Kip Boyle: Hi, I'm excited to share that we have a new, free bonus just for you.

Jake Bernstein: We've started publishing our very own quarterly cyber risk management journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.

Kip Boyle: So we start by transcribing the four or five episodes that we've published in the previous three months.

Jake Bernstein: Next, we send our editor and designer the transcripts and our supporting materials for those episodes.

Kip Boyle: Then they revise all the text, they put clickable links in for all the resources, and they create the best look and feel for each episode.

Jake Bernstein: And finally we, Kip and I, make sure the finished PDF is ready for you.

Kip Boyle: So download the current edition now. All you have to do is go to b.link/crmj. That's the letter B, dot link, forward slash crmj.

Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the cyber risk management podcast. Now, on with the show.

Speaker 3: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Kip Boyle: Jake. Hi, what are we going to talk about today?

Jake Bernstein: Hey, Kip. Today, we're going to talk with our guest, Josh Franklin about cyber insurance.

Kip Boyle: Cool.

Jake Bernstein: But this will be quite different than our previous episodes on the topic, which generally have featured cyber insurance brokers.

Kip Boyle: Okay.

Jake Bernstein: Josh, on the other hand, is a trial attorney focused on business litigation and helping his clients recover funds from insurance companies that have denied claims.

Kip Boyle: Ah-huh.

Jake Bernstein: So Josh, welcome to the podcast.

Josh Franklin : Good morning. Thank you for having me.

Kip Boyle: This is great. What we've noticed, Josh, which I think you're going to really clue us all into a lot more is that cyber insurance is growing up through litigation. So it'll be really great to hear from somebody who's participating in all this. So would you introduce yourself and tell our listeners a little bit about your background?

Josh Franklin : Sure. Thank you. My name's Josh Franklin. I'm a business trial attorney. I have a small law firm in Delmar, California, and we focus on business litigation and commercial insurance recovery, which means we represent businesses and business owners who have commercial insurance claims that have been wrongfully denied.

Kip Boyle: Do you have a typical customer size that you work with or certain industry?

Josh Franklin : We really represent companies of all industries. We've had biotech, manufacturing, real estate development, construction, everything, and it's generally small to midsize companies.

Kip Boyle: Okay. I like that because you've seen a lot across different industries, and so good. That's that's fantastic. Thank you.

Jake Bernstein: And it's also really important to make sure our audience kind of appreciates that even if you aren't a mega corporation, you have the ability to try to recover against insurance companies that have wrongfully denied claims. So, that's great. Josh, today we'd like to discuss how your experiences as a trial lawyer over your career have informed your view of cyber insurance and kind of what you can take from your background, and what do you talk about today with your clients? And then, we kind of interrupted you there, just kind of tell us what are you doing now in the cyber insurance space? Like what is your typical engagement regarding cyber insurance and just kind of go from there?

Josh Franklin : Sure. Well, to answer the last question first, we've represented a number of companies and we get contacted all the time. Sometimes we can help folks, sometimes we can't. And I can explain during the show, some of the reasons why we can't help folks that will serve as a lesson to others, but we represent companies that have had some type of data breach. The most common situation that we come across is a business transaction where wiring instructions are compromised due to someone gets access to a company's email. They send out a fraudulent email, sending new or revised wiring instructions, and the money ends up going to an account that doesn't belong to the intended recipient. And I think everyone has some experience with this or knows someone that's had this experience, and it could be hundreds of thousands of dollars in lost money due to these phishing scams and email fraud. And that's kind of one of the most common things we deal with.

Sometimes we've also had clients who have had data breaches that it resulted in ransomware attacks, which they may have had coverage for business interruption, loss, those types of things. Those are probably the most common types of issues that we deal with. As far as being a trial lawyer, I think cyber insurance should be considered a component of a network security plan for any business and at trial, these issues generally tend to look like negligence cases. And I always try to encourage clients and businesses of any size to take whatever steps they can to put themselves in a position to be able to say, if they were to end up at trial, look, we did everything we could do to protect our clients, our customers data. We had a cybersecurity audit, there were recommendations, we followed all of the recommendations, that sort of thing. So that you're in a position of being able to demonstrate that you acted in accordance with industry standards or hopefully above industry standards in terms of the steps you've taken to protect your customers data.

Jake Bernstein: Josh-

Kip Boyle: It was such a juicy topic.

Jake Bernstein: Yeah, no kidding. I-

Kip Boyle: Jake and I are trying to get our word in.

Jake Bernstein: I'm pouncing first as the other lawyer. I heard a word the there that I think is worth quickly discussing, negligence.

Kip Boyle: Oh perfect.

Jake Bernstein: I think everyone has heard that word, but to lawyers, it has a special meaning, and just for our audience, can you give a real brief definition of negligence from like, what do you mean when you say negligence?

Josh Franklin : What I mean is that the business acted reasonably and if you look at a certain whatever the type of business you're in, whether it's accounting or manufacturing, or every business is going to have different standards that your conduct satisfied the standard of care for similar businesses in your industry. So in terms of network security, there are certain basic protections that people are expected to take. Whether it means encrypting data or other two-factor authentication, other types of things, what are you doing? And are the steps that you're taking to preserve the confidentiality of that information, are those steps reasonable and in accordance with industry standards?

Kip Boyle: What a beautiful dovetail.

Jake Bernstein: It is a beautiful dovetail, isn't it Kip? Josh, so I practice primarily on the, I would say more on the regulatory FTC, GDPR, CCPA side of things, and in that world, we have the Reasonable Cybersecurity Standard from the FTC. However, I think you pretty much just restated it. And it's interesting, I think for the audience to note that, that Reasonable Cybersecurity Standard didn't just come out of the blue, it really is just the negligence standard applied to network security and cybersecurity. And I think that's useful to understand, because what it means is that the types of proof and the types of evidence that a company will need really is not necessarily going to differ if it's a cyber insurance claim, if it's just a standard negligence argument, or if it is a regulatory action. So that's super helpful. What a great insight already. We could stop now, we've already gotten the audience's money's worth.

Kip Boyle: That's right. Yeah, we shot, we scored. cool, come back some other day. Actually, we could unpack just that point some more and fill an entire episode, but we actually want to cover, like we have three the other things we want to talk about. So I think we better press forward. We can always have Josh come back, but Josh, our audience is primarily decision makers, right? People who are expected to make decisions about how to do good cyber risk management. So I love that you talked about reasonableness and you talked about how insurance is just one component to a larger plan. So would you tell us about the types of coverages available under cyber policies? I mean, you don't sell it, but you see it. And then, including both first party and third party exposures and coverages.

Josh Franklin : Absolutely. So the two most, the general types of coverages that are offered are first party, which means losses that the company incurs itself, this would be loss of its own data. It could be loss due to ransomware or computer fraud, if the company itself lost money due to a phishing scam or something along those lines. Whereas third party is simply liability that there's harm done to a client or customer as a result of the loss of their data. And then the insured that the company is defending a lawsuit or some claim for damages or negligence as you've put it and damages associated with the loss or compromise of their data.

In terms of first party coverages. They're typically going to include some coverage for a forensic investigation after there's a data breach, figuring out what happened and how to fix it. Data restoration costs, loss of business income if it's your own data that's been compromised and there's interruption in business as a result of that. There's going to be coverage for lost business income and crisis management, public relations costs. Sometimes with more robust policies might be an included component of that coverage, and reputational harm. That's basically the general categories of first party cyber coverages.

In terms of third party, there's going to be costs associated with notification, letting the clients and customers know that there's been a data breach and compliance with data breach notification laws, depending on what state you're in. There might be contractual fines and penalties, which is an important topic for businesses that operate with a lot of credit card transactions. I can give you a story about a huge loss that wasn't covered that you would expect would be. Regulatory defense fines and penalties, and of course, defense costs. If you're sued for negligence in connection with a data breach, a huge component of your loss is going to be defending that lawsuit. All of those are the general categories of losses that are covered under typical third party cyber policy.

Kip Boyle: Wow. Okay. So that's an excellent list. And of course, I want to hear the story, right? I mean, you must have the best stories, and I'm sure our audience would love to hear that story that you talked about, because you know what we tell customers, what I tell customers is, once you get a cyber liability policy, your next step is to learn the exclusions and manage to them. So I don't know if that's what your story's about, but would you share it?

Josh Franklin : Yeah. And I have several, but I'll just start with one. Everyone is familiar with the restaurant chain, PF Chang's, the Chinese restaurant chain. And several years ago, there was a data breach. And the lesson to be learned from this is understand what your business is and where your exposure truly lies. And you would expect with the restaurant chain, their primary exposure is going to be in connection with credit card transactions and the compromise of those numbers. So that happened, credit card numbers were compromised. There was a lawsuit and a lot of it was covered, because PF Chang's had paid I think their annual premium for this policy was around $330,000. So a pretty expensive policy. And they also were hit with the credit card merchant companies assessed what are called PCI assessments, payment card industry assessments, for the credit card merchant has expenses associated with the data breach. And they then have a contractual right to recover those fines and penalties against the insured, which is PF Chang's. Now that is a very foreseeable consequence of this type of data breach. And they did not have a specific endorsement covering it. And most policies, most commercial liabilities policies will have an exclusion for contractual liabilities, obligations that arise out of a contract, which this was and so there was a-

Jake Bernstein: Because you should have known, right?

Josh Franklin : Right. So there was a couple million dollars worth of PCI assessments that were not covered under this very robust cyber policy. So that goes to show, if you operate with credit card transactions, ensure that you have coverage or a specific carve out for coverage for any possible PCI assessments that might be imposed against you as a result of a data breach.

Kip Boyle: Okay. So that was kind of a hidden exclusion, right? Or just a lack of coverage, or basically they missed something important when they bought the policy and ultimately, they got hurt, which is terrible, and we don't want that for our audience.

Jake Bernstein: Definitely not. And Josh, one other component of this topic is that you mentioned in your talking points, in preparation for this show, the critical nature of the application process and ensuring the coverage for the most common types of cyber incidents, but I'm curious, have you seen the application process itself change over time?

Josh Franklin : Yes. There used to be an exclusion for what insurance companies called failure to follow minimum required standards, which means that if there was a data breach and you were sued for negligence, after paying out a claim, an insurance company could then try to recoup the amounts it spent. And I have another example of this for the insured's failure to follow minimum required standards. In other words, the insured would have to defend against a second negligence lawsuit brought by their own insurance company.

Jake Bernstein: That's big.

Josh Franklin : Yeah. And one of the lawsuits that I have in mind, which was for several million dollars, was brought against a hospital system and the allegations were brought on information and belief that certain representations that were made during the application process, such as you'll see these applications that will have all these representations that are in there that the insured regularly installs security patches that they do, there might be technical terms to say that they're compliant with that. That they regularly do this or that. And you need to make sure that you understand those representations, what you're saying and have an IT professional or someone confirm that you're actually doing that, because the first thing an insurance company's going to do on the back end, if there's a sizable claim, is they're going to look at representations and they're going to see if they can find somewhere along the road where you failed to comply with one of those representations. Whether it's neglecting to install a single security patch, and then they can try to get out of coverage for the entire loss by saying that there was a misrepresentation in the application or breach of a covenant that was made in the application.

And that's why I think it's really important to have someone, whether it's a CTO or CISO involved in that process to make sure that you understand what conditions need to be satisfied as a condition of that coverage. And that's usually set forth in the application and it will be highly technical in nature. And don't overlook it and just say, yes.

Jake Bernstein: So it's funny, I thought that we had already shot and scored this episode, but I think we just did it even again, bigger this time. This is such a critical point. In fact, it's so critical that I'm going to briefly restate what Josh just said, basically, so the insurance company, and tell me if I'm correct here, Josh, the insurance company will defend a suit, because they have a duty to defend and that's pretty straightforward, right? In most cases. But if they pay out a large claim, the insurance company is very motivated to basically ensure that its own customer didn't, shall we say accept terms without reading them or just kind of accepted the terms and figured it would be all right. And the reason I'm using language like that is that this is often what I hear when I talk to clients about security addenda, whether they're in an insurance contract or if they're just in any other business to business contract, a lot of companies are willing to gloss over those technical representations and warranties. And I think what Josh just said is that's a terrible idea.

Josh Franklin : Absolutely. Absolutely. That's the first thing they're going to look at when there's a claim, is they're going to turn around and look at the application and see where they can find some possible misrepresentation that they can latch onto. And the problem is that courts look at this and it may be, I can give you another quick example. It may be that it's something that had nothing to do with the actual loss, but because it's in the application, there's a presumption that the representation is material and was relied on by the insurance company.

So we had one client a few years ago who had a policy that was recommended to them by a bank. And they ended up getting this policy. And one of the conditions was that they had to download and install this security software, which would protect the interface in initiating wire transfers. Okay. They failed, they downloaded it, but they didn't actually install it. And it turns out that they were the victim of a phishing scam, where they went into this interface and they initiated a wire transfer. The software had nothing to do with it. They were fooled by the email and it was not a situation where someone hacked into the bank's software interface and manipulated the wire transfer. The client actually voluntarily did that because they had been misled. But because it was a condition of the policy, there was no coverage and there was nothing they could do about it. The fact that they did not install this software completely invalidated coverage for any loss.

Jake Bernstein: Ouch.

Kip Boyle: Wow.

Josh Franklin : Unfortunately, there's a lot of stories like that.

Kip Boyle: Yeah. Well, and it also happens that people get confused about the protections of a personal bank account versus the protections afforded to a business banking account. And they're very different. And I know of cases where banks have said, from our point of view, this transaction was complete and whole, and there was no fraud indicators and so forth. And that's because, as you said, somebody was tricked, and there's no $50 liability limit for things like that. Like there is with personal accounts and personal credit cards and people get surprised by that.

Jake Bernstein: They do. So let's go ahead and move on to our second topic here, which is, Josh, items to negotiate with the insurance company. And I think one of your first examples here is really important. I think it's something that people often don't think about until frankly, until they're trying to make a claim, or get coverage, or get assisted. And that would be authorization of service providers, whether it's an IT consultant, a forensic firm, or your attorney, what can be done there? What can our clients, our customers, our listeners, what can they really negotiate with insurance companies?

Josh Franklin : That's a great question. And with cyber policies, in my experience, some of these items are a lot more negotiable than they would be with other types of commercial policies. So a commercial general liability policy, or a commercial property policy, these are standardized policies. They use the same forms from insurance carrier to carrier. There's not a whole lot of difference between one policy to the next. So you can go out and say, get me three million in limits and get me the lowest premium.

With cyber policies it's very different. These policies are manuscripted, which means each one is unique in terms of the coverage grants and the definitions and the exclusions. And as a result of that, there is some more flexibility in terms of items you can negotiate. So if you have professionals that you rely on and you're comfortable with, and you would want to have available at your disposal if something like this happened, whether it's an IT consultant, or a lawyer, or a PR consultant. It's a lot easier on the front end before you purchase the policy to negotiate the approval of those professionals being authorized service providers in the event of a data breach. You can also negotiate key areas of coverage. The example I gave before about PF Chang's, if you want to make sure that you have some type of PCI coverage, you can negotiate an endorsement for that.

There's also flexibility in terms of, this is what insurance companies are going to do. The things that are most likely to happen, they're either going to be excluded or there's going to be a sub-limit. So you may have a million dollar policy, but you're sub-limit for ransomware or a phishing scam might be $25,000, because those things are more likely to happen. And you don't have as much coverage as you might think you have, you can negotiate a higher sub-limit or removing the sub-limit. You could take away certain exclusions that are problematic for you. These are all things that can be done on the front end and should be done on the front end. And one of the things I'll just, if there's one thing I had to recommend trying to get rid of is if a policy that you otherwise are interested in purchasing has an arbitration clause in it, I would recommend trying to get that removed.

Jake Bernstein: So that's an interesting point, and I don't want to spend too much time on it, because it's kind of a lawyer focused point, but a lot of the times, arbitration is just cheaper litigation. What is your specific, what is your recommendation based on there, in this case? I think I can guess, but why don't you go ahead and tell the audience.

Josh Franklin : Yeah, there's a lot to talk about on this topic, but I'll keep it short. Arbitration is a private dispute resolution process where retired judges or lawyers are hired and selected by the parties to resolve their conflict. And they're paid, but both parties generally have to agree or there's some selection process. And you can imagine that as between a small business and a large insurance company, let's use Lloyds of London or one of their syndicates, as an example, if you are an arbitrator, you can't help but think that the prospect of future business with one of these large insurance companies is going to come into play. And if a decision has to be made, and someone's going to get the raw end of the deal on a decision, in my view, arbitrators are going to be more likely to hand down a decision that hurts a small business that they will likely never see again, and who will never be in a position to retain them again, versus an insurance company who they're trying to cultivate a relationship going forward for future business.

Kip Boyle: Wow. I had never thought of that angle.

Jake Bernstein: You know, I hadn't either. That's actually a really, really important point. Thank you for that. That's a hat trick there for us. Whatever sport you want to make a metaphor with. So, okay. That's great. Kip, do you want to ask about the third topic in the what? Five or six minutes we have left?

Kip Boyle: Yeah, yeah. So the third topic kind of strikes me as a bit of a grab bag, but Josh, you can tell me if I'm being a little too loose with that interpretation, but you were telling us that there are some important conditions of coverage that buyers of policies need to be aware of. And so, I was hoping you could just walk us through, what are the top items?

Josh Franklin : Sure. So number one, we've already touched on it, is complying with any representations that are made in the application. Make sure you understand what those are and comply with them. If there's some... Go ahead.

Jake Bernstein: On that point, when you say, lawyers will often talk about substantial compliance or strict compliance, what level of compliance with application representations is required, or in your experience, is important to have in order to avoid kind of the insurance company taking back the money they already paid you?

Josh Franklin : I would recommend that anyone that has one of these cyber policies that has any type of security protocol referenced in the application, that they consult with an IT professional to make sure that they can establish beyond doubt that they're complying with that, because that's one of the first things the insurance company's going to look at. And especially if the insurance company has had the benefit of defending a negligence lawsuit against the insured. And they're seeing all of the things that are pointed out, steps that or items that were missed and mistakes that were made by the insured, the insurance company then turns around and uses that against them on the backend to try to recoup money that they spent in defense costs or a settlement.

Jake Bernstein: That doesn't seem fair.

Kip Boyle: Wow, talk about money ball.

Jake Bernstein: Yeah.

Josh Franklin : Yeah. It's a big problem. Another condition I referenced, if there's some requirement that any specific software has to be utilized, downloaded, installed.

Jake Bernstein: Do it.

Josh Franklin : Other types of similar policy requirements. Absolutely. Don't even think about putting it off, make sure you do that, because these are often phrased as conditions of coverage. So they're conditions proceeding to coverage. Meaning if this doesn't happen, the coverage does not begin, and there's no argument that you can make to say, well, it didn't really make any difference in this case, I should get coverage. You're going to lose that argument every time, unfortunately.

Jake Bernstein: Another-

Josh Franklin : Yeah, go ahead.

Jake Bernstein: And just by way of example, I think it's important, I mean, I'm going to make an intentionally goofy example here, but I want to point it out because hypothetically, Josh, if a cyber policy says, thou shalt install McAfee Virus Scan, Norton Antivirus, Windows Defender, and insert other name, and you don't install all of them, even though it's completely silly to do so, they could deny coverage. Is that the idea?

Josh Franklin : Absolutely. And they will.

Jake Bernstein: And they will.

Josh Franklin : Another important condition that you need to be aware of, not only with cyber policies, but any type of liability policy, is obtaining the insurer's consent before spending any money. You can't authorize any payment or whether it's a settlement or hiring a forensic analyst, or any of those expenses, make sure that you obtain the insurer's consent before doing that because that's a condition of coverage and oftentimes there's specific exclusions for payments that are made without the insurer's consent.

Another other important condition is timely reporting. If something happens, especially if you have a claims made and reported policy, there are specific requirements in terms of when a claim has to be tendered in order for there to be coverage. And if you miss that, even if the incident occurred during your policy period, if it's not reported until after that policy expires, or sometimes there's an additional period, a reporting period, that's tacked onto the end of that. But if you miss that window, there's no coverage, and it's again, a condition proceeded into coverage. So there's nothing you can do about it.

One other thing I wanted to mention, especially in the context of data breaches, is be aware of what your policy's retroactive date is. So you might have a policy that starts, let's say you have a policy coming up and it's starts November 1st, make sure that your retroactive date isn't November 1st. And we generally recommend that the retroactive date be at least one year before the policy period, because, as you guys know, oftentimes when there's a data breach and there's an investigation, it's determined that there was actually malware or something else that was introduced into the network before the data breach was discovered. And the policies are written in a way that if the data breach that you are reporting now is deemed to be related to something that occurred beforehand, those claims are going to be deemed one claim that was first made at the time of the first incident. And if that first incident was before your retroactive date, you're going to have no coverage for any of it. That's another important-

Jake Bernstein: That's kind of like a-

Kip Boyle: This is so hard.

Jake Bernstein: The preexisting conditions for businesses in a way.

Josh Franklin : Correct.

Jake Bernstein: So one thing you just mentioned, and I want to make sure we hit this before we finish up here, is what is a Claim in this context? With a capital C. What does that mean?

Josh Franklin : Well, in the third party context, the classic definition is it is a demand for monetary or non-monetary relief. And this can be tricky, if you get a demand letter or you get a letter from a customer that says, hey, I don't like the way that you did this and my data may have been compromised, and you can't charge me. Or either I'm demanding money, or I want you to not charge me for future services. Something along those lines could be deemed a demand for monetary relief or non-monetary relief, and that's deemed a claim, and you need to make sure that is... You should treat it as a claim and make sure that it's within, if you have a claims made policy, that it's reported during that particular policy period when you first receive that, because if you turn around and you're sued six months or a year later, and they look and they find, the insurance company finds that initial letter, I mean, we have cases that we've dealt with on this precise issue, they'll say, Hey, that first letter was a demand letter. You didn't tender, this claim actually arose during that prior policy period, and because you didn't give notice of it during that policy period, you have no coverage for any of it.

Jake Bernstein: Wow. So, I mean, the lesson, I think, from this whole episode is insurance companies have a very unusual, a really conflicted relationship with all of their customers. On the one hand, they do exist to serve their customers needs and provide coverage. On the other hand, though, it is just as true that they exist to make a profit. In fact, I'd say that's probably their number one priority. And never forget that, because what that really means is that they will honor the contract, but they're going to do everything they can to recover money from you if you didn't abide by your side of the deal.

Josh Franklin : Absolutely. And always remember, this is sometimes a surprise to business who haven't been through this before, but the insurance claim process is an adversarial process. It's not as though you're going to snap your fingers and someone's going to show up in your living room with a check. That doesn't happen. It's an adversarial process. You need to expect a fight, and you need to be prepared.

Jake Bernstein: That's a really good ending message there. So go ahead Kip, why don't you wrap it up.

Kip Boyle: Right, yeah. Thanks, Josh, for being our guest, we really are glad that you joined us today. And as we close out the episode, I imagine some of our audience might like to speak with you. So how could they find you on the internet and otherwise?

Josh Franklin : Absolutely. Well then name of my firm is Franklin Soto LLP and the website is franklinsoto.law. Dot L-A-W.

Kip Boyle: That's a cool .law. I hadn't heard that top level domain yet. Okay, great.

Jake Bernstein: It is.

Kip Boyle: Okay. So that wraps up this episode of the Cyber Risk Management podcast. Today we discussed cyber insurance coverage and exposure from a litigator's perspective, which was super informative. And we did that with the help of our guest, Josh Franklin. Thanks again, Josh, thanks Jake. We'll see you all next time.

Jake Bernstein: See you next time.

Speaker 3: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.