with the premise of covering their butts with their general liability or professional liability insurance, but then get breached and discover too late that they aren’t completely covered. So as an organization, you want to have a real in-depth discussion with the insurance agent to discover exactly what is and what isn’t covered by your existing insurance policies. A lot of organizations get a little, I don’t know, I’ll call it a little bit gun-shy about having those discussions, because they are under this impression that the insurance agency has an incentive to just try to sell you everything it possibly can. And while that may be the case for some of the folks out there, that’s their objective, whatever, what I’ve found more often than not is the insurance agents are in this arena to assist in the protection of organizations. That’s what they care about most. They just happen to make some money at it while they’re at it, right? And they’ll be real with you. They’ll have real conversations and give you a clear understanding. But don’t be shy about having that open dialogue with your insurance agent. Ask questions. What if this happens? What if that happens, etc.? You want to make sure you clearly understand exactly what is and isn’t covered across the existing policies that you’ve got.
Now I’ve heard that some organizations are able to get a break on the cost of their cyber policies if they’re taking things very seriously. Is that true? It certainly is, more recently. In the early days the answer was no, they really didn’t seem to be making any distinction. But the cost of this cyber liability insurance, because of kind of what’s happened in the marketplace, the fact that these guys were getting their butts handed to them, etc., the cost of the cyber liability insurance just skyrocketed across the recent years, and there are some companies that are finding it harder and harder to justify paying their policies. They’re also finding, just because of the application process, etc., we’ve seen a lot of consolidation in the cyber insurance market. There are fewer and fewer organizations that are backing this particular type of insurance. And so, while it’s been challenging to navigate the waters of getting your insurance through the giant application process, etc., you could gain some financial benefit by taking your cybersecurity stance super seriously. I actually had a knuckle to name names or whatever it may be, but when TCT proper came up for their recent renewal, I had a good conversation with the agent. We were talking about making some changes in the policies and the coverage, etc., and I literally said to the agent, I said, look, I want the underwriter to understand who they’re talking to. This isn’t the company with an e-comm platform that, you know, or, you know, it isn’t a company that doesn’t know security and compliance.
I’ve been living it for multiple decades. We’ve got a strong program. We take this stuff super seriously. And in the end, I made a request, which was granted, which was to get on the phone for half an hour to talk to the underwriter and kind of let them know who is this company you’re contemplating insurance for. What’s the nature of our program? Where are our heads at when it comes to security and compliance? How often are we meeting and talking through our kind of operational compliance mode that we run in the TCT Portal? The fact that we’re meeting weekly as a leadership group to talk about elements of security and compliance. If you can get the backing of this really strong program and whatnot, then I have seen, both personally as well as having had discussions with others out there: if you can prove out that you really are maintaining a strong program, then think about it, right? Your company presents less of a risk to the insurance agency or to the underwriter. So less risk naturally leads you toward a lower premium. So I believe these days a lot of the underwriters for these policies have graduated scales based on kind of their perception of risk. And there are a lot of factors that go into it, but the more that you can prove out to your agency and the underwriters that are working with your organization just how well you’re doing, it’s going to go in your favor.
And the reality is there’s not a better way to be able to show and display your capabilities when it comes to security and compliance than to be leveraging a system that will assist you with maintaining those things, showing a clear history of your diligence as it relates to security and compliance, having something like the TCT Portal to be able to leverage for those conversations. I mean, I was ready and able to prove to these guys that we were talking with that we had tracks and tracks and tracks of full-scale annual compliance engagements going back years, type of a thing, and the fact that we were up to date. It was really kind of a powerful tool for that conversation.
Parting thoughts and shots for the folks this week, Adam. Well, at the end of the day, you don’t want to be caught unprepared. My biggest fear: I’ve now started literally from ground zero and up two different organizations in the security and compliance space. I realize just how effing difficult it is to do what these business owners and business leadership do, in terms of getting their companies to the point that they’re at today. It’s not an easy task. And the last thing that you want is to just light a match to it because you weren’t prepared. You’re a custodian of your customers’ and your customers’ clients’ sensitive information. You’ve got a responsibility to invest in your security compliance program. Cyber liability insurance isn’t gonna replace it, but it is the last resort to keep your company alive if you do run into a problem. So really think about some of the things we’ve talked about in this arena and ask some hard questions internally. I don’t wanna see organizations believing that they’ve got a policy in place that’s gonna provide coverage that turns out not to be so. That would be devastating. So do the due diligence, ask the questions. Don’t shift responsibilities to others. We talked earlier about the notion of, I leverage a third-party hosting organization and they’re compliant, so poof, I’m covered. Do yourself a favor. Go in and ask the hosting organization for their responsibility matrix, basically showing the controls of the programs and of the certifications and standards they go up against, and how the roles and responsibilities are allocated, whether to the hosting company or to the hosting company’s client. And make damn sure that you have coverage for the things that are your responsibility.
You know, ignorance is not going to get you a free pass. So do the due diligence, do the work, help to protect your company and beyond anything else, take your security and your compliance seriously. It will actually save your organization.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less.