
Intro  0:00  

Welcome to the She Said Privacy/He Said Security. Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified information privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36  

Hello, I am Justin Daniels. I’m a shareholder and corporate M&A tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels  0:57  

And this episode is brought to you by, oh my god, that was so love. Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. So, you always tease me that I like to match my earrings to my outfit, and I figured out that my earrings would match your shirt really nicely. You could go for a whole new look.

Justin Daniels  1:42  

Would you like me to take off my shirt, give it to you? So you live on the broadcast now.

 

Jodi Daniels  1:46  

Now that was really not what I was thinking.

 

Justin Daniels  1:48  

Okay, well, there you have it.

 

Jodi Daniels  1:50  

Okay, let’s bring it back to today’s episode.

 

Justin Daniels  1:52  

Why? I think people thought that was very, very strange, but nonetheless,

 

Jodi Daniels  1:56  

We’re gonna come back and talk about something security-ish, okay.

 

Justin Daniels  2:00  

So today we have an interesting guest, because a lot of people ask us a lot of questions about cyber insurance, particularly about how much is enough. So when I went to speak at the Secret Service event in Atlanta, there was a panel before me with Ralph Pasquariello, who I’ve known for years. So I said, “Hey, Ralph, why don’t you come on the podcast? Let’s talk a little cyber insurance.” He said, “Sure.” So today we have Ralph. Ralph Pasquariello, who is the senior partner at The Tech Collective. He works with the FBI, GBI and the US Secret Service on the Atlanta Cyber Fraud Task Force. He is also a former executive committee chairman for the Tech 400 Cyber Symposium, advisor to the Georgia Tech Research Institute. He has served and shared on various boards and a number of organizations. Hello, Ralph.

Ralph Pasquariello  2:51  

Hello, Justin. Hello, Jodi.

Jodi Daniels  2:53  

Hi and hello. If anyone heard him, he really wanted to be part of our conversation. So Ralph, we always like to start these episodes by trying to understand people’s career journey. So can you walk us through yours?

 

Ralph Pasquariello  3:09  

I can give you the real long story, but I’ll give you the short story. So we moved down here almost 30 years ago from New England, and you’ll tell by my Boston accent that comes out once in a while. And I was a global traveler. I traveled the globe for about 15 years with a company, Heidelberg, out of Germany, and about 15 years ago I left that due to some reconstruction with the company. But it was all good. It was just great. I loved being with them. And I started in the property and casualty world. I found it was very boring. And within six months, writing so much insurance, I fell on to data breach insurance, which was great. And I hooked up with some people that were really, really smart in doing a lot of the attestation type stuff for SOC 2, SOC 3 insurances. And you know how that all blends together? And the nice thing was that I landed on data breach insurance, and I found it fascinating, and it kind of convened with Arizona missions for technology and things like that. And as that evolved, I just got deeper and deeper into it. And as you know, the data breach insurance just kind of morphed. And the natural evolution, we came into cyber insurance, and it’s been 15 years doing that, and like you, I’ve just seen so many changes, and it’s just grown and grown and exploded and gone up and down. And I’ve seen a lot of insurance carriers come into the market, leave the market. It’s just been, it’s been a wild ride, and it continues. So that’s kind of what I’ve done in the last few. Game years and last 30 years. So it’s been amazing. And I like it because it’s unlike general liability and liability policies and all that stuff. It’s so stagnant and flat, and the cyber just juices me. It’s great. I love it. It’s never ending. There’s never a dull day in cyber world, as you know.

Jodi Daniels  5:22  

That’s very true. It is. It is very juicy. Lots happening in this space. And I am also a New England transplant, actually, but from the Connecticut area, yep.

 

Justin Daniels  5:34  

So why don’t we start off this way and level set for the audience. Ralph, can you explain to the audience, you know what really is the role of cyber insurance for companies?

 

Ralph Pasquariello  5:46  

The role for the insurance versus insurance brokers, and we can get into that too. But you know, my mission was always, when I entered insurance, to keep people in business, right, to keep businesses alive when anything happens to them, whatever that catastrophe is. And growing with cyber insurance, I’ve just noticed so many mistakes along the line, but the mission or the purpose for cyber insurance is to pay for all of the damages that clients and customers incur when the event happens, you know, and there are so many different categories, you know. There is the forensics, the notification cost. There’s remediation costs, the replacement cost, I mean, go on and on and on, the third-party damages, the business interruption. So the insurance is to pay for those damages and keep people afloat, and that’s what it does, hopefully.

Justin Daniels  6:52  

So, I guess one follow-up I wanted to ask you, Ralph, because this is many times where you and I might intersect, is, what are your views, sometimes, on the kind of limitations of liability that people put into their contracts when it comes to data breaches? Because you could have a data breach that is beyond your insurance coverage, but it could be limited contractually by what limitations of liability. So I’d love to get your experiences or whatnot when somebody calls, and the interplay of contractual liability and then insurance coverage, or what it may or may not cover, right?

Ralph Pasquariello  7:25  

So what? That’s a good question, the limits. You know, the limits are always very, very important. We’re going to get into that. We’ll speak to that a little bit. But what I find is a lot of times, the majority of times, 80% now is what they’re recording, is that people are underinsured by 80%, or 80% of the people are underinsured when it comes to cyber insurance, and some of them by two to 3,000%. It’s astounding. The requirements that carriers and underwriters require to get insurance have elevated over the years. I mean, years ago, you know, you want a cyber insurance policy, you fill out the five-page application. Next thing you know, you have a policy. Thankfully, over the years, the underwriters have said, Look, we need to step this up. You need better security. You know, years ago, you got discounts on your premium if you had those security postures in place, which was great. But now they say, Look, you have to have MFA. If you’re not, if you’re writing insurance with an area that doesn’t require that, you’re in the wrong business. So most of the 10 majors all require MFA, some endpoint protection, maybe some privileged access management. You know, there are different levels of that security depending on how much insurance you want. You want a million-dollar policy, that’s fine. If you want $30 million, the hoops are going to be a lot higher to jump through, security-wise, in order to secure that insurance. The mistakes that I have seen, and I haven’t seen a lot of claims that have been denied, but the mistakes that are made are people say, Yes, we have this in place for security, but they don’t implement that security. They have a breach, and forensics comes in and finds out that, hey, you know, you said you had XYZ in place for the security, but you didn’t plug it in. It’s not implemented. So they deny that portion of the claim, or the entire claim, depending.
The other thing I have seen too is that things like social engineering claims, or fraudulent transfer claims and things like that, people think their cyber insurance policy covers that, and it doesn’t. You have to cross the bridge to a commercial crime policy. So that’s very, very important. If I see clients that don’t have a commercial, a substantial commercial crime policy, I would say, Look, you need both, and obviously, well, not obvious to them, but have those with the same carriers. So if you have your cyber insurance policy with one carrier and a crime policy with another carrier, that’s not a good idea, because there are fine-line risks and breaches and things that are just like, is it this or is it that? But if you have both those policies, then you’re usually covered.

Jodi Daniels  10:32  

Ralph, the statistics that you shared about the underinsured are very enlightening and scary. Why do companies struggle so much to figure out what is the right amount of insurance to get?

 

Ralph Pasquariello  10:46  

Yeah, good question, Jodi. So it’s been my experience for years and years and years, you know, you meet with the CFO. You know, Justin calls me, says, Hey, you got to meet with the ABC Company. I go in there, and the CFO says, Hey, well, we’re in compliance. And I’m like, Well, what does that mean? You know, they’re basing their insurance on a third-party contract, on a vendor or a client. You know, we have these contracts that say, if you want to do business with me, here’s what you need for insurance. So the CFOs are basically checking the box. You know, I had a big client here in Atlanta. They do business with Nike, and Nike said, Hey, we want you to have 5 million. Well, I came in to write all their insurance. Previously they had a million-dollar policy. They were kind of pushing back because, you know, other companies wanted them to have 5 million, and when I got through with them, they had 15 million, because I did a whiteboard for them. I said, Look, business interruption, we listed all of the 17 things that will, you know, push that limit up. And when we were done, the actual breach at an 85% level was somewhere around 55 million. That’s what they would be responsible for. So when we got through, I said, Look, what if I’m half wrong? We’re into the 20 million. And we finally settled on 15 million. That’s what they could afford. That’s what they wanted. But basing your insurance limits on being compliant for a contract is ludicrous. I mean, it’s like, why would you do that? You know, you have to realize what is at risk, what’s my financial risk? You know, people do quantifications, you know, see our cues for finding out what their risk is. But they don’t step over the fence and say, Now, what does that do for our insurance, or what is our insurance limit?
You know, a lot of the security people are based, you know, they think they use different programs, or, you know, different solutions to figure out what their risk is on the security end, but not on the insurance end. And it doesn’t make any sense.

Justin Daniels  12:57  

So, Ralph, you bring up a really interesting point there with that story, which is usually where I get intermixed with you, is how you negotiate that contract, in your example with Nike, and what your limitations of liability are, what the carve-out for a breach might be, become incredibly important, because that’s another way to limit how they might go after your insurance. But what I find is, do you have a clause in your agreement that says, hey, if there’s a breach of confidentiality, you’re liable? I tell people, insert the words data breach, and it’s the same thing. And you have to realize that almost every data breach is a breach of confidentiality, and if you don’t cap that liability or address it, to your point, you may run through your insurance very, very quickly.

Ralph Pasquariello  13:43  

Real quick, real quick. And the other thing too, which is in the news today, you know, we know what’s going on. I won’t mention any names, but the business interruption is one thing, but contingent business interruption is another thing, right? So if my providers or my network goes out and it forces me to shut down, I need to look at my insurance policy and make sure that I don’t have sub-limits under dependent or contingent business interruption. That’s really, really important, because I’ve seen so many policies, they may have 10 million or 15 million for business interruption, but then on a line item, contingent business interruption may have a supplement for $5 million, so that’s critical.

Jodi Daniels  14:35  

So Ralph, in your story of the company that is looking at what the client is asking, and in your analysis you identified much more, what might be the big topic areas that a company should think about to help them go above just what they have to, what they think based on their customers? And, you know, trying to pull from a bit of your analysis, what are going to be those areas that they should think about when they identify their coverage amount?

Ralph Pasquariello  15:04  

It depends — it just depends on the industry they’re in, right? If they’re in the healthcare industry, well, hey, you know you have PHI, you have all the notification costs, because you have data that is going to drive that claim. You know, if you have, you know, 50 million people and their information on your system, and that gets out on your network, then those notification costs are going to be huge. HIPAA fines will be huge. You know, if you’re in a manufacturing sector, you may have SCADA systems that are running out. If, God forbid, you get a brick that comes in and ruins all of your devices, your restoration cost and your repair costs are going to be through the roof. You know, it could be millions just to replace all of the systems that drive that. Business interruption is probably the most underestimated claim, and people just don’t think of that, with downtime being 25 to 30 days average right now. If your company’s doing $800 million a year in manufacturing, and you’re down for 30 days, it’s huge. I mean, it just really, really, it kicks you, and the CFOs just don’t think of that. We do. We do a system. Our new program is a care program where we do an analysis and risk assessment, and it benchmarks your company against your peers in your industry, with the exact size company that you have. And say, Hey, you have $5 million, but all of your peers have a $25 million limit with an 85th percentile risk. What do you want to do? Do you want to keep it at $5 million? Or do you want to raise it? So that’s what we’re doing now. That’s what my company does now, we assess.

Justin Daniels  16:59  

Thank you. So kind of building on that a little bit, Ralph, as we talked about, you know, companies struggle to figure out how much insurance to get. Can you walk us through a little bit more on how you help them solve this problem of how much do I really need to have? Not what the contract says, but really looking at the risk, the kind of data I have, the network, the industry I’m in. Can you walk us through that in a little more detail?

 

Ralph Pasquariello  17:22  

Yeah, we take all of those, you know, we, first of all, we start with the applications that we’ve filled out. We make sure those applications are right. Years ago, like I said, the cyber application, you fill that out. Now we’re at 15 pages for a cyber application. You take into consideration they now have to fill out a ransomware application. They have to fill out an MFA application, and, like I mentioned before, a commercial crime application. So now we have 50 pages of applications that a CFO needs to fill out. He can’t do it himself. He has to have the help of his IT team to see. So whoever is going to help them fill those out, we then look at those, and we analyze the applications, also the policies they now have, and also contracts that they have, to find out where they got to. How did you get to where you’re at? That’s what I want to know. You know, when it comes to insuring a building, we have a statement of values for the property, for property insurance, and we know your building’s worth $200 million, so that’s what we insure it for. There’s no guesswork. However, in the cyber world, there’s a lot of guesswork. Like I said, the average broker will go in and say to the CFO, how much do you want? How much insurance do you want for cyber? They don’t know. They rate it to be in compliance. We need this because we need to be in compliance with that. So we take our system, we use three national companies, and we have 200 million companies on a database. We have all the analytics, and we do outside testing as far as security, and then we posture that again with their peers. So we get a peer report. It’s an industry-wide peer report that we get that says here’s where you should be, and that’s from experience on claims, potential claims, loss runs, all the things that we take into consideration. It’s about a 50-page report, but it shows that CFO, here’s where you should be. We don’t dictate that, you know. We leave that up to their broker. We work with their broker.
We work with their lawyers, CPAs, their tech team, but we’re just analysts. We come in and we say, Here’s where you should be from our experience and from all the information that we have out there on your company.

Jodi Daniels  19:50  

So Ralph, now that I hopefully have the right amount of insurance, I’m hoping that if I have to have a claim, it’s going to be upheld. But sometimes claims are denied. What are the trends that you’re seeing for denying claims?

 

Ralph Pasquariello  20:05  

I haven’t seen a lot of them, Jodi, and again, usually the denial of a claim is because of incompetence on security, you know? And again, you said you had XYZ in place and you didn’t. And therefore those are the claims that I have seen that have been denied. Because when the forensics come in, and they do their analysis, it was fraudulent, what, you know, whatever the trigger was, that’s what they’re going to analyze. But if you don’t have, if you don’t have the processes or procedures of security in place that you said you had on that application, that’s why that application is so important, and that’s why now it’s 15 pages long and you have to get your IT involved. So, you know, people, it’s like car insurance. You know, people go out and they buy car insurance, they pay it, and then they don’t pay it. And that’s why there’s so many uninsured vehicles running around, because people pay to get the certificate, and then they don’t pay. So it’s very, very similar to that. You know, companies go through restructuring, maybe someone forgets to renew their whatever that security posture is, but I think that’s why it’s so important, that, especially with cyber insurance, people, they renew their insurance once a year. You know, January comes around and they just renew it. They renew it. With cyber, you cannot do that. You need to take a deep dive, find out, what do the threats look like? Does our old policy still protect us against? Take the advice of someone that knows, besides that you need this, this, this, because the threat, the threats change, like, you know, the threats change all the time, so we have to be really cognizant of that. I like to meet with my people. I used to, quarterly, to say, hey, what do we have? What do we need? Do we need to adjust it? How is our data? Our database has grown, or maybe our clientele has grown. Maybe we’re taking on new clients. And you know, you can increase those limits at any time.
It doesn’t have to be on your renewal or the renewal policy. I just have one locally. We had a really good call with them. They had 15 million on their policy, and I had the broker on the phone, had the client on the phone, his IT team were all on the call. We’re on a Teams call. And he asked, “Can I do that now?” And the broker said, “Well, you really need to wait.” And I said, “No, you don’t need to wait. You can do that right now. You can increase your policy by $5 million tomorrow.” And he was under the impression that it would be X amount of dollars. It’s not incremental. If you have a base of $10 million, you want to increase it by $5 million, it’s only like adding an umbrella to a policy. So the initial cost for that, your main insurance, the initial cost is high. But to add on to that incrementally, in layers, it’s not that much money. And now the cyber rates are all flat. Everything is pretty much flat right now, we haven’t had any increases this year, so it’s a good time to buy.

Jodi Daniels  23:26  

That doesn’t happen very often when you’re here.

 

Ralph Pasquariello  23:30  

No, well, we had increases of 20%, you know, 20% in 2021 and 2020. We had increases of 20% on cyber insurance, and a lot of that was because of the ransom attacks. People now, the ransom payments are going down, um, due to some good security. But there’s also other trends on cyber crime that are going up. So we see both.

Justin Daniels  23:58  

Pretty soon, the next policy will have the deep fake laws.

 

Ralph Pasquariello  24:05  

You’ve been reading? Yeah?

 

Justin Daniels  24:07  

Well, you know what? I showed up and I played for him at the Secret Service event. Anyway, yeah. So Ralph, in all of your years of experience with handling all these different kinds of claims, from your personal perspective, do you have a good security tip you’d like to share with our audience?

Ralph Pasquariello  24:22  

Yeah, like I tell my wife, don’t click on anything. Don’t open anything, hun. You know, it’s, I would say, multi-factor on everything you log into, all of your accounts. Just be really leery of anything. And you know, the thing is, uh, passwords, you know, password protection. Don’t put, you know, as you know. And I know your passwords need to be locked. You know, I’ve been to FBI events that have said, you know, 15 characters in the password. And make it a password phrase, not a word. You know, they have a lot of the programs now that can detect your password in a matter of seconds. I mean, it scrolls through 25 million different passwords per second. So it’s, it’s, it’s unbelievable. Like I said, you know, just be, just be aware. I mean, even if you sent me something today, Justin, and it was photos or some documents, and I wasn’t expecting that, I wouldn’t reply back to you in an email and say, Hey, Justin, did you just send me this? I would call you. I would call you on the phone number that I know I have for you, not on the one on the email, because business email compromise. You know, they come in, they take over your system, and they can do anything. The invoice manipulations that are going on and all the claims we’ve seen have been horrendous. And how do you blame somebody? When I replied to you in an email, Hey, I noticed your invoice, that you changed your routing instructions on your bank, and you replied back to me, Oh, yes, Ralph, we did that. We decided we were going to change banks. No big deal. Okay, I hit send. There goes the money. So my two-factor is calling someone on the phone and making sure, or if you have a password, right, a secret password is something that, like with my children, I have: if anything is ever wrong, God forbid, they know what the password is. So it’s imperative that we check and recheck and validate things. So that’s, I guess that’s my two cents.

Jodi Daniels  26:41  

When you are not advising on cyber insurance and keeping up with the latest trends, what do you like to do for fun?

Ralph Pasquariello  26:49  

For fun? I love being with my family, my grandkids when they visit. You know, I love family, being with them all the time. I love to cook. I’m a good cook. My wife’s never cooked. She cleans. She won’t let me clean either. I coach. I’ve coached high school football for many years, and I stopped that a couple of years ago, and now I’m an official. So I’m a certified football official for high school and college, and I’m usually busy every week. Next week is my first game, so next Friday, and that carries me all the way through until just about Christmas. And I like being on the field with the kids, like giving back to the community. I played football, and I just, I love, I love the sport. I love all sports, and I just like working with the kids and being a good role model for them, I guess, and it’s important to pass that along. And occasionally, if I have time, I may go, I’ll go golfing. I’m not that great, but I enjoy it. I like being out there. And I’ll sit out in the golf cart and enjoy the weather and smoke a cigar while I’m golfing. So that’s usually what I do.

Jodi Daniels  28:04  

It’s hard to believe that the summer in Atlanta is almost over and now we’re going back to school. I’m gonna leave you that right there for anyone listening. We are crazy in Atlanta and we go back to school in August. No. Ralph, thank you so much for joining. If people would like to learn more and connect with you, where can they go?

 

Ralph Pasquariello  28:24  

They could email me, which would be great. It’s ralph.p@thetechcollective.net, wonderful, or find me on LinkedIn. That’s, that’s where I get a lot of action, inbound action, and it’s furious, fast and furious. I can’t believe it, so, but I enjoy what I’m doing. I’m kind of glad I’m not writing insurance anymore, because I really, really enjoy what I’m doing, because I can help both worlds, the security world, the security teams, and also the insurance brokers that need this.

Jodi Daniels  29:03  

Ralph, thank you so much for sharing all that you did with us today. We really appreciate it.

 

Ralph Pasquariello  29:09  

Thank you both. You’re a great couple.

 

Outro  29:15  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.