EPISODE 110
Thriving in this Crazy Cyber Insurance Market

About this episode

July 19, 2022

Cyber insurance, once so easy to get, is now scarce and expensive. Why did this happen? How long will it last? What can you do until sanity returns? Find out with our guest Jennifer Cohen, the Cyber & Governance Director at HUB International. Your hosts are Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 110 of the Cyber Risk Management Podcast?

Kip Boyle: Hey Jake, today we're gonna figure out something that a lot of people are struggling with, and that's how do you “Survive this Crazy Cyber Insurance Market,” and this is not a topic I would take on by myself. So we have a guest that's going to help us do that. Her name is Jennifer Cohen, and Jennifer is the Cyber & Governance Director inside of the Executive Liability Practice at HUB International, which is one of the world's largest insurance brokerages.

Jake Bernstein: That's great, Kip. Is this a sponsored episode or is this a guest appearance only? Just to be clear, because you know, we recently did our first sponsored episode and I like my disclosures and my disclaimers and I just want to be clear on this.

Kip Boyle: I'm so glad I have you as a co-host because you always keep me honest about this stuff. It's not a sponsored episode. So I'm glad you clarified that. But listen everybody, if we do another sponsored episode, we promise, we'll clearly tell you up front, hey, this is a sponsored episode so that, you know, you'll know that we're not gonna try to sneak anything by you.

Jake Bernstein: Yeah, it'll be conspicuous too. Clear and conspicuous. That's the legal standard.

Kip Boyle: Yes, that's right. That's what we're going to practice, reasonable marketing.

Jake Bernstein: Okay so let's meet our guest Jennifer Cohen. Jennifer, it is great to meet you. Why don't you introduce yourself for our audience?

Jennifer Cohen: Hey guys, I'm so happy to be here today. I've actually listened to some of your podcasts and I love the way that you attack these issues and, you know, you attack them in a way that makes, I hate to say that, cyber risk as fun as it possibly could be. So I'm delighted to be here with you guys today and talk about the cyber insurance market.

Jake Bernstein: Yeah, it's pretty crazy. We have seen I mean Kip and I in our practice as kind of you know practitioners and you know, cyber risk managers in the real world, there's no question that things have just turned upside down and I think you know Kip and I have really been interacting with the cyber insurance market, you know, almost as long as we've been doing the podcast and working together maybe even the same amount of time and you know it used to be that yeah if you had a pulse and some dollars. You could get yourself a cyber insurance policy and you know what, it was pretty darn good cyber insurance policy. Like it didn't cost a whole lot. It gave you a lot of protection. Didn't have a high deductible or retention and yeah, So things have changed, haven't they?

Jennifer Cohen: Yeah, things have changed substantially and you know, people don't realize this, but insurance is actually a very innovative industry. So if they see something that they can offer insurance on, they're going to try to formulate a policy around that, right? They're always looking to expand their business just as anyone else is. So when the rise of the internet and all of our transactions taking place in e-commerce and companies, you know, relying on the internet and on, you know, digital tools more than ever, you know, someone was smart enough to say, hey, we should put some insurance around that because you know, what could go wrong? Something could go wrong and we could charge some premium dollars for that. We could create a policy to insure the risk of something going wrong in the cyberspace. So that's exactly what happened. And they rushed in to fill that space. And now, as you so keenly pointed out, things have changed.

Jake Bernstein: They sure have. And maybe just give us an overview of, you know, how things have changed and then after that, maybe, you know, why do you, why you think things have changed?

Jennifer Cohen: Right. So you know, the market starts out as any market and it grows organically. We, you know, we sell a bunch of policies, everybody gets a lot of insurance, but there was no real data, there were no claims, there were no cyber claims for insurance underwriters to look at in order to match rate to risk, right? That's what we talk about in the insurance industry. You have to match the rate to the risk and hopefully you're right, and you charge enough rate to cover the risk and then you end up with a little bit of profit at the end of the day. And what happened was initially we didn't have any of that information. Well now we do, you know, the last three years have been really, really tough and we are currently in what's called a hard market and a hard market is similar to a seller's market, right?

That's another way to think about it. So capacity is low and premiums are high. So you look at the housing market, it's the same thing. The housing market is a hard market. Well, the cyber insurance market is a hard market and that's because all of these claims have come in. The frequency and the severity of them are there. They're very frequent and they're very severe. I'm sure you guys know about that. And we've had to change underwriting standards. Insureds have to jump through a lot more hoops, fill out a lot of applications, be very transparent about all of their cyber controls, and if the cyber controls aren't adequate for the underwriters to feel good about the risk, they'll simply pass on it because there's 17 other applications behind yours.

Kip Boyle: Yeah, there's a lot of demand for cyber insurance. So the insurers can afford to be choosy. Now I wanted to unpack a term that you used, Jennifer, that some people in our audience may not be familiar with. You talked about capacity. Could you, would you like to define that term a little bit, make it more understandable?

Jennifer Cohen: Sure. Using the housing analogy again, capacity is supply. Right. So capacity in the housing market, how many houses are there available for prospective buyers to obtain? Well, how many cyber insurance policies are available for prospective cyber insureds to obtain?

Kip Boyle: Okay. And now I've worked in insurance and so I think what you're saying is the number of policies available, well, that sort of translates into how much money has the insurance company allocated for writing policies? Is that a fair way of also saying that?

Jennifer Cohen: Sure. How much how invested do they want to be in this market?

Jake Bernstein: Okay, that's, I think that's the answer that I think is helpful for me because I'm thinking, you know, houses is like, okay, I get it, like it's physical space, there's only so much physical space and there's only so many houses that are available. But you know, what's the limit that there is clearly a limit on policies that can be written.

Kip Boyle: But the insurer gets to decide that.

Jake Bernstein: I like that concept of its capacity is the level of, of investment that any given insurance company wants to be in a given insurance marketplace. That's really interesting. And I think that's something that we haven't really ever touched on before when talking about insurance. And I think that's because, you know, and not to overly blame the insurance industry itself, but it sure seemed like there was an unlimited capacity at the beginning.

Kip Boyle: Yeah.

Jennifer Cohen: Yeah.

Jake Bernstein: One could not be faulted for having that impression. So it's interesting to kind of see how that itself has changed.

Kip Boyle: Yeah. And it's interesting that I was just looking at a report the other day from Sequoia about, you know, their investments in new ventures, right? In their capacity as venture capitalists. And they talked about the market getting hard, the cost of capital going up. And so that's another thing that I'm thinking of here as, as we just sort of introduced this, you know, start to unpack this topic about, you know, what's going on, you know, the idea of a hard market and a limitation of capacity. Okay, so...

Jennifer Cohen: You know, just to throw one other, another thing we talked about, in terms of capacity. Another word we can use is called appetite. And I have conversations with underwriters at carriers all the time. What's your appetite? Right? What's your appetite to write this type of risk? Do you want a manufacturing and you know, manufacturing company or a technology company or will you write a casino or will you not write a hospital? So we talk a lot about appetite as well.

Kip Boyle: That's interesting. So I mean as consumers, right, we're used to buying automobile insurance and like, I don't think the automobile insurance market has ever hardened in my lifetime. So this is really interesting and I don't think I've ever had the case where buying automobile insurance, somebody said to me, well, I don't really know if I want to insure your Honda.

Jake Bernstein: And I'm not sure that it can and because there's, I mean, you know, there is insurance, there are pieces of the insurance industry that are highly regulated and then there are pieces that are not. And I think that when we talk about auto insurance and consumer grade insurance that tends to be very heavily regulated. Whereas, you know, business type insurance, including cyber insurance is just not as regulated. The regulators say that at least the theory is that the market will self-regulate in a way. And I think it kind of has in this industry.

Kip Boyle: I think it's useful to bring this up though because people listening to this podcast, you know, you think about what experience base do they have in order to understand this issue that we're talking about. And I think most people are just, you know, they're used to buying, you know, consumer-facing policies and it's just such a very different experience than what it's like to, you know, to purchase a cyber policy. And so I just wanted to just explore that for a moment. But now I want to, I want to keep moving here in the episode because we know the market is now hard, there's restricted capacity. But Jennifer can tell us what's the best way to tackle this issue. So if you want cyber insurance and you're finding it difficult to get, Jennifer, tell us what should we be doing?

Jennifer Cohen: Yes. Well, this is how I spend most of my day, talking to organizations about either obtaining cyber insurance for the first time or renewing in this very difficult market because as Jake pointed out, you know, super easy to get a cyber policy a few years ago. And then as these claims increased in this, this market, right? We talked about insurances markets this market matured and we got a lot more data in the form of claims, underwriters have had to kind of mitigate those losses because these insurance companies are now paying a lot more claims than they had anticipated. So their profits, their loss ratios, if you will, have declined in this space. So they're hitting people with very, very large premium increases on renewal.

Jake Bernstein: You know, I can't help it. But the absolute nerd in me wants to point out something or an interesting question about this is, is that it feels like this, what happened to the insurance market here is like the quintessential example of like the quantum observer effect, like by getting into because here's the thing is right, it's like, and you know, obviously Kip wrote a book, Fire Doesn't Innovate. We like, I love the fire analogy and it's like when insurance companies write more fire policies, fire insurance policies, it's not like fire is aware of it and like, oh, I'm gonna burn more stuff. Right?

That doesn't have, that doesn't make any sense. But conversely, I think, and I think this is undoubtedly the case when insurance companies started offering cyber insurance and you see this in the amount of ransom demands as insurance money became available, the demands went up. So in a very real sense, the insurance market caused its own hardening, right? Would you agree? Is that, would you agree with that?

Jennifer Cohen: Yeah, that's, we hate to talk about that. It's why you never want to tell people to come to your house for dinner, what, you know what your umbrella policy is in case they fall down your step, right? You know, you just don't want to...

Jake Bernstein: Actually actually, no, that, that's actually, that's actually a really, really good point because I didn't, I didn't think of that in that you generally don't tell. I mean in general, like, I mean, imagine if people drove around with like their insurance, their car insurance and injury premium or like limits, like flashing above their cars, like, you know, there might be a little bit of like, how can I get that person to hit me, right? You know, that would be a little, would be a little, yeah, I'd be a little crazy.

But like it's actually a really, it's actually a really important point going forward too, I think because you know, and this is perhaps very specific to the ransomware market. Like this is a fairly unique thing. I don't know that. I don't know that historically insurance companies have insured risks that can respond to their own insuring activities. Right? I just, I'm thinking back Lloyd's of London, you know, the oldest most classic concept of insurance was, you know, transatlantic shipping when who knows your ship might just get destroyed in a storm, right? That's why insurance, you know.

Kip Boyle: Or sea monsters.

Jake Bernstein: Sea monsters, right? I mean, you're talking, you know, renaissance era concept, right? But that was all, if you think about it was all, it was all natural kind of disaster type risk. Whereas I don't know, it's an interesting question. I don't want to derail the conversation further, but I don't know how much insurance historically has operated on an adaptive risk.

Kip Boyle: Yeah, a dynamic risk.

Jennifer Cohen: Yeah, that's interesting. And all you have to have me come back and then we'll talk about parametric insurance and all of that. But getting back to Kip's vision, what do you do?

Jake Bernstein: Now I'm really curious because that,

Jennifer Cohen: Going back for that and making you guys bring me back.

Jake Bernstein: He just got me absolutely hooked. I just got hooked. Like I have no idea what that could mean. But I am absolutely interested and want to know more.

Jennifer Cohen: That's great. So my job here is done. I've got a repeat performance. So what can you do if you need this cyber insurance. So the first thing you have to do, but you have to take a really good look at your, at your cybersecurity controls because what underwriters have now decided is okay, we've seen these claims enough and, and we know, you know, put very simply, we've got to shut as many doors that let the bad guys in. Right?

So I'm not going to get into a technical discussion here. I can't match wits with Kip on this topic. But all of those things, you know, multifactor authentication, endpoint detection and response, making sure you know, just limiting access. So you've got to dig deep into what your switch, your cybersecurity strategy is and practice the best cyber hygiene that you can, so prevent the loss. That's what the underwriters want. They want this loss prevented.

Kip Boyle: Just music to my ears, music to my ears.

Jennifer Cohen: Kip is going to be employed all day long, all day long.

Jake Bernstein: And one thing that I think is super important here to point out is that this is an instance where again, because of the nature of cyber risk, the interests of the insured and the insurer are like 100% aligned. And I think like it's, I mean I kind of view this and maybe we can talk about this, but I think one of the things that kind of bothered Kip and I initially is that it seemed like you could get insurance no matter what you were doing.

And I kind of liken it to, you know, life insurance, right? Like if you want to buy life insurance at any significant premium, somebody comes and like draws your blood and takes your blood pressure and weighs you and yeah, they like, you know, they want to know your health history. Like this is, this is very rational because you're going to be insuring against the risk. But it just seems like at the beginning of the cyber insurance market, like nobody cared.

Kip Boyle: Yeah, it was almost sanctioning disregard for controls. It was almost like saying don't worry about your controls, if something bad happens, just file a claim and everything's gonna be alright. That's definitely the tenor of the, you know, in the beginning.

Jake Bernstein: It was, and I think one of the things that's great about this change is that we both know customers and clients who would say I could invest, but I'm just going to pay for insurance and like that's, that is, I mean, that turned out that attitude. I don't want to blame the insurance market for everything here. It's not there. I mean, who could, it's only obvious in retrospect in a lot of ways. But like...

Kip Boyle: I saw it coming.

Jake Bernstein: Okay fine Kip, you saw it coming.

Jennifer Cohen: Well he wrote the book, Fire Doesn't Innovate.

Jake Bernstein: He did write the book.

Jennifer Cohen: The same thing happened, right? We're gonna, we see fires. We should insure fires. We're not really sure how fires happen. And then, I mean, we do know basically, right. But what does it take to? It takes a minute for the insurance industry to say, okay, hang on, what's going to prevent this claim? And then when did they figure out what's going to prevent this claim? Then you start underwriting to that.

Kip Boyle: And this was particularly bad because not only were they not realizing what prevents claims, but they were accidentally feeding a beast because every time they paid a ransom, they were actually emboldening the criminals and giving them more fuel to attack us with.

Jake Bernstein: But you know what's great about the insurance market? It is probably one of the most efficient marketplaces that has ever existed. I mean, you think about like everything that we've talked about has happened within five years, like it is adaptive like it moves, it moves quick and I think.

Kip Boyle: Although I have to say that's that, you know, insurance in my worldview had, I've seen it, it's very staid and you know, not changing very much because I was, and now I realize this because I was working with highly mature products and here this is a very immature product, right? And so it's, it has been encouraging to see things change. And now I'm actually telling my colleagues in the cybersecurity career field. I'm like, you need to watch the carriers because they're going to take a national leadership position on what is considered to be good cyber hygiene and today we look at standards like, you know, Payment Card Industry Data Security Standard or whatever, but I don't think that's what we're gonna be looking at in a few years. We're going to be, you know, primarily looking at what the insurance companies are saying really makes a difference. And I love that.

Jake Bernstein: So which brings us to the actual question, what should, what should, you know, what should companies and potential customers of cyber insurance be doing? And maybe as part of that answer. And you can tell Kip and I get way too excited about cyber insurance on this podcast.

Jennifer Cohen: And I love it. I'm a perfect person to, you know, be with you guys today. I get it, I'm an insurance nerd.

Jake Bernstein: And you know what's really, you know, I have to admit like it isn't just on the podcast that we nerd out about cyber insurance and stuff like.

Kip Boyle: Jake, don't tell everybody. My God.

Jake Bernstein: I know, I know, but we just, we just always do this. So my added question or my little bonus concept here is, you know, years again, a few years ago we would say, as a matter of course, cyber insurance is 100% part of someone's cyber risk management program and strategy, toolkit, right? It's part of the toolkit. And you know, just to be honest, for some, for some companies that has changed because it's expensive, right? Or you just can't get it. So I'm really curious if you could address that and I promise, I will try not to interrupt for at least 30 seconds on this, this question because I think it's super important.

Jennifer Cohen: Absolutely. So first of all, I think it's important to look at your insurance purchase as an entire purchase. So cyber insurance is expensive because it's a hard market, but there are other coverages right now that are in a soft market. So for instance, directors and officers is in a soft market. And, and we, I mean, look, I know they're very different purchases, you know, your health insurance for your employees is, you know, whatever, 30%, it's a huge number. So your coverages are different, you're, you know, you're trying to assess different risk, but if you can step back as a company and look at your entire insurance purchase, then I think that that can soften the blow.

So this year cyber is expensive, but that's not always going to be the case. We're going to figure this out and the market is going to level out. And then, and I want to draw an interesting intersection between directors and officers, what is happening, and Kip and I have talked about this. Companies are getting sued. Directors and officers are getting sued for poor cyber hygiene. So you get breached, your customer data gets released, everybody's privacy, you know, has been impacted and all of a sudden you have a shareholder litigation suit because there were basic things just as there are basic things that you can do to your home to fireproof it.

There are basic things you can do to your company's security system to protect it. And if you're not doing that these days, you're opening yourself up to an even bigger risk. So you know, first of all, try to ease the budget in your mind by looking at your entire purchase because some premiums are going to be higher and some are going to be lower. Secondly, really bring somebody and if you don't, if you don't have the best cyber hygiene that you possibly can, you've got to get that nailed down, you've got to, you know, you've got to protect these risks because it's not just a question of buying cyber insurance, it's your brand, it's your reputation. No one waits, wants to, you know, get the phone call in the middle of the night or stay there, you know, see the headline news the next day about, you know, some huge breach and everybody's data is out there. So that's the other thing. And then I think that you just, we kind of have to wait this market out and that will happen.

Kip Boyle: So I want to ask you, I think those are great suggestions. I want to ask you about another thing, which is filling out the applications, you know, what I'm seeing is that the applications are difficult for people to understand. The words are a little vague. And you know, they ask you this question and they give you like a two inch, you know, open line to write in an answer. And a lot of people are struggling because they're like, we're a big enterprise. And the answer to your question is complicated. And I have to explain, right? Or the word is overloaded, right? And in the question being asked and people are like, well, what do you mean by that? Right? What, like, what do you mean? Do I have EDR because no, I stopped using EDR. Now I'm using XDR or whatever. So there's a lot of difficulty in navigating the applications, what would you say people should be doing about that?

Jake Bernstein: Yeah. And, and while you answer that, just maybe remind people of the difference between an insurance brokerage and a broker, like yourself versus a carrier. Just so people are aware that like there's different functions in the market and I think it's not, I think sometimes we gloss over that and I just want to make sure that everyone is on the same page.

Jennifer Cohen: Right. Thank you. Thank you for that reminder. Right, so I work for an insurance brokerage HUB International and we represent the client. So, you know, Kip's company would come to me and say Jennifer, I need a package of insurance and I would go out to the insurance companies and secure those coverages. So the broker is the conduit between the client and the insurance companies to secure the various coverages that, that client needs.

Kip Boyle: And just like I was going to buy a house, right? I could go get a real estate broker, right? And they would help me find a house.

Jennifer Cohen: Similar. Yes. And our interest is always aligned with the client. We're always advocating for the client. But you know, as we're pointing out here, some of these, some of these insurance policies are complicated and they're, or they're new, or nobody knows their way around them and it's our job as the insurance broker to be able to advise and counsel the client about how do you fill out this application? What is the limit that you need? We don't want you to buy too little insurance, but we don't want you to buy too much insurance. So the broker is really this trusted advisor in the insurance transaction. Does that answer that portion of the question?

Jake Bernstein: It does, yeah. The key there too, for people to remember is that the broker, the broker's loyalty is to their brokerage's clients. Right? And you're not just a tool of the insurance carriers. Quite the opposite. I mean, it's all a very important, it's all very interconnected, you know, industry, but that I just...

Kip Boyle: Well you could buy, you could buy insurance from an agent of a carrier in which the interests are aligned to the carrier.

Jake Bernstein: And that's what gets confusing, is that typical consumer-grade insurance, you tend to just buy it from the carrier, or through an agent of the carrier. But businesses, particularly larger ones, tend to go through brokerages. And even though this is something that Kip and I have become very used to, it's a good reminder, particularly for cyber risk managers who just may not, like they don't live in the insurance world and they may just, they may wonder.

Kip Boyle: And that's why we're doing this episode, right, to help people get a leg up on something that they may or may not know much about. They don't do very often, right? And so it's a bit of a disadvantage. So broker is a great person to go to because they're going to be on your side. And I think another thing that I would want to be clear on is brokers don't make the rules, right, Jennifer?

Jennifer Cohen: Right.

Kip Boyle: Because I'm going to get mad if I, if the rules are not in my favor, but I shouldn't get mad at Jennifer because she didn't make them.

Jennifer Cohen: Well, but we were also very good at helping our clients comply with those rules, having the hard conversations with the insurance companies about why those rules should apply in this particular instance. And just going quickly back to your question about applications. You know, I spend a lot of time going through applications with our clients explaining exactly what you said and Jake, you know, as a fellow attorney, I'm a lawyer too. I look at all these questions in two ways, one of which is, you know, let's answer this question.

But the other question, but the other part of it is what happens if we misinterpret this? We answer it wrong and a claim is filed and the carrier comes back and says, oh, you said no when it was yes. And we said, well, your question did say to what extent is yes or to what extent is no. So we have to really work hand in hand with our clients. And oftentimes we add, you know, explanations, we add lots of pages of explanations to these applications and the underwriters appreciate that.

Jake Bernstein: Which, and that brings up, that brings up another just clarification point that again, it's kind of like insurance 101, but I want people to hear it from, you know, someone in the industry. Why is it a bad idea to just like not be honest on my application? Like I really need cyber insurance and yeah, we totally use MFA, but like in reality.

Kip Boyle: And who's gonna know?

Jake Bernstein: In reality like we're in the like it's a good, like I'm not saying like just lies, it's like a good faith exaggeration, but maybe explain like why is that a terrible idea, what happens if you do that and they find out? And I think this is a critical piece to understand because you know, a lot of the times businesses are used to like I mean this happens a lot in the sales process with like between businesses where it's like, oh you know, I like the IT wants you to fill out this questionnaire. Can you just, can you just do it? Like, and then it goes through, but like an insurance application isn't like that and maybe just really quickly say yes why we should not do that?

Jennifer Cohen: Right, well, first of all that's my job to make sure you're not doing that. Which is another reason you should use a broker. But number two, you said good faith. If you complete this application in good faith, then the contract will be construed in your favor as the insured. Right, that's insurance. But it's a terrible idea not to answer completely and truthfully because if a breach happens and you have to file a claim, the insurance company will investigate. They're not just going to cut you a check, they're going to investigate and they're going to dig deep into your application and into your answers and into the, you know, and make sure that your controls really were at the level that you said they were and you could have a problem in obtaining coverage at that point.

Jake Bernstein: Yeah. And the reason I keep hitting on this is that I've, there's a really interesting kind of phenomenon I've noticed in, particularly in the tech world, a lot of, a lot of business, a lot of business decision makers who have come up through a coding background or programming or a logic-based background tend to forget that, you know, people can dig deeper. I see this a lot in. I see this a lot with clients who are used to kind of solving problems with code and like neat little tricks and things like that and they tend to, and they get really kind of squirrelly about, you know? Well, what do you mean? A judge can just say that was wrong? Like what do they want to know the rules and like the parameters as if the legal system is this 100% predictable.

Kip Boyle: It's an algorithm.

Jake Bernstein: Exactly an algorithm. And I want people to understand that like you know in a certain sense the insurance and insurance company is kind of like that. They have investigators, they have judges, right? And it's gonna be the same type of thing. Like you can't just algorithmically, like manipulate the insurance company like it's their it's in their interest to not let you do that. And I think people forget that. Like look I'll tell you this when I was at the Attorney General's office, you know the AG office, AG's offices hire a lot of investigators. Well, where do you think most of the most Attorney general government investigators come from an insurance background? They investigate people they investigate and they will dig deep because they have to.

Jennifer Cohen: Right? Because most of these insurance companies are owned by shareholders and the companies have a duty to the shareholders. And if you're not investigating, if you're not being rigorous in your claims processes and you're paying lots of money out, then your shareholders are going to be upset with you. So you're absolutely right, Jake.

Jake Bernstein: Yeah, this is an arm's length business transaction, right? The insurance company does not exist to pay out every claim that is made. Like, that would result in the lack of insurance industry very quickly.

Kip Boyle: Yeah, exactly. Okay. So I just, as we come to the end of the episode, there's just a couple of more things that I would like to touch on.

Jake Bernstein: Kip, it's already been 30 minutes. We clearly have another 15 at least on such an exciting topic.

Kip Boyle: Listen to me, it's going to take us 15 minutes from the time I say that. So just give me a break here, okay?

Jake Bernstein: I get really excited about insurance for some reason.

Kip Boyle: I noticed. Yes, yes, yes.

Jake Bernstein: Maybe I have, maybe if I get sick of practicing law, I will totally go join Jennifer like and be like, yay, insurance. It's just so interesting.

Jennifer Cohen: That's what I did, that's what I did.

Jake Bernstein: See that's what you did. See that's what happened.

Kip Boyle: And that's one of the things I wanted to ask. So Jennifer.

Jake Bernstein: My partners are going to kill me now. Hopefully they won't hear this episode.

Kip Boyle: No, they gotta listen to this episode. So Jennifer graduated from law school and now works in insurance. Does your law school, you know, skills and experience, how does it help you, Jennifer, do your work?

Jennifer Cohen: Okay, so first of all, I graduated law school 25 years ago and I did start my career as an insurance regulatory attorney and so I represented agents and brokers in a variety of transactions. So I even had clients that I was writing policies for. I represented them in regulatory matters. Spent a lot of time, Jake will appreciate this, doing 50-state surveys on various different, this great stuff, and then I had a lot of other opportunities after that.

I was chief of staff to the state treasurer of North Carolina for a number of years. I was an insurance lobbyist for a number of years, but I can tell you that the legal background, working in an insurance brokerage and specifically in cyber insurance, it translates very, very well because the policies are contracts, there are terms that need to be interpreted and negotiated. As we discussed earlier, the applications can be nuanced. You have to constantly look at, you know, what if, what's coming down the bend. And I think that that type of consultation and that type of focus that you bring to the table as an attorney is a natural behavior and it's really helpful to our clients.

Kip Boyle: Oh that's great.

Jake Bernstein: This adds to my, my argument that lawyers are fundamentally risk managers, which is why I think lawyers can be great at a cybersecurity career, but also clearly, I mean if insurance isn't, I mean insurance, like it's literally risk management, that's what it is. And so it's a great fit.

Kip Boyle: Yeah. Okay. So one other thing I wanted to ask you, Jennifer: when I'm helping my customers fill out their cyber insurance applications, one of the things that I tell them is, as I said, look, you don't volunteer so much information. They like to explain stuff. They like to volunteer information constantly. And I'm like, don't do that. This is more like an IRS audit. Just say the least you can say and get out, right? So stop oversharing upfront. And they kind of look at me weird, but I don't know, Jennifer, what do you think? Am I steering them in the right direction when I say that?

Jennifer Cohen: So I'm going to give the standard attorney answer, which is it depends.

Jake Bernstein: Yes! I'm so excited. I was just waiting. I was like, I was like, please say, I was like, please say it depends. Please say it depends. And I was not disappointed.

Jennifer Cohen: It's nuanced, Kip. You are not wrong. But that's not always the best answer. So, and that's again why bringing someone like an insurance broker in or someone that understands what the carriers are looking for is helpful. So I think there's many times when you say yes or no, you just can't check the box and move on and wait to see if you get questions back. But if you know, and Kip do know this, that underwriters absolutely have to see MFA across an organization, right? Or zero service accounts, if you know that. And that question isn't leading you to the best answer, then you should add.

Kip Boyle: There you go. There you go. Thank you. Thank you. Yes. That's right. But I do like them to start out with this idea: don't overshare unless you have a reason to share. Right? I think maybe that's the modified guidance. One other thing that I wanted to ask you before we wrap up, and that's the federal government's role: what should they be doing? I mean, is there something that we need them to do to help, you know, stabilize this market? Make it not so hard. I don't know. I'm wondering, you know, what should government be doing? Maybe they should stay out of it. Maybe they should get in. I don't know. Jake, what do you think?

Jake Bernstein: Oh, I'm, I mean, also a former regulator. I think that...

Kip Boyle: Which is why I asked you.

Jake Bernstein: I mean, in general, I think lighter touches are better. I mean, think of it this way, right. The insurance market, like I said earlier, is super adaptive. It's very quick. Absolutely 100% without reservation guarantee you that if it was as heavily regulated as other insurance markets are, we would be looking at dysfunction for decades. It's just the nature of regulation, it slows things down on purpose.

Kip Boyle: Sometimes you want that. Sometimes you don't.

Jake Bernstein: Sometimes you do want that. Sometimes you want that. Sometimes you want a highly adaptive marketplace and so I don't think, I think the role for the federal government as it relates to cyber insurance is more going to be setting, and frankly, I think they're doing it to some degree, is setting standards that people should follow for cyber hygiene and cyber best practices, I mean you know...

Kip Boyle: So the NIST cybersecurity framework.

Jake Bernstein: Yes, the NIST cybersecurity framework, 800, you know, the whole 800 series, you know, CISA, their publications, their alerts, you know, just creating standards that people can align themselves to.

Kip Boyle: Okay, so they should keep doing what they're doing.

Jake Bernstein: They should keep doing what they're doing. And I think it's critical that we, that you look at that and say that's probably the best way for the government to help here rather than coming in and trying to regulate premiums or coverages or things like that, we just don't know enough.

Kip Boyle: Okay, so the market is so immature that we should let it kind of wring its own problems out at this point. Jennifer, you're nodding your head. So did you want to add anything?

Jennifer Cohen: I absolutely agree with the two of you. I think the government's role in this situation would be, you know, simply a public safety role. You look at Log4j, look at SolarWinds, you know, things that if they get into your system, they can move laterally and shut us all down, you know, Colonial Pipeline type of things. So setting out standards, right, making people aware. The Ukraine situation, there were warnings coming out each day, we were forwarding them to our insurance about this is what you need to do. If there was a time to start preventing risk, now is the time. So you know, trying to keep us safe as a country from a huge cyber attack is a great role.

Kip Boyle: Okay, national defense. And I think the idea of standards is kind of interesting because I agree Jake that they should be setting standards. But I actually think they haven't been doing that well enough because the insurance companies are starting to take a more active role in the setting of standards of actually declaring what really works rather than, oh well here's a bunch of nice to have stuff or here's a catalog you choose.

Jake Bernstein: But I, so the issue there is that just comes down to, in general, people suck at risk management, like, unless forced. Right? And I mean I've been saying this for half a decade, right? Which is like cyber risk management will improve in direct proportion to liability for failure to manage cyber risk. And one of the things that suppressed that for a while was the overabundance and easy availability of cyber insurance, right? Because you could kick the can down the road. That's what people did in the insurance industry is like whoa, hold on now. Like we don't want to insure your own negligence, right? And that's what's changing and it's good.

Kip Boyle: So the hardening of the market, one of the things that it's telling us is that the market is maturing, is that right? Is that fair?

Jennifer Cohen: Absolutely.

Kip Boyle: Okay, so the market is maturing so that and that's good. That's good because then we're gonna have a more stable market, a more predictable market where the rules are more clear, people will know what to do. The chaos that we're in right now possibly is a transitory experience and it's going to shake out at some point. Okay, cool. Well this is it, this brings us to the end of the episode. So I'm gonna ask you Jake for final words, I'm gonna give our guest the last shot at final words. Anything Jake you want to add?

Jake Bernstein: Yeah, I think I want to just finish up by asking Jennifer as she kind of concludes to talk about, you know, how should clients, customers, companies be looking at their own cyber risk investment given the change in the insurance market? And I think that's a good way to conclude the episode.

Jennifer Cohen: Right, so I would say that very simply and I'm gonna, I'm stealing it from Kip, this is a business risk, not a technology risk, it should be part of your business strategy and you need to devote time and resources to it.

Kip Boyle: Great and get help if you need it right? Get a broker, get an attorney, get somebody of Virtual Chief Information Security Officer, whatever you need. It's like something you could get all three.

Jake Bernstein: Why not all three Kip?

Kip Boyle: But it's like a CFO recently said to me, he goes, Kip, I'm so sick of diamonds and carpets, I don't want to do this again. And I said, what in the world are you talking about? And he said, I've had to spend money on diamonds and carpets and I didn't want to get ripped off. So I actually took the time to learn how to buy those things. He goes, I don't want to learn how to buy cyber, you know, cyber controls and which ones are good. He said, I just want you to tell me and I just want to get back to what I'm doing, you know, like, I just wanna get back to my job. And I was like, this is great, happy to help you, right? No diamonds, no carpets, we're good, so...

Jennifer Cohen: I think that can be said about almost any business insurance transaction. You don't need to be the expert. There are people out there that can be your diamond and your carpet buyer for you.

Kip Boyle: That's right, that's right, okay, alright. So I'm going to take this opportunity to wrap up this episode of the Cyber Risk Management Podcast. This is too much. Today, we figured out how to “Survive this Crazy Cyber Insurance Market” and why the market is so crazy. And we did that with our guest, Jennifer Cohen, who was with HUB International, major brokerage, who can help you if you need help. But we're going to see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.