A Handy Guide to Cyber Insurance Coverage

Host (00:01):

Welcome to the, She said Privacy. He said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century. 

Host (00:21):

Hi, Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified information, privacy professional, and I help provide practical privacy support to overwhelmed companies.

Host (00:37):

Hi, Justin Daniels here, otherwise known as Jodi Daniel’s husband. I am passionate about helping companies solve complex cyber and privacy challenges during the life cycle of their business. I do that through helping them identify the problem and coming up with creative practical solutions. I am a subject matter expert in cybersecurity and business attorney.

Host (01:06):

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce media agencies, professional services, and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers to learn more, visit redcloveradvisors.com. So Justin, who do we have with us today?

Host (01:45):

Well, today I’m particularly excited because we’re going to make the topic of cyber security, insurance fun. And I almost feel like in light of what’s going on, it’s almost like the ransomware grinch is stealing Christmas as we speak with all that’s going on. So today we have with us Kelly Geary, the national practice leader for executive risk and cybersecurity for EPIC Insurance Brokers and Consultants. Welcome Kelly.

Kelly (02:16):

Thank you, Justin and Jodi.

Host (02:16)
Hi Kelly. It’s so good to have you here. And this is really such an important topic. I have people all the time saying, Oh, well, I have cyber insurance. I’m good. I’ve checked the box. I’m, I’m all set. I, I did that thing that someone said I should do, and then they never think about it again. So this is going to be a fun, fun conversation. But before we dive in to that, help us understand how did you come to the world of cyber insurance? 

Kelly (2:51)
Oh, that is a great, great question. Thank you. So I’ve been involved in cyber insurance, probably since about 2005. Cyber insurance, the first cyber insurance

Kelly (03:00):

Policy was written by AIG in 1998, but cyber insurance, as we know, it really started to sort of become a thing back in sort of like the mid 2,000’s And I was on the carrier side at the time heading up a claims department for professional and specialty lines. And we were, I was charged with basically figuring it out and, you know, trying to start to draft a product back then. So it was that’s, that’s how long it, and it’s evolved quite a bit since then

Host (03:34):

I have to imagine the people in 2005 would probably look at someone and say, cyber insurance, what, what, what is that sort of the deer in headlights kind of look,

Kelly (03:46):

That is correct. That is correct. Back then. I think really most, most of the purchasers of cyber insurance were very, very large companies, mostly tech companies. And you know, so it really hasn’t hit mainstream America really until very recently because cyber crime has really run rampant in the last say five to 10 years, 

Host (04:12):

Absolutely.

Host (04:15):

So Kelly, I thought you and I would dive in cause you and I have had many conversations on a variety of topics, but let’s start with, why do companies overwhelmingly have such a hard time getting the right types of coverages when it comes to cyber?

Kelly (04:30):

That is the question of the day, right? I mean, cyber is a very dynamic risk. And I think that that is part of the challenge for everyone, really the insurance industry, as well as purchasers of insurance the cyber cyber risk itself has changed and continues to change very, very rapidly. And the insurance market has tried to keep pace with that. And as a result, the policies themselves are, are very, very long. They’re very complicated and it’s, it’s really still considered a pretty immature product. You know, it’s not like a property policy or an, an error’s and omission’s policy. Something that companies are really very used to and accustomed to and have had in their insurance portfolios for very, you know, for many, many years and understand how it works. Cyber insurance policies you know, probably are updated every 18 to 24 months. So the coverages are different. They, no two policies are exactly alike. Terminology is different. Scope of coverage is different, claim handling services and pre-brief services. All of that is completely different. You know, like I said, you could pick up five different policies and it could be all different.

Host (05:47):

So I’m curious as a business owner, I would ask, well, which one do I need and how do I sort through them all? So one is kind of, you know, what advice do you have for people and what, what should I be looking for? Or, you know, someone from any company, what should they be looking for? And then why, why is it so different? Why if you pick up many different policies, are there multiple different versions?

Kelly (06:13):

And I think the answer to the, to that question really is that the market is still relatively immature. Number one. So you don’t have standardization yet. And I don’t know for sure whether or not we’ll ever get to that point of standardization. You know, and an example of that is, you know, what I consider to be the heart and soul of any cyber insurance policy is the definition of computer network or computer system, because that’s really where all of the coverage flows from. Some policies will define that term as some, in some policies will be computer system and some policies that’ll just be network and some policies they don’t define the term. You know, it really is, is pretty much all over the map. And so that, that is a real challenge for business owners. You know, in terms of how, you know, you’re getting the right coverage and what coverage is right for you. You know, that is something that you really is a very sort of customized, in my opinion, a customized kind of of an approach, I guess, for business owners. You know, what we do with our clients is really look at, at the size of the client the nature of the business, and then try to look at the market from the standpoint of what is right for you and what really is important for you from a protection standpoint. 

Host (07:39):

So Kelly, I wanted to kind of dive into a little more detail of a comment you made about how the policies evolve. And let’s talk a little bit about ransomware and the recent OFAC advisory about potential criminal prosecution. If you pay the ransom to somebody who’s on this exclusion list and the office of foreign asset control and what that might mean for how ransomware coverage may start working as early as next year.

Kelly (08:09):

So, so OFAC, I mean, the, the, this is not a surprising move by the us government to start to try to address ransomware. I, you know, how that’s going to impact the cyber insurance market is still a little bit of an unknown. We have seen the insurance market respond by some, you know, enhanced underwriting specifically around you know, controls and networks security and, you know, business continuity plans specific to ransomware. So you’re starting to see that from underwriters, from cyber underwriters in terms of the coverage itself. And obviously Justin, you know, this, that, you know, if, if you are hit with a ransomware attack and the entity or the ransomware variant is on the OFAC list the insurance company is not legally able to pay the ransom on your behalf is not legally able to reimburse you even for a payment. So that is the position that a number of the carriers have already taken. In some instances we are sort of seeing some sub limits being added to cyber extortion coverage as well. So we’re definitely, you know, the markets are being impacted and we expect the coverage will, will certainly be impacted in the not too distant future.

Host (09:39):

I think that would be helpful. So let’s take one of those situations. If a company pays a ransom, that particular amount won’t be covered, what should they expect to be covered? What are the, you know, if they enter into this ransomware situation or they they’ve, they’ve been forced to enter into this ransomware situation, what, what can they expect their coverage to help them with?

Kelly (10:02):

And, and that’s a good point because there is a lot of coverage that exists in a comprehensive standalone cyber insurance policy that can still provide a lot of protection and assistance for policy holders you know, incident response services. So, you know, you will get when the ransomware incident hits, you will get coverage associated with computer forensics public relations in the event that the organization feels that it would be helpful to engage a PR firm to help mitigate any potential negative press that might, you know, come from the event. There will be legal fees. Like, you know, I know Justin does, does a lot of this you know, helping, helping the entity sort of manage through the process and, you know, grapple with you know, the compliance requirements, do they have to notify their clients? Do they have to notify employees? All of that is all covered and will continue to be covered by the insurance policy. The other thing that is important and is covered would be business interruption loss. So if the ransomware attack shuts the business down for 10 days or five days before they can sort of get back up and running from you know, from backups or however, they, they are able to manage through the process, given that they can’t pay the ransom. The business interruption business income loss will be covered as well.

Host (11:35):

And considering those, we also have a variety of other insurances, right? I might have business insurance and a variety of other insurances. So how do those interconnect is there, you know, if do I have to worry about one insurance over the other one overlapping, or if I, if I have a situation, do I just dive right into my cyber insurance first?

Kelly (12:00):

You know, that is something I think the, the insurance market as a whole is trying to address right now. Many of the traditional insurance products that are out there do have some cyber related coverage, whether it’s silent. Maybe you have a property policy that has business interruption, loss coverage, and it doesn’t specifically exclude cyber perils that may trigger. You may have an errors and omissions policy that has some affirmative cyber in it that may trigger during an incident. So your point is a really good one. One of the things that we encourage our clients to do when there is an incident is to really look at all of your insurance policies in your portfolio and try to determine you know, which ones may have some coverage, which ones may trigger. Our suggestion always is to have the cyber go first.

Kelly (13:00):

You know, we try to coordinate that upfront at the very outset and, and affirmatively state that the, that the cyber policy will go first simply because the cyber claims professionals, that’s what they do all day long. And you want someone who knows how to deal with these incidents dealing with them upfront. You don’t want your property claims professional, trying to sort of manage through it where they see it every once in a while. And you know, it’s a different dynamic. So you really want that claim handling professional on the cyber to, to respond first.

Host (13:35):

And I’m just going to keep talking. So Justin, you might be able to get a word in edgewise, but I have another question.

Host (13:42):

If you want to ask another question, go ahead. It’s just, I’m used to this. So keep going.

Host (13:49):

Is there a Benefit to having your insurance all with one company or, you know, someone might start with business insurance at one company and then maybe they decide, Oh, I guess I should get some cyber insurance, but I’ll go to this other one. Cause it was less money. And I think that’s a risk. I don’t really need to worry about as much. I I’ve talked to business owners and companies, and that’s often how they view different types of insurances. So can you talk to us a little bit about the advantage of having one company manage all your insurances?

Kelly (14:21):

I mean, I think if you have one carrier that is issuing all of the insurance products in your portfolio you, it, it could be an advantage in that, you know, it’s a streamlined situation. You don’t have a situation where two carriers are sort of pointing at each other, if both policies are triggered. I think one of the challenges and one of the things that you will see a lot of these major carriers do is in the event that they have issued, say five policies to one entity a cyber policy, a property, and, you know, an ENO policy, they may add what is called a non stacking endorsement to that, which sort of contains their exposure. So if they, if, if they issued five policies to you, they don’t, they may not want to extend themselves to all of those limits. So if you have one incident that triggers multiple policies, they may actually add a non stacking or an anti stacking endorsement to their policy that says, if this happens and all of these policies do trigger, we’re only going to give you one of those limits.

Kelly (15:29):

So let’s say you have five, you have a million dollar limit on each policy. They may say if all of these policies trigger, you only get one, $1 million in coverage for this incident. Careful, because those are sometimes built into the policy form. Sometimes those provisions will be built into the policy form and you won’t even realize it’s there and other times it will be added affirmatively.

Host (15:57):
So it seems like making sure you’ve reviewed all these with someone who knows what they’re talking about at the beginning. It’s going to be really important. 

Kelly (16:02):
Yes. Very important.

Host (16:06):

Okay. Well, I’m going to have some fun because Kelly, let’s talk a little bit about the insurance policies when it comes to coverage for potential violations of privacy laws that are not a data breach. I think that’s an interesting as to how would coverage work in that instance?

Kelly (16:26):

That is like one of my favorite topics, Justin, I think you probably know that already. So, so going back to 2005, when I started you know, when I was, I was mentioning earlier that that’s when really we started to see cyber policies and the cyber insurance market start to evolve. That was right around the time when breach notification laws started to really sweep the country. Right? So we had California, the first data breach notification law was I think, 2002, 2003. And then you had a number of States that sort of followed in lockstep behind now we have all 50 States that have breached notification laws. The cyber market, the cyber insurance market really grew up around the concept of breach notification and to address the whole concept of breach notification and breach response. So your, your point is, is right on because that is how most of the policies were drafted. And fast forward to 2018 you had the GDPR and you had a whole host of other, the CCPA and a number of other state and foreign privacy laws that were much broader in scope than just talking about notifying customers, clients of, of breaches, right? So impose all sorts of obligations on companies relative to the collection of the data and, and consent and things of that sort. So not all cyber policies out there will respond if, if the allegation doesn’t attach to, or, or relate to an actual breach event.

Host (18:09):

But I think you’re also saying there may be policies out there that do. And so as we have this proliferation of privacy laws that we’re seeing in California, and there are other States that are contemplating passing them, the likelihood of having a violation of a privacy law that doesn’t necessarily have a breach goes up and there may be opportunities to have affirmative coverage to help you with that. But one, you have to work with someone who understands that like EPIC and two, you have to make sure you understand the details of the policy itself to know what’s covered. That’s really what I wanted to make clear for our audience that, Hey, these privacy laws are coming and there are now products out there in the insurance market, depending on your understanding and what you buy that can help you in the instances where you violated CCPA, but it didn’t necessarily rise to some type of data breach notification,

Kelly (19:03):

Right. And that is exactly right. There are there are policies, there are cyber markets out there that will provide affirmative coverage for privacy violations. Many of them, even, even those markets that will provide coverage for the broader privacy violations. Many of them will only provide coverage. If it’s a regulatory investigation, they will not provide coverage if it’s a third party action. So take, for example, BIPA in Illinois, right? You have a private right of action for the Illinois biometric protection act. Right? So if, and I think we saw, I think there’s a lawsuit recently I think against Amazon involving BIPA and, and those, you know, the private right of action around the wrongful collection of personal information, that is something that not a lot of carriers are willing to sort of stick their neck out for, in terms of coverage. And if they are typically it involves pretty detailed underwriting around your you know, your controls and your attention to privacy laws and your compliance with them before they’ll even provide the coverage and also sub limits of coverage. So be very careful about that distinction between coverage for the privacy violation if, if the action is brought by a regulator versus privacy, you know, broad privacy coverage, if it’s brought by a third party individual. 

Host (20:43)
And so then the other question I have is kind of related to, you know, some companies might have a violation a little bit more unknowingly. They didn’t know about a particular piece, or they did their best effort, but still something happened compared to the company who knew, but opted not to do the coverages  – distinguish between those scenarios

Kelly (21:06):

They do in that almost all. I mean, I think all I can probably say all policies have what is often referred to as an intentional act exclusion which typically will include knowing violation of a law. So if you knowingly avoid a law, you know, that you have to, you know, get consent from various individuals, your employees, for example, if you’re going to collect their biometric data and you just say, you know what, it’s going to be too much of a big deal for me. It’s going to cost too much. It’s going to be a pain in the neck. I’m not going to do it. And then you are sued for that. You know, depending on the circumstance and depending on the policy language, your policy could potentially exclude coverage for that based on the fact that if you had senior executives at that organization that knowingly violated the law those policies will not, not likely cover that.

Host (22:07):

Got it. So on the same theme of a company doing their best efforts when it comes to cyber insurance, I buy it. Am I good? Am I done? I don’t have to do anything else, or are there elements I need to do to maintain a strong program within to make sure that I still can, you know, in other words, is it, I bought the insurance. I’m good. I file it away. I can do whatever I want to in the company. Or do I still have to maintain certain levels of training, a certain level of a program? You know, are there elements that the insurance is basically requiring companies to do to still have that insurance be honored?

Kelly (22:47):

It’s a great question, because I think the market is, is grappling with that. It’s right now I think there are a handful of cyber markets out there that will conduct scans public scans of your network. And they’ll do it on a routine basis during the policy period. And they may send you reports and you know, this, after we conducted this scan, this is what was, you know, this is what happened and we noticed these vulnerabilities and some of those policies will require that you promptly address anything that is brought to your attention during the policy period. So if you have a policy like that there may be things that you need to affirmatively do and make sure you’re doing or you may not get coverage. If, if the incident relates back to a vulnerability that they identified and you didn’t address but not all policies are like that. So,

Host (23:46):

Kelly, it’s interesting that you bring this up because I know there’s one carrier that you and I have talked about that does exactly that. And one of the things I think it brings up the companies don’t think about is, is if the insurance company does that and gives it to the insured, there’s no attorney-client privilege that attaches to that. So if the company just decides that we’re not going to do it, we’ve got other budgetary concerns, particularly in the COVID environment, they may ignore it. And then if a breach happens and there’s litigation, those reports are fair game. And a lot of times people don’t consider that, that if they were going with that insurance company and they were going to issue those reports, I’d be telling them you need to do that through our outside counsel.

Kelly (24:30):

Right. And I think that that’s exactly our position. You know, there are more and more of the cyber carriers that are conducting these scans for underwriting purposes and, and they can do that. And they can, as long as they’re not providing the reports affirmatively without your consent. And that’s, that’s the issue. I think you and I have talked about a number of times if the company understands that they are going to, that their cyber carrier is going to run this test and they, and they say, yes, I would like to see that report. Then that’s, you know, I mean, that’s their decision. Maybe they’ve, they’ve decided they want to see what it is and they’re committed to addressing any problems. And as long as they understand the potential you know, pitfalls of that with respect to the attorney-client privilege. And, you know, I think that that’s okay.

Kelly (25:19):

What my biggest issue is when an insurance carrier does these scans and just automatically sends the report to the to the company with the quote. And I’ve had a number of our clients that, you know, when that happens, they are just taken aback and confused and like, look, I didn’t want this. So, and I think these scans and I know Justin, you, and I’ve talked about this as well as these scans are, you know, all different you know, you can run five scans on the same company on the same day and have a different results. So I’m not so sure how valuable they really are. But I do think that they could put a company in, in a worse off position legally at least than they were prior to having it, if they get it without knowing 

Host (26:17):
How often should a company, re-evaluate their coverage?

Kelly (26:21):

Annually And I say that because cyber risk, as we all know evolves at such a rapid rate. And I, you know, I can tell you that the markets you know, we see probably new amendments, you know, endorsements to policies, changes to policies, I would say every six to nine months. And if you’re not, if you don’t have a broker that is really paying attention to this and immersed in this, it’s very easy to miss something. And then you won’t have the most current version and the privacy coverage that Justin and I were talking about before is a great example of that, you know, that sort of happens in the background. The other thing that, that is a really recent change that is, was COVID driven, was the idea of your, the definition of computer system, including employee-owned devices. That was a big change in the market because everybody went remote and, you know, before that, you may have had a definition in your policy that did not include employee-owned devices, only company-owned devices.

Host (27:36):

Yeah. That raises a good point. So if you’re a company who had, you know, sign up for, for insurance a couple of years ago, you have the same coverage COVID hit, would that amendment apply retroactively to the policy I have, or only to new policies?

Kelly (27:54):

You know, some of the, some of the carriers were at least re you know, probably within the last six months or so, we’re issuing, issuing endorsements to existing policies that address that affirmatively but not all did that. So, you know, if you were not sort of paying attention to that, sort of back to your point, Jody, about, you know, I have the coverage, I check the box where I have to do anything. This would be a perfect example of, this is one of those, those times where, you know, the world changed and the work environment changed and the technology, you know, everybody started relying on their own devices and that was a big change for a lot of companies. And if they didn’t have this endorsement or if they didn’t have you know, a definition in their existing policy that encompassed employee-owned devices, whether it was phones, iPhones, or laptops, tablets and then they had a claim or an incident that related back to one of those employee-owned devices, they would not have coverage.

Host (29:04):

Yeah. That’s an important takeaway. I think that everyone needs to make sure if they haven’t already done is to go back and identify your carrier and your coverage and determine are you in scope or has that endorsement followed you or not? Yes.

Host (29:19):

By the same token, Jody, when we talk about ransomware coverage, there’s a huge difference between the coverage where the insurance company pays the ransom versus they reimburse a company or the insured for having paid the ransom because a lot of companies may not have Bitcoin or whatnot lying around. And in the ransomware coverage, did the coverage include access, a ransom negotiator who can comply with OFAC. These are the kind of nuanced details that are now becoming really important because as we sit today, ransomware is now rampant in the marketplace right now. So all the insurance companies are getting flooded with claims and now is when people find out what the nuanced details of these coverage that have a dramatic impact on how they address these problems really works because so many brokers that they work with are not immersed in cyber. And do not understand any of this, unlike someone like Kelly who’s part of her job is she understands how the actual policy works inside and out. And that’s part of the value of what EPIC brings to the table is her expertise.

Host (30:29):

Well, thank you. So, Kelly, what would be some of the best tips that you would offer individuals and companies? So you can kind of pick the cyber insurance tips for companies and maybe something, just knowing what you know, in, in dealing with this all day, what do you do in your, in your personal world to make sure that your data is protected? 

Kelly (30:53):

So I think from the, you know, for companies, from my advice for companies would be you know, almost to what you had said before Jody is, you know, you can’t really buy an insurance cyber insurance policy and check the box and sort of walk away from it. It is it is the risk itself is a very dynamic risk. It changes constantly. You need your coverage to keep pace with those changes in risk. Or you will find yourself in a, in a very unfortunate situation where you have an incident that is not covered by your policy. And that’s whether it’s cyber crime or, you know, to Justin’s point privacy related. So I would say that, you know, it’s definitely one of those, one of those insurance products is I know insurance is not fun, but it’s one of those insurance products that you sort of have to stay on top of.

Kelly (31:46):

For individual, it’s interesting, you know, the market for personal cyber coverage is so small still it’s about 500 million in gross written premium. You know, whereas the, the market for commercial lines is probably between five and 7 billion. But the personal lines market is growing a bit. So there are products out there that you can get typically added on to a homeowner’s policy or some sort of umbrella policy for personal protection for for cyber incidents at your home. But one of the best tips I got was I went to a conference a couple of years ago where Frank Abagnale the Guy from Catch Me if you Can was speaking. And he was really, and his best tip was when you’re using your debit card, your bank card, right.

Kelly (32:45):

That if you’re making a purchase, you should always make a purchase as credit, because then you don’t have to worry about if, if you had a you know, somebody kind of stole your, your your credit card or your information, the bank automatic, the debit card, it automatically comes out of your account. And then you have to fight with your bank that could take months to get your hundred dollars back. Whereas if it was a credit purchase the onus is on the merchant, right? So they just automatically we’ll, we’ll give you the a hundred back and say the merchant was at fault. So I always do that. 

Host (33:26):

That’s a really great tip. I had not heard that. Wow. Gold. So that was good. Well, Kelly, it’s been wonderful to have you, we could talk about this topic for hours, especially when people are saddened, when they don’t realize when they realize they don’t have the coverage that they thought you forgot the fun. I did forget a question. I forgot. You know what? We need to have some fun Kelly off topic from our cyber insurance world. What do you like to do for fun?

Kelly | Host (33:55):

Oh, Oh, so you’re going to make fun of me. So I bought a Peloton right before COVID hit. It really had, it was totally before COVID, but it was maybe in February, we got it delivered. I love it. I have a favorite instructor. We’re Peloton people. Also, ours is now two and a half years old. So we were very fortunate where we I guess now we have an old bike though. So you do, you got to get this cool screen. The flip screen, my husband thinks I’m crazy. He’s like, we just bought this bike. Do you have a favorite instructors? I like Robin. Of course she’s the sort of main one. And I like Hannah. And who else do I like? Jess Sims. Very good. Well, maybe we can have like a cyber privacy tag hashtag yeah, we should do that.

Host | Kelly (34:56):

Well, it has been fun Kelly to have you here. How can people find you? If you go to the EPIC website you can certainly find my contact information there or I’m on LinkedIn. Well, wonderful. Well, Kelly, thank you again so much for sharing so much value and helpful information when it comes to cyber insurance. We really appreciate it. Thank you for having me.

Host (35:32):

Thanks for listening to the, she said privacy. He said security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.