Specialty Podcast: Cybersecurity Awareness in Action - Strengthening Culture and Reducing Risk
By Alliant Specialty / October 30, 2025
Join CJ Dietzman, Cara Murray and Ben Lorentzen, Alliant Cyber, as they discuss the current state of the cyber insurance market and the evolving threats organizations face heading into 2026. Their conversation explores how cultivating a strong culture of cybersecurity that is supported by engaged employees and leadership can strengthen resilience and reduce exposure. They also share actionable steps organizations can take to build a sustainable cyber culture that reinforces strategy and enhances preparedness in today’s dynamic risk landscape.
Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
CJ Dietzman (00:09):
Welcome everyone to another edition of the Alliant Specialty podcast. CJ Dietzman here, leader of the Cyber consulting practice at Alliant Cyber. And folks, it is the best month of the year. It is Cybersecurity Awareness Month, and it's a super exciting time for the Alliant Cyber practice. As we wrap up October 2025 and Cybersecurity Awareness Month and look ahead, fourth quarter and beyond, and into 2026, we wanted to make sure we talked about some super important and relevant topics related to the state of the cyber insurance market, related to cybersecurity best practices and of course evolving threats. Folks, I'm super excited today for a lot of reasons, but we've got two of our best pros on this podcast with me. As you know, Alliant Cyber, bringing together the best of cyber insurance brokerage with cyber consulting and advisory, and I truly have the best of that on the podcast with me today. I've got my colleagues, Cara Murray from the cyber brokerage team, a seasoned vet around cyber insurance, the market, mitigating key risks and advising our clients from a cyber insurability standpoint, and also Ben Lorentzen, who's one of our senior consultants and a specialist in cybersecurity, in controls, as well as driving better cyber insurability outcomes for Alliant clients. Welcome, Cara, and welcome, Ben.
Cara Murray (01:32):
Thanks, CJ.
Ben Lorentzen (01:33):
Thanks, CJ.
CJ Dietzman (01:34):
Welcome folks. Let's get right to it. Cara, first things first, let's start with the state of the cyber insurance market. What are you seeing out there? Are we dealing with a hard market? Is it softening? Is it stable? Cara, what do you think?
Cara Murray (01:48):
In Q4 2025, which we've seen progressing over the entirety of 2025, we continue to look at what is a relatively stable market. That stability is somewhat illusory in that it comprises of the fact that we are continuing to see increased claims on a cyber basis. We've seen the stability in the market as a mitigation of the claims impact by the competitiveness and increased capacity in the market. There is a balance between the availability of more carriers in the market, which is enabling the carriers as a whole not to adjust their premiums upward and start hardening the market due to the claims. But that is something that we do expect to see starting in 2026 forward, which is that if the claims trends continue as is, we would expect to see some hardening in the market because there's that claims volume.
CJ Dietzman (02:43):
Interesting, interesting. Fascinating times. Thank you for sharing that. A follow-up question for you, Cara. I know you work with countless clients, Alliant Cyber clients across industry verticals, in addition to your awesome summary of the market that they're all facing, what are you seeing acutely with our clients, with your clients, Cara, that's really driving cyber incidents? What type of threats are driving the incident, the attack, dare I say, the loss and ultimately the claim? Go ahead, please.
Cara Murray (03:13):
Absolutely. We are continuing to see that the major causes of loss remain consistent year over year, so ransomware continues to be above and beyond the leading cause of loss when it comes to cyber. That's for many reasons, but to some extent it's that it's the easiest mechanism with which to get money out of an attack. The ransomware demand comes with a financial benefit for the attackers, and it is very difficult to prevent against ransomware because like any other compromise of a cyber network, you only need one failure on the part of the organization for the bad guy to win. There are many attacks over the course of the day. Most of those are stopped by organizations, but there is always going to be that one failure, which then causes the incident. The other piece that I would say, along with ransomware that continues to be significant, is business email compromise. Getting tricked into giving away an organization's credentials, so an individual's credentials or a specific account's credentials, and that compromise leading to the compromise of the network overall.
CJ Dietzman (04:21):
Cara, those are some sobering points. Weren't we talking about ransomware back in 2017, 2018 pretty heavy? You just reiterated for us that it's still one of the top contenders for major threats impacting our clients today and driving loss and driving claims. Now having said that, it can get overwhelming for many of our clients. Ben, help us out here. In your view and in the context of what Cara just shared and the evolving threat of ransomware and breach and business email compromise and phishing and all these things, what do you think, Ben, how can our clients mitigate these threats?
Ben Lorentzen (04:56):
Thanks, CJ. With ransomware being number one, you got to think what's the root cause of ransomware? That's really employees and employee clicks. Phishing is still the number one way that the bad guys get into your network, attributing to about 40% of all ransomware cases come from the phish click. That’s pretty sobering. The human aspect of cybersecurity and everybody's role, that's the prime predominant way in and the predominant factoring that starts a ransomware event. The big thing here is employee engagement and training. Most folks have phishing campaigns, but what we've seen from our clients is that there's not necessarily a lot of engagement from it and not a lot of, “Hey, I'm going to be really looking out for this.” It's just a humdrum thing like “I clicked it or I didn't.” Maybe there's some punitive repercussions from clicking on an email like “Go take that training again.” People just go through, maybe take a short training course, but it’s not getting folks engaged. But I've had a lot of clients that have really had great employee engagement, and the thing they're looking for there is, are you reporting phishing emails? They're trying to get them to be more proactive about reporting on those emails, and they roll all of cybersecurity training, not just phishing, into a rewards program. If there's quarterly phishing emails, every one of those you report properly, you can get entered into a drawing. You've done your annual cybersecurity required training, but here's some other training that would also be good. Any of these additional trainings, maybe you can also get entered into a drawing. Everyone gets excited about the chance to win something. These are like, “I'll knock some of this out, I'll be on the lookout. I want to win that $250 gift card or whatever it is.” You tailor the reward size and number of them to the size of your organization, but getting people to be like, “That's free money, I want to have that.” I've seen a lot of organizations that have had a lot of success driving engagement through a reward type program where there's quarterly rewards and then an even bigger at the end of the year reward for all the folks that have done the stuff on time.
CJ Dietzman (06:57):
Interesting and progressive thoughts there. I like it. It's the old thing, how to win friends and influence people and influence behaviors. Those are some really creative thoughts. Cara, what do you think? Do you agree with what Ben shared? Is there anything you'd add?
Cara Murray (07:10):
Yes, I absolutely agree. I think that Ben makes a great point on that employee engagement. One of the elements too is having that engagement means that cybersecurity is not just a one time or an incidental item on an employee's checklist, but it becomes part of the corporate culture. Any time you can make that cultural change, that's really what's going to benefit the overall security of the organization. Then you get to see the cross pollination of everyone is engaged at the time when we're doing these trainings. You see that engagement bleed into if you do have an event, employees are much more attuned to bringing that event up through the correct reporting chains and making sure that that communication is active and engaged during an event response, as well as just during the training. You're getting both the benefit of everyone being more secure on the front end because you've done the training, but then also when you do have an incident, there's a lot more comfort internally with making those communications and being able to respond effectively.
Ben Lorentzen (08:13):
Yes, that's great, Cara. Another aspect of that I've seen work well is the idea of a local security champion. Someone in every department or every group, they go to more training and have a monthly call with a cybersecurity group, so they are more in tune with the process and what happens. They're that local SME, that way everybody knows who to reach out to. So, such as “I need to send this encrypted. I don't know how to do that here.” We've got our local security SME. They know how to do that as an ancillary duty. They do that and they can provide some of those details for folks, and it's nice for them to have additional duties. It always looks good on performance reviews to be involved in more than just your job, so really helping in other ways. So, this local security champion, not a security SME, but the local one that can really guide you and point you to, “Here's the help desk number, we got a call, here's the way to send encrypted emails,” all of that. Having that local resource that they're comfortable going to and can also disseminate information throughout the year as well. Something new pops up, it can go to those security champions. They can talk in their weekly or monthly meeting to their group and say, “This is the new stuff going on, everyone take note.”
CJ Dietzman (09:24):
Wow, I love this dialogue, Cara and Ben. We could do this all day, couldn't we? Having said that, time is of the essence and here we are at the close of Cybersecurity Awareness Month in October. In wrapping up and perhaps most importantly into action, Cara and Ben, I'm going to ask you both and our clients and our audience want to hear from you, one or two things into action, next steps. What would you recommend or what would you like to see our audience and our clients do right now in this context of cyber threats, in this context of employee engagement that we spoke of? What are a couple of tangible, tactical things that you would like to see our clients do right now, or what would you recommend? One or two things, Cara, what do you think?
Cara Murray (10:09):
One of the things that we do see clients currently doing along with their employee training is executive-level and IT-level tabletop workshops where you walk through an incident together. One of the things that could be very useful, especially as what we've talked about today, is figuring out ways to distill those tabletop exercises, so essentially the fire drill of an event, down to the employee level, so there's a degree of training in that perspective. Some of what we see in our regular training is here's what could happen and what that might look like and what you're supposed to do about it. But giving more opportunity for that hands-on engagement with employees to handle the event themselves in a trial way.
CJ Dietzman (10:51):
Oh, love it. Couldn't agree more. Cara, when you and I have the opportunity to do these tabletops together or together with Ben or other colleagues, our clients always get so much out of it and find some of those blind spots. Fantastic. Ben, at you now with the same question. What do you think? One or two things that you'd like to see clients do right now?
Ben Lorentzen (11:10):
I want to piggyback off of what Cara was saying there, and I really want to talk about the culture of security, the culture of cybersecurity. Every organization needs to realize that cyber risk is business risk, so it should be important all the way to the top. Those tabletops are a great way to illuminate that problem for leaders and organizations, and leaders need to push that down then, drive that culture of cybersecurity, drive those reward programs, drive those security champions. Because with ransomware still being the biggest, phishing still being the biggest way in, whaling of CEOs down to just random phishing of Joe Schmo employees, everybody needs to know, everybody has a part to play. That risk at each employee is a business risk.
CJ Dietzman (11:54):
Well said. Listen, Cara and Ben, you did not disappoint. Fantastic job. As I mentioned to our audience and all of our incredible clients out there, Alliant Cyber, bringing the best of brokerage and consultative services around cyber risk and security, and I think our brief podcast here manifested that. I hope you got as much out of this as I did. Thank you so much, Cara and Ben, but perhaps equally important, if not more important, thank you to our audience and our clients. Cybersecurity Awareness Month on the Alliant Specialty Podcast. Thank you everybody for attending. Once again, we'll see you on the next one. Alliant Cyber, the more rewarding way to manage risk. Looking forward to speaking to you all again soon. Have a great one.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.