
EP 139: How to Use Cyber Insurance as a Cyber and Privacy Risk Management Tool
About this episode
August 29, 2023
How does an attorney think about using cyber insurance to manage cyber and privacy risks? Let’s find out with our guest Jane Petoskey. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Episode Transcript
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, Partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Jake Bernstein: Hi everyone. This is the last of three episodes without Kip, and today on episode 139 of the Cyber Risk Management Podcast, we're going to be discussing cybersecurity insurance, but we'll be taking a different focus than we have in the past with our guest and my colleague Jane Petoskey. Jane, welcome to the podcast.
Jane Petoskey: Hi. Thank you very much.
Jake Bernstein: So why don't you go ahead and introduce yourself to our listeners. Let them know who you are, I'll just spoil that and say you're an associate at K&L Gates. But what about your background makes you particularly well-suited to discussing cybersecurity insurance?
Jane Petoskey: Hi everyone, I'm Jane Petoskey. I've been practicing as an attorney for nearly eight years where I've worked at three different law firms. I work with Jake at K&L Gates where I'm an associate attorney in our technology transactions practice group, and I primarily assist clients under our data protection, privacy and security focus area. I work primarily on a lot of proactive compliance matters that relate to data privacy and security issues. I started my practice in 2016 where I primarily worked as coverage counsel for insurers that issued cyber and privacy insurance policies to US insureds. And I also helped write some of the policy endorsements and parts of policies. In 2019, I became incident response counsel where I primarily dealt with data incidents and breaches in the low thousands. So I was working on an average of 5 to 10 a day-
Jake Bernstein: That's a lot of breaches. And real quick, when you said coverage counsel, what does that mean exactly?
Jane Petoskey: So coverage counsel, I was primarily helping through the Lloyd's of London Insurance market, evaluate claims that were submitted under privacy and cyber insurance policies. So seeing if there was coverage for a given incident or breach.
Jake Bernstein: And that was before you were incident response counsel. So that's pretty good preparation for being incident response counsel.
Jane Petoskey: Absolutely, yeah, understanding the underwriting process and risk evaluation really helped in terms of being breach counsel and moving from coverage counsel.
Jake Bernstein: Great. So we're going to definitely dive into, I think, that experience. Like I mentioned, it's a different perspective than many of our previous insurance-related guests have brought. But let's go ahead and start with this question. Why is insurance only just a part of cyber and privacy risk management rather than the end-all be-all? Because for a time, I think all too many entities, both public and private, kind of thought that it was.
Jane Petoskey: And I love starting with this question because for most listeners, I'm sure this seems like a simple question and it is, but the answer is unique to each organization that asks and discusses this question. And in our current year, if an organization is not discussing this question, it likely needs to take a closer look at its cyber and privacy risk management program. So apart from insurance and a risk management program, an organization should also understand at a high level its cyber and privacy risks to its business. And that can even take into account whether it's worthwhile to have a cyber and privacy insurance policy.
Jake Bernstein: And by the way, I'm going to interrupt you a lot because that tends to be how I go on this podcast. I think it's worth highlighting for a moment how much that has changed over the last few years. It used to be that everyone automatically should buy cybersecurity insurance policy, basically no matter what. But that has changed and we'll get into why later on, I don't want to preempt the whole script. But I think it's a really important point for people to understand to the extent they haven't already run into that themselves.
Jane Petoskey: I completely agree. And there's difficulty for a lot of organizations in not having a cyber or privacy liability insurance policy because a lot of their contracts may require it. And so there's this balance between being contractually required to have one and it just being too expensive, when you've been focusing more on your security measures and potentially going without a policy.
Jake Bernstein: And if you have a limited budget, what is better? Is it better to be so called self insured? And that's kind of this bang for your buck concept. There's a lot of costs with insurance policies that people don't necessarily look at. Obviously you have the premium, but that really is just a piece. One of the things that I think sometimes people are surprised about is the retention or what we would call a deductible in the private industry. What kind of trends have you seen regarding retentions and cyber policies over the years?
Jane Petoskey: Yeah, so we'll get into this in a little bit further, but in terms of trends, the more time goes on, the more information underwriters have and understand risk, even though risk changes constantly. So with that time and understanding and better information to underwrite policies, we're seeing things like a much lower limit on wire fraud claims and that would differ from the rest of the policy typically where you'd see a higher limit for direct data breach costs. So you're seeing kind of changes in numbers, in policies, in reaction to just a better understanding of the landscape.
Jake Bernstein: And I think that's worth a discussion of underwriting. And I don't honestly remember, I'm sure Kip would correct me if I was wrong, maybe he'll put a link in the show notes. But I don't remember if we've talked about the underwriting process before on this show, and part of the reason for that is as recently as two or three years ago, maybe there wasn't all that much of a major underwriting process. Can you just kind of tell us what is underwriting, why is it important and how can it affect the type of insurance that you're going to be able to buy as a company?
Jane Petoskey: So underwriting at a high level is not per se hyper-focused on a specific insured, but really underwriters understanding how to write a policy for industries, and that's certainly evolved over time. Underwriters will assess the risk landscape to have a better, more accurate policy that reflects the correct limit and retention they should be offering, as well as the premium, to kind of best fit both parties. And as we've seen over the last five years or so with ransomware, I mean even this year with ransomware hitting specific industries, underwriters take a closer look at those industries and have more information to assess how to best write the policy for both parties.
Jake Bernstein: My understanding is that the goal of underwriting is to match risk with the premium being charged and everything there. So essentially, so the insurance company makes a profit, isn't that the goal, right?
Jane Petoskey: Yes.
Jake Bernstein: And I think with the underwriting and the policy language itself, there's a very careful, and I think difficult-to-define, line sometimes between what are people going to buy versus how much are we going to pay out? And I think up until relatively recently, it was out of whack. I mean, insurance companies were paying way more out in coverage than they were bringing in in premiums, and that's not a good recipe. So I think all of this kind of goes to insurance and the availability of it. But let's take one step back and look more at, what does a typical cyber and privacy insurance policy even look like these days? And maybe how has it changed over time? What should people keep an eye out for and what's going on that they should know about at this point?
Jane Petoskey: So for additional context, cyber and privacy policies were quite new back in 2010 and I started my practice in 2016, assessing coverage under cyber and privacy policies and providing coverage opinions. So back then and today you'll typically see both first and third party coverage agreements and first party coverage agreements typically cover direct loss or damage to the insured, whereas third party coverage agreements typically cover claims made against an insured. So that might be where you had a data breach and personal information belonging to a customer or client who's the data owner of that information that you're storing or processing was involved.
So there might be a third party claim made against you by that customer or client. And back in 2010 and a little bit after that, I mean there was much less clarity for the underwriters as well as insureds. And I like to talk about silent cyber when I talk about insurance 5 to 10 years ago in terms of cyber and privacy liability insurance because back 5 to 10 years ago, and wire fraud's, really a great example of silent cyber where insurers under different lines were confused and trying to push away from coverage of certain incidents that only partially touched them.
So crime policies, cyber policies, some professional liability policies, back 5 to 10 years ago seemed to provide partial coverage for a given wire fraud incident for the loss of funds. Maybe there was a data breach involved and personal information was affected, or it was just spoofing or social engineering. So there was this big push about five years ago to make policies clear and get rid of silent cyber so the insurers and insureds understand what's actually being covered. So I just think that's a really important thing when you think about the evolution of insurance.
Jake Bernstein: And do you think silent cyber is kind of dead? I think given the evolution in annual renewal cycles, I don't think I've seen silent cyber as an issue recently.
Jane Petoskey: I agree with that. I would say that inherently there's always going to be silent aspects of insurance and especially cyber and privacy insurance because the risks are constantly changing. Threat actors are constantly changing how they are attacking different companies. And so with our technology also constantly changing and security measures changing, I think while the intent is to not have it, and insurance companies have been good to clarify the policies, I think there's just an inherent nature of cyber and privacy that there will be some silent issues.
Jake Bernstein: And I wonder if we can think of an example of, I mean one example is the war exclusion definitely, basically... and by the way, when you say silent cyber, what does that refer to? Does that mean that the policy is silent on cyber, so it applies if by its language it would otherwise apply? Where did that phrase come from?
Jane Petoskey: Yeah, I agree with where you're going with that. So silent cyber came from really multiple lines of insurance potentially being triggered and none of them being explicitly clear on full coverage of an incident.
Jake Bernstein: So nothing said cyber, but they still applied.
Jane Petoskey: Yeah.
Jake Bernstein: Interesting. Okay. So let's go ahead and talk a bit more about the claims process. What are we seeing these days? What kind of claims did you used to see? And then how has the process evolved over time?
Jane Petoskey: Yeah, so I think we've touched a lot on how making a claim back in 2016 is much different than making a claim today. Underwriters had a lot less information and a lot of claims were... when I was coverage counsel, we tried to find ways to cover things if they were mostly seeming to be covered and not kind of test the litigation waters because there was not as much coverage litigation and it was pretty scary as an insurance company wanting to avoid litigation for not covering something that relates to the silent cyber issue again. Oh, go ahead.
Jake Bernstein: So let me just unpack that because I think that's really useful for people to understand. The insurance companies had a choice, really they always have a choice, back then in particular. And the choice is do I provide coverage under this policy or do I not? Do I try to deny the claim? And what you're saying is that at the beginning of the cyber insurance marketplace, the policies weren't necessarily written tightly enough because they didn't know, they couldn't have written them tighter because they had no data.
And what that meant was they simply were doing the typical litigation risk analysis where they were feeling like, even if there's a 50/50 chance that we win this across a ton of different coverages, they probably just felt that it was cheaper in the long run or maybe reputationally cheaper to just pay the claim. And at some point, boy did that sure change. I don't think we've seen an avalanche or a flood, whatever metaphor you prefer, of coverage disputes in cyber, but they definitely happen more often now than they used to.
Jane Petoskey: I agree. I agree with that and I feel a sense of less fear, and I think that comes from, I mean, we're seeing insurers not renew certain insureds. We're seeing them getting kicked off of their policy when they've made a big ransomware claim that year that's cost the insurance company up to the limit. So I think there's just less fear given the evolution that just has occurred with time passing and more information being learned in this area. A broker recently said to me that she views cyber and privacy insurance now as similar to E&O insurance 25 to 30 years ago. So it's just the time and information that underwriters have to honestly write more accurate policies for the risk.
Jake Bernstein: Got it. One of the things we've, as far as I know, again, never really done, is talked about the claims process itself. What are some risks that a company should be aware of when they're considering making a claim? And just to kind of set this up, many people, I don't want to say everyone has had the experience of a tiny fender bender or a scratch on your car. And you have this question, do I submit a claim for this little tiny car accident? And we all kind of know that if we submit a claim, our rates might go up. But on the other hand, it doesn't seem like in that context there's a ton of risk other than just paying out of pocket for not making a claim. Is it the same in corporate cyber policies or are there other things to consider and what would those things be?
Jane Petoskey: Yeah, and again, I would say 5 to 10 years ago it was not a big deal to submit a notice of a potential claim or actual claim, but now I'm finding myself way more frequently discussing with clients the risks in submitting even a potential claim or actual claim. And this all relates to what we were just talking about: their premium may spike the next year, they might not be renewed at all. So assessing, and practically speaking, if they have a bigger policy, is the incident even worth submitting as a notice of claim, because they might not even hit their deductible or retention to trigger the policy. But that doesn't mean they won't still probably have to report it on the renewal application.
So it's really a balance of what does this incident or breach entail? What is your coverage and what are the potential ramifications of submitting a claim? Well, you ultimately have to still disclose it on your renewal application, considering all of those things. So it's a lot more risk analysis than it used to be.
Jake Bernstein: Actually sounds pretty complicated. And what's even more so is that one of the reasons to keep such a close eye on your retention is again, analogous to a car insurance, you may not even hit your deductible, which means that you're making a claim that may affect your coverage in the future or your premium or your deductible for that matter without actually getting any benefit from the insurance.
Now to be clear, if a company has suffered a major breach, usually it's a no-brainer, right? You're going to report, you're going to make the claim. But I think one of the things that's been interesting, and maybe even more so for you, and we'll talk about this in a bit, but moving from incident response counsel to K&L Gates and doing much more of a compliance risk management role with clients, there's a lot of gray area in incidents and the question of is it a breach? Is it something that we would even need to report for renewal? Obviously a ransomware attack, anything like that, you'd have to report.
But there are plenty of examples of situations that might be as simple as we were involved in a business email compromise, but it was not on our side at all, right? We just didn't pay any money. It just involved our customer. Is that a claim that you should make? Do you even have any expenses? And I think that kind of stuff comes up a lot more often now than it did when it was just, oh yes, it's something related to cyber, I'm going to just report it. And I didn't realize, I just kind of rambled there, but do you have any thoughts on what kinds of situations these days really should require more thought as to whether or not you're going to make a claim?
Jane Petoskey: Your example probably includes contractual obligations between the parties, and there's a lot of things that go into it, and that's often why lawyers are brought in to analyze. It's not just a simple broker question of do you think I should submit this? It's more like it's really necessary, I'm finding, to bring in counsel to assess if it should be reported and what information should be reported and how it should be reported. And to your point, if it's just an incident and no evidence of compromise, that's on the lower risk scale of needing to report that.
But in your situation where there was a business interruption of a third party, if they host your personal information, you're likely impacted in some way by that. And so insurers might also push for indemnification or subrogation if you had some kind of loss that was really caused by that third party, the insurance company would be obviously hoping they should be on the hook for.
Jake Bernstein: And you just used a word subrogation that I'm not sure we've used before. What does that mean?
Jane Petoskey: So subrogation, I mean in practicality it's often not actually sought out, but subrogation or indemnification typically comes up in that example of a third party that has caused some damage or loss to the client: the party that caused the loss or damage should be responsible for those costs.
Jake Bernstein: Got it. So then the subrogation is when your insurance company tries to recover its costs by going after the party that caused the damage. It gets very complicated.
Jane Petoskey: It does. And again, in practicality, I may have referenced the subrogation or indemnification obligations in a coverage letter, but I never saw that actually play out because it was a point where insureds and insurers really align for the most part. They both don't want that loss. And so I never really saw that play out.
Jake Bernstein: Got it. Okay. So with our remaining time, let's turn to the renewal process. And we've talked about this on the podcast before, but with kind of other focuses, and I'm just kind of curious, what should we know about renewing insurance coverage today in the current climate?
Jane Petoskey: So today, what you're more likely to see, depending on the size of the organization and how big of a policy they have, when they're going through the renewal process, it's become really burdensome. And I would say it's become more difficult to answer questions. But for two reasons, because they're sophisticated questions or because they're vague questions and-
Jake Bernstein: Those are opposites. But yet I totally know what you mean. They both are hard.
Jane Petoskey: Yes. And again, that's why I recommend, you typically did not need to bring in counsel to help you with a two page or even half page renewal application 5 to 10 years ago. But today you're seeing 10 to 15 page renewal applications and obviously you want to avoid misrepresentation, but when you have those vague questions, that's when I really recommend counsel be brought in to review your responses to make sure they're accurate to possibly impossible questions to answer because they're so vague. And how do you actually answer that.
Jake Bernstein: And the risk, I think we have talked about the risks of answering questions incorrectly is that the insurance company can just deny coverage and say that you committed essentially insurance fraud during the application process. And even-
Jane Petoskey: I haven't seen misrepresentation play out either.
Jake Bernstein: No, I haven't either.
Jane Petoskey: I think more realistically they're going to find a way to legitimately deny a claim and not renew you the following year. It doesn't mean it can't happen, but I haven't seen a misrepresentation or fraud claim leading to an insurance company immediately kicking off an insured.
Jake Bernstein: Yeah. One of the things that you and I have seen recently that I think we've never talked about is something called the period of restoration. And we see this more and more, it relates to business continuity policies and things like that, but what does it mean and why is it important to pay attention to that, particularly when you're renewing a policy and you're already distracted because your limit went down, your premium went up, your retention went up, coverage seems less. And there's this other thing, and it's not always called period of restoration. I've seen other names for it.
Jane Petoskey: I was going to say waiting period.
Jake Bernstein: Waiting period. Yes. What does that mean? What does a waiting period or why does it matter?
Jane Petoskey: So I was going to bring this up as well. So, let's just walk through an example to fully understand this. So let's say in your renewal, in your new insurance policy for the next year, the insurance company changes your waiting period from two hours to six hours. And maybe you don't catch that or don't think that's a big deal, but that period is used in business interruption scenarios and that is the waiting period literally from when the business interruption starts to that amount of time. And then that is when the claim starts going. So those two or six hours would be excluded from coverage for the loss that you incur during that time, and then it starts ticking away at your deductible or retention and going up to your limit. But for a client where time is of the essence, and maybe it's an event and the majority of that event occurs in two hours, changing two to six could be worth losing millions of dollars that aren't covered at all under the policy.
Jake Bernstein: I mean that is such an important point because it seems like such a minor change. Like you might not even notice it. And it does depend, right? For some businesses and some industries, the change might be from two days to four days. But what we're really talking about is to pay attention to these waiting periods because whether it's two hours to four hours or two hours to six hours or one day to three days, even though they don't look like big changes, they truly can have immense consequences down the line.
I think a simple one might be a DDoS attack that takes a website down for a few hours. And when the website is down because of the attack, you're losing revenue. If you're a busy website, a couple of hours could be a lot of money, and if the waiting period was increased from two to six hours, you may never hit six hours down, which means that that policy is never going to cover one of the perhaps most likely events. That's really something to pay attention to. It's a way for coverage to be lowered in, I don't know, I guess a non-obvious way.
Jane Petoskey: In circling back to the start of our conversation, just as a part of risk management, if you haven't prepared any type of assessment of financials of what would two or six hours look like, and if you haven't taken that into account as a part of your total risk management package, that's where you're missing out on understanding your coverage, paying probably too much for your premium and not putting in enough time of assessing your risks and having a stronger risk management plan.
Jake Bernstein: And to make that concrete, we are saying make a spreadsheet, put numbers into the spreadsheet that calculate maybe to the hour, maybe to the day. It really depends on your industry, what your revenues and costs are. And what you then can do with that is quickly be able to evaluate a large number of things, but in particular the value of a cyber insurance policy with these waiting periods.
Jane Petoskey: And you're even more prepared to respond to how burdensome, time-consuming and frustrating making a business interruption claim is. It's very difficult, and forensic accountants are brought in, and if you have no understanding of that, it's going to be such an uphill battle.
Jake Bernstein: And that's a good point. It reminds me that I was working an incident that happened at this point two years ago. The claims process, specifically the business interruption claims process is still going on. And yes, that client is not happy with their insurance company, but that's what happens. And I think, again, as part of the overall, you have to understand the nuts and bolts of the insurance and how it works before you can really understand how it fits into your risk management plan. Because if you think that, "Oh, I'm just going to get all my money back within a month," let me tell you that is not the case. And it might be that your plan was to get that back, even say within three or four months and two years later and you're still waiting. That could be the difference between having an operational business and going out of business. So these things are really important and it's really worth understanding.
Jane Petoskey: Especially in today's environment. Absolutely.
Jake Bernstein: Yeah, I completely agree. So what about enhancing security measures? This is something that you and I have talked about, and Kip and I have talked about it and we've talked about it with other guests, but are insurance companies, and this is perhaps pure speculation, but what role do you think enhanced security measures are going to play in the coverage, premium, retention, negotiations?
Jane Petoskey: Yeah, I'll start with the statement that having MFA implemented is no longer an aspiration, it's a requirement. Like you're seeing that's going to turn from what may have been no question or a broad question on an insurance renewal application of what security measures do you have in place to a check-mark box of yes or no: do you have MFA on every system that hosts personal information? So there's definitely more onus on security measures in place. So insureds are actually taking steps to avoid having to submit an incident or breach.
Jake Bernstein: No, I think that's it. I think that that is the big shift, and I think that is a good argument for, one, making sure that you're getting help to fill out an insurance renewal application. Two, making sure that you understand your business continuity risks when you're dealing with business continuity insurance, which, by the way, is what cyber insurance often is. When you suffer a ransomware attack, people focus on the ransom. But if you think about it, it's also a business continuity claim because more likely than not, you're not functional as a business during the days or even weeks that it takes to recover from that attack. And sometimes the loss of business opportunity is worse than the ransom payment, which is why people pay. That is why people pay.
Jane Petoskey: And I think we've given listeners a lot to digest, but one positive I think you can take away is that when you're working on just one component of your full list of your risk mitigation plan and you're looking at... if you're enhancing your security, for example, you are likely improving every other component of your risk management plan. So when you're working on security measures, maybe you're doing a pen test, maybe you're assessing vulnerabilities and trying to patch and take care of those proactively, you're also preparing yourself to have stronger answers to your insurance renewal application and you have a better understanding. And teams are probably talking across the organization, IT, legal, et cetera, and actually communicating and understanding risk and fixing that and being able to communicate again on the renewal application. So all of the components of your risk management plan really overlap with each other. So I think a good thing to take away is when you're working on one of those, you're likely improving and strengthening all of them.
Jake Bernstein: Which I think is a good argument. It can be difficult to measure return on investment in cybersecurity, but it is getting easier, if for no other reason that having stronger security measures in the first place may actually decrease your premium, whereas that frankly wasn't true in the past. So Jane, we need to wrap it up. I want to thank you for being on our show and having a great discussion about cyber insurance from a legal risk management perspective. If listeners want to find out more about you, where can they go?
Jane Petoskey: They can go to my profile on klgates.com or they can go to LinkedIn and search Jane Petoskey.
Jake Bernstein: Thank you very much. Okay, that wraps up this episode of the Cyber Risk Management Podcast. Today we learned more about the claims and renewal processes for cyber insurance, got a little bit of a history lesson, and discussed how all of this fits into the larger cyber risk management picture. And we did that with our guest, Jane Petoskey, who is an associate in the data protection, privacy and security practice group at the K&L Gates Seattle office. We'll see you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
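The waiting-period discussion above ends with the advice to build a spreadsheet that prices downtime by the hour and shows what a renewal change does to coverage. The following is an added example, written for this page and not code from the podcast or its hosts, that does the same calculation in Python. The policy terms (waiting period, retention, limit) and the three outage scenarios with their hourly loss figures are constructed for illustration; real numbers come from the policy wording and the organization's own revenue data. The model follows the transcript's description: hours inside the waiting period are excluded entirely, the remaining loss first erodes the retention, and the insurer pays the rest up to the limit.

```python
"""Business-interruption coverage model: waiting period, retention, limit.

Added example for the waiting-period discussion; figures are assumptions,
not terms from any real policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BiPolicy:
    """Business-interruption terms that matter for a downtime loss."""
    name: str
    waiting_hours: float   # downtime excluded before coverage starts
    retention: float       # deductible the insured absorbs after the waiting period
    limit: float           # maximum the insurer pays per claim


@dataclass(frozen=True)
class Outage:
    """A downtime scenario with an assumed constant loss rate."""
    name: str
    hours: float
    loss_per_hour: float   # revenue lost per hour of downtime (assumption)


def split_loss(policy: BiPolicy, outage: Outage) -> dict:
    """Split an outage's total loss into excluded, insurer-paid and insured-borne parts."""
    total = outage.hours * outage.loss_per_hour
    # Loss during the waiting period is never claimable, however short the outage.
    excluded = min(outage.hours, policy.waiting_hours) * outage.loss_per_hour
    claimable = total - excluded
    # The retention erodes first, then the insurer pays up to the limit.
    insurer_pays = max(0.0, min(claimable - policy.retention, policy.limit))
    return {
        "total": total,
        "excluded_by_waiting": excluded,
        "insurer_pays": insurer_pays,
        "insured_bears": total - insurer_pays,
    }


def compare_renewal(old: BiPolicy, new: BiPolicy, outages: list) -> list:
    """For each scenario, show how much insurer payment the renewal terms take away."""
    rows = []
    for o in outages:
        before = split_loss(old, o)["insurer_pays"]
        after = split_loss(new, o)["insurer_pays"]
        rows.append({
            "scenario": o.name,
            "old_pays": before,
            "new_pays": after,
            "coverage_lost": before - after,
        })
    return rows


# Constructed illustration: the renewal raises the waiting period 2h -> 6h
# and the retention 50k -> 100k; the limit is unchanged.
OLD_POLICY = BiPolicy("expiring", waiting_hours=2, retention=50_000, limit=2_000_000)
NEW_POLICY = BiPolicy("renewal", waiting_hours=6, retention=100_000, limit=2_000_000)

SCENARIOS = [
    Outage("DDoS takes the storefront down", hours=3, loss_per_hour=100_000),
    Outage("ransomware, three days to restore", hours=72, loss_per_hour=20_000),
    Outage("flash-sale event outage", hours=5, loss_per_hour=500_000),
]

if __name__ == "__main__":
    print(f"{'scenario':40} {'old pays':>12} {'new pays':>12} {'lost':>12}")
    for row in compare_renewal(OLD_POLICY, NEW_POLICY, SCENARIOS):
        print(f"{row['scenario']:40} {row['old_pays']:>12,.0f} "
              f"{row['new_pays']:>12,.0f} {row['coverage_lost']:>12,.0f}")
```

Run stand-alone it prints one line per scenario. The short DDoS and the five-hour event, the two outages a busy web business is most likely to see, move from partially covered to paying nothing under the longer waiting period, while the multi-day ransomware scenario only loses the extra hours and the higher retention. Swapping in your own hourly loss figures turns this into the per-hour spreadsheet the hosts recommend, and lets you see which renewal change actually matters before the renewal is signed.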
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.