As our dependence on the cyber world increases, so does the risk of data exposure to hackers. Mike Hendrix is the president of Both, Branch & Hendrix Agency in New York state. He began his work on the frontier of technology protection 12 years ago. On this episode of the Trusted Advisor Podcast, he provides insight into the exposure of personal data and how you can protect your valuable information. Listen in to this episode if you are looking to put your technology fears to rest!
Edwin K. Morris (3s):
Welcome to the Trusted Advisor Podcast brought to you by Iroquois Group. Iroquois is your trusted advisor in all things insurance. I am Edwin K. Morris. Mike Hendrix began his insurance career in 1983, concentrating his efforts in business insurance. Mike is currently the president of the Both, Branch & Hendrix Agency located in Olean, New York. Mike also runs a consulting business called Insurance Management Services. Did cyber liability exist 10 years ago?
Mike Hendrix (35s):
Yes, I’ve been selling. Yes, it did. I’ve been selling cyber liability insurance for about 12 years now, and it really has taken off and become an easier sale in the last few years.
Edwin K. Morris (48s):
So what sparked that interest to even get into it?
Mike Hendrix (50s):
Being a small business owner, I recognize the IT challenges that we all have as well as the exposures we have when we’re handling private information. So given that we’ve gone to more and more of electronic format in the way that we do things, I saw the need for protecting ourselves and our customers. And around that time, the cyber liability insurance first started coming out. I recognized my competition was not selling this. And it made me unique in the marketplace to offer a product that no one else was offering.
Edwin K. Morris (1m 22s):
You got into that whole business about 12 years ago?
Mike Hendrix (1m 25s):
Yes. And it was kind of the wild West then because the insurance industry hadn’t fully embraced it. So we had to go to specialty markets. The challenge at that time was finding a broker who understood what the coverages meant. I mean, everyone called the blue pen. Well, people call the blue pen numerous things, a blue pen with a click top, a blue pen with a black hold around it, a blue pen with a clip on it. But they all meant the same thing. And the challenge for people in my position was trying to interpret these insurance policies to best advise our clients on what they were buying.
Edwin K. Morris (2m 0s):
Got it. Well, I mean, it was a learning lesson all the way around for everybody involved, but where is that market now? What’s different?
Mike Hendrix (2m 8s):
What’s different now is there’s more carriers involved and there’s been some standardization to the wording. It’s still not to the format where the Insurance Services Office has offered a boilerplate form that companies are using. A lot of it is still manuscript forms. So the keys to that are you have to work with an insurance company who really understands what it is that they’re offering or work with a specialty broker who really can help educate you so that you’re properly advising your customers and you’re making the product fit what they need.
Edwin K. Morris (2m 38s):
So I’m going to guess this is not a cookie cutter kind of situation. I would assume every instance is going to be a customized approach.
Mike Hendrix (2m 46s):
It can be. But part of that is determining what is it your client needs and what is their exposure? There are some customers who do not have a lot of private information in electronic format. For them, our standard market carriers, like Hartford, Travelers, they offer endorsements to a business owner’s policy, which makes it really cookie cutter and real easy to do. But the key is understanding what is it your client needs? What is their exposure? If they have an exposure where they’re either carrying protected health information, private information for individuals, or they have credit card information, then the best solution for them is a standalone cyber policy.
Edwin K. Morris (3m 25s):
So what kind of claims have you seen in this time?
Mike Hendrix (3m 28s):
I’ve noticed, I mentioned I’ve been selling this for about 12 years. It’s really taken off, the easier sell in the last three to four years. In the last 18 months, I’ve had my first, I’m up to eight claims now, and those claims all dealt with either a denial of service where some hacker has overloaded someone’s consumer site, where the consumers can’t place orders, or that’s been a ransomware attack where they’ve locked down someone’s system demanding a ransom. The easiest of those was resolved within about 36 hours and they were back up to full operating. The worst of the ransomware ones we have is still ongoing and it’s been 14 months.
Edwin K. Morris (4m 11s):
So does that automatically trigger an investigation at the local level as far as the police? Or is this FBI?
Mike Hendrix (4m 18s):
It depends. It depends on the size of the entity. Truly the FBI is not really concerned unless there’s some kind of a major, if it’s a bank. Yes. They’re concerned. If it’s an insurance agency, they’re not really concerned. Basically what happens is that with the purchase of one of these policies, when someone has a ransomware attack, what this policy provides is 24/7 access to the experts who can come in and they can identify, make a plan, mitigate and restore your system. But they also do the forensics because you’re required by state and federal law to, to understand where did the hacker go and what did they take?
Mike Hendrix (4m 60s):
At that point also, the insurance provides you with an attorney to advise you on disclosure laws so that you’re not mistakenly advising an entity that doesn’t need to know who can cause you real regulatory problems. So the attorney will provide you with the advice to how to properly respond depending upon where they went and what they got. And then if it turns out that they breached your data, the policies then provide money for customer notification. So they’re very comprehensive policies and a lot of businesses, bigger businesses have their own IT staffs who do an excellent job at maintaining their networks. But when you get to these areas, you want somebody who really, this is what these specialists do.
Mike Hendrix (5m 41s):
They do it every day. They can get in, they can quickly identify, they can quarantine and stop the process. In those claims I mentioned, most of those claims when they get the ransomware it’s just a matter of being an inconvenience. They don’t care about your data. They just want to try to get the ransom and move on quickly. So if that can be mitigated,
Edwin K. Morris (6m 2s):
They want to make it as painful as possible so you’ll, you’ll pay.
Mike Hendrix (6m 5s):
Correct. And I’ve only had one of those claims where the insurance company recommended paying the ransom. And we joke, we say it’s like the back in the days of the Cold War, where the Soviet agent and the U.S. agent met on the bridge, each handed each other a package, and then backed away because you don’t know really what you’re getting. Hopefully you’re getting the key that will unlock your system. So it can be fixed.
Edwin K. Morris (6m 26s):
What would you recommend to someone selling this in the industry? What are the three top things a, an agent should know?
Mike Hendrix (6m 33s):
Well, the three top things the agents should know is that there, there are markets out there for obtaining this coverage. All of those markets do provide an education source to help agents get up to speed, to help their customers identify what their risks are. And then it is an active marketplace. So there’s more than one carrier out there who can provide a proposal.
Edwin K. Morris (6m 56s):
Is there any kind of state limitations by carrier?
Mike Hendrix (6m 60s):
Not that I’m aware of. The only limitation you’ll see is that in the, in the questionnaires where they get to know a business, they’re going to ask standard questions as far as where’s your data? How is it protected? If you have minimal protections such as you don’t have, like, two-step authentication to get into your file server or your email server. If you’re not using firewalls, if your systems don’t get automatic patches from your antivirus systems, what you’ll see is the cost will be higher or the deductibles will be higher or coverage will not be available until you put those in place.
Edwin K. Morris (7m 32s):
Especially for someone that is just getting into that understanding of where their data is and all of those parts and pieces, I would assume there’s a huge learning curve for the consumer.
Mike Hendrix (7m 43s):
Absolutely. And part of that is the, the awareness. People often think, well, my systems are secure. The number one way that systems are getting hacked is by employees innocently clicking on emails and on links. And the hackers have gotten really, really good. In fact, given our current times, what we’re seeing is emails coming from the CDC or World Health Organization, or even from the federal banking system, the Federal Reserve saying, click on these links to get the latest updates. And those links don’t take you where you are. So part of it is employee education that employers have to invest in to tell their employees, if you get something that looks suspicious, if it comes from the CDC, go to the CDC website and then click on their updates, don’t click on updates through an email.
Edwin K. Morris (8m 33s):
Yeah. Well, you know, and that’s easier said than done because people get fooled all the time. What would you say to, um, is this something that looks like you would add onto a policy or is this create a whole nother stream of revenue?
Mike Hendrix (8m 49s):
To me, the best way, the most complete way to do it is to write a separate policy. We’ve seen the prices for this insurance come down dramatically over the last few years. For a while, it didn’t make sense to, you could add it. If someone had low enough exposures, you could add it to their business owner’s policy. That type of coverage that we’re finding is very, very limited. We’re also seeing that a lot of insurance carriers are requiring their agents to carry at least a million dollars of coverage. You can get that insurance, say a million dollars of coverage, you’re probably looking at anywhere from 1500 to $2,500 a year, depending upon the records you have and the safeguards you have, it’s not cheap, but it’s not astronomical.
Mike Hendrix (9m 34s):
But if you consider on the other side, if myself being obviously an insurance agent, we have pieces of people’s personal information. If our systems get hacked, the cost of notification, just notification alone to our customers is around $61 per record. So at 5,000 records, you’re over $300,000. And that’s just customer notification. Oh, if you have credit card information, that’s the next, that’s actually the cheapest one because everyone’s credit cards get hacked all the time. That’s $39 per record. So you’re looking at about $190,000.
Mike Hendrix (10m 15s):
If you have health insurance information, protected health information, that’s the most expensive, that’s around $343 a record. At 5,000 records, you’re talking $1.7 million. I don’t have that in the bank.
Edwin K. Morris (10m 28s):
Yeah, I hear ya. That’s a, that’s an astronomical figure that can grow rather quickly. Well, thank you very much for being here today. We hope to have you again, because I want to hear what else is going on in this whole new technology world.
Mike Hendrix (10m 42s):
Absolutely. I appreciate your time and I’m more than happy to give more information when you need it.
Edwin K. Morris (10m 48s):
Thanks for listening to this edition of the Trusted Advisor Podcast brought to you by Iroquois Group, Iroquois, your trusted advisor for all things insurance, and remember, get out of the office and sell. I am Edwin K. Morris, and I invite you to join me for the next edition of the Trusted Advisor Podcast.