EPISODE 113
Self-Insuring for Cyber Risks

EP 113: Self-Insuring for Cyber Risks

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

August 30, 2022

Cybersecurity is intertwining with D&O litigation and more companies are self-insuring for cyber risks. Why? Our guest is Rachel Jenkins, the Managing Director for Customer Success at Founder Shield. Your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Tags:

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle Virtual Chief information Security Officer at Cyber Risk Opportunities and Jake Bernstein partner at the law firm of K&L Gates, visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 113 of the Cyber Risk Management podcast?

Kip Boyle: Jake, thank you for kicking off this episode. Appreciate it. Today, we're going to look at a couple of important trends with respect to cyber risk management. The first one is that cybersecurity is starting to intertwine with D&O litigation. We'll explain what that is. And then the other thing we want to look at is this new practice, it's actually a really old practice, that's just sort of coming back around again in a new way of self-insuring for cyber risks. And this is organizations that can't or choose not to get a cyber reliability insurance policy, but we're going to take a look at these trends with our guest, her name's Rachel Jenkins, and Rachel is the Managing Director for Customer Success at an Organization called Founder Shield, and she's actually an expert in this area because she's previously worked for insurance broker Marsh, which is a very big organization, and AIG, which I'm sure most everybody's heard of at this point. So yeah, let's do it.

Jake Bernstein: Rachel, welcome to our podcast.

Rachel Jenkins: Awesome. Thank you, Jake. Hi everyone. I'm Rachel, as Kip said, I'm the Managing Director at Founder Shield. We're a full service brokerage that really specializes in high growth VC back companies from friends and family all the way through IPO, looking at industries from telemedicine, fintech, all the fun tech background industries. And we really specialize in explaining where the insurance market is, where the pricing is, in a way that our customers and our clients can understand, and being able to take what they do and explain that in a way that an underwriter can understand and hopefully price super competitively.

Kip Boyle: So Founder Shield, you really do mean an entrepreneur, right? The founder of a venture, that's great. Now Rachel, we've had many people from the insurance industry on our podcast before. We've had brokers, we've had underwriters and most of them have been from the bigger firms like AIG or a big broker like Hub International, but you are really different in the sense that you're focused on founders and pre-revenue companies. So I really appreciate the opportunity to speak with you. Thank you.

Rachel Jenkins: Of course, of course. Happy to be here. And it's an area of business that really needs a lot of support. So.

Jake Bernstein: So let's start by just unpacking D&O litigation. First, when we're saying that we are saying D and O just for so people can understand that. And what does that mean, Rachel?

Rachel Jenkins: Yeah. So D&O stands for Directors and Officers. So Directors and Officers liability insurance basically is ensuring those people who are in those senior management positions as a director or an officer for their management decisions in terms of operating the company, right? So those goals, those strategy, implementation where the company is going, those individuals are liable, right? Their fiduciarily liable, their personal assets can be on the line when it comes to litigation from a shareholder, from a regulator, from a competitor, from a client. So the D&O insurance is one of the most important coverages that come into play.

Jake Bernstein: And in the cybersecurity world, D&O litigation is, I would say probably, I mean, it's new-ish, right. D&O litigation of course is very old, but in the cybersecurity realm, it would be new-ish and maybe explain what you've seen around D&O litigation with respect to cybersecurity, what does that actually look like?

Rachel Jenkins: Yeah. And you're right in the sense that it's a relatively newer kind of, I'll say avenue to try and get coverage, right? When you have a claim, you'll do this thing where you throw the spaghetti at the wall. And obviously if it's a cyber claim, you really try to push that cyber policy, but not all parts of a cyber claim are always covered under a cyber policy. So a lot of brokers, a lot of clients and whatnot are now turning to the D&O policy as well to help support reimbursement. And that's coming into play because five, 10 years ago, you could get away with not knowing about cyber security or putting it down on the lower list of priorities from a senior management standpoint. But now you see cyber attacks, cyber breaches in the news as often as you do see a bankruptcy, right? So now it's becoming a leadership liability to not have had a plan or be prepared to respond to a cyber breach, right. So that's how they're combining.

Jake Bernstein: So let's, and I think this is super important. And I think that for us who are living in this, at least for me, and you probably, living in the world of litigation and insurance, this stuff is commonplace, but a lot of our audience is really on the cybersecurity technical side or they may be. And so I want to break down what we're really saying here is, and tell me if I'm correct, but basically the idea is that directors and officers being, as you said, they have fiduciary duties to the organization that they work for, and that means that they have to do their best to keep the company profitable. Well, basically shareholder value is the key for all of this, but that's obviously a broad requirement. And one of those things that they have to do is keep the company safe from cyber attack. And so are we saying that directors and officers who are completely unprepared for cyber attacks are somehow liable or create extra risk to their organization, and that's what the D&O insurance is for?

Rachel Jenkins: Exactly. Exactly. So D&O insurance in itself is meant to be broad in the sense that it's meant to protect these people from the decisions that they're making, right. At a certain point over the last couple of years, decisions around cyber came into that arena. Right. And that's where I go back to five, 10 years ago, it was okay to have it lower down on the totem pole, but now it's a part of oversight. Right? So as the director, as an officer, making sure that you have the proper employees, team, CISO, CTO, whoever you need in place, to make sure that there's a plan, to make sure that there's proper controls, is just as important as making sure that you have a chief medical officer if you're running a hospital at this point.

Jake Bernstein: Right. And let me ask one thing else, because I'm actually confused on this. The D&O insurance, who does it protect? Who does it cover? Does the company buy it and it protects the company from its directors and officers who screw up? Or does the company buy it for the directors and officers who are the ones that it actually protects. I'm just a little unclear. I've always been a little unclear about D&O insurance.

Rachel Jenkins: Yeah, no, of course. Great question. So a D&O insurance is comprised of several different sides, that's what we'll call it. Side A is going to be your individual director indemnification, right? So that's that fiduciary liability. That's that personal assets that are on the line. That's the insurance company paying that individual directly, paying their defense costs directly. Now there's also side B. Side B is when the company is agreeing to indemnify the individual. So the insurance company will pay the company or the insured company for their defense costs that they incurred for representing and defending that individual. Right. And then there's side C and that's where the entity coverage comes into play.

So a lot of times in these claims, the company themselves are named, not just the individual. So they'll be a portion of the loss that's attributable to the company itself. Now there's further carve-outs that will allow for situations, if an insured person, an insured director or officer wants to bring litigation against the board itself or another director on the board. But for the most part, it really focuses on the side A, side B, side C. So the company buys it, but it's to protect the company and the individual.

Kip Boyle: Okay. Multifaceted. That's good. So you can tell why I'm confused sometimes about D&O insurance.

Rachel Jenkins: Yeah. And you could tell, I go through it a lot, so I have it down to a T.

Kip Boyle: So you're the perfect guest to talk about this. And I want to explore another angle to this if I may. So I'm not involved in litigation, but as a Chief Information Security Officer, the thing that pops into my mind is would I be exposed to these kinds of lawsuits, breach of fiduciary responsibility, just because my title is Chief Information Security Officer, or do I have to be designated as an officer as such in the corporate roles? What are you seeing there, Rachel?

Rachel Jenkins: So these policies are written really broadly because if you look at a board or if you look at officers, people are getting promoted all the time. People leave the board, people join the board. So most policies broadly define a director or officer and sometimes include employees blanketly, right, as an insured person. It covers people who are potentially going to be, right. Because sometimes you could be named as someone who could potentially be a director or an officer and get pulled into something. People who are actually directors and officers, and then past people who were in that position. So it does follow what your bylaws are, right, in the sense that if you're in an officer position at your company, then you would be considered an officer as far as the policies connect.

Kip Boyle: Okay. But a lawsuit could try to loop me in if I wasn't named as an officer in the bylaws, but it was the data breach and I'm the CISO. Then they might try to bring me in because the presumption might be that I was derelict in my duty as CISO or something like that. Is that a possible issue?

Rachel Jenkins: So if you are the CISO, for the all intents and purposes on the policy, they're going to consider that an officer. They're going to consider a CTO an officer position. Even when I was at Marsh, once you were an AVP, you were technically an officer of the company.

Kip Boyle: Okay. See, this is important. This is important for our audience, because if you've never been a CISO before, or even if you have, maybe you are now, maybe you'd like to be one day, guess what? This is relevant to you. This conversation, you might think, oh, insurance, blah, blah, blah, whatever. No. If you are part of an organization that had a data breach, even if you've left that organization, but the data breach, the trail of breadcrumbs goes back to when you were there, you are potentially exposed to this kind of litigation liability. And so you're going to want to make sure that your organization has a robust D&O policy. Is that right, Rachel?

Rachel Jenkins: Yeah, for sure. We always tell our founders, like I said, we work with people all the way from friends and family to IPO, and that's one of the things that we always tell our founders. You should really focus and prioritize this D&O policy, because it could be used as leverage to bring in the right talent, to say that you can be protected by this policy for the decisions that you make.

Kip Boyle: Yeah. Yeah. It's sort of like giving individual employees health insurance, right. It's just like, if you work here, we're going to take care of you, as part of our compensation package is making sure that we have insurance to pay these what no doubt are extraordinary expenses of litigating. And then of course, if you lose, right? So I was looking, I was preparing for the episode today and I was looking at Yahoo's record, right? So in 2014 they had this huge data breach, 500 million user accounts, but it was hidden. It was not disclosed until 2016 when Verizon did its due diligence on the acquisition. And then downstream from that, they ended up doing a settlement with the SEC, $35 million from Altaba, which is the Yahoo successor, and $29 million from Yahoo itself. So, I mean, this stuff can, obviously these aren't founders, right? These aren't pre-revenue companies, but I really thought this was an interesting case in point because the numbers are really huge and this was a very high profile thing. So am I comparing apples to apples here?

Rachel Jenkins: I mean, I think at the end of the day when we look at a cyber breach and a cyber claim, being prepared is so important. And if you're not prepared to respond quickly and within regulatory framework, costs can snowball. And even for someone who is a founder, a cyber breach can be an extinction event, an extinction event for your company.

Kip Boyle: Yeah. It can extinguish your company and then it can actually imperil your financial future. So, yeah, there's a lot going on here. Okay. And so I guess the takeaway from this first topic that we're looking at here, is that cyber incidents are starting to creep into the D&O space. And so you need to make sure that you have great D&O coverage and you need to anticipate this, right?

Rachel Jenkins: Yes. Yes. It's very important. Check the l inaudible policy, understand just how far the D&O will cover cyber related names and whatnot. Right? That's going to be the caveat, right. Because carriers are catching on as well and adding things to their policy, right. So the biggest takeaway is make sure you do have that D&O policy in place and make sure that you just truly understand the extent of where coverage lies for cyber related.

Kip Boyle: Okay. And if you have any, what do I want to say? Not exemptions, but...

Rachel Jenkins: Exclusions.

Kip Boyle: Exclusions. That's the word I was looking for. Thank you. A guest assist to the host. I really appreciate that. Let's move on. I want to talk now about this second area, which is this idea of self-insuring, right. That organizations are starting to choose to self-insure for cyber rather than to buy or renew a cyber insurance policy. And we actually are working with a customer right now that came to us. They were in exactly this situation, they had purchased cyber liability insurance for 10 years, went to do a renewal and found that it was not economic. So the premium had quadrupled, the coverage had been cut in half, the retention went up. I mean, it was just, it didn't make sense for them to buy it. And so they said, well, we're going to self-insure for cyber.

And when I first heard them say that, I thought self-insure for cyber, what is that? And then after a couple more minutes, I was like, oh, you mean what we used to do back before cyber insurance was a thing. We're just calling it something else now, and a different person's making the decision, because this is actually the risk manager, right? The corporate risk manager is making that decision, not the CISO, right. Not the VP of IT, not the CIO. So I thought that was really interesting, but what's going on here? Why are people doing this, Rachel?

Rachel Jenkins: Yeah. I mean five years ago, it was the opposite. The risk transfer on insurance to cyber risk was so profitable. Cyber policies were like a thousand dollars. You know what I mean? You could get a million dollars of coverage for a thousand dollars. We're in a really hard market. And that is so far from the reality of today. And there are a lot of clients who have improved their controls or have best in class controls, no changes in revenue, whatnot, and they're going into their renewals and they're getting hit with hard, hard renewal pricing. I've seen some other brokers reports and they've been showing a hundred percent, a hundred plus percent increases in renewals.

Now I'll say this as a broker, as someone who's a risk management advisor, I can never tell you to self-insure. I can only help try and advise you as best as possible, considering that at Founder Shield we really try to think of ourselves as an extension of your internal risk management team. Now what insurance adds is, especially on the cyber side, is it adds preparedness. And the sense of when you have a cyber breach, there are a lot of different vendors that need to be activated quickly. And when you have a cyber policy, they have that organized for you, right?

Kip Boyle: Right. Jake and I have responded to several incidents where there wasn't cyber insurance and we've done it with organizations that had cyber insurance. And there was a very different, it was a very different experience, right. Because of what you're saying.

Rachel Jenkins: Yeah. Yeah. So I think that's the biggest thing that you have to face, right. If you're going to self-insure basically what you need to do is create your own version of an insurance policy, right. You need to go out, find those vendors, already established breach response plans and put those in place with them. Because I tell even my client with the best controls and I, in my background, I've seen billion plus companies say, okay, my cyber controls are so great that I don't need cyber policies. Now this was a couple years ago. And I hope those companies have bought cyber now, considering that the environment has changed, but it's not an if, it's a when. And the key is to try and have as many secure controls as you can have in place as possible to mitigate and minimize that once in a lifetime event, because it might happen with all the controls.

Kip Boyle: So that's the operational side, which I agree with you and fully appreciate. Do you think that organizations that are choosing to self-insure may also need to financially set aside money in reserves to cover, because a lot of the costs of a data breach comes in the form of regulatory fines, litigation costs, right. These are things that are not strictly speaking part of the response, the technical, operational side of it. So there's a whole other dimension here that I'm looking at and I'm wondering, okay, well, how do you self-insure for the sometimes extraordinary expenses that happen in these other dimensions?

Rachel Jenkins: Yeah. I mean you would have to literally just set aside a sum of money, right? After you do your business continuity plan and identify the vendors, right. You would have to do loss analysis and predictive... And there's vendors out there that you can work with that will help you try and generate an idea of what a 50% frequency claim will look like versus a 99% claim in terms of what is a reserve amount that's appropriate to set aside. But it's the same case on the D&O side for companies that don't purchase D&O insurance, you should bet that they have reserves set aside for litigation, and that could tie up a lot of your capital, right? So that's what we end up talking about is if you are a company that's in a growth mode, and I get having to consider the budget versus the coverage, but at a certain extent, can you really tie up that much capital, when you could risk transfer, I'll bet at not the best interest rate, quote unquote, that you used to get, but you have to set aside a certain amount of reserves, right?

And you have to spend the money to meet with the vendors to be able to do the predictive analysis, to even figure out how much money you should be setting aside. Now, with that being said, I think a lot of the claims reports that you can read in terms of frequency is going to put a claim, right between that 500K million range, right. In terms of a frequent style event. So you have to be prepared to have at least a portion of that set aside.

Kip Boyle: Right, right.

Jake Bernstein: Problem though, is that the risk of a much higher claim isn't as low as people may think in this space. And that's the issue here. I think what's fascinating here is, you mentioned a moment ago about the hard market, right? The hard market in cyber insurance. And I was realizing just now that, how does that interact with the D&O market? Because we were talking earlier about how companies will start to turn to their D&O insurance to deal with aspects of a cyber attack. Is that tightening up? Is it becoming harder to get anything out of a D&O policy that's related to a cyber insurance or a cyber claim?

Rachel Jenkins: For sure. For sure. I mean, the D&O markets are responding as well, and it's that spaghetti on the wall scenario. And with COVID and the last, I would say three or so years, we had a hard D&O market and a lot of the cyber stuff was spilling over, trying to be reported. And this is how you have the creation of new policies and this is how you create extensions and tech E&O didn't exist until E&O professional liability carriers push back or whatnot. So that's what we're seeing right now is D&O carriers and cyber carriers saying, I don't want that portion. You take it, you take that portion.

Kip Boyle: Now E&O, you mentioned that, I just want to make sure everybody knows E&O is Errors and Omissions insurance, correct?

Rachel Jenkins: Yes.

Kip Boyle: And that's different from professional liability and that's different from general liability, correct?

Rachel Jenkins: It's the same as professional liability.

Kip Boyle: Ah, it's a synonym. Okay.

Rachel Jenkins: Yes. Professional liability and errors and omissions are going to be the same. And if you have a tech company and you have a cyber policy, you're usually going to want to see a tech E&O extension on your cyber policy as opposed to getting a full professional liability policy. And what happened is, what we're seeing now, is the claims were occurring and they were being pushed to the cyber policy because they were failures and technology claims, they weren't professional services claims. And so the cyber market reacted by starting to provide true coverage for that, right. So that's what we want to see now, where is true coverage for these D&O related cyber claims going to really fall at the end of the day.

Kip Boyle: Okay. So one of the takeaways I think for our audience is, if you are listening to this podcast and you are a risk manager, well, I think this is going to directly inform how you should be thinking about the purchase of cyber insurance and whether you should recommend, probably to the CFOs maybe who you report to, whether you should even recommend a self-insurance approach. Now, if you are a Chief Information Security Officer or director of IT or something like that, and you've heard somebody say, Hey, we're going to self-insure for cyber. You need to go find your risk manager and you need to ask them, what does that mean? What are we doing about that? What's my role in that, because if you're going to self-insure, as Rachel just said, you need great controls. Well, which controls do you need? And what I tell my customers is, well, you know that huge list of controls that the insurance company was telling you that you needed? Yeah. Those are the ones you need.

So even if you don't buy the policy, you should still implement the controls that they were recommending. The reason they're recommending them is because they know that those particular controls decrease the risk of a claim, which is what you want. And so yeah. So if you're in charge of operational cyber security in any way, shape or form, you need to go talk to your risk manager and say what are the controls that we need in order to prevent or greatly decrease the risk that we're going to have an event, but without insurance. So yeah. So that's the takeaway for our audience. What do you think, Jake, if there's somebody who's listening and their role is general counsel, inside general counsel, is there something that they should be doing?

Jake Bernstein: Well, I mean, I think that GCs have for a while been plugged into the cyber insurance world. And I think a lot of them are experiencing that harder market right now. I mean, it really just flipped. And I know we talked about this and have talked about it in the relatively recent past, but it's a point that is so critical to understand is that we are talking about a reversal in this market over relatively short, actually really, almost overnight. I mean, it feels like, oh, everyone could get cyber insurance.

Kip Boyle: Oh, nobody can.

Jake Bernstein: And then now it's like almost nobody can. And so we talk about choosing to self-insure and I'm not sure that that's necessarily accurate. There's going to be a lot of companies that don't have a choice. They're going to be self-insured by default because they won't be able to get coverage.

Kip Boyle: Yeah. Some of them can't. Some of them are getting quotes that they don't think are economical. They could still purchase, even though they don't think they're getting good value for the money, but you're right. There's some out there that can't get, they they can't even get quoted.

Jake Bernstein: Yeah. That's the thing, is that there are somewhere that you can't even get a quote. And I think what's going to be really interesting is, I'm guessing that some of these, whether it's professional liability, E&O, or D&O, some customers are probably trying to indirectly get cyber insurance. And I think what we've learned today is that that is increasingly not going to work either. The D&O underwriters and insurance companies, and even the brokers that are working with them, know that that's not happening as much anymore. A lot of this stuff is being excluded, at least with respect to a standard coverage, just coverage of the company. I do have one last question though, for you, Rachel, which is how would things interplay if, let's say that a company wants to sue its own officers or directors for failure to adequately prepare for a cyber attack? What does the D&O cover there? And how does that...

Kip Boyle: When an organization sues itself?

Jake Bernstein: Well, but remember, the legal entity is distinct from the directors and officers. I mean, it's part of the whole... Corporations are a legal...

Kip Boyle: But that would be a great internal schism though, right? I mean, because typically they move in concert.

Rachel Jenkins: Yes.

Jake Bernstein: Well, I mean it happens quite a bit. I mean, usually it's a shareholder derivative suit, where the shareholders on behalf of the company are suing the directors and officers for some kind of major.... Usually, it's almost always a loss. I mean they have to show a loss of shareholder value due to a breach of fiduciary duty. And so...

Rachel Jenkins: No, Jake, you hit the nail on the head. That's what it is. It's a shareholder derivative demand coverage. Most D&Os policies have it. And if you want the D&O policy to respond, it's going to, for the most part, have to come through a shareholder derivative demand suit.

Jake Bernstein: So that is the situation that we're talking about here. And it's an interesting thing, right? Because we're in this, I mean, I don't think it's going to be too long before it's just a standard matter of fact, everyone understands that just like directors and officers are responsible for general management of their companies, they are responsible for general management of the cyber risks. And I think why this is so important from our perspective as this works its way through the insurance system and the courts and the law, is that one of the things we often talk about, Kip, is cyber security has to start at the top. Right? You can't really have bottom up, you can't have effective bottom up cybersecurity would be my argument.

Kip Boyle: No it's exhausting. Let me tell you.

Jake Bernstein: It's exhausting. Right. It has to, you have to have plenty of support and it has to start at the top. And this whole discussion is really about the recognition that it has to start at the top. And that's why directors and officers are even concerned about this now is that they have to be.

Kip Boyle: Right. Right. Right. So let me ask another question please. And this is for you, Jake, is it reasonable to not buy cyber insurance when you're offered a quote?

Jake Bernstein: I mean I, well, I think the answer is it depends, Kip, and I mean...

Kip Boyle: What does it depend on, Jake?

Jake Bernstein: Well, I mean, it depends on, I mean, there's easy ways, right? If I'm going to charge you a million dollars a year for a million dollars in coverage, that's not reasonable. That's not reasonable, right? But what if I charge, what if I'm saying, okay, I'll ensure you at $250,000 premium for a million dollars of coverage. That's not a great deal, but I don't know that it's per se unreasonable. I also don't know that it's necessarily reasonable to buy that. So it really depends.

Kip Boyle: I just think it's really interesting, isn't it? Right? Because you might get accused of practicing unreasonable cybersecurity because you didn't purchase insurance and then you go and respond and say, well the quote was outrageous and then the counter claim could be, it was outrageous compared to what you've paid in the past, but you could have still bought it.

Rachel Jenkins: And I want to say, I want to connect something too on that is usually when you see a premium like that, unless it's like a billion dollar plus tech company, they usually don't have the controls in place, right? That's usually what's driving the premium outside of the end class of business in the industry. Right. So it's a double edged sword. I was just talking to a client the other day. I said, I know you've put all these controls in place and now you have like a 99% score, but the carriers are expecting you to have 99% score. They only want business with a 90-95% score. So while you thinking that you're an A plus risk for having controls, they're just saying, well, we'll just consider writing you now.

Jake Bernstein: No, and that is such, that is so, well, one that's such a change, but it's also like, I mean, in a way, it really, it's going to be an adjustment for the cybersecurity insurance purchasing market, right. The people that are used to buying it, and tell me if you've heard this before, Rachel. Oh, I don't, we're just going to buy insurance for cyber, we're not going to really worry too much about it internally. We'll just buy a policy, right?

Kip Boyle: Instead of controls.

Jake Bernstein: Instead of controls, or instead of doing it like oh, it's going to be really expensive to hire a CISO and a whole team and get cybersecurity in order. We'll just ensure. And I think what the insurance companies are saying now is, well, hold on. We're not even going to consider writing you a policy unless you have controls in place.

Kip Boyle: Yeah. And you know what, people shouldn't be too shocked at that because do you think you could get a fire insurance policy if you had a building that had no interior sprinkler system?

Rachel Jenkins: Exactly.

Jake Bernstein: Right, you couldn't.

Kip Boyle: You couldn't, I mean, you would probably say, but I don't want to build a building with interior sprinklers because that's expensive. I don't want all those controls. It's just too much money, right. And the water, but it's like, no. This market is maturing. This is part of the maturation process.

Jake Bernstein: That's a good way of putting it.

Kip Boyle: And you have to keep up with this.

Rachel Jenkins: Yep. It's hard for them because three years ago you could get a very cheap cyber quote with your URL, your revenues, and your industry. You know what I mean? But those days are gone and I'm constantly having to explain to people, it's like, why are they asking so many questions? Why are they asking so many questions? Well they spent 10 years building a book of business that they didn't know anything about. And now it's on fire. So all the questions. They're asking every single person all the questions.

Kip Boyle: Yeah. I mean, to me, it's also similar to the construction industry that 20 years ago or whatever, it's like hard hats, eh, optional. Gloves? If you want. And now it's like, no, you can't build skyscrapers without all this security paraphernalia and the boards on the job sites, right. X number of days without an accident or whatnot. Right. That's a massive cultural change from where they used to be for millennia, probably, we're going through the same thing.

Rachel Jenkins: Exactly. And it's all for the good. It's all for the better. It's better for the consumer. Because you would want to work with a company that is treating your data with respect, honestly.

Kip Boyle: Yeah. Yeah. For sure. It's true. Well, Rachel, thanks for being on our show. If people want to connect with you, how would they do that? Where would they go to find out more about Rachel and maybe send you a note?

Rachel Jenkins: Of course. Well, you can find me on LinkedIn, follow Founder Shield. I do a lot of informational articles, different things with Founder Shield and other partners. If you have a direct question that you think I would be able to help you with, you can email me directly. I'm happy to talk to people directly. That's rachel@foundershield.com. Otherwise, if you do need insurance assistance, you can reach out to one of our lovely brokers via our website at foundershield.com.

Kip Boyle: And you're based in New York City, is that right?

Rachel Jenkins: I am based in New York City. I am. Love it.

Kip Boyle: Excellent. Excellent. Okay. Eastern Time Zone. All right. Well, thank you, that wraps up this episode of the Cyber Risk Management Podcast. Today, we looked at two important trends with respect to cyber risk management. The first was that cybersecurity is starting to intertwine with D&O litigation and therefore affecting your insurance policy in that area. And the second important trend is the new, but really old, practice of self-insuring for cyber risks. And we did that with our guest, Rachel Jenkins. Thanks so much. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.