Skip to main content

The Changing Landscape of Cyber Liability

This episode we are discussing what’s new in the cyber liability landscape with XS Brokers. Scott Burns is the Vice President in Management and Professional Liability at XS Brokers and is seeing more and more cyber policies come through the door. Scott tells us that the necessity for companies to have this coverage and to add on the bells and whistle is increasing ten fold. The coverage is only one of many bonuses of having a cyber liability policy in place. Make sure to check out our other cyber podcasts here.

Cyber liability is one of the most important coverages to have. Stay protected against human error.

Edwin K. Morris (3s):
Welcome to the trusted adviser podcast brought to you by Iroquois. Iroquois, is your trusted adviser in all things as insurance. This week, you’re listening to this special segment of Charlie’s corner hosted by our very own Charlie. Welcome to our Trusted Advisor Podcast.

Charlie Venus (24s):
Today’s guest is Scott Burns. Scott is Vice president at the XS broker’s in their management and professional liability practice. And we’re here today to talk to Scott about cyber liability. Welcome Scott.

Scott Burns (36s):
Hey Charlie. Thanks for having me thrilled to be here.

Charlie Venus (39s):
Thanks for coming. First off, Scott, I’ve been reading the news in preparation for our talk and it’s kind of amazing some of the stats that I’ve just recently scene that there’s been an increase of in cyber attacks of over 300% since the pandemic started in 2020, that more than 50% of businesses had a cyber attack of some type this morning from a IRMI I got, this is the average ransomware attack now costs a $155,000 and it results in 21 days of downtime. Now when cyber liability started, we were thinking about loss data and you know what it costs for the notification expense, what the heck’s going on in the marketplace now.

Charlie Venus (1m 29s):
Well, Charlie, you bring out some statistics that are a bit staggering if you ask me. And a truthfully is not something I’m totally surprised by, but the state of the cyber world is, is certainly one that is constantly moving as you and many, the agent’s know the exposure has changed to substantially from when cyber was first introduced over a decade ago, the coverages have responded and continue to respond, to change to address some of these new exposures and new claims that we’re seeing I’m From A claims standpoint, what has been the shift is it used to be, you know, a notification expense. And like you said, maybe some identity theft losses, but that’s shifted to other areas now.

Scott Burns (2m 10s):
Yeah, It, it really has notification costs and protect your client’s data was always sort of that the driver of this cover, we’ve seen that move a number of times, you know, we entered into this phase where, and we still see a lot of these claims today or a social engineering claims and funds transfer claims became a very, very prevalent. And we still do see that the bad actors, ah, that I called them. They’ve decided that in, in addition to training to dupe people out of money, they’re just going to lock people out on those systems. So the ransomware claims were that we see it regularly, or just consistently the number of that the bad actor used to ask for it was a lot smaller. You cited a number of that. It’s a $150,000 it more, and I’m not surprised to see that.

Scott Burns (2m 54s):
And having the ability for these bad actors to ask for that are from that money is, were seeing your a very regular.

Charlie Venus (3m 2s):
So do you have Any insight ’cause when the, the ransomware attack started it, it typically was under $50,000 that they were looking for. And my understanding was that that was kind of the cutoff point where the FBI would investigate over 50. They would investigate under 50, they wouldn’t, but it seems like that’s kind of going out the window now. And some of these demands, or even as high as a million bucks for sort of the larger companies.

Scott Burns (3m 29s):
So there are times when it’s even, even higher than that, that new years ago. So, I mean, we would seek claims come in for a $500 ransom. And now that you know, the, the, the bad actors that just decided they can swing for the fences, they can try and get more from these businesses. They know how valuable and how it dependent businesses are on their technology and their data and their systems are my organization uses the cloud almost as many, many, many businesses use clouds and other types of technology to store in house, or all of their data are dependent on with this technology too, to operate. So bad actor’s know very, very quickly if an organization can’t function, because there technology is not working the game and often they don’t have a choice.

Charlie Venus (4m 13s):
You look at it from a coverage standpoint when I was on the retail agency side, where you were to try to sell people, the whole suite of cyber coverages, but the one’s that you needed to have were the third-party liability and the first part, the notification expense. Now you, you know, you need to have business interruption, you need to have the ransomware extortion coverage. You need to have the crime coverage, either on the cyber policy or the, or through a crime policy. I mean, what are you seeing from coverage offerings? And is there anything else that the customer really needs of this area?

Scott Burns (4m 48s):
It’s really interesting because we’re starting to see some of the companies who offer a cyber try and make changes. It pushes in terms of, and specifically in terms of, of ransomware offering you some limited ransomware, when it, or putting a, a, a co-insurance clause. I’ve seen a couple of companies come out of the co-insurance on of ransomware. And it is because these companies, are seeing the claims hire a lawyer, and you know, where we’ve gotten to a point where clients see that value in the coverage our insureds see the value in the coverage it is now can the carriers’ find a way to outrun these losses or, or a price accordingly, or limits certain areas where they are getting popped a ton.

Scott Burns (5m 33s):
the nice part. Is it obtaining the covered is still a relatively easy and the costs of still fairly inexpensive relativity, you know, some of these minimum premiums for a million dollars of coverage with a very broad policy language that include all the bells and whistles is the sort of just described. It can still be as inexpensive as to say a thousand dollars or, or even less, but I don’t see that, that staying, I see that changing ’cause the claims are becoming so frequent and the expenses of these things that is, as you pointed, you know, it, it’s not 500 bucks anymore. It they’re a big numbers. So it will be interesting to see how a lot of these companies continue to maneuver within The Changing Landscape by that, I mean, new claims and new types of claims coming new competitors trying to be aggressive with pricing and coverage and established companies trying to find a way to not only maintain the business.

Scott Burns (6m 30s):
They have to be competitive put out in the competitive, the policy forms, and still be relevant players in the marketplace

Charlie Venus (6m 36s):
Now, I know there’s, you know, one of the national carriers out there, their writes, a lot of cyber liability, they recently instituted a requirement for multifactor authentication. And I’ve even seen that there is some supplemental apps now for ransomware coverage. Is that becoming the norm now in the market place? Or is that, or are they kind of leading the pack there?

Scott Burns (7m 1s):
I don’t want to say its becoming the norm and I, I could see this becoming the norm. I could see that a multi-factor authentication is going to be a must have, or you know, maybe not this time than a year and now for now or in the year and a half of two years now, where, if you don’t have that, you’re not going to get all the bells and whistles uhm from the companies’. So, I mean, it was great observation because we could still get terms or any indication price point is with limited information, is the insurance or a website they’re operations and the revenue that’s changing and we’re in some of the markets are really pushing to get that information to a multi-factor authentication in some of these ransomware, supplemental is we’re seeing that.

Scott Burns (7m 43s):
And I think they are trying to drive behavior and change that within the industry. It remains to be seen how successful in that.

Charlie Venus (7m 51s):
Are you seeing anything from a partnership standpoint between the carriers and companies that can do the test, the firewalls test that network for security, or are those partnerships growing or is that just kind of stagnant right now?

Scott Burns (8m 7s):
One of the Really great features when you spend money for a cyber policy are, are all of those partnerships and services that the cyber companies are including a lot of that is because the cyber insurance companies they understand that this is in everybody’s interest to, to try and prevent these things from happening. So getting risk management team’s in place or getting an immediate response teams in the event of an incident only serves everybody in the, in involved better, right? So having an insured, who’s willing to pick up the phone to say, Hey, I think I might have a problem.

Scott Burns (8m 46s):
Having an insurance company who has got partners who are crisis management team or a immediate response teams that can really help make a difference in limiting the loss if it’s approached early on. So yes, it’s one of the areas that I think that cyber insurance companies have done a really great job is finding a real experts in dealing with problems and not only dealing with problems, but putting experts out to help insurance or mitigate, manage that risk before a problem.

Charlie Venus (9m 17s):
So people are buying the coverage, you have more people are buying the coverage. But one of the things that I see as it is it just the concern from my standpoint, or it could be off on this, but that people buy the coverage, but there’s never really any discussion before a claim happens as to, Hey, this is your cyber policy. This is, you know, the risk management, a, you know, this is who you call, if there was a claim they’re going to jump in quickly to try to mitigate the loss. I don’t know that a lot of that happens pre-claim on the cyber side in that, not as much as I think happens on workers’ compensation or general liability auto and are, the companies doing anything to try to push that.

Scott Burns (10m 2s):
You know, it’s really funny because when some of these carrier partners of ours came out and said, Hey, we really want to get, this is a really great feature. You know, some of these added benefits to the insureds when they came out and sold us on this and said, Hey, make sure your, your using this, because what we wanted to do is get those insurance to buy in to this process. I would ask the company, is that well, how often do these insurance take you up on that? And a couple years ago that the response was a very little today. You use the benefit’s outside of paying a claim or dealing with in the event of a claim, or really not. I asked that question regularly of the carriers. And the response now has changed quite a bit from where it was a couple of years ago.

Scott Burns (10m 45s):
More and more insureds are taking advantage of these benefits. This is a service that’s included with these policies and they should take advantage of it. And we are seeing more and more insureds do that. So, you know, thrilled about that. Ultimately these claims are just becoming so prevalent that something needs to be done.

Charlie Venus (11m 1s):
This goes back a couple of years ago. And so I know it’s more prevalent today, but the, the frequency of cyber claims were more frequent than property claims. When you put that in a perspective, you know, educating people on cyber and making sure that they have a risk management process or utilize in the risk management resources that the carrier is asking or providing to them is important, but as well as getting, this is how you report and deal with the claim, getting that information as well.

Scott Burns (11m 33s):
You’re absolutely right. We had a claim come in yesterday. We’ll still obviously process a claim on the same way for any other line, with the claims scenario yesterday the agent called me, and said, Hey, my insured has a problem, were not sure what to do. And I said, glad you called so I’m glad we’re going to get the, a team of experts involve so that they can a piece through exactly what’s going on. And we can try and prevent this claim from sort of exploding. So, you know, immediately this was pushed into the carrier. And as we’re already in that process of trying to get the experts involved, they’ve already reached out to the insured and the process of determining what happened and how, how best to resolve it is already underway.

Scott Burns (12m 13s):
A breach notice. I came in yesterday at 4:30 or less than a sort of a four or five hours on the clock. Nice part is all of these policies have sort of breach response teams that work 24/7, but it’s a really important to notify companies when there is a problem in notify them.

Charlie Venus (12m 33s):
Now is the most common entry point for all of these hacks, is it is still phishing, or is it coming through the network or just a combination of it, both

Scott Burns (12m 42s):
We Are seeing in a combination of both. I mean, it’s still the, the big driver of claims for us is human error an employee clicking on a link to, or shouldn’t or wiring money, or where they shouldn’t, or are not picking up on the phone calls to verify something is still very much the drivers of these claims is human error, people, right? It’s not, somebody’s actually busting down the, tech doors to wire transferred money out of, in account it’s that you or I getting duped into sending money to the wrong place, or we’re clicking in a bad link or what we’re doing a number of different things that provide an access for

Charlie Venus (13m 18s):
Are any of the carrier’s providing any guidelines on the administrative controls that companies need to have in place, because this, most of these claims do. And like you say, come from human error and it’s really the administrative controls that people put in place or are gonna be the means to control them.

Scott Burns (13m 35s):
We’re seeing more and more questions asked about that. And what I mean by that is the underwriting process. Are there more controls in place? What is this look like? Some of the carriers do a very good job of saying, of identifying potential issues and reaching out to insureds is saying, Hey, this is something that you should have you or your tech team should look into. In addition to just regular cyber risk training, you know, in my organization goes through this two or three times a quarter where we see this training type situation in an attempt to prevent people from clicking, where they shouldn’t or sending money, where they shouldn’t or any other way that a cyber criminal can kinda get in a maintenance and communicating with employees it’s critical right now,

Charlie Venus (14m 22s):
How is coverage changing overall to keep up with the, with all of the threats that are going on and the increase in cyber,

Scott Burns (14m 31s):
I don’t envy the role of the insurance agent because it’s very, very difficult to keep up with all the changes in the cyber marketplace. You know, I look at these things all day and we’re getting notifications from carriers. I wouldn’t say in a weekly basis, but on, but regularly, where are some coverage form is changing or some coverage is being added or restricted. So it’s constant moving target and the big case, or I’ll always make my insurance companies as your coverage is skiing. And you know what, as long as you can continue to put out competitive products that address the needs that our insureds are dealing with it face it, like then we will continue to approach to it because there’s too many, there’s so much variance from one company to the next.

Scott Burns (15m 17s):
Now you have the core components have a cyber policy, but not, I don’t want to call in the bells and whistles, but it’s the, the newer bells and whistles that really differentiate a insurance company, his from one carrier to another.

Charlie Venus (15m 30s):
So do you have any examples of those newer bells and whistles?

Scott Burns (15m 34s):
So a lot of bricking as a new coverage that has been, I don’t know, I call it new, but it’s something that is becoming more and more regular with all, with many of the insurance companies all have the business interruption covers weren’t they’re, you know, with every company three or four years ago, a lot of the crime language and a lot of groups that sort of adopted social engineering into that form, but how they address it in terms of the nuts and bolts of the policy and the policy language, or varies from one company to another, am I gonna ask my insurance or, or my insurance agent’s to read for or five different cyber policies to figure out what that nuts and bolts of each one.

Scott Burns (16m 14s):
I, I don’t know that the best use of the times that’s a big time commitment, but it is meaningful to lean on somebody who does spent a lot of time. You spend a lot of time in this, but they’re obviously the professional lines are people who focus a lot in cyber, lean on them and ask them to questions in push your wholesaler’s or your underwriters too, give you feedback. On where they think coverage i going and what policy addresses is each specific insurance needs to really, really critical.

Charlie Venus (16m 42s):
If you were Advising a retail agent on how to assess the coverage needs of their clients. What would you say, or what resources would you recommend to them?

Scott Burns (16m 52s):
The first thing that I would recommend to them is to offer cyber insurance. I still deal with too many agencies who are uncomfortable with selling the product and because are uncomfortable. They don’t offer it for me offering the product and offering options to insureds is obviously is self-serving, but it also meaningful because these insurance have this exposure. If the commercial risk has this exposure. So taking the time to get the option or two options, there many options, it’s still a very easy to do it. The harder part is a making sure that each risk is a nice fit before the appropriate market.

Scott Burns (17m 34s):
That’s the challenge that comes with experience. So again, lean on your underwriters, lean on your wholesale partners or your brokers, because how it is difficult to maintain what each cyber market is doing at anyone time, unless you are doing it everyday.

Charlie Venus (17m 47s):
So, in to Your comment that, you know, there are a lot of retail agents that don’t feel comfortable with cyber, you have a product that you can access on through XS Brokers were what is it, a five pieces of information typically, and you can provide cyber quote. It may be multiple cyber quotes.

Scott Burns (18m 6s):
Charlie we partnered up with a, a number of groups who are able to, obviously we’d love to work with all of the Iroquois members, but what you do is we try and make the process of obtaining cyber terms from multiple carriers, as easy as possible. But the process can be as simple as putting a name of the insured in identifying their state in a lot of the time that the platform that we partnered with, will, pull all the information and we’ll pull the insurance or address it will pull their areas of operation. It will pull their websites at that point that the agents really only have to input for the revenue. And from there we approach eight or nine insurance companies very, very quickly. I would hate for the insured the agent to say, Hey, Scott, you just sent me nine quotes.

Scott Burns (18m 49s):
I don’t have the time to read on is fair enough. I do a lot of coverage comparisons. You know, I happy to give a recommendation on what I think would be a fit for each specific insured because, you know, we do a lot of this. So yeah, it’s something that we really try and make easy for the agency-base to get terms. And then as partners. So we provide guidance on which option we think is the best

Charlie Venus (19m 12s):
What’s the easiest place for them to get to that. Or is it just to simply call her email you or to go to your website?

Scott Burns (19m 18s):
So it’s either one, I’m a big phone call guy, and I know some people are not, so it email is fine and we can provide the access to that platform that we just described, that you can go in to To that and pull up are cyber platform there. We really try to make the process of obtaining quotes and obtaining a proposal that you can present to your insured’s like super easy, super streamlined. And then I, well, I, I would absolutely welcome. Hey, Scott, what options do you like here? What option do you think is the best fit for this insured? And a phone call for me is great because, you know, then it gives me an opportunity to sit down and get to know, our, Iroquois corporate partner agency partners or a little better I’m and we can walk through a risk over the course of four or five minutes and say, Hey, here’s what I like.

Scott Burns (20m 6s):
And here’s why I like it. And sure, this is cover is great for this risk, but I like this one a little bit better, because I know that are willing to extend coverage for funds held in escrow or, or, or, or whatever. A little nuance is really important for each insurance.

Charlie Venus (20m 24s):
What I like about it as it’s a fast solution. And going back to your point, every commercial account has this exposure. And if the retail agent is an offering the cyber coverage, then they’re creating an E&O exposure for themselves. And essentially they’re providing the cyber coverage for there E and O policy

Scott Burns (20m 43s):
Is so I’ll give you a little anecdote, but a partner with the retail partner down, in Texas. And he and I spent a lot of time trying to get in to use it as long-time partner of mine. I sent to him, Hey, you know, do me a favor and have your team takes 30 seconds to put it in the name of the insured, select the state, identify the risk and put it in there, the revenue and say, lets try this over and experiment. I’m not worried about hit rate. Cause you know, a platform is doing this and lets walk through to see how many hits we can get over the course of the next three months. And he said to me, that’s wonderful and lets try it. I love the idea. I know. My team is not comfortable with selling it, but lets we’ll tuck these proposals in behind the, the other line that we’re presenting.

Scott Burns (21m 24s):
We’ll talk to him about it on every risk they’ve run all over the course of three month’s they’ve run a, maybe a hit rate of five or 10%, right? If we hit five out of a, a a hundred, I’d be thrilled, right? Charlie they quoted over 300 risks. We’ve found over 35% of them over the course of three months. So the producer’s and the agency, principle’s thrilled. We’re thrilled it because obviously, you know, it’s another hook into our agency base and its services that we extend to them, but I’ve been blown away the hit rate on this. So it’s a, it’s not a lot of work and we’re binding a much larger number. Then I thought.

Charlie Venus (22m 2s):
It’s not only a really a great story, but its great that those clients are getting a cyber coverage so that they needed.

Scott Burns (22m 9s):

Charlie Venus (22m 9s):
But Scott really, I really appreciate you being with us today, but a lot of great information,

Scott Burns (22m 13s):
It was super. And thanks for having me with a partnership the partnership that we have with Iroquois is second to none. I love working with all of the agency base, thank you again for your partnership and Charlie, thank you for the time delighted to be here.

Edwin K. Morris (22m 29s):
Thanks for listening to this edition of Charlie’s corner brought to you by Iroquois Group. I am Edwin K Morris and I invite you to join us or the next edition of the Trusted Advisor Podcasts.