Recording: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities and Jake Bernstein, cybersecurity council at the law firm of Newman DuWors. Visit them at cyberriskopportunities.com and newmanlaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Jake, today, we're going to take a closer look at how cyber liability insurance works as part of an overall cyber risk management plan. And we're going to do that with the help of a guest.

Jake Bernstein: A guest? So who's our guest today?

Kip Boyle: All right. Our guest is Chris Brumfield. And Chris helps companies understand how cyber insurance and managing risk are part of an overall plan. He's a consulting broker, an insurance specialist and a public speaker. And he's with the firm Brown & Brown of Washington State. Chris, welcome to our podcast.

Chris Brumfield: Thanks. It's great to be here.

Jake Bernstein: So Chris, on this show, Kip and I have been saying that companies need to include cyber insurance as part of their approach to overall cyber risk management. Do you agree with that?

Chris Brumfield: Yeah, definitely. And not just because I'm in insurance sales.

Kip Boyle: Yeah. I'll bet.

Chris Brumfield: Well, no. So cyber insurance, basically it transfers the financial risk that a company's going to have, and it transfers out to an insurer. You pay the money and they take on that risk. There's over 140 cyber insurers that we look through to choose the best fit. And when it comes down to it, not all insurance carriers are equal. So it just really allowed-

Kip Boyle: 140, I had no idea that the number was that high. I would've guessed maybe 40.

Chris Brumfield: That would be a pretty good guess. No, everyone and their mother is excited to offer cyber insurance at this point. And also just for the uninitiated, as a broker, we're a middle man, essentially. So we work for our clients, not for an insurance company.

Jake Bernstein: So Chris, as a broker, and given the 140 plus cyber insurers, what trends are you seeing for example, in coverage or claims?

Chris Brumfield: Well, the most recent is going to be, I try to stay away from acronyms. But there's the GDPR, which is called the General Data Privacy Regulation. That's for the European Union. And then the CCPA, which is the California Consumer Privacy Act.

And those are some of the newer regulations in Europe, revolves around data privacy. And then the California Consumer Privacy Act is a statutory damages of $100 to $700 without proving a loss.

And the trends we're seeing is, some insurers are not paying attention to that or not making changes. But other insurers are being very proactive and they're already writing that into their policy. So these new emerging threats to the financial risk of a company, based on their cyber risk, is being written into coverage as we speak.

Jake Bernstein: Interesting. So one thing that we've been curious about is cyber claims being denied due to war exclusion clauses. So how does that come up?

Well, I think a good example is back in October of last year, 2018. The international food and beverage company, Mondelez International, sued it's insurer, Zurich, American Insurance Company, for about 100 million dollars, for declining coverage to Mondelez International, following the NotPetya cyber attack.

Now they had an all risk property insurance policy and Zurich decided to deny that claim by invoking the hostile or war-like act exclusion. So even though this case is before the court still, what are you seeing about that?

And then secondly, the very public DLA Piper Law Firm, their multinational are huge. They were also hit by NotPetya, and they were closed down for almost five days, I believe. And they're now in a dispute with its insurer Hiscox.

And what we're seeing is that the insurance company is declining to cover for NotPetya. And that insurer is citing the war exclusion as reason for non-payment. What do you think about these tracks?

Kip Boyle: Yeah, what's going on?

Chris Brumfield: Well, with those headlines coming out, the first thing that drew my attention in right away, saying, "How are they justifying excluding coverage if it should be there."

But when I dug a little deeper, because of course we stay abreast of these developments and trends, found that these are property forms. And so you can get insurance for just about anything. Beyonce ensures her legs and her voice. You have insurance for your auto, you have insurance for your home, you have life insurance for your own life.

Each of these coverages, each of these insurance forms, are specifically tailored for the risks that they're ensuring. Just like your home policy, covers your home in case there's a fire. Property policies cover business in case there's a fire, there's one water damage.

And they typically will exclude the coverages that you can purchase elsewhere. They don't want to double down and provide extra insurance when it was never intended for that in the first place.

And both of those, the Mondelez, as well as the DLA Piper claims, those were on property, if I'm recalling right. Both were on property forms. So those are meant to cover your building and your operations from slip and falls, from fires, from water damage, for explosions. Real physical damages. They're not meant to cover for cyber.

And occasionally, some small cyber coverage will be thrown in, but it's not something that is designed for that. That's why they have cyber policies. They're specifically designed for the risks that you're going to have in this digital age.

Kip Boyle: So I'm sure that these companies, we know they're large. We suspect they're sophisticated. How in the world could they have overlooked this? This seems like a major mess up in terms of risk management.

Chris Brumfield: I can tell you, I would not want to be the person having to explain why I didn't want to purchase a cyber policy and justify that to the other shareholders or stockholders. That's not a conversation I'd want to have.

It's something that's seen almost a bury your head in the sand. Or sort of ignore the problem and hope it goes away. Which we're seeing is at least not the case in terms of the trends we're seeing.

It's not just the large companies anymore, it's also the mid to small companies that are being targeted by more sophisticated cyber criminals. And they do so because, the organizations are less sophisticated. And they're more likely to pay a ransom or to give away information, that would otherwise come back to haunt them.

Kip Boyle: Yeah. So Chris, one of the reasons why Jake and I invited you to come on the program is because of these kinds of headlines right now. Where, as a risk manager in an organization, whether I'm the chief risk officer or whether I'm just another executive in the C-suite.

I might be thinking, based on reading these headlines, "Cyber insurance, what an unnecessary expense. Because look, it's not covering the things that it claims to cover. And I don't even know where to go to purchase a policy. I have no idea if I'm going to be spending the right amount of money for the coverages I get. And all these exclusions."

And it can seem super daunting. And for our customers, we've been recommending, "Hey, you should go work with a broker. Don't go directly to the carriers, because the policies are so non-standard."

It's really, really difficult to compare. It's not buying automobile insurance, because that fairly standardized. Once you select the right coverages, then you can shop on price. But our perception has been that buying a cyber liability policy is actually really, really hard.

Is that still what you guys are seeing Chris?

Chris Brumfield: Yeah, it is. It's hard to see through the jungle out there. The 140 cyber insurers, there's no real substitute for just taking the time and the attention to detail. We go through it line by line. And of course, we suggest finding a good broker, of course we'd love to help people.

But finding a broker who's actually going to take the time, to go through each policy, line by line, to determine what coverages are there, what aren't, like war exclusions. Every policy that I've encountered in the cyber realm, does have a war exclusion. But you have to know the insurer that you're working with and their dedication and their commitment to their space. As well as their claims handling and what they're going to do when a claim actually occurs.

Because, let's say the WannaCry or the NotPetya, both of those, they could try to exclude them based on war. "Well, this was act of a nation state. This was an act of war."

However, the insurers, the short list we've come down to out of that 140, well, they do have cyber extortion coverage. And that is cyber extortion. So with a gray area, if an insurer's doing things right, a gray area is going to be something that they use for the insured's favor.

And that's where your broker is really going to be able to get in there and get into the weeds. And understand the reputation, understand the policy, the forms and all of the coverages line by line. To be able to articulate to you as a client, exactly what you're getting.

And are you spending too much money or not enough money? Well, they should also be able to go out to the market and find those verifiable, reputable insurers.

And be able to say, "Well, we're going to benchmark. And we can tell you, this is where the highest came in and this is where the lowest came in. And this is right in the middle. And these are the reasons we think this firm is a better firm than the others."

Kip Boyle: Now that's another point in your favor. Which is the idea that you guys are not just looking at the for the coverage, but you actually have insight into the way that these different carriers process claims. So you can actually bring that into the picture for somebody to help them evaluate between two coverages.

I think that's really, really helpful. Chris, this is so interesting. I want to ask you a completely different question. But how did you get to this point in your career? What an interesting job you have?

Chris Brumfield: Well, I don't know if a lot of people would describe insurance as interesting. But thank you, that's very gracious.

Kip Boyle: Well, it's interesting because it's a mashup of insurance and computers. Right?

Chris Brumfield: Mm-hmm (affirmative).

Kip Boyle: I mean that's what you do. You live at that intersection, don't you?

Chris Brumfield: Yeah. I think it all started, if I have to go back to my origin story. Middle school, I was building my own computers from scratch.

Kip Boyle: Wait, is there a radioactive spider somewhere in this school?

Chris Brumfield: I wish. That would be fantastic. And just imagine cleaning those upper windows for my wife when she asked me to clean around the house. Not trying to date myself, but the first computer I built was pretty sweet, at 333 MHz processor. My first build, which was just screaming fast at the time.

But over the course of the last 11 years, I just really became sort of, not enamored, but just very interested with insurance and started just learning everything I could learn. Everything I get my hands on. And working toward designations to do that. And nearly non-stop over the last 11 years.

And my last count, I sort of lost count. It's like alphabet soup, after my name. But seven designations. And my wife would definitely agree. I'm an insurance geek. So basically I'm not allowed to talk at parties anymore.

Kip Boyle: Well, you're in good company, because you've got two other nerds here as well. A legal nerd and a cyber nerd. So welcome to the club. Happy to have you.

Chris Brumfield: It's good to be here. Good to be part of the club.

Jake Bernstein: Yeah. And some of us are legal and cyber nerds.

Kip Boyle: That's true. That's true. And then you get weirdos me, where I stand at the intersection between cyber and business. So we're all standing at a crossroad here and being very nerdy. And letting everybody hear.

Chris Brumfield: Well I think you guys actually might have me trumped. Which is hard to find in my every day.

Kip Boyle: Okay. So you started out working with computers and actually building computers, which is great. And then you got bit by the insurance bug, not radioactive spider.

So now, I love your story because it just says a lot about your intense focus on what you do. And when you were describing earlier about, "Hey, we have to read these policies line by line."

Well now I'm sure that you do that, you're not just saying that you do that.

Chris Brumfield: No, I've spent more time reading insurance policies and contracts, I mean, I would say at this point hundreds. Which if you've ever tried to read through an insurance policy, you will understand the pain that goes into that.

But, it just sort of goes back to the view that I take in honing, you have to hone your craft. Whatever you do, you need to do it well. You need to do it at the top of your ability. And that's whether it's getting an associate re-insurance. Or claims management. Or my CPCU, which is a Chartered Property Casualty Underwriter. It's sort of like a Masters for insurance.

Kip Boyle: Well, God bless you. Because, we lived in a controlled economy and somebody told me that this was going to be my job, I would really struggle with that.

Chris Brumfield: Yeah. I was just lucky, happenstance.

Kip Boyle: Yeah. Well, it sounds it's a good fit for you. And I think it's great. So thanks for giving us a little bit of peak into your background.

Chris Brumfield: Absolutely.

Jake Bernstein: Yeah. So I want to make sure that we're all on the same page here in terms of the cost of a cyber breach of some kind. And, if you start adding up the hours of digital forensics, network downtime, notification cost, recovery operations, staff hours, lost productivity time in the case of DLA Piper.

Let's take a look at this. And there was this 2018, NetDiligence Cyber Claims Study. And that study showed that 49%, so we're talking half really, were filed by companies under 50 million in annual revenue. Now-

Kip Boyle: I think that's going to shock some of our listeners.

Jake Bernstein: It shocks me and I'm listening. So there you go. It does, it's shocking. Now what's also interesting is that, the average claim by a large company across all industries was $8.8 million.

So right away, you see that the cost can get astronomic. And then I think what's really interesting is to break down the average amount spent on three different types of services. Crisis services, $307,000. Legal defense, $106,000. And then legal settlement, $224,000. So Chris, what is the link between insurance and managing these costs?

Chris Brumfield: Well, insurance policies are going to be designed to cover those costs. I mean, when it gets down to it, it gets down to it the crisis services, the legal defense and legal settlement. If you look at the average amount, typically cyber policy is going to have a $1 million limit. A $1 million per claim, with a $1 million aggregate.

And the aggregate means, that's all you have in your bucket, maybe for the year. And all of those are covered under this. Because it's designed to key up, as soon as you call to report a claim. To let them know what's happening.

They're going to send their crisis response team, or digitally send them. You're going to have asset restoration. You're going to have even a PR to help with your public relations. To get your company's name out of the dirt. All the notifications. As well as all the legal costs, and then the digital forensics to get you up and running again after that. And that can include new hardware, if your hardware has been bricked. Where you would have fancy paper weights, for your hardware now. And it-

Kip Boyle: So bricked means they don't work anymore? You can't turn them on?

Chris Brumfield: Yeah. You can't turn them on. Or you turn them on and you're locked out permanently. So, brick. So you basically just have a very expensive paper weight.

Kip Boyle: And usually many of them.

Chris Brumfield: Yeah. Many of them. And if you have a larger network or any computer that's affected on all your-

Kip Boyle: I remember reading about the Maersk debacle. And I believe they had to replace 35,000 bricked works stations, and something like 3000 or 4000 bricked servers. All at once.

Chris Brumfield: Mm-hmm (affirmative).

Jake Bernstein: That's a lot of bricks.

Chris Brumfield: It is.

Kip Boyle: Let's build a cathedral.

Chris Brumfield: Yeah. You could with that many. So in that case, you had the bricks, it, you have to figure out what to do with them. But no, it covers all of that. As well as any part of your system that's still up and running.

You will have hackers that it will gain access to a system, whether that's through social engineering or they are able to infiltrate by hacking. And they'll sit and they'll just watch and wait. And it could be a month, it can be five months.

We've had a client. It was a year and they've been sitting in their system and sort of spreading their chemicals. Well, when they first had a claim, they went in and they were able to fix what was wrong. But then they had the cyber policy covered for cyber forensics.

And so they actually went in and they said, "Well, it's not just part one of your system, it's part two, three and four." So if they only addressed the first part that was damaged or incapacitated, you'd still have that hacker lurking in these three other parts of the system.

Kip Boyle: I can't help but to think about termites in my home. That conceptually, this is so similar. So you get termites entering your home and they start munching away and you have no idea they're there. So they can do that for quite some time before you, as the homeowner, start to get the first idea that you've got a termite infestation.

And then once you realize, you see the saw dust and you're like, "My gosh." Well, you have no idea as a homeowner, how much these termites have spread through your building. I mean, you've got to get a professional termite exterminator to come in, completely check out your building and then figure out what's the game plan for getting rid of these termites. Does that sound similar to you, Chris?

Chris Brumfield: That's, great analogy. It's going with the house analogy. So not only do you have to figure out what to do with the termites, but guess what, now you have to replace some of the main joist. Some of the foundational pieces of lumber in that home. So, you might have to take a whole wall out to rebuild it to what you had before.

Kip Boyle: And you may have to live someplace temporary while they tend to your house and bomb the hell out of it, to get rid of all the termites, right?

Chris Brumfield: Yes.

Kip Boyle: So you're looking at a massive disruption. It's just as bad as anything you've probably seen on TV or in the movies.

Chris Brumfield: Absolutely. Imagine if you had to take your business today, what you're doing today, and you had to completely rebuild that or have it rebuilt. So you're off site, maybe you have to be offsite. You have to have all new software, all new hardware. You have to try to get back some of the data, maybe a proprietary data, maybe you don't. You have to get back all that data that was lost. Those emails, you have to get all that back to be up and running.

Well, what's that going to do to your business? What do you make? And sort of a really easy back of the napkin calculation is, what do you make a year and divide that by 365 days. And then that's your per day cost and what just the business interruption, that's what you could lose if you're down for a day.

Well, then take the that, and assume it's probably going to be around two weeks. Really, that you're going to have diminished output. Well, okay, you just lost that income. You still have payroll to make. And on top of that, you have the extra expenses of having to rent or use a different space, as well as all different hardware and software solutions.

Kip Boyle: And you can bet you're going to have overtime labor costs. I read that DLA Piper had something like 15,000 hours of overtime that they had to pay its IT staff, as they scrambled every hour of the day to try to do the restoration. I mean, so just that cost alone was enormous.

Chris Brumfield: Yeah. You have some forensic specialists, they're billing out $250, $300 up to $400 an hour. So, depending on the size of the policy you get, the limits, it's all variable. But let's say even at $10,000 annually or $5,000. You're going to blow through that. That's that's a full day at work.

Kip Boyle: Yeah, for sure. So, that's sort of what's at stake. I mean, you've done a nice job of helping us understand, if you have the need for data or for cyber liability coverage, this is the disruption. This is what it might cost. Are the premiums for cyber liability policies really steep? Because that's a lot of coverage.

Chris Brumfield: It's a lot of coverage. They are, if I'm being frank, I think they're just silly.

Jake Bernstein: Silly expensive or silly inexpensive?

Chris Brumfield: Silly inexpensive. I mean, if you look at any of the large losses that have happened in the last year to two years, The Home Depot, the Alaska Airlines, Target, Experian, any of those, you look at the costs associated with that, they far outweigh the expense.

If you're spending, and typically sort of our rule of thumb, you're going to look at between 1% to 3% of your firm's annual sales. That's what it's going to cost you to have that insurance.

So let's say it's $5,000 or $10,000. You're getting a million dollars of coverage. You are transferring over a million dollars of risk over to that insurer. And they're saying, "Well, maybe just give me $5,000, give $10,000, and I'll go ahead and take on all that risk and all the headache that comes along with that."

Jake Bernstein: Wow. That's impressive.

Kip Boyle: It seems pretty good. Do you think the premium costs are going to stay the same? Go up or go down in the future?

Chris Brumfield: If I was a betting man, I would say that they're going to go up. There's a lot of competition right now, which is really good for you as the consumer. Because, you're able to go out there and have your pick, they're all trying to compete. They all are trying to compete on both the forms and the coverages as well as the price.

And so that definitely it's a buyer's market right now. But there's only so long that all those insurers are going to have an appetite for this. After the losses start coming in, that's when they start looking at it and saying, "Well."
They are in a business. "So, is this going to make sense as a business when we're losing 100 million dollars, and we're only bringing in 90 million in revenue. We're losing 10 million a year." These are just made up numbers, but I mean, it illustrates the point.

Kip Boyle: Yeah. Because I think from my perspective, I see the cyber risks getting more intense. Some of the projections from different forecasting and research firms, 6 trillion dollars of global cost to cyber failures and cyber breaches by the year 2021.

So, the estimates of the damages are going up. I can't see any reason why the cost of insurance wouldn't go up, because the claims volume I would think would go up. I mean doesn't that pencil for?

Chris Brumfield: Yeah. It's a pretty simple math. As there are more claims, so the volume increases, as well as the overall cost increases. You're going to see the rates go up. And Why that benefits clients or insureds, at this point, to purchase a policy. If you have a track record with an insurer, you're going to have a much easier time negotiating a lower rate at the renewal, than you're going to have coming.

And say, "Well, I'd like to get a policy." And well they just increased their rates. They don't have a track record. You don't have a relationship. They're going to say, "Well this is our current rates. If you don't like it with us, you can find someone else."

Kip Boyle: Yeah.

Jake Bernstein: And there's 139 others who will insure you.

Kip Boyle: Yeah. Well, and depending on whether they'll actually process your claim when you file it too. Because that's the other thing is, you could buy insurance as a box checking exercise, just to prove to a major customer something, "Yeah, yeah. We are covered." And you buy a bargain basement bottom of the barrel cheapest insurance policy you can find. But if you ever have to actually file a claim, I mean, Chris, would you be worried?

Chris Brumfield: Yeah. Not all insurers are created equal. So there are some insurers I just personally would not recommend or suggest. Of course, I won't get into that here. But some insurers are just prone to dragging their feet a little more than others.

And to whether they deny the claim outright or they try to negotiate it down. And they say, "Well, we don't believe this expense is covered." I mean, there are all sorts of tactics that some insurers, the less reputable ones, will use to artificially deflate or lower what should be paid in a claim.

And I'll use one, I'll try to stay away from fancy insurance jargon, but indemnification is the word. And it means to make whole again. So the damage that you had from a claim that you're paying insurance premium in advance for, you should be made whole. They should pay you exactly what it takes, to get you back to where you were. And not all insurers have, we'll say, as generous a view on that, as others.

Kip Boyle: Okay. So that's something to watch out for. And we've talked about reputation is something that a broker can help you ascertain. So as we come to the close of our episode, I was hoping Chris, that you could break down cyber insurance coverages. I mean, what should you be looking for as a buyer? Just broad strokes. What coverages should you be sure that you are considering?

Chris Brumfield: Well, it breaks down to this, first party and third party coverage. So third party is everyone else. They're going to have a hard time proving damage was done to them because of your company. So, that's great to have.

But really the first party coverage is where it's all at. Because that's what's covering you and your business. So most business income, the insurer provides assistance in getting you back up, system restoration.

As well as, a lot of the insurers, they're really invested and they have benefits to help your IT department, both identify risks in your current setup, as well as training them to become even more proficient.

And it's really in everyone's best interest to do that, because, they have less claims and you have a more sophisticated-

Kip Boyle: So, that's kind of a preventative benefit.

Chris Brumfield: Exactly. Yeah. And it all comes down to an ounce of prevention, versus a pound of carry. If you sleep on this or wait for it to happen, we're seeing it more and more. And it's trickling down out from the big guys, down to the middle and the smaller firms.

It's not a question anymore of if it's going to happen. It's not a question of if, it's a question of when. When is it going to happen? Because it's going to happen at some point and you want to be prepared for it.

You want to have a plan. Whether you're spending the money on insurance. Or you're spending that same amount of money on hiring the appropriate specialists and services to harden your system. You need to pay attention and actually do something about it.

Kip Boyle: Thank you Chris for the summary.

Jake Bernstein: Yeah. I agree very much so.

Chris Brumfield: My pleasure.

Jake Bernstein: So Chris, thank you so much for being our guest today. Where can people learn more about you and your company and what you do for them?

Chris Brumfield: Well, thanks for asking. You can find me link on LinkedIn, Chris Brumfield. C-H-R-I-S B-R-U-M-F-I-E-L-D. Or you can also email me at cbrumfield, B-R-U-M-F-I-E-L-D, @bbseattle.com. And I'll be happy to answer questions and just make sure you're taken care of.

Kip Boyle: I'm really happy you were here today on this episode, Chris. And that wraps up this episode of the Cyber Risk Management Podcast. Today, we took a closer look at how cyber liability insurance works as part your overall cyber risk management plan. And again, our guest was Chris Brumfield. Thanks. We'll see you next time.

Jake Bernstein: See you next time.

Chris Brumfield: Thanks.

Recording: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR and IT, for full effectiveness.

Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee.

So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our Cyber Risk Business Strategy Program.

Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.

Thanks for tuning in. See you next time.