EP 80: Cybersecurity Insurance makes progress in the right direction


About this episode

May 25, 2021

Cyber insurance companies are starting to figure out what practices actually reduce the risk of a major cyber incident. Walk through an insurance application with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead. AND: Will all attorneys please join us online for a free, one-hour CLE on June 23, 2021 at 12 pm Pacific where Kip and Jake will teach you how to answer client questions about ransomware? Sign up here:


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at and

Jake: So Kip, what are we going to talk about today?

Kip: Yeah. Okay. So here comes the real good stuff, right? The real good stuff that we can give you now. We're going to talk about what I've recently learned from filling out a cyber insurance application for one of our joint clients.

Jake: So Kip, I want to ask you if you can just give us the bottom line upfront, but first, haven't we talked about this before, and haven't we, in the past, found that cyber insurance applications, let's just say, leave a lot to be desired? At least from our perspective. Has something changed?

Kip: Yeah, we have talked about this before and yes, absolutely something has changed. And what's changed is that the cyber insurance companies are starting to figure out what controls actually reduce the risk of a major cyber incident. And so we're seeing the applications for coverage change to reflect that. And what we're also seeing is that policy holders actually have to do these things, or they're probably not going to get coverage.

Jake: So what we're really saying is insurance companies are tired of paying out many, many, many claims when people aren't doing even the minimum type of activities that would reduce the risk?

Kip: Yeah. They really... I would characterize what they've been doing to this point as a testing phase. Gathering data, trying to figure out what exactly are the losses and how are those losses caused? It's a typical insurance industry maneuver to want to gather lots of data to understand the problem space. Because I don't know that they're making any profit on cyber liability insurance right now, but they have to, or they're going to have to stop selling it.

Jake: Yep. That makes perfect sense. Okay. Well, is the episode over now? Can I get back to drafting some legal memoranda?

Kip: I don't think it is over yet because actually there's some... I think people would want to know what these controls are, what are these requirements? And there's actually some cautions as well because as I went through this application, I was actually surprised by some of the things I saw in there. Not surprised as in, "Oh my gosh, they, they shouldn't do this," but rather, "Wow. I'm happy to see this in here." And, "Ooh, wow. People who apply for insurance should really think hard about how they answer this question or that question." And so I think folks, everyone who's going to get cyber liability insurance either for the first time or on a renewal are going to start to see these new things. And I think we should share the details.

Jake: Yeah, I totally agree. Before we do that, we should tell them what our friends, Chris and Jay told us over the phone the other day. I think Chris has been a guest on the podcast and these two guys are two independent insurance brokers that we've worked with in the past to get our clients the best value on a cyber liability policy. And what they said was in addition to the new requirements that we'll be talking about on the application form, some insurance companies are even requiring a recent, external network penetration test prior to the application approval. And they will decline to write the policy until found defects are corrected. And just to be clear, and maybe you can speak to this, this is one of those very surface level network, almost more of a port scan than a full pen test, but still this is a new thing.

Kip: Yeah. I would say that as an industry, we've really lost the meaning of a penetration test. That term used to mean that somebody would use manual effort and custom scripts and whatever it took in order to meticulously review externally facing systems and networks. And then apply what they learned and their considerable skills in order to actually enter the network. These days, it's really devolved more to what I would call a vulnerability scan where we've got a piece of software that automates the detection of missing patches, bad configurations and that sort of thing. And so that's what a pen test seems to mean these days is just "Hey, let's just scan that thing with Qualys or some other commodity vulnerability scanner."

And yeah, that's helpful but yeah, it's not exactly a full on in-depth test, like it used to mean, but I think it's amazing actually that insurance companies are requiring it because at this point the applications have been fairly passive. It's they just ask a bunch of questions. You check yes or no, fill in a few blanks, but they never really seemed to check on anything, right? They never really verified. It was just, it was all a trust based exercise with penalties for fraud, right, in the signature line? I mean, that's how they enforced that you put the right answers.

Jake: Now it's a bit more like your typical life insurance policy where they probably will send someone out to check your blood pressure, weigh you, get a blood test, things like that.

Kip: Yeah. Maybe a simple EKG if you're getting a really large amount of life insurance. So yes. And what this all comes down to is there's a maturation process going on here. And I think life insurance is a reasonable way to understand it, but I actually think fire insurance is a much more apt metaphor. And I've written and talked about this before and that's... So I've spent some time thinking about this and fire is something that's just too useful for us to live without.

So when we started building big cities, we brought fire into the cities with us. And we've had many major catastrophes where fire has gotten out of control. You've got the Great London Fire of 1666, and then the Great Chicago Fire of 1871, the Great Seattle Fire of 1899. There's others, right? And the loss of property and life was staggering from fire that got out of control. And eventually we just said like, "Okay, well we're not going to stop using fire. So we really have to figure this out." And things like firewall. Jake, I think we've talked about this before, but the term firewall used to mean a literal wall made out of bricks that would keep fire from spreading from one rowhouse to the next.

Jake: That's a fascinating thing. And folks, he meant 1889. No need to add us on Twitter or something about the 1899 slip up there-

Kip: Oh, did I say 1899?

Jake: [crosstalk] Seattle Fire.

Kip: Oh gosh.

Jake: It's all right Kip. We forgive you. But the audience may not. So I just wanted to pave that over-

Kip: Thank you.

Jake: ...right now.

Kip: Oh, thank you. I don't know what else.

Jake: So how did we figure out the best ways to reduce the risk of fire in cities?

Kip: Well, so eventually people said, "We want insurance against fire," but they couldn't buy insurance because there was no product, but people wanted it. And insurance companies said, "Oh, here's an offer or an opportunity to sell something." Not unlike what's going on right now. I mean, we're using computers, they're too useful to stop using. They bring a tremendous amount of risks that are going up more and more and more. And so people are like, "Hey, we want some insurance because these things are... If they go crazy, it's going to cost too much money." So, okay. So when that happened with fire insurance, the insurance industry did the same thing. They started asking themselves, "How do we decrease the risk of fire so that we can actually sell a product that makes a profit?"

And so now today, I think none of us alive really went through this evolution. I mean, who doesn't take for granted things like well-funded fire departments in cities and fire hydrants in convenient locations everywhere? Building materials that tend to resist bursting into flames, built-in sprinkler systems in buildings, all that stuff, right? All those preventative controls came from insurance companies saying, "We're not going to write you a premium or a policy at all. Or if we write you a policy you're going to have to pay a larger premium because you don't have these proven fire prevention controls." And so that's what's happening right now is insurance companies are going through that same evolution.

There's one big difference though. And anybody who's been listening for any length of time knows what I'm about to say is that cyber is not a static risk. Fire is a static risk. We really don't have the kinds of fires in our society today that we used to. But that's because fire is immutable, it never changes. It's always the same. So once we box it into the corner, it pretty much stays where we want it to stay, but cyber's not like that. So even though we're going to talk about a lot of controls that the insurance companies are coming up with, that list is going to change over time. So, I mean-

Jake: Kip.

Kip: That means we're going to have more episodes like this.

Jake: You might say that fire doesn't innovate.

Kip: Fire doesn't innovate. Exactly.

Jake: You know I can't resist.

Kip: And I always like to give you the opportunity to say it. Enjoy it.

Jake: Before we go any further, I want to say that you may not want to answer some of these questions on this list that we're going to talk about as an applicant, because they may be uncomfortable, but you have to, and you have to be honest. And the reason for that... Well, there's two reasons. One is if you simply don't answer, they're not going to process your application. So you won't be able to get the cyber liability insurance. That's fairly obvious. What's less obvious are the consequences if you fudge any of the answers. And that is really on its way to insurance fraud. And that's a bad thing, it'll cost you way more money in the long run if you attempt to defraud the insurance company. You'll sacrifice your premiums and you won't get coverage.

So bottom line is, don't do it. So Kip, why don't we... We're not going to say the name of the insurance company, but it is a typical cyber liability insurance. And by the way, interestingly enough, this is actually labeled a short form application. And it's only four pages, really three of substance, but it's pretty detailed. So why don't we go ahead and you just take us down this application and we'll talk about it.

Kip: Yeah, will do. So it's in numbered sections as you might expect. I mean, just actually it reminds me a lot of a tax return form. It's just dripping with bureaucratic look and feel. And so the first section is just the same stuff you'd find at the top of a tax return. Like, "Who are you? Where do you live? What's your website address? What's your phone number?" And for the life of me, I can't imagine why they want to know it but if you have a fax number, they want to know that too. Who the heck has a fax number anymore? I think the medical industry, right? But is anybody else? I don't know. I haven't seen one in a long time. Okay. So there's your general information. And then the second section is about the form of your business. This is very typical. This really hasn't changed, these first two sections, since I've been assisting customers-

Jake: And these are pretty generic.

Kip: ...these things. Yeah. Pretty generic. Third section, they want to know how much revenue you've been generating. They want to know the current year, the last year and the two fiscal years ago. So they're going to want to... They want some demographics. Now, this is where it starts to get interesting. So section four, they're asking, "Do you have records with private or sensitive information in them?" And they actually define the term sensitive information in bold type. And it is a long list. I was going to ask you, looking at this list, is this list concurrent with GDPR and CCPA and or is it a subset?

Jake: So it's not directly the definition from any of those statutes. The way it's written is really to be all encompassing. It is definitely heavily influenced by GDPR and CCPA. It basically is saying private or sensitive information includes any information or data that can be used to uniquely identify a person. And that is essentially the core of the modern-

Kip: Okay.

Jake: ...privacy definitions here. And it does give one of those classic, including but not limited to lists that harkens back to an older time period of PII. But no, I would call this a modern definition.

Kip: Okay. And so I guess the reason I'm asking is because, well, first I was wondering if it was omitting anything like really crucial. It sounds like no, it's not, but I would also not encourage applicants to think that this is a legal definition of any kind. I just feel like it's just there more for convenience or something.

Jake: Be careful there, it is a legal definition because this is a contract and therefore-

Kip: Oh, that's true.

Jake: ...and therefore there is a legal component to this. This is why I'm on the show Kip.

Kip: Yes. Yes. It's true.

Jake: And so it's not a statutory definition.

Kip: That's what I was trying to say.

Jake: ...but is a legal definition for purposes of a contract.

Kip: Okay. All right. So they're asking you, "Do you have any of this sensitive information?" They want to know, "Do you have paper records?" And they want to know if you have electronic records. So they actually have two different spots in the application for you to differentiate between paper records and electronic records, which I thought was interesting.

Jake: [crosstalk] ...which I think is fascinating. I mean, they say, "Please provide the approximate number of unique records." I don't know about you Kip, but in my experience a lot of clients, at least their initial response is, "Well, I have no idea. A lot." Right? And I think that is not a sufficient answer anymore. You don't necessarily have to know to within four significant figures how many records you have, but you probably need to know to the nearest thousand, I would imagine.

Kip: I would think the more specific you get here, the more excited and happy the insurance company is going to be. And I was wondering like, "Okay, now what are they going to do with this information?" I wondered, are they going to somehow use it to approximate the cost of a potential claim for this company?

Jake: That's what they'll do with it, because right now the way that most statistics have come together, and this is pre CCPA damages calculations is that there's a lot of kinds of... There's a lot of data on average cost per record. And so that's what they'll do with these numbers. Now, obviously with CCPA and soon CPRA, they can get even a little bit more granular. So that's what that's for.

Kip: Okay. So if you don't know how many records you have, you might want to start counting. You may want to take a census. Now, here's the next section. And this section, I don't recall this existing before. So I think this is a new section, but listen to this. "Do you collect, store, host, process, control, use or share biometric information or data such as fingerprints, voice prints, facial, hand, iris/retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person?" And if you say yes, then they've got a supplemental question here. But let's look at this. Wow. Jake, do you think this is like the... Why wasn't this part of the sensitive information that they asked about in just the previous question? I mean, why do you think they broke it out as a separate question?

Jake: So the reason is that, and we actually haven't talked about this much on the podcast recently if at all, but there are a number of biometric information specific laws. The one that comes immediately to mind is Illinois's BIPA. And I don't remember what that stands for right now, other than biometric information is the BI. Probably biometric information protection act. I'm just going to guess.

Kip: Probably.

Jake: I bet that's right.

Kip: But the Twitter sphere may go after you for that one. I can't-

Jake: They may. Well, that one I have couched in, "I'm not sure." So hopefully they'll forgive me if I'm slightly off, but the basic reason is that it's another class of data that can come with consequences for losing it. BIPA in particular has, I'm pretty sure, a private right of action. Again, I don't practice law in Illinois that much, so well, actually at all.

Kip: Currently.

Jake: Yeah. Currently. So that's what this is about. And it's a growing issue. So that's why.

Kip: Interestingly, they don't ask how many of these pieces of biometric data do you have? So it's interesting. They ask you for records in the previous question about private or sensitive information, but they haven't yet got to the point where they want to know just how many of these bits of biometric data you have. So, and then if you say yes, then it's like, "Have you reviewed your policies related to collection, storage, destruction," so on and so on, "with a qualified attorney and confirmed compliance with laws?" How interesting.

Jake: No, that is fascinating. I'm not sure how I feel about that. On the one hand, it's not necessarily their business to know if they've gotten legal advice, just because of attorney client privilege. On the other hand, I totally understand why they're asking. And it's fascinating.

Kip: And if they're asking this question on biometric information, wouldn't they ask this question about just sensitive information?

Jake: You would think, but I mean, who knows where this form is coming from?

Kip: I just think it's fascinating.

Jake: It is fascinating.

Kip: I can't help but to compare and contrast like, "Well, if you ask me it here, why didn't you ask me it there?" So it makes me wonder. Obviously ladies and gentlemen, I'm like the consummate analyzer, right? I can't help but to just pull this stuff apart. And maybe there's no good answer. Maybe there's an insurance. Maybe there's somebody who works for an insurance carrier in the audience who might be able to reach out to us and give us answers to some of the things we can't quite figure out. That would be nice. So I would invite you to do that.

Jake: My guess is that there is not a particular reason. There was someone who wrote this form and they just thought it was a good idea. So they put it in there.

Kip: Okay. Well, we'll find out.

Jake: It could be that simple. The last question here [crosstalk] is really simple. "Do you process, store or handle credit card transactions? If yes, are you PCI DSS compliant?" Okay. So let's move on to the next section, which is also really interesting. It's titled IT department. And this-

Kip: I haven't seen this section before either.

Jake: This is definitely a new section for me, at least. "This section must be completed by the individual responsible for the applicant's network security. As used in this section only, you refers to the individual responsible for the applicant's network security." So this is really fascinating on a number of levels. One, they're asking really IT department specific questions, but they're also asking a specific person to frankly, go out on a limb and really put themselves out there. So obviously the first question here is, "Who is responsible for the applicant's network security? Name, title, phone, email, address, IT security designations, if any?" They have a simple two choice checkbox for whether or not your network security is outsourced or managed internally. They want to know the number of IT personnel. "How many dedicated IT personnel are on your team?" And then-

Kip: Then the next part is just absolutely riveting to me. They actually have a separate signature block inside this IT department section where the named individual is actually signing and affirming that information is complete and accurate. And, this is fascinating too, "They consent to receive direct communication from the insurer regarding potential urgent security issues." So I just, I saw that and I was like, "Wow."

Jake: Well, Kip I do. I wonder if despite our earlier conversation, if we do need to reevaluate our metaphor or our analogy to fire insurance, because this does start to feel more and more like health insurance or life insurance, I should say. Because a life insurance application asks all kinds of personal questions. You give them the right to ask you more questions and to run tests on you. And if you think about life insurance, right, your risk is dependent on external factors obviously, but also a lot of personal choices. And I think that's what this is looking to me like is, yeah, there's external factors, but they also care far more about what choices you are making. And section six, the next one, actually six and seven are included in this, the...

Kip: In the attestation?

Jake: The attestation section here. And while these aren't particularly huge sections, I mean, none of these, this whole thing obviously is three pages. It's not a huge, huge... It's the short form one as we said. But section six is information and network security controls. And while these are somewhat basic, "Do you use a Cloud provider to store data or host applications? Yes or no. Please provide the name of the Cloud provider." Humorously, that's way too short a line for most clients who are going to have to list more than one.

Kip: Yes.

Jake: They do cover that though. Then they want to know if you use multifactor authentication to secure Cloud provider services, and then they want to know, and this goes to, I think, an issue with a lot of non cybersecurity professionals. "Do you encrypt all sensitive and confidential information stored on your organization systems and networks?" I mean, you and I both know it's not that simple. That isn't really a yes or no question. Well, you mean-

Kip: They think it is.

Jake: Do you mean at rest? Do you mean in transit? Do you mean at all times? Do you mean backups? I mean, what do you mean? [crosstalk] Maybe that's me just being a lawyer, but it's also me being a security professional. So I think it's okay. I'd rather them ask than not. I do think that overall these types of forms will need work over time.

Kip: But doesn't it, I mean, okay. So man, I'm just, my head is spinning here. So first of all, we've got these multiple sections where a named individual in the IT department is signing off saying, "Yes, these answers are correct." Including questions that are just simplistic, overly simplistic. And it's like, "Boy." Because some of them are overly simplistic, if you get denied coverage because you file a claim and you said, yes, everything's encrypted. But then the insurance company says, "No, you didn't encrypt everything because here's one exception where you didn't encrypt it." And then there's a bunch of disagreements. And so, ah, man, this just looks like a rat's nest.

Jake: Well, it's a, yeah, it's a can of worms. Let's just keep-

Kip: Oh, come on.

Jake: ...throwing metaphors and similes and analogies and whatever else. It is a problem because I'm not sure how you answer this question of, "Do you encrypt all sensitive and confidential information stored in your org systems and networks?" And here's the question if they say no, there are two subquestions. [crosstalk] The problem is that you're really limited. If you don't happen to use segregation of servers or access controls with role-based assignments, you'd have to say no to all of these. And you might be denied. The application might be denied even though those are not the only choices from a security operation standpoint. So look, it's not perfect and that's fine. I think section seven is even more interesting in a way, because of how specific it is. You can tell that obviously-

Kip: It's called ransomware controls section.

Jake: It's called ransomware. Exactly.

Kip: It's huge.

Jake: And why do they care? Because ransomware is the main thing right now. Right? Kip, why don't you go ahead and take us through this and we can react to some of these questions.

Kip: Yeah, sure. And as I do it, I just want to remind everybody that we did an episode not too long ago about something called the essential eight. And the essential eight is eight practices that are designed to help reduce the risk of a major IT security incident. And one of the major incidents that it's designed to reduce risk around is ransomware. And so when I saw this section, which we're going to go through now, one of the things that I asked myself was, "Oh man, how much, how much essential eight goodness am I going to find in here?" So let's think about that as we go through it.

So they want to know if you pre-screen emails for malicious attachments and links. And if you say yes, they want to know, "Do you have the capability to automatically detonate and evaluate attachments in a sandbox?" And when I read that, I was like, "Ye gods, they actually have somebody over there who knows what they're talking about." I mean, those are terms of art that in my line of work I would not expect to see on an insurance policy application. So I was kind of, "Oh, that's cool. They get it. Wow." And then they want to know if you can access your email through a web app or a non-corporate device. "Do you allow remote access to your network and do you use MFA?" MFA is all over this application, by the way, it's just over and over. And they even want to know if you do it, "Who is your multifactor authentication provider?" And they have a space for you to put it in there.

Jake: [crosstalk] ...want to know... Super fascinating is that they actually give a dropdown and they provide 1, 2, 3, 4, 5, well, five pre-selected MFA providers. And then an "other," where you can type in your own, but I find that to be fascinating. And the same thing is true with so-called NGAV, next generation antivirus. I've not heard NGAV before. I like that.

Kip: I've never tried to actually pronounce that before.

Jake: Product. Yes. And then they want to know who, and there's a lot more options here. They have an EDR tool question. Do you-

Kip: Endpoint detection and response tool.

Jake: Yep. Which is a real, common, new, modern system.

Kip: And that EDR tool is important because what it does is it actually validates the fact that most cyber attacks are fought on the endpoints these days. Nobody's doing a frontal assault on a firewall, unless your firewall is poorly configured and they can quickly figure that out. And then more MFA, more MFA, they keep asking about MFA. And then there's a big section on a data backup solution and do you have one? And if you say yes, then they have all these supplemental questions of which MFA is another one twice, at least twice in there. Oh, here's the one that I just went, "Oh, yes." Here's the question. "If you do have a data backup solution, are backups kept separate from your network as in offline or air gapped or in a Cloud service designed for this purpose?" Yes. Yes, yes, yes. A thousand times yes. This is great. I love seeing this.

Jake: Well, and I think what they're really doing here is... And actually B is interesting too. "Estimated amount of time it will take to restore essential functions in the event of a widespread malware or ransomware attack." They want to know if it's zero to 24 hours, one to three days, four to six days, one week or longer. Why Kip? Why do they care? Well, because business interruption insurance, this is all... Look, make no mistake. None of this ultimately is about effective or reasonable cybersecurity, even though it gets you there to some degree, it's about the dollar. It's about how much money are you going to potentially cost us if we decide to write this policy? And there's nothing wrong with that. That's how insurance, that's how they have to operate. But it is fascinating because as recently as a year or two ago, nothing like this was on insurance applications. At least the ones that we saw.

Kip: Yeah. That's true. And insurance has pretty much worked this way since the first known contracts were written way back in like the 1300s to cover maritime, right? Because that's when people started sending ships to the New World and everything was weird and nobody knew just what they would find. And a ship would leave and just mysterious never come back and nobody knew why. But there was a lot of money invested in it. But yeah, so insurance has just pretty much, I think, conceptually worked the same as it always has. And there has to be a profit. If there's really not a profit, if there's not some way to pay claims, then the whole scheme just doesn't work. But I really think it's both Jake.

I think this application is doing two things at the same time. It's helping the insurance company put a boundary around their losses, their potential losses. And it's also sending strong signals to insureds about what their practices should actually be. And these are I think, the equivalent of, "Is your building near a fire hydrant? Have you constructed the walls out of flame resistant materials and do you have a sprinkler system?" And to the extent that you say no, no, no, or you have weird systems that you have to explain using the additional comments section, that's all going to work against you in terms of you getting preferred rates and that sort of business.

Jake: And we haven't talked about it, but I love phishing controls, the section on phishing controls. It's very short, very simple, but it's obvious what they care about. They care about the business email compromise. Right?

Kip: Yep.

Jake: That's why they say, that's why one of the questions is, "Does your organization send and/or receive wire transfers? And if yes, do you do or not do all of these different things?" And we're not going to go over it because we're running off time here, but it is really important to ask these questions.

Kip: And what they ask, the things that they're asking, "Do you do this? Do you do this?" Well, gosh, that's the stuff that I tell my customers that they should be doing. And so when I was wondering how much of the essential eight is in here, a lot of it. There's a lot of essential eight in here. It's not called that, but it's everywhere in here.

Jake: I have to give a lot of credit to this insurance company for having an application that simultaneously does a really nice job of providing almost a basic checklist of how to get reasonable cybersecurity. Now, it's obviously focused on what the insurance company cares about-

Kip: Right. Right.

Jake: You'll note they have-

Kip: I think of it as an education piece, right?

Jake: It is.

Kip: As the person who's responsible for filling this out does fill it out, they're getting a very visceral reaction. Like, "Oh my God, we don't do that. Oh my God, we don't do that." And then they're like, "Oh God, do I dare to admit that we don't do that? [crosstalk] ...get coverage?"

Jake: That's where it gets interesting. Now, it is also interesting that they finally are including a loss history. That's super common in insurance applications in general. Haven't seen it until recently in the cyber place. But this is certainly... It's basically asking about the last three years, have you had a cyber incident that's cost money?

Kip: And one of the questions that stands out to me is, "Have you received any cyber extortion demand or threat?" That's a flimsy question, right? Because I mean, if you had some random email that came in that was a baseless extortion attempt, do you have to say yes?

Jake: That starts to get into, I think, a different level of question there. I think they probably mean credible cyber extortion demand or threat.

Kip: [crosstalk] ...words matter, right? I mean-

Jake: [crosstalk] ...words do matter. Yeah.

Kip: Anyway, so this again, I just can't help to... When somebody asks me a question like this I'm like, I'm parsing the hell out of these questions to make sure that I am answering truthfully.

Jake: Well, and you have to, because the second you start making a claim, someone's already going to go over this, your application history and your application answers, and they're going to start setting up questions to ask. Because if they can find that you answered any of these dishonestly or inaccurately, they might be able to not pay your claim. And that's the business model.

Kip: Yeah. Well, anyway, plenty of other things in here that if we had more time we could do a double episode for sure, with all the stuff that's in here. But I think the points that we wanted to make, I think we've made it, which is the bar has been raised. The insurance industry is getting their act together as far as what exactly is it that reduces the risk of a big claim. And I think this is just going to continue.

Jake: Yeah, I think so.

Kip: Any other thoughts before we wrap it up Jake?

Jake: Many, but let's wrap it up and we can come back to this topic.

Kip: Okay. Well, we will come back to this in the future, but for now this episode is over. Today, we reviewed what cyber liability insurance companies are starting to figure out about what practices actually reduce the risk of a major cyber incident. Thanks for being here, everybody. We'll see you next time.

Jake: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport. So include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at and Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.