Cyber Insurance: "The Scope of the Threat"
Featuring Mindy Bero
One of our client advisors, Mindy Bero, based in our Burlington office, joins us for Cyber Security Awareness Month to talk all things cyber insurance. Cyber security and the tech industry have a direct effect on your exposure and how you do business, whether you are a retailer, manufacturer, or even a construction company. This is a highly relevant and ever-evolving subject, and Mindy is here to break it down for us!
Intro – Ryan (Host): Welcome to Got You Covered presented by Hickok and Boardman Insurance Group – the podcast where we unpack the countless ways in which insurance affects our lives, and so you can properly manage your unique risk.
Ryan: Hey, everyone, welcome to another episode of Got You Covered presented by Hickok and Boardman Insurance Group. I am your host, Ryan Lee, a client advisor with the firm. And today we are talking about one of my favorite topics, always changing, always interesting: Cyber insurance. You’ve probably seen a lot of things in the news about recent pipeline attacks or if you’re from, or you live in the Vermont or northern New York area, you’ve seen other major organizations with large cyber-attacks on their systems, and it’s, it’s mayhem, frankly. There’s a lot of craziness that comes around cyber-attacks and cyber security. And there are sophisticated insurance programs around that. And so today to talk a little bit more about that I’m bringing in my colleague, and personally, my opinion, is an expert on cyber insurance. Mindy Bero. Mindy, client advisor from Hickok and Boardman, welcome to the podcast.
Mindy: Thank you. I’m happy to be here with you today!
Ryan: Yeah, so well, Mindy, first and foremost, I mean, big question: Why does anybody need to think about cyber insurance today? I mean, I get the I get the question all the time. Why do I even need this stuff?
Mindy: Right, no – and it’s a good question. And it is a question I used to get a lot more frequently, two, three-plus years ago, but I think in the last year, especially, I’ve actually had a lot of these clients saying, “I think I need this,” “What do you think?” “Tell me more,” “Tell me about how this could affect me.” Because as you mentioned, it’s mayhem. And it’s in the news every day both on a national and local level.
So, I love this coverage, you know, my insurance nerd alert. But yeah, it started to sort of come into play right around the time I started my career. So as it was emerging, I feel like I was able to jump on that train right away and kind of learn with it. And it’s ever changing and ever evolving just as the threats out in the marketplace are, which keeps it unique and interesting and sort of fun from the insurance standpoint but certainly not fun when you are a business owner being affected by it. And so yeah, I mean really the age old statement of “it’s not a question of ‘if’ but ‘when’” comes into play for all businesses large and small. And I think a lot of people have the misconception that if they’re a small business, they don’t need to worry about it. But, in fact, as a small business, generally speaking, your I.T. capabilities are lesser than that of a large company and therefore you’re actually a larger target. And these guys are just operating on volume and the possibility of making some cash. So, small businesses really should, should really pay close attention and evaluate this coverage.
Ryan: Yeah, one of my favorite stories that I heard – a crazy situation – one of our partners, our carrier partners shared a story one time about how there’s a large hotel – and I believe it might have been Boston, but I’m not sure particularly where – had a ransomware attack. So, the classic you know, clicked-on-the-link, some employee clicked on the link, opened it up to their systems hotel-wide, and the hacker was able to hold all of their key cards for all the rooms ransom, so to speak. Ransomware right. So, they couldn’t open the rooms until the problem was resolved. And you know, luckily they had cyber liability insurance which resolved it but crazy stuff.
So here’s my question. How is cyber insurance structured? How does this whole thing work?
Mindy: Yeah, yeah. It’s, it’s a very dynamic coverage and different than most other lines of insurance, and it’s different in a couple ways: One, because it’s a newer coverage, it’s kind of the wild, wild west of coverages. So, you know, when it comes to property or liability, they’re very standard coverage forms. And that’s not the case in cyber. So, you definitely want to work with somebody that really understands the marketplace and who the players are and what the coverages are and how they function.
The other difference is this coverage contains both first- and third-party coverage. So, you know, and again, back to like your typical insurance, business insurance, you know, property is more of your first party coverages protecting you for losses you sustain. Whereas, your liability gives you coverage to a third party for bodily injury or property damage to somebody else. This form gives you all of that under one roof, basically. And as we’ve talked about in the past, there are kind of like two silos of coverage.
So, in the beginning, it was all about the third party coverage, you know, the infamous Target breach, and all of the private information that got out and you know, in the mid-2010 and on, you know, the Blue Cross Blue Shield breach. There are countless – where you would get a letter in the mail and your information was compromised. And it was all about that P.I.I., that Personal Identifiable Information.
The black market and your social security was worth X number of dollars, and your name and address. So, you know, I think we smartened up pretty quickly. The credit cards changed the way they did business with vendors, they all started requiring the chips. That was a big game changer. Also, in the early 2000s, companies used to collect all this data that they didn’t really need, but there was a value to that data, both in and on the dark web and the regular business world.
Now, I think companies have started to say, “We don’t need it. We don’t want it,” because it makes you more vulnerable and more liable than you need to be. So that has decreased. So as that liability piece has shrunk a little bit, these first-party coverages have really come into play. And that’s where we started seeing losses impacting the business. You know, the cyber extortion, like you just mentioned, and that’s been in the news a lot lately with the pipeline and the beef distributor or manufacturer.
Social engineering, or fraudulent instruction is a big one, where companies are sort of duped into transferring money and/or information. But at the end of the day, with these silos, typically you never have one thing without the other. And that’s what makes the coverages so great. They all end up coming into play in some shape or form. And that’s where understanding your policy and how it will come in to work with you is really important.
Ryan: Nice, yeah. So, let’s take an example here. Let’s say, I am a, I’m an owner of a beef manufacturing, processing facility, and not quite sure what my systems would be that would get locked up, but let’s just say it happens. My systems are locked up. I’ve got cyber insurance. How is it going to work for me? What’s like I’ve, I’ve made the decision, I’m going to file a claim. My systems are locked up. How does it actually work?
Mindy: Yeah, um, you know, the, the pot options or possibilities, if you will, are endless. But let’s take a look at that and just say… Okay, you know, actually manufacturing is a huge target right now, for these bad actors. Healthcare, municipalities, manufacturing, two of the most, or three I should say, of the most highly targeted segments.
Ryan: Yeah, big time.
Mindy: Retail used to be really big, kind of more on the information spectrum, not so much anymore. So, you’re a manufacturing facility. You, you’re, you know, a very automated facility and that’s, that can be what happens: So, somehow they get into your systems and they shut you down and you are trying to figure your, your way out of it. So, you reach out to your agent and, or your insurance company. They deploy a full breach response team that immediately, they have a team of forensics – Forensic IT analysts – who come in, and will figure out exactly where the threat is, where did it come from, how deep in your system is it, what do they know, and kind of how bad are things?
So as I think we’ve seen in the news a little bit lately, is oftentimes, you know, then there’s a ransom. So, the carriers will pay that ransom, assuming you have a limit to pay it. But – and they have the capabilities, the knowledge to kind of know, okay, who’s asking for this? Are they? You know, are they good, bad guys? Or bad, bad guys?
Ryan: Are they the guys that are like, actually gonna honor their word and, okay, “You paid us, here’s your system back,” or they just, you know, some college kid or something that’s like, “Oh, sweet, I’m gonna take this money and bail,” and “No, I’m not unlocking it.”
Mindy: Right, disgruntled employee, who knows, you know. Yeah, um,
Ryan: But they can figure that out?
Mindy: They can figure that out. They know where it’s coming from. They, they’ve seen enough of this, and if they find out, “Okay, this is a reputable,” you know, “Villain here,” then they will make a call. They’ll negotiate on your behalf and are generally very successful in greatly reducing the initial ask.
It’s crazy. I mean, these operations that are conducting these, you know, these breaches, literally have customer service reps that, you know, answer, like an 800 number that are more than happy to coach you through the Bitcoin, or crypto currency process and how to make that transfer to them. And, and negotiate that fee.
Ryan: That’s crazy.
Mindy: Yes, it is. But in some cases, they find, okay, you know, we might pay these guys, and we don’t feel great about them, kind of, giving them, giving us the key to unlock this issue. So, if that happens, they will choose not to pay the ransom. And then, we sort of go into a whole other well of coverages within the policy.
So part of that breach response team and effort is computer restoration and rebuilding your systems. You know, whether they’re restoring or replacing the operating systems, the hardware. So, all of the time and money that, kind of, goes into that is a coverable expense. From there, they can also determine, “Okay, what sort of information did they have access to?” You know, “Beyond just the fact that you were shut down?” “Is there any sort of privacy breach there?” And if there appears to have been one, there are then a whole host of regulations and obligations you have to fulfill in terms of notifying state regulators, you know, that you may have had a breach. And, what do you have to do to now comply with that possibility?
So that would involve, you know, notifying those who have their information compromised. Could be something like, you know, two years of credit monitoring. And so even just the expense of mailing out that notification could be extensive. So- and the thing about that is, there’s no federal… National, federally mandated rule. Every state has a different set of rules to follow. So, in some cases, you need to make sure that notification is out within 45 days. Other cases it’s longer or shorter, you know. The EU and Europe, theirs is really strict. So, for any companies doing business over there, or if you have customers or you know, personal information of European citizens, that’s a whole different host of rules to abide by. So you know, the money alone for that – so that obviously involves, you know, bringing in legal.
Then along with that, they’ll bring in a PR and crisis management team, because if it’s a large breach, the news, they get ahold of it, your customers get ahold of it. So, you really need to be smart in your messaging. And there’s whole teams that are there to, you know, make sure that that is all being handled in a way, because your brand, your goodwill, is very valuable. And if you lose the trust of the people with whom you do business, what do you have left? So, that crisis management and public relations piece is very important.
Ryan: That’s incredible.
Mindy: Yeah. And then really above all else, you know, in this case of a manufacturing facility: Business income. If you are shut down, and in this case, for example, they decide to rebuild your systems, how long is that going to take? You know, what is your daily production and or sales revenue, that isn’t happening? Because you’re shut down. And so that is also a piece of the coverage. And really, of this first-party coverage, is generally the biggest chunk, and your biggest exposure as a business owner. So, you sort of think about “All right, if we were shut down, what would that look like for us? How bad could it be?” You know, you’re an online retailer, your sales are $100,000 a day, that adds up pretty quickly. Yeah, that’s a pretty key coverage in all of this.
Ryan: Wow. This is, this is why I brought you in, because I love listening to you explain that, because it’s just such a – It is, it’s a crazy coverage. And it’s not like your run of the mill property or liability that people have been insuring themselves with, for, you know, many, many years. It’s, it’s a very new and sophisticated and ever evolving type of insurance. And speaking of ever evolving, the criminals, so to speak, are constantly evolving, right. And coming with new sophisticated ways to target their, quote-unquote, victims. What are some of the newer cyber coverages that are kind of fun and interesting?
Mindy: Yeah, this is what I love about this coverage. Because I think, you know, the carriers are unique, but they are really quick to react to seeing, or just covering what they’re seeing in the marketplace. So, for example, you know, every year when I review a renewal, there’s always some sort of new endorsement on there that I’m like, “What is this?” And it’s fascinating. So a couple that have kind of turned up in the last year to are: Something known as “bricking coverage,” which gives a sub-limit on actually restoring like the physical hardware. Sometimes, a breach can be so bad, that it deems your, you know, hardware inoperable. Then, you have to replace everything. So, that wasn’t something that was typically covered. You know, your systems were covered, but not getting actual new hardware. And we’ve seen that come into play on some local issues.
The other one is “crypto jacking,” which is an interesting one, but in this world of cryptocurrency – and it’s quite a complex topic in terms of how these crypto currencies, Bitcoin, for example, but there’s many others – how they are mined. It uses a ton of server energy. And essentially, it’s like a race, you know, when, when one connection is trying to find another connection to make a Bitcoin transaction happen, all these hackers out there, or computer gurus are on this system, and they want to be the first one to make this happen. Because it’s become a very profitable game, the more server bandwidth you have, the more likely you are to do it, but it takes a lot of power and energy and cost. So, what some bigger companies or utilities started to find is, all of a sudden, their, like, power bills would be up like 40%. And they were like, “What is going on?” And lo-and-behold, they had these currency traders hacking into their servers to use that bandwidth to make these connections. And it uses a tremendous amount of, like I said, power, energy and –
Ryan: Oh my gosh.
Mindy: – it’s just fascinating.
Ryan: That’s crazy.
Mindy: So that was like a new thing. Like, you know, everybody’s like, “Who would have thought?” Right? Until it starts happening. So, the question is, you know, what, what’s going to be out there in the next year or two?
Ryan: That is crazy.
Mindy: I only imagine what these… I mean these guys they’re, they’re clever. They’re clever and it’s a, it’s an endless game of cat and mouse I think. So…
Ryan: Yeah. And you’re not kidding about the energy on those cryptocurrency mining, like operations you know. I mean I toured, years ago, I toured a cryptocurrency facility and it was in the middle of winter, they didn’t have to turn the heat on. And, in fact, they still had fans on to try and keep the machines cooled down enough. Crazy. Just rows and rows of computers, you know, it’s just it’s crazy. So-
Mindy: 100% I know just recently, it was announced that Tesla was no longer going to take Bitcoin payments because the amount, you know, they’re – what – I would assume, I’m not a Tesla expert, but part of their mission, right is energy efficiency. And on the flip side, a currency that they were encouraging to purchase their product is one of the biggest offenders of environmental issues. And I saw a new story where they kind of dial back to a server that they were visiting and, I forget exactly how big this server room was, but it wasn’t huge. Maybe 8000 square feet, something like that. It used as much energy as 600 homes.
Ryan: Crazy, crazy.
Mindy: It was like a one – it was one small building.
Ryan: Wow, yeah.
Mindy: And these things are popping up all over the place. So it’s kind of like you know, a hidden environmental disaster so, who knows? I’m sure there’s gonna be some interesting business model formed around that predicament, road… but.
Ryan: Well, Mindy, this has been awesome chatting with you. Thank you for sharing your knowledge with the listeners of the podcast. Any parting words for, for the listeners?
Mindy: Think my thought is just you know, any coverage is better than no coverage. So, you know, get something, but I think a lot of carriers have sort of thrown in little supplements and you’re sort of thinking I’ve got coverage, I’m good. But really exploring a true cyber policy with a full array of coverages. They’re not that much more expensive than what you’re paying for it at least or not right now. There is a lot of volatility in the market, so we’ll see where that goes. But get in early and you’ll be better off in the long run for sure.
Ryan: Nice. Thank you again. Everybody, this has been another episode of Got You Covered, presented by Hickok and Boardman Insurance Group. Thanks again for listening. We’ll see you next time.