Webinar: Tackling the Rising Costs of Cyber Insurance Premiums
Lliam Holmes: Good morning! At MIS Solutions, we are deeply committed to empowering our clients with the knowledge and tools they need to run a better and more secure business. Today we are excited to kick off an educational series focusing on cyber insurance. Over the course of this series, our goal is to provide you with a comprehensive 360-degree understanding of what cyber insurance entails, how it’s priced, and the critical role it plays in mitigating risks in your business.
I’m Lliam Holmes, the CEO of MIS Solutions, and it’s my privilege to guide this discussion. Joining me today is our distinguished guest, Chase Burnett, who is the vice president of Burnett Insurance, based here in Suwanee, Georgia. Chase brings a wealth of expertise and insights to this conversation.
Chase, welcome. We’re thrilled to have you today.
Chase Burnette: Thank you. Thanks for having me, Lliam. Happy to be here.
Lliam Holmes: Awesome. Fantastic. Let’s really jump right into this because I know that we’re all kind of excited. Let’s start right at the beginning. What is cyber insurance?
Chase Burnette: The definition of cyber insurance is a policy that helps protect you in case of a failure to secure data.
It’s split into two categories, primarily third-party and first-party, which we may get into in more detail later. Third-party would be damages that you owe to another party for your failure to secure their data. First-party would be expenses that you as a company incur because of the claim: things like notification expenses, forensic investigation, regulatory fines and penalties, things such as that.
Lliam Holmes: Okay, awesome. What do we think are some common misconceptions about insurance policies for cyber?
Chase Burnette: Well, the number one common misconception that we hear is, I don’t need it, right? I’m too small. I’m not a target, right?
Well, data shows that the companies that have the worst impact from cyber claims are the small businesses, because they don’t have the resources. Maybe they don’t have an IT department. They don’t have the resources that help them recover quickly in case of a claim.
They also don’t have cash on hand. A lot of times when we think of these high-profile cyber claims, we think of things like Target. We are thinking of the CrowdStrike issue that we had earlier this year. We think of the pipeline, what was it, Keystone, not Keystone. The pipeline issue that we had. We think of these huge companies that are dealing with these cyber claims. But you know what, they’ve got resources, they’ve got IT departments, they have legions of attorneys, they have millions and millions of dollars of cash on hand. But for small businesses like yours, like ours, the impact is much greater.
Lliam Holmes: It can be devastating. And I think too a lot of people think that their general E&O or liability coverage would cover something like cyber insurance. And I think sometimes they think that with what they have, they’re already covered. They have a hard time telling one policy or one kind of coverage from another kind of coverage.
Chase Burnette: We have that issue all the time where we have people come to us and say, I’ve got cyber insurance. And we look at them and say, no, you don’t. You just have errors and omissions, which is a completely separate coverage.
Lliam Holmes: Yeah.
Chase Burnette: Or no, you just have general liability. Or maybe you’ve got this small $10,000 throw-in from your general liability company that’s not going to protect you in the worst-case scenario. So yeah, absolutely.
Lliam Holmes: I think that’s really a good lead-in. How do insurance companies determine the level of coverage that a company needs? Like if I went to the marketplace and I was going to buy cyber insurance, how do I know how much I need to buy?
Chase Burnette: There are a lot of factors that go into this. To directly deal with your first question, how does an insurer know how much we as a client should carry in our cyber liability limits? First of all, they’re not going to tell you a number, right? If you go to them and say, “Hey, tell me how much I need,” they’re not going to tell you that, because that opens them up to all sorts of liability if they tell you too low of a number and you have a claim. What we can do is look at things such as your average costs of incidents. I’ve got some numbers, and I think we’re going to talk about some financial implications later. I can give some more specific numbers, but when you look at average incident costs, and you look at what the legal costs are, what the downtime costs are in those claims, it can help you kind of figure out a number and determine maybe what you will need. There are also figures out there like averages. I think in 2024 one of the sources I get data from gave the average cost per record that you keep.
So that would be a personally identifiable information (PII) record that you keep on hand. The average cost per record is like $150. They said the average claim probably includes about 30,000 records, which can be different for everybody. And so that’s really what you have to get into. You have to look at all of the factors that impact your business and ask, how many records do I keep on hand? If my system goes down, how quickly am I able to get it back up? Do I have a relationship with someone like MIS who can get me back up and running quickly in case of a cyber extortion claim, a ransomware claim, which we can talk more about?
Lliam Holmes: It really almost sounds like this is a risk exercise, where you’re not going to go to your insurance company. They don’t have a formula. They can’t say, here’s your revenue, here’s your headcount, we put it in, and we tell you how much you can buy. Instead, it really sounds like a conversation that you’re having with your broker, maybe even with your IT group, trying to understand what your exposure and your risk are. And then how much insurance do you want to buy to try and cover what you think is going to be your exposure?
Chase Burnette: It sounds cliche, but we always say we want you to buy as much as you’re willing to afford, or how much you can afford or are willing to pay for. You have to make that decision about balance. How much risk am I willing to take on for myself, or how much do I want to put into this financially up front?
Lliam Holmes: I heard you kind of gloss over one thing a minute ago. It kind of caught my attention as a business owner because maybe it’s something that I didn’t think about. That is when you buy cyber insurance, I’m thinking about hey, we just had an incident, maybe we lost some data. We need to file a claim.
But I might not be thinking about the cost of downtime. And so obviously, we have a scenario where we may be out of business. We may have obligations, contractual obligations to our clients, certainly as an IT provider, for example, if our help desk is down and people can’t call our help desk, that’s a service that our customers are paying for.
Chase Burnette: That’s exactly right.
Lliam Holmes: It kind of enters into my mind who would pay for that liability or help our customers and make them whole. I had previously thought about the fact that that downtime would be covered in our cyber insurance.
Chase Burnette: Should be. Should be.
Lliam Holmes: That’s something to think about, too. I think you’re actually kind of bringing me to my next thought here. I know that as we’ve gotten involved with our customers, we see all kinds of different policies. And one of the things that we often say is we are not insurance agents. But we can give you advice based on what we’ve seen.
I know one of the conversations you and I had earlier was that there is no standard for cyber insurance. I’d be really curious what your take is on that.
Chase Burnette: Every once in a while in the industry, we have a product come out that is not standardized. A new issue comes up and it takes a while for the insurance industry to respond to it and kind of standardize it. 20 years ago, we had it with something called employment practices liability, which is your employees suing you for employment-related law or issues.
And what happened is it first came out and nobody knew what to do with it. All the policies were different, but then eventually it was standardized. So now when you get an EPLI policy, they all pretty much say similar things.
Lliam Holmes: Yeah.
Chase Burnette: But right now, we’re still kind of in the wild west of cyber insurance. What that means is no two policies are alike. You can call a 1-800 number and get a cyber policy from some call center, or go and submit online, and you can get a cyber policy. But there can be so much missing from that cyber policy, and something that we’ve talked about is everybody has different terms.
In preparation for this, I was sitting down and reading through all these claims, and data for 2024. What are the leading causes of claims, things like that. And you know what, even between the different groups that were identifying these leading causes of claims, they called things differently.
Social engineering, which is something we’ll get into, and I can define it here in a little bit if you want to, but social engineering also goes by a name called business email compromise. It also can go by something called fraudulent inducement, there are so many different names. It’s important that you know what you’re looking at, and that’s why it’s important to work with somebody like Burnett Insurance. That’s not a sales pitch, but just work with somebody who deals with cyber insurance so that they can go through and say, you’ve got stuff missing from here. Oh, this exclusion applies to you, and you don’t realize that you actually were losing coverage here. Things like that.
Lliam Holmes: I think there’s a really interesting point to be made here. In your words, there are no standards for cyber insurance. Everybody has their own policy.
What’s included in these policies is different from company to company. And to make it worse, they call them different things. You really need to work in a partnership, just like you would with your IT provider, to really understand what your needs might be. And if I kind of roll this right back to what we were talking about a minute ago, where we were talking about doing that risk assessment: not only do you need to figure out how much insurance you need to have, but now what we’re also saying is you need to figure out what’s in your policy. And the way to get that is you’re going to have to find an insurance company that specializes in cyber insurance. I think that really kind of brings this full circle for me, because I know that when I buy insurance for MIS, we typically are looking at having as few vendors as possible. Wherever we buy our E&O insurance and all the other kinds of insurance that we have, that’s probably the first person that I’m going to call when I’m thinking about cyber insurance. That makes sense. But as I’m processing this conversation, what occurs to me is that might not be the best idea. Now it might be, but I’m probably going to want to double check to make sure that the insurance company that I’m working with actually specializes in cyber insurance. And I’m going to want to sit down with them, read through what that proposal is and really understand what’s included and what’s not included. Because, right back to your comment, it’s not going to be a standard policy where I could get the same thing from every company. What they include, what they don’t and the terms for what they call it are going to be different, and so it’s going to be really, really hard for you to compare apples to apples, company to company, particularly if they call them different things.
Chase Burnette: That’s exactly right. If you don’t know the terminology and know the differences in terminology, then you’re not going to know what you’re looking at. Something like a collaboration between a broker and your IT department, because you’re also going to look at risk assessment.
One of the greatest risk management tools for cyber is completing an insurance application because every year, it’s getting more and more complex to do so. But it’s because they’re wanting to make sure that your bases are all covered. They want to make sure you’re doing the right things that you’ve got the right policies and procedures in place.
We have people come to us all the time and say, can you give me a checklist of what I need to be doing? Best practices as far as cyber security. And you know what? We hand them the application. We say, read through all these questions that the carriers are asking. That will give you an idea of whether you’re doing the things that you’re supposed to be doing, because they are trying to cover all bases and they’re going through everything. And if you can say yes to all of these questions, then you’re doing pretty good. There’s always more we can all be doing, but that will give you an idea that you’re doing a pretty good job.
Lliam Holmes: I know that that’s actually one of the things that we’ve seen over the last couple of years: our customers turn to us and ask us, “Can you help us with these questionnaires?” One of the things that we actually did earlier this year was we went to all of our customers and we said to them, “Can you tell us when your renewal date is for your cyber insurance so that we can back that up?” From a technology perspective, we can make sure that they are ready to renew by the time their renewal comes up. I think it’s very similar to what you’re saying. It’s a great checklist of everything that you really should have. That kind of brings me over to my next question, which was really about what businesses should look for in a cyber insurance policy. What are the key things that you would say… make sure your policy has these things?
Chase Burnette: It’s evolving all the time. That’s one of the tough things about cyber. It’s not standard and it is constantly evolving. Well, the criminals are so creative. They come up with new ways to get to us at all times.
The big thing that I would bring up is this: if you go through an insurance application and you answer all of these policies and procedures questions, there’s a good chance that a criminal just hacking into your system is not going to be your main issue. The main thing that we are seeing, and it’s been the claims leader in the last four years, is what’s called cybercrime. Those are going to be things like ransomware, also called cyber extortion, and social engineering. I think we all know what ransomware is now, because that’s the one that’s in the news the most. That’s when a criminal is able to get into your system, lock down your data or delete data out of your system and then extort you to try to get it back.
That’s why it’s important to work with an MIS, make sure you have backups, high quality backups that are disconnected, that you can get yourself back up and running with minimal downtime. I’ve found a tangent, but I wanted to shout you guys out there for that, because I know you guys do a great job for us in that, and we don’t feel like we would be down very long if something like that were to happen.
Social engineering, that might require some explanation. So social engineering would be a scenario also called business email compromise, and you’ll understand why in a second. It would be a scenario where the CFO gets an email from the CEO saying, hey, I’m about to step into a meeting, but I need you to wire this money to XYZ company right now. You’ve got to get this paid, but I’m stepping into a meeting. You can’t come talk to me about it.
Lliam Holmes: We’ve all seen those.
Chase Burnette: Exactly. And the CFO is like, oh, I really need to talk to him about it. But he said, do it now or else we’re in trouble. I’m just going to do it. He wires that money, and that money’s gone.
The CEO comes to him later, or your CFO comes to the CEO later and says, hey, I did that wire transfer you asked for. And the CEO says, I didn’t ask you to do anything. I don’t know what you’re talking about. This is news to me. What did you do? Social engineering is huge right now. Ransomware, social engineering, huge. Invoice manipulation, that’s another huge one right now. That’s where an invoice either gets intercepted and payment info gets changed on it, or just a fraudulent invoice is sent out. They get your invoice, they spoof it, send fake invoices to your clients or vendors or whatever, and request payments.
Those are the cybercrimes right now. They are what I would say are the biggest things you need to look out for, because that’s where we are getting calls from our clients all the time. “Hey, just found out I wired money, and I wasn’t supposed to.” They got fooled. Or the classic one that we’ve all seen as well… I’m sure everybody watching has seen this… is the email from the CEO to a lower-level employee saying, “Hey, I need you to go buy gift cards. Go buy all these gift cards and then when you get back to your desk, send me the numbers on them. This is a secret, don’t tell anybody, it’s for a prize or a party or something like that.”
Lliam Holmes: Where in my mind I see the difference, from a cyber insurance perspective, is that there are really two buckets. Bucket number one is if somebody breaks into my system and they forcibly take something from my system. Ransomware is probably a great example of that. Exactly. But that’s very different than if in some way I convinced you to do something, and you were the one who willingly gave up the data.
Whether I convinced you on the phone, whether I sent you an email and convinced you to do it, however I did it, I convinced you to actually give me the data. From my perspective, cyber insurance covers you against the first bucket where they took something from you forcibly. But a social engineering policy is when I was convinced to do something, and I gave away the data.
Chase Burnette: And they would be included on the same policy, but it’s two different sections of the policy, if that makes sense. Like we mentioned earlier, we’ve got third party and we’ve got first party. And so third party is my client’s data was taken, and now I have to pay them damages because they’ve been exposed. Maybe their identities were stolen, things like that. Maybe they lost money. But then first party, that’s expenses or damages that I incur. And so cybercrime falls under first party. Ransomware, that’s not you having to pay a third party, but you’re having to pay to get your own data back, or pay to recover your own data, or pay for your own downtime of being out of business while that’s being handled.
And I hope it’s okay, I’m just going to jump into something else here with social engineering, because you’re exactly right in that we’ve seen it kind of evolve. Now that doesn’t mean it’s not happening, and you’re not getting cyber insurance unless you’ve got policies and procedures in place, but it’s much less someone just forcibly hacking into your system and much more somebody letting them in. And so, the point there is that it’s personnel driven these days.
Your personnel are your weakest link in your chain. We pay lots of money, we pay people like MIS to secure our systems, and that’s great and that keeps you protected. But all it takes is one employee, not going rogue in the sense of trying to do something, but going rogue and clicking something they’re not supposed to, or going in and buying something or wiring money that they’re not supposed to, things like that. It’s personnel driven. And so, I know with MIS, being a client of MIS, we have this system called KnowBe4, which is training us as employees of Burnett Insurance to avoid these phishing scams. It’s training us to notice things in emails, training us to not click on unsafe links or open unsafe attachments, things like that. That right now is probably the biggest thing we can talk about when it comes to cyber insurance. You have to train your employees. They need to know that they can cause big issues.
We’ve had clients that have cancelled their cyber insurance because they say, I don’t think we need this anymore. We don’t want to pay this much for it. Something like that. And then one employee at the company makes a decision or clicks something or sends money and now they’ve got a huge financial implication.
Lliam Holmes: We get involved in a lot of these things from an IT perspective, because anything that sounds like hacking or cyber, typically people are thinking, well, that’s our IT provider. That’s somebody we ought to bring in. You bring up what I think is a really important point, and that is when we talk about compliance, when we talk about how you secure something, it really falls into three buckets.
There’s the physical component, “how do I physically secure it?” Maybe that’s a door or a lock. Or maybe a log or something.
There are the technical controls, which tend to be all of the things that we think about as an IT company. These are things like antivirus and firewalls and backups and all of those kinds of things.
But there’s also this other huge bucket called administrative controls. Administrative controls are something really important, because these are the things that you tend to see in your employee handbook or your training. Things like, what would your expectation be if somebody lost their laptop, or if they clicked on an email, or they got a virus, or they got a phone call from somebody asking them to buy gift cards or to have access to their system? Do you as a company have a policy that you’re training your employees on about what to do in those events?
Chase Burnette: That’s exactly right.
Lliam Holmes: And it’s these administrative controls that seem like they’re getting taken advantage of.
That’s what’s really causing this financial loss and this exposure.
Chase Burnette: A hundred percent. And another thing to mention there is you can control your technical controls. You can control your physical controls. You can even control your administrative stuff. You can train your employees, but what you can’t always secure is your clients or your vendors. And so that’s another area where we’re seeing huge numbers of claims. My vendor sent me something, or someone got into my vendor’s system and sent me something, and now I’ve lost money because of that. That is also kind of training your employee to say, just because it’s coming from a vendor that we’ve worked with… One of the things, you may still get to this question or not, but one of the questions that we have here is, “What are some of the policies and procedures and controls that carriers are looking for?”
One thing that has come up now is that you cannot get a cyber insurance policy without multi-factor authentication. It used to be a suggestion. Now it’s a requirement. If you say no to that on the application, they send it right back and say, let us know when you’ve got that in place, and we’ll look at writing this. You can’t get it without that.
Lliam Holmes: Can I follow on to that too? So, I know we’ve all heard about multi-factor authentication, or two-factor authentication, same thing. But one of the things that we see is that people will have it on one application or one thing, but they don’t really think about having that on ALL of their systems. When these insurance questionnaires come through and the question is asked, do we have two-factor authentication? They’re checking yes. But they might not be thinking about it: do we have that on Facebook? Do we have that on LinkedIn? Do we have that on our email? Do we have that on access to our network or our systems? Do we have that on everything that we use or touch? Maybe they only have it on a few things. And I can tell you from our perspective, we are often seeing these application providers where they don’t have two-factor authentication and they’re relying on the fact that you’re doing that somewhere else. In reality, when you look at that risk profile and you’re looking at these insurance questionnaires, two-factor authentication means that you have it everywhere! On all of your systems and on all of your applications.
Chase Burnette: I can still remember several years back when it was like we just, I think it was when you and I realized that because I remember we went from just having it to get into our network to then suddenly we put it on all of our applications.
And now we have it for everything. And it was like that was when it clicked. Oh no! We need to have it everywhere. Not just to get into the network, but on all these applications.
Lliam Holmes: Really interesting. If I kind of asked the opposite question to that, we kind of talked about the fact that cyber insurance, it’s kind of the Wild West.
We kind of talked about the fact that no insurance policy is the same. We talked a little bit about the fact that the terminology is different. We talked about things that maybe I should look for.
My next question might be, “What are the red flags, like if I was looking at a policy and I saw certain terminology or certain exclusions or certain things, what would be a red flag that you could say people should look for?”
Chase Burnette: One of the biggest ones that we’re seeing right now, that people don’t realize yet, is the requirement of dual authorization. Now that is not authentication. It’s not multi-factor authentication. What we’re talking about is you get a request to wire money, and dual authorization means I can’t as one person make a decision to wire that money. I have to approve it, and then I’ve got to have someone else approve it as well. You have to get two pairs of eyes to look at that. Now that’s one big restriction that we’re seeing right now. There are some carriers out there who say, if you did not follow this… you can have the policy in place saying, I’m going to do this, but if the claim happened and you didn’t do it, then no coverage applies. And so, not all carriers are that way. There are a lot of carriers out there that still are not requiring it. But there are some that are throwing that in there, and people don’t realize it, and that can be a big issue.
Lliam Holmes: In your opinion, do you think that that is something that we’re going to see more and more of in all of these policies?
Chase Burnette: I mean, it could. This is where all the claims are happening. Ransomware is still number one. In 2024, 64 percent of claims on cyber insurance are ransomware. I mean, far and away, ransomware is still leading the pack. Social engineering and funds transfer fraud are the next two behind it. Not close behind it, because 64%, but they’re the next two behind it. And those are the ones where, if you don’t have these policies and procedures in place, you’re going to get taken advantage of.
Lliam Holmes: That’s actually probably one of the biggest areas that we see, because this isn’t a technical thing. This fits into those administrative controls. This is a people thing. What we’re talking about is when I get an email that says I’m a vendor and we’ve changed bank accounts. Here’s our new routing number to wire us money. That system, that policy, that procedure that says, how do I authorize that? Whereas what we’ve seen is that people will take that email at face value. They’ll go into their systems, they’ll change it, and they will willingly wire the money into a fraudster’s account.
I think if I kind of piece that together with what you’re saying, we are writing into some of these cyber insurance policies the fact that there needs to be dual authorization, that no one person has the ability to do that. I know that one of the recommendations that we’ve made for many years to our clients is pick up the phone.
Chase Burnette: That’s what I was just going to say, that’s our recommendation. Yes.
Lliam Holmes: Call your vendor and ask them, or at least verify that the email that you are getting is legitimate. Because these emails, honestly, even to a trained eye, they look absolutely legitimate.
Chase Burnette: The criminals are talented. Let me add another key to that recommendation. Call a number you already have in your system. Absolutely. Don’t call a number you see in that email because that’s how they get you as well.
Lliam Holmes: Yes, that’s a really good point actually.
Chase Burnette: Have a number that you have independently. In your system already or go out there and find their number in a different place. Don’t call the number that’s on that email. Absolutely.
Lliam Holmes: One of the things I think we’re talking a little bit about, but maybe inadvertently, and I’d like to maybe directly address, is what are the kinds of add-ons that I would see to a cyber insurance policy? I know we just talked about social engineering, but I’m sure that there are lots of different kinds of add-ons. What do you think are the most common add-ons that you would see?
Chase Burnette: I would say the top ones again, I don’t want to sound like a broken record, but social engineering is one of the top ones. Make sure ransomware is on there. Make sure funds transfer fraud is on there. Now, again, they may have different names depending on what carrier you’re working with. So, you might want to call your broker and say, hey, these are things that I’ve heard about. Are these on our policy? I want to make sure they’re all on here. Invoice manipulation. Again, those are the big four. Now business interruption is something that we mentioned as well. That’s paying for your downtime. I just had another one in my head, but then I’m like… Oh, if you have a software or product or something that controls a process, or is involved in the healthcare industry or something, contingent bodily injury and property damage would be a big one, right? If them taking down your system can lead to an injury or property damage, something like that as well. But again, that all comes from the carrier and your broker knowing your business, so that they can go through and say, here are all the things that apply to you. Here’s what we need to make sure is on the policy. Carriers will do that.
We started off by saying they won’t give you a number. You can’t come to them and say, I want you to tell me how much insurance to cover. They won’t do that. But what they will do is advise on the breadth of coverage. They will say, hey, I see you’re doing this. We need to add this to the policy. And most of the carriers we work with will do that. They’re not trying to hide the fact that it applies to your business. Now, some of these things you have to ask for. If you go to certain carriers for a cyber quote, they’ll give you a quote of the basics.
And then if you want things like social engineering, you have to go, hey, I want, I need that. And then they’ll add it. But they won’t add it up front. That’s something you have to be very careful about: there are some carriers where the underwriters treat the money like it’s their own money and they don’t want to give away coverage for free. You’re right to ask for it and say, I want to make sure all this is on there. You know, and if they come back and say, we’re not going to add it, then you’re working with the wrong carrier, and you need to find another carrier.
Lliam Holmes: That’s a really important piece. They need to know enough about your business to help understand what add-ons make sense for you and which ones don’t.
One of the things I was actually thinking about as you were talking about that is…Let’s say, for example, that I was a food manufacturer, and I had refrigeration. Refrigeration is typically connected to the network so that you can control it. If that system gets compromised, you know, you’re going to have loss of product.
And that’s a scenario that you’re going to want to insure. But if you’re working with a broker that doesn’t know that that’s what you do, and that’s how you do it, the chances of something like that getting overlooked are probably pretty reasonable, I would think.
Chase Burnette: That’s absolutely right. And I just wrote a policy a few days ago, and it was an E&O and Cyber (Errors & Omissions and Cyber) together. Their product is on an industrial manufacturing floor and it’s a technology product, but it helps control processes. And I came to them and I said, you need to have, you know, contingent bodily injury and property damage on your policy… meaning if your thing fails, it could lead to injury. And they’re like, I don’t know why we’d do that. Finally, when I explained it to them, they’re like, Oh yeah, we do need that! Actually, we hadn’t thought about that. We definitely need that. So just having somebody who understands what these coverages are and can go through and advise you and say, listen, you need this even if you don’t realize it.
That’s huge.
Lliam Holmes: Fantastic. Well, I have really just one last question before I turn this over to you guys to ask some questions, because I’m sure you guys have questions just like me. I don’t want to hog Chase all to myself here. You know, the last question I was really thinking about, certainly as we think about our customers and we think about this in its larger context, is: are there any industry-specific policies or considerations that maybe a company should be aware of, that these kinds of things exist?
Chase Burnette: The big things would be, not different policies. So again, when we talk about cyber insurance, there’s not a bunch of different cyber insurance policies out there. Everybody’s is different. There’s not a, oh, I need to buy it. You know, what you will run into is things that are industry specific. So industry specific, if you’re in healthcare, you need to make sure that you know there’s going to be a lot more stringent requirements on you because you’re protecting health information, things like that. If you are a FinTech company or a payment processor or things like that, you’re going to have much more stringent requirements on you, and you want to make sure that PCI fines and regulatory stuff is included in your policy. It’s more so about making sure specific coverages are included based on the industry that you’re in, if that makes sense. As opposed to there being a completely separate policy for you.
Lliam Holmes: It’s really understanding, it’s kind of what we were talking about a minute ago. It’s really just understanding what kind of business you’re in. Do you accept credit cards? Do you have healthcare information? Do you have obligations to different kinds of security frameworks like CMMC or HIPAA, or are you a financial kind of a company? And really understanding what kind of data does that company have, and then almost really tailoring a cyber insurance policy to you.
Chase Burnette: That’s right.
Lliam Holmes: Which is why that relationship with your broker is so important. Because if you call a 1-800 number, they don’t know you. Exactly. The chances of you having a misunderstanding or forgetting to do something or not understanding how much insurance you have, those conversations were never had.
Chase Burnette: That type of scenario, like a 1-800 number or going online and just filling out a few questions and getting a quote, most likely what you’re getting is a boilerplate policy. Like you said, not tailored to your business. You don’t have somebody looking at it and going, you don’t realize you need this, but you do. Like what I just mentioned a minute ago.
Lliam Holmes: Yeah.
Chase Burnette: Awesome.
Lliam Holmes: Well, thank you, Chase. So I will not hog you all to myself, and really give everyone else the opportunity to ask some questions that maybe they are thinking about. I know that one question that I’m seeing that’s coming in here is, you know, if the cyber insurance space is still in the wild west, what should they be looking for when choosing a cyber insurance company, somebody like a Burnette Insurance?
Chase Burnette: So I’ll just jump to what you mentioned earlier and look for a company that specializes in cyber. If that’s what your concern is, if that’s what you want, to make sure my carrier knows what they’re doing. All the big carriers are doing cyber. The big ones that we work with, like Hartford, Travelers, Hanover, Liberty, all of them. They all have a cyber product. But if you’re really concerned about that, I would look for carriers that specialize in cyber. There’s a lot of them out there where cyber is the main thing they do. We can help you find specific ones if you’re interested in that. But that is what I would look for.
Financial rating. Make sure they’re a solid company, but that they also specialize in Cyber.
Lliam Holmes: One of the other things I’m also thinking about is the legal and the forensic component to this. When something happens, because this is really one of the things that you’re trying to insure against. It’s not only, can I put Humpty Dumpty back together again, can I figure out how much water I’ve spilled? There really are some legal obligations and some forensic support. Do policies typically help with things like that?
Chase Burnette: Yes. And now, another thing to look for in your policy, and the other thing that we’re going to talk about, is the cost of the process. Whether or not all of these expenses fall inside of your limit or outside of your limit.
But now let me explain what that means. If they fall inside your limit, then any money that’s spent on legal and forensic, those type of expenses will start bringing down your total limit. Okay. It’s possible to get them outside the limit. Now, again, it depends on carriers. Some carriers will only do inside or only do outside, you know, but that’s another thing to think about. Especially if you work with a company that specializes in cyber. They’re absolutely going to provide that. But make sure to pay attention to whether that’s going to be inside my limit or outside my limit.
Lliam Holmes: Okay, that’s really interesting. Here’s another example of where not all policies are created equal.
Chase Burnette: Exactly.
Lliam Holmes: Alright, so do we have any other questions that are coming through? Oh, looks like we got one coming here.
This one’s a process question. I think the question is in the event that something happened, what’s the process of filing a claim? Like, what’s step one? If something happened, what do I do next?
Chase Burnette: Well, as a shout out to you guys, I would say call your MIS first. Make sure they are on the job. Because if something happens to us, the first thing we do is, I don’t remember what number, but zero or one. And you guys are picking up, right? Call you guys, then immediately call either us or someone on your policy. You’re going to have a claims number in there and they’re going to say, in the case of a claim, call this number.
So pick up the phone, call your carrier immediately because they have specialized people. This is all they do. And I know in your Tech Exchanges in the past, you’ve had breach coaches out there as well. But these carriers do have specialized people, whether it’s forensics, whether it’s legal counsel that they already have on retainer, ready to jump in and help you. So give them a call. They’ll jump right on it and have specialized people who this is all they do, providing expertise and coaching. That’s the whole point: what do I do? None of us are the breach coach specialists. If something happens to me, I sell cyber insurance. If something happens to me, my first thought is going to be, what do I do first? What do I do? I need to get something going on this right away. I would call you guys, and then I would call our carrier and say, here’s what’s going on, I need help. What do I do next?
Lliam Holmes: And I think you actually bring up something, and you’ve said it a couple of times, but time is of the essence. Yes. When something happens, as quickly as possible, reach out, make that call. Because if you are right in the beginning stages, you may still have the ability to stop it. And the other piece to that too is you’re at the point where the evidence of what is happening still exists. You’re going to need to collect all of those logs. You’re going to need to stop maybe somebody from exfiltrating data, or continuing to send emails out on your behalf, or whatever it is that they’re doing. But time is of the essence. You’ve got it. This is one of those things where it’s stop, drop and roll. You’ve got to get on this as quickly as possible. Even to the extent that you may raise the red flag and say, I think something is happening. And it wasn’t.
Chase Burnette: Oh, you’re better off. You’d rather err on that side. Yeah.
Lliam Holmes: You’re better off raising your hand and saying, I think something happened and it turns out you’re totally fine.
Chase Burnette: Yep. You’d rather err on that side than go, I hope this means nothing and hopefully nothing’s going to come of this. Yeah. Absolutely.
Lliam Holmes: Here’s another question I see that’s coming in. It’s, you know, are there specific compliance or security standards that you need to meet to qualify for a policy? I certainly have heard business owners say, “What do we need to do to qualify before we get cyber insurance?” Is that a thing?
Chase Burnette: Oh, yeah. Well, we talked about it a minute ago that without multi-factor authentication, don’t even bother trying to get a quote on cyber. To the point where we have clients who got in before they had multi-factor authentication and already have a cyber policy. And at renewal, our carriers, now that they’ve pretty much finished the process of it, because about two or three years ago is when they started doing this, at renewal they’re going, hey, they marked that they don’t have multi-factor authentication. If they want us to renew this, they’re going to have to put that in place.
So that’s a must. You know, if you go in there and you say you don’t have anti-virus, you don’t have firewalls, you don’t have the endpoint protection, if you go in there and mark no to all those, you’re not going to qualify.
Lliam Holmes: Yeah.
Chase Burnette: So again, go and just find a cyber application. If you don’t already have cyber coverage, if you have a broker, say, send me a cyber application, please. A long-form one, not a three-question one, but send me a thorough cyber application. And then again, read through that and you’re going to know what’s important and what’s not in that.
Lliam Holmes: I kind of have a follow-up question to that, and that is, what’s the order of precedence here? Do I fix everything first and then get cyber insurance, or do I apply for cyber insurance, have them tell me what I need to fix, and then fix those and go through underwriting? If this is the first time that I’ve bought cyber insurance, what do you think? What’s the order of operation?
Chase Burnette: Well, my first comment would be, if you don’t have cyber insurance, what are you doing? You need it! Everybody needs it. Okay? 100 percent of us need it. Even if the only data we have is our employees’ data. That’s an exposure. Okay, so everybody needs it. If you don’t think you need it, contact me and I’ll tell you why. Everybody needs it. It’s that important. And we’re becoming more and more connected in the world, period, as businesses. I’m getting off on a little tangent here, but even businesses that had nothing to do with the internet or having software, they do now, right? There are very few businesses out there that are operating without any kind of software or network or anything of that nature.
First, I would say, go ahead and apply, right? Fill out an application at least, but start the process. Okay. Because if you say we need to fix everything before we even think about applying for cyber, we’re all human, right? And you’re going to get bogged down in the process. These are going to feel like daunting projects.
And you’re going to go, I’m never going to get all this done. And I can’t even apply until I get all this done. If you don’t have some of the basics in place, they’re not going to write it for you yet. But they will come back and say, here’s why we’re not writing it: because of this, this, this, and this.
Lliam Holmes: Well, they kind of tell you like, hey, you know, here’s the five things you need to do. But if you do those five things, we’ll write you a policy.
Chase Burnette: That’s exactly right. And that’s what I’m saying. So they’ll give you the, here’s the reasons we’re saying no. And that tells you what the top priorities are. The things you have to fix. In order to be acceptable. But that
Lliam Holmes: But that may be bigger or smaller than whatever you thought it was. Because I think sometimes as owners, particularly when we think about cyber insurance, we’re thinking about the dozens and dozens of things that need to be done. But what you might find is that while that’s true, you do need to do these things. If you do these three things, you could at least be underwritten.
Chase Burnette: Oh that’s right. Absolutely.
Lliam Holmes: The value in applying first and then seeing what that carrier wants you to do in order to be able to write that policy you may find that it’s less onerous than what maybe you had in your mind.
Chase Burnette: Sometimes the application can seem daunting because a lot of business owners don’t know all the technical questions. There are so many times where I’m working with a CEO and he’s like, I’ve got to get this to my IT guy, because I don’t know the answers to all these, right? But as a broker, we will walk you through that application and we’ll explain things to you as we go through it.
And it won’t be too much of an onerous process. Now there may still be a question that you need to go. I got to ask my IT guy if we have that. Cause I don’t know if we have that. But we can also walk you through and go, okay, this is one of those things that’s good to have, but it won’t stop the process. So let’s move on and finish the rest of it. Things like that.
Lliam Holmes: Yeah. I know certainly at MIS for our clients, we actually are taking the burden of filling those out for them and walking them through it from an I.T. perspective, from a technology perspective.
Chase Burnette: One of the things to understand in that regard is when you sign an application, a lot of times that application can become part of the policy. So anything you say in that application can either validate or invalidate coverage for you. So if you do that, and I’m sure you guys do an amazing job at it, be sure you’re walking them through it and they are checking off and confirming and know what they’re signing, as opposed to… I’m sure you guys wouldn’t make the mistake, but they need to understand everything in this can become part of the policy and can determine whether or not my claim will be covered if I am not telling the truth about it.
Lliam Holmes: Right. And so that’s a really great point, right? These insurance policies, these questionnaires, it’s almost like a truth serum, right? And you want to answer it as honestly as possible. Really not take that approach of, well, we’re going to do this. But really, it’s like, what are you actually doing right now? Because to your point, you know, this questionnaire gets added to your policy as warranty statements. And you can void the warranty on your cyber coverage by not doing something you said that you were going to do.
With that, I do see another question that’s popped in, and I think it’s a really good one, which is: what are some things that a client could do to keep the cost of these cyber insurance policies down, or is there something that they can do?
Chase Burnette: And that is a tough question, because these carriers don’t publicize how they get their rates. Now, I can tell you what factors go into it. The biggest factor is what are you doing? So MIS as an MSP that makes insuring you difficult because of all the responsibility you have for your client systems and data, right? So that’s a huge factor and you can’t really change that. That’s not something you can do because you do what you do, but that’s a big factor. Your revenues are another thing that your rate is based off of. That’s also something you can’t just change to make your insurance.
The third big thing I would mention is the type of and number of records that you process or store. So that can shoot your premium way up if you’re holding on to a lot of records. So that could be something, if you can identify, hey, we don’t need to be storing these records. These are not things that we need to have. And it’s an exposure and it’s causing our insurance to be more expensive. That’s something you can do.
Otherwise it’s more of the underwriting process is more of a negotiation. Meaning, you tell me all the things you’re doing, I go to the underwriter, I tell them all the things you’re doing, and that’s how they kind of figure out where they want to come down on the rate, right?
So it’s not a “if you put in multi-factor authentication, you get 5 percent off.” That’s not really how it works. There’s no publicized rate where they’re all there. It’s not like car insurance where…
Lliam Holmes: you can take driver’s ed to lower your insurance.
Chase Burnette: But I can go to them and say, “Hey, listen, this premium’s a little high. They’re training their employees. They’re using this ‘Know Before’ system or a similar system. They’re training their employees. They’re teaching them about all these phishing attempts and they’re taking a lot of steps. Can we get some more off of this premium?” And then that’s, like I said, a negotiation. If you do a 1-800 number or something, that’s not something that you’re going to have the opportunity to do.
Lliam Holmes: Really interesting, because what that says to me as an owner is, it’s not only the relationship that I have with my broker, but it’s the relationship the broker actually has with the carrier.
Chase Burnette: Oh, absolutely. So,
Lliam Holmes: There’s really two relationships involved in not only getting good coverage, but getting it cost effectively.
Chase Burnette: Yeah, and what we do is we’re an advocate. You tell us, Hey, this premium is really onerous. I need help. And then we go to the carrier. Now that doesn’t mean the carrier’s going to say yes. Sometimes they’re going to say, no, that rate is where it needs to be, but sometimes we can go and make a case for you and tell a story. That’s one of the things that you always talk about in insurance. When you go to the underwriter, you tell a story. You tell them about what this company is doing and all the steps they’re taking and all the policies and procedures they have in place to make sure that these kinds of things aren’t going to happen.
Then an underwriter is much more willing to listen and may say, okay, we can probably cut some off of it because of these things they’re doing. It’s not a, oh, if you check this box, you get a certain percentage of a discount. You know, it’s more of a what kind of story are you telling about how you’re protecting yourself?
Lliam Holmes: A little kind of pointed question here that I’m thinking about is, I’m assuming then that past performance, if you’ve had a breach in the past, must have some impact. Or does that have an impact on what a renewal would cost?
Chase Burnette: You know, it’s kind of funny because it absolutely does. Underwriters look at a past claim and they think, oh no, right? This company’s had a past claim. There’s an issue. A lot of times we try to tell our underwriters, those are the ones that are least likely to have another claim. Because they’ve been burned.
They’re going to put everything in place to make sure it doesn’t happen again. So there’s that story element. They’re going to originally just go, Ooh, that’s a big claim that they had. We don’t want this. And we’re going to go to them and say, no, no, no. They fixed everything because they did all these things. This is all the stuff they’ve done since. And that’s what they’ll say: if they see a claim out there, what have they done since then to make sure that’s not going to happen again? We need to be able to, as your advocate, go to the carrier and say, here’s everything they’ve put in place. These guys are a good risk now because they’ve taken steps.
Lliam Holmes: Is there anything quantifiable about that? In other words, I could tell you anything I wanted to. Do they actually check? Do they do anything? Now if I had a breach two years ago, and out of that I said, hey, we did these five things, whatever those five things are, I can tell you I did those five things. Does an insurance company actually conduct any kind of an audit to ensure that you did those five things?
Chase Burnette: Not typically. Typically, what you say and sign to in that policy, you’re giving your word there. They’re going to take your word. If you say we have, again, multi-factor authentication, they’re going to assume you do, unless they learn otherwise. Now, if there’s a claim and they get in there and learn you didn’t have it, then you’re in trouble. Because you agreed and signed your name. And on that thing, it’ll say, I have answered all these questions to the best of my ability and to my knowledge they are all accurate and correct. I know that anything… that if you’re misleading the carrier, it’s going to hurt you on the back end.
Lliam Holmes: So that’s really the thing. Just to kind of repackage exactly what you’re saying, you could be a little dishonest and say, I did these things. If anything ever happens, you may find yourself in a situation where I’ve bought and paid for a policy that’s actually not going to cover me because I didn’t do the thing that I said that I did.
Chase Burnette: It’s a contract, and an insurance policy is a contract between you and that carrier.
Anything in that contract, it’s going to say, if you misled or misrepresented or lied, basically, knowingly or unknowingly, then the whole contract could be invalid.
Lliam Holmes: It could be null and void.
Chase Burnette: Yeah, exactly. I mean, yeah, you could lie to get a policy, but if they get in there on the back end and realize you were lying, then it’s not going to do you any good to have it.
Lliam Holmes: Yeah, you’re paying for something that’s not going to produce any benefit in the event.
Chase Burnette: That’s right. So it’s good to be honest. Also, I’m not going to lie to my carrier. So don’t tell me, Sure, sure. Hey, say yes to this, even though I’m not going to do that, right? Because like you said earlier, I have a relationship with my clients, but I also need to keep a relationship with my carriers, and have a good one, and be a trusted resource for them. So be honest, use that application as a risk management tool. Say, yes, I am doing this thing. No, I’m not doing this thing. That probably means I should be doing the same. If your answer is no to any of it, it means you should be. Okay, so don’t take that as, oh, I need to fool them and make them think I’m doing it. No, that means that’s a problem and I should be doing this.
Lliam Holmes: Yeah, they wouldn’t be asking unless it could be a potential issue. So the good news is we are getting lots and lots of questions now. We are right at five minutes before the top of the hour, but I’m going to ask you one last question, which I think is probably something that everybody is thinking, and that is: How often do you recommend reviewing your policy? Because one of the things I think you talked about earlier was that these things are changing so fast. And so how often do you think is reasonable for a company to be reviewing their policy?
Chase Burnette: I’d say every year when it renews. So at least annually. At least annually you should be reviewing what’s on the policy, going through exclusions, right?
Carriers can make changes at renewal, but they’d have to notify you about it. They can’t just throw on exclusions and try to slip them past you. They’re going to have to send you correspondence that says, here’s things that are changing about your policy. But annually I would do it because like I said, it’s constantly evolving.
And if you’re working with someone, a broker like a Burnette Insurance, and if you have someone like an MIS, they’re going to be able to tell you, Hey, here’s some things that have really been going on this past year. This is what you need to look for at this renewal. Make sure things are up to snuff.
Lliam Holmes: Awesome. Well, I really appreciate you answering these questions. I think that this has been really super helpful, even for me as I think about that. Thank you, guys, for joining us today for this important discussion on cyber insurance at MIS Solutions. We do believe that knowledge is the first step towards better protecting your business. And we hope that this session has given you some valuable insights into the role of cyber insurance in mitigating those risks and safeguarding your operations. And obviously, a big thank you to Chase Burnett for really sharing his expertise and helping us understand the complexities of cyber insurance. It’s not simple. Chase, your insights have been incredibly helpful and really much appreciated.
This is just the beginning of our educational series. Stay tuned for future sessions where there’s going to be even more knowledge and a really deep dive into the world of cyber insurance and risk management.
If you have any questions or you’d like to learn more about how MIS can help support you in your business, then don’t hesitate, reach out to us. Once again, thank you for being here and we look forward to seeing you in our next sessions. Stay safe, stay secure, and have a wonderful day.
Thank you, Chase.
Chase Burnette: Thank you.