What Is the Problem With Cyber Insurance? | EP 019

Connor Swalm

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.


Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor Swalm, CEO at Phin Security. And today we have back on the podcast a good friend of mine, Brian Mahon. Brian, how are you doing?


Brian Mahon
I'm good, Connor, how are you? 

Connor Swalm
Oh, I'm doing amazing. If I were any better, I'd be a twin. I always say that to anyone else. That's a twin. I like that. I'm a triplet, so you decide. 

Brian Mahon
What that means if I'm a twin. 


Connor Swalm
So, Brian, you're a cyber insurance expert. Is it fair to say that?

 

Brian Mahon
It's pretty fair.

 

Connor Swalm
Okay. And I love it. Very confident. And on our last episode, got to...

Brian Mahon
Be worried about agency errors and omissions, throwing around that expert word.


Connor Swalm
Yeah. I never try to call myself an expert. It makes me feel weird. But on our last episode, we talked about cyber insurance, where it was pre-COVID and post-COVID. And today, what we almost got into was problems with cyber insurance, and that's what we're going to get into today. So what are some problems that you see with cyber insurance, as a person who lives and breathes it?


Brian Mahon
Yeah, I got 99 problems, and cyber insurance is not one. We have a ton of issues here from an insurance industry perspective when it comes to cyber liability. Right. First, there's a knowledge gap or a talent gap, just like a lot of industries are facing right now, ever since, I guess they coined it, the Great Resignation. But the average insurance agent in the US, I believe, is around 45 to 55 years old. Don't quote me. There are different data points out there, but...

You could probably tell, if you're watching, I guess, the video version of this, that I'm not. So that's a good thing, that nobody grows up and wants to be an insurance agent. Let's say maybe you'd be Jake from State Farm for Halloween, but everybody wants to do something a little bit more sexy: work on Wall Street, be a realtor. So there's a knowledge gap. And I think part of that is, historically speaking, cyber insurance has been around for 20-plus years, as we mentioned on a previous episode, but the commissions weren't there. I mean, cyber was kind of...


Connor Swalm
Oh, yeah. 


Brian Mahon
I don't really think I need that. It was very simple to underwrite, and there weren't really cyber specialists out there. Maybe the big brokers. There are 40,000 independent insurance agencies in the United States.

Maybe the top ten or 20 might have a cyber team or a cyber specialist. But now we're seeing some more middle-market agencies, and certainly carriers, develop tech and life science or cyber practices. So it's getting better, but it hasn't been good. So there's a talent issue. The second issue with cyber insurance is the product. It's a very immature product.

I'll say it's matured very fast the last few years. But there's no standard form. So what I mean by that is there's no standard skeleton or cyber insurance policy makeup like there is in other insurance products. Like, there's ISO, industry standard organization, that says, here are the bare bones for a property policy or a general liability policy. Cyber does not have that. So if you're comparing one cyber policy to another, they are truly custom forms, or policy wording products. So it makes comparison difficult, and it makes business owners rightfully skeptical. And they're like, what the heck is even covered in this policy?


Connor Swalm
Brian, I had a question on that real quick. We had mentioned in our last podcast that the industry, rather, is now collecting data that is used to write more accurate policies. So how does a standard form, I'll use the overused colloquialism, one size fits all, how does that fit into, everyone has their own data, their own environment, their own risk?

Brian Mahon
It's hard to say. In our industry, you have to know both the IT terminology and the insurance industry terminology. So that can be difficult as far as data goes. I mean, some carriers are kind of veterans in the cyber space, where they have much better claims historical data. And there are new kind of insurtech carriers who are using more predictive analytics and looking forward, looking for that one-in-100 cyber incident or data breach, the big flood, so to speak. They're all doing it a little bit differently, but some are just pulling out of entire industries, saying, we're not going to write small K through 12 schools, they're too risky; we're not going to write manufacturers, they're too risky. Some are altering their product. Right. Going back to that standard form, there is none. So if they want to carve back their policy language and their coverage, they can do that. There's no one saying, to be a cyber policy, you must have XYZ. And then others...

Connor Swalm
Yeah. 

Brian Mahon
Getting smart with underwriting, using the claims data of the last 20 years, predicting forward, using risk assessment tools like a BitSight or external scans. Some carriers are doing active monitoring, or what they refer to as active monitoring, where if you're a policyholder of a specific carrier, they're going to continue doing those scans throughout the policy term, and they'll actually notify you of a vulnerability, like an open RDP port that's exposed to the Internet, mid-policy term. Not as a way to say, hey, we're going to deny your claim or deny your coverage, but saying, hey, we see something that a hacker could use, a door, so to speak, to open to cause some issues. So we are notifying you as a way to help you.

Connor Swalm
Yeah, that makes a lot of sense. I remember looking at two different policies with a buddy of mine that someone had placed in front of him. One was nine pages long. And I'm going to bastardize this horribly, but it was like, basically, does your front door lock, and is there a human that opens it in the morning?

All right, great. Here's your cyber insurance. I'm like, wait, what does this have to do with the servers and the infrastructure and the hardware that's at the actual device, at the actual place? And then the second policy was, to give you an example: Do you deploy MFA? All right, what's the tool you use? How often do you refresh your policy around this? Do users get onboarded, and do they have to do this? Is every single account enabled with MFA? Now it's getting to what you and I know. It's like, oh, well, that creates additional risk if they don't do that.

 

Brian Mahon
Totally. Yeah. And you can tell that some carriers are probably going to get hammered because they're not asking anything. And other ones, maybe they're asking you so many questions, they don't even want your business because they're not very aggressive, or they're paranoid of claims, or whatever. So there's definitely a few different, I'll say, we say risk appetite in our industry. So if you're risk averse, the carrier is asking a million questions. They're not going to give the best premiums.

If they're risk tolerant, then, hey, here's a policy, no questions asked. We'll put it on the books.



Connor Swalm
Do you see a lot of that still happening?


Brian Mahon
Not a lot, no. And it's very risk- or business-specific. Like, nobody's going to get an online quote for a $100 million school district. Right. But your $2 million revenue doctor's offices, a lot of them have cyber insurance policies, or they should at least, where there aren't really any questions being asked. So we'll continue to adapt and evolve, and those carriers that aren't doing proper risk management will probably change the way they do business in a couple of years.

Connor Swalm
Or they'll go out of business. Gone are the days of the 108% loss ratios on cyber insurance lines. Yeah.

Brian Mahon
And we've seen that, to your point, where some of these carriers, oh, this new sexy carrier that starts maybe with the letter C, goes out and underprices everything and writes all this business, and then the claims come in, and then all of a sudden, they can't write new business. And a lot of times they'll sell the carrier in hopes that somebody else can turn it around. So we see a lot of kind of mergers and acquisitions in our industry, both at a carrier or book of business level and then also down to the agency or kind of distributor level. 

Connor Swalm
That makes a lot of sense. Now, I work a lot in the MSP industry. It's what we serve at Phin, and you work in cyber insurance. And specifically, you have knowledge of the MSP industry, helping them understand cyber insurance, helping them write policies for their clients, or getting them involved in any way. So what would you see as the primary gap between the MSP industry as it stands and cyber insurance?


Brian Mahon
Yeah, I think I read, I don't know, a poll on LinkedIn or somewhere. I wish I'd taken a screenshot, because it disappeared into the Internet abyss. But essentially, MSPs are treating cyber insurance one of four ways. I call it kind of a professionalism scale. So on one end, you've got MSPs that are mandating all of their customers have cyber liability insurance. Then, kind of a step below that, you have MSPs strongly recommending cyber liability. From there, you have them not really strongly recommending, but saying, oh, yeah, it's a good idea, go for it. And they kind of stay out of the conversation. And then, hopefully most MSPs are done doing this, but completely avoiding the conversation altogether. Laissez-faire. I don't tell my clients how to run their business, none of my business. Leave it up to them and their insurance agent. And I think the first two camps have it right for a number of reasons.

I mean, MSPs are looked at as, hopefully, a trusted IT advisor, and being able to recommend adjacent professional service providers just helps them instill that professional advisor status. Like, for me, an independent insurance agent, we've been recommending reputable, industry-specific CPAs, lawyers, HR consultants, bankers for decades, because we have to differentiate ourselves and compete and be that trusted risk advisor. The same is true for MSPs. On the other hand, it just makes financial sense for MSPs to recommend cyber insurance, because your client has to pay that monthly recurring revenue IT bill. If they're insured properly and they have an issue, their business interruption is covered by a cyber policy. So, not to mention, it creates opportunities for MSPs. Right.

So either the small business can't qualify for cyber insurance, or they want preferred treatment from underwriting by being a good risk, you know, lower premiums, lower deductibles, higher limits. So they invest in IT controls, typically through an MSP. And then, to kind of wrap this all together and put a bow on it, Connor, these carriers are starting to monitor these policies. So maybe an MSP implements some controls, and now their client can get insured, they can get better coverage. Then halfway through that policy, you get that notification of, oh, the cyber insurance carrier says we have this open port, or we have some sort of issue, and all of a sudden the MSP made a couple hundred more dollars of recurring revenue with no salesperson, no attempt, no initiative, no marketing budget. It just is kind of a self-fulfilling prophecy a little bit there.

Connor Swalm
So you're telling me that cyber insurance carriers, the people who are creating these policies, have a way, or in some cases, to monitor the stack of tools that an MSP's client is using, and maybe how it's configured in certain ways, and they'll help you point out vulnerabilities in your client and say, hey, your client needs to change this. This is a risk. And I think you gave the example last time of, there's an open RDP port exposed to the Internet. Hey, go shut that off. You're saying that's happening right now. Is that common with a good cyber carrier?

Brian Mahon
Good policy? 

Connor Swalm
Yes. 

Brian Mahon
That happens regularly, or... Yeah, they can see things on kind of their email, their DNS server, their website. So the cyber insurance carrier isn't inside your IT network, but they're scanning externally, and they can get a little bit of data there to help point out vulnerabilities. And they don't say, call this guy to fix it.

Connor Swalm
They say, hey, here it is, fix it. 

Brian Mahon
They leave it up to the policyholder, the business owner, and nine out of ten times they already have an MSP to forward that email to and say, hey, should I fix this? And how much is it going to cost?

 

Connor Swalm
Well, that gives me two thoughts. The first is, wow, that is a big opportunity for the MSP, the trusted IT advisor, because now you're having a third party who, if your business goes under as a result of an attack, is there to help you with that. And so that's an opportunity for the MSP to not only be a more trusted advisor, but they don't even have to do the selling. And the second is, I would love to have you back on the podcast. And I want to talk about the future of security awareness.

Where is this monitoring going? Is everything going to be Big Brother? Is the government going to get involved? I don't know. I'm sure you and I could, I don't know, over a beer, come up with the weirdest and wildest future scenarios. But I'd love to know what you actually think is going to happen.

 

Brian Mahon
Let's do it.



Connor Swalm
Awesome. Everyone, thank you so much for listening. It was your host Connor, CEO of Phin, and Brian Mahon of EHD Insurance, and I'll have him back on at some point and we will talk about the future of cyber insurance. Thanks again, everybody, for listening. See you soon.



Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, and how to launch them in ways that actually engage employees to change their habits, then check us out: Phin Security at phinsec.io. That's P-H-I-N-S-E-C dot I-O. Or click all of the wonderful links in our show notes. Thanks for phishing with me today, and we'll see you next time.