Skip to content

Why Is Cyber Insurance So Hard?

 

Transcript:

Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Conor Swam, CEO of Phin Security, and welcome to Gone Phishing. 

Connor Swalm:

Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, CEO at Phin Security, and today I am joined by the wonderful Will Brooks, not only a friend of mine, but an evangelist in many, many senses of that word. Will, how are you doing today? 

Will Brooks:

I am doing great. 

Connor Swalm:

So, Will, you work at FifthWall  Solutions? Can you explain to everyone listening what that is? 

Will Brooks:

Yeah, super fast. FifthWall  Solutions is a wholesaler, and a wholesaler in the cyber insurance space. Effectively, what that means is there's these insurance companies that say, I don't want hundreds of thousands of agents coming to me every day looking for quotes, so I'm going to work through one business. And in that case, we kind of the mouthpiece for a lot of agents, and we have a whole MSP channel now where we partner with MSP to help simplify cyber insurance. 

Connor Swalm:

Awesome. For those of you who have been paying attention or listening to previous episodes, you may be wondering, didn't we have somebody else from FifthWall  Cyber Insurance on our podcast? 

The answer is yes! We had the wonderful Wes Spencer on our podcast who's worked with Will a bit and actually, depending upon when this releases, we will have done a webinar or will be doing a webinar with Reed, who also works at FifthWall.

Will Brooks:

Yeah, FifthWall is everywhere. It's great!

Connor Swalm:

Yeah, if you're looking for cyber insurance, you can't get away from them. 

Will Brooks:

It's a wall. We can't move at all, but somehow we're everywhere. 

Connor Swalm:

Somehow you're everywhere. You're breaking the fourth wall now, and that's why you're FifthWall. 

Will Brooks:

Look at that. 

Connor Swalm:

So, cyber insurance, why is it so difficult? Why is it so hard to understand? Why is it catching people by surprise? I could ask 100 questions here, just from the partners that I've talked to and their experience with it so far, but what are your thoughts on this? 

Will Brooks:

Well, I think it's difficult because back when cyber insurance was kind of new on the scene, carriers had no underwriting details because, in the insurance space, it's still kind of a baby. So carriers are still kind of figuring it out and so you had all these carriers who started giving out cyber insurance like candy, and they were saying, “Hey, you can get a policy, all you have to do is show us that your business has a pulse. So give us revenue numbers, give us a website, and you're good, we'll give you a policy.” Right? 

And then the pandemic happened. Everyone went remote, and all these carriers lost a ton of money. So they kind of, like, rebounded in the opposite direction real hard. So instead of saying, “Hey, let's slowly start implementing a little more strict security on here,” they're like, “We're just gonna throw a ton of security controls on these applications. We're gonna require more and more every year. We want to find out everything we can about security.”

So even though the policies themselves haven't really changed all that much, the point of entry to get one is why things are so challenging, because carriers don't want to take on bad risks, and they're still building out all their tables on what is a good risk. 

Connor Swalm:

Got it. What do you think was the reason that the underwriters of these policies were losing so much money when they would write cyber insurance policies early on in the pandemic? 

Will Brooks:

There were no security recommendations, so literally anyone could get a policy, and they did not have to have even the most basic of security control. Carriers did not care about that. Their thought process was, if you have internet exposure, then you should have a cyber policy so that we're just going to start selling cyberpunk. So carriers lost a ton of money because all these companies went remote during the pandemic and none of them had security. So they basically were opening themselves up for some serious attacks. And then you think of, like, no one really knew what to look for. No one knew exactly what a phishing attack looked like or what we know when people get emails with these gift card scams and all this kind of stuff, no one knew what to look for.

So you had that, the ignorance on that side, you had no security like EDR or MFA controls even in place, because people found it annoying and they're like, “I'm not going to do all that,” so, all these companies that were lacking security quickly got hit by all the new ransomware actors on the scene, and carriers had to pay out because their contracts didn't say otherwise. 

Connor Swalm:

Yeah, someone we just had on the podcast, honestly, now that I think about it, I might have been the one that said it to them. Just with, I get a ton of questions from partners about cyber insurance, and my answer is always the same, “I have no idea. Just answer the questions and tell the truth this is my advice here.”

Their statement was, that it used to be if you had, like you said, if the business had a pulse. I made the statement if you had a pulse. So if you could say, “Yeah, you know, my Apple Watch is saying my heart rate is roughly 50 beats a minute right now.” It'd be like, “Congratulations”, slap the policy down in front of you, like, “Here's your policy.” And now it's like a 37-page questionnaire. 

The biggest difference that I've seen from looking at old policies, I did this with Wes privately a bunch, old policies' and current policies was, “Hey, now that you have MFA, tell us how you're actually using it. How often do you require people to enable MFA? Do they have to enable it on all accounts? Give us the list of accounts that you've circumvented this for and tell us the reasons as to why.” 

And it's actually what I would say the end goal of insurance is that you pay an amount commensurate with the risk that the underwriter is taking by being willing to pay out if you end up, like, for car insurance, getting in a car accident. With cyber insurance, it's like, well, if the only thing they are measuring is, do you have a business that is in business and a heart rate, well, that doesn't tell me anything about the risk, that business-related risk. So that's what I see as changing. 

Will Brooks:

Yeah, there was no active understanding of what the risk security posture was, but to be fair, carriers didn't even really understand it at the time they were writing these policies for protecting someone's network, but they didn't understand what goes into what is considered to be a secure network versus not. Like, when you look at auto applications today, it asks all these questions about, “Do you have daytime running lights? Do you have airbags that work? “Do you have an alarm system? “Like, all that kind of stuff and cars haven't really changed that much. 

And I guess the other challenge with security is that it's so rapidly evolving. So it's just you have new threats pretty much regularly, and then you have new security measures or updates in your security measures to meet those threats. So you run back and forth, and carriers can't really keep up because they're basing their eligibility requirements and what makes for a good risk versus a bad risk off of, like, two-year-old data. It's hard for them to generate everything that they need in order to stay completely up to date on the risk. 

Something I always like when I'm talking to partners about cyber insurance, is they'll often ask, like, “Hey, what's the, what are ways to save my clients money on their insurance? And how can I, you know, how can my clients get a better rate?”And yes, having better security controls can help with that, but usually, because that opens up the door to more carrier access.

 Usually, you're only going to be eligible for a cyber insurance policy if you have the right security in place. And so when we're having conversations I always like to point out that if your client is being told that their security is not good enough for an insurance carrier, they probably have pretty bad security because carriers are already two years behind. So that's like, that opens up a big conversation. 

Connor Swalm:

You bring up a really good point too, which is that if underwriters are two years behind in understanding what risks and what vulnerabilities of business today is actually facing, or like, willingly retaining. We were talking about something before the call happened, which was, well, this new chromium, as of today, it's September 28 for those of you who are listening. 

The chromium-related, I don't want to say bug, but exploit just upgraded and CVE report was just upgraded to a level ten. And it's like, well, there's probably millions of businesses around the world that are vulnerable to that exploit now, unknowingly. And then most of them probably have some form of cyber insurance. How in the world can a cyber insurance underwriter account for anything like that today? Because of how fast technology iterates and increases. 

Will Brooks:

Yep, it's crazy. They can’t, and that's, I think the biggest challenge is they're going to, and I mean, insurance always has been the game of risk, right? So they're literally taking on these risks knowing. I mean, that's the interesting thing about cyber. There's so much speculation from people. You hear all the time, cyber is not sustainable. But then you have people on the other side who say, cyber is going to be bigger than property one day.

So it's all over the place, but these carriers are taking on risks and they're saying, “All right, we're willing to take on x amount of risks, at x amount of dollars, and they have their whole tables built out.” We like to say it's organized gambling, it really is. So it's legal, organized gambling. 

Connor Swalm:

Gambling is legal also and organized like actual gambling. 

Will Brooks:

Yeah, I guess it's organized. I was thinking like mobster level but, yeah, you're right.

Connor Swalm:

I was thinking like back office poker room kind of gambling. 

Will Brooks:

Yeah, like you got to go through a hedge maze to get to the poker game. 

Connor Swalm:

They do the little slot where you can only see their eyes. Like, who do you know here? 

Will Brooks:

Honestly, I don't really like gambling, but I would totally do the hedge maze part. 

Connor Swalm:

Yeah you know, I'm already paying to go to corn mazes in the fall with my wife anyway, so it's like, what's a hedge maze? 

Will Brooks:

Yeah, that'd be great. 

Connor Swalm:

So one thing that's clear to me from not only my conversations with you, but conversations with MSPs, conversations with MSPs clients, is there's a whole bunch of buckets here and let me outline them. There's the underwriter, there's wherever FifthWall sits, there's the MSP partner, there's the client. All of that at every single level there needs to be different information that gets talked about. There needs to be different questions that get asked about what's the right thing to do for the person who ends up getting insured. How should we make it easy? How is FifthWall making it easier? How should it be made easy on the consumer to get cyber insurance? 

Will Brooks:

A great question. So we partnered with MSPs for that reason. We saw pretty quickly when the carriers started to get strict on security controls, we would have to develop a channel where we said let's work with the security providers, and then partner alongside of them to effectively help make their clients a good risk before we even approach the carrier market. Because where the real issues are right now are with the application process, and when an application gets submitted, and then the carrier has questions or concerns. So it becomes this game of ping-pong back and forth between the carrier, the agent, client, the MSP, all these people, and they're involved in this four-way ping-pong game, which doesn't even really make sense. I don't even know what that table would look like. 

Connor Swalm:

Pickleball, maybe. 

Will Brooks:

Pickleball, there we go. But it gets very complex. And so if we can come in and make the client a good risk before we even approach the market, it saves a lot of time. And what we've kind of done is work alongside MSPs to say, hey, tell us all about your client security posture. We can put together reviews. We can do these things so that we can make sure that the client understands what they need to implement and fix before carriers will consider.

And then on the other side of that, the only thing the client ever sees is we've kind of created a process where the client still feels like it's 2016 and the only information they have to provide is the pulse stuff. And so it really simplifies the process for the client. We still have the cybersecurity control conversation, but they don't. The other risk that gets run is a lot of times a client might. Fill out this application not knowing what any of these controls mean, and then they misrepresent their security posture, and that leads to claim denial and all those issues, too. So if we can remove as much potential for that, it simplifies. 

Connor Swalm:

So a conversational topic I have with MSPs all the time is their jobs as the trusted advisor. When it comes to cyber insurance, are MSPs only the trusted advisor? Do they have a certain less amount of duties as a result of, I don't know, what regulations around cyber insurance or insurance in general, or do they have more responsibilities? What's MSP's responsibility here? 

Will Brooks:

That's a really good question. I like to tell MSPs that, look, whether you like it or not, cybersecurity or cyber insurance is becoming part of the overall cybersecurity strategy for your clients like it needs to be. You don't really have a choice in this because it funds all the incident response. That said, they're not licensed, so there's only so far they can go in talking about insurance in the first place. So we want to make sure that they are given that high-level conversational topics, to be able to say, “Hey here's why we recommend it, here's why it's so important, but we're not going to go into the specifics on limits and how much you should be carrying and costs and all that kind of stuff.

That's why we work with FifthWall. They can come in and tell you all that stuff.” The MSB is not going to pour over their policy and tell them if it's good or not, or rather they shouldn't. So it's that kind of piece where the partnership is very tight-knit, but we like to look at it as” let's stay in our lanes here, we'll focus on the insurance piece, and then we're going to toss it over to you when it's time to talk about the controls that need to be implemented.”

Connor Swalm:

When should an MSP get someone like FifthWall involved in the insurance conversation? And before you say “Before the conversation starts the MSP should have us involved,” usually how I see MSPs or cyber insurance is so new that it's usually a responsive topic. It's not something that I see most people trying to get an understanding of before they need to be a part of a policy or a test that they're doing things. When should MSP get somebody else involved who is licensed? 

Will Brooks:

Yeah, there's two approaches. A lot of MSPs are reactive when it comes to this. A client brings an application and they're like, oh, I gotta get someone involved because I don't wanna deal with this. What FifthWall does that's unique is we help train MSPs on a proactive approach so it's not even a, “Oh, when should I get FifthWall involved conversation?” It's an “I recognize cyber insurance is really annoying, and I want someone who can make it easier for me,” so they reach out to us, and then what we like to do is help them create a pattern. Kind of like the whole QBR conversation thing, but almost create like, an annual cyber insurance review. 

Let's have that conversation. Let's get it on the calendar, let's know what your client's renewal dates are, know what your client's limits are, and then get that security cyber insurance person-minded person involved in the conversation so that everything can kind of be made sense. 

Connor Swalm:

Yeah, I think you're absolutely right, at least from the trends that I've been seeing in my conversations with partners, is that cyber insurance is now being pushed down to smaller and smaller organizations, largely because of what you had mentioned earlier, which was, incident response is not only painful but also incredibly expensive. And if you don't have a policy in place, that is going to help you verify. Okay, did we have a breach? What got accessed? What got exfiltrated? What got stolen? Is there something on our systems today? There are a million questions that are going to get asked, and you're going to pay for every single question if you don't have a policy in place to take care of it. 

So I even see some of our partners getting their two or three-person clients with CPA shops or small businesses now getting some form of cyber insurance, which is, you know, if you were to say that three years ago, you'd be like, what the heck is that MSP trying to do? Like, no you don't need that. 

Will Brooks:

I don't even know how to use my computer, why do I need insurance? 

Connor Swalm:

Yeah, they're still trying to get Windows 2012 servers and Windows Seven running on devices. 

Will Brooks:

Windows Millennium Edition

Connor Swalm:

Vista MS Docs. Let's go back to MS Docs. What would you recommend to folks who are listening to this and feeling overwhelmed? Where should they start? Where's a place for them to begin trying to understand or take the first step on their cybersecurity insurance? 

Will Brooks:

Yeah, I mean, definitely. I mean, as much as I love to plug FifthWall, which I do all the time, because I work there, but there's also the reality of you're going to go the traditional agent route, you need to make sure you're working with an agent who really dedicates their time to cyber insurance. It's so rapidly changing. Most agents do not have the time to focus on it because they have eight other lines of business. So I've seen the agents that are the agencies, the brokerages that are really successful have an agent whose kind of sole focus is that cyber insurance. So you got to find someone who really gets it. That's why FifthWall only does cyber insurance. We recognize how complex it is. We want to keep up to date on all the trends, all the changes. That's why we focus solely on that. And if you're going to go the traditional broker route, you need to find someone who knows what they are doing.

Connor Swalm:

Where would you like people to reach out and look for not only you, but also FifthWall? 

Will Brooks:

Yeah, If you go to FifthWallSolutions.com, depending on who you are, MSP, agent, end client, there's, you know, ways to route to where you need to go. And then also https://www.linkedin.com/in/wi1bo/ with a one as the L because Wilbo Baggins is my handle.

But just Wilbo one is the l, the l is a one. Don't forget that part. But, yeah, that's. That's where you can go. I drop a lot of content like this all the time, sharing information, updates on the cyber insurance world and how it how it morphs into cybersecurity. 

Connor Swalm:

For those of you who are listening and are as equally confused as I am as to still somehow find Will Brooks on LinkedIn, we will have the link to Will's LinkedIn in the show notes, and we'll have a link to FifthWall as well so that you can find all of them. Will, it was wonderful having you on. 

We do security awareness. Cyber insurance includes security awareness. Would you mind coming back on another episode to talk about where those two Intersect, if at all? 

Will Brooks:

Yeah, that’d be a blast. Let's do it. 

Connor Swalm:

Awesome, We'll have Wilbo Baggins back on the podcast, an evangelist in many senses of the word for you all to listen to and try to understand a little bit more about cyber insurance. Thanks for coming on today, Will. 

Will Brooks:

Yeah, thank you.

Connor Swalm:

Everyone, thanks for listening to me and Will talk about what is sometimes the most boring subject known to man. Maybe math takes that, but cyber insurance is definitely trying to edge it out at this point. 

Will Brooks:

I was also a math major, so there you go. 

Connor Swalm:

You were?

Will Brooks:

Yeah, I'm sorry, we're still on the podcast. We're wrapping up, but yes, we can talk about the next one. 

Connor Swalm:

We'll talk about that. So, everyone, we'll talk about that on the next podcast as well, that we have Will on. And thank you so much for joining us. Thanks for listening. Thanks for watching, and we'll catch you next time. 

Connor Swalm:

Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, and how to launch them in ways that actually engage employees to change their habits, then check us out Phin Security at Phinsec IO. That's P-H-I-N-S-E-C I-O or click all of the wonderful links in our show notes. 

Thanks for phishing with me today, and we'll see you next time!