When it Comes to Cyber Insurance, Common Sense is Not So Common

Celia Seigerman-Levit is the VP Risk Mgt., Olive Tree Holdings. Prior to Olive Tree Holdings, Celia was the Director of Risk Management at Sotheby's, Yeshiva University, and at the Related Companies, and led the risk management consulting practice at Alliant Insurance Services, a large national insurance broker where her team provided outsourced risk management to a variety of industries including real estate, hospitality, manufacturing and non-profit organizations. Celia’s areas of expertise include traditional risk transfer, alternative risk finance, captives, as well as loss control and claims management. Celia is best known for helping organizations determine their risk appetite and then design a program utilizing risk management tools to help mitigate their exposure to losses.


This interview is an excerpt of a longer podcast that you can find at Riding the Wave: Project Management for Emergency Managers

Andrew Boyarsky

My guest today on the podcast is Celia Seigerman-Levit, who is the vice president of risk management at Olive Tree Holdings. Prior to Olive Tree, Celia worked at a range of different companies, and she’s a seasoned risk professional with experience across a range of industries with expertise in traditional risk transfer, alternative risk finance, captives, as well as loss control and claims management. She’s best known for helping organizations determine their risk appetite and then design a program utilizing risk management tools to help mitigate their exposure to losses.

Andrew Boyarsky

We are going to talk today about cybersecurity and cyber insurance. Specifically, cybersecurity is an ever-present risk and danger to companies, and I want to start off our conversation by citing a couple of statistics for our listening audience. According to the FBI, the number of reported cyber crimes is up 400% since the start of the pandemic. According to the H1 2020 Cyber Insurance Claims Report from cyber insurance and security firm Coalition, there is an increase in the volume and severity of cyberattacks since the beginning of the pandemic, with payment demands increasing by 100%.

So with that in mind, it should be clear why cyber insurance is so important for companies, but I would like to begin by asking you what the potential damages are that companies face from a cyber breach, especially if they’re not covered through cyber insurance?

Celia Seigerman-Levit

The number of risks that they face are too many. But the top are, one, reputational risk by a lot of their information being out there and not being able to control or fix or offer a remedy if third party information is shared. The second is financial loss; the cost of repairing that and fixing that is really quite high. And third, by not having insurance, you don’t have any ability to transfer a portion of that risk to third parties who will not only make you whole, indemnifying you based on the coverage, but will also provide you with value-added resources that most people don’t associate with insurance.

I would say that cyber insurance and cyber insurers are unique in that they are truly a partner when it comes to reducing risk and handling risk and reacting to risk. They don’t hold it against you when you bring them into a claim or into a situation. In fact, they encourage it.

Andrew Boyarsky

Is this type of insurance product for all sizes of companies, perhaps just not for large corporations? And are there types of companies that absolutely need to have cyber insurance?

Celia Seigerman-Levit

I think every company, every business needs to have cyber insurance, and cyber insurance relative to the amount of damage that you could sustain. The premiums are relatively low. Banking or anything with finance, anything where you have third party information, any situation where you are using an outside firm who has the ability to interface with your systems, anything in the situation if you’re like outsourcing your IT, and they have that ability to access your computer. That suddenly gives you a whole different level of exposure that you might not even think of. I can’t think of any business whatsoever that should not carry cyber insurance.

Andrew Boyarsky

Now, just as a point of reference for individuals who may have existing insurance policies, CGL, commercial general liability insurance, that does not cover cyber as well? Or is that incorporated?

Celia Seigerman-Levit

It doesn’t cover it at all. It absolutely excludes cyber. So, the cyber liability insurance, I want to say, probably came into the everyday insurance vernacular shortly after we went from the ’90s to the 2000s when you had the Y2K exclusion because there was that big fear that when we went to this new year of 2000 that all sorts of computer glitches and things were gonna happen. And so you started seeing on every insurance policy, even those that really didn’t have an impact, it was going to be a Y2K exclusion. And there are a lot of jokes about why that exclusion was called the Y2K exclusion, but that’s a whole other conversation.

So that gave rise, probably to the everyday usage of cyber insurance and the need for it, and as we became more and more dependent on technology; like with email being an everyday tool, the portability of email, and, I mean I’m really dating myself, but going back to Blackberries, which was revolutionary. All of that really increased everyone’s exposure without everyone understanding the increase in exposure.

Andrew Boyarsky

What are the gaps that you see in cyber exposures or policy coverages? So, for example, third party risk?

Celia Seigerman-Levit

I always say to people, whether I work for them, whether I’m advising them, or whether I’m having a glass of wine with them: not everything is cured by insurance. Insurance is just one tool in the risk management toolbox. There are gaps. The first gap is that you would always have a policy that has some sort of deductible, so you’re gonna have to retain some of that risk. The second thing is that your biggest way to fill those gaps, and this is not always possible, and it all depends on how much money you are spending with the third party, is that very often contracts will limit their liability on certain exposures, including cyber, to a multiple or a fraction of what you’re paying. So they limit their liability across liabilities, versus three years or annual fee. If you’re paying a consultant $5,000 a year, and it’s three years’ annual fee, they’re limiting their liability to $15,000. I mean, that doesn’t get you all that far.

So that’s probably one of the biggest gaps. And the other gap, of course, is what you have to pay yourself. And the third thing is that you have to be able to understand that your best defense is a good offense. You have to really look at your practices and what you yourselves can do to mitigate risk. Believe it or not, it’s often common sense. My favorite saying is “common sense, not so common”. Things that you could do on an everyday basis so that everyone in your organization is always thinking and mindful about what they do. The biggest insurance claims, or the most frequent claims, deal with hacked emails and wire transfers that are a result of a hacked email where wire transfer instructions are changed and money gets diverted to the wrong party due to a deliberate hack. Those are probably the most common.

Andrew Boyarsky

You mentioned some of the additional benefits of securing cyber insurance. I think, certainly looking at vulnerabilities is one of them. How can cyber insurance enhance the value of a company?

Celia Seigerman-Levit

So when you become a partner with a cyber insurer, you get a whole bunch of value-added skills and expertise either into your policy or maybe for a small additional amount, but less than you would have to pay if you were buying it on your own retail. First of all, the ability for someone to come in and do a stress test on your system and see where your vulnerabilities are. Secondly, for someone to look at your best practices and maybe help you create processes and protocols that will help mitigate your risk. Three, investigation and this is really, really key.

When there is a cyber breach, there has to be an investigation, and one of the best things that you could do is get the top investigative firms like Kroll or CrowdStrike at a wholesale rate because they do this for the insurance companies. And while you have to pay them, you’re able to get those skills at a discounted rate. And that’s a really, really big part of it because that investigation impacts the coverage and whether or not there’s a claim, and helps you determine vulnerabilities for other times. And also, it gives you a nice idea of where vulnerabilities that you didn’t know about exist. It’s a constantly evolving exposure; it doesn’t stay the same because there are nefarious players out there and people who don’t think like the rest of us, and things that you never thought were possible suddenly happen and become possible.

Andrew Boyarsky

Has there been a specific example where you’ve looked at an exposure, a cyber hack, and you said, “Well, this is really where the due diligence and cyber insurance really would have remedied this.”? In other words, that ounce of prevention would have been worth the pound of cure.

Celia Seigerman-Levit

I’ve been fortunate that in every organization where I’ve been a risk manager that if they didn’t already have cyber insurance, it was one of the first things I put in place. That’s number one. I’ve had situations where there have been cyber breaches or situations where for some reason, that doesn’t quite make sense. General counsel or, in some cases you have organizations that have departments that do nothing but cybersecurity, have not been transparent, have decided not to share that with their insurer and where it’s really bit them in the (behind), is that ultimately it gets brought up, and they (senior managers) ask (cybersecurity staff) “why didn’t you tell us?”

And then we have situations where people had a cyber situation, and they don’t recognize it. So my favorite is the fruit fly incident. We had a situation where in a particular office they literally had fruit flies because they kept apples on their desk and they got a letter from a law enforcement agency saying that, “We’re aware of this fruit fly situation and you need to contact us.” But they thought it was a joke. They didn’t take it seriously until the FBI stormed their offices and said, we have tracked down this situation to an IP address having to do with one of your computers.

Now, had they taken the first warning seriously, it would have been a whole different ball game. But suddenly, not only did they have to deal with law enforcement, but then they had to go back to their insurer and say, “We have this incident and didn’t pay attention to it.” And fortunately, their insurer was somewhat benevolent to them and said, “Let us step in now and help.” That’s not always going to be the case.

Andrew Boyarsky

Interesting. How can companies prepare for obtaining cyber insurance if they haven’t obtained it before?

Celia Seigerman-Levit

Well, if you don’t already have it, you should contact your broker and ask them to provide you with a quote, which requires that you fill out an application. I would say all the large brokers, Marsh, Aon, Willis, Lockton, they all have areas and practice expertise of a cyber practice that’s going to be able to help. If you’re dealing with a smaller local broker, you can ask them as well, but then you wanna ask them how they’re going to access the market, and if they tell you that they’re going to a specialty market, that’s great. I would encourage you to be on the phone with the person who is actually going to be placing the insurance.

The other thing I would encourage you to do is to understand from your own providers, whether it’s in house or a third party, what they bring to the table. It should be a very collaborative effort in how you go about responding to this. The second thing is, I would say, either through your insurer or separately, to engage in tabletop exercises and training, especially having to do with recognizing email hacks, because phishing is the largest source of claims across businesses. The other thing that you really want to make sure that you have coverage for is if you have third party information. Whether you’re taking credit card information, or if you’re in the healthcare industry, HIPAA information, or if you’re in education, FERPA, is that understanding that your coverage should include the ability to do the necessary tracking of information for a period of time afterwards. The credit checking, like when you think about the breaches that Target and other large retailers had, they had to provide credit checking for anyone whose information was compromised for a number of years.

And I also believe that being transparent and owning up to something, if it involves your customers is to say, “This is what happened. This is what we’re doing.” And, if necessary, if it’s a really big deal, making sure you have the right crisis management team in place to help foster those communications in an effective way.
