Webinar

15-Minute Tech Talk:

Mistakes You’re Making on Cyber Insurance Questionnaires

As cyberattacks grow in sophistication, insurance companies are drafting newer policies that impose greater burdens and conditions upon corporate policyholders.

Watch our recorded webinar below. IT Radix will be joined on this webinar by a well-known cyber insurance expert and valued client, Javier Gonzalez of Axis Insurance Services LLC, as we walk through how to help our client, "Sitting Duck Partners," as they navigate the world of obtaining cyber insurance protection.

Complete transcript below:

So, it's 12:10. We usually like to get started right on time. Thank you for joining us. If you have any questions throughout the session, you can ask through the chat or you can ask it interactively. If you just want to give us a little ping, we will unmute you on Zoom so you can ask your question interactively. I'm happy to welcome a few folks with us today. We have myself, I'm Cathy Coloff from IT Radix. I have Ken who is going to be impersonating Justin Case with us today, as well as Dan Parzanese, who is our Master of Ceremonies or Wizard of Oz behind the curtain keeping things running smoothly, and we have a special guest, Javier Gonzalez, who is pinch hitting for Mike Smith, as a result of some Covid complications. We're happy to have Javier joining us today. So, with no further ado, I would like to introduce our client, Justin Case, from Sitting Duck Partners LLC. So, Justin... nice to hear from you!

Cyber Insurance is Essential to Your Business

Things are quacking here at Sitting Duck Partners. Cathy, as you know, we just got a Renewal Questionnaire from our cyber insurance carrier, and you've got a lot of security things in place with us. I know we have MFA and everything, so I sent you a questionnaire. I pretty much filled it out because I kind of know what's going on, but maybe you could double check.

Okay, what you can see here is sort of a typical email that we might get from one of our clients, and in this case, it came from Justin. You can see that he tried to take a stab at it, and he sent us just that little, teeny snippet at the bottom there, and that's it.

For us at IT Radix, we are like, okay, well, where's the rest of it? We want to make sure that he's got the IT pieces of it right. The way we knew that is we can see the number of questions. There are 27 questions, but we're only getting five of them. Or sometimes we'll end up with something like this, where Justin said, "I know we have MFA," and he went ahead and answered things to the best of his ability. You can see that he checked yes to everything, but he didn't necessarily check with us. So, if you look at it, it says at the bottom there to make sure that you check with the signer, and the signer is checking with whoever is in charge of IT Security at your organization. Now, IT Radix and your broker, we are advisors. We can give you advice, we can give you tools, and we can talk to you about the risks of what's going on from an IT security standpoint, but ultimately, we're not the ones in charge of the IT Security at your organization or making those decisions about what you will and will not do. At the same time, we want to make sure that when you're filling out these attestations, you're filling them out correctly with what you actually do have in place.

Don’t Go Solo… Seek Advice from a Cyber Insurance Specialist

So, our advice to you is… don't go solo, that's going to put you at risk, but we don't want you just to take our word for it. We are going to introduce Javier who I mentioned is actually pinch hitting for Mike Smith from Axis Insurance Services as well as PL Risk today. Both of them have been involved in the insurance industry for many years. Some of these are actually Mike's credentials but Javier's been with them for about 20 years, so he is well positioned to answer some of the questions that we have for him today. So, Javier I'm going to stop sharing my screen. Dan, if you want to go ahead and put the spotlight on Javier. I will go ahead and start asking him some of the questions that we get a lot from our clients. So, the first one we have is…

Question #1: What are some of the top mistakes that you see clients make when they're applying or renewing for cyber insurance?

All right, thanks, everybody. I think some of the mistakes we see are just an all-around carelessness or a lack of attention to detail as it relates to what the actual question is asking for. For instance, as soon as somebody sees the word MFA in a question, they just assume and check yes, but there are so many levels of MFA these days, and some of the questions are kind of quirky and they're quick. So, one of the questions may be: do you have MFA for email and/or remote access? They'll just see MFA and email and check yes, but they're not paying attention to the fact that it also asks if you have MFA in place for remote access. If you don't have it for both, then you have to answer no to the question, and it's not a qualifier if you only have one, right? So, it's a lack of attention to the details of the questions and a lack of just stopping to ask, all right, what do we really have in place? And then obviously seeking some input from you as well. Most, if not every, organization these days should be in a position to have somebody who's in charge of their network security processes, procedures, etc., and somebody should be designated as responsible for those questions and for finding out from the right resource, whether it's you or otherwise, what they actually have in place so that these questions are answered correctly.

Question #2: What is driving the increased security measures that are being required to obtain cyber insurance coverage?

We've been writing cyber for probably about a decade now, way before it was cool, and a lot of the claims that we saw in the past you only saw relative to large breaches like Target and Home Depot, and credit card information was very much the highest concern. Then you had breaches at other large organizations, but you weren't really hearing too much about the small and middle market being impacted so much by these bad actors. There was a lot of insurance written for a lot of zero-to-a-billion-dollar revenue companies, and it was done with very little information. They would ask four questions: what do you do for a living, where are you located, what is your revenue, and things of that nature. So, there wasn't much information taken into consideration, and back then the exposure for the carriers wasn't very high. Your average ransom was barely $10,000, and that was done strategically back then by these bad actors. They wanted to stay under the radar of the Feds and things of that nature. But now you have carriers that are paying out tens of thousands, if not hundreds of thousands, if not millions of dollars on many claims, like tens of thousands of claims, and they're no longer in a position to tolerate organizations not implementing basic network security procedures and postures that would prevent these breaches from happening in the first place. So, they'd rather not write your account than have you elect not to spend ten thousand dollars to update your network security posture, for the sake of them having to pay three or four hundred thousand dollars in cyber loss. They're just not tolerating that anymore, and if you want to be insurable, you've got to be in a position to have these basic network security postures in place in order to help prevent these occurrences.

These occurrences are still going to happen, but they're happening at a heck of a lot lower percentage on average for an insured who has properly set themselves up from a network security profile versus somebody who's still trying to kick that can down the road because they don't want to come up with what it's actually going to take, both from a human element and a capital element, to be in a position to protect themselves, so to speak.

So, I think you were mentioning that if they put some of the tools and some of the measures in place, there are some advantages to them for doing that. Could you talk a little bit about that?

Yes. With these tens of thousands of claims, we now have a lot of data, and the data is compiled from the insurance companies and these breach response vendors to say, okay, what security was in place that helped make this breach not as bad as it could have been? Or, what vendor was used for EDR or MFA that still allowed this breach to occur? So, they're now taking statistics on the vendors that are available relative to EDR and MFA, who your backup providers are, what types of backups you have, are they segregated from your network, and how often are they backed up? And so, even with things like proper backups that are installed correctly, work correctly and have been tested, you can now go back, maybe you only lose a day or two days' worth of data, and you don't have to be in a position to pay a ransom. So now that eight-hundred-thousand-dollar average ransom demand is not paid, and you're incurring tens of thousands of dollars in loss versus hundreds of thousands, if not millions, by properly being in a better position to respond to an event.

Question #3: What are the risks when the people who fill these forms out are just trying to cross it off their "to do" list and sometimes fill them out incorrectly? What can happen?

So, it's twofold. One is that the application becomes part of a contract, and you're making material representations that are part of that contract. These carriers are agreeing to insure your risk, or your organization, based on representations you've made about your network security procedures and things of that nature. So, we now have carriers, and you can look this up—it's public information—we now have insurance companies that have denied claims. When a breach comes in, they'll review it. There's all kinds of forensics done in these breaches. If you haven't been part of a breach yet, hopefully you don't have to be, but there's an immense amount of detail that comes into play from a data forensics investigation standpoint, and they can now see that you didn't really have MFA deployed at all these endpoints like you said you did. They can go back and say, in this application and the applicable supplemental applications, the ransomware supplements, you stated clearly here that you had these controls in place when in fact you did not. That's a material misrepresentation, and these insurance companies can deny the claim based on the material misrepresentation and pretty much put you in a position where they're going to cancel your policy from inception because of it. So, if we're not careful, you can put yourself in a position where you've paid the premium, but the carrier can still find a way to not pay the claim based on those material representations. The other side of this is, if you're careless in completing the application, you can be putting yourself in a position where you're not clearly explaining the controls you do have in place, and you're making yourself not applicable: you don't qualify for some of the best terms and conditions that are out there.

If you state you don't have MFA for remote desktop access, but you actually do, you can find yourself automatically declined to be quoted by several carriers who have some of the best terms and conditions out there from a premium perspective and a deductible perspective, who are willing to give you more limits for less. They'll just flat out deny your application because of the carelessness in completing the application and making yourself look worse than you really are. Which is, again, why you have to look at the details. If you're in a position to paint yourself in the best picture, so to speak, you want to do so to put yourself in a position to qualify for the best options that are out there. So, it's twofold: 1) you don't want claims denied based on material misrepresentation, and 2) you want to prove to these carriers that you do actually have some of these controls in place, and so we have to represent that correctly.

Question #4: What do you do when questions are blended together? Should you attach supplemental information?

Okay, thank you. So, that actually brings up another question. When I was filling out the Cyber Insurance form for IT Radix, since I am a technologist, I did understand the implications of some of the questions, where it said do you have MFA in place or is your backup immutable, things like that. And because they often blend two questions together, where you want to put two different answers, I was encouraged to go ahead and check yes or no but write a separate addendum and speak with you folks, because you are our broker. So, I think the point is, can you talk a little bit about that? Because it looks very black and white when you get those applications, but it's not.

You definitely want to attach additional supplemental information as best you can to explain why you may have stated no to a question which, on the surface, is scary and makes you no longer qualify, but there's a reason for it because you have another means of protection in lieu of that particular type of system control, etc. So, yes, as much as you can, add more information. These applications are very black and white; they don't fit every profile of every organization or every security posture that's out there from a network security perspective. So, absolutely, the more information you can provide the better. We're really in a position where you have to be ready to roll your sleeves up in order to complete these applications, provide the accurate information to these carriers, and identify where you may have some deficiencies, but explain that it's not as bad as it appears on the surface and here's why.

Okay, thank you.

Question #5: At what price point does insurance cease to be feasible?

I mean, that depends on the organization. It depends on how much of your organization you're willing to put at risk. These claims are easily in the hundreds of thousands almost every single time. So, you have to be in a position that you as an organization could potentially deal with a hundred-thousand-dollar loss, or five hundred thousand. It's not like taking a chance on your building that has an insurable value of X. You know it takes four hundred thousand dollars to rebuild a ten-thousand-square-foot building; you know the cost of construction, you know all of those elements. With cyber, you don't know the cost of what it's going to take to investigate the situation. You don't know what they're going to ask for if ransom is involved, either, and you don't know how long you're going to be down for. So, what's often missed here is the business interruption element. If you are down because of a hack, and you can even be down because of a hack of an electronic service provider as well, your loss of income equates to what? I had a conversation with a large group; they have a significant increase in sales around the holidays. If they're just taking their average income throughout the 12-month period, it doesn't portray what their max out-of-pocket would be for the month of December, taking into consideration the holidays. So, you have to look at it from a bunch of different angles and identify how much of your organization you're willing to put at risk for the sake of a policy that's still in the zero to ten, fifteen, twenty-thousand-dollar range, if I had to guess. But that's the scary part: you don't know what the total out-of-pocket cost could be to your organization, and you may not have the balance sheet prepared to take on that risk.

Question #6: What is EDR?

EDR stands for Endpoint Detection and Response. Basically, that is a technology solution that we can put in place, typically on the end users' machines as well as on your servers or other endpoints in your network, where it's watching for things to happen. The endpoint is the user's device, so that's the E in EDR. The detection is watching for things to happen and detecting them. And then the R stands for response, which obviously means we want some action to happen when something is detected. It might be isolating the machine from the network. There are a bunch of different things that could happen; it could be sending an alert out to someone like ourselves. So, that's what EDR stands for, and, at least from the various cyber applications that we're being asked to help our clients fill out, it is being mandated and required by a lot of these carriers today.

There is a strong push from the insurance companies. They're happy you have EDR, great, but there's a strong interest in who's monitoring it. Is it in-house, or is it 24/7 monitoring provided by the EDR service provider, which is what they prefer? They prefer somebody else be on watch 24/7 rather than Bob, Jane, or John, who may not get the alert at one o'clock in the morning on a Saturday over the weekend, and then you're responding to the situation or the potential threat too late, so to speak. So, yes, having EDR is great, but what percentage of your network, taking everything into consideration, is it actually protecting? They want to see that number as close to 100% as possible, and then who is actually monitoring those threats that may be detected, at any time of day or night, so to speak.

That’s a wrap!

We want to keep it short and sweet. We try to be respectful of your time. I wanted to thank Javier and Axis Management for taking their time today to speak with us. I will say, the real message is to be sure to protect your assets, consult with your insurance broker, or if you're not comfortable that you're getting the information you need we strongly encourage you to reach out to Mike Smith who could not be here with us today, or Javier and the Axis Insurance team, but you want to make sure that you're really digging in and not just checking the boxes on those insurance forms, that you understand. If you're a client of ours we obviously would love it if you would keep us in the process because we do find that some of the clients have checked things that they don't actually have and as Javier explained they're putting themselves at risk and obviously it’s not really if you're going to have an incident, but a matter of when and what happens, and so that you're prepared and you're not being reactive and that you can avoid turning into an angry monster like you see here.

If you have any further questions that you didn't ask today, feel free to reach out to us. Allow for as much time as you can; get out in front of this with as much time as possible. If you have a March 1st renewal, literally today is not too soon to start this process to identify any areas of concern that you can spend some time getting your hands wrapped around and actually be able to deploy. I can't tell you how many times we're within a few weeks or less of the expiration date and we've identified a vulnerability that needs to be dealt with or a procedure that needs to be implemented, and you just don't have time to find a vendor to put it in place and deploy it correctly in your network, and then you're uncovered for a short period, or a long period of time in some cases. So, the sooner you can get out in front of these renewals, or effective dates for your cyber if you have it in place, the better.

That's great advice! Thank you again, Javier. Justin Case, make sure you fill out that insurance form properly. That's it from Cathy and the Team here at IT Radix. Thank you!