Phin Security

What Is the Problem With Cyber Insurance?

In the Gone Phishing podcast episode, host Connor Swalm and cyber insurance expert Brian Mahon discuss the challenges facing the cyber insurance industry, including a significant knowledge and talent gap exacerbated by the Great Resignation, which complicates effective cyber liability coverage.

Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.


Podcast Conversation:

Connor Swalm: Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor Swalm, CEO at Phin Security. And today we have back on the podcast a good friend of mine, Brian Mahon. Brian, how are you doing?

Brian Mahon: I'm good, Connor, how are you?

Connor Swalm: Oh, I'm doing amazing. If I were any better, I'd be a twin. I always say that to anyone else. That's a twin. I like that. I'm a triplet, so you decide.

Brian Mahon: What that means if I'm a twin.

Connor Swalm: So, Brian, you're a cyber insurance expert. Is it fair to say that?

Brian Mahon: It's pretty fair.

Connor Swalm: Okay. And I love it. Very confident. And on our last episode, got to.

Brian Mahon: Be worried about agency errors and omissions thrown around that expert word.

Connor Swalm: Yeah. I never try to call myself an expert. It makes me feel weird. But on our last episode, we talked about cyber insurance, where it was pre-COVID and post-COVID. And today, what we almost got into was problems with cyber insurance, and that's what we're going to get into today. So what are some problems that you see with cyber insurance as a person who lives and breathes it?

Brian Mahon: Yeah, I got 99 problems but cyber insurance is not one. We have a ton of issues here from an insurance industry perspective when it comes to cyber liability. First, there's a knowledge gap or a talent gap, just like a lot of industries are facing right now, ever since, I guess they coined it the great resignation. But the average insurance agent, I believe, in the US, is around 45, 55 years old. Don't quote me. There's different data points out there, but you could probably tell if you're watching, I guess, the video version of this that I'm not. So that's a good thing, that nobody grows up and wants to be an insurance agent. Let's say maybe you be Jake from State Farm for Halloween, but everybody wants to do something a little bit more sexy, work on Wall Street, be a realtor. So there's a knowledge gap. And I think part of that is, historically speaking, cyber insurance has been around for 20 plus years, as we mentioned on a previous episode, but the commissions weren't there. I mean, cyber was kind of... I don't really think I need that. It was very simple to underwrite and there weren't really cyber specialists out there. Maybe the big brokers, there's 40,000 independent insurance agencies in the United States. Maybe the top ten or 20 might have a cyber team or a cyber specialist. But now we're seeing some more middle market agencies, and certainly carriers develop tech and life science or cyber practices. So it's getting better, but it hasn't been good. So there's a talent issue.

The second issue with cyber insurance is the product. It's a very immature product. I'll say it's matured very fast last few years. But there's no standard form. So what I mean by that is there's no standard skeleton or cyber insurance policy makeup like there is in other insurance products. Like there's ISO (Industry Standard Organization) that says, here are the bare bones for a property policy or a general liability policy. Cyber does not have that. So if you're comparing one cyber policy to another, they are truly custom forms or policy wording products. So it makes comparison difficult and it makes business owners rightfully skeptical. And they're like, what the heck is even covered in this policy?

Connor Swalm: Brian, I had a question on that real quick. We had mentioned in our last podcast that the industry is now collecting data that is used to write more accurate policies. So how does a standard form, I'll use the overused colloquialism, one size fits all, how does that fit into, everyone has their own data, their own environment, their own risk?

Brian Mahon: It's hard to say. In our industry, you have to know both the IT terminology and the insurance industry terminology. So that can be difficult as far as data goes. Some carriers are kind of veterans in the cyberspace where they have much better claims, historical data. And there's new kind of insurer tech carriers who are using more predictive analytics and looking forward, looking for that one in 100 cyber incident or data breach, the big flood, so to speak. They're all doing a little bit differently, but some are just pulling out of entire industries saying, we're not going to write small K through twelve schools, they're too risky, we're not going to write manufacturers, they're too risky. Some are altering their product. Going back to that standard form, there is none. So if they want to carve back their policy language and their coverage, they can do that. There's no one saying to be a cyber policy, you must have XYZ and then others.

Getting smart with underwriting using the claims data of last 20 years, predicting forward using risk assessment tools like a bit site or external scans. Some carriers are doing active monitoring, or what they're referred to as active monitoring, where if you're a policyholder of a specific carrier, they're going to continue doing those scans throughout the policy term, and they'll actually notify you of a vulnerability. Like an open RDP port that's exposed to the Internet mid policy term, not as a way to say, hey, we're going to deny your claim or deny your coverage, but saying, hey, we see something that a hacker could use, a door, so to speak, to open to cause some issues. So we are notifying you as a way to help you.

Connor Swalm: Yeah, that makes a lot of sense. I remember looking at two different policies with a buddy of mine that someone had placed in front of him. One was nine pages long. And I'm going to bastardize this horribly, but it was like, basically, does your front door lock, and is there a human that opens it in the morning? All right, great. Here's your cyber insurance. I'm like, wait, what does this have to do with the servers and the infrastructure and the hardware that's at the actual device at the actual place? And then the second policy was to give you an example. Do you deploy MFA? All right, what's the tool you use? How often do you refresh your policy around this? Do users get onboarded and do they have to do this? Is every single account enabled with MFA? Now it's getting to what you and I know. It's like, oh, well, that creates additional risk. If they don't do that.

Brian Mahon: Totally. Yeah. And you can tell that some carriers are probably going to get hammered because they're not asking anything. And other ones, maybe they're asking you so many questions, they don't even want your business because they're not very aggressive or they're paranoid of claims or whatever. So there's definitely a few different, I'll say, we say risk appetite in our industry. So if you're risk averse, the carrier is asking a million questions. They're not going to give the best premiums. If they're risk tolerant, then, hey, here's a policy, no questions asked. We'll put it on the books.

Connor Swalm: Do you see a lot of that still happening?

Brian Mahon: Not a lot, no. And it's very risk or business specific. Like, nobody's going to get an online quote for $100 million school district. But your $2 million revenue, doctor's offices. A lot of them have cyber insurance policies, or they should at least, that it's not really any questions being asked. So we'll continue to adapt and evolve, and those carriers that aren't doing proper risk management will probably change the way they do business in a couple of years, or they'll go out of business. Gone are the days of the 108% loss ratios on cyber insurance lines.

And we've seen that, to your point, where some of these carriers, oh, this new sexy carrier that starts maybe with the letter C, goes out and underprices everything and writes all this business, and then the claims come in, and then all of a sudden, they can't write new business. And a lot of times they'll sell the carrier in hopes that somebody else can turn it around. So we see a lot of kind of mergers and acquisitions in our industry, both at a carrier or book of business level and then also down to the agency or kind of distributor level.

Connor Swalm: That makes a lot of sense. Now, I work a lot in the MSP industry. It's what we serve at Phin, and you work in cyber insurance. And specifically, you have knowledge of the MSP industry, helping them understand cyber insurance.

Brian Mahon: Help them write policies for their clients, or get them involved in any way. So what would you see as the primary gap between the MSP industry as it stands and cyber insurance?

Brian Mahon: Yeah, I think I read, I don't know, a poll on LinkedIn or somewhere. I wish I took a screenshot because it disappeared into the Internet abyss. But essentially, MSPs are treating kind of cyber insurance one of four ways. I call it kind of a professionalism scale. So one end, you've got MSPs that are mandating all of their customers have cyber liability insurance. Then kind of a step below that, you have MSPs strongly recommending cyber liability. From there, you have them not really strongly recommending, but saying, oh, yeah, it's a good idea, go for it. And they kind of stay out of the conversation. And then hopefully, most MSPs are done doing this, but completely avoid the conversation altogether. Laissez faire. I don't tell my clients how to run their business, none of my business. Leave it up to them and their insurance agent. And I think the first two camps have it right for a number of reasons.

I mean, MSPs are looked at as hopefully a trusted IT advisor, and being able to kind of recommend adjacent professional service providers just helps them instill that professional advisor status. Like, for me, independent insurance agent. We've been recommending reputable, industry specific CPAs, lawyers, HR consultants, bankers for decades because we have to differentiate ourselves and compete and be that trusted risk advisor. Same is true for MSPs. On the other hand, it just makes financial sense for MSPs to recommend cyber insurance because your client has to pay that monthly recurring revenue IT bill. If they're insured properly and they have an issue, their business interruption is covered by a cyber policy. So, not to mention it creates opportunities for MSPs. Either small business can't qualify for cyber insurance, or they want preferred treatment from underwriting by being a good want, you know, lower premiums, lower deductibles, higher limits. So they invest in IT controls, typically through an MSP, and then to kind of wrap this all together and put a bow on it. These carriers are starting to monitor these policies. So maybe an MSP implements some controls. And now their client can get insured, they can get better coverage. Then halfway through that policy, you get that notification of, oh, cyber insurance carrier says, we have this open port, or we have some sort of issue, and all of a sudden the MSP made a couple hundred more dollars of recurring revenue with no salesperson, no attempt, no initiative, no marketing budget. It just is kind of a self-fulfilling prophecy a little bit there.

Connor Swalm: So you're telling me that cyber insurance carriers, the people who are creating these policies, have a way, or in some cases, to monitor the stack of tools that an MSP's client is using and maybe how it's configured in certain ways, and they'll help you point out vulnerabilities in your client and say, hey, your client needs to change this. This is a risk. And I think you gave the example last time of, there's an open RDP port exposed to the Internet. Hey, go shut that off. You're saying that's happening right now. Is that common with a good cyber carrier? Good policy?

Brian Mahon: Yes. That happens regularly. They can see things on their email, their DNS server, their website. So cyber insurance carrier isn't inside your IT network, but they're scanning externally and they can get a little bit of data there to help point out vulnerabilities. And they don't say, call this guy to fix it. They say, hey, here it is, fix it. They leave it up to the policyholder, the business owner, and nine out of ten times they already have an MSP to forward that email to say, hey, should I fix this? And how much is going to cost?

Connor Swalm: Well, that gives me two thoughts. The first is, wow, that is a big opportunity for the MSP, the trusted IT advisor, because now you're having a third party who is in control of your business goes under as a result of an attack, they're there to help you with that. And so that's an opportunity for the MSP to not only be a more trusted advisor, but they don't even have to do the selling. And the second is, I would love to have you back on the podcast. And I want to talk about the future of security awareness. Where is this monitoring going? Is everything going to be Big Brother? Is the government going to get involved? I don't know. I'm sure you and I could, I don't know, over a beer, come up with the weirdest and wildest future scenarios. But I'd love to know what you actually think is going to happen.

Brian Mahon: Let's do it.

Connor Swalm: Awesome. Everyone. Thank you so much for listening. It was your host Connor, CEO of Phin and Brian Mahon of EHD Insurance, and I'll have him back on at some point and we will talk about the future of cyber insurance. Thanks again everybody for listening. See you soon.

Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out. Phin Security at Phinsec IO. That's P-H-I-N-S-E-C IO. Or click all of the wonderful links in our show notes. Thanks for fishing with me today and we'll see you next time.

Reach out to Brian Mahon at iglooins.com