Skip to content
 
Episode 26

Cyber Insurance with the Experts: Michael Phillips and Kevin McGowan

EPISODE SUMMARY

Today, Joe and Mike talk to the folks at Resilience Insurance - Michael Phillips, Head of Claims, and Kevin McGowan, VP of Cyber Underwriting. As companies are getting hit by smarter and more costly cyberattacks, we find out how to offset the risk with cyber insurance. We examine what cyber insurance covers, how it works, and what to consider when choosing the right policy to get your company the protection you need in case of an incident.

Once you've listened to the podcast, read Joe's blog post on cyber insurance here.

Subscribe or listen now:  Apple Podcasts   Spotify   iHeartRadio

mike-gruen-150x150
Mike Gruen

Mike is the Cybrary VP of Engineering / CISO. He manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture.


Joseph Carson:
Hello, everyone. Welcome back to another episode of 401 Access Denied. We've got a really exciting, really interesting topic today to discuss. And I think for many companies out there, it's really going to be something that you're either in the middle of doing or it's something you're going to have to do in the near future, so exciting topic. I'm one of your co-host, Joe Carson, chief security scientist at Thycotic and also advisory CISO for Thycotic and in many companies around the world, I'm like almost a ear to many CISOs in their thought process. It's a pleasure to be here. And again, I'm joined with Mike, my co-host. Mike, do you want to give us an update about what the topic is going to be about?

Mike Gruen:
Yeah. Mike Gruen, VP of engineering and CISO here at Cybrary. Today's topic is about cyber security insurance, and we're joined by two great guests, Kevin and Michael. I'll let them introduce themselves and maybe one of them will tell you a little bit about their company and what they do. Kevin, why don't you go first?

Kevin McGowan:
Sure. Thanks guys. Hi, Kevin McGowan. I am the Vice President of underwriting with Resilience. I sit in Chicago. So here at Resilience, we are underwriting cyber insurance on a daily basis, and we also have some pretty interesting security offerings that we're bringing to the table. And with that, I will pass it to my colleague, Michael to introduce himself.

Michael Phillips:
Thanks Kevin. My name is Michael Phillips and I'm Resilience's as head of claims. So I'm an insurance lawyer. So hold your booze. They only make me stronger. But what I do is I make sure that Kevin's promises are fulfilled when a cyber crisis hits. And I try to help companies respond to the incidents that happen and maximize their insurance on the other side.

Mike Gruen:
Great. Well, thank you so much for joining us.

Joseph Carson:
Absolutely. So it's a pleasure to have you here and really excited about today's conversation. I think it's an important topic for many companies because it's one of the several ways to offset risk, which is important for organizations. I'd like to get some of your input. I've been touching the insurance industry for quite some time. I went to 2008, 2009. I get heavily involved in the maritime sector. It was a time when in maritime, they were getting, I guess, the old type of real-world ransomware type of thing when pirates were attacking vessels. And what was interesting at the time was insurance was a big discussion for the shipping industry. And they had lots of different insurance policies.

Joseph Carson:
And one of the things was that we started to see ship management companies and the industry being targeted by cyber attacks at that point in time. But interestingly enough, the cyber insurance portion actually was under the terrorism portion of the insurance law. And it actually excluded them from getting insurance for cyber side. And then, of course, in the years after that, we saw a lot of major attacks. And I started seeing the likes of cyber captives in being a shortcut because there was nothing really to cover that cyber side of things. So just interested to get your feedback into how has cyber insurance progressed since those times where companies couldn't get it, wasn't available, and then companies moved to doing cyber captives. What's the current situation today with cyber insurance? What's the offerings and how has it progressed over the years?

Michael Phillips:
That's a great question. What is cyber insurance? Even in 2021, we're still having to address that question. If you rewind the clock 30 years or so, the initial cyber-ish insurance policies where liability policies sold to tech companies. If you were breached and you lost data or your technology failed to protect your client firm, you may be sued and you may have liability and you might want insurance to transfer some of that risk. But over the years, this policy, this side of the industry has iterated to expand to a lot more coverages. One thing that I think is really important to highlight, and your question gives me the opportunity to do so is, what truly is cyber insurance versus other types of insurance that might try to address some aspect of computer-based risk is a really important one and it's one the industry wrestles with every day.

Michael Phillips:
So at Resilience, and then I'll tee it up for Kevin to comment on, we are champions of the standalone and affirmative cyber insurance marketplace. That's the most technical version of what I mean to say, which is we develop products that are cyber only, that have cyber on the tin, that everything they say is about the perils of computer security and the like. So a lot of the public reporting to this day about cyber insurance tends to reflect these other markets, these traditional markets. And there is no market more traditional to insurance than Marine risk, trying to address computer-based risks for their spaces as compared to where Kevin and I try to develop expertise, which is this standalone space where everything we do has to do with this risk.

Mike Gruen:
On that real quick, I'm curious because there is a point where physical stuff and cyber overlap, and how do you draw those lines? If I have a physical data center and there's a physical breach, is that covered by cyber insurance? Where are those boundaries and how do you guys think about that?

Michael Phillips:
Well, that's great. I'm going to take that one too. I'm going to take all the tough ones because you're asking all the tough ones right way. That question also speaks to another thing that the cyber insurance industry or the industry at large is talking about every day. We call it the silent cyber problem. So most of the physical, tangible property risks in the world sit with property policies and with other types of commercial insurance policies that say, "If physical property is stolen or destroyed, we're going to replace it." Meanwhile, cyber insurance, our sector, we've always focused on intangible risks.

Michael Phillips:
And now you are seeing just as the technology is moving in this direction where internet-connected things are manipulating physical objects or have the ability to do so, cyber insurers trying to figure out what more can they cover, how do they underwrite to it, while property underwriters are saying, "You know what? I'm getting burned. I don't know cybersecurity well enough. I don't know about data privacy well enough and the consequences of these events. So I don't want to cover that anymore." And so that's where we're seeing a bit of intersection and divergence. And so different underwriters are taking different strategies on that.

Joseph Carson:
This will be interesting, because from your point, one of the things I'm used to from insurance policy, looking at in the past, it was almost about let's say they had a leak or a fault in the data center which caused physical damage to the servers. And the insurance policy would have covered them for the cost of the equipment but the data itself, they would not cover it. That data itself was basically not considered a tangible value asset. What's really interesting from your coming from the opposite side, is that looking at it from the data perspective and really focusing on organizations, so really giving that gap of what they couldn't do in the past.

Joseph Carson:
So they can have the traditional types of policies that would cover them for the physical assets to be able to restore and get back up and running. But for many businesses, they rely on the data. So how would this work in, for example, what I see from a data tangible perspective that most organizations get faced with is the likes of ransomware. And we had a recent episode discussing about organizations who do become victims of ransomware because that really targets the availability of that data. It stops the business from providing services in many cases. If it impacts their backups, they're in a situation where they struggle to even recover. So was that your type of customer base you're focusing on purely on the data perspective?

Kevin McGowan:
Yeah. That's exactly right. That ties together some of the topics you guys were just talking about in terms of where are the lines, what is the intent of a standalone cyber insurance product and the difference between tangible versus intangible, property versus data. And if you think about how insurance policies work, it all goes back to the triggers. On a property policy, you're talking about physical events like fires and hurricanes and on a cyber policy in what we offer at Resilience, you're talking about what we'll broadly call security breaches, security events, data breaches, privacy events. So ransomware, as you guys probably know, is what folks like Michael and me and others in the cyber insurance community are talking about every day. And you talk about how the policies have evolved over time. As Michael was describing earlier with that liability concept, cyber insurance came out of professional liability, in a way.

Kevin McGowan:
So a lot of us, myself included, have a background in both cyber insurance as well as professional liability, particularly for technology companies. You had that concept of perhaps software failing and that leads to a security event, what does that look like over time? Cyber insurance policies, with the help of the broader market, became much broader in scope in terms of what they cover. Fast forward to today, the most common threat vector, broadly speaking, being ransomware. So you get hit with ransomware and think about all of the different things that can implicate and the different costs associated with it, and a well-designed cyber insurance policy is going to address a lot of those. There's going to be a frontend investigation where someone like Michael is going to coordinate with you to bring in a law firm, potentially an additional forensics firm that is going to specifically work around ransom negotiation.

Kevin McGowan:
And there's also insurance coverage for the actual payment itself. There's then backend business interruption loss for, "Okay. We were down for three days and we lost X amount of revenue." And then the last item, which we were alluding to earlier, having to do with a data recovery concept, if you had a full corruption of data and you lost certain important datasets that needs to be rebuilt in some way, shape or form. So all of those things right now are the true spirit of a cyber insurance policy. And that's where insureds right now, I think, are generally glad that they have the policies because they seem to be working quite well, which is then presenting a new set of challenges for the insurance carriers that are providing the coverage as the losses from ransomware have certainly increased over the past couple of years.

Mike Gruen:
I'm curious, because you mentioned the loss of business and stuff like that. And there was so much to unpack in what you were talking about. I think it hits on so many different things. I was listening to our friends, over at Shift Five, have a podcast, and they were talking about a recent incident with a train line where they got hit with a cyber attack and it basically shut down their ability to move and use use their trains in transit. And I'm curious, at that point, are you working with the other parts of the insurance... That company, assuming they have a cyber insurance policy, there was certainly a cyber event but it starts to have all this real physical world impact. Is it you guys 100% are on that or are you also working in tandem with the other insurance company on some of the ripple effects of that incident?

Kevin McGowan:
So I have a quick comment there, and then I think it'd be really helpful to hear Michael jump in from the claims perspective, because that's where folks like him really get involved. And so to your point, depending on the nature of the loss, sometimes there can be overlap and coordination between multiple insurance policies. I think what's interesting about the example you gave and something Michael can touch on because it's a challenge in the market right now is...

Kevin McGowan:
So we talk about downtime, that rail line, they can't operate. Now, you start to get into essentially, forensic accounting. And this also ties back to the property insurance market as well in terms of business interruption coverage. So you have, okay, the trigger might've been a cyber attack. So you look towards cyber insurance. And then you start getting into, "Because of it, we were down and could not operate for X number of days. Well, we typically generate Y amount of revenue over that period of time." That does bring in some different and older insurance principles that the cyber market is now grappling with. With that, I'll let Michael give a little more color on that.

Michael Phillips:
Well, again, these are the hardest questions. I appreciate. I'll speak broadly for the philosophy of the affirmative cyber market. We sell a product that is typically designed to respond as "primary" for a cyber-based event. But as you've just described, events such as your rail line example, they may have other policies that consider themselves to be primary or substantially responsible for any loss that manifests itself in the physical world. And that gets into a quite the exercise, to line up the language of the policies, to find out what the policy holder wants, what the insured wants, what did they expect and how does it all line up to the four corners of these contracts that they've negotiated? It can be complicated. From our point of view at Resilience, we're trying to offer something more than just attention to the data breach element and the intangible risks that we've been discussing to help firms become more operationally resilient, both preventatively and proactively, and then in the event that they need to recover.

Michael Phillips:
Certainly, we want to get our shovels and help firms get back up and running and be service-oriented. But when you're a buyer of insurance and you're thinking about this peril and how it can manifest in all these different ways... This gets back to my comment about the standalone and affirmative market. You don't get all of those coverages that Kevin was outlining if you just bolt on a little bit of cyber onto your property policy. You do need to go to a specialty market of which we are one to get access to the data recovery coverage, a fulsome cyber extortion coverage as well as these business interruption coverages. Otherwise, you might just get a little something that says, "If you need a privacy lawyer to evaluate your your data breach notice obligations, you might get coverage for that." But you wouldn't have everything. It's important to grapple with that with a broker typically to figure out exactly what your perils are that you need insurance for.

Mike Gruen:
Sorry, let's take a huge step back. What advice would you have for a company looking for insurance? What should I be concerned with as I enter into this? I think cyber is an area that every company, regardless of what you do, it's actually a real risk.

Joseph Carson:
And it's very different as well.

Mike Gruen:
And it's very different by industry and...

Joseph Carson:
Yeah, the different types of attacks as well. You've got so many different types. You've got service attacks that stops you from delivering business. You've got the likes of DDoS. You've got reservoir attacks that destroys your data. You've got data breach where your data gets stolen. There's so many different aspects here. Depending on the company and business that they're offering, the impact can be very different. So to Mike's point, is if you're a company, what's the assessment look like to really determine what is the right policy to get? And what's the types of requirements you would have to meet? Is it just filling in a form or do I actually have to implement something? Is there some regulatory type of compliance I had to to get to in order to become eligible.

Mike Gruen:
Kevin, you want to take it home?

Kevin McGowan:
I can jump from there. That is a good to set of questions. And there's a lot there. I guess I'll start with, if you're a company out there, at this point, regardless of industry, because as we're all hitting on, unlike certain types of specialty insurance, cyber insurance is essentially industry-agnostic. Everyone has the exposure in one way, shape or form given all the different types of attacks we just touched on. First and foremost, typically a company is going to talk to their broker, ideally who can have some specialty and expertise in cyber insurance because it is very much a niche product. And particularly compared to certain other lines of commercial insurance, cyber moves really fast and it changes and there's a lack of standardization. So what one carrier says on their policy or what they call a certain type of coverage might vary from them to the next person and not every policy is going to give all the same coverages.

Kevin McGowan:
So, first and foremost, you're going to be talking to your broker, ideally working with risk management, information security, finance, HR, legal, all these people that are different stakeholders at the insured, talk to your broker and assess the risk. And then your broker is going to go out to markets like Resilience and others and try to procure different quotes. And this is where it gets interesting because, as you were saying, what's required? What are we going to ask? And that is really interesting because again, the market is moving fast. And as I alluded to earlier, and as Michael can attest, the loss environment has increased quite a bit to put it simply particularly around ransomware. And so just a few years ago, you might've been able to get a fairly robust product from a cyber insurance carrier by simply filling out a few page application and answering some relatively basic security questions.

Kevin McGowan:
Initially, any underwriter is going to want to know, "What do you do? What is your business? What industry are you in? And how big are you from a revenue standpoint?" And then you go downstream into, "Have you had any claims or cyber incidents before?" And what I will say now, most importantly, is, "What security controls and risk management do you have in place?" Fast forward to today's world. Now, where for a long time carriers were adding more and more coverages to policies which brokers and insurers were helping push. Now, things are actually starting to almost go the other way. Certain of our competitors that have taken a lot of losses, they're now pulling back. They're adding co-insurance, they're adding sub-limits and reducing the amount of coverages they're giving, particularly on ransomware. So you really do need to have your ducks in a row. And so at Resilience, what we're doing is we have experienced underwriters like myself who know the questions to ask around phishing cadence and patching protocols and point detection and response tools and offline backups. We could go on and on.

Kevin McGowan:
We're working with Michael, from a claims leadership standpoint and security experts that we have in-house, because the insurance industry is realizing, "This is a big ticket item. It's a big problem. And it seems like insurance professionals like myself and security professionals maybe can't solve it just by themselves." So you need to bring the two together, which is what we're attempting to do at Resilience. And that's where that much more robust assessment is coming in right now. And so we're looking at all kinds of different controls across the environment to see what insureds are doing, because that's going to dictate the outcome that they're going to get, how viable the coverage is, what it costs. So that's what insurers and potential insurance need to be thinking about is really being able to tell a good story about how they're managing the risk and that's going to produce a better outcome on the insurance side.

Mike Gruen:
I talked to another company a long time ago... Actually, not even a company. It was just some mathematicians that were trying to build analytic models to try and assess risk and so on and so forth. And they had some interesting findings. And I'm curious, I fill out questionnaires all the time when I'm selling... We have prospects that want us to make sure that we're doing this, this, this, this. I promise there's a question coming. A lot of times, those questionnaires have antiquated check boxes I have to check. And I know if I don't check this box that it's going to get denied. But at the same time, I'm actually going well beyond what this questionnaire is asking me to do. I can think of any number of regulatory things that just can't keep pace with the ever-changing environment of technology and security and so on, so forth.

Mike Gruen:
With that in mind, how do you capture... Because I would imagine, if you just talk to the security team, if you just talk to the company and found out what's their mentality towards security, you'd be like, "Oh, these guys know their shit and we feel pretty good about it." But I feel like there's no way to get that in a questionnaire. But there's probably some models, there's probably some things you can do that tease that out of how a company operates. I'm just curious how you guys are approaching it?

Kevin McGowan:
I guess my first question is, were you an underwriter before? I'm impressed. I come from a world where I have historically managed books of business of large accounts, large companies, fortune 1000 buying cyber. And to your exact point, all of us in the insurance world, we still get applications and questionnaires a lot of which are yes, no every day. And that is part of the picture. But to your point, it is hard to tell a story and to glean any information that falls into a gray area or, "can you elaborate on that?" just from a yes, no application. So you're spot on. Historically, I mentioned the larger accounts because those companies were more likely to have, pre-COVID, in-person underwriting meetings or over the past year or so, Zoom meetings where folks like me were asking them lots of questions, they were giving presentations and you could get a bit more of a qualitative feel.

Kevin McGowan:
So in addition to a bunch of, yes, no answers, you could get that sense exactly like you described of, "This organization is impressive. They're really committed to security and risk management." Or perhaps they're not. They're viewing this just as a financial instrument and some risk transfer, which is less of what you're looking for in the cyber insurance world. So that absolutely is a big part of it. As the scrutiny and underwriting has increased given the threat vectors over the past couple of years, that has come more downstream where middle-market organizations now are needing to do those calls meetings and present a broader picture beyond what's on paper because that does help everyone.

Kevin McGowan:
It does help me as an underwriter. But it also helps the insured, again, tell their story, give more context around what they're doing and ideally get a more optimized result. So that is certainly a big part of it. And then the other item you mentioned just about actuary and modeling the data, it's really interesting too, because again, compared to, especially something like property insurance which has been around for hundreds of years, cyber insurance, it's debatable, but it's really only been around in earnest for 10 to 15 years, realistically. And so with that, from an actuarial data standpoint, yes, we have some but that is not a great amount.

Mike Gruen:
15 years of data compared to hundreds of years worth of data?

Kevin McGowan:
Yeah. Again, if you think about Resilience and what we're doing, what's a little more interesting not being a traditional large insurance company is we have a whole data science team in-house. So you're trying to do, bring all this together. We have a security team that can gather tons of data externally, you have underwriters who are getting data from applications and meetings and you have a data science team, and you're trying to leverage all that as best as possible. And you're trying to look at different items and track it and correlate it back to loss trends. Do you have an open RDP port? Does that make you more likely to have a ransomware event? More than likely, yes, things like that. So we're trying our best with lots and lots of different data sources to paint a clearer picture, correlate that to actuarial data and drive better results. Scalability.

Mike Gruen:
Which I imagine would help with scalability. If every company needs to get cyber insurance, not every company can have a face-to-face or virtual meeting with them to go through that whole process. So, yeah.

Joseph Carson:
So on that point, I think that's really interesting because it gets really, from a data analytics perspective, you'll have those companies who have met certain requirements and security controls that don't become victims and you've got the other set who do become victims. Potentially, if you could get to the point where you could actually use the data of those who actually are better protected in order to actually give suggestions to those who become victims of how to do better. It's an interesting aspect where you actually start looking at since you've covering all of the models and doing those data analytics, it would be quite interesting to offer recommendations for those to prevent themselves from becoming a victim. So it'll be interesting to see how that trending and predictability model will actually start picking up, such a really interesting aspect.

Mike Gruen:
I was just going to say, I think one of the challenges you guys probably face on the reporting side, there's probably only a small percentage of events that actually get reported in a way that you guys can actually use in an analytic model. My guess is there's a lot of events that happen where just you pay the guys off under the table, you can do whatever you're going to do. And t's not really out there. If I remember correctly, on the cyber side, there's only a handful of places where you actually have to report. I think state of Maryland is one of the places. It's very hard to get that reporting information, I imagine.

Joseph Carson:
I think it depends on the impact really. If you're a victim of ransomware, it's going to be noisy. If you're basically, data stolen, you might be trying to do it under the covers because it's just not the visibly very interesting.

Michael Phillips:
So Joe was reading our VC deck with being able to take what we learn and use it to make superior recommendations. That's certainly true. At Resilience, it's our thesis that you can't just look backward because technology is always changing. The cyber criminals are always changing their strategies. And also the law is changing. Each state does have a data breach notice law but it's very specific to Social Security numbers, Driver's license numbers, personally identifiable information. And what you have to report, whether to the attorney general or to the impacted individuals, doesn't go into a cause of loss analysis. What was the intrusion pathway? What security did you have that didn't work? Or which employee clicked the link they shouldn't have clicked?

Michael Phillips:
It's hard for us. And in our claims investigation, we want to be comprehensive but also user-friendly. Policy holders want to know that they're getting a recovery out of their insurance and not necessarily an audit out of it. For me, one of my challenges in my role, and again, no one needs to weep for the insurance lawyer, but is to get enough information to help educate my underwriters so that way they are selecting risks appropriately, pricing them appropriately and we're managing those risks appropriately before anything bad happens.

Mike Gruen:
As an industry, are you guys collaborating? You all have the same problem. Are you guys trying to work together to create some one-stop shop, collaborating in any way to share this information in useful ways, not in blame-y ways?

Michael Phillips:
Well, I'll take that one first and then I'll kick it to Kevin. The history of Lloyd's of London is a coffee shop. It's a gossip-filled atrium in central London. But at the same time, we're all competitors. And claims data is the data that we've invested the most money in because it's not just the investments on the underwriting and analytical side but then it's the money out the door and our losses. And so sharing data in the insurance market has always been both quite common and also fraught with a competitive peril. We also work with insurers and reinsurers who, of course, each of them aggregates data that they receive from other insurance players that they may insure or reinsurer or support in some other way, as do the brokers.

Michael Phillips:
So we all have great datasets or we all think we have one. We just think ours is a little better than the next. At Resilience, we are quite supportive of efforts to increase data sharing especially around ransomware, which as Joe was describing, too often exists in a shroud of mystery, isn't reported to law enforcement or has a stigma around it such that firms just want to sweep it under the rug and not discuss it. If we're going to bend the curve on that trend line, we need more information. So that's my take on it, Kevin.

Kevin McGowan:
I would just echo a lot of what you said. I don't have a whole lot else new to add there. I think there are a lot of conversations happening at very high levels. You even start to think about government implications, especially around ransomware in terms of yes, can there be more information sharing to solve the problem? But then you juxtapose that against the fact that it is a for-profit industry in a very competitive environment and carriers that have big datasets and lots of claims information, they're trying to leverage that themselves to produce better results for them as a company. It is an interesting situation because as Michael alluded to, there are dozens of different carriers that have datasets.

Kevin McGowan:
There are brokers that have their own datasets based on who their clients are. And then what's really interesting, particularly ransomware is now some of the forensics vendors and some of the vendors that are doing ransomware negotiation, they've got their own interesting data sets because they're getting pulled into lots of different ransomware incidents, regardless of who the insurance carrier might be if there is one or who the insurance broker is or what industry they're in. So there's lots of different competing data that we're all trying to leverage. And the last thing I'd mentioned, going back a bit to the prior topic and tying it together is Joe, to your point, it does speak to cyber insurance in particular being different than some other lines whereby we're trying to understand, "Okay, here's an assessment of your risk and here's maybe a couple of key controls that you don't have in place." There are lines there where we at Resilience, we might say, "Right now, you're not in the right position for us to insure you if you're really lacking a lot of maturity."

Kevin McGowan:
But there's definitely a middle ground, which is different than other lines where we're trying to really partner together and bring a lot of resources and value to the table in addition to financial risk transfer and say, "We really recommend you implement X, Y, and Z from a controls perspective." And you're even now starting to see in the market, there are different levers you can pull, because again, we all know, broadly speaking, depending on your risk profile, it's going to affect the limit and the price that you get but there's even more specific targeted tweaks like, "If you implement multi-factor authentication for admin accounts, perhaps this sub-limit for a ransomware loss will go away." So you're seeing more things like that where particularly at Resilience, with the different teams we have in-house, we're trying to drive behavioral change.

Joseph Carson:
I have a question probably more for Michael. So when you get into the claims process, one of the things I'm really interested in, and this goes back to the experience I have in the maritime side. One of the things that they always wanted to do was find human fault because if they find a human at fault, then their processes and their liability favors the company. First is if they find it was, let's say, a maintenance issue that they didn't check the engine and that was an issue. Then that becomes changed as the liability. So one of the things I've started seeing when we hear about data breaches and security incidents in the cyberspace, I've started seeing the same trend. I've started seeing, looking for human fault, because if you find a human fault then it means that your compliance or your policies or your procedures, they weren't the cause of it.

Joseph Carson:
It was a human who clicked on the link. It was a human who abused their access. So are we seeing the same trend in cyber when it comes down to... And does that change the liability, whether it was a failure and the IT not deploying multi-factor authentication or a human clicking a link? Is there a difference between liability when you get into claim side?

Michael Phillips:
Sure. Well, that's a great question. And I think it's too early to tell. Most data breach litigation resolves at a settlement fairly early on in the pace of litigation. Typically, there's a dispute as to article three standing. It's, "Are you even really harmed?" Okay. Yeah, if there was a data breach, and your Social Security number may be out but have you been the victim of any identity theft? Is it just a fear that one day something bad might happen happen to you? How certain are you even that any of your personal data was truly lost?

Michael Phillips:
That's the first question of most data breach litigation, especially of course, on the personally identifiable information side. A lot of cases can be resolved right there. In many circuits, the judge comes to the decision that, "Well, no, you don't have a concrete harm under the article three. So this case is over." If the judge doesn't make that ruling, then the case is, of course, going to continue to more fact-based inquiries and discovery around what the harm looks like, who's been harmed and how much have they been harmed, what was the cause and where was the negligence or the the breach of contract actual duty.

Michael Phillips:
There, I think that your hypothesis makes a lot of sense. If you're a business and you're being sued for being the victim of a data breach or some other security event, you might like to say, "Look, we had all the people, processes and technology in place but still Jimmy in the mail room can't be stopped. He can't stop clicking that link. He's going to do it every time. What do you want me to do? Fire Jimmy? I can't do that." I think that hypothesis does make some sense. And I'm sure that there are some litigators who would say, "We're going to position this as a human error, an unfortunate..." And it is, oftentimes, truly. But I don't think I can say with confidence yet that the cases are really turning as a valuation perspective on that. One final thing, which is I get this a lot from the claims investigation side which is the coverage question.

Michael Phillips:
Am I going to pay this claim on the other side of it? Am I looking to find out that the IT leader didn't configure something properly or or they didn't deploy technology that might've come up during the underwriting process? And that's not how cyber claims work. The coverage is not designed to say, only a sophisticated cyber criminal-led data breach, deploying technologies that here to for were for the National Security Agency, that's the only scenario we're going to cover. No, the triggers are usually quite broader than that and encompass all forms of human error, whether it's IT, legal or a misplaced briefcase used to be the most popular cyber plan.

Joseph Carson:
You leave a laptop in a taxi at the airport.

Michael Phillips:
Exactly, that's right.

Joseph Carson:
Thanks Michael for your question from the awareness side, from the people perspective, how they, I guess, quantify that side.

Mike Gruen:
Yeah. I guess, getting into training and things like that. Get back to Jimmy in the mail room. If you don't have some security awareness training, doesn't that put you at greater risk, potentially? I don't know. I go back and forth on how effective security awareness training is because you can't be vigilant all the time, but certainly doing some things, I think it's more about training for reporting than it is training for not clicking the link. What do you do if you do do this thing? Not punish people. Don't fire Jimmy because he keeps clicking the link. Make sure that if he clicks the link, he tells somebody.

Joseph Carson:
Nothing happens.

Mike Gruen:
Exactly. Or even better, put systems in place to prevent where he just sees a webpage that says, "You clicked a really questionable link. Do you want to continue?" Those types of things. So, yeah. I'm just curious, where does training fit in? Is that one of those recommendations that you would make? What other recommendations, without getting into too much detail, would you say... What other advice would you have for companies to reduce their risks that you guys are looking at?

Kevin McGowan:
Sure. I can chime in from the underwriting side. You're absolutely right. And especially thinking about the lens of ransomware and the chain of how it happens and the kill chain and correlating that against controls, that first line of defense and often, unfortunately, the weakest link is the human error concept, which isn't just about, "Oh, I have this security tool, so I'm not worried about it." It doesn't work that way. So yes, as underwriters, myself, others at Resilience and others that other carriers are certainly asking about security awareness training. And that goes back to that qualitative conversation earlier of what's your culture around, in this case, security awareness, or more broadly risk management?

Kevin McGowan:
And we certainly ask questions around phishing testing in particular, because we're trying to tie it back to threat vectors. We know we're seeing lots of losses because Jimmy in the mail room clicked the link for the seventh time. So we're asking, "How often are you doing phishing testing?" Ideally, more often. And then, "Are you tracking click rates? What does that look like? Are they going down? Because yeah, do you have follow-up training, as you alluded to, if you do click it?" And really trying to get through to people. That is the big area around security awareness training, again, specifically the phishing testing and trying to just reduce the likelihood of that occurring.

Kevin McGowan:
And then from there you do start to transition back to the technical security side. Because then you start to think about, "Well, I can do so much but what if someone like Jimmy still does click?" So then you get into items like web content filtering and you start to think about, well, do you have multi-factor authentication in place for access to email or your Office 365 environment, or do people have admin credentials on their workstations, and trying to limit the damage that can be done if someone does click on the link.

Mike Gruen:
I feel remiss if I didn't at least, at Cybrary, we're a cyber security career development platform. We have a lot of training that's really geared toward... It's not security awareness training. It's geared towards the cyber security professional, trying to keep them up to date. Are those the types of programs you also were looking for within... And I'm not fishing. I'm just curious if that's something else that plays a role when you're talking to these organizations about their general culture towards security, having these programs and making those types of investments in their security team?

Michael Phillips:
Yeah. I'll take that one. And the answer is yes. So for traditional cyber insurers, and I'll differentiate us from traditional, we have done a poor job of pushing that education and of assessing the in-house security apparatus, if you will. Despite some efforts to promote, "Hey, this is a great resource. This is a great program. This is a great platform for you to develop and continue to mature your organization." Traditionally, there are a couple of touch points where we can influence the insured client to improve themselves. One is in the underwriting process when Kevin is talking to them and asking all these questions and saying, "Hey, have you thought about Cybrary? Have you thought about this tool? Have you thought about this training?"

Michael Phillips:
And for us at Resilience, we're trying to really invest also after that transaction has to happen. That's another time when we sit down and we say, "Hey, we've assessed you with all these different ways with our scans, our technology, our data modeling, and also through assessment of your security team. And we want to put in front of you then tools and educational materials that help them become better." But historically, cyber insurers have had a real tough time with that because we're always talking to the insurance people at an organization. So we're really interested in breaking down those silos, so that way, the CFO is buying a cyber insurance policy that is empowering the security team at the organization and not one that the security team doesn't know how it works, and then when the crisis happens, there's this moment of friction. We want that to be ironed out.

Mike Gruen:
That's actually interesting. One of the things that I struggle with as Head of Security here at Cybrary is trying to make some business cases for some of the things that we want to do. We're deploying DLP. It's hard for me in my seat to actually quantify what value I can put on something like data loss prevention. I can try and do my best, but I just don't have access to all of the data or all of the information. Would the opportunity for me to talk to you guys or a broker or somebody to help me to get our company to understand, "Okay, we can do this to help me build that business case with our CFO." It's not that our business is against it. It's just that you have to be able to quantify that risk and you have to be able to quantify it in a way that you then know how much to invest in it. Is that a partnership that you guys can see between the security team and the insurer?

Michael Phillips:
Yes. We have that problem too. Insurance has that problem too, because if you don't have a claim that year, then you say, "What was my return on investment?" We're always coming to bat to say, "Look, this is what could happen." And so for us at Resilience, when we partner with a client or a broker, we're trying to lay out as best we can from our data sets and our claims experience, "This is what it really could look like." So we try to present a series of peer events. "They didn't have DLP on this one. And really, dollar for dollar, this is exactly what happened." And this is a near competitor, a similar sector, similar peer, so that way, you can steer that conversation and be empowered to make the best case for that investment.

Joseph Carson:
It reminds me of a case because I did the pen test at a park station five years ago now. And it was always a one experience that can changed my perspective and my job and actually what I'm doing. And what it got down to was the CFO and CEO who really turned around... They changed the whole perspective because when we were doing security, it was all about fear and risk and putting it into, "If you don't do this, this is the bad things that could potentially happen." And there was not something that they really could quantify. And interestingly, the CFO said, "What is our cyber gap? What is the cost of our business not operating per day or per hour? And if we don't do this, what is the risk? What's the gap? What's the cost of that?" This is really what I'm curious for both Michael and Kevin is that, who you're speaking to in the board the most often? Who is the people that you're actually interacting with? Is that the CISO, the Head of Security?

Joseph Carson:
Because the ones that I find was it was the CFO and the risk officer. It was their safety officer. But really, they were the ones who made the decision. And when they looked at insurance, they said, they're willing to spend around 10% of that potential cost, maybe depending on if it was a million or 2 million, but it was even up to a hundred million that they were even exposed of a financial risk of a hundred million. They would even be interested in increasing that even 20% to offset the risk. So I'm just curious of your perspective of who you're speaking to in the organizations and how you're actually doing that, because it's all about risk. And it was about the cost of doing nothing and the cost of doing something and how much you're willing to spend to make sure that that cost of doing nothing doesn't happen.

Kevin McGowan:
Yeah. I'll speak to it from the underwriting side. And it's a great question. And it's actually something I feel really positive about because over the last few years, it's been one of the best changes I've seen in cyber insurance. Because if you go back five, six years even, cyber insurance, it was still a little bit newer and younger, even then uptake rate was lower. And to your point, back then it was still an insurance policy. And so it fell under the purview of risk management finance. So it was CFOs, treasurers, risk managers. And then folks like me might ask them some security questions. They might go try and find someone internally who they thought knew the answer and at the end of the day, there was a disconnect there because you weren't always speaking the same language. And one of the really interesting challenges as cyber insurance was newer and maybe the loss environment wasn't as severe.

Kevin McGowan:
There were certain IT and IS professionals who would get a little defensive and not like the idea of cyber insurance because they were saying, "Well, look, we have this great security operation. We have really good controls. We have the best firewalls, et cetera." And over time, I think the broader insurance community, with the help of insureds, was able to break down some of those barriers and hesitations. And now, as I said, I've been on underwriting meetings and calls weekly for a few years now with lots of different organizations of different sizes and industries. And very often, we are now talking to the CISOs, which is great because like you guys, they have that expertise even more than someone like me does, and they can answer the questions and they're buying into it from a risk management perspective. So the philosophy of managing risk and then how that correlates to insurance is there.

Kevin McGowan:
Certainly, the CFOs and the risk managers, legal departments, they're all still involved because they should be with insurance. But it's been a really great and positive and productive transition where CISOs in particular have gotten much more involved. It goes back to data. We're getting better data because before, if you ask a risk manager to fill out a questionnaire about cyber security, that's a tough ask. And then tying it back to underwriting and results, perhaps you're now relying on answers that aren't even correct. So that's been a big improvement, I would say.

Mike Gruen:
Yeah, I imagine, like that partnership... I look at it, it's a very positive thing. I I look at it as, I have a budget. I have to spend it in the right places. I need to assess my risk. And knowing where I need to invest is important and knowing where cyber insurance covers and what it doesn't cover and how I can reduce that cost of the cyber insurance or doing whatever, it all ties together and lets me know like, "Yes, this investment in DLP is the right investment, as opposed to maybe investing in some other security apparatus or whatever process or technology that may be, "Oh, I'd love to do that."" But there's only so much that I can do.

Mike Gruen:
I have a small team. I have a small budget. And so I think looking at it from that perspective of how does insurance augment my ability to spread my technology and my resources to be most effective, I think is the best way to look at it. And I'm glad that that's the shift that's happening.

Michael Phillips:
That's positive.

Mike Gruen:
Yep.

Michael Phillips:
Nothing brings friends together like a crisis. Unfortunately, the losses are more severe. Where one cyber security professionals and cyber insurance professionals might say, "What is this?" Or, "These guys are getting in my way or they're intervening in my plan and program." Now, we're all incentivized to really address what is a much more comprehensive problem than it was 5, 10 years ago where Kevin was really just focused on, "Are your payment cards secure? The target breach is right here. I need to know those payment cards are secure." But now it's operational. It's privacy. It's data protection. And it's the health of the enterprise. We all have an incentive to get this right.

Joseph Carson:
A question on that, how early in the process, let's say, a company does become a victim of a security incident? How early in the process do they get you involved? Because my experience is that it's a complete organization response. You've got the legal response, you've got instant responders, you've got third party assistants coming in, you've got digital forensics, you might have a PR communications handling media requests and journalists, you might have press statements ready. You might be basically working with law enforcement from those perspectives.

Joseph Carson:
Do you fit in the instant response area? And do you help coordinate any of that at all? Or is it something you've been mostly focusing on the claim itself? So how much involved are you in that instant response piece?

Michael Phillips:
Sure. For us, and from what I'd say is probably most leading markets, we want to meet our clients where they are but we're ready to help quarterback from the outset. At Resilience, we maintain an in-house response emergency hotline and a network of partners. I will say generally, for cybersecurity professionals who may be listening, a lot of cyber insurance policies are prescriptive about the service providers that are used, whether that's the law firm, the technical forensic firm, the communications firm, et cetera.

Michael Phillips:
My recommendation always is to notice your insurance relationships as soon as possible, even if you believe you've got it under control, even if you understand your policy to be more flexible, because you always want to preserve the maximum amount of rights. That's the insurance lawyer in me. But for us, it's extraordinarily important to be empowering the incident response from the get-go, be able to offer the benefit of our expertise. And I've worked on thousands of events, obviously, not with the cybersecurity expertise that a lot of my clients will have in-house but as a cross-section of that expertise with the lawyers as well. So being able to flag some tripwires.

Joseph Carson:
Because the quicker you respond, the less financial impact it has on you. And time in responding to this is so critical. I've got another question related. So this is something that I've really attained. A few years ago, I did an instant response. Are you starting to see even fraudulent claims at all in cyber area as well? There was an interesting case a few years ago. I, on occasion, I'm a certain expertise and I get called by certain governments and I say, "Well, I work in these forensics cases." And it was particular case, and this one led me to Ukraine. And it was at the height of ransomware cases. And doing a digital forensics, when we were looking at basically the case itself, it didn't follow the normal steps and evidence gathering that you would typically find in all the other cases that I'd dealt with.

Joseph Carson:
So we decided to look into a bit more detail. And we started uncovering things that just didn't feel that this was a typical case. Ultimately, it led to that the company themselves actually infected themselves a ransomware. And they were hiding a financial crime. And if they were able to get through the claims process, they were going to get money from the government as a victim of a ransomware case. It was a interesting case, and really changed my onset that nothing is always as it seems. And it really changed my perspective on ransomware cases. Are you starting to see cases like that where people might want to cover other crimes, and ransomware is the best thing, it destroys all evidence. It destroys everything. It's a very destructive piece of software. And it gives companies an opportunity to hide other types of crimes under the realm of ransomware. Are you starting to see any types of those cases or is that something that's...

Michael Phillips:
Well, Joe, Joseph don't inspire anybody to-

Mike Gruen:
That's my exit strategy, thanks for spoiling it.

Michael Phillips:
Boom. I'm out of here. I'm in Cayman Island. So as a general matter, cyber insurance has had a very low rate of insurance fraud, although we're always vigilant, especially claims lawyers like me. We can suss that stuff out. And part of that is by using these third-party vendors who are very experienced. CrowdStrike is going to find it and they're going to tell it. They're not beholden to the insured who's doing it all in-house and saying exclusively, "Hey, look, here's the only evidence I've got," and it points way away from where the fraud lies. I have seen a couple of instances, either in the ransomware context or in a social engineering where they were essentially, "Oh, I got phished. I wired a million dollars out this bank account." Sure enough, it was their own bank account. And that has happened on a rare occasion. And always, we've caught them all. But as a general matter, we're fortunate to have insureds who don't pursue that route.

Joseph Carson:
That's good. It's something that I've seen it in certain places being on the increase. But it's not so common. It's just something I think as we see this being effective increase that we just have to be having the right tools and right people that had that independence in place, that had the ability to do the digital forensics without influence of whoever they're doing it for.

Mike Gruen:
I think that's probably a great place to wrap things up. I know you have a hard stop. And I appreciate our guests coming on. Maybe, we can have you come back and talk some more because I think this is a topic that... yeah, I've got like five more questions...

Joseph Carson:
I'm really interested in the future side of things. I'm just guessing, what next? Definitely, we should do this as another episode as well, and get into a lot of the direction. One thing, as I've talked in the past about the P&L approach of cyber insurance, where it's the collective economy of sharing. And I'm just interested if that's something you're going down the path or seeing. Its where multiple companies come together and it's still no longer just an offset of risk, it actually becomes an investment. It's something that basically, multiple companies will invest into.

Joseph Carson:
And if you don't have a claims in a year or two, whatever it might be, you'll get reward payback from that P&L-type insurance pool. I've seen it in other types of industries where you get those no claims, and it's an investment. You get a profit back as a result of the money that's going in there. And you'll have enough pool as well in that collective investment to the companies that do become victims that there's enough to actually offset that risk. Is that something that we're seeing moving towards, the economy of sharing of insurance? I guess.

Michael Phillips:
Kevin, do you want to take it or do you want me to take a swing at it?

Kevin McGowan:
You can take a swing at it.

Michael Phillips:
All right. Well, so I don't think I've seen much move towards mutualisation on cyber insurance risk. That said, at Resilience, we have a security credit program where we basically do similar to what you've described. If they don't have a claim and they want to steer that savings into an additional cyber security investment, we want to support it too. So we put some of our spin of the game too.

Kevin McGowan:
Incentivization for the good behavior.

Joseph Carson:
Correct. That's the idea is that for doing the right things, you actually get incentivized for doing it. It becomes an easier business case and justification, and just what Mike was saying, is that, "Here's the money back, at the end of the year, to actually invest in new security solutions that will actually help you offset the risk and get a better insurance policy."

Mike Gruen:
I think it would be great to wrap it up. And I'd love to have you guys come back and talk some more.

Joseph Carson:
Absolutely. This has been interesting. For me, it's a really educative because it's something I've been involved in since 2008 when the whole maritime and shipping thing and it's been really interesting to see how the progress, because I've been involved in numerous conversations over the year. And it's great listening to that we've moved along. And I think the audience, if they're interested in getting an idea, I guess reach out to your websites and check in Resilience to see what cyber insurance possibilities they have. Basically, it's been pleasure having you on the show. For the audience stay safe, make sure you offset the risk. Make sure that whatever you do, that you do the right things. You do the basic hygiene, you offset your risk.

Joseph Carson:
And if you do become a victim that you can recover, you have people out there who you can connect with and get back to operational business as quick as possible, because the more resilient you are, the quicker you can get back to operations, the less financial impact you have to your organization, that sort of thing. Our goal is to make sure your businesses stay safe out there. So to having the guests on the show, Kevin, Michael. Awesome. Mike, it's great having a chat with you and I'm really looking forward to more. And for the audience, tune into 401 Access Denied every two weeks. And if you're listening to this episode and you haven't listened to previous ones, definitely go back and subscribe and listen to the episodes. Every two weeks, we'll have new conversations, new guests, and stay safe. And we look forward to speaking to, and you listen to the episode again. So thank you, all the best. Take care.