
Ransomware and Cyber Insurance is For Everyone Now with Alexandra Bretschneider


Losing customers as a result of a cyber-attack may not be on your radar as a manufacturer or brick and mortar, but should it? Alexandra Bretschneider from RiskProNet Cyber Practice discusses how remote working has put cyber insurance to the forefront for businesses. The cyber world is still very young. Countries are still figuring out the proper legal action to deal with hackers. The insurance world knew this was coming. Now that we’re all online and working remotely, cyber insurance to protect against ransomware attacks is an important decision for all businesses. For more on cyber insurance, listen to the full episode.

Ransomware and Cyber Insurance Transcript

00;00;00;07 – 00;00;30;20
Alexandra Bretschneider
I think it’s a mix of all the above, right? I think we would be naive to say that all of these governments out there aren’t considering cyber as a part of warfare now, right? It is a tactical methodology to wage an attack on another country. And so what does that look like? Right. Whether it’s interference with elections and misinformation and media, or is it a direct attack and shutting down infrastructure.

00;00;30;23 – 00;01;02;22
Chip Arenchild
Welcome to Know Your Risk and Insurance Coverage with RiskProNet, where we will discuss all things insurance for you and your company. RiskProNet is a network of independent agencies who offer specialized insurance across business sectors. Regardless of where you are in your insurance journey, we want to invite you to join us to think about insurance differently. Know Your Risk and Insurance Coverage with RiskProNet provides answers to all your insurance questions.

00;01;02;24 – 00;01;28;04
Chip Arenchild
Hey, welcome everybody to RiskProNet’s podcast. And I’m really excited today that we get to visit a little bit about a topic that seems to be really pertinent to everybody right now. And that’s cyber insurance. And today our guest is the leader of the RiskProNet cyber practice group. Her name is Alexandra Bretschneider. She’s with Jake Jay in Philadelphia, Pennsylvania.

00;01;28;04 – 00;01;30;19
Chip Arenchild
So Alexandra, good morning. How are you?

00;01;30;21 – 00;01;33;17
Alexandra Bretschneider
Good morning, Chip. Thanks for having me. I’m excited to be here.

00;01;33;18 – 00;01;54;14
Chip Arenchild
Oh, we’re really glad to have you. Thanks for agreeing to be on the call. So let’s just let’s just jump in to tell me first, though, what’s going on in the cyber world and from your perspective, I know you lead the cyber practice group, and I know all you do is cyber insurance. And Jake is a nice size firm in Philadelphia with international clients as well.

00;01;54;14 – 00;01;57;20
Chip Arenchild
So give us a little background on what you’re doing right now, please.

00;01;57;22 – 00;02;22;11
Alexandra Bretschneider
Sure. So, it was a little bit fortuitous for both Jake and myself that we came together from my background. Actually, before joining the insurance world, I was in IT consulting, so I started my career at Ernst and Young and Think advisory practice, went on to do some telecom consulting, found my way into this crazy thing called the insurance world a little over six and a half years ago.

00;02;22;13 – 00;02;49;08
Alexandra Bretschneider
Naturally kind of gravitated towards this, this whole cybercrime things. And we’ve developed this practice around this and, you know, back in and coverage assessment, benchmark and data, providing resources to our clients, we really value the partnership that you need to create to be successful in the cyber world. So that’s from an insurance carrier perspective. Law firms right now in the right, privacy firms and who plays well in this space, the forensics firms.

00;02;49;11 – 00;03;13;09
Alexandra Bretschneider
And then the big thing that’s really started to unravel in these last, I’d say, 18 months is the need for more preventative resources. So I have a live relationship in partnership. We’ve developed really the IT and cybersecurity space because, as these brokers who are listening know, when we’re going through insurance renewals now, the carriers are putting a lot more scrutiny on their cybersecurity controls.

00;03;13;11 – 00;03;34;01
Alexandra Bretschneider
And so because of that, oftentimes my clients are saying, hey, we’re not up to snuff. Apparently, according to this application, we don’t have our client controls in place. How do we get that? Right? And as brokers, we don’t ever want to be pure IT consultants. Right. But we do want to be able to be that robust risk management partner.

00;03;34;05 – 00;03;47;26
Alexandra Bretschneider
So having partners in that space, so you can say, hey, I know a couple firms that can help you deploy MFA, that can help you put an endpoint detection and response system in place. Having those is really important.

00;03;47;29 – 00;04;07;24
Chip Arenchild
Yeah, I can understand that. When I think about cyber insurance in the in the history of it, in the insurance industry, I remember when it started, even though I’m 20 plus years doing this, and I remember, you know, there’s a few carriers doing it and everyone said, oh, you’re going to need cyber insurance. And how it started off with people being concerned about losing someone’s identity.

00;04;07;27 – 00;04;39;21
Chip Arenchild
And now what? It’s I’m amazed at how quickly it’s morphed into what it is today, how identity theft is really not the number one thing as much as, ransomware attacks and things to your system and the potential to do harm that way. What we saw with the pipeline, what have you seen in the six and a half years that you’ve done that from when you started to where it is today, how the coverages have changed and as brokers and as clients, are there gaps that need that, that you recommend people cover?

00;04;39;21 – 00;04;52;19
Chip Arenchild
For example, one thing I used to think about was crime and cyber were separate, and now they seem to be blending together. Any recommendations that you might have for clients and brokers as to, hey, you really got to make sure and pay attention to these things.

00;04;52;21 – 00;05;12;23
Alexandra Bretschneider
Sure. So let’s see the first part of your question around transition, right? So five, six years ago when I joined the industry, to your point, Chip, that was really about data breaches. So the only organizations that really seemed to care about cyber were the ones that I already knew that were dealing with proprietary or super private information. Right.

00;05;12;23 – 00;05;35;12
Alexandra Bretschneider
So private health information from primarily a health care organization or financial services slash retail organizations, people who had the financial piece to their operation and, you know, us as laypeople really only cared about it so much as we would eventually maybe get a letter in the mail letting us know that our information may or may not have been breached in here.

00;05;35;15 – 00;05;40;15
Alexandra Bretschneider
Free credit monitoring for two years if you want. And you really never heard that.

00;05;40;15 – 00;05;57;25
Chip Arenchild
That’s funny you say that because the only time it started to become important to my clients is when I think a health care provider was, breached and all said, and they got a letter and they go, oh, this is real, right? But up until that point it never registered. So anyway, I think I understand that what you’re saying, I think probably most of us do.

00;05;57;25 – 00;05;59;01
Chip Arenchild
So go ahead please. Yeah.

00;05;59;02 – 00;06;29;01
Alexandra Bretschneider
Well, and if you think about health care, they really led the charge on this, back to HIPAA back in 1996. Right. They’ve had to learn a long time ago that they had a duty and a responsibility to manage our private information and particularly health information. Since then, you know, I felt the next wave, and this was probably 18 and 19, 2019, I’d say, where social engineering attacks, phishing attacks were what exploded now.

00;06;29;01 – 00;06;49;09
Alexandra Bretschneider
So it was to a point where across our client base, it was almost once every other week we’re getting that call. Hey, we fell for something and we sent money or information. I had one client send out 3,000 W-2s in the middle of tax season to somebody who was not who they thought they were. But usually it’s financial.

00;06;49;12 – 00;07;10;23
Alexandra Bretschneider
I’m still getting those calls. I had one for $2.5 million earlier this month. So it’s still happening. So that was the next big wave. And then of course, with ransomware. Now I have a quick anecdotal funny story for you. When you look back at my last company, which was a 25 person happening, this is free insurance for all.

00;07;10;25 – 00;07;33;02
Alexandra Bretschneider
We actually suffered a ransomware attack in 2012. This is before it was ever even called ransomware. One day we couldn’t get into our shared drive in our cloud. You know, like that when you’re in a small company, they wear many hats. It with our CEO of our CFOs, that’s operations personnel that she paid $350 for us to get our files back that day.

00;07;33;08 – 00;07;54;04
Alexandra Bretschneider
And we paid it. We got our files back and we all went on with our lives not knowing really any differently. So ransomware has actually been around for a long time. It just didn’t take off until it became its own serviceable model that almost anybody can deploy. Right. You hear ransomware as a service is now possible. So now flash forward into 2020.

00;07;54;06 – 00;08;18;19
Alexandra Bretschneider
Ransomware had already been a significant threat. But then with the migration to remote working, you had all the defenses down and the priorities of every organization shifting elsewhere just to stay afloat, modify operations, navigate the new world. It just created, the the worst possible scenario for businesses to be then susceptible to ransomware attacks. We weren’t ready.

00;08;18;20 – 00;08;45;06
Alexandra Bretschneider
We weren’t thinking like that. I mean, I know many organizations, even laxed their password changing controls just because they said, hey, it’s already been hectic enough for our users to have to go work remotely and try to figure that out. Let’s not make them change their password every 30 days like we were used to doing. And so all of those things, and the fact we weren’t using commercial grade equipment and technologies at home, created this opportunity for ransomware to take off.

00;08;45;06 – 00;08;55;03
Alexandra Bretschneider
So it’s exploded. And with that, so have the dollar amount being demanded. And the methods that these hackers are using to proliferate these.

00;08;55;09 – 00;09;23;19
Chip Arenchild
They’re almost like pirates. I don’t know of a better way to say it. It’s the it’s the modern, the 21st century pirates. It’s interesting to me. I one of the things I tell, people about is and I don’t know how to do it is how do you find bitcoin if you’re going to pay bitcoin. And then also that people were paying the ransomware demands, but now hasn’t there been a shift in the government and even a shift in some coverage forms that if you do make a payment, maybe your coverage may not?

00;09;23;23 – 00;09;41;14
Chip Arenchild
If, excuse me, your your coverage may not apply if you go to some of these known blacklist, ransomware sites. And I think that’s one of those things that a lot of people are unaware of, of that shift. And I believe even the FBI is recommending or even doesn’t want you to make any payments. Now, is that correct?

00;09;41;17 – 00;10;03;07
Alexandra Bretschneider
Yeah. Let’s talk about the regulatory perspective for a minute. So a couple things. OFAC, the Office of Foreign Assets Control, issued an advisory back on October 1st, 2020. And it was funny, the response that transpired publicly, because it was, oh, my God, I didn’t know we weren’t allowed to pay foreign criminals. But the reality was that was already the case.

00;10;03;09 – 00;10;35;14
Alexandra Bretschneider
OFAC was simply issuing a reminder that, hey, it seems that ransomware is really starting to take off. This is a reminder that you can’t just pay anybody. If the attack is being done by a known terrorist group, you may not pay them, and they have their blacklist of criminals. Fortunately, as laypeople, we don’t have to memorize that list when you’re going through a cyberattack and fortunately have the support of a cyber insurance policy.

00;10;35;17 – 00;10;57;00
Alexandra Bretschneider
The attorneys, the forensic experts, all of them are checking those lists before you’re in a position where they’re going to recommend that you pay a criminal because the sanctions are are significant. I no one wants to be on the wrong side of looking at the government. What’s been interesting is this new administration really seems to be taking a harder stance here.

00;10;57;00 – 00;11;18;26
Alexandra Bretschneider
And it’s been interesting because, you know, I follow these things and I hear them certain lawmakers, to your point, you are calling for, you know, for the law to be passed that no longer allowed to pay ransoms, period. Otherwise, I’ve seen that other lawmakers are taking a more, I guess, respectful approach in terms of what’s best for businesses out there.

00;11;18;28 – 00;11;48;24
Alexandra Bretschneider
And they’re saying, hey, instead of penalizing the victims of the attack by saying they can’t pay and leaving them with no potential recourse, how about we sanction the organizations and the countries that are harboring these hackers? So they’re now talking about issuing sanctions against Russia, against China, against any other country that is harboring and protecting and not pursuing criminal charges against known hackers.

00;11;48;26 – 00;11;59;12
Alexandra Bretschneider
So a different approach where it’s more of a hey, we’re actually going to go after the attacker rather than leave the victims without any options by taking away their ability to pay to get out.

00;11;59;14 – 00;12;19;04
Chip Arenchild
Good. You know, we’ve heard I don’t know what the rumors are. Maybe you can verify that. You know, there’s just warehouses full of hackers sitting in certain countries, right? Just all day long trying to put a Trojan horse in your system. And do you think that’s accurate or or how do you have any feel for how this is being done that you could share with people?

00;12;19;11 – 00;12;24;24
Chip Arenchild
And or is it literally just some somebody sitting in their basement doing it?

00;12;24;26 – 00;12;54;03
Alexandra Bretschneider
I think it’s a mix of all the above. Right. I think we would be naive to say that all of these governments out there aren’t considering cyber as a part of warfare now. Right? It is a tactical methodology to wage an attack on another country. And so what does that look like? Right. Whether it’s interference with elections and misinformation and media, or is it a direct attack and shutting down infrastructure?

00;12;54;07 – 00;13;19;15
Alexandra Bretschneider
You know, that in Florida we had the water issue where they attacked the, machinery. Purifying the water system. So there’s so many ways that you can have a legitimate impact on a nation state, just by interfering with technology. So I think we’d be naive to say that. That any government isn’t considering how to use that to their own benefit if and when that situation arose.

00;13;19;22 – 00;13;46;09
Chip Arenchild
Yeah. Okay. You brought up a good point there about the Florida water attack and manufacturers being vulnerable to now being hacked. And I know we saw that with Target. Right. Wasn’t it their HVAC contractor where they got in the back door to get into Target? What are you recommending for manufacturing clients, or do you have a checklist that you use or some way to take a look at exposures to say you have vulnerability in these spots?

00;13;46;09 – 00;13;49;00
Chip Arenchild
And what do you what’s your thoughts there?

00;13;49;03 – 00;14;11;16
Alexandra Bretschneider
Yeah. So actually you touched back on one of the things you were discussing earlier. Because ransomware now is the major wave of what we have to be concerned about is we leveled the playing field. Frankly, what types of organizations have to care about cyber? And the answer to that is everyone. Yeah. No one can operate now successfully for a long period of time without their access to their own network.

00;14;11;23 – 00;14;33;02
Alexandra Bretschneider
Right? It doesn’t even matter what type of business you if you can access your email, you can’t access your point of sale system, your industrial control system. As a manufacturer, it doesn’t work. That’s going to impact your supply chain and everything thereafter. So it’s to the point now where I can’t think of an organization that truly doesn’t need to buy cyber whatsoever.

00;14;33;05 – 00;14;55;09
Alexandra Bretschneider
The exposure is there for anyone and everyone specific to manufacturers that contract that supply chains. You know, we talk about supply chain and cyber. I mean a few different things. There’s the IT supply chain. And the examples of that are the seller and the Ryan and Chris attacks, where you’ve got an attack going through an IT provider, a system that then attacks all of the clients using it.

00;14;55;12 – 00;15;31;09
Alexandra Bretschneider
Then you’ve got manufacturers who have their own supply chain, you’ve got dependencies, right? So if you’re dependent on raw material from only one provider, and that provider goes down with a ransomware attack, so that has nothing to do with your own operations. You have a dependency on them to be able to manufacture your product. So a cyber insurance policy, depending on the carrier, depending on how it’s structured, may offer you business interruption coverage in the event one of your dependent non-IT providers suffers a ransomware attack and you can’t get your product because they’re down from some type of cyber incident.

00;15;31;12 – 00;16;06;16
Alexandra Bretschneider
Beyond that one other piece I look for, the concept of silent cyber has come up a lot, and there’s a lot of blurring with cyber and other types of policies. You know, we mentioned crime already. We’ll come back to that. But we with manufacturers, one of my concerns is property damage. If someone were to hack into an industrial control system and they just shut off a valve or shut off the bell, anything at all minuscule like that, and it causes the machine to jam up and and break and shut down, that is not triggering your property policy.

00;16;06;19 – 00;16;36;10
Alexandra Bretschneider
There was no fire, no water, no explosion, right? There was nothing to trigger coverage for your property damage under your traditional property policy. Property doesn’t cover cyber incidents. So there’s oftentimes a supplement you can buy on a cyber insurance program for property damage. And you’re not ever going to see full limits on that. Right. So we’re not going to be buying cyber policy in the amount of, you know, the I, building limit.

00;16;36;11 – 00;16;40;20
Chip Arenchild
Yeah. Our typical boiler machinery limit, which just matches your property limits.

00;16;40;20 – 00;17;02;04
Alexandra Bretschneider
Right. Yeah. We’re not going to be seeing that. But I if I’m an acquisition I would. Sure. I’d rather have a couple hundred thousand dollars at my disposal to repair a machine that I would not have had otherwise. So I look at business interruption coverages for manufacturers. If you’re talking to a manufacturing organization, they don’t care about data breaches.

00;17;02;07 – 00;17;21;02
Alexandra Bretschneider
That’s not what gets their interest when it comes to cyber. They have proprietary information and they may want to protect that. But cyber isn’t covering the cost of your IP, right. It’s covering the cost to maybe duplicating, but it’s not covering the value of your IP. So cyber for them, when you’re talking to manufacturers, you have to talk their language.

00;17;21;09 – 00;17;42;29
Alexandra Bretschneider
And it’s all about uptime and being able to manufacture and meet your your timelines and have your supply chain running at optimal speeds. So if a cyber incident can get in the way of that, that’s when they start to listen. And the question becomes, you know, if the average downtime is 15 to 23 days, depending on which statistic you look at.

00;17;42;29 – 00;18;01;17
Alexandra Bretschneider
And I will tell you, in my experience, that has definitely held true regardless of whether or not you pay a ransom, a typical ransomware attack, you will be down for that long. What did that look like to your bottom line? How does that impact you? And then taking it a step further, the next big piece I look at is reputational harm coverage.

00;18;01;20 – 00;18;21;16
Alexandra Bretschneider
Okay, if you’re down for 20 days and you’re next level in your supply chain, can’t get their their widget from you, and they now go to somebody else and they say, now, I’m glad you were down for those 20 days. I had to find another supplier. I’m going to stick with them. You don’t have a residual business interruption impact.

00;18;21;22 – 00;18;33;15
Alexandra Bretschneider
You’ve lost customers as a result of this. So there’s reputational harm coverage. That’s incredibly important to consider for manufacturers in the event something like that transpires.

00;18;33;17 – 00;18;55;01
Chip Arenchild
It’s just amazing how far it has come in a short period of time. And one of the things that’s most fascinating about the insurance marketplace, to me in general, is everything works until it doesn’t. And I think right now that’s an example of the cyber we were going along with cyber insurance, and the carriers are trying to get us to promote it.

00;18;55;04 – 00;19;15;07
Chip Arenchild
It’s a new line of coverage for everybody to to sell this new, profit center for them. And then it’s gone. Fine. Right. And it’s morphing a little bit. And then literally, it seems like in the last six months or since the Colonial Pipeline, man, it’s just turned on its head overnight. And what was acceptable last year isn’t acceptable this year.

00;19;15;09 – 00;19;30;25
Chip Arenchild
There’s a consumer buying insurance. What are the things that you think are most important for them to be paying attention to right now? And then where do you think this is all headed? That they should be as they’re looking to make their budgets going forward in the future? What should they be thinking about?

00;19;30;27 – 00;19;52;04
Alexandra Bretschneider
Yeah. So it’s interesting. When I had gone through my seven one renewals, I said a big renewal pioneer. Right. In 2020, all of my cyber renewals were flat. Yeah, we were in the thick of really the rise of ransomware. But my renewals were flat. Everything was good. Even heading into the fall, renewals were okay.

00;19;52;04 – 00;20;13;21
Alexandra Bretschneider
And then where I first felt the market whiplash, as I call it, was actually on one one. I had a few healthcare organizations that said to me, we were scrambling at the last minute to address these significant rate hikes and concerns by the insurance market about control. So I then wrote a white paper in January about the market whiplash.

00;20;13;28 – 00;20;40;06
Alexandra Bretschneider
It really felt like that, to to the brokers and to our insurer. And so while on one hand, I fully support the, intent and and desire behind this, scrutiny that that’s been unveiled from the underwriting. Well, you know, we’re forcing private industry to catch up with our cybersecurity controls to do better, to be better so that we’re not in positions where we have to pay ransoms.

00;20;40;09 – 00;21;01;04
Alexandra Bretschneider
Those are good things. I think the timing of it was a bit harsh. I think we needed better communication from abroad. Strip perspective from the insurance world that this was coming, that this is the intent of what they would be looking for, because it certainly made the brokers job a lot more difficult, their bosses and the bearer of bad news.

00;21;01;07 – 00;21;23;28
Alexandra Bretschneider
And oftentimes you’re even being told at the last minute that these insurance companies don’t want to write it anymore, or it’s a 400% increase, right? I’ve seen that before. So as a broker, one of the most important things you can do is have the conversation with your client. Now, anyone that you have a renewal with in the next six months, talk to them now about what’s expected of them.

00;21;24;00 – 00;21;59;13
Alexandra Bretschneider
So when I take a look at an application that one of my clients please, I look at it and I will give them feedback before I send it to the marketplace now. So there’s a list of things that are absolutely going to be required. And then there’s your nice to haves. And so if I see you don’t have something absolutely required, because multi-factor authentication is one of the first ones that comes to mind. It’s really become expected now that you’re going to have segregated backups in some capacity, right, so that you’ve got that option to potentially fail over as long as your backups aren’t also compromised.

00;21;59;15 – 00;22;24;26
Alexandra Bretschneider
Not having publicly enabled Remote Desktop Protocol. There’s different resources out there that you can try to help your client run a scan so that you can see that they’re locked down already. So those are kind of your top three must haves. Almost can’t move forward, almost not insurable without, depending on the size of the organization. Then there’s the nice to haves that by this time next year might be must haves.

00;22;24;29 – 00;22;42;09
Alexandra Bretschneider
Okay I’m telling my clients now, hey, you’re not doing this yet. Can we agree you’re going to have to put this on your your strategic plan for the next 6 to 12 months. Because if you’re going to agree to that, I’m going to share it out with the insurance companies and let them know you recognize these things are important.

00;22;42;15 – 00;23;06;22
Alexandra Bretschneider
We may not have them in place already, but we’re going to do them. And so then even if we don’t have it now, by the renewal next year, we’ve done it. We’re in good shape. And so if it does become a must have, we’re already back. So examples of those things: having an EDR tool, I mentioned that already, endpoint detection and response; having an intrusion detection system; having next gen antivirus software.

00;23;06;22 – 00;23;33;22
Alexandra Bretschneider
So those are your more technical pieces. Another slightly more technical one, have somebody conducting a third party pen test or a vulnerability assessment. Right? At this point, depending on the size of your organization, it is reasonable to expect you would have had some kind of vulnerability assessment. In the last couple of weeks, I’ve seen a lot of my clients from our business that was very significantly in scope and breadth, so some have been much more costly than others.

00;23;33;22 – 00;23;55;01
Alexandra Bretschneider
So it’s something that needs to be considered. But if you’ve never done it, it’s got to be on a plan to have done, another big thing you’re looking at now, what is your patch management program? Right. When we think to the Equifax breach, right. That was a known vulnerability that had a patch available that Equifax did not deploy timely.

00;23;55;04 – 00;24;25;10
Alexandra Bretschneider
So they could have entirely prevented that significant use. Right. A data breach back in 2017. And they just didn’t patch timely. So looking at what is your frequency of deploying a patch for a vulnerability? Another couple of big ones having an incident response task. Right. So actually thinking through what will we do if we suffer a ransomware attack, it doesn’t have to be perfect, but thinking through it puts you ten steps again ahead of the organizations who have not.

00;24;25;13 – 00;24;44;19
Alexandra Bretschneider
And then the last one I’m really, really big on, and I say this all the time, you know, you can go broke buying every cyber security technology out there. You can go broke buying insurance. The best defense is actually employee training. Yeah. You know, and that’s a cultural shift. Employee training can’t be a check the box approach.

00;24;44;19 – 00;25;09;05
Alexandra Bretschneider
We didn’t want the here and now we want training and right right right. So continuing message to our employee base. And it needs to be built into our onboarding. Right. And I’m talking you know, every type of organization out there when you onboarding employee data security and owning the privacy and security of an organization’s data has to be part of every employee’s job description.

00;25;09;12 – 00;25;23;24
Alexandra Bretschneider
You are responsible for maintaining the integrity of our system as best you can. That just needs to be understood. We’re all responsible for that. And so I would spend my money, time and energy on really quality employee training.

00;25;23;26 – 00;25;57;23
Chip Arenchild
Well, that’s a great point. I think of what we do internally and I’m sure what other people are doing, and it’s such a fundamental shift if you just listen to the things you just spoke, from the absolutes to the nice to have, none of it is insurance, right? Our roles are changing as brokers and being consultants, and what we have to be knowledgeable about are to find partners like you described early on, that you can refer people to, that you can trust and you know are a good job and vetting those, it really fundamentally changes our role.

00;25;57;23 – 00;26;25;08
Chip Arenchild
And this risk is really a 360 view into a company where things are shifting. I it’s fascinating. And again, that’s what makes insurance a fun industry to be part of. You mentioned earlier that being formerly being an IT consultant, how has that helped you make this transition to being a broker? And what do you think is the most valuable thing you bring your clients with that prior knowledge that you have before, getting into this role?

00;26;25;10 – 00;26;50;09
Alexandra Bretschneider
Yeah, I think, you know, that’s actually a fairly simple response, which is really that I’m able to liaise between the CIO side of the house and the CFO side. Right. So actually, going back to your first question about really, it’s really a pendulum swing that happens in a cyber world. You looked at internet liability back, you know, in the 90s, 2000 era, those applications for insurance required IT to sell them.

00;26;50;09 – 00;27;19;17
Alexandra Bretschneider
And then the pendulum swung. This became the gold rush coverage. And every insurance company and their mother wanted to write insurance. Yeah. So they minimized the number of questions. That’s right. You can get a quote with three three. Right price, revenue and a company name and suddenly provide cyber insurance. So the pendulum swung. And, you know, this was that kind of five years ago timeline, even probably 3 or 4 years ago, you didn’t need it involvement in order to buy the coverage.

00;27;19;17 – 00;27;43;26
Alexandra Bretschneider
And now the pendulum is going back. So now the way these applications are structured, typically the person who’s managing the insurance renewal can’t answer these questions alone anymore. So they’re involving their in-house or outsourced IT departments in answering those questions. Right. And so the value I bring is being able to have the conversation with the receiver at the same time.

00;27;43;28 – 00;28;05;00
Alexandra Bretschneider
And that’s really important because when I talk about, you know, all right, how do we manage cyber risk? It’s a holistic issue, right? It’s not just an IT problem. And it’s certainly not just a CFO problem. What we’re going to solve are buying insurance. You have to look at people, process and technology. You mentioned the Target breach, right.

00;28;05;00 – 00;28;31;27
Alexandra Bretschneider
And that it was actually for the HVAC provider. I think most people know that story. The story that doesn’t get told that I love to share. Target had the right technology. They had it true, an intrusion detection system, an IDS, and it actually worked. It detected that somebody got in who was not supposed to. So when someone came through that actually had vendors connectivity to their network Target system.

00;28;32;00 – 00;29;01;29
Alexandra Bretschneider
No not no no. It’s a hey, someone’s in here. They fail on the people and the process side. No one reviewed the alarm and no one acted on the alert. So cyber isn’t solved just by technology. Cyber isn’t solved just by buying insurance, right? Cyber has to be done holistically and needs to include the CFO, needs to include the CIO and include HR because it’s got to be part of employee training and understanding of how we protect our organization.

00;29;02;02 – 00;29;23;14
Chip Arenchild
That’s a great answer. And it’s, so often. Right, we it is people and process that it all boils down to. And so many of the things that we do. Can you talk a little bit about artificial intelligence or AI in cyber? That is this is one area in insurance where you have really seen, I think it’s the use of AI, and you could confirm it for us.

00;29;23;16 – 00;29;37;01
Chip Arenchild
Where now when you go to run an option, they’re giving you an assessment of your applicant, or you have to plug in their website and they do assessment. How do you see AI being used in the underwriting of an entity for cyber insurance?

00;29;37;04 – 00;30;01;13
Alexandra Bretschneider
Yeah. So what they were doing is they’re running a public facing scan. So your organization has some connectivity to that to the public. Right. It’s your website. Typically. That’s why they ask for your domain address. And they’re saying okay, what is publicly accessible out there. Because the less sophisticated hackers, that’s where they’re starting. So that comes back to that idea of remote desktop protocol.

00;30;01;20 – 00;30;22;29
Alexandra Bretschneider
So for the non-tech people on a phone think of Remote Desktop Protocol as though you’ve got your physical building and that’s your network. Having publicly enabled Remote Desktop Protocol is like leaving one of the doors of your building wide open. That’s why did you not close it and not lock it? You just left it open and anyone can walk in and out.

00;30;23;01 – 00;30;41;02
Alexandra Bretschneider
So that’s the type of thing that you’re looking for. And you’ll see when they run these scans, if they detect something like that and secure report, they’ll tell you, hey, not only do you have to lock that down, but I’m not going to make sure you for the next 60 days because I want to make sure nobody walked in and out of it during this time that it’s been open.

00;30;41;04 – 00;30;43;18
Alexandra Bretschneider
Okay. If that does that make sense for.

00;30;43;22 – 00;30;44;08
Chip Arenchild
Yeah.

00;30;44;11 – 00;30;46;04
Alexandra Bretschneider
Want it back. One of the things that they’re looking.

00;30;46;04 – 00;31;11;28
Chip Arenchild
For it makes sense I think, is this has kind of been thrust upon everybody on this at this renewal cycle. And we’re used to not necessarily knowing all the terms. I think a lot of brokers are walking in blind for their clients right now, so they don’t have the expertise like you’ve spoken about here. They probably don’t have a group like RiskProNet to reach out to other resources for markets and for technical advice.

00;31;11;28 – 00;31;20;25
Chip Arenchild
And so they’re just taking whatever the wholesaler tells them or whatever the policy has been renewing it. And I think they’re leaving their clients vulnerable.

00;31;20;27 – 00;31;50;22
Alexandra Bretschneider
I think one of the other challenges we have for being eyes is that the underwriters don’t necessarily know. Right? So there’s been you know, when I joined insurance, they’re all coming from that background. And I first looked at a cyber policy, I actually remember talking to an underwriter very early on. I looked at a cyber application and I said, you have no idea what you’re asking, because every question on here tells you nothing about the security posture of this organization from a cyber standpoint.

00;31;50;29 – 00;32;11;21
Alexandra Bretschneider
Now, they’ve certainly gotten much better. The and then the result of that is now we’re being asked all these questions, we might not be up to snuff. And we’re being told that we can’t have the same coverage for the same price that we had before. But they’re getting better. They’re getting more educated, as they are able to then share those resources that, you know, through the supply chain down to the brokers.

00;32;11;21 – 00;32;27;22
Alexandra Bretschneider
And the brokers will be in a better position to have those conversations. So the best thing you can do is come up with your chapters in which, you know, I must have and you’re nice to have share it out with the client. And it’s okay to say, hey, I’m not the expert on how these things should be done and what they need to look like.

00;32;27;24 – 00;32;39;03
Alexandra Bretschneider
I just know for you to be insurable, these are the types of things that they’re looking for. And so if you want get a conversation with the right people to talk through that and make sure that you’re in the best position possible.

00;32;39;05 – 00;33;01;01
Chip Arenchild
Do you have any recommendations on how brokers should go out and create these partnerships that you describe, that you have any recommendations on how to validate if someone’s good or bad? I would imagine right now IT security people are popping up like weeds in the grass. In terms of opportunities that are arising, how do you validate who knows what they’re doing?

00;33;01;03 – 00;33;20;21
Alexandra Bretschneider
That’s a really good question. I am inundated when cyber Frank talking to me all the time. The reality is, you know, if we’re being honest with brokers, we kind of do the same thing. They all say they’re very good at everything, right? But they’re all the jack of all trades. So I’m quick to say, okay, what is your bread and butter?

00;33;20;25 – 00;33;36;21
Alexandra Bretschneider
If I were to ask someone what you’re absolutely young for doing fast, what would they say? And then that starts to narrow down the scope of why I know they have expertise. I then want to know, you know, what are your client? What is your client base look like with your experience? How long have you been doing this?

00;33;36;21 – 00;34;02;20
Alexandra Bretschneider
With the experience the folks on your team? Some of these firms might be newer, and that’s okay. But if they’ve got a team of former, you know, NSA agents on there and they’re, you know, they’re remarkably intelligent individuals, we might be okay now if they’ve got that kind of sophistication beyond that, you know, it’s okay to ask, have you had a client go through a cyber attack before and what’s been your involvement and experience?

00;34;02;20 – 00;34;21;23
Alexandra Bretschneider
Is that right? I, I’ve had a couple of ransomware attacks in the last couple months with clients who were using outsourced IT providers and in a couple of the cases, it was embarrassing to see the response of the outsourced IT from, you know, it’s one thing can maybe not have had any experience and that knows exactly what to do, right?

00;34;21;23 – 00;34;45;17
Alexandra Bretschneider
That’s actually why we have insurance. Insurance is going to get your breach coach in there and your forensics and I will guide you through that. The problem really was on the communication. They got scared, so they stopped communicating and they shriveled up. And that can’t happen, right? If you’re in dire straits, you need communication more than anything. And so understanding what their experience of being in those situations is important.

00;34;45;24 – 00;35;05;28
Alexandra Bretschneider
And the last thing I would say is this really comes back to even managing supply risk for our organizations. Can you talk about the attacks or not? The someone with Orion Tech, what are your contracts with these providers? If I’m the broker, for one, am I IT firms? I’m trying to limit that as much as possible, of course, but vice versa.

00;35;06;00 – 00;35;18;07
Alexandra Bretschneider
You’re probably limited to the value of the contract, which could be in the tens of thousands of dollars. That’s not going to cover you in an incident. Right? Right. You understand what that looks like, even contract?

00;35;18;09 – 00;35;31;00
Chip Arenchild
Well, I think so many people just assume, hey, I’m working with this large entity. I just have to take whatever they tell me, and it is what it is. And they they don’t feel like they have any control over that whatsoever. On terms.

00;35;31;02 – 00;35;48;22
Alexandra Bretschneider
Back to the client that used to say, hey, I don’t need to buy cyber, everything I have is outsourced. That’s right. It’s not my responsibility. And I’d say, okay, take a look at your contract and then come back to me because I guarantee you in your contract, they’re assuming no responsibility for these things.

00;35;48;24 – 00;36;12;03
Chip Arenchild
Well, and this has been incredibly enlightening just to hear it. It’s such a deeper level. And you’ve done a wonderful job of just making it sound not necessarily easy, but outlining a plan that you could do. We’ve covered must haves and absolutes and nice to haves, and you probably have a checklist or something. And a lot of good information on where we’re at today.

00;36;12;05 – 00;36;19;06
Chip Arenchild
If someone comes to you and says, I need a cyber insurance broker, why would they pick Alexandra?

00;36;19;08 – 00;36;45;16
Alexandra Bretschneider
So I think it comes back to the same thing as we’ve already discussed, right. And being able to look at cyber holistically, right? Yeah, I’m just buying the insurance, understanding what you need to do to manage your profit. Because ideally when we’re selling our client’s insurance, they’re hoping they never have to do that. And I started to feel like about two years ago, I had a conversation with my client, five years ago.

00;36;45;16 – 00;37;07;11
Alexandra Bretschneider
Used to be, hey, what is this whole cyber insurance thing? I really need to buy it. Then it was finally okay, I get it on client. And then who? In the last two years? The second hand vendor. I’m buying cyber insurance. What else should I be doing? And so. And brokers need to thank me by advocating ourself and the types of things I’m talking about.

00;37;07;17 – 00;37;26;27
Alexandra Bretschneider
We don’t have to be. I can’t hurt you. Just have to know enough to say, hey, these are the things that are expected of you. I’m not the expert that’s going to help me implement it or figure out hi, and what background of your environment. But this is the things you need to be considering. And if we’re not doing that, you need to have a good reason as to why.

00;37;26;27 – 00;37;51;23
Alexandra Bretschneider
Why is our structure different and what are we doing that still sounds secure, right. When when when the market is this event where suddenly cyber insurance areas are inundated with submissions. Right. And they to we’re getting hit with these crazy increases and the challenges of getting covered. So we’re marketing now more than ever. So we have to go to more market which means their submission file is through the roof.

00;37;51;26 – 00;38;16;10
Alexandra Bretschneider
How do you differentiate yourself from just being that piece of paper? And virtual paper is right. So adding context to that discussion, that’s where I say if you’re talking now to having employee training or tapping, you know, they have a responsibility assessment rather than just leaving that up that in have that conversation that, hey, I thought we don’t do x, y and Z on the application.

00;38;16;12 – 00;38;35;13
Alexandra Bretschneider
Is this something that you can plausibly agree to implement over the next 6 to 12 months? Because then you can include that statement in your submission where you’re up front acknowledging, hey, we don’t have this, we don’t have that. Forget what they’re doing. And we’ve agreed that this is our timeline of getting that done. That’s a lot different.

00;38;35;19 – 00;38;51;16
Alexandra Bretschneider
You got underwriters who have only so much time today. And the second they see that first now, especially if it’s not a health professional indication, they don’t look at the rest of it. So we better have a good story. Now we almost like I do have an option today, but we’re going to have it by September 1st, right?

00;38;51;22 – 00;38;58;29
Alexandra Bretschneider
Give them something to work with so that your submission isn’t just another number. You pile and we come back freaking out now.

00;38;59;04 – 00;39;11;17
Chip Arenchild
Yeah. Good advice. Do you have any recommendation on wholesalers? You’re going direct for a standard broker throughout the United States who doesn’t have an expertise in cyber.

00;39;11;19 – 00;39;35;09
Alexandra Bretschneider
Partnering with a wholesaler? Mistake. Make a lot of them, right? I mean, wholesale relationships are strategic. You’re either using them to access markets you don’t otherwise have directly. And so for my organization, that’s oftentimes the access money to Lloyd’s. Right. A lot of avoid cyber program. Get it back right there. And I learn how to manage their evolving their coverage typically in the past.

00;39;35;09 – 00;39;42;02
Alexandra Bretschneider
That’s an advantageous and pleased with the evolving risk. Now they’re a little bit quicker to now evolving and reducing right.

00;39;42;02 – 00;39;44;15
Chip Arenchild
And restrictions here. Yeah.

00;39;44;17 – 00;40;05;15
Alexandra Bretschneider
But they’re able to really stay with it. Trying to let me know if ransomware right now. But what are we going to be talking about next year. We don’t know what is the next big cyber type of attack. Is it going to be more around data contracts, distributed denial of service? We don’t know. So making sure that we, you know, understand those things is really important.

00;40;05;18 – 00;40;20;20
Chip Arenchild
Okay. Well it’s great. Is there anything else you’d want to add or tell somebody, whether it’s a purchaser of insurance or another broker that’s listening to this podcast that you think’s really important? And it’s been wonderful today. So thank you.

00;40;20;23 – 00;40;42;09
Alexandra Bretschneider
Yeah I mean let’s talk a little bit more coverage. You know, I try to stay light on coverage when I’m getting my broader presentation because this is where you lose an audience, right? Hearing from. Right. So hockey coverage things we need to be thinking about. Adequacy of limits. I think gone are the days on $1 million limit for a health care organization is sufficient.

00;40;42;11 – 00;41;01;26
Alexandra Bretschneider
They need to be buying higher limits. Now. You could exhaust a million just on the ransom payment. I have nothing left over for the rest. Some of the cyber policies out there are uniquely structured, and things you should look for and be selling is when they have separate power of limit. Sometimes they’ll put the breach response separate from the policy aggregate.

00;41;01;26 – 00;41;23;13
Alexandra Bretschneider
So even though you’re maybe buying only a million, you’re getting that extra million for just the right and the breach can go back a lot of value in this world. When you got those these significant ransom payments that could erode your policy, having that separate power and those pieces outside of the aggregate are things we need to be selling more than we do.

00;41;23;16 – 00;41;52;01
Alexandra Bretschneider
Understanding. And this is, you know, part of that business interruption piece, whether or not a client has primarily on premise or hosted IT infrastructure, because that’s what’s going to have an impact on whether or not you need to be very concerned about the dependent or contingent business interruption limits. So oftentimes when I’m selling and I’m reviewing a policy for a prospective client.

00;41;52;03 – 00;42;14;02
Alexandra Bretschneider
And so it’s another broker that’s place that I’m looking at. And I go, okay, you’re buying a $3 million cyber policy. And that’s really great. But I just want you to know, you only get $1 million of real coverage for your business interruption. And that’s because you told me everything you have is hosted. You don’t have anything on premise and all, and your dependent business interruption has one to make it 1 million.

00;42;14;04 – 00;42;38;28
Alexandra Bretschneider
So all if your IT provider goes down, you only have a million of coverage versus if you had you back on your own, you could be on system, your own control, you would have had your policy. When have. And so that’s a little startling to folks who think they’re buying 49 elements, and they’re actually only getting one. So understanding the importance of that now, what’s happened in the underwriting world is they don’t want to offer you full limits automatically anymore.

00;42;38;28 – 00;42;51;22
Alexandra Bretschneider
For the pandemic, that was an option. You may not be able to get them, period. Or you might have to pay more to get them. And that’s because they’re looking at it and they’re saying, well, I underwrote ABC company based off 80 right controls. I didn’t.

00;42;51;22 – 00;42;53;08
Chip Arenchild
Underwrite that dependent.

00;42;53;10 – 00;43;16;25
Alexandra Bretschneider
IT vendor. So I don’t know what they’re doing. Now. I don’t want to agree to cover that. Whereas, you know, two years ago you could have gotten that full limits, no question. Now there might be some questions around it. So you actually see cyber applications ask you to list out who your IT providers are. They want to know what dependencies you have so that they have some clue as to why they’re underwriting. Reputational harm

00;43;16;25 – 00;43;38;24
Alexandra Bretschneider
I think is really big, depending on an organization’s operations. Those are things you need to be thinking about. I, you know, cyber insurance is so analogous to property insurance. So the way I often explain that is it’s like extended period of indemnity. So you’ve got your, your business income coverage for a while, you’re down and then you buy extended period of and then any of you have residual impact after you’re back up and running.

00;43;39;01 – 00;44;09;10
Alexandra Bretschneider
Same idea I’ve what reputation environment. Looking at we have some limits for or endorsing our coverage for bodily injury property damage, some even off air pollution. Looking at social engineering coverage, and then keeping an eye on the evolving regulations. Right. So, so much of cybersecurity by privacy law, privacy laws are not done evolving yet. We might see a federal one with this administration, certainly more modifications to state to state law.

00;44;09;10 – 00;44;12;12
Alexandra Bretschneider
So those are things we need to look out for from a coverage family.

00;44;12;17 – 00;44;34;00
Chip Arenchild
Well, that’s great. And you’ve done such a nice job of putting a bow on where we’re at today with the issues going on in cyber, some great advice for what brokers can do, as well as what clients should be paying attention to moving forward. So I think that’s going to be it for this morning. It’s been a pleasure having you on the podcast, and I guarantee we’re going to have you back.

00;44;34;03 – 00;44;43;06
Chip Arenchild
And we just look forward to being able to tell people about you and a jcg and what you guys are doing. And thank you for all your help within RiskProNet.

00;44;43;08 – 00;44;45;25
Alexandra Bretschneider
Thanks so much, Chip. I’m a cyber nerd. I’ll talk about this.

00;44;45;26 – 00;45;12;05
Chip Arenchild
All right, okay. Have a great day, everybody. Alexandra Bretschneider from Jcg in Philadelphia, cyber practice group leader for RiskProNet. We hope you enjoyed this episode of Know Your Risk and Insurance Coverage with RiskProNet. For more information about RiskProNet, please visit our website. You can follow us on Facebook and Twitter for insurance insights. From everyone at

00;45;12;05 – 00;45;15;28
Chip Arenchild
RiskProNet, we want to say thank you for tuning in and see you next time.
