Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Cyber Liability Insurance

Listen on Apple Podcasts
Listen on Google Podcasts

Quick take

On this week’s episode of Compliance Unfiltered, Adam and Todd tackle a topic that is skyrocketing in popularity in the compliance community: Cyber Liability Insurance (CLI). Adam walks through exactly what CLI is, why it’s important to every business, and how to obtain CLI for an interested organization.

Curious about what to expect to see in a CLI policy? Adam breaks down what you should make sure your policy has and DOESN’T have. The guys also chat about what NOT having insurance could mean for an organization.

All this and more on this week’s episode of Compliance Unfiltered!

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome into another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who has literally solved more compliance problems before you’ve woken out of bed, Adam Goslin. Adam, how the heck are you today? I am doing fantabulous. How about you, Todd? Man, I can’t complain with fantabulous. The answer coming back at me, you figure it’s going to be infectious.

So today, we are talking about something, Adam, that with everything that’s going on in the world right now is seemingly a little bit more important than maybe it was about 18 months ago. And that is cyber liability insurance. So for the uninitiated, walk us through, what are we talking about here today? Well, cyber liability insurance is a specialty insurance that’s been on the market for quite some time. You’re right, it did start to pick up maybe three years ago, and really started to take shape. But it’s specialty insurance. It’s intended to protect businesses from internet-based risks, and more generally, risks related to IT infrastructure activities, things along those lines.

Next up, well, why is that important, especially in today’s climate? Well, it’s important to have cyber liability insurance because it’s covering other elements that aren’t covered by your standard forms of insurance. So you can’t just go take your general liability insurance and start swathing cyber elements underneath it, they’re probably not going to be covered. So you’ve got to get the cyber liability insurance, so that you can get the full coverage for the organization. For myself, I mean, I’ve now founded two different businesses from the ground up. And for me as a business owner and/or a business leader, I look at it as a responsibility to any of my stakeholders. So that would include a responsibility to our clients and vendors that depend on working with us. Responsibility to our staff as well. And really, I extend that out even more, right? It goes out to the family members of our staff as well. Looking at it from my perspective, it’s part of my responsibility to help protect all of these people whose livelihoods are either directly or indirectly dependent on the success of this organization. It all falls under the umbrella of my responsibility to do what’s right to protect the organization. Well, I guess, I mean, that definitely resonates with me as somebody who’s led, and been responsible in that regard.

But I’m curious, again for the uninitiated, as they’re coming to this realization for the first time, how do they get cyber liability insurance? Well, I have a couple of different recommendations. Certainly, I mean, a lot of people are going to start with whatever’s most familiar, right? So whoever is currently serving your general liability needs, that’d be a good one to go to. The reality is that I typically recommend, go to an agency that can basically shop your needs against availability in the marketplace. There’s a couple of different things you wanna know walking in. Certainly your own organization, your own business, and the details and facts that they’re going to ask you about your business and your organization. I’ll put it this way, you’re going to wanna know a little bit more than the high level bullet point you would find on the about us section on your website, right? They’re going to wanna know certain things about the organization such as, what types of information you have and possess. They’re going to want to know generically what types of stuff you’re receiving, storing, processing, and transmitting to others. The bottom line is, they’re going to want to know the various types of data that you’re dealing with. Also, what are you storing? How many records? Things along those lines. So they can tell how you’re set up and structured. So you’re going to wanna know a little bit more depth than just the high level about us bullet. Also, you’re going to wanna do a little bit of analysis on how much coverage for cyber liability you need. Just making numbers up, do we need a half a million dollars of coverage? 1 million? 2 million? 10 million, 40 million? You wanna walk in with an idea.

Now, that said, for those that haven’t been down this path before, just pulling a number out of the air, right? The typical drivers for that number are, and oftentimes you can coordinate this with the agency to help you get to a number that sounds like it’s going to make sense, but it’s typically driven by, what’s everything I need to protect? And then the other side of it is contractual obligations. Most of the time that includes, contracts that you’re signing off on with customers, clients, and vendors. They’ll have these little buried bullet points in there about, oh, you need to carry blah, blah, blah of insurance. And so I’d recommend to folks, it’s a two-prong approach. Look at your contracts. Do the analysis there. Get the dollar amounts out of there so you know what the bare minimums are. And then, put that in combination with the discussion you end up having with the agency to figure out what would make most sense for where you need to be in the coverage range.

That leads directly into the next question, as somebody who’d be looking into procuring a policy, what do you expect to see inside a cyber liability insurance policy? Well, it’s going to cover a bunch of different cyber events. Obviously, every policy is different, the devil’s in the details. But generically speaking, it’s going to cover various cyber events, things like ransomware, data breaches, theft and loss events. A lot of the line items of coverage would include things like incident response. So if you had an incident, it would be covering costs for incident response, for legal, forensic, and breach management related costs. Elements related to cyber crime, and theft of personal funds. So again, this is in the cyberspace. So let’s say that somebody bamboozled the internal accounting person, and somehow had extracted funds from the organization. That would fall into that arena. Extortion, system damage, and rectification, as well as system business interruption and reputational harm would come into play, as well as loss assessment costs. So any time that an organization has any event, there’s an associated level of loss that comes along with it that may be covered by the details of that particular cyber liability policy.

Now, speaking of, you mentioned the devil is, in fact, in the details, as we all know. So is there anything specifically that we need to be looking out for in one of these policies? Well, I’d really kind of bring this up a level, right? I mean, right now, the listeners are going to be a combination of, I’ve never had to deal with cyber liability, and we’ve had cyber liability for the last eight years or whatever, right? So I’m going to cover a little bit of a broader spectrum, in terms of what to look out for, and kind of jump around a little bit. So for those that say, well, we don’t need to worry about it, we already have cyber liability insurance. You want to know what? I can’t emphasize this enough. Go have a conversation with whoever’s filling out the annual application for the cyber liability, and go find out everything they’re signing off on. And what I mean by that is, annually, there’s an application that you’ve got to go in and fill out. Now, if I go five years, or eight years back in time, those cyber liability applications, they were really high level, and really fluffy. Quite frankly, the folks in the insurance arena, they didn’t have the knowledge or expertise to even know what to ask. And that was evident in reading one of these applications. Nowadays, dude, it’s like they hand you this battalion, depending on who it is, this battalion list of are you doing this? Are you doing that? Do you have this in place? Do you have that in place? In some cases, these are like 200 question surveys, almost like what you do for a vendor security assessment, that’s being involved in signing up for cyber liability. So, it’s going to have detailed validation steps around practices of the organization, as to whether or not they’re in place at a generic level. Are you doing this type or that type of security testing? And what’s the scope of those items? And what policies do you have in place? Do you make the employees sign off that they’re going to follow the policies? Are you doing security awareness training, and a lot of technical requirements for the organization? Do you have file integrity monitoring? Do you have centralized logging in place?

So there’s a lot of elements on those annual applications, and the problem is the person that’s normally filling this out, right? Because the business looks at it as, oh, this is insurance. So who’s filling that out typically? More often than not, it’s like the CFO or somebody in accounting that’s going in and filling out these forms. Most of the time, they don’t know what these items are. Over time, those questions have gotten more and more detailed, and in many cases, right, wrong or indifferent, the internal personnel don’t even know what it is that they’re saying we do, or they don’t have the depth of technical background to absolutely confirm, yes, we’re doing this. So that’s why I say, go talk to whoever’s filling these things out, acquiring your annual cyber liability, and go take a look at the application form they filled out. The reason why that is astronomically important, I believe that we’re going to be covering that here in a little bit, so I’ll come back to that. For each of the policies they have, like anything in this world, they’ve got all sorts of exceptions. Well, you’re going to take advantage of this policy, but it’s not going to cover this, and it’s not going to cover that. And well, if it’s a full moon on a Tuesday, then we’re not going to cover whatever exceptions that they’ve gone and put into the explanation within the policy. We want to make sure that we understand what they are, and what they’re not going to cover.

What I would encourage the listener to do is, when you’ve initially first started out, maybe the agency can help you get it down to maybe two or three policies. Go through, and look at those exceptions. Play scenario games. What happens if this goes poof? What happens if that goes poof? You’re not covered there. So just walk in eyes wide open, buyer beware. And also just make sure, it sounds obvious, but make sure that the exceptions aren’t crossing over some fundamental coverage that’s needed for the organization. If they’re going to exclude something that is core to your business, or core to how you do what you do, or core to what you’re storing and saving, then it’s going to take on less value.

The other thing for organizations to keep in mind is, that the landscape for cyber liability over the course of, let’s say the last 18 months or so, has been swiftly and dramatically changing. So it used to be that the insurance carriers were letting anybody sign up with anything under the sun. There weren’t a lot of validation questions, and poof people would go get their coverage. But the reason why this landscape is changing so swiftly is, because of the fact that there have been a ton of companies out there that were signed up with little validation, that are now having issues. Now they are basically leaning on the insurance industry for payouts, based on the policies they had. Whenever that occurs, then two things are going to happen. Number one, the capability, affinity, and knowledge of the insurance carriers, agencies, and companies themselves is going to go up, because they’re learning about all the potholes that they stepped in. And number two, the costs are going to start to skyrocket because these insurance companies, I don’t blame them, right? They’re tired of getting their butts handed to them. So they’re going to go in and increase the cost to make up for their losses. So the cost and availability of cyber is becoming an issue.

Was that something you’ve seen? Yeah, for sure. So the reality is, is TCT went in to do its own cyber liability. Now, I don’t even think I’ve ever had to even call the insurance company. I just keep paying all the time, right? Of course, hold on a second. I’m knocking on wood here. Okay, good. So the reality is that TCT has never had an issue, ever. We’ve had insurance for years and years and years. And last year, to my latest renewal, our costs jumped 35% in that year over year. So it’s really starting to go up. I’m really hoping that the lockdown that has happened with the folks in the cyberspace, I’m hoping that they’ve locked it down fast enough that we can stop the bleeding on the cost skyrocketing, because it’s a problem. It shouldn’t be this challenging.

Well, let me ask, like, how can a cyber liability insurance carrier make a difference in the protection? Like, is it not all the same? No, I mean, it’s like anything that you go get out there, right? I mean, I could go and sign 10 different detailed contracts with carpenters to go do fill in the blank, and every single one of those is going to be different. Same thing in the insurance arena, it all comes down to, we talked about it a minute ago, but carrier by carrier their inclusions and exclusions, they’re all going to be different. Honestly for me, it’s less about the carrier themselves, and more about the experienced agency that can assist an organization going down this path. For the listeners that are about to go get their, whatever, 30% plus increase in their cyber, they might want to go back out and double check the market. But getting an agency with a lot of experience, that can go to a number of different carriers, that’s going to be a huge help. Because now, it takes a lot of the weight off of you for trying to get it all figured out. The other thing is, like any space, there’s new carriers, and there’s carriers that have been around for a week or three. You don’t want to be client one on a brand spanking new carrier, especially if they end up having some type of a massive issue. You want to make sure you’re protected. There’s also a lot of market consolidation that I’m seeing out there as well. A lot of the small to mid size carriers are typically on a regular basis getting gobbled up by the big players. But you don’t want to be in a position where you’re constantly worrying about your carrier switching out, what adjustments they’re going to make to inclusions and exclusions. That stability is certainly helpful if you can weather that storm.

So I guess one question that I have to ask here, almost to play devil’s advocate is, that I’m sure there’s a chance somebody out there is listening to this going nah, do I really need cyber liability insurance? Isn’t that just something else they’re trying to bilk me out of some dollars for? Well, it’s definitely, for some organizations, a new concept, right? I mean, the way that I would put it, I see an interplay between your insurance, your security compliance posture, and what your business does, all of those play in as factors. And if you think about it this way, every single organization out there or any person, like any person driving a car, if they’re following the rules, then they’ve got insurance for their vehicle. It’s not about you being a good driver, somebody else could just sideswipe you, things happen, things drop from bridges. So, look at it from the business side, you could just carry your general insurance and hope for the best, that type of thing. I’ve seen comments from, especially small to mid range organizations where they’re sitting there going well, we’re too small, and we’ll never be found. And it’s like, that’s just not the way that this works.

Every single machine on the internet, every single one, it’s got an address, it’s like four numbers separated by three dots, right?
I think I brought this up on one of the other podcasts. But it’s like the shock that people used to have around the fact they had an unlisted phone number, and now all of a sudden the phone rings and it’s somebody that’s basically just random dialing, right? Area code, one, one, one, one, one, one, one, one, two, one, one, one, one, one, one, three. Well, you can do the same thing from the internet perspective, and basically find any device out there that will actually respond. And the bad guys, they don’t care. They don’t give two craps if you’re some giant multinational company, or you’re a shoe repair store, they don’t care, right? In fact, they don’t even generally have any idea when they first come upon the fact that, boy, there’s a machine and it’s responding. They don’t have any idea what that device is right out of the gate. They’ve got to keep doing analysis. But that’s how they go about finding machines. It’s through a random process. Anybody that’s actually looking at their logs, if they have central logging and are looking at those logs and reviewing them, will realize that the organization randomly is probably getting hit 10 to 50 times a day from random people just finding them, type of thing. Could you roll the dice and do without the insurance? I mean, yeah, life’s full of choices. All depends on whether you wanna protect the organization or not, that type of thing.

But here’s the way that I look at cyber liability in general. In general, I look, keeping in mind, I have a security and compliance background, and have been taking this stuff seriously for a long time. The way I look at this kind of interplay, is that my cyber liability insurance is literally my like break glass, holy moly emergency parachute backup plan. Things have gone horrifyingly wrong, and I’m doing everything right. And it’s not my fault. It was a zero day vulnerability. I happen to be on the unfortunate early list of who got nailed, that type of thing. So that’s the way that I look at it. And when you look at the security and compliance side of things, really that is your fundamental shield for the company, because the more seriously you take that security compliance arena, then the less risk that the organization has, and the less of a chance that you’re even going to need to invoke the cyber liability insurance. But that said, despite the fact of whatever I’m doing for TCT, yeah, those are all things that I take to heart and do. I still go ahead and pay for the cyber liability. Could I save money and roll the dice? Hey, man, I could. Am I going to do that? No. Again, it goes back to that first fundamental that we were talking about on one of the early fundamentals in this conversation, which is, I take that responsibility, my responsibility to the people that depend on TCT, I take that responsibility seriously, which is a reason why I wouldn’t roll the dice. Now, well, other organizations do. So, we’ll see.

I mean, there’s been several events that have occurred, which have underscored this notion of both taking your security and your compliance seriously, and having cyber liability insurance in play just in case. But there’s companies that will go from having some type of a breach cyber event, and are literally out of business within months. And we’re not talking like some company that, oh, well, we’re pulling in 500,000 a year and we went bust. We’re talking about companies doing tens of millions of dollars a year, going from doing fine, to all of a sudden, poof, they’re out of business. So, is it a good thing to have the insurance? Yeah, I personally would say yes. I appreciate that.

So any more pro tips that we want to give the listeners on this topic? Sure, so the last helpful piece of information, I’ve thought this for a long time. One of the biggest frustrations with me in the cyber insurance arena in general is and has been that, I’m like look, I take this stuff super seriously. We go through third party audits. We’re doing everything that we can to do a good job with this. And if I’m doing all of these things, whereas someone else that happened to pick up the same policy really doesn’t care, that’s not taking it all that seriously, they’re looking at this as a, I don’t actually have to take my security compliance seriously, so I’m going to use the cyber as my primary shield, we’re not that company. And so, for those organizations that are taking a strong stance with their security compliance, it’s a defensible stance. So what I mean by that is, it’s backed up with something, right?
I’m using a compliance management repository. I can show that we’re actively engaged in the proactive protection of the organization. We undergo third-party assessments or audits every year. We undergo security testing this often. If you can show, and you’ve got a really defensible position for a strong stance on your security and compliance, do yourself a favor and go back to the agency slash carrier and ask them if you can get a discount.

Now, TCT, when I was faced with the whole, here’s your 30% increase. I brought this up with them. I talked with them. I showed them some of our assessment and audit documentation, and TCT was able to actually get a discount working with the underwriters. So if you haven’t had that conversation with the underwriters or the carrier, go ahead and give it a shot. I’ve found that if you’ve got your act together, and you can prove it, I found them to be pretty amenable to that conversation, especially on the backs of the fact that TCT’s never had any issue, or made a claim. I think it really improved our position that we have had years of cyber coverage and never had to make any claims. I think that was probably another element that played into it strongly.

That makes a ton of sense. Till next time, Adam. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.