In The Public Eye: The Public Entity Cyber Landscape

Introduction (00:00):
Welcome to the Alliant In The Public Eye Podcast, a show dedicated to exploring risk management topics and challenges faced by today's public sector leaders. Here are your host, Carleen Patterson and Justin Swarbrick.

Carleen Patterson (00:19):
Welcome back everyone to another episode of In the Public Eye. We have been focusing in the last few episodes on the difficult public entity market for property related issues, but at the same time that we've been experiencing these challenges, the cyber landscape has also changed significantly. So today, Justin and I have invited Susan Leong who leads our public entity cyber team, and David Reese with whom we work in London to discuss the cyber market for public entities, both here and abroad. Susan and David. We are really happy to have you join us, but before we get started, can you each tell us a little bit about your roles at Alliant and Howden?

Susan Leong (01:00):
Thanks, Carleen and Justin, and thanks for having us. I am the cyber line of business practice leader for our public entity practice. And I started actually out in re-insurance over 15 years ago and I moved over to Asia about eight years ago to work specifically on cyber and now being at Alliant, I have been able to luckily marry the re-insurance as well as the public entity and the cyber line of business altogether.

David Reese (01:25):
Thanks, Susan. And hi, Carleen and hi Justin. And so, my name's David Reese, if I had the cyber practice at Howden's Specialty in London. And so, I focused on all things, cyber and tech E&O, across a range of different industries, different sectors, and across any country across the world. I've been doing cyber specifically since 2005. I was at Marsh back in 2005 and left Marsh in 2012 to set up the cyber practice at Perelman Specialty and worked very closely with Alliant and especially with Susan and Justin on various public entity, cyber placements.

Justin Swarbrick (02:02):
Well thank you for joining us today. We've talked a ton about the market this year and just the volatility of it. And it really stems back to 2017 for both property liability and other lines of coverage. But cyber was one of those lines of coverage that really didn't seem to be too effective until now. And, now it seems really to be the most volatile of all lines of coverage. And if you could just talk a little bit about what exactly happened, why it didn't seem to be impacted through the hard market cycle and why it's changed so drastically right now, I think that'd be a great place to start.

Susan Leong (02:44):
I think what's thrown it into the hard market is ransomware losses. That's first and foremost. So, ransomware incidents have been around probably since around 2014 and maybe a little bit earlier. However, they were small, they were maybe five, 10 or 25,000 in demands. However, the hackers have realized that they can really monetize on public entities as well as the private enterprises if they locked down the systems entirely. And once they realize this, they've started demanding much higher amounts into the six-figure, seven figures and now we're seeing eight figures. So, it's just really changed the payout of insurance companies and, what they're paying out in losses. And in addition to that, we are also seeing zero-day events such as solar wind, Microsoft exchange and assailant so that's just accelerating everything that's been going on. And then the past losses that we've seen of kind of that data breach piece hasn't gone away.

Justin Swarbrick (03:51):
And can you just briefly explain what the zero-day losses are? I know that those have become a significant CERN from the marketplace, but can you explain exactly what that means?

Susan Leong (04:02):
Sure, and when we think of just kind of solar ones, as an example, it's where there it's a type of software or application that many organizations use. So, it's implemented across so many industries and there might be for solar winds. It was an update that the hackers were able to implant malware into some of the updates. So once these updates ran at a broad level, they were able to really get their malware into multiple areas. And so, it’s an aggregation concern ultimately for the insurance companies. And it's an ability for hackers to reach large swaps of organizations quickly.

Justin Swarbrick (04:47):
Got it. For public entities specifically over the past several years, it's become really the norm to have cyber liability. And historically it's, it's been something fairly easy to secure in the marketplace. It just seems like that's changing so rapidly. So, for our public entity clients, whether they buy insurance currently or don't buy cyber insurance, what exactly are underwriters looking at from the public entity sector in terms of cyber risk and exposures?

Susan Leong (05:22):
I can speak first and then I'll toss it to David for the London perspective. So specifically on the public entity side, because historically public entities have had lower budgets and their private counterparts, which affects the amount of people that they have hired as well as the software and the hardware in place and other security measures that really just cost money. The insurance companies are looking to see if they are now putting resources into these areas. Are they doing multi-factor authentication? Are they purchasing endpoint detection, software? Are they having individuals behind that software manage it? How are they handling their backups? Do they all do kind of the 3, 2, 1 rule have three copies of it, one copy that's offline and disconnected to the system and then one copy in the cloud and then one working copy. And, just so looking now scrutinizing very closely the controls, the way they scrutinize the controls across all other industries. Yeah.

David Reese (06:34):
I'd agree with that. It's the same from the London market perspective in terms of what insurers are looking for. It's almost as if some of the items that Susan just mentioned, they've gone from being things which maybe, a year ago, two years ago were nice things to have, and maybe viewed as, if you have these things, you put yourself into a better group, so to speak. Whereas now it's almost that these items are must haves, and it is often the case that if financial does not have these, that they may not get a quote or the quote that they do get is worse than it would have been had they implemented some of those controls. So, yeah, I’d also said that the market's quite reactive at the moment. Like it's pretty fluid in terms of what's happening with rates and ensure appetite.

And it seems to react to, we're obviously talking about public entity, but some of the items, I think some of the issues, if you like is that the hackers are targeting particular vulnerabilities. And so, they're picking on those vulnerabilities as opposed to pick it on. I'm going to say they're targeting those industry groups or those insureds, which have those vulnerabilities. And it just so happens that some of those might happen to be public entities, but at the same time they could be manufacturers. They could be in the healthcare sector. So, it's almost as if having those vulnerabilities happens to fall into public entity, but it can equally fall into other industry groups as well.

Carleen Patterson (08:05):
In the past, the cyber marketplace was pretty broad. There was a lot of different carriers writing cyber, and then the number of carriers that would write public entities have that pool of underwriters was much smaller. It sounds to me that it's not just individual carriers anymore, but it really is, or even specific and underwriters, it sounds like it's much more worldwide based. The problem is, and it's much more systemic. Am I right in thinking that?

Susan Leong (08:38):
Yeah, Carleen, absolutely. You're spot on. I mean this, the ransomware incidents, the zero-day events, just, the normal, typical hacking that happens, accessing data in an unauthorized manner. It's all systemic across all industries, globally. So, this is not only a US public entity cyber issue. And it's just been exacerbated. It's been fairly quiet for many years for public entities. And until the hackers realize that, hey, these are entities that control critical infrastructure, such as, water, power, electric police, and fire, 911, schools, that if they take these entities down, there's a better likelihood of payout. And, kind of them understanding that, the budgets have been low historically, so their controls might not be similar to their private counterparts. And then, so it might be a little bit easier to infiltrate these entities. And then just really from, an insurance company standpoint, they're just paying out a lot in claims and every sector, including public entities. So that's part of the reason that we're seeing that it's systemic because a lot of these insurance companies, they're not just domestic here, they have Lloyd's syndicates, they're global, they're in multiple countries, etcetera. And they roll up into one or very few balance sheets and financial statements.

Justin Swarbrick (10:09):
Susan, you had mentioned the ransomware epidemic being a key driver to this market and why it's hardening so fast and the size of those claims. For those of our clients and public entities out there that purchase cyber liability. They know that is one of the coverage parts, that's a trigger on the policy and an insurance company will actually pay a ransom in. In some cases, we created our own worst enemy by having that coverage included on insurance policies and actually paying these ransoms over the years.

Susan Leong (10:45):
I'll take this one first and also ask David for his perspective in London, as well as the Bermuda market that he works with. That definitely has been discussion. And I think just from a human standpoint, yes. If you go to the well, and there's water that you'll probably go back to the well and keep getting water until it's dried up. And I think we're at an inflection point in the industry where, as you said, there's the payout of the extortion payments from the insurance companies. And for the most part up until very, very recently in the last 12 months, they've been full limits if the insurance company approves of it in writing, and now we're starting to see them, sub-limited and also co-insurance as well as excluded in some extreme cases.

David Reese (11:37):
Yeah. And, and to add to that I agree. I think there must be a feeling and a sentiment that having this insurance coverage under a policy does sort of feed the problem to a certain extent. And that's certainly exacerbated by fairly recent events actually involving certain insurance companies that suffered cyber events. And there's been a bit of a panic within the cyber insurance community from the perspective that there's a thought that hackers are actually trying to steal the data within the insurance company to find out exactly who's buying cyber insurance, what extortion limits they have in order to target those entities with the higher limits. And so, there is an argument to say that having that cover as funded the problem, but at the same time, there's also an argument that without that cover being available, the repercussions of the cyber event to particular insurance, in public entity and other areas, the financial impact would have been far, far worse.

David Reese (12:40):
Had they not been able to pay that ransom. So, in terms of the business interruption, the damage to data and the knock-on effects from the event. And so, it's almost that having that insurance did help avoid a worse situation, but I certainly do think that in order to make this problem go away, there needs to be more involvement from governments in terms of trying to focus down on these hackers, these groups, and trying to, put a stop to them and things like freezing Bitcoin wallets and things of that nature, where these funds are stored. So that there's certainly things which people can do to help this problem go away.

Justin Swarbrick (13:16):
Yeah. I remember when we would talk about cyber, it was all about the services. It was having somebody there to call right after you had a breach. And, that was the value of the policy. But in the past two years, we've just seen a flip of that. I mean, the services are still important of course, but we've seen just such massive payouts that it’s no wonder that the market is where it is today. Have you seen any particularly interesting claims or large claims worth noting?

David Reese (13:50):
Yeah, sure. I can take that first if you want Susan, just I've seen a lot, I suppose I'll start by saying and certainly seeing Susan touched on earlier on that the ransoms themselves are substantially bigger these days. It's not abnormal to have ransoms in the tens of millions and certainly seen a few of those. I think one of the worst I’ve probably seen involved a hospital network in the US. It was actually the way in which the hackers got into to the network was problem in the first place. It was actually essentially the CSO clicked on a phishing email, which was successfully blocked by the firewalls and the systems in place to block such phishing emails. However, he managed to click on one on a personal device. But due to the amount of sort of leeway that he had within the network and how people could jump from one part to another, because of his rights, then it ended up pretty bad, and basically spread across the entire hospital network that the ransom demand was large to start off with.

David Reese (14:54):
It was, it was around $30 million. It did get paid, it was negotiated down, but it got to the point where the hospital was in the process of having to move people around into different hospitals in order to get care because they just couldn't function. And so, I think I've seen a lot in terms of large ransomware losses, but when you started to see obviously like an impact on human life it was, it was quite a severe case.

Susan Leong (15:19):
And similar to David we at Alliant have seen quite a bit in public entity, both in frequency and severity. They've increased substantially year over year. The one that comes to mind is actually it's your quintessential hack during a holiday. Everybody was not around; it was a very large school district and it just had thousands of servers affected immediately. And it was a seven-figure ransom demand, and it's still being worked on that they're still making sure that everything is cleaned out of the system and that they can move forward in the way that they were before.

Justin Swarbrick (16:01):
Those are large claims obviously, and probably hit the press that we've all seen in the media, but it's not just the severity piece. It's the frequency too, that we're seeing. And it's the hundred, the $200,000 claims that are probably having a massive effect.

Susan Leong (16:18):
Yeah. And these claims the way they hit, they were used to where they only hit one coverage part in the past, which is typically, that piece where you have to notify individuals and maybe provide some credit monitoring and a call center thereafter. But with these ransomware incidents and why they've exacerbated the hard market is that they hit multiple coverage parts. They hit potentially those three that were just mentioned sometimes business interruption, data recovery if there's any type of negotiation or payout, they hit the cyber extortion piece. And then if there's some sort of class action, it hits the liability piece. And if the government finds out that all the steps under laws and regulations weren't taken, it could hit the governmental fines and penalties piece as well. So, as you can see, it starts adding up very quickly.

Carleen Patterson (17:08):
So, in some of these cases with the claims that you talked about, were there steps that the entities or the clients could have taken to avoid it? Are there some loss control things that they could have done? So, like for instance, with the hospital, were they redundancies? Or is there something that they could have done to avoid that huge claim? Or is it something because they got in with the malware and everything else there wasn't really any kind of an alternative?

David Reese (17:39):
Yeah, certainly. I mean, in that particular case if they'd not clicked on the link, that would have certainly, but I think knowing what happened on that claimant, and then on other claims that we've seen, there are lots of things which can help. And you touched on one just the redundancy. So, backups when this kind of event happens, that's one of the first things that is looked at is the are you going to pay, or you're not going to pay, and if you've got backups and you can back yourself up from those backups to the same sort of point as you were prior to the event, then there's potentially a need not to pay the ransom. So having backups which are separated from the network is certainly a good thing.

Sadly, one thing that we all seen a lot more of, and again, something Susan was just touching on in terms of the various covers, which are impacted. We're seeing a lot more of these ransomware events, not just being, they've knocked down your system and a demanding a ransom, and they've also managed to steal data. And so, they're threatening with a ransom for them to release the keys, to unlock the system, but it kind of takes away one of your cards, because even if you have backups and they happen to have data, which they can release onto the dark web forces you in a way to pay the ransom and because the backups don't necessarily help you there. But there are certainly things that you can do, so backups, segregation of networks, multifactor authentication, phishing training is key as well.

Carleen Patterson (19:05):
Yeah, it really goes back to Justin's point, which is that all of the services that come with the insurance policy are also still critically important. I had a good public entity risk manager friend, and they do all kinds of training and their risk management department. Two of the people managed to click on a link that, really caused critical issues in their claims management systems, their computers for a good long time. And so, even with the best training and the best knowledge clicking on links is a bad thing. So, we try and avoid that. We didn't really talk specifically about the market and what we've been seeing in the insurance market. You all are in front of our clients quite often, and having to share the bad news, how are they responding to this hard market? And what have they been ending up doing when it comes to their renewals of policies?

Susan Leong (20:03):
From the Alliant side, it varies honestly, depending on individuals and their specific situation, it's a spectrum of shock, frustration, amazement to complete acceptance. It's an unfortunate time in the marketplace where the rising costs are forcing many public entities to make really hard decisions on where to deploy their limited budget. Many of them are taking this as a learning opportunity and asking questions, asking for help on how to make the right moves toward strengthening their cybersecurity controls. Most of them have been very understanding and working closely with us to provide as much information on their cyber security controls as possible to give them the best chance in the marketplace. We're also seeing, unfolding before our eyes and a renaissance really, at the IT departments at public entities. For the first time. And I'm starting to CSO positions opened up or they didn't exist before and were filled very quickly.

They're looking now very closely at their legacy systems, historical data held, do they actually need this data or should they, not hold it anymore? Public entities, it's part of why I like being in this part of insurance, that our clients are actually showing quite a bit of resilience and grit in the face of tough times, but it's tough times for sure. I mean, they're making very tough decisions. There is one client that had the discussion of, whether they have cyber or wind coverage, so it's not pretty out there.

Carleen Patterson (21:32):
Wow. So how do you as a broker prepare yourself when you are facing these clients to make sure that we're bringing the best product to them?

Susan Leong (21:40):
David, you want to take this one and I’ll go after.

David Reese (21:43):
Sure. So, I think having information is key and I think obviously preparing an insured and advising them on the marketplace in terms of what's going on in order to educate them and give them realistic expectations about what can happen. I think information is certainly key just because it allows you to obtain the best possible terms that you can. And as I've mentioned earlier, in some cases just obtain terms. And so, it's working with the insurers and, pushing forward the idea of this particular insured, having these items and ticking the right boxes and therefore making them less of a risk and less susceptible to ransomware events and things of that nature. And also working with insurers who are dedicated to this space insurance that are committed and insurers that have the ability and capacity being the operative word in order to carry on writing this business. Even through these tough times.

Susan Leong (22:46):
I think David's more pragmatic than me. I like to say coffee, wine and ice cream are getting me through this. No, really. I think, like any other job, being a broker is just a long-term game and it's really having those relationships and knowledge way before the hard market comes. And just, we've been as a company studying this line of business for years and learning the ins and outs of the policy wording, carrier appetite, studying the claims trends, like how David said having this information on hand accumulating and analyzing this data that we have and really building strong relationships with the marketplace and our clients. So, when we are in a bad storm, we're able to utilize information effectively and have honest conversations of what's going on versus going into these relationships cold. And, so with all that, you just hope that all the preparation through the years will take you until the hard market ends, right?

Justin Swarbrick (24:01):
We’re dealing with two things this year. It seems like one significant rate increases to just a significant increase of data needed to just obtain quotes. What do you anticipate the market looking like in a year from a pricing and coverage perspective, but also from an information-needed perspective so that our clients can start preparing for that?

Susan Leong (24:31):
I think it's going to get worse in the next 12 months before it gets better. We'll continue to see more of the same carriers leaving the public entity space. Just last week we heard another one leaves the cyber public entity space, tightening of terms and increase in pricing, perhaps even more drastic coverage reduction strategies. If the current ones that they are trying to implement do not work in China, stabilize their losses. They're going to continue to test to see what helps them stabilize their losses in the insurance carrier space. And our public entity risk managers need to have a plan and communicating closely with the IT departments. So not only a plan to obtain the information needed but also a plan if an incident should happen. Not just having that plan in writing, but actually testing it out to making sure that okay, where everybody is supposed to be when this happens, you know exactly what you're going to do and nobody freaks out or there's not a specific kink in the system.

Susan Leong (25:36):
And if there is, it's fine, you work it out on that kind of practice piece. And then really just, more education on best practices and communicating all this that they're doing back to the insurance companies, because that's what. If you're filling out an application and the question just says, you have this, yes or no, and you're working on it and you're going to complete it in the next two months, like grab a Word document and put that information in. Or if half your applications have multi-factor authentication, then grab that, or even pick up the phone and say, hey, I want to know why our other applications should have multi-factor authentication. And kind of think through that item and if the budget is available, work through it. So, it's kind of holistic, seeing it from beginning to end and then looping in all your partners as to what's going on in your organization.

David Reese (26:35):
Echoing what Susan's just said. But I, unfortunately, agree that it's going to get worse before it gets, but you can liken it in a way to the property market in the sense that when the wind stops blowing as hard in the property market, then things start to get a bit better from an insurance perspective. It's the same here. Just because we're not seeing any change in the trend and the severity and frequency of these claims, but with all of this focus on the cyber cover now, in terms of the questions that insurers are asking, and as much as their insurer questions, they're obviously there to the benefit of everybody in the chain, obviously the insured themselves, as well as the insurer to have to pay less losses. But if, more and more entities are paying attention to this and implementing, what are now classed as almost basic line controls, then it would have to move to a point where hackers are going to have to do something slightly different in order to achieve what they've currently achieved. And so weirdly, maybe this is a hard market. And obviously, the claims that we're seeing will come to something positive in the future.

Carleen Patterson (27:43):
What you both mentioned with regard to the marketplace. It’s critical that the story that our clients are able to tell the markets is really important. What are they doing before? It was a tower over here. Risk management was a tower over here, and they really didn't talk a lot. And it seems like more and more, they're actually in the conversations and having conversations with our underwriters directly and bringing the IT folks into those meetings, which I think is really helpful. And it goes back to the theme that we've been talking about, regardless of what the subject is, which is data, is really important. So, as we're kind of wrapping up, Susan, this is for you, dealing directly with our clients here in the U S what do you think you would have said to them 12 months ago, if you knew today, what was going to be happening in the cyber market? and what do you think you would have told them? And what will you tell them 12 months from now?

Susan Leong (28:47):
I understand your systems and data document, you’re understanding and have a plan on how you will protect your mission-critical systems and data in a cyber incident. Unfortunately, insurance prices will go up to astronomical levels. I wish I knew 12 months ago how bad it would be. David actually was one of the first people that warned me of the hard market. He could speak to it, but I don't think that we both knew how bad it would be for public entities in the US. And so, with that, I would ask that they budget much higher than anything that they've heard in the marketplace as far, because I know a lot of public entities work very strictly on budgets and, getting their approval from the board, etcetera. I think in the next 12 months, plan and budget have a continuous plan of how your organization is improving your cyber security controls, test your incident response plans, your business continuity plans to see how it works, where the kinks are again in it, and then work it out when it's kind of that you have the safety net, that this is not actually real, so that when, if knock on wood, it does happen.

Susan Leong (29:59):
You are a smooth-running machine and really again, budget for your organization to improve your cyber security system. So not only budget for the insurance but on the cybersecurity side, the insurance marketplace will continue to need data that is not going away at all. Now be prepared to provide it, the prices and terms will likely deteriorate in the next 12 months. So be prepared for what this means for your planning and budget and continue to ask the good questions that they're asking, because as their broker the insurance companies, the vendors, everybody's out there to help each other to fight the good fight. So, continue asking the questions and be prepared to have tough discussions with your boards in the future about this.

Carleen Patterson (30:43):
So, David, since you had the crystal ball and were warning Susan of the hard market, can you add onto what Susan talked about?

David Reese (30:52):
Yeah, sure. I, I think it's just from doing the cyber on, obviously on a day-to-day basis since unseen it through lots of different geographies as well. It was apparent that something was happening. But I think in terms of what I would have said 12 months ago is, I think I've mentioned this a few times, but these IT security protocols, which before were nice to haves and, and now you should have. It probably would have been that: focus on this stuff now. Like, make sure you're implementing this stuff as opposed to sort of focusing on it now in the current day and in terms of going forward, what would I say with 12 months notice, just carry on doing it. Like it's, it's for the good of everyone. So, if it'll help you as an insured. Obviously not the people are trying to help the insurers, but if the risks are better risks, everybody's going to win from that.

Carleen Patterson (31:43):
Yeah. That's a good point. I guess it's a general theme, which is, as brokers, when we are representing a particular client in a particular state like maybe it's a county in Oklahoma, that might be our client that we try and differentiate and individualize that client to the insurance market, but ultimately it is a global market. And so, while we're trying to represent that particular client, there's also a lot of things going on in the insurance market that clients can't control. And so, it's just another I guess just another realization that it's a global market, what happens in public entity in the UK or the public entity or even airlines or whatever it is, it does come back and impact our individual municipal and public entity clients. So really would like to thank both Susan and David for joining us today. It is a challenging public entity, risk management role that you all have. And we are focused on trying to provide information to help you navigate 2021 and beyond. So, thanks very much to both of you and talk soon. Thank you.