How to Prepare, Protect, and Recover from a Cyber Attack: Webinar Recording
Cyber threats aren’t just an IT problem—they’re a business continuity crisis waiting to happen. Today’s attacks can shut down operations, compromise client data, destroy trust, and trigger costly legal and regulatory fallout. The time to prepare is before an incident happens, because once it does, the clock and your reputation are against you. Join Shawn Flippo-Core Managed, Tyler Thorson-RT ProExec, Jason Starner-Conner Insurance, and Joshua Clark-Conner Insurance to learn how to protect your business.
Morning, everyone, and welcome to today's cyber liability webinar. I'm Jason Starner with Conner Insurance, and I'm excited to have you with us. We put together a great session today focused on helping you to prepare, understand, protect against, and recover from cyber liability incidents, and how to make the insurance strategy align with the cybersecurity efforts that your organization is taking. Today, joining me are two fantastic partners, Shawn Flippo, chief information security officer with CoreManaged, and Tyler Thorson, senior VP with RT Specialty. Together, they'll be sharing their expertise from both the technical and insurance perspectives. We thank you for joining us, and the recording from today's webinar will be automatically emailed to all those attending. Any questions you have, please put those in the comments. We will have a Q&A session at the end of the webinar, and we'll be happy to field all of those that we can within the time allotted. We thank you again for taking the time to join us. And to kick things off, I'd like to introduce Shawn Flippo, the chief information security officer from CoreManaged. Shawn brings more than twenty years of experience in cyber leadership, helping organizations design and implement comprehensive security programs. His expertise includes risk management, compliance, and performing security assessments to strengthen overall resilience. With that, Shawn, take it away.

Thank you, Jason. Yep. So I have a quick fifteen minute high level overview of how to prepare, protect, and recover from a cyber attack, which is my favorite subject. So let's get started. Jason's wonderful introduction covers a lot of this. The one thing I will highlight is that I am a certified CMMC assessor, which means we get the ability to assess organizations that have DOD contracts with cybersecurity requirements. You might start to hear a lot about that as rules have just been officially placed to start those requirements.
So that's becoming quite a big deal if you know anybody in the defense industrial base.

The agenda for today is we're gonna talk about the current state of cybersecurity, and then we're going to move on to, for prepare, how to set up a risk management program as well as the strategic value of a security assessment. For protect, I'm gonna tell you about an information security program and how you can align your ISP with a cybersecurity framework. And for recover, I'm gonna go over the basics of what a business continuity plan, incident response plan, and a disaster recovery plan is. Those three things are very crucial for every organization to have.

So the current state, if we look at the FBI's Internet Crime Complaint Center twenty twenty four report, eight hundred and fifty nine thousand total complaints for last year alone, and not every incident gets reported to the FBI. This equals sixteen point six billion dollars in losses just last year, which is a thirty three percent increase in losses from the previous year. So this tells us that cybercrime is not going away anytime soon. It's getting a lot worse. And if you are just now thinking about starting your cybersecurity program, you have a lot of catching up to do. So I highly recommend getting with somebody to get something like this implemented or having somebody take a look at yours to see how it holds up. And if you're wanting to do some math to try to figure out what an incident might cost you, the average is nineteen thousand dollars. So if you can take that hit and you're not worried, great. If that might be a number you wanna budget for, I'm gonna help you today.

The top three threats that organizations of all sizes need to worry about, threat number one, ransomware. This typically gets in through a phishing email or a spoofing website.
Somebody clicks on something, downloads something that they shouldn't have, and then that gives a little bit of access to a threat actor that they then use to get more access until they are able to delete your backups and then encrypt your entire infrastructure and then hold it for ransom. And then you can pay the money. You might get the recovery key. You might not. Typically, this happens if you have poor security practices or lack of cybersecurity training. Those two things will be the biggest things that will put us off to it as well as a good email filter.

Number two, cyber enabled fraud. A lot of times this happens with what we call business email compromise. Again, click on something. It asks you to log in with your email's username and password. Now you've given somebody access to your email account. It even happens with a good amount of two factor security. It can bypass that. They're in your email, they learn how your business operates, who the go to person is to send an angry email. Please email or send five million dollars to this account. Right now, it's very important or we lose this big deal. Things like that really get people worried, maybe skip the steps that you might normally do. Or call center scams, tech support scams. Somebody calls and says, hey, we're your tech support company. We need you to download this file and type in these numbers. That allows them to then get in and find a way to steal money. And that typically happens because of poor business practices. Make sure people are aware of all the two step processes that you put in place. That way, just one person getting yelled at doesn't end up sending money somewhere that they shouldn't have.

And then number three is a data breach. If you have sensitive information or especially if you have PII, personal identifiable information, you have to keep that safe. If you don't, then you are held liable for that information getting out.
Typically, this is gonna be done by public facing systems, weak stolen passwords, or system vulnerabilities. If you're not patching your web servers or other systems that the public has access to, those vulnerabilities can be open to the public and susceptible, so make sure you get your pen test done, get your vulnerability scans done, and patch your systems.

And how much does a data breach cost you? Because it's not like as soon as you get hit with the virus, money's deducted from your bank account. So depending on the size of your organization, could be overtime, could be hiring a third party consultant, but you're gonna need extra time for your incident response team. Possibly, if you wanna find out how the people got into your network, digital forensics, system recovery. A lot of times depending on, again, how big the event is, that can be a lot of overtime. If you have PII data, you might have to get legal counsel to show and prove that you were not negligent in your cybersecurity. You will oftentimes also have to face fines if you're under a regulation. And then credit monitoring. If you get ten thousand accounts stolen, you have to pay probably a year's worth of credit monitoring. That's a hundred to three hundred sixty dollars per person. So that can really add up with an immediate price tag. Indirectly, loss of productivity. If it takes your company three weeks to recover from a massive event, you're three weeks behind, and it can take a while to catch up. And then the reputational damage. If you made promises that you'll deliver a good or a service, without your technology, you can't deliver. And that's gonna hit you.

How to prepare? Organizations of any size can do a risk management program. I'll go into a little bit of detail to explain what that looks like, but you're gonna write down all the risks that you have, analyze your tolerance. On top of that, there is a, sorry. The screen.
The security assessment, I recommend doing these at least once a year. You can have your internal IT team do this, but it's going to be a lot better to have a trusted third party assessor. It's because you don't want people grading their own homework. Also, people just miss things that, you know, it's easy for them to oversee because they're the ones that did the work. You should be receiving a gap analysis to identify and prioritize your weaknesses as well as a lot of things done for your assessment that it's typically expected to have as part of your regulation requirements, like your pen test and your vulnerability scanning. Might as well have all this done in one assessment.

Your risk register. This is just an example, but you're gonna write down your risks, a description of how that risk will affect your organization, a plan for mitigation. And as you do this, I like to use the likelihood and impact scale. What's the inherent likelihood? So today for phishing, when we wrote this one through five, we said there's probably a high likelihood, four out of five chance that somebody's gonna get phished. What's the impact? We'll say three out of five, giving us a risk of twelve. We decided that our target risk is one. We don't wanna mess with, right, phishing affecting our business. So we put in our Microsoft Defender for Office three sixty five, security awareness training, phishing campaigns. Now our current likelihood is a one. Our current impact is a one, giving our current risk of one, which meets our target risk. This is now good to go. We can close out this risk. Risk number five, we can say inherent likelihood and impact are both three, giving us a nine. Our target risk is one. So we put some mitigation measures in place. It's still a two and a two for our current, and our current risk is four. That's still higher than one. So we made some progress, but now we can show that we still have more work to do.
So having this written down, treat this as sensitive data. You don't want this to be available to everybody, but this allows your entire leadership to really coordinate and see what your current risks are and plan for the future.

Next, for the protect, we're gonna talk about what an information security plan is. This will include your policies and procedures. Your policies are gonna be something like an acceptable use policy that tells people specifically what they're allowed to do on the computers, what they're not allowed to do. Uh-oh. It's gonna include your technical safeguards. So if people are not allowed to install any software they want, you will include in your ISP that you have to have administrator rights. The administrative controls are on top of not allowing people to do that. It's telling people don't install software. Sometimes you can kinda get around having admin rights. So the administrative controls are also saying, we told you, don't do this. Not just because, well, the computer let me. It did, but we're also telling you, don't do this. And then physical security, everybody knows, lock your front doors, but there are oftentimes multiple doors left in a facility. Is every door locked? Is every door locked properly? Do you have enough cameras or other signs that let people know don't go through this door? That's all part of your information security plan. You're gonna document everything in this one document that is gonna have visuals and be written for the non tech person. So that way, everybody who has access to this understands what you're doing to meet your security goals.

And then with your ISP, your information security plan or program, you will want to align this with other frameworks. The NIST cybersecurity framework two point o and the CIS controls, those are free, and a lot of information is available, and they are highly customizable to organizations of every size. The other ones listed here, ISO, SOC two.
Those will give you more assurance that you have a good cybersecurity plan, but there's also a price tag to jump in there. But they do offer a certification that shows that you have met those requirements. The NIST cybersecurity framework and CIS controls do not have that.

And what is the NIST cybersecurity framework? It's mostly everything on this slide. There are six functions, twenty two categories all listed here. What's not listed is the hundred and six subcategories, and that's where it's going to drill a little bit more into, like, are you doing this specific thing for risk management strategy? It's customizable because you're going to grade everything on a tier one through four. Tier one is partial. You're kinda doing the things it's asking. Three means it's repeatable. Like, you can do this consistently. And tier four is adaptive. It's, you don't have to worry about it. You're doing it no matter what new features or new things come into your business. You got that covered. But you're gonna build your organization profile, which is gonna say for, you know, GV dash RR, or dot RR, roles, responsibilities, and authorities, we want to be a three here, but maybe for oversight, GV.OV, we're okay with being a two. That allows you to customize, that you don't have to have the highest security system for every single organization. You get to decide what you want, what risks apply to your organization. And that's what I really like about the NIST cybersecurity framework, where it's easy to recommend that for everybody.

And then the unfortunate, how to recover, because it's not gonna be a matter of if. It's a matter of when. Everybody will be hit with a cybersecurity event. The number one thing you're gonna want is your business continuity plan, and that's just going to be a detailed plan. Step one, do this. Step two, do that. These are the people that you call when this happens. How are you going to do business when you hit a security event?
This isn't necessarily how you're going to get new computers or things like that. This is how you're doing existing business. That might mean an alternative worksite. Maybe there's another site that you can have up and running within two weeks, or maybe it's a hot site. You can have it up and running in a matter of hours. Supply chain alternatives, if you have security cameras and all of a sudden they're not gonna be fixed and there's a massive flaw. Did you rely on one company, or how quickly can you get another security camera in place?

You also want an incident response plan. This is gonna be a little bit different because it's going to tackle exactly how to report and recover or how to report and the mitigation efforts and documentation of the incidents. This could be by the same people doing your business continuity plan. It could be by a different team. But the biggest thing here is that you're going to do lessons learned so it doesn't happen again. And then, also, you might need to contact certain people if you're under certain regulations. You'll want everything in here, to contact, what's their contact, phone numbers, email addresses, everything listed here so you're not panicking and scrambling to put this together while you're under a security event.

And then your disaster recovery plan is a little bit different than the incident response plan. This is just for how you fix your computers. So it's much more detailed in, you know, the steps that you're going to take. If it's a virus, you're gonna do this. If it's a business email compromise, how do you recover so people are able to still do business? But those are the, and I will cover the three two one plan when talking about your backups. Have three copies of your data on two different media, and one of them needs to be off-site.
So this can be the server that has the data, a local backup server that makes a backup of it, and then an off-site storage that the backup server then replicates its data to. If you do something like that, like most backup solutions offer, that's your three two one plan. And you wanna have that for any data that you don't want to lose. So that covers my portion of it. Feel free to reach out with any questions, but I'll be happy to do some Q&A towards the end of this.

Thank you, Shawn. We appreciate your insight. Next, we're gonna have Tyler Thorson. He's a senior vice president with RT ProExec. They are one of the largest wholesale brokerage teams in commercial insurance, comprising of over eighty highly technical specialists. They're widely known in the industry for their innovative approach, their thought leadership, and their capabilities of placing any type of risk. Some of their areas of expertise are privacy, network security liability, technology errors and omissions, media liability, intellectual property, among many others. Tyler will be discussing the underwriting vantage point of cyber liability and emerging issues in their space. Without further ado, I'd like to welcome on Tyler.

Thanks, Josh, and thanks to the Conner team and, you know, for all the attendees. I think taking a step back, let's just think about insurance to begin, right? I mean, we all carry a lot of different types of insurance, both from a business stance, but also a personal stance. You know, from a personal perspective, you have home, auto, personal umbrella, etcetera. You know, from a business stance, you may have property, general liability, workers' comp, so on and so forth. There's a lot of things that we do. Right? And cyber insurance is another policy that businesses are facing now.
And so, you know, Shawn went through a number of items from a security posture stance that are great, and he even alluded to at the end of his presentation, it's not if, it's when. And a lot of people have this thought. Right? It's not if, it's when. It's not if, it's how. And so for the precipice of kind of what I'm gonna speak on today, it's kind of, you know, when prevention fails, what does cyber cover? What's the intent of the policy? You know, what is it there for? Some common claims. And why is this product growing so much?

And so thinking back to other lines of coverage that you carry, if I have home insurance, right, just because I have a great alarm system and smoke alarms, etcetera, it doesn't mean I'm immune to a fire and a loss. Right? If I have an excellent brand new car I just bought that has all these technology sensors and all these safety measures put in place, I'm not immune to a car accident. And you're catching the theme here. Right? If I have a brand new commercial property and it has the best sprinkler system ever, it doesn't mean that building's immune to a fire. And it's no different for your business. Right? Even if you have the best security posture in the world, whether you're a small business, middle market, large risk enterprise, even if you have a great IT staff, there's nothing there that says you're immune to a cyber attack.

And so going into kinda the history of the cyber product, how it started, where is it at now, the state of the market, you know, some coverages in a typical cyber policy, what are some common claims, and ultimately, you know, what are underwriters looking for in a risk. Right? What are some controls that, you know, an underwriter wants to see to be palatable to write?
And so we'll get into some of those things right now, and I kinda just wanted to start that little broad spectrum as we go through the slide just to get you thinking about, man, maybe this is something that we should think about pursuing. I carry all these other policies. Why don't I have a stand alone cyber policy yet?

And so, Josh, thank you for the, you know, brief, you know, intro of my bio. Like Josh mentioned, I've kind of been in the cyber scene for the better part of a decade here, my entire professional career. So I've had the privilege to kinda see firsthand how the cyber market and the product has evolved from really twenty fifteen to now. It's changed dramatically. I think if there's one thing that I could say about that, it's that there's constant change. Right? This product is relatively immature. Right? If you look at all the different insurance products out there in the marketplace right now, cyber is relatively new. And I'll touch on that a little bit as far as, you know, state of the market and the history of the product later on in the presentation here. So constant change, constantly new coverages, constantly new markets, new capacity popping up, which is a good thing. Right? Like, that is a good thing that there's more than just five markets that we can select from. Competition is good, and just like anything, supply and demand.

So today, talk about cyber insurance, some cyber exposures. We're gonna explain current state of the market, some common claims, emerging issues, developing litigation. Basic cyber controls. Shawn touched on some of the common claims and some of the basic cyber controls that y'all should see. I'm gonna reiterate some of those items because that is a very important topic as far as some common claims we're seeing right now in the marketplace, the developing litigation.
And then from my perspective, what do underwriters look for from a baseline level that are table stakes for an insured to be more or less palatable to the underwriting community, but also, you know, is this risk even available to write and buy cyber insurance?

So what is cyber insurance? I like to think of it as a business continuity and privacy policy. Right? You are protecting yourself from digital Internet threats, if you will, stuff that wasn't around in the eighties. Right? Internet wasn't a thing, not something a business or an entity had to think about from an exposure stance. And so business continuity, the way to think about that is if our company has an event, the cyber policy is there in force to help your business keep going. Right? If you have a dramatic or traumatic, excuse me, cyber incident or event and your business has downtime, you have to get up and going. Right? And so I like to think of it, yes, cyber is an insurance policy. Right? Cyber insurance is there for defense costs, potential damages, etcetera. But at the end of the day, there are so many added benefits that a cyber policy is gonna bring you as a business entity should you have an event. Privacy. You're working with a lot of customers. You are storing data. There are potential legal ramifications should you have a breach, and you have to follow specific regulation and laws in notifying customers. Cyber policy is there to help for that. I think of cyber policy as an airbag. Right? Not a seat belt, not something there. Should something happen to your business, if you were to get in a car accident, this airbag is here to save your life. This cyber policy is here to save your business. Right? And so I'm about to dive into some coverages as far as first party and third party items that the policy provides.
But, again, being a policyholder with a top tier cyber market, there's so many things that this policy and this company is gonna provide you to be in a business and be a policyholder with them. Should you have an event, they have a panel of vendors that can help with a number of items, and we'll dive into that shortly here. Again, growing product, all businesses that have a cyber exposure. And one of the root causes of this is gonna be human error. So your employees, your staff, there's a number, it's no one's fault. Right? We know these things can be tricky, and, you know, part of it is just creating awareness of your employees, but it is clicking the link. It is not verifying with a phone call. It is so much more challenging for a bad actor to do a brute force attack against your business than it is to just social engineer one of your employees.

So what does it cover? Again, cyber policy is first party coverages and then third party coverages. So first party coverages, think of your business has an incident. Right? You, the first party, the policyholder, is going to turn in a claim to the insurance company. Alternatively, on the third party side, you, being the policyholder, being a business, are being sued by a third party, and you are turning in that claim to the insurance company. So it's both. Right. Typically, when there is a cyber event, multiple insurance agreements are gonna be triggered. It's not like a typical policy where it's just one specific item gets triggered. Lot of different coverages, lot of different insuring agreements. Not always are all of them gonna get triggered depending on what the loss is or what the incident is. But a lot of times, there's gonna be multiple levels of this policy getting triggered in different portions of the coverage. So what are some of those coverages? Breach response cost.
You have an event, this policy is gonna help you get breach coaches, IT forensics, legal costs, notification costs, call center services, credit monitoring, public relations. So as I mentioned, these carriers all have panel vendors. Right? So as a policyholder, you have access to those should you have an event. You can choose and you can work with it. Carriers have selected rates with these vendors to help you get your business back up and going. And so with that, you're gonna have the best and brightest vendors at your disposal being a policyholder to get your business back up and going and to help you with these items.

I've always felt this way. Right? I'm in this all day every day. But if I owned a small business and I didn't have, call it, a cyber policy, and let's just say we had a ransomware attack, and we had an event, and I'm locked out of my computer. I candidly would be scared. I wouldn't really know what to do. And I'm someone who lives in this every day. I don't know how to negotiate with a bad actor. I don't really know much about the dark web. So if I did have that event, it would be pretty scary to know that I don't have professionals to lean on. Yeah. Sure. You're probably gonna notify the FBI. You're gonna reach out to a forensic firm, a notification firm, etcetera, but there's gonna be so many costs that go into that, and you may not know who to reach out to. Having a cyber policy, you instantly turn in that claim, you call a breach response hotline with the carrier that you're with. They're gonna assign coverage counsel. They're gonna connect you with their claims team, and they're gonna help you get in touch with these firms to help your business.

So other items, data restoration, covers the cost to restore and repair data lost during a cyber event. Business interruption, huge item. Right? Your business is down. We can't operate. We're not making money. What are we gonna do?
So this is gonna cover that loss of net income from that business interruption due to a cyber event on your network. It is incumbent on the policyholder to show proof of loss. Right? So that is a layer. It is very, very regimented as far as, like, proof of documentation, showing what your revenues are, showing what your expenses are. What was that net level that we could have made had we not been down?

A newer coverage, not new relatively speaking, but way back in the day, this wasn't a thing. Contingent business interruption. So covers loss of that net income as a result of a business interruption of your business due to a vendor that you work with and you rely on. So different person, not your business. Right? But a vendor that you are, you know, contracted out with, whether it's an IT vendor, and now we've even seen carriers build in non IT business interruption, the contingent business interruption cover. You rely on an IT vendor for your mission critical day to day operations. They have some sort of event. Their event is impacting your business. The policy would respond.

Few other first party coverages. Big item. Everyone knows about it. Cybercrime. Right? Social engineering, phishing attack, cyber deception, funds transfer fraud, invoice manipulation, items that everyone hears about. Right? It's one of the leading causes of cyber policies being triggered right now because it's easy. Right? It's easy to fall victim to some of these attacks, and people are constantly in today's day and age wiring and moving funds around. Cyber extortion, huge item. Right? Everyone knows what ransomware is. They see it in the news daily. It is the big reason why a lot of people buy these policies. Right? So covers the cost of ransomware response and ransom demand payment. And, typically, again, should you have a ransomware event, should you have a cyber extortion event, it's not just gonna be this one insurance agreement.
So many of these other insurance agreements are gonna get triggered because you're gonna have a business interruption. You're gonna have to notify people should data be breached and forensics comes in and sees that, oh, in this state and that state, you have to notify individuals. There's gonna be credit monitoring. There's gonna be data restoration. So having a ransomware event can significantly impact your business and trigger a lot of different policies.

Another one of those insurance agreements is gonna be reputational harm. People come to your business and work with you. You just had a bad ransomware event. I don't know if I wanna buy from them anymore. I don't know if I wanna go work from them anymore. So this is kinda coming back into that business interruption, hiring a PR firm, working to remedy that bad reputational harm that happened because of this event. Because perhaps the community and the greater outside world now views your business as, I'm working with them. They're not protecting my data. I don't have the privacy that I felt that I once had when I worked with this business. And then bricking is another one. It's a cost essentially to replace a bricked piece of equipment. So we call that computer hardware replacement as well.

So third party coverages. Touched on the first party. Third party is a person, class action, a business that you work with, filing a lawsuit against you. And so network security, privacy liability, regulatory fines, PCI DSS liability, so payment card industry, and media liability. Right? So this is kinda where you get into your third party covers. Back in the day, you know, I'd say years ago, it really felt like the majority of claims and losses were first party items. Right? Hefty majority of claims, call it ten years ago, were very, very focused in the first party space, and that was the hefty majority of what cyber carriers saw get turned in.
Things have changed. People are more aware now. There's so many plaintiff law firms out there that are monitoring people's privacy laws from a wrongful collection stance, pixel tracking stance. You know, it's just way more prevalent and on way more radars now. So third party claims have risen dramatically within the past, I'd say, five years, significantly more than what they were in the latter. So, again, it's not just a first party policy. It is also protecting those suits made against your business, and these are the core insurance agreements that we see from that regard.

So what agents here like Conner and some of our other partners and folks like myself, we hear all the time, specifically in the small business space, is, you know, I don't collect sensitive data. Cyber insurance is too expensive. We are protected. We have a great, you know, security posture, and we're protected. We're too small to be targeted. Right? It's only the big entities who really have claims. Lot of this is false. Right? There's a number of layers to each of these that is just invalid. Right? I think you have to look at, again, I have never had an auto insurance loss. Right? I've never personally been in an accident. Right? I think some of the cost of my auto insurance, my home insurance as a personal consumer is really high. Like, I think it's silly. I've never had a loss. It's never been there. That doesn't mean I'm immune to it. Right? And so also, again, for cyber, from a first party stance and a third party stance, there's a lot of ways that you could be, you know, targeted from a cyber attack, one from bad actors. But should you have an event, you're gonna have your customers coming at you from a legal stance as well. So you better be safe than sorry. Right? It's not if, it's when. I may have never had an auto insurance claim or a loss or a home loss before in my life.
It doesn't mean it's not gonna happen tomorrow or or five years or ten years from now. So planning, preparing, better protecting yourself, you know, for that rainy day, if you will, is always better be safe than sorry. So Sean shared some of these numbers. Right? I I think what I what I wanna talk about here from the current state of the cyber market is what I've seen from my own personal and professional experience and kind of the history of the cyber product. You know, the first cyber policy was placed in the late late nineties, right, kinda right as the Internet was getting going. It was like an Internet security liability policy. But but it never you know, it's brand new. I think that was nineteen ninety seven, the first one that was placed. I mean, there's been marine insurance for two hundred plus years. There's been property and and home and general liability and so many of these other covers for hundreds of years, decades. Cyber insurance has been around for about twenty five years, give or take. Right? So in the grand scheme of things, it's a very, very new and immature product. And so while that first policy may have been placed in the in the late nineties, granted I wasn't in the industry in in the thousands, but I don't believe it really grabbed hold, like, super quick. Right? Maybe some companies bought bought the policy. I came into the industry in twenty fifteen, and even at that point, it was still relatively unknown, and there were not many individual monoline cyber policyholders out there. And still today, there there's a lot that don't purchase a monoline cyber policy. So I think, you know, starting in the late nineties and the thousands, it gained some traction. There's not much data. Right? There's not much data in the underwriting community. There's really not much, info out there from a loss perspective. The product really wasn't developed. What's wording? What's covered? 
And so that has has has grown dramatically in the past, you know, twenty five years. And so, certainly, companies kept buying more policies in the thousands, and then you get into two thousand ten and so on and so forth. When I came into the the industry, you know, in twenty fifteen, twenty sixteen, I started my professional career. I I think some of those companies that were buying the businesses were the big businesses. Right? Were not large national enterprise accounts, middle market accounts who knew they had the exposure. I don't think many small businesses were purchasing it. And at the time, again, there's not much data. There's companies who write it. There's a lot of under you know, underwriting underwriters and carriers out there who would provide a product that had a product, but nothing like what it is today. There's way more capacity now. And so what I first saw was when I got into this industry kinda, you know and started getting into selling cyber and creating more awareness and and for consumers, but also for retail agents was a lot of people didn't buy these monoline policies. A lot of it was maybe an add on to a standard market policy where, you know, maybe it has a little sub limit for third party exposures, but really didn't have much of that first party stuff. And then as as time goes on, back then, It was very cheap. And, again, the data wasn't there, and there weren't many losses per se, on the smaller level of the clientele. So it was super easy to get a quote. It was more so just like, who's the name insured? Like, what's their address? What's their revenues? What's their operations? What's their website? No losses? Okay. Cool. Here's a quote. Has shifted dramatically in the past decade, and we've seen it firsthand because losses have happened. Part of that is, One, the the growing popularity of virtual currencies in Bitcoin and and bad actors utilizing that as a form of payment, which would have been in the late thousands. Right? 
And it's only gotten more and more popular, especially the value of it. Another part is just more and more businesses conduct their operations on the Internet now. Right? I still think there was a a a time in the early thousands where a lot of companies had paper files and had you know, weren't really utilizing their their operations via Internet. Now everyone does. Right? This has changed dramatically in in the past twenty years, and so the exposure level has has grown dramatically. And so now throughout the state of the market and what really shifted this dramatically was COVID, candidly. Right? So we saw in the the twenty fifteen, twenty seventeen, twenty eighteen, more and more policyholders in the cyberspace. We saw more losses, right, for all the reasons I just mentioned. As we get into twenty nineteen, the market started to harden a little bit. Right? There's more claims from a frequency stand or off stance, but also a severity stance. That puts carriers on notice. We're charging very little amount, and these losses are coming up to this much. It's not profitable. So carriers have to assess that. Right? And as we head into twenty twenty during the COVID years, what happened was remote work. Right? And so all these businesses used to go into the office. Everyone remembers this. Right? You were in five days a week, and that's how it went. Now there's the hybrid models and people back in, but there's still a lot of remote work. But if everyone here remembers, in twenty twenty, you were working from home. So all these companies, all these businesses were operating remotely. They worked off their laptops, and their security posture was just not prepared for it. Right? They were all remoting in without, call it, a hard line VPN. There was nothing there with a multifactor authentication for remote access. Email didn't have multi factor authentication. Controls like endpoint detection and response weren't really that prevalent at the time. 
And so at that time, we had a lot of policies. We I say that that in a very broad term for the insurance community. Lot of policies on the books with with not much premium, but a lot of potential for losses, and the community saw that. And so during twenty nineteen, twenty twenty, there was a lot of losses. In twenty twenty one and twenty twenty two, premiums rose dramatically. Carriers cut some capacity. They had to right the ship and call it, make it a correction. Well, at the same time, guess what? There's more and more people who wanna buy a policy. Right? Because either they had a loss or their friend's business had a loss, and so the the cyber market grew dramatically from twenty twenty to, let's call it, twenty twenty three. And then right around there, I'd say the market started to soften a good bit. Now there's way more awareness as far as, potential for cyber losses. There's way more, potential for having a better security posture, being more aware of what's going on, with with your business and and having you know, being better prepared, better protected, etcetera. And so now the the the community and the underwriting space, it's a soft market. Right? So what I mean by that, as as I mentioned, it was a hard market at one point where there wasn't much capacity. It was tough to get quotes. Prices were through the roof. We're far removed from that now. Right? There's so much capacity. There's a ton of good carriers out there. There's a lot of good underwriters who know what they're doing, and prices have come back down dramatically. Right? I mean, significantly to the point where I I would view cyber as as not an expensive product. Right? It it is something that if if you don't carry a policy, you can easily now go out and get a one mil policy for a very, very, reasonable cost. And so what are some common claims? You know, Sean touched on some of this, so I don't wanna, be too repetitive. 
But ransomware, cyber extortion, cybercrime, malware, a denial of service attack, business email compromise, supply chain vendor compromise. This is where you get that contingent business interruption, and a data breach. Just to share a little bit more details on this. Right? You know, here's a little bit more verbiage for you. You know, data breaches and lawsuits, like unauthorized access from a bad actor leads to lawsuits, reg fines, reputational harm, so on and so forth. Ransomware, cyber extortion event. Encrypts your system, halts your business operation causing revenue loss, that net income figure, remember, and investigation costs. Phishing and financial fraud. Right? Random employee is tricked into altering payments resulting in financial fraud and potential legal claims. So I wanna sit on this one really quick. A lot of these, we see rush, rush, rush. Right? You see something at the end of the day on a Friday, and it's the employee's boss's boss, the president of the company sends you a note. Hey. I really need you to send this wire over to this link right away because they need payment by end of day. This vendor needs it right away, and it's, you know, end of the day on a Friday. I'm trying to get to the weekend. Oh my goodness. My boss is emailing me. He never emails me. I need to send this payment right away, and it happened to be a bad actor. So there's a couple takeaways from the phishing and cybercrime. Pick up the phone and call the person. Right? I wanna make sure everyone understands that, you know, there should always be a second layer of verification when it comes to cybercrime and financial fraud. Pick up the phone and call. Right? And don't call the number that's in the email that reached out to you. Go back. Right? Go back to the contact. Go on the company's website, if it is a vendor reaching out to you or if it is a customer reaching out to you. 
Go in your phone for for what that actual phone number is. Right? So verify. Right? I think that's so important to think about. And this is something that, again, if if you all don't do it, at least annually, I would recommend at least two times a year, do the phishing awareness training, cybersecurity awareness training for your employees because just being a little bit more aware. And October is, you know, cyber awareness month. It's it's opportunistic. We're doing this now. Just being aware and being more cognizant of of how to do this. You know, if you get an email with a link, there's little tips and tricks that you can do. Hover over the link. Don't click it. Make sure it looks legit, and make sure it looks real. Don't just be clicking links like crazy. Hover over it. Make sure it looks real. If any of it feels odd to you, again, pick up the phone, call the person that reached out to you. I do it all the time. I'd rather be safe than sorry. And then you have denial of service attacks, third party breaches, and then, again, back to the business interruption from suppliers, which we mentioned. This is gonna be someone that you rely on your business for pursuant to a written contract. Right? Be aware of who those people are. You know? What is their security posture? If you're engaging with a new vendor that you wanna work with, I highly recommend having them complete a questionnaire and figuring out, you know, what they look like and how they're better equipped and and what what they're doing to make sure that your business is protected. Ransomware, we've touched on. Right? A big thing, again, during COVID, that remote access. You need to make sure your ports are are are closed. They're not open to the external facing Internet so bad actors can access. You know, what I mean by that is if you were to go on vacation, you would lock your house. Right? If you just left the house unlocked, anyone can come in and do this. 
And that is very similar to, for your remote desktop protocol. If you have open ports and you're not aware of, any bad actor can infiltrate your system and your network. Phishing, software vulnerabilities. Right? So these CVEs, making sure you're patching regularly. Right? You should have a regular cadence to your patching, for the softwares that you use and then the applications you use. Patching Tuesday. Right? I mean, patch weekly, patch monthly. Have something in your in your fold that you know that you're gonna do this. And then I'm gonna kinda get through this pretty quickly here. But, again, just kinda showing the different, measures of the industry and and ransomware that you can see. Health care is a big one, obviously, from, you know, the amount of info they store from a protected health stance. But, you know, there's a number of industries here. Obviously, it's not just specific to one or two. Same with the size of risk. You know, I think a lot of people say, oh, I'm too small. I don't have this exposure. You know, if you look here, approximately, what would this be? About sixty eight, seventy percent of frequency here from ransomware is companies from one to a thousand, and forty is one to a hundred. That's small business. Right? And so while the big losses, big severity is gonna come from larger entities. Frequency is small businesses. Right? And we all know that a small business has more at stake from a ransomware event than a big national enterprise. They're more equipped and have have a way bigger IT team to weather the storm and get their business up and going than a small business. Same thing here. You can just kinda see how I mentioned with the with the soft and hard market. You know, as it started to harden in twenty nineteen, you can see this ransom payment by quarter go up. And then after twenty twenty and then so on and so forth, it just skyrocketed dramatically. Again, social engineering, we we spoke about number one cause is human error. 
Pick up the phone, verify before you send funds, and don't just assume that everything's legit. And two last things here that I'll touch on. Emerging issues, developing litigation, obviously, artificial intelligence and AI is the huge topic right now and kinda how you need to go through this. So I think there's pros and cons to AI. Right? What we've seen is bad actors be able to use AI to make their phishing schemes look way more legit, right, and scale it at a crazy amount and intensify cybercrime. And then right now, big thing in the cyber community, and that's a hot topic, is privacy and third party suits revolving around pixel tracking claims and wrongful collection. So the last thing I'll say before turning back over to Josh and Jason is basic cyber controls. Sean touched on this a lot, but all of you, just going through the cyber awareness training, MFA, EDR, having a good backup solution, a governance plan around business continuity plan, incident response, disaster recovery plan, all very important and baseline controls that all businesses should look at. So that wraps up my presentation and kind of, like, looking at a cyber insurance policy. I'll turn it back to Josh and Jason, and, yeah, thank you for your time today, team.
Thank you, Tyler. We value your knowledge and your insight. You're a huge resource to our team and for our clients, and that's why we had you on today. You're fantastic. So I'll just share a little bit about our role here at Conner Insurance and the entire process. Bye. Let's see here. Alright. So here at Conner, we're really kinda that filler of the gap between those internal controls, that internal IT team or that external IT team, and the underwriters at the end of the day. Cybersecurity, CoreManaged, they focus on prevention, detection, recovery. 
All the insurance carriers focus on the financial recovery, that risk transfer, and the compliance, and we're here to really help represent you in the marketplace to negotiate the best terms, coverage, and premium available in the marketplace. We're really that bridge between Tyler and Sean as they spoke about their different roles in the process. And then really importantly is, looking at those contractual requirements that you're gonna have. More and more frequently, we are seeing contracts come in our doors with cybersecurity being a requirement and making sure that you're compliant with those contracts and understanding what the cost to do business is is an important step in us advising you appropriately on getting on the insurance coverage that you move forward with. In terms of, assessment, you can't manage what you don't measure. And every organization has cyber exposure. The key is understanding where it exists and how it is best served. We start by assessing your operational risk, your reputational risk, your financial risk, what the cost of downtime, ransomware, or data rest or data restoration, and how that impacts your business. This process helps translate technical vulnerabilities into business terms so your leadership can make informed decisions. We truly wanna collaborate with your IT and your leadership team to help uncover where insurance can transfer risk and where those internal controls can help reduce it without an insurance product. The goal isn't just to qualify for insurance. It truly is to strengthen your overall cyber resilience and bridge the gap between those two parties. We work on alignment. So many organizations have great IT controls and solid insurance policies, but they're not always aligned. So having someone with a foot in both of those areas to understand where they can coordinate is where we play a valuable role. 
For example, your IT team might have and assume backups or MFA meet the standards and criteria, but underwriting could change their definition of what MFA looks like on a year to year basis. So we help ensure that those technical safeguards meet the insurance requirements in that insurance contract, and bridge that gap. This alignment helps identify those blind spots, like gaps between what's insured and what's actually happening in your business and what those future operations look like or those future contracts could entail. So our job is really to make sure both sides, IT and insurance, are speaking the same language and are there to complement each other at the end of the day. Next is advocacy. So the story we tell to underwriting helps determine your pricing. The cyber insurance market is increasingly selective as we heard from Tyler. Underwriters reward companies that clearly demonstrate that good risk posture. We act as your advocate in the marketplace. So not just your broker, but positioning your controls, your culture, your investments in the best possible light because storytelling can really make tangible differences in the coverage terms and premiums that you're gonna see on your bottom line. Instead of just submitting an application, like Tyler was saying, previously, we would just submit names, addresses, revenues. We wanna help present a narrative about what your business is doing in the marketplace today, what your operations are, what your end goals are, the process that you're gonna be going through to help meaningful decision making going forward. The better that we can tell your story, the more that we know about your business, the more favorable that outcome is gonna be. And then last is response coordination. In the event of a cyber attack, time and coordination are critical. Who you call, what you do first can really make or break the outcome in that scenario. 
So we help our clients navigate through that process. Are we engaging with your insurer? Do we need to engage with IT or forensics, legal counsel, your PR or communications team? Because reacting quickly and effectively is the biggest mitigation to ballooned losses. We understand both the insurance and the operational sides of your business. So we wanna make sure that we are looking and verifying that nothing really falls through the cracks between those two parties. And our goal is to help you respond quickly, minimize the downtime, and protect your reputation. Even after recovery, we help review what happened and connect the dots as far as what do we do moving forward. When a cyber event hits, we become kinda your guide throughout that process, helping you recover faster and smarter moving forward. Tyler talked about this topic and the big things that are affecting cyber premiums. You know, premiums used to be fairly inexpensive. Well, as underwriters have more data to understand what the key metrics are in determining the amount of those paid claims and what premium needs to be to adequately insure those types of risks, these are some of the main points that underwriters are looking at. Right? Multi factor authentication. Cyber insurers now treat MFA as really a nonnegotiable for remote access, email, and privileged accounts. Underwriters often require it for Microsoft 365, VPNs, or systems with sensitive information. And MFA isn't just password plus text. It can include authentication apps, security keys, biometrics, etcetera. Endpoint detection and response. We had a lot of great feedback from Sean as well as Tyler on making sure that you have control mechanisms over how your computers are being used as well as regular backups, you know, using that three two one method. Three copies of your data, two different outlets, as well as having one off-site version of your data. 
Off-site or online means a version that can't be reached or altered through your main network, and that allows for backups to help in that cyber disaster, mitigate certain key functions of your business from being accessed. So if you get that ransomware attack, you know, you have an offline option in terms of your data to restore it without having to pay those attacks. Employee phishing and training. Your employees are your first line of defense, and over eighty percent of breaches start with a phishing or email, and they're typically human mistakes. Cybersecurity is really a team sport. And with phishing training, your people are the defense and not necessarily just the liability. So having that proper training are things that we can help connect you with to ensure your team members or your employees have a great ability to identify those risks. And then also that incident response and recovery plan. Right? Insurers and underwriters, they wanna see that you have a written tested incident response plan. Those are things that organizations like CoreManaged, your IT team should be developing, but also testing. Right? Those should be things that you use annually and actually test it so that when something happens, you have familiarity of how that incident response and recovery plan actually works. Lastly, just wanna talk. Tyler brought it up right at the very end. The biggest questions that we're getting are how is AI impacting the future of cybersecurity? You know, a lot of my clients are asking me these questions. Generative AI has made phishing far more convincing. Attackers now use and mimic writing styles and tones and even generate realistic voice deepfakes of company leadership. These scammers no longer have the typos and red flags that we're typically used to. They look a lot more like your organizational leadership's tone and the way they speak. 
So this trend really reinforces why ongoing phishing awareness and training and verification protocols are critical. And then the automated hacking tools. Machine learning now allows attackers to automate large scale attacks. They're no longer fishing with fishing poles and lures. With AI, they're allowed to use, you know, real nets in terms of phishing to go after thousands of organizations in just minutes. AI is really essentially industrializing cybercrime. So what used to take hours can now happen in a matter of seconds. Synthetic and identity fraud. You know, again, criminals are using AI to blend stolen and fabricated data, and it looks legitimate. It looks like your HR or it looks like your vendor or it looks like one of those key people at one of your vendor relationships. So this trend impacts any business storing personal identifiable information, most specifically. And then some of the key takeaways, you know, AI has really leveled the playing field. Attackers now innovate quickly, and firewalls and antivirus alone are no longer enough. Companies need layered security combining people, process, and technology. That means integrating MFA, online backups, having a cyber liability policy, engaging with your IT, making sure that you're up to date on all the things that you can use to make sure that your business is prepared for one of these attacks to happen. So AI is really shaping the threat landscape, but with the right partners, controls, and coverage in place, businesses can really stay one step ahead. So I appreciate everyone's time today, and I believe Jason's gonna be opening it up for questions.
Thanks, Josh, and thanks to Tyler and Sean as well for your time and insights today. I do have a couple of quick questions. The first one's for you, Sean. When working with clients, what organizational or cultural barriers do you often see that make it difficult to implement cybersecurity best practices?
Yeah. This is a great question. 
I'd say there are three big ones. First off is, cybersecurity is driven from the leadership down. Without leadership support, you're not gonna get a lot of traction. So a lot of times, I have conversations with an IT manager who wants to do everything correctly, but without the support of the higher ups, it's not gonna get anywhere. Cybersecurity really needs to be involved in every aspect of the business. So make sure you know how to get your leadership on board with any changes you wanna make. Number two is doing the check the box type culture. If you say we have this product, therefore, we are secure, and you don't have to worry about it, that typically means it's not put in the correct way. So try not to get in the mindset of, well, we have this thing. We've checked the box. We're safe. Get somebody to really dive into there and make sure that you fully understand what you have and that it's implemented correctly. And then the third one is just a course, culture of cybersecurity. If everybody treats security as somebody else's job, then those are the people that are really gonna be your weakest links. So make sure you have really good workflows that promote and reward good behavior and get security involved with every aspect of your company's functions and build up that security culture.
Excellent. Great feedback, Sean. Tyler, next one's for you. What role do you see brokers playing in helping clients navigate the evolving requirements for cyber underwriting, beyond just filling out the typical applications that a lot of carriers wanna see?
Yeah. I mean, I think completing an application is a great practice. Right? I mean, whether or not you have a cyber policy, I mean, even coming into just complete an application to be aware of, you know, what do we have? What don't we have? You know? I think that's a great starting point. Right? 
You know, I think if you're a business and you're going through this robust cyber app or ransomware supplement and you don't know the answers to some of the questions, it's not a good thing. If you go through it and a lot of the answers are no and you realize, like, oh my gosh. Like, we just completed this very unfavorably. Like, maybe we need to look at our security posture. So I wanna say that first and foremost. I think it's a great practice and both if it's new business and at renewal to kinda, you know, to double check some items. And then I think doing things like this, Jason. Right? I think being connected with the underwriting community and consumers and businesses and, you know, leading specialist brokers and law firms as well. What are the growing trends in litigation and threats from bad actors? And I think just being in tune and being in the trenches day to day, what brokers can do are things like this and creating more awareness for, you know, existing clients, but also prospects and getting the word out there more. Cyber is not new at this point, but it does change rapidly. So just being in tune with growing threats and exposures and litigation and kinda what the community wants to see, is changing rapidly. So just being in tune with what the market's doing is just the greatest thing in my opinion.
Great, Tyler. Well, we do have a few other questions and answers that we will provide, and we can email out to everybody attending. But just in the observation and respect of everybody's time, we are gonna close things down for today. But I do wanna thank our presenters, Sean and Tyler, very much for your time. And everyone who joined us on the session, we appreciate your engagement. And reaching out and just being involved and taking the time to educate yourselves in the process as well. 
If you do have additional questions, fire them away to Josh or myself at Conner Insurance. We will get back to you with answers either from Sean, Tyler, or whomever best it is to answer the question. And reminder again that a recording will be sent out to everybody on the call. That should be reached out to you probably sometime later this afternoon. With that, thanks again for being here today, and have a great afternoon.