EP 35: Wholesaler perspective in cyber insurance
About this episode
September 3, 2019
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, talk with guest Peter Marchel about the current state of the wholesale cyber insurance market.
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, cybersecurity counsel at the law firm of Newman Du Wors. Visit them at cyberriskopportunities.com, and newmanlaw.com.
Jake Bernstein: So Kip, what are we going to talk about today?
Kip Boyle: Today we're going to talk about how cyber insurance actually works, and we're going to do that with the help of the guest.
Jake Bernstein: Oh, a guest. Who is it today?
Kip Boyle: All right. So I am so pleased. We have Peter Marchel with us. He's the president of Marchel And Associates, which is a risk consulting firm that he founded and leads. And you'll like this Jake, he's a former trial lawyer. So Peter, welcome to our podcast.
Peter Marchel: Thank you very much.
Kip Boyle: I think our listeners are going to really enjoy this episode because Peter has some great stories to tell us about actual claims that he's worked.
Peter Marchel: Yes, the proof is in the pudding, as they say, when you have actual payments on claims. And so we'll be talking about that today and how the policy responds.
Jake Bernstein: So, Peter, I'm curious, tell us a little bit about your background as an attorney, how you switched from being a trial lawyer to going into the insurance business.
Peter Marchel: Sure. I was hired in house as a trial attorney for Safeco Insurance company back in 1990, and was a defense attorney defending insureds for Safeco for about seven years. And then transferred into the corporate department and oversaw bad faith litigation against the company as well as several different corporate issues. In 2000 and, excuse me, 1997, I was offered a job working for Sedgwick James, and Sedgwick James was the third largest insurance brokerage firm at that time. And that's how I really got into insurance and placement of policies and working with insureds.
Jake Bernstein: Wow. Very cool.
Kip Boyle: And so you've been doing this for a long time now with insurance one way or the other then?
Peter Marchel: Yes.
Kip Boyle: Oh man. I don't think we have enough time in the episode to hear all the truly great stories you probably have to tell, but I'm glad we're going to hear some of them. So, let's get right to it. So, Peter, as an expert in corporate insurance, will you tell our listeners what they need to know about how cyber insurance actually works?
Peter Marchel: Sure. One of the most difficult things about cyber insurance is it is a constantly moving target. We see new methods of attack against insureds happening on a weekly basis. And as a result of that, the insurance policies need to keep up. And what I mean by that is, extortion and ransomware. 10 years ago, or even five years ago, it was not that big a deal, but today it's a very important coverage to have in your policy. What also makes insurance policies difficult in the cyber realm is the fact that no two policies are the same. It's unlike your home or auto, which has similar what's called ISO language, which has been approved by an insurance commissioner and used throughout the country. Cyber insurance is kind of like the wild west of insurance. And so you've got a lot of different changes happening and you've got a lot of policies that are being created, what are called non-admitted policies by London and other markets.
Kip Boyle: Wow. So, we had a guest on a little while ago, his name is Chris Brumfield. He works for an independent insurance broker, and he was kind of talking about some of this stuff. Is your company also an insurance broker?
Peter Marchel: Our company does three things based on my background and experience. We are an excess surplus lines broker, basically we're a broker's broker. We have a lot of retail brokers that come to us when they have difficult to place or difficult matters to insure. We in turn specialize in the management liability, professional liability in the cyber space. And so we have certain programs and contracts that we have rights to out of different markets, London being one of the major ones. And then we also have a proprietary product that we've developed for financial institutions, dealing with cyber and criminal issues.
And one of the difficulties that we see is that with the insurance policies, there's not a clear line or lane of coverage. So for example, if you have a cyber policy and you have a situation where somebody phishes you, and what phishing is, is somebody basically acts like they know you or they're a friend and they convince you into clicking on their link, and you click on their link and then they have malware on it. They can do several things. One of the things they can do is they can actually use that malware to trick you into sending money to a place you didn't intend to, for instance, a false or dummied up invoice. Well, if that happens, with the cyber policies, generally there could be a gap because that's considered a criminal matter, a criminal activity because it's theft. So that's where we get into some of these gray and mixed lines of insurance coverage.
Kip Boyle: How interesting. So let's see. So you are a broker's broker, which kind of makes me think you're a gentleman's gentleman, something like that. And crosstalk-
Peter Marchel: We also do consulting. So we do consulting for clients that says, "Can you ask us to review our policy? What kind of coverages do we have or do you have?" We also work with clients on developing incident response plans. We do that for several financial institutions around the country. And then the last thing that we do, the last leg of our tripod for income stream is, I am an expert witness because of my background. I'm hired by attorneys across the country to assist them in litigation when somebody's not paying a policy on either the insurance company side or for the insured.
Kip Boyle: Oh, so you would represent either side.
Peter Marchel: Yes.
Jake Bernstein: Well, he wouldn't represent either side. He's not representing either side. He's an expert witness about the policy in either direction. And I'm super curious how much litigation is going on right now surrounding cyber policies or if it's really too early to tell.
Peter Marchel: Well, that's a really good question, Jake. It's growing and it'll continue to grow. Because, what's happening is, as more people are being affected by cyber incidents, we're seeing policies being challenged. And in some respects we're seeing situations where either the insured and the insurance company never thought a particular event would occur. And so they're claiming that it's not insured. So yes, what we're going to see is increased litigation in the cyber space as people work to define these terms. Remember I said earlier that no two cyber insurance policies are the same. And that creates a lot of difficulty because definitions mean a lot in contracts and they mean a lot in the insurance world.
Jake Bernstein: Totally. So one thing that I haven't talked too much about on this podcast is my background as a former regulator for the state of Washington. I was an assistant attorney general in consumer protection. So we didn't have direct jurisdiction over insurance. The office of insurance commissioner in Washington does that and every state has their own. And that's kind of what you were getting at, regarding the kind of more typical consumer grade insurance policies. But, back to the cyber liability, I'm also really curious to know, right now what we've heard from other people in the insurance space is that cyber insurance is basically dirt cheap. The insurance companies themselves don't really understand the level of risk. It's difficult to underwrite. There's no actuarial science yet that's particularly reliable. How do you see all of those factors playing into someone trying to get an enormously high payout from an insurance policy?
Peter Marchel: Well, I think as the losses continue to mount, you will see that the insurance carriers will start narrowing policy coverages. The terminology that we see will start to become more defined. And I think it'll become similar amongst policies, and you will see an increase. I mean, insurance companies are in the business to make money. They don't want to go out of business, and they clearly will if they're underpricing the insurance policies that are out there. Another issue you mentioned, regulatory bodies. I mean, that is another area that's growing that we're seeing because it seems like there's no two states that have similar cyber regs and laws in place as far as notification. And so what we're finding out is that a lot of the different state attorneys general are using that as a revenue base in fining companies that run afoul of their regulations.
Jake Bernstein: Well, yeah, and that's not even getting into-
Kip Boyle: It really is the wild west. I mean, I'm just thinking about six gun or six shooters. And I mean, there's just like, nobody knows what's going on.
Jake Bernstein: Well, and we haven't even seen, I mean, the California Consumer Privacy Act, CCPA, won't be enforceable for approximately another year. And I did a count yesterday. There are a baker's dozen states that are looking at enacting comprehensive, or at least some kind of privacy regulations and new statutes. And those are in some ways I could see people trying to shoehorn coverage for that under cyber policies. But I think Peter, as these losses mount, I think we're going to see less and less of an appetite for kind of broad based policies. And I'm curious if you recall, it sounds like you might given your background, the kind of surge of environmental litigation in the late eighties and going into the nineties. And I don't know if this is apocryphal or not, but I have been told that some very large insurance companies nearly went out of business or had some major concerns because of a sudden surge in environmental litigation being covered under policies that no one really thought would happen. One, is that true? And two, do you see any parallels between what's going on right now in cyber insurance?
Kip Boyle: Great question.
Peter Marchel: I agree. I believe that is true. I know that Lloyds came under fire, and out of that, they changed a lot of things. And part of that was it's retrospective. So it'd be like 20 years from now somebody saying, "Okay, well, because of this policy, we're going to cover this." I see some of that happening, but I don't think it will happen to as great an extent, because what we're finding out in the cyber realm is things are changing so quickly. I mean, let me give you an example of a situation that I can see coming down the road.
I was having a conversation with the CFO of a bank the other day, when we were talking about some of the programs they have installed for their depositors, so that they don't have to worry about people getting in and stealing their data. And, how you can authenticate that you have the right person. And one of the things that he said to me was really eye opening and that's that there's so much data that's available out there. And a lot of the data that's available out there is from the public. So for instance, your home loan can be found online and the numbers and things like that. So there's a lot of different things that are out there in the public space that the government's actually opening up. And so it's going to be interesting as we go down this road, if the regulators are going to really start hammering companies, if the companies don't turn around and point the fingers back at, "Hey, here's some of the information that's available out there and it's being made by government agencies."
Jake Bernstein: Yeah. And that just creates a host of authentication challenges. I mean, you think about, I was just going through applying for a new mortgage for a new house purchase. And as I went to unfreeze my credit, each of the credit reporting bureaus asked me a series of questions and they were pretty darn specific. Honestly, I'm not sure. I think I actually got one of them wrong, and so I couldn't get one of my scores right away. But, a lot of that information these days is public. And so those types of questions as authentication challenges may not work much longer.
Peter Marchel: Exactly.
Jake Bernstein: That's fascinating. At which point a policy holder and then the insurer are going to be faced with these questions of, who's liable for something that neither of us caused? It's fascinating to me. I just think that this whole industry is due for a major shakeup in the next decade. I have a more specific question for you though. Have you seen any litigation where a policy claim has been denied because the insured didn't do enough? They didn't either do their due diligence. They didn't have a reasonable cyber program. Anything around that? I'm sure.
Peter Marchel: Yes, there are. There's a couple of cases that have come down. One case that's famous in the banking space is called PATCO, it's off the east coast. And it was dealing with authentication and requirements of authentication for depositors. And what the case was looking at is if you have an agreement, a bank does, with a depositor, and it's a small business, their authentication may be using a token, or it may be a password. If you're doing business with a large commercial account that's very sophisticated and say, running millions and millions through, you would think that their security would be more difficult. It would be more than just a password, more than just a token. And so, one of the things that they're looking at is the validation of who people say they are online and how you can do that.
There's another case that we're seeing, and this is where some of the insurance companies are pushing back. And this is where the language is being tested, and where they'll come back and refine policies is, you look at a loss, what causes the direct loss. If you receive an email from somebody that's phished you, and it's a dummy email, and they say, "Please pay this invoice," and you pay the invoice. Well, what causes that loss? Is the direct loss the person that phished you and told you to send it to this dummy invoice, or is it the employee that looks at the invoice, thinks it's true, and then sends the money?
Jake Bernstein: Or is it the failure to have a cyber program that trains that employee to not send the money in that case? That's a really, really interesting example because I think for Kip and I, the kind of classic business email compromise, which you just described with the phish and the send me money request is one of our kind of go-to cyber risks. And to know that cyber policies may not cover it is, I think it's really important detail. And I think it's something that it's going to be difficult to figure out. I mean, you kind of alluded to this earlier that this is a criminal act, and I completely agree. It is a criminal act. I don't know. What would you recommend that insureds do surrounding this? And how do you know if your policy's going to cover you for a BEC, which is one of the most common kind of forms of loss associated with cyber risk?
Kip Boyle: It can cost millions of dollars.
Peter Marchel: It can. And actually they're starting to see claims where that's becoming more. It's tough because when we're talking about insurance policies, we're talking about contracts and we're talking about highly complex contracts. And we talk about contracts that are interrelated with other contracts. And when I say interrelated, I'm talking about the situation that you're describing right now, where it could be a criminal act and it may be covered under a criminal policy, or it may be covered under a cyber policy. And what insureds need to do is they need to seek out people that are experts, that not only understand an insurance policy and how it works, but also the language of law. If you have a policy that says "and", it requires two things to happen, the thing preceding the "and" and the thing after the "and". Which is quite a bit different than the word "or", which can be triggered by either the one above or the one below.
Kip Boyle: Man, my head is spinning already.
Peter Marchel: Yeah. We had a situation, we had a client that had an $8 million loss because of the word and versus or. And it was an $8 million loss that the insurance carrier didn't want to pay.
Kip Boyle: Yeah. And I don't think insureds are going to, by default, without a warning like this, they're not going to fuss over prepositions, right?
Peter Marchel: Right.
Jake Bernstein: Oh. But, these are critical. Conjunctions are critical. And I think what I just learned is that I need to make sure I learn more about insurance generally, because I've definitely got the language of law down, but the insurance area is a little bit more specialized. But I think Peter, what you're saying is that particularly with these niche policies that are not regulated, you need to have them vetted or read by someone who understands law, insurance and preferably cyber risk. And you're one, I'm one, Kips got a part of that, but there aren't many people in my experience who really check those boxes.
Peter Marchel: No, that's true. And that's part of the issue. The other thing you mentioned, non-admitted policies, this issue is with admitted policies as well. And let me give you an example, a lot of people on their E&O policy or some other type of business policy they may buy, like a business owner's policy, which are for smaller businesses, may throw in, quote unquote, a cyber component. But, the problem with the cyber component is it's thrown in, which means it's free. They don't charge much for it, which is worth that value. The problem is they're not well written. They don't have a lot of coverages. And then there's a lot of policies that have sub-limits.
So for instance, the example that we were talking about the other day with phishing. We had a client that we reviewed their policy and they had a hundred thousand dollar limit for a phishing activity. And this was an $8 billion company that had a couple hundred employees. So you look at something like this and it just takes a higher level of sophistication. And rather than putting the insurance on the bottom of the plate, it really needs to move up to the top level. Because, when all else fails on preventing a cyber incident or a cyber breach from occurring, you want to be able to look to the insurance company. And the insurance company does two things. Number one, it provides access to resources to help that business get its feet back on the ground so it can continue in business. And number two, if it's a well written policy, the insured only has to pay the deductible. And that's primarily what you're looking at. There's nothing worse than having to pay twice. Pay for a poorly written policy and then pay again when the loss occurs.
Kip Boyle: So Peter, I've got a question. I got a question for you on this. So, we're in the wild west of cyber insurance. I think we all agree to that. And so the hope is that it's going to become more structured, better regulated, standardized. And then ultimately cyber insurance is going to be as easy to shop for as today when I shop for coverage for my personal automobile. Because, it's all very, very standardized, as long as I have the same coverage level selected, I can almost shop on price. But, cyber's so different because the adversary is changing the way they attack us all the time. And so it just makes me wonder if cyber insurance is ever going to be able to achieve the same standardization as say, a fire insurance policy would.
Peter Marchel: Ultimately the goal is for that to happen. The question is, will we get there? It may be a situation where we can get 80 or 90% there. And what I mean by that is because the activists that are attacking businesses via cyber continually change. It's how quickly can we change and adapt and actually be forward thinking on different ways that we can prevent that. Authentication is one of the key things that insureds can do to have good cyber hygiene. And learning how to authenticate emails that are coming in and blocking bad ones, as well as educating employees on what to look for when they click. If somebody asked you to transfer half a million dollars and you'd never been asked to do that before, ask questions. Why? What's going on?
Kip Boyle: Absolutely. But I just think there's going to be new forms of attacks. And it seems like cyber-
Peter Marchel: Oh, there will be.
Kip Boyle: Yeah. And so it seems like cyber insurance is always going to struggle, right? And insureds will always struggle with the idea that they may have a really well thought out cyber insurance policy. But, this first time a new type of attack shows up and they suffer a loss and they go to their policy and they see that there's no mention of this new type of attack and this new form of loss. And is it really a technical issue or was it a fraud or did we get tricked? And it just seems like that this cycle of insurance keeping up with the state of the art of cyber attack is going to be with us forever. I don't know how they're going to deal with it. So I was just curious to know if anybody is talking about this yet.
Peter Marchel: I mean, we have. It's part of what you and I have talked about before, when you look at an incident response plan. It's constantly looking at what you do and how you do things and what needs to be changed. And the insurance policies are looking at the same thing. What's going on? How can we assist the insureds in defeating these threats? What do we need to have in place? What can we do to make sure that we price it appropriately? And so that's one of the reasons you have exclusions is because they've evaluated it. And they've determined that without these exclusions, they can't price it appropriately or they need to increase the prices.
Kip Boyle: Right. So I want to ask you another, oh, Jake, I want to ask Peter one more question.
Jake Bernstein: No, I want to ask him a question.
Kip Boyle: Okay. Ask him a question. I'll wait.
Jake Bernstein: Okay. I think Peter may have to come on a second time just because there's a lot to unpack here. But here's my question, Peter, which is, you just mentioned exclusions and one of the things that, yeah, I'll just be honest and say, I found it disappointing was that right now, and I do mean like right now, insurance companies aren't really asking a lot of their customers in order to get a policy. In other words, there's not a lot of requirements for the insured in order to buy a policy. Or put another way, it's not affecting your premium that much whether you're highly advanced or not, at least in some areas. And what I'd like to know is first of all, is that already changing? And second of all, do you see kind of a reasonable cybersecurity program being in place as a necessary requirement before you're able to get decent coverage in the future?
Peter Marchel: That's an interesting question. Let me answer it this way. Five, six years ago when people first started, or actually even earlier than that, eight, nine years ago, when people started looking at cyber insurance, the policies, the applications were very long. Eight, nine, 10, 12 pages long. And the problem with that was, is insureds didn't want to fill them out. Either they didn't have the time, or they didn't have the knowledge because a lot of the questions really required somebody from IT, somebody from the board to help answer those, and somebody from risk management. What we've gone away from is more consistent questions that we're seeing from different carriers and also a lot smaller applications. And because of that, I agree with you. They're probably not aware of all the risks that need to be addressed.
I think in the future, what you'll be seeing is you'll be seeing questions that probably follow NIST, the requirements of NIST, where are people in their preparation of preparing for that? What do they have in place? I also see the questions of what type of an incident response plan is in place, because that's very important on how you're going to respond. The studies have shown, if you have a response plan in place, it can reduce the ultimate payout in the ultimate cost, as well as the downtime of the company.
Kip Boyle: Definitely. And prompt detection.
Jake Bernstein: That is super fascinating. Kip and I like hearing that because we've kind of put in with the NIST cybersecurity framework. I think that out of all the frameworks that are out there and the standards you could choose, I think that one is the only one that is really meant to be fully modern and kind of something that you can base a program around, as opposed to a series of check boxes that I don't think work very well. So I thank you for that. That's a real interesting commentary.
Kip Boyle: Okay, Jake, so let's not fight over the guests, but I have one more question for Peter. So Peter, as a broker's broker, and with your perspective, I wanted to ask you if you've heard any talk yet about best practices and emerging best practices. Because, I know that's a necessary step for insurance carriers to more formalize and more standardized things. And specifically what I heard recently, somebody told me without attribution or any evidence, but they said that they were starting to see insurance policies, cyber insurance policies, where it was a condition for the coverage and for being paid out if you had a claim, that you had to be prompt with the installation of security updates on your computers, and that was an emerging best practice that insurance companies were going to start focusing on. Have you heard that yet?
Peter Marchel: I have not heard that specifically. What I have seen is, and we have had some litigation already where insurance companies have asked what types of things insureds were doing and insureds listed what they did. And then subsequently a loss came in and the insurance company was looking at it and the company failed to do that. And so that was used as a defense. And I believe that lawsuit, it's back east and still in the courts. So I can't comment on any more than that, other than insurance companies are looking at it. So if you are filling out an application and you say that you're constant on your updates, and it turns out that you're not, that can be used as a way to defeat coverage.
Another thing that we see common in a lot of the policies is where an insurance company, as a precedent, or excuse me, an insured as a precedent to bringing any kind of a claim has to affirmatively do certain things like callbacks. When a client says, "I need you to transfer this money," you have to call them back. In talking with CEOs and CFOs of those companies that buy those types of policies, a lot of them are banks, they tell me, they say, "Peter, we don't have a problem when we fail. We don't have a problem when we follow our procedures. It's when we fail to follow the procedures. That's why we need the insurance." And so there are some insurance policies, they tend to be a little more expensive, that don't require those conditions precedent to recover.
Kip Boyle: But, so it's almost a form of errors and omissions in the nature of the failure.
Peter Marchel: Yeah. It wouldn't really fall in that lane. It's just in order to recover under this cyber provision of this policy, you have to affirmatively do certain things. And if you fail to affirmatively do that, then that's a defense for the carrier.
Kip Boyle: Okay. So that's something for our listeners to be watching out for. So we've had a lot of really great stuff today, Peter, and we're so glad that you were our guest today. If somebody would like to reach out to you to learn more, to have a conversation, how would they do that?
Peter Marchel: They could reach out to me and my company. It's Marchel Risk Consulting, and we're on the internet and locally we're 425 788 4349.
Kip Boyle: And you spell Peter's last name, M-A-R-C-H-E-L, is that right?
Peter Marchel: That's correct.
Kip Boyle: Okay, great. Because I had to practice that, I just want you to know, to get it right. But anyway, so thanks for joining us today, Peter. We really appreciate it. And that wraps up this episode of the Cyber Management Podcast. Today, we talked about how cyber insurance really works today with our guest Peter Marchel, and we'll see you next time.
Jake Bernstein: See you next time.
Peter Marchel: Great. Thank you.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR and IT, for full effectiveness. Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk business strategy program. Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.