Insurance agencies are attempting to manage the high volume of cyber-attacks claimed each year. As cryptocurrency increases in popularity, so does the opportunity for individual cybercrime. What happens if the attacker comes back? Can you afford to pay the ransom again? Learn what you need to do to protect yourself and your business in today’s world of cybercrime. Join your host Chip Arenchild and cybercrime expert Patrick Hernandez from Sullivan Curtis Monroe on this episode about navigating cyber threats.
Cyber Threats in the Wake of Cybercrime and Cryptocurrency Transcript
00;00;00;05 – 00;00;20;03
Patrick Hernandez
We see now that folks recognize it’s much more, potentially profitable and endangering to their well-being to commit theft, via, online events such as cybercrime or extortion, as we’re seeing. No longer do they need to go out and rob a bank and put their body in peril. They can do it from the comfort of their couch.
00;00;20;05 – 00;00;35;08
Patrick Hernandez
So in addition to state sponsored attacks, which, have been publicized throughout the past ten or so years, we’re also seeing a rampant increase in organized crime using this as a means to generate revenue.
00;00;35;10 – 00;00;59;12
Chip Arenchild
Welcome to Know Your Risk and Insurance Coverage with Risk Pro Net, where we will discuss all things insurance for you and your company. Risk Pro Net is a network of independent agencies who offer specialized insurance across business sectors. Regardless of where you are in your insurance journey, we want to invite you to join us to think about insurance differently.
00;00;59;14 – 00;01;26;19
Chip Arenchild
Know Your Risk and Insurance Coverage with Risk Pro Net provides answers to all your insurance questions. Good afternoon or good morning, wherever you may be. Welcome everyone to another episode of Know Your Risk and Insurance Coverage with Risk Pro Net. I’m Chip Arenchild, your host. And today we’re talking and again about another hot topic in the insurance market that has implications for everyone.
00;01;26;22 – 00;01;47;15
Chip Arenchild
A marketplace that is changing rapidly has caught a lot of people off guard. And I think it’s very timely that today we have, Patrick Hernandez from Sullivan, Curtis Monroe, which is a nice independent agency located in Southern California. They do wonderful work. Patrick’s been an integral part of their success. And so, Patrick, welcome to the show.
00;01;47;16 – 00;01;48;22
Chip Arenchild
How are you today?
00;01;48;24 – 00;01;50;10
Patrick Hernandez
Thank you for having me, Chip. I’m doing great. How are.
00;01;50;10 – 00;02;14;18
Chip Arenchild
You? And we’re doing fine. Well, cyber insurance, brokers are going through some renewals this time, and it’s kind of caught everybody off guard as to what to expect. Can you give us just a little state of the Union on the on the marketplace right now and what we should be expecting both not only as brokers, but also if I’m a consumer, purchaser of insurance, listening to this podcast today.
00;02;14;20 – 00;02;38;17
Patrick Hernandez
Yeah. No. Great question. If we had to distill it down to one word, it’d be changes and unfavorable changes. The market is hardening dramatically as a result of really poor experience carriers are having, from a loss perspective, from a number of different, attack points, whether it be extortion, cybercrime or the traditional incident response claims that we’re seeing out there, today.
00;02;38;20 – 00;02;56;01
Chip Arenchild
Of those things that we’re seeing right now. You know, I kind of have a joking little thing going with when clients ask me about cyber insurance, I ask them, do you know how to buy Bitcoin? And then we be a little flippant right now, but I, I know things are changing. I know what’s the status on paying ransom right now.
00;02;56;01 – 00;03;02;02
Chip Arenchild
If I’m a client and I’m attacked. Do you have any advice for what I should be thinking about or what I should be doing?
00;03;02;05 – 00;03;18;19
Patrick Hernandez
Yeah. Great question. Honestly, I would ask a question even before that was, what would you do if you had any sort of cyber event, let alone a very specific one, such as a ransomware attack? But that being said, you should have your incident response plans and know who you’re going to call when that bad day comes.
00;03;18;21 – 00;03;44;17
Patrick Hernandez
Cyber insurance policies have means to assist in answering that question with dedicated, claims teams and vendors who can assist in things as specific as complying with ransomware demands. One thing we’ve seen policies develop is go on to extend coverage to include cryptocurrency. So we, there are a number of vendors that could be available through your insurer to meet that ransomware demand.
00;03;44;17 – 00;03;57;16
Patrick Hernandez
Timely, because like you or I or many don’t know, it is, quite a process to go out there and acquire Bitcoin or some other, cryptocurrency that is very likely going to be required by the attacker.
00;03;57;18 – 00;04;23;02
Chip Arenchild
The cryptocurrency, it just it’s amazing, right? It’s almost going hand in hand with this change in the marketplace right now. Who’s doing this to our country. And I mean, it’s been on the radar screen for a while, but it really wouldn’t seem like until that Colonial Pipeline and whether it was national defense or whatever happened. But it seems like since that event, there’s been a dramatic change, both in the market side in addition to what the government’s doing right now.
00;04;23;02 – 00;04;27;23
Chip Arenchild
Do you have an update for us on where do you think things are at and where they’re going?
00;04;27;26 – 00;04;50;10
Patrick Hernandez
Yeah, things have really transitioned over the past 4 or 5 years. We see now that folks recognize it’s much more, potentially profitable and endangering to their well-being to commit theft, via, online events such as cyber crime or extortion, as we’re seeing. No longer do they need to go out and rob a bank and put their body in peril.
00;04;50;11 – 00;05;12;13
Patrick Hernandez
They can do it from the comfort of their couch. So in addition to state sponsored attacks, which, have been publicized throughout the past ten or so years, we’re also seeing a rampant increase in organized crime using this as a means to generate revenue. So it’s, unfortunately been identified as, a cash cow by these bodies.
00;05;12;13 – 00;05;19;22
Patrick Hernandez
And we have multiple throughout the country. Throughout throughout the world and in multiple countries engaging in this type of activity now.
00;05;19;25 – 00;05;36;11
Chip Arenchild
So it appears or feels like it’d be safe to say that, this is here to stay. And it’s really one of those things is a matter of when, not if it’s going to happen for most businesses or with the potential things out there. Do you feel that there’s ETA? Is that even an accurate statement?
00;05;36;13 – 00;06;09;18
Patrick Hernandez
That’s an accurate statement. And what’s even scarier is that it’s no longer just relevant to the quote unquote Fortune 1000 sized companies. Given the systemic process they have developed in terms of how do you target someone, penetrate them, gather enough information to perpetrate attack, they’re able to do this on a, more a larger scale, as well as identify smaller businesses that likely don’t have the IT infrastructure or budget to stay on top of all the various, vulnerabilities they need to patch.
00;06;09;24 – 00;06;22;25
Patrick Hernandez
These are being scanned for, identified, and these bad actors are targeting and latching on to them to perpetrate their various crimes. So it’s unfortunate the direction we’re heading.
00;06;22;28 – 00;06;48;08
Chip Arenchild
Well, Patrick, this coverage seems to have changed from being mostly concerned about protecting someone’s personal identification to now phishing attacks and ransomware. And those seem to be the primary drivers. And you hardly ever hear about, the someone’s identity being compromised and having to do those reporting services. Plus, I think most of us as consumers and we’ve gotten those notices, whether it’s from Anthem or for somebody else.
00;06;48;08 – 00;06;55;19
Chip Arenchild
And frankly, when I’ve gotten them, they look pretty shabby as it is from a reporting standpoint. So can you tell us where we’re at today?
00;06;55;21 – 00;07;13;28
Patrick Hernandez
Yeah, of course. No, that’s a great I think everyone at least has some sort of personal experience or an anecdote they can share about receiving an offer for credit monitoring or some other notification letter. So that was really the beginning of the cyber product. And then we got to see cybercrime as a threat vector really take off.
00;07;14;01 – 00;07;33;01
Patrick Hernandez
And folks needed an insurance product to try and address that exposure. And there was some finger pointing in the industry, to be honest. You know, traditionally this is something and, you know, underwriter would say, no, that’s a crime exposure that should be really, really addressed by our Crime Underwriter and their policy where that Crime underwriter was saying, this is cyber related.
00;07;33;01 – 00;07;52;00
Patrick Hernandez
I can’t underwrite to this. I don’t know the intricacies of these threats. And there was a bit of finger pointing taking place at the time. It was what we would call very soft market. It was a buyer’s market, and there really was a race to develop the most competitive form and establish a foothold in this emerging insurance product.
00;07;52;03 – 00;08;24;02
Patrick Hernandez
So with that, we saw a number of carriers offer a variety of interesting and nuanced type of coverages. Cyber crime being one of them, and one of the more relevant ones to the news stories we read today. And something that we really urge all of our clients to look at and, at least ascertain if the value is there, which, as you mentioned earlier, really only a matter of time until they need to answer that question of how they’re going to deliver Bitcoin or perform forensics on their network or something of that nature.
00;08;24;02 – 00;08;32;14
Patrick Hernandez
So really vital. But it’s really taking dramatic shape, as you mentioned from the notification letters, we might have been receiving ten years ago. Yeah.
00;08;32;15 – 00;08;53;09
Chip Arenchild
You know, another point you just brought up I would like to get your opinion on is as brokers and also as insureds, this this blending of two different coverages, you just brought, the one that I think up until this hardening market was the one I used to be worried about the most was crime and cyber. And you know, with crime, it was the fraudulent funds and the computer transfer.
00;08;53;12 – 00;09;09;03
Chip Arenchild
And then you started to see it be incorporated in a cyber policy, and now you see them kind of blended together. Do you have a recommendation on for both a broker and what insurers should be buying to cover those gaps? It’s, I’d be curious what your thoughts are about that.
00;09;09;06 – 00;09;45;07
Patrick Hernandez
Yeah. Great question. In short, I’d rather have double coverage than no coverage if you had to overlap between your crime and cyber. That being said, really, that’s where an insurance professional’s expertise is going to be paramount to ensure you’re not potentially double paying in overlapping coverage. And when I talk about the rapid development of these cyber policies, one of the unfortunate results of that is we had a number of carriers who were developing their own insurance clauses and insuring agreements, and there isn’t uniform language contained within the insurance agreements.
00;09;45;07 – 00;10;15;28
Patrick Hernandez
And definitions change, their intents change. So it takes, a broker or someone with technical ability to really review that and ensure what you’re buying isn’t a misnomer. It truly is covering what you’re expecting it to cover. Now, in review that your insurance broker should be reviewing where the cyber policy ends and where the crime policy begins, to make sure you’re addressing your exposures as efficiently as possible.
00;10;15;28 – 00;10;21;27
Patrick Hernandez
But at the end of the day, I prefer an overlap as opposed to a gap. And I’m sure I’m sure most would as well.
00;10;21;27 – 00;10;57;14
Chip Arenchild
I would agree, I think I think you bring up a great point with all the carriers having different definitions of basically the same insuring agreement. It’s difficult for a broker if you don’t specialize in this line of business. I think to be able to take a proposal for coverage and really be able to know what it means. And do you see you see ISO or anybody starting to talk about standardizing this or because it’s such a fast moving market, I could see where it needs to stay surplus in London, and a lot of flexibility is needed on the behalf of the carriers right now.
00;10;57;17 – 00;11;24;05
Patrick Hernandez
You’re absolutely right. We talk about, the cryptocurrency example we brought forward earlier. You know, when some of these insurance agreements were written by legal teams, they thought they were addressing every threat vector. Well, they might have missed some, and some might emerge that they had no way of knowing about. So omitting cryptocurrency from what would be considered, an acceptable extortion payment is a good example that’s widely uniform now, but it wasn’t for quite some time.
00;11;24;05 – 00;12;08;06
Patrick Hernandez
So these policy forms are unfortunately playing catch up to what’s happening in the real world, which kind of is a problem for developing a filed language with established rates. It’s, likely going to remain in the surplus line space, at least the breaking, cutting edge coverages that seemingly become more and more important as new threats emerge. But we’ll continue to see some sort of uniform, as the insurance industry develops their own language and agree upon the ways we’re, we’re going to refer to certain concepts are and sharing agreements is hopefully something that will make this process a little less daunting, for both buyers as well as insurance brokers.
00;12;08;09 – 00;12;33;11
Chip Arenchild
You know, I think it illustrates exactly why you need why we’re doing this podcast. You need member firms, agencies like members of Risk Pro Net that have dedicated, dedicated expertise in cyber and, and blend these things together like you’re illustrating. It’s very difficult to just take that proposal that someone sends you and just say, it’s like, Greg, remember the old ad for Ragu spaghetti sauce?
00;12;33;13 – 00;12;57;19
Chip Arenchild
It’s all in there, right? You know, and you can’t trust that as a broker, because when it happens and it’s not there, that’s our problem. That being said, are you seeing that this product is, you find yourself as a broker working more with our traditional carriers? Or do you find that you spend more time in the wholesale market, and you really are leveraging those wholesale relationships with may even be one step ahead of you on the cutting edge.
00;12;57;19 – 00;13;03;05
Chip Arenchild
Do you have, a feel for where this is headed or a recommendation on where to work in this space?
00;13;03;07 – 00;13;31;01
Patrick Hernandez
Yeah, no, that’s a great question. And unfortunately, it’s one that’s also going through changes consistently. We’ve seen in the soft market extremely competitive pricing from a number of, surplus lines carriers. We’ve seen standard markets compete on price as well. That being said, we’re seeing a dramatic change in the profitability and outcomes of some of these placements, which is causing some carriers to exit the space in its entirety.
00;13;31;03 – 00;13;54;29
Patrick Hernandez
Others that might have been price leaders are now one of the highest priced, markets out there, because they know what these losses look like as they acquired such a large portion of the of the, the portfolio out there, so to speak. So it’s kind of a rotating, list of names in terms of who can address the coverage in the most price efficient manner.
00;13;55;00 – 00;14;24;29
Patrick Hernandez
Now, there’s also the value and the coverage considerations that must be made. We talk about the hardening market generally here. One specific thing that is happening beyond just the pricing is the limitation of, coverages dedicated to cybercrime. We’re seeing outright, reductions in renewal terms, perhaps taking in extortion limit, cutting in half, leaving it to a quarter of what it might have been the preceding year.
00;14;25;01 – 00;14;56;03
Patrick Hernandez
So there are unfortunately a number of different changes that are occurring in response to the adverse loss carriers are seeing. It’s often a mix of, of how they are adjusting their terms, whether it be price or reducing limits. So it’s really important to navigate and continue to market, continue to talk with a variety of carriers to ensure that the, appropriate mix of changes is suitable for your client.
00;14;56;03 – 00;15;15;17
Patrick Hernandez
It might change year over year now, as, claims made coverage, of course, important to recognize that there could be some retroactive date implications by changing carriers year to year. But typically, you can find full retro coverage out there. One of the many variables, an astute broker needs to be mindful of.
00;15;15;20 – 00;15;34;28
Chip Arenchild
Yeah, it just it illustrates for me, one of the fun things about the insurance market and maybe a lot of people don’t think it’s fun, but, reminds me of the saying that everything works until it doesn’t. And I think the illustration I had was a car. Right. You turn on a car, and every time it works, you think it’s the easiest thing in the world.
00;15;34;28 – 00;15;57;22
Chip Arenchild
But the minute it doesn’t turn over, you realize how complicated it really is. And I think this, that, that the marketplace can change literally overnight or within weeks and go from being soft to being hard and being restrictive and just delivering bad news. I’m actually encouraged by that because it means it’s viable and it’s it’s working. But even though it’s painful, it’s painful for everybody.
00;15;57;24 – 00;16;18;02
Chip Arenchild
Do you have any recommendations for how do you get that best submission in front of that underwriter? What do you need to what should we be promoting that our clients are doing? What should clients be doing not only now, but thinking into the future, what they could be doing? I know that’s a big question, but how do we get ahead of this thing or be the best prepared for it going forward?
00;16;18;05 – 00;16;21;19
Patrick Hernandez
No. Great question. And I figured let’s just start start with the basics.
00;16;21;22 – 00;16;22;05
Chip Arenchild
Okay?
00;16;22;05 – 00;16;38;23
Patrick Hernandez
Put on my old underwriting hat and kind of walk you through what I would look for in a submission and just kind of talk about how an underwriter arrives at a price point and move into some of the more the minutia, the finer points that, really can make a difference when it comes to your ability to obtain the best possible term.
00;16;38;25 – 00;17;09;24
Patrick Hernandez
So, first and foremost is how is a policy rated? Well, in a perfect world, every, commercial entity would know the exact quantity, exact type of the records they hold. You know, what information is being held by them or their vendors. Important to know that distinction, that you are legally responsible for information you accept. And if you were to hand it off to a third party, you have a professional duty to ensure that that third party is holding, holding those records securely.
00;17;09;27 – 00;17;14;17
Patrick Hernandez
But unfortunately, no one really has. Very few had the answer to that question, especially in the small middle market space.
00;17;14;22 – 00;17;23;02
Chip Arenchild
Totally. It’s all made up, right? You’re like, give me how many records? I don’t know, give it your best swag. And that’s what we’re going to put on the application.
00;17;23;04 – 00;17;53;10
Patrick Hernandez
Exactly, exactly. So we have to do something in lieu of that because it’s just not available. So the best widely available metric that can hopefully determine the size and potential exposure is revenue. So revenue is the primary rating basis for the cyber insurance product. Now, the revenue of the exposure of a health care company of $100 million to that of a manufacturer of $100 million is vastly different.
00;17;53;12 – 00;18;21;27
Patrick Hernandez
So the next step is identifying what industry they are in. And that really we’re going to be beginning to see, you know, the spread start to occur in terms of pricing, protected health information by going to be substantially more costly for an insurer following a breach. In addition to the notification, you’re looking at substantial regulatory fines and penalties, whereas a manufacturer might have limited to no sensitive information.
00;18;22;04 – 00;18;45;17
Patrick Hernandez
Maybe outside of employees or maybe information protected under an NDA. You know, they there’s certainly exposures they have from extortion and things like that that we’ll get into a moment. But at this top, top level, that’s really how these things are being rated, from they’re pretty straightforward amount of limits, retentions, loss, experience, all things that are going to be, factored in to arrive at price.
00;18;45;22 – 00;19;06;19
Chip Arenchild
Our loss is looked at since, you know, you think of other traditional losses, in the industry, auto losses or workers’ comp claims or GL losses. How do underwriters view a cyber loss? I would think that’s got to be like the big stink of death on that thing, right? Like, can you overcome a loss? I guess would be my a better question.
00;19;06;22 – 00;19;26;05
Patrick Hernandez
Yeah. So that is actually a really interesting question and one that like the cyber product has changed over time. So maybe about ten years ago having a loss depending on how that loss was addressed could be a good thing. You know we noticed that. And ideally there’s not a it’s not severe loss. Maybe there was some intrusion into the system.
00;19;26;05 – 00;19;52;04
Patrick Hernandez
And they conducted a thorough forensics and ensured that there was nothing lingering on their network. Well, as an underwriter, yeah, that’s a loss. But this is likely someone who’s identified and remediated any issues going on, whereas a, an applicant for coverage, shows no losses, but they show they also might not have the best controls. There honestly might be someone under the hood of that network, tampering around.
00;19;52;04 – 00;20;14;08
Patrick Hernandez
They’re not aware of it yet. Often the delay to discover that an event has occurred can be six months or longer. Often the more severe ones lasting the longest. So it can be almost a good thing to have a claim where there’s a great story behind it and a lot of due diligence was done, to ensure that this isn’t going to happen again.
00;20;14;10 – 00;20;29;18
Patrick Hernandez
Now, as we move into this hardening market, there’s specific concern around the cyber crime. Of course, that once a target potentially a future target, you complied with a ransom demand. Will they come back to the well a second time?
00;20;29;18 – 00;20;31;21
Chip Arenchild
Yeah. Can you pay it again? Yeah.
00;20;31;23 – 00;20;54;06
Patrick Hernandez
Exactly. So there is specific concern about these types of losses and what sort of things are being done to prevent them in the future. You know, what sort of failure of protocol resulted in the loss itself? And how can we ensure it’s not going to happen again? So that really kind of dovetails into the next part of the analysis of an underwriter.
00;20;54;06 – 00;21;23;07
Patrick Hernandez
Is, is the controls right? It used to be very basic. Are we seeing antivirus software? Is there a firewall is perhaps on the high end intrusion detection? Or penetration testing occurring once quarterly a year? You know what? What have you. Now we’re transitioning into much more sophisticated, questions and expectations of what an applicant will have in place.
00;21;23;09 – 00;21;28;21
Patrick Hernandez
Probably the most common one we’re seeing in the industry right now is the presence of multi-factor authentication.
00;21;28;24 – 00;21;46;10
Chip Arenchild
Tell me what is what is essential for a client to have, and then maybe what are the nice to have that aren’t essential? So if I were to say, hey, if you’re if you’re looking to improve your cyber coverage or you want to get cyber coverage in this market, you need to have these things.
00;21;46;12 – 00;22;14;27
Patrick Hernandez
Yeah. It used to be really industry dependent, to be honest. Health care entity needed to have rigorous controls in place to ensure that they were, an acceptable risk, whereas a manufacturer could have minimal. That’s really changed, especially stemming from, these cybercrime losses, this business email compromise, where now we’re seeing even what would be considered quote unquote, innocuous risks or industries are being required to carry multifactor authentication.
00;22;14;29 – 00;22;44;26
Patrick Hernandez
They might have limited information or exposure to be had. But the mere fact that, a criminal could get an employee to unknowingly but willfully remit money to a fraudulent wiring number. Those losses can be substantial. Hence, we’re seeing the reduction in the limits available there. As well as the underwriters honing in on the controls specific to these types of losses.
00;22;44;29 – 00;23;10;21
Patrick Hernandez
Whether that be multi-factor authentication, whether it be requiring policies and procedures of verifying wiring information with a phone call, we’ll see in some policies language that say if you do not verify a wiring, instructions with a phone call, the claim is excluded. So there’s a number of ways carriers are trying to specifically address this type of loss.
00;23;10;23 – 00;23;18;07
Patrick Hernandez
And unfortunately, it’s becoming more and more onerous for applicants to kind of meet the standard that is expected of them.
00;23;18;13 – 00;23;34;22
Chip Arenchild
And I would imagine then the applications insureds are filling out may have some warranty provisions they need to be paying attention to as well. The, the idea of just checking a box and saying, yeah, I think we got something, probably not a good idea right now.
00;23;34;24 – 00;24;04;04
Patrick Hernandez
Absolutely, absolutely. There’s representations and warranties included within the policy, and you really should be working with your insurance broker to make sure you’re answering those questions accurately and correctly, and that the representations are limited to the polling group of those in that room. It’s very possible that, lower level employees aware of some fact or circumstances that could give rise to a claim if not navigated and addressed appropriately in the application process.
00;24;04;06 – 00;24;23;13
Patrick Hernandez
You could see that claim when it does become known to the C-suite or officers of the company, be excluded as a result of, of potentially a broad polling group in the application process. So definitely something beyond just answering the questions. There are, implications of those representations and warranties, as you, highlighted.
00;24;23;13 – 00;24;40;06
Chip Arenchild
Yeah. So so, Patrick, I’m, I want to improve my coverage. I’m a client or I’m insured. I want to improve my coverage in this. What would you tell me? That I need to really be paying attention to today? And how do I get my application to stand out? And then what do I need to be thinking about?
00;24;40;06 – 00;24;55;11
Chip Arenchild
Do I need to be, my capital expenditures, thinking about I should budget so more money for it? Is there any product that I need to be moving towards? Employee training? You know, some of the things that I know people are doing to try and prevent these attacks from happening to them.
00;24;55;14 – 00;25;24;29
Patrick Hernandez
Yes. All of the above. Right. All these things you need be doing. But there’s a little hope for folks out there. Insurance companies recognize that not all applicants meet these standards. And they need to write business to remain profitable. Right? They can’t just write for that. Five people out there that have pristine cybersecurity controls. So what they’re looking to do is help improve the cybersecurity posture.
00;25;25;01 – 00;26;02;07
Patrick Hernandez
A number of their applicants, in fact, we see some folks willing if the application process is started early enough and there are deficiencies within the responses, direct them to some resources, some cybersecurity specialists that might be able to resolve whatever the situation might be, whether that be creating multifactor authentication controls or other policies and procedures. And beyond that, while that might be available in the application process and something to talk with your broker, they’re very likely to have some connections for resolving issues of this kind, given that we’re doing this on a day to day basis.
00;26;02;09 – 00;26;48;12
Patrick Hernandez
But at binding, a lot of carriers will now offer discounted or complimentary services alongside the actual risk transfer component of their policy. So, for example, that might include training that might include access to policies and procedures. We is scoring your cyber security posture. We have interesting ones. We always like, ones that actually conduct test business email compromise events and provide a report to, the officers of the company to identify perhaps which which employees are likely going to need some additional training to avoid falling victim to, a fraudulent email.
00;26;48;15 – 00;27;08;09
Patrick Hernandez
So if there’s really a robust number of resources that are becoming available, this is kind of been what we’ve seen developing in the past few years from carriers. The next innovation that they’re taking, because they most folks have come back to them as the parameters tighten of and the standard is raised of what they need to be.
00;27;08;09 – 00;27;31;26
Patrick Hernandez
Folks. It’s a that’s great. I’d love to do that. I recognize this is a serious issue, but how do I go about doing it? And brokers insurers are all stepping up to try and address and answer this question. And, obviously we would insurance carriers would not like to have losses. So they want well-protected insureds to, be partners with.
00;27;31;28 – 00;27;50;16
Chip Arenchild
Well, it’s nice to hear that there’s a lot of thought going into not just buying a policy and hoping something doesn’t happen, but really taking a look, a holistic approach of being able to say, hey, if something does happen, we’re here to help you out. But in the meantime, why don’t you take a look at these things as as ways to mitigate it?
00;27;50;16 – 00;27;54;28
Chip Arenchild
And if you can do them, we’re going to both be better off for it.
00;27;55;01 – 00;28;11;27
Patrick Hernandez
Yeah. It’s great. I think insurers and insurance is really played that part historically, whether it be cyber, whether it be property controls, in terms of what buildings need to have in place to ensure fire protections, we’re seeing that now play out in the cyber space.
00;28;11;29 – 00;28;34;22
Chip Arenchild
I would also imagine with this uptick in attacks that would probably seen an uptick in cyber security providers. Do you have any recommendations for what a client should be looking for to evaluate a cyber security advisor as they start to branch out into something? Do you just pick up the Yellow Pages, do a Google search? What should we ask?
00;28;34;22 – 00;28;36;13
Chip Arenchild
What do we need to know?
00;28;36;15 – 00;29;00;27
Patrick Hernandez
Yeah, no. Great question. I actually like to start one step before that. And, in terms of outsourced IT services, that is an area where a lot of folks might initially look to answer this question. Well, I already work with someone who provides all my outsourced IT support. Perhaps they can direct me. They very likely might have connections there, but that is also an exposure.
00;29;00;27 – 00;29;20;00
Patrick Hernandez
As I mentioned earlier, just because the information is being held by a third party does not mean that you, your commercial entity as the information acquirer, are not responsible for that. So you want to make sure, first off, your insurance policy extends coverage to that third party. But you also want to review the contracts you have in place with that vendor.
00;29;20;00 – 00;29;51;14
Patrick Hernandez
You know, what would they be responsible for? Are they required to carry insurance things of that nature. So best to start there. But that’s, traditional place for any commercial entity. To start is work with someone that they, utilize to manage both their information technology as well as the security component. Currently. That being said, there are a number, a vast number of local, national, widely known cybersecurity firms that do phenomenal work.
00;29;51;14 – 00;30;22;20
Patrick Hernandez
And depending on the specific needs, depending on the industry, the types of exposure or threats that you may be up against. There’s certain vendors, cybersecurity vendors that may be more appropriate for you. I would work with someone, your, your broker or your carrier to navigate to the one that’s most suitable for your specific profile. But, yes, I mean, folks are, your carriers are not intending to or not intending not wanting to pay claims.
00;30;22;23 – 00;30;50;05
Patrick Hernandez
So it’s incumbent upon them to make sure that you are appropriately secure, to avoid, any events as well as understand what exactly, what information you have, what exposures you have, and ensure that you are adequately being charged for those exposures. So it’s, all, all plays together, with the goal of improving cybersecurity for, for all of us.
00;30;50;05 – 00;31;10;27
Chip Arenchild
So as, as we’ve been visiting today and I think about what’s going on and the attacks that have made the paper and have been well publicized, it doesn’t really appear that any business can go without cyber. I think for a while, you know, it’s difficult to get people to talk about it. Obviously now they can and there’s contracts that require it.
00;31;11;00 – 00;31;30;05
Chip Arenchild
What do you tell the manufacturer that doesn’t think it matters to them? I, you know, the Colonial Pipeline, where they took control of it and they couldn’t pump oil, I think opened people’s eyes. And I believe there was also a metal manufacturing or metal smelter in Germany that got hacked and they destroyed their equipment, and it was a large claim.
00;31;30;05 – 00;31;42;25
Chip Arenchild
So vulnerability your system seems to be something that people haven’t thought about. And that’s all the way down to the local asphalt plant that has a motherboard. Right. Or a control panel that may go to the internet.
00;31;42;27 – 00;32;07;09
Patrick Hernandez
Yeah. We also saw a potential contamination of water supply in Florida. So there’s a lot of really concerning things out there. You’re, kind of touching on the greatest fear is that these cyber attacks can result in physical or potential damage or bodily injuries, which is very, very concerning. And we’re beginning to see that happen. And it seems that no target is off limits for some of these bad actors.
00;32;07;11 – 00;32;33;15
Patrick Hernandez
That being said, though, for the small, medium sized business, perhaps an industry that’s not traditionally highly exposed to these types of attacks is that these cyber crime ones, cyber crime attacks are not limited to the traditional misconceptions about the cyber policy, where we’re talking about liability to third parties who were financially harmed by the release of information, notifying those folks, extortion.
00;32;33;17 – 00;33;05;13
Patrick Hernandez
Is is a very in ransomware is available to hit any and all computers for folks in the manufacturing industry if their office network is not segmented from their operations environment, there’s concern that that can transition over and halt production. Right. The insurance policy does offer business interruption coverage, such as you might see on a property policy, if a building or if that same building were to burn down, you would have coverage for the loss of profits during the outage.
00;33;05;16 – 00;33;36;18
Patrick Hernandez
That also exists with the cyber policy with, of course, some time deductibles and things of that nature, as well as the business email compromise. I mean, of course, as any successful commercial operation is going to be, changing, have money changing hands through wiring, through sold goods, through money due to vendors. All those transactions are opportunities for bad actors to insert themselves and redirect those funds to their organizations or to them personally.
00;33;36;18 – 00;33;58;21
Patrick Hernandez
So it’s unfortunately, we’re seeing the activity transition away from the traditional intent of the cyber policy with liability and incident response now to cybercrime, extortion, funds, transfer fraud, things of that nature. So it’s, really something that it applies to any, any business at this point.
00;33;58;23 – 00;34;22;24
Chip Arenchild
It’s becoming apparent. You know, it’s super interesting to hear that. So how has your background as an underwriter really prepared you to be a broker? And, I’d be curious to know, what do you think is the advantage of hiring Patrick and SCM to be your cyber broker in this day and time versus someone who doesn’t specialize in it?
00;34;22;26 – 00;34;47;00
Patrick Hernandez
Yeah, no. Great question. Kind of personal question about how I found my professional career changing. So as an underwriter, I was knowledgeable about this product that was not widely known about. We are the brokers I worked with were not comfortable going through the intricacies for their insurers. And I was working from mom and pop all the way to Fortune 500 companies out here on the West Coast.
00;34;47;02 – 00;35;12;14
Patrick Hernandez
It was fairly specialized in the, underwriting background that we had been trained on, so got to see I run the gamut of various insurers and talk to people of varying levels of technical ability, but really had no insurance background. And the broker wasn’t comfortable linking those two things. So I was asked often to come out and speak to folks, translate, explain to them what is this product they are buying.
00;35;12;16 – 00;35;32;23
Patrick Hernandez
And I found, personally that much, much more enjoyable to get in front of people and educate them, walk them through the intricacies of the policy, answer, you know, hypotheticals as well as, underwriter was permitted to do. And I found a lot of enjoyment in that. I felt getting in front of broker out in front of buyers was really rewarding.
00;35;32;23 – 00;36;14;10
Patrick Hernandez
So, that led me to kind of transition over the broker side, where I’ve now been at Sullivan Curtis Monroe since 2017, now obviously offering the gamut of insurance products, but really relied upon to educate folks, ensure that the product is meeting their needs, and working with the marketplace to achieve the optimal outcome. So we take, you know, very craftsmanship type approach to it, understand you understand the exposures and make sure we’re really navigating through the entirety of the marketplace to arrive at a policy that meets your needs at the most cost efficient way possible, and having those value consideration conversations with you.
00;36;14;10 – 00;36;38;25
Patrick Hernandez
So, as opposed to here’s your cyber policy, here’s what it costs. Yeah. You should be good. No, we like to make sure that you really know what you are and aren’t covered for. I often like to have the folks responsible for information technology in that room so they can hear it firsthand and, maybe impart some knowledge that the CFO or, or owner isn’t necessarily, aware of at the time.
00;36;38;25 – 00;37;00;23
Patrick Hernandez
So I really like to get into the details and ensure everyone’s comfortable with the product. That’s really what we do, the approach we like to take. And, I of course I can talk about this forever. It sounds like, I’m sure, really happy always just to kind of maybe answer questions, misconceptions, you know, no obligation to purchase anything like that.
00;37;00;26 – 00;37;02;09
Patrick Hernandez
It’s really a passion of mine.
00;37;02;09 – 00;37;24;01
Chip Arenchild
So it comes across, Patrick, as a passion of yours, right? You can hear in your voice and understand as you talk about it that it is a passion. And I also I think the other thing you just said that caught my attention that the average broker, if they don’t specialize in this, is the blending of the chief information officer or their IT person.
00;37;24;04 – 00;37;39;22
Chip Arenchild
And most brokers can’t speak at all to some of the things we’ve discussed here today. And so when you’re going to take a look at the exposures, a company has, and you need to have that person in the room when you’re just as ignorant as the other people filling out that application, you’re really not doing the best service for anybody at all.
00;37;39;22 – 00;38;00;25
Chip Arenchild
So I think that illustrates a great point on why specialization is important. And that’s something in this insurance business that just doesn’t seem to change. There’s it just continues to niche. And you need to find people that really are passionate about what they’re doing. I’ve really enjoyed our conversation today, and I think some of the things you shared have been, enlightening for me, and I’m sure they’re enlightening for all of our audience.
00;38;00;27 – 00;38;12;24
Patrick Hernandez
Well, thank you for having me. I always, exciting topic, constantly developing topics. So I’m sure we might have some more updates for you in the future, but very much appreciate you giving me the opportunity to come on and share some insight. So thanks, Chip.
00;38;13;00 – 00;38;35;25
Chip Arenchild
You. You’re very welcome. Is there anything else you think that our audience would need to know whether it’s, directed towards member brokers, as they go out and potential sellers? I know that Risk Pro Net does have a cyber practice group that’s available for people to join if they want to continue to learn more on their own, or anything that an insured might need to know that we haven’t covered here today.
00;38;35;27 – 00;39;00;14
Patrick Hernandez
Yeah, of course, for Risk Pro Net members, we of course offer a number of various different resources, one of them being the cyber practice group, chaired by me, but helped by a number of our members and their various expertise, and really provide a great insight to the marketplace at any given time. In terms of what insurance carriers are changing, we mentioned the dramatic hardening that’s occurring on this call, as well as current events.
00;39;00;14 – 00;39;18;28
Patrick Hernandez
What are things that we can take and learn from what’s happening in the real world and communicate to our current clients, our prospects, and ensure that they’re adequately addressing this? So, yeah. Shameless plug. Please join us if you’re a permanent member, once a month for our call. I try to keep it pretty quick. You can tell I can talk quite fast.
00;39;19;01 – 00;39;22;26
Patrick Hernandez
So we’re trying to get you out of there in no less than an hour. No more than 30 minutes.
00;39;22;26 – 00;39;44;22
Chip Arenchild
A on Patrick on the on those calls. I just want to make sure that people understand one of our purposes within Risk Pro Net is to make sure that we’re transmitting knowledge, because knowledge is power, and that it helps when you run into a problem in a certain sector of the country, that when you can call your peers and ask, are they having the same problem or do they have a solution?
00;39;44;29 – 00;39;58;23
Chip Arenchild
And I know that we’ve been very successful being able to get things done by leaning on each other and maybe finding a different outlet or a market that someone else hasn’t heard of. And so I think that’s maybe the most valuable thing about being a Risk Pro Net member.
00;39;58;25 – 00;40;19;20
Patrick Hernandez
Critical, critical that just market intelligence leveraging our combined knowledge. And obviously, we’ve talked here about needing access to vendors who might be more suitable to address a specific need. That is all. Share that that aggregated knowledge in that room, which is available to anyone. Right. We’d love for Risk Pro Net members to participate in that meeting.
00;40;19;22 – 00;40;24;29
Patrick Hernandez
Whether it be a fly on the wall or an active member, we always look forward to great insight from folks.
00;40;25;01 – 00;40;40;24
Chip Arenchild
Now, let me ask one more time. Is there anything you think that insured that we haven’t covered today? If you were going to give a 30-second blurb to a potential insured or insureds out there that are listening, what would be your state of the Union and your hopeful message to give them?
00;40;40;26 – 00;41;10;24
Patrick Hernandez
Yeah. No, it’s unfortunately if not now, when. So in anticipation of that, really need to prepare all your policies, procedures and answer those questions: what would you do if you had a breach? Who would you call? How would you obtain Bitcoin if you needed to address a ransomware demand? Would you comply with that ransomware demand? All things that need to be addressed ahead of time, because when these events occur, unfortunately, they’re at the worst possible time for you and they’re also often very time sensitive.
00;41;10;26 – 00;41;31;26
Patrick Hernandez
So do the pre-work. Now, whether that be, you know, obtaining an insurance policy to transfer this risk or lining up vendors and relationships and just having answers to those questions, have that 911 emergency number available. So you know what to do when things go wrong. That would be my advice to everyone listening to this.
00;41;31;27 – 00;41;53;15
Chip Arenchild
Right on. That’s excellent. And that’s risk management 101. Right. Be you know, proper preparedness equals prosperity. So, anyway, hey, it’s been wonderful to talk to you guys. Everybody, this is Patrick Hernandez from Sullivan Curtis Monroe, a Risk Pro Net member in Southern California and also the chair of the Risk Pro Net Cyber Practice Group. Patrick, have a great day.
00;41;53;17 – 00;41;58;05
Chip Arenchild
Thanks for taking some time to visit with us and our listeners, and we’ll look forward to having you on again.
00;41;58;08 – 00;42;01;13
Patrick Hernandez
Likewise. Thanks, Chip.
00;42;01;15 – 00;42;20;01
Chip Arenchild
We hope you enjoyed this episode of Know Your Risk and Insurance Coverage with Risk Pro Net. For more information about Risk Pro Net, please visit our website. You can follow us on Facebook and Twitter for insurance insights from everyone at Risk Pro Net. We want to say thank you for tuning in and see you next time.