Financial R&R: Cyber Risk in 2020 & Beyond

Intro (00:01):
Welcome to Financial R&R a show dedicated to financial insurance and risk management solutions and trends shaping the market today. Here are your hosts, Ron Borys and Ryan Farnsworth.

Ron Borys (00:13):
Welcome everyone to the latest series of podcasts coming from the financial institutions and professional liability team at Alliant I'm Ron Borys. And with me today is a series of folks, subject matter experts. Bobby Horn, John Loftus, David Finz, Ryan Farnsworth and Steve Chappelle, as we are looking to wrap up the year 2020, and start to think about 2021, the focus continues to be on the market and the various sort of nuances and challenges that the market is going to present. Today we want to talk a little bit about cyber liability. We're obviously hearing that going into the new year cyber can be a particular area of concern, tremendous activity going on in 2020. David, you've been with us for two weeks now, and in two weeks, we've already figured a way to get you involved with a large high-profile client in a ransomware event. So, it's good to see that you're already sort of up and running, getting actively involved in solving problems for clients, but Bobby, maybe we can start with you, looking at sort of 2020, starting to answer the questions about price, about coverage, about markets, what are your thoughts? How are you advising clients relative to cyber budgets and sort of what to expect?

Bobby Horn (01:30):
We're trying to get ahead of it. Obviously, the last six months have kind of turned the cyber market has kind of turned on its head of it, where we're seeing underwriters not only cutting limits, but increasing retentions and rates. So, really trying to get out ahead of that with our clients, letting them know what we're seeing in the marketplace, what they can expect going forward, not only from a pricing and retention and limit standpoint but also from an underwriting perspective and what the carriers are looking for as they really focus on certain controls that seem to be the cause of a lot of these ransomware attacks, along with the renewal applications or even new business applications. We’re including separate ransomware applications that are attached to the applications. Because again, they're really focusing on certain controls that if they aren't in place, higher likely that they're going to be hit with a ransomware attack. So, really just want to make sure that we're getting in front of it, making sure they know what's on the horizon and putting them in the best position with the markets when we present their renewal.

Ron Borys (02:32):
Well, thanks for that, Bobby. I think, certainly that process is going to continue to be complex and underwriters are going to want information relative to various exposures that they're trying to get their arms around. I mean, David, in your first two weeks here, you're already involved in the complex with cyber claim. Steve has already kind of gotten a flavor for kind of some of the things that we're sort of working with relative to the cyber claims world. Is there real concern or is this something that underwriters are just using as a way, to try to drive the market?

David Finz (03:06):
Well, it is a significant concern. I think that the question is if you are a company seeking cyber insurance, can you differentiate yourself from your peers, such that the underwriters, understand that you have taken appropriate measures and there are specific things that you can do to not only shore up your security, but also present yourself as a good risk, and time doesn't permit us to go through all of those here, but some examples of things that companies should be doing are running IT security scans, training their employees around how to spot phishing emails that could be used to compromise the system, de-credentialing former employees and limiting admin controls. So, these are things that can be done by companies, so that they're minimizing the likelihood that they will experience an attack. And then in the event that they do have a ransomware event, there are specific things that they should be doing to interact with their carrier and with the service providers that will be attending to the response to that incident in order to make sure that they maximize their recovery from their policy.

Ron Borys (04:19):
Yeah, listen I think differentiation is an important sort of term. And we hear that a lot, even as of this week, we were having conversations. So, some clients who are hearing some things out in the marketplace about what to expect for next year and listen, John, since you've been here, you've got an opportunity to work with a lot of large existing and new clients. And I think you've have certainly experienced, firsthand being actually able to differentiate clients for those who kind of look at it and say, is that just someone something somebody's saying to me, or is that really possible? Maybe you can talk a little bit about to David's point, how on the brokerage side, you and Bobby and Ryan and other folks are, are out there differentiating clients and really sort of showing their risk profile versus other concerns and considerations amongst the underwriters.

John Loftus (05:07):
Sure. Yeah. And, to your point, Ron, I think as challenging as the market may be this is an outstanding opportunity for us to demonstrate the value and partnership that a broker can bring to the table for our clients. So we're embracing it. And I think it starts with the communication, as Bobby said with our client, giving them appropriate and consistent updates on the market where things are trending. So, we don’t our risk manager, one of our clients would never be in a position where they underestimate the pricing or market dynamics, where they had issues with their budgeting. But beyond that we are acutely aware of the risk where carriers are getting hit with the claims and what we need to do to diffuse those concerns and better position our clients. So, how do we do that?

I think what we pride ourselves on is that partnership and collaboration, not only with the risk management, but, the chief information security officers, the information security teams that our clients we're really focused on, what may differentiate us is our knowledge of not only where carriers are getting hit with claims are just our knowledge of information security, and to be able to have those constructive, informative conversations and develop that partnership and trust with chief information security officers. So, we can go directly to these experts and really get some more detailed and insightful information than what a carrier's accustomed to just receiving on a ransomware supplemental application or just a generic application, and really crafting an addendum that really does objectively demonstrate the maturity of one of our clients' information security programs. And it's that partnership with the marketplace and the relationships we have with the key underwriters at the cyber insurance companies will really make a difference this year.

Because when we're asking these underwriters in a challenging market to make some exceptions to price something differently than what they're rating model or what their management is expecting, they need to be able to explain, why they did that or what the underwriting justification was to make that exception for Alliant. And we enable these underwriters to really document their files with objective information that shows, okay, here's why we quoted this client so differently for Alliant. Here's why we agreed to these coverage advancements that were not really, we're not given the authority to, or we're supposed to be pushing for more rate. Here's why we made that decision to their management and where they feel comfortable agree to the concessions or the aggressive pricing or whatever it may be that we're trying to drive for our client. And I think that's all goes into what is really going to differentiate us in the coming year and our approach. That's going to help our clients.

Ryan Farnsworth (08:14):
That's really helpful, I think for a lot of clients to understand how to attack this market, right. It seems as though every insurance company, whether it is a cyber specialist or a D&O insurer or any other type of property and casualty insurer is trying to develop their plan for how they're going to write either a profitable business or achieve more rate in this marketplace. So, having a prepared plan as John and Bobby talked about is tremendous. I know I always learn a lot when we talk about these types of cyber issues and having that ready to take to the market is important. And on the flip side, right, no one wants to be caught shorthanded when they actually have a claim or an incident or a cyber event. So, maybe pivoting to David and Steve, what can insureds and clients do now to sure differentiate themselves from the underwriters and from their other peers that the submissions that they're seeing, but what can they do to ready themselves for an event itself?

Steve Shappell (09:16):
Yeah, I'll start first, because I want to highlight comments from Bobby, John and David on kind of the pre-claim and post-claim collaboration that they were highlighting in the relationship building with the client and stakeholders within firms and then stakeholders at carriers. I mean, those relationships make a difference again, pre-claim and certainly post claim when we have that level of collaboration that John and Bobby and David have been talking about, I'll let David elaborate a little more on that.

David Finz (09:51):
Thanks, Steve. There's a multitude of things that company should be doing to prepare themselves to thwart an attack, and also to shore up relationships with vendors that can help them respond to an incident. If there is one takeaway that I'll leave for our listeners today, it's to back up your data, it is so important to have multiple backups. In fact, at least one of them should actually be offline, off the network so that it is segmented, and it is not vulnerable to an attack. But apart from that, once an incident has been discovered at that point, it's important to engage the vendors who can assist you. Each of the insurers with whom we place business are going to have preferred consultants, threat consultants that they work with. Some are rigid in terms of requiring that you use their panels.

Some are more flexible, but having that conversation with your underwriters and claims adjusters in advance makes the conversation that much easier when the event occurs. And you're going to want to engage them, put the carrier on notice and make sure that any expenditures that you are undertaking are incurred with the consent of your insurer in emergency situations that can sometimes be difficult to orchestrate, which is one of the reasons that you want to make sure that the vendors that you engage are pre-approved and these vendors can assist not only with assessing the threat and trying to identify the modus operandi, if you will, of the threat actor, but also determining whether or not there's a description key available such that maybe you don't need to pay the ransom because in fact, the FBI or some other law enforcement agency is familiar with this threat actor and you can terminate the threat without having to capitulate to their demands. There's a lot of variables involved here. And the time to have those discussions with your insurers is before an incident takes place, not when you're in the throws of having to respond.

Bobby Horn (11:54):
I've been on both, sides of those types of claims, where we we've negotiated the vendors prior to any kind of incident, whether it's ransomware or other. So, we had those steps in place so that when an attack did occur, everything was lined up accordingly. And there were no issues with the carriers on the flip side, we've seen it more, our clients have come to us after the fact and have wanted to, oh, well we work with this firm. We want to use them for this event. And the carriers said, well, look, you can't ask for us at the time of the event, this needs to be negotiated prior. So, we need to a good job of making sure our clients are aware of these provisions and the policy to make sure that, Hey, if there's anyone you're working with currently, we need to get them approved beforehand. So, that's really important on the brokerage side to make sure that those conversations are had before the policy is even put into place.

Ron Borys (12:41):
Yeah, thanks for that, Bobby. I was going to say one of the first things that we do with a client that we pick up new or buying cyber for the first time is making sure that their incident response plan is aligned with the various sort of requirements under the policy. The reality of it is, if you find yourself in a breach or a ransomware event the first call that you're going to make is not going to be to us. It's not going to be to your insurance carrier. It’s going to be to that breach coach or that party that you have confidence in. Who's going to help you navigate that situation. I mean, as we all know, these events happen, they're very time sensitive and responding in a quick and orderly manner is, is extremely important.

That is not the time to figure out who the right vendor is or who the right breach coach is or who the right forensics firm is. It's really important that those decisions are being made well in advance and from just a pure governance perspective and I know Ryan has seen this and certainly Steve, you've seen this as well. I mean, cyber response of this cyber preparedness incident response is becoming part of the governance process. There's not a single board or senior executive at any major public or privately traded company who is not focusing on this intently at every board meeting each quarter.

Ryan Farnsworth (14:05):
No, that's right and Steve, I want to get your thoughts on this as well, but every public company has that as a risk factor. Now, every fund board meeting has a cybersecurity committee that walks through these types of issues. It doesn't matter what type of company that's the world that we live in today and addressing these types of issues is critical because it now falls within the fiduciary duty of a director and officer and ensuring that those conversations take place has now also filtered into our conversations around the renewals of directors and officers liability insurance. So, the presence of this type of risk is something that we'll continue to see for years to come.

Steve Shappell (14:45):
Yeah, I completely agree, Ryan. It's become big issue. And even the SEC has weighed in on this issue numerous times that cybersecurity and the disclosure and reporting on cyber exposures is a critically important disclosure, which obviously gets a lot of attention to the board because they take those responsibilities very seriously

David Finz (15:09):
That actually touches on something else that I wanted to say, which is that a ransomware attack presents a risk on a number of levels, right? It's an operational risk. It obviously has a financial component, but it also presents reputational risk to a company in terms of how it safeguards the privacy of information with which it's been entrusted by customers, by employees, by donors, by vendors, but also reputationally how it responds to an incident. Investors are looking at that. What kind of security did you have in place? Did you make any material misrepresentations or omissions in your public filings with respect to what measures that you had in place? And also companies have an obligation now to exercise due diligence, to make sure that they don't make payments to a sanctioned entity. The US Department of Treasury has weighed in on that as well. And it's incumbent upon insurers and policy holders to have safeguards in place to address that. And again, that's something that threat consultants can help with. So again, it's a multifaceted risk that companies have to contend with, but this is where as a service provider, we as a firm can assist our clients in lending them our experience, our knowledge about how to handle these incidents and also to put them him in touch with the right professionals to be able to respond.

Ryan Farnsworth (16:39):
David, I think that's a perfect way to wrap up this conversation. We and all of our clients are thrilled to have you as resources together with us as we go into the year 2021. Many of us would not have expected that cyber risk would've taken on a new, a new life of its own, essentially during 2020. And we look forward to tackling this risk and many other issues together as our clients seek to find a more rewarding way to manage risk into 2021. We look forward to having you join us on our next podcast for the Alliant financial institutions group. And in the meantime, please check out our website at www.Alliant.com. Thanks everyone.