About This Episode
Podcast Episode 21
January 6, 2026 - 39 mins
In this episode, we take a practical look at how cyber insurance fits into the broader world of organizational risk. While we often talk about risk from a security and compliance perspective, insurance brings its own lens, which has become increasingly important as threats evolve, and claims grow more complex.
Today’s guest, Mark Westcott, President & CEO of ACNB Insurance, breaks down the types of risks insurers care about most, how cyber policies are shaped and the key factors that influence underwriting decisions. We also explore how compliance frameworks and certifications play into premium pricing, risk scoring, and eligibility.
Learn about:
- The types of risks insurers prioritize—and why
- How insurers approach cyber insurance
- The connection between compliance standards, certifications and insurance rates
- Core benefits of cyber insurance beyond financial protection
- Whether regulations mandate cyber insurance and what drives adoption
- Key questions organizations should ask when evaluating cyber coverage
Episode Transcript
Cole French:
Security incidents are so common they hardly make front page news these days. If they do make headlines, a prominent element of the story is the estimated cost. The estimated cost begs the question, just how do organizations pay the cost to recover from security incidents? Join us for today’s conversation on cyber insurance and its importance in the ecosystem of an organization’s overall cyber strategy. Welcome to the Cyber Compliance and Beyond Podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is the leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now, let’s get to today’s episode and help you move cybersecurity forward.
Here on the Cyber Compliance and Beyond podcast, we talk a lot about risk. It is the most important consideration across the board for any organization. Accurate and holistic assessments of risk, along with the actions defined to mitigate them, are essential to the survival and thriving of an organization over the long haul. As is often said, it isn’t if a risk will be realized, but when and to what degree. As a follow-on to that, it is always better to be over-prepared than under-prepared. The conversation around risk most often centers on what could happen, the likelihood that it’ll happen, the impact, and mitigations. Following those considerations, perhaps the hardest and most important question to ask is, what’s the cost? Nothing threatens the existence of a business more than the cost being too great to bear. This is true well beyond the realm of cybersecurity, but the cost to cover cybersecurity risks is growing at an accelerated rate in ways different from other areas of risk.
As we’ll break down in today’s episode, cyber insurance is rapidly becoming an indispensable element of an organization’s overall risk mitigation strategy. Joining us for our conversation today is Mark Westcott. Mark is an experienced insurance industry executive with a strong background in brokerage operations, account management, and organizational leadership. He currently serves as president and CEO of ACNB Insurance Services, where he oversees a team of more than 50 professionals and the placement of over $65 million in annual premiums across commercial, personal, and employee benefits lines. We hope you enjoy this episode. Mark, I appreciate you taking some time to join us this afternoon.
Mark Westcott:
Hey, I’m happy to be here. Thanks so much.
Cole French:
So can you just give us an overview of what type of risks insurers are most concerned with as we get into this topic of cyber insurance? And we’ll even get into, later on, how compliance plays a role in that as well.
Mark Westcott:
Sure. I mean, I think one of the things that’s interesting about the industry is that it’s always evolving, always changing. For a long time, you had your core lines of coverage, at least as far as business insurance goes. So typically that’s property and general liability, workers’ compensation, business auto, and some degree of an umbrella policy. You can buy that up at varying limits. It kind of sits over the top of all of your liability insurances. And then you’ve got some of the professional lines and the specialty lines like directors and officers liability, employment practices liability, crime coverages, different types of coverage for projects, business builders risk coverage. And cyber liability coverage is one that tends to lay outside that core group. But I think over time it’s going to become something that’s integrated into that core group so that instead of those five primary lines of coverage, you’ll have six with cyber being a part of that.
Cole French:
So what are insurers looking at from a cyber insurance perspective? What are the most important considerations from your perspective?
Mark Westcott:
Yeah. So I think with the society that we live in today, I mean, so much is done on the web, so much is digitized. There’s so many things that are growing. The most recent thing that’s starting to impact some of these coverages, we’ll see how the AI movement starts to impact cyber liability coverages. But it really starts at the core business functionalities, usually within the IT group, establishing some protections for the data that they may keep on their servers, whether it’s third party data or their own data, and setting up business continuity practices to preserve their business and their revenue streams. Cyber liability and insurance is really just one piece of an overall risk management strategy. There’s all kinds of different things that you can do. Insurance is a risk transfer instrument. And basically what that means is, per contract, which is the policy, you’re transferring that risk to a third party, that being the insurer.
There’s other things that you can do, whether it’s putting up in this particular case, using firewalls and technology and multifactor authentication for things, there’s all kinds of things that you can do outside of just using the tool of insurance.
Cole French:
So when you are potentially, or when you’re evaluating somebody for a cyber insurance policy, you just mentioned multifactor authentication, firewalls, things like that. Are you verifying and validating that organizations have those in place? Or what degree of validation do you go to make sure they have those in place and that ... Because something we talk about a lot is organizations say, “Oh, I have this, I have that.” And they do, but maybe it’s not configured properly or it’s not fully implemented. So how do you go about, from an insurer’s perspective, validating that it’s actually functioning as intended?
Mark Westcott:
Right. So that’s kind of hard to do. It’s easier to do on some of the primary lines. So say for example, a particular carrier provides the property coverage for, you’ve got several warehouse locations and they want to come out and inspect some of them to make sure you don’t have pallets stacked too high. Make sure the building is made out of the things you say it’s made out of, make sure the contents are what you say it is, all that type of thing, that stuff is easy enough to do. Generally, cyber liability coverage placement starts with an application. And in both instances though, if you’re misrepresenting your exposure and what you’re doing to protect your exposure, if there is a claim situation, then a lot of times that will come to the surface and carriers will get to see whether or not you were truthful in describing your exposure.
There are certainly cases where people misrepresent and when a claim presents itself, a carrier can exclude it because, for example, I’ll use a property example, you told us the building was made out of steel and it’s actually wood frame, those types of things. And obviously one is more susceptible to fire than another. So you can do those kinds of things with cyber. I don’t know if there’s any particular tests that carriers do just to validate, whether or not to try to attack it or make sure that there are firewalls in place or not. Generally, they might interview folks from the IT department and do a survey, but again, they’ll leave it up to the insureds to represent their risk accurately.
Cole French:
Yeah, because I can see how that would be particularly challenging because the building example you just mentioned is I can go and look and see that it’s not steel, it’s a wood frame. Whereas with technology, it’s a lot more in the eye of the beholder, people can misrepresent or misunderstand. There’s a lot of variation that I think would be hard to predict, to A, predict and hard to prove at the end of the day.
Mark Westcott:
It is tough. And I will tell you that as this coverage was originally written, I think it’s been in place for about 20 years or so and evolved over time. Originally, it started out as something where claims filed for a hack of information could be filed under a general liability or even a directors and officers liability policy. And over time, the industry started to put exclusions on those policies and then write strictly a cyber liability coverage form, and they built that out over time. So a lot of times early on as this policy started to evolve, it would incorporate conversations or at least a survey from the IT department on what kind of firewalls do you have in place and that type of thing. And folks that were in that space tended to look at it as kind of like their kingdom. “Hey, I’m in the IT world, I know what I’m doing, I know how to protect my stuff.” And so they would take an affront to some of the questions and take offense to it, feeling like they were under the microscope for how they did their job and the decisions that they made with protecting data.
And so early on, one of the biggest obstacles was to get IT departments past that and say, “Hey, look, we’re trying to understand what the actual risk profile looks like for you guys and you may be doing all the things that you need to do and that’s 100% great.” But me as an underwriter on the other end of the conversation needs to understand what you’ve done and what things are in place so that I can price the risk appropriately.
Cole French:
Yeah. In the compliance space, we run into a lot of the same things. I would say probably similar to what you’re describing. I think it’s more in a historical context. It used to be viewed very much as an adversarial relationship, if you will, where it’s like, “Oh, my auditor or my assessor’s coming in to try to prove that I’m not doing my job like I say I’m doing.” I think we’ve moved past that to a large degree. I think organizations have grown to understand and appreciate where compliance fits in and how it benefits them. When it comes to insurance, do you guys factor in any sort of industry certifications, compliance certifications, things like that? Do those help offset risk from your perspective? How do you guys approach that?
Mark Westcott:
So there’s some of that, but it’s more about trying to write the right kind of narrative for a certain risk profile. And I’ll give you an example. So say for an example, again, we’ll go back to the warehouse example. If you’ve got your facility sprinklered, if you’ve got a safety program in place, maybe you’ve got a separate place to keep flammables, maybe you don’t stack pallets too high, all these types of things, maybe you’re keeping track of work comp and workplace injuries and trying to celebrate safety days and all those kinds of things. Those are things that we can put as an insurance broker, we can put into a narrative so that when we go out to the marketplace to look for the best coverage terms at the best price for you, we can represent that accurately and represent you as someone who’s a good business partner for an insurance carrier to do business with.
And so that’s really, it shouldn’t be a transactional thing. It should really be something where you’re trying to find good fits so that you’ve got a working relationship. And in that particular instance, as an underwriter, you can take more uncertainty out of the equation and uncertainty equals higher prices. So the more uncertainty you have in the equation and understanding that narrative and that risk profile, the higher your insurance premium’s going to be. If you’ve got a good risk profile and a good narrative, then you can get some discounts. On the flip side, if you’ve got another insured that doesn’t care about any of the things that I just mentioned, the insurer makes recommendations on things to do from a loss control perspective and the insured is unwilling to participate in any capacity, okay, that’s fine. You can do that. Those are business decisions, but what that then turns into is more uncertainty from the underwriting perspective and that generally leads to a higher price.
So where compliance fits in and where certifications fit in is that they fit into that narrative and the story that we tell the marketplace, “Hey, these guys, they do this, they check these boxes, they’ve passed this audit, they’re working with these compliance requirements, all these kinds of things.” And on top of that, if you guys have any recommendations, they’re willing to have a conversation with you and maybe adopt some of the suggestions you might add. Well, that tells an insurance carrier, “Hey, these guys not only run a good shop, but they’re a good business partner going forward. We want to take a shot on writing that piece of business,” and they’ll try to put together a good program for you.
Cole French:
Okay. So it really is on a case by case basis, it sounds like. And then the relationship with your insurer is really important.
Mark Westcott:
Very much so. We used to call it as a kid like whisper down the lane or telephone?
Cole French:
Yeah, yeah.
Mark Westcott:
Got a group of people sitting in a circle and one person says something just to one person and it makes it all the way around the room and it gets back to you. And usually what you hear at the end isn’t even remotely close to what you said at the beginning, right?
Cole French:
Yep.
Mark Westcott:
So the relationship between an insured and an insurance broker and an underwriter is very much the same. The underwriter doesn’t know anything about the insured’s particular business. It’s just something that they learn about through a submission request or a description of their exposures and their risk profile. They learn about it from the broker. The broker has to bear testimony as, “I’ve been out to the insured, here’s what I’ve seen. Do you want to see it?” That kind of thing. And then based upon that, the underwriter then evaluates all the risk values, think like an auto fleet, several locations, property exposures, the number of customers coming into the site, all that kind of stuff, and then they try to hang a number on it as far as a premium goes.
And so it’s hard to do that. So the more detail that you have about the insured and their approach to navigating their exposures, the better.
Cole French:
And the broker is who, if I’m an organization thinking about, “Hey, I think I want to get cyber insurance.” So the broker is who I’m working with. So that’s the relationship that you really want to focus on, build, strengthen, all those kind of things?
Mark Westcott:
Correct. So when you’re working in the commercial insurance space and insuring businesses, there aren’t very many insurance carriers that will write direct, meaning directly from the insurance carrier to the insured, the person buying the insurance. You can get small business owner policies from folks like Farmers or State Farm, some of those kinds of things, but you start getting into the bigger business space, then you have to go through a broker to get quotes. The general idea is that insurance is a complex instrument. Unless you’re in that space, you’re not really fully aware, fully educated on what you’re buying and what you need, all that kind of stuff. And so you need to work with a broker to understand the coverages that you might need and how they’re represented in the marketplace for finding best coverage terms.
Cole French:
That all makes sense. So in your opinion, what are the biggest benefits of cyber insurance? Obviously at a high level, it’s reducing risk, but are there additional benefits or could you just elaborate on the benefits? If I’m an organization thinking about, “Hey, I think maybe I should get cyber insurance,” what benefits would you say I’m going to receive, aside from just reducing risk?
Mark Westcott:
Sure. There’s a ton of them. I mentioned earlier how the coverage started with some of those first claims of businesses getting hacked and maybe they’ve got an online business and they’ve got 100,000 records or 10,000 records of credit cards, information from 10,000 customers or even more, and keeping that information safe and protected. So originally this coverage started out as a third party coverage. And so what that means is, a first party coverage is you and your own exposure on your own policy. So if you own a home, it’s you on your homeowner’s coverage. You’re the first party privy to that coverage. Third party would be if the damages are experienced by someone else, but the expectation is out there that you had something to do with the damages and you may be liable to someone else for those damages. So it originated as a third party coverage, which means that business owners would buy the coverage if they experienced a hack or were shut out of their systems or lost revenue streams or any of those kinds of things.
If a suit was brought against them, then the coverage would respond to damages for the violation of the private information. It would also cover things like the notification expenses that you as an insured might accrue in notifying the people that were affected, any kind of credit repair expenses that you might have to pay for the people that were affected, those types of things. Over time, carriers started to round out that coverage and started to add first party coverage elements to it. So again, I misspoke. If you’ve got expenses associated with notification expenses, then that could be covered. If you’ve got reputational and PR expenses that you accrue to try to repair your reputation, that’s something that’s also covered. If the hack damaged some of your computer system, that could be covered. If somebody called and said, “Hey, we planted a bug in your system, unless you pay us 100 grand, we’re going to turn it on and it’s going to destroy your revenue stream.” So the ransom coverage is there.
They’ve also started to add things over time for social engineering, which is someone posing as one leader within an organization sends a note to another person within the organization saying, “Hey, you need to pay this invoice or you need to send this entity $10,000.” So there’s hacks for that stuff. That’s the social engineering coverage. What’s also out there is invoice manipulation. So that’s where someone can hack into your system and say, look at your billing system and find out who some of your vendors are and create a separate invoice and send it to them and say, “Hey, you need to pay this amount for this service.” And then the vendor pays for it. They think they’ve paid you for the service that you’ve provided or the relationship, if you will, and it turns out that they’re paying a third party. And so now you as the first person and them as the vendor as a third party are both affected by it.
So there’s all kinds of things that are there. That coverage is evolving. The expenses are getting greater and greater. At first, you’d see limits at maybe a million bucks. Now to get two million, five million, $10 million worth of coverage is becoming more of the norm. The next wave out there is figuring out what to do with AI. Nobody really knows how to insure that liability yet. I mean, it looks really cool and sounds really cool. There’s a lot of good uses for it, but if you use AI technology and it turns into some kind of misrepresentation of your product or anything like that and it’s put out there for the public, who’s on the hook for that? Nobody really knows yet.
Cole French:
Yeah, I mean, that’s one of the things with AI is like, who do I actually attribute this to? And from what you’re just describing, insurance is, in a lot of ways, who can this be attributed to? And that kind of dictates how a policy functions. So if you have something like AI where, I mean, yeah, I guess it affects you as an organization, but who do I actually attribute whatever it was that took place to-
Mark Westcott:
It’s a real argument.
Cole French:
Yeah.
Mark Westcott:
Yeah. Does the liability lie with the professional that engaged AI to come up with whatever the answer was that they were trying to resolve with AI, or is it a failure in the AI technology? Is that the liability? Who knows? But I think what we’re all starting to see is, and you’ve seen this too with regards to email phishing scams and all this kind of stuff, where you’ve got the bad email addresses that don’t match up to where the thing is perceived you think it might be coming from. There’s usually that external email banner that’s on there. “This came from somewhere else,” and it doesn’t really make sense why somebody’s asking me for this stuff. We’ve been trained how to identify those things, but with AI technology, those kinds of things are going to get harder and harder to tell what’s real and what’s not real.
So does that make us more vulnerable to scams? Probably. Well, who’s liable for that? I mean, that’s going to be a systemic thing. Some unanswered questions.
Cole French:
How do you guys, as an industry, how does that ... I mean, obviously I’m sure you can’t talk to it at a micro level, but at a high level, how is that type of stuff? How do you guys figure that out from an industry perspective?
Mark Westcott:
It’s hard to know. So some of the C-suite executives that we’ve spoken to just in general like, “Hey, are you guys using AI?” A lot of times the answer is yes. “What are you guys using it for? And then have you guys given any thought to how you want to cover it for customers?” So usually the answer to the first question is yes, we use it. Two, the answer to question number two is we use it for internal things. So think like aggregating spreadsheets or writing slide decks for something, those types of things, but they’re not using it for external things. And then with regards to how to insure it, they usually say, “We have no idea. We don’t know yet.” But some of the things that you would want to consider is, as an underwriter, you would definitely want to know if an insured is using AI and how they’re using it.
If they’re using it for in house things, that may be fine, but if they’re using it as that first level of response to client questions or customer service stuff or inquiries or whatever, then that might not be a good thing. Those are two separate situations that would need to be underwritten differently. So it’s hard to see where that’s going to go.
Cole French:
Yeah. And I can see there’s, I mean, just like we’ve talked about already, a lot of variation, different types of organizations, different types of use cases, different levels of understanding, just a lot of variability, which makes it difficult. When you were talking earlier about what coverage includes, you mentioned the PR stuff, damage to hardware, things like that. As far as things that can be covered, is it just a cost? Is that all that’s covered or does insurance also provide resources sometimes? If I’m a small organization, I don’t really have the manpower to do some of these things. Does insurance also include providing those actual resources beyond just covering the cost associated?
Mark Westcott:
It can. So that think of PR remediation expenses, and a lot of times folks have to go external for those things. You can do that. The biggest part is to understand what the coverage elements are of your policy, and a broker can help you do that. So I mean, how many times, if we go back to some basic examples, homeowner’s insurance, somebody has a flood, they got damages in their house, and they realize that after the event, they realize the only coverage that they have under a homeowner’s policy is maybe 2,000 bucks in water damage somewhere. And they’re like, “Wait, I thought this was covered.” It’s very important for each insured to understand what’s covered in each one of their policies and understand what they’re buying, and the broker can help somebody do that. What the industry does, generally speaking, is they’ll start out with a basic coverage form and let’s just say this is the basic coverage.
There’s no bells and whistles on it. If you wanted to add the PR remediation stuff, I’m just saying that, for example, that’s not quite how it works, but if you wanted to add the business income coverage elements to it, then that’s going to be an extra premium. If you want to add the social engineering coverage, then that might be an extra premium. So you get to pick and choose as an insured the types of stuff that you want to have covered under your policy. Some carriers might include it all in there at just one price. There’s just some different things, but it’s important to see what the different carrier offerings are and understand what you’re buying relative to what you need covered.
Cole French:
Yeah, I think this is a good segue into something we talk a lot about here, which I mentioned in the intro, which is this concept of risk. And we did an episode a few months back on risk assessments.
And in the compliance world, sometimes people think, oh, that’s just evaluating my security controls and how effective those are for whatever compliance frameworks that I’m subject to or I’m wanting to maintain compliance with. But really a risk assessment is looking at your entire organization and identifying all the risks, not just cyber, but anything and everything. And I think what you’re describing ties back to us, how we stress the importance of doing risk assessments holistically and doing them well. So you identify all those risks. So then when you walk into a conversation with a broker and you are talking about cyber insurance, you know what risks are the ones most relevant to your organization. So you can have an informed conversation about what your insurance policy should look like. So it’s not just what kind of technologies do I need to deploy within my organization? It even goes to stuff like, what kind of insurance coverage do I need and what do I not need?
Because there’s definitely stuff you may not need in a particular scenario.
Mark Westcott:
Sure. So I mean, I think that really you hit the nail on the head there and there’s two things there. The insurer would rather know about the exposure than not know. A lot of times there’s some fear involved with, my insurance is already expensive. If we true up the values on my statement of values and maybe instead of my stuff being worth a million bucks, it’s actually worth two million bucks. Well, that’s going to make my insurance premium go up and the odds that I actually have a $2 million loss are slim to none, so we’ll just leave it at a million bucks. Well, then say you have a total loss, you’re kind of in a pickle because you’re underinsured, but the expectation there is that somebody’s going to pay to repair or replace that total exposure, especially if you’ve been paying a certain premium to a particular carrier for several years.
So the idea of understanding the exposure, having that be accurately represented, is not only paramount, but what it also does is it sends the message to the insurance provider that you want to be a good business partner and talk about having the correct understanding of the risks involved and what kind of insurance stuff that you need. The property example I gave is an easy one to remedy because that’s one of the cheapest rates per $100 of coverage or $100 of value that’s out there. It’s usually in the cents range of 10, 15, 20 cents per $100 of value. So you might true up something, you said it was worth a million bucks, but it’s worth 1.25 million. Well, to get that extra $250,000 in limits to cover that property might only cost you a couple hundred bucks. It’s an easy fix. On the homeowner side, if you’re not buying an umbrella policy, if you’re not buying umbrella limits for your own personal risk, then you’re making a big mistake.
You can get a million, $2 million in additional limits to sit over top of everything. People need to understand that liability limits are finite. So general liability stuff on your premises or the auto liability that comes with driving a car. To have a couple million dollars of additional limits to sit on top of that, you can usually get for a few hundred bucks a year. I mean, that’s a no-brainer. A lot of people don’t do that.
Cole French:
It sounds like insurance, just like we talked a lot about having a cybersecurity strategy as an organization, it sounds like insurance functions the same way. It’s not just cyber insurance. I need to be looking at insurance from a strategic perspective because yeah, I mean, I might need it for some cyber thing that happens, but what about if there’s things in it? You described the umbrella policy sitting over top of the coverages I already have. So it’s like you need to look at it more holistically than just one thing. It’s a whole strategy. Would you agree with that?
Mark Westcott:
A hundred percent. And I’m in the industry, I tend to be risk averse, so I’ll gladly put that out there. But just from a general understanding, it’s not unreasonable to understand that a million bucks doesn’t go as far as it used to, or 350 grand in liability limits on a homeowners doesn’t go as far as it used to. We think about tough situations where maybe you’re driving a car, you run a stop sign and you hit a school bus. I understand that’s a catastrophic loss. Every parent that has a kid on that bus is going to sue you though. And as soon as you run out of assets or run out of insurance coverage, your personal assets are at stake. Who wants to play that game? I don’t. So I’m not advocating for something that’s really unrealistic; it’s definitely something that you can consider. And it’s different for everyone.
Everybody’s got a different level, like what helps them sleep at night? They need to decide that, but being aware and then making an informed decision about what it is that you might want to do to navigate your own risk is something that everyone should consider.
Cole French:
So you mentioned the lawsuit component, which is something that I know from cyber attacks that have happened, I mean, that’s one of the biggest things. One of the biggest, most prominent things from a news perspective afterwards is all the lawsuits or the size of a class action lawsuit against whoever that particular victim of that attack was. So I assume that’s something that cyber insurance covers, litigation and all that kind of stuff that comes, but I’m sure there’s limitations to that. And then further, let’s say I do have to use my cyber insurance, what does that do to me going forward? Am I going to be paying really high rates because I had to leverage my cyber insurance, or how is the insurance affected by it being actually used?
Mark Westcott:
Yeah. So for me, in my experience, there’s not a lot of situations where customers have a lot of claims. I’ve had some that are affected, but it’s not like I’ve got an 18-year-old driver in my house and he’s wrecked two cars for each of the last three years and you get that kind of repetition that goes along with it or the recurring events that may happen under work comp coverages and that kind of thing. I think that for renewal situations, for cyber liability coverage where you’ve got some claims, any insurer’s going to want to know what have you done to remediate it? What did you guys do to fix the holes in your firewalls or the holes in your security system? Did you add multifactor authentication stuff? Used to be a lot of carriers didn’t require that. Now most of them do. So if you don’t do MFA, then they’re not going to provide some cyber liability coverage limits to you.
So that’s some things to consider. As far as the lawsuit stuff goes, I’ll give you an example more on the general liability side of things. So general liability coverage is out there for the premises operations. Your product liability, so you make widgets and somebody stepped on their widget and rolled their ankle and that kind of thing or there was a product malfunction. Generally speaking, you can get coverage terms where the defense expenses are outside the limits. And so the limits that you have available are strictly for settlements and those types of things. I’m less familiar with what that might look like on the cyber piece, so I’d have to get back to you on that piece.
Cole French:
Now, in the compliance space, I think I mentioned, or maybe I didn’t mention this at the beginning, but a lot of compliance requirements stem from government regulation. So I’m curious, and I know auto insurance, for instance, is we have to have it. It’s regulated. Is that something that exists in the cyber insurance world? Are you seeing any government regulations or requirements or mandates that organizations have coverage in certain instances? Obviously, I don’t know that they would necessarily be able to mandate it across the board, but it’s like, hey, if you’re going to do ... Because we’ve actually seen this, we’ve had customers come to us and they’re getting these requests for proposals. And in those requests for proposals, one of the requirements is that you have to demonstrate that you have a certain level of cyber insurance coverage. And so I was just curious, obviously that’s private.
In that particular case, it was private industry to private industry, but I’m curious, is the government starting to require or mandate any types of coverage?
Mark Westcott:
I mean, that’s a good question. I haven’t seen any of that. That doesn’t mean that it’s not there yet or not present, but usually that’s a bit of a risk transfer instrument that’s navigated through contract language. So say for example, say you own a business and we’ll go to the warehouse location again, and let’s say then you hire a third party that’s a landscaper and you want them to come onsite and redo the landscape around your structures and maybe there’s some sidewalk work, I don’t know, whatever it may be. But generally speaking, you want to get proof of insurance from that vendor with regards to the insurance that they carry for their business. And not only that, but you might in the contract require that you get what’s considered additional insured coverage under their policies so that when they’re on your site and providing a work product to you, if they do something that results in a customer getting hurt or anything like that, then they can defer that lawsuit to you first since it was your stuff that caused the claim, that type of thing.
But those kinds of things are all in contracts that you have between business parties, right?
Cole French:
Yeah, we actually, as an organization, to do the assessment work that we do, we have an accrediting body that accredits us to do that work. And one of the requirements of that accrediting body is that we maintain cyber insurance coverage. And I can see what you’re saying. So that protects, obviously it protects us, but it also protects them as an accrediting body. So if somebody went back and said, “Oh, I can’t believe you guys gave an accreditation to this organization.” It protects them as well.
Do you have any examples of good and bad? So do you have any examples of organizations that really or instances, not necessarily specifics, obviously, but just instances in which an organization was able to use their coverage to recover from some sort of cyber incident and they would consider that a success story?
Mark Westcott:
Sure. So I mean, think about the business income element. So online businesses and you sell, maybe you have $3 million worth of income revenue that’s coming in through online transactions and somebody hacks your system and all of a sudden that’s cut off. So let alone navigating things with the customers and maybe you lost their information was taken and you’re having to navigate that, but you have a real first party exposure. If your business is only drawing $5 million in revenue a year, and I don’t mean only, I’m just using that as example, but if your annual revenue’s five million bucks and all of a sudden $3 million of it gets cut off, you got a real problem. And so having that coverage element as part of your cyber program is certainly paramount to the success of the organization. If you don’t sell that much stuff online, again, you’re a landscaper, like I mentioned before, maybe you don’t need that coverage element of it, but if you’re doing online stuff with regards to payment and all those kinds of things, then you might need that piece.
And then I mean, every day there’s the phishing stuff. There’s the social engineering fraud stuff that’s out there. It happens all the time.
Cole French:
Would you say that’s the most common from a claims perspective and what people are actually operationally leveraging their coverage for? Is it mostly phishing and that type of malicious activity or are there other things that are more common?
Mark Westcott:
It feels like it. I think that there’s so many, I feel like that’s a coverage and that’s an exposure where the schemes are ever evolving. There’s always something new about what somebody’s doing for an online scam. And so yeah, I do think that is a big part of it. And then there’s a whole safety side of it. I mean, businesses are training their employees every day. I mean, we’re an agency that’s owned by a bank. We get annual training on things to look out for. We’ve got a place where if we think we got a phishing email, we send it and say, “We think this is phishing.” And usually IT’s like, “Yep.” They create their own, so they test everybody on a regular basis. So there’s all kinds of things that we try to do to mitigate that.
Cole French:
Yeah, we do the same thing here at our organization as well. Same. We do phishing exercises, also do have a place where they’ve made it super easy. It’s just one button to click if you think it’s some type of phishing or malicious email or whatever, just suspicious and highly encouraged to do that. That gets me thinking actually, you mentioned training, which is obviously something we do as well, not just phishing and those type of simulations, but also what we call awareness and training, annual security awareness. Is that something, as an insurer, are you looking at how well are organizations training their users from a cyber perspective when it comes to coverage levels, costs, things like that?
Mark Westcott:
Not only that, but they’ll also look to make sure that the scope of some of that exposure is as narrow as possible. So basic analogy is think about how many people within your organization are handling cash. Not that anybody’s really handling cash anymore, but from a crime coverage perspective and theft, employee theft perspective, you limit that. And so from a cyber coverage, folks that have access to these systems and how they run them and all that kind of thing, they want to see who’s doing that and understand that that’s pretty limited and their internal securities in place too to minimize the possibility of some of that exposure and damages.
Cole French:
So as we wrap up our conversation here, just wanted to give you an opportunity, Mark, to mention anything else you think would be important for our listeners as they think about cyber coverage and risk management.
Mark Westcott:
Sure. I think that the biggest thing is to exercise some caution in utilizing some of the AI tools that are out there. I certainly understand how intoxicating they can be and the appeal of being able to use them and the efficiencies they might offer with regards to getting through the workday. We know tons of companies that are starting to use it internally. They see it as a means of managing expenses, whether it’s in their finance departments or whatever it may be, maybe minimizing some of the salary expenses associated with their operations or whatever. Those kinds of things can be okay, but we really don’t understand what the liabilities are that are going to be created by using AI. And so I would just encourage folks to not get out over their skis a little bit and use some caution as they start to use it and really understand what they’re using it for and how they’re using it before they jump in the proverbial pool.
Cole French:
Yep. I think that’s great advice. And I appreciate you taking some time today to join us on the Cyber Compliance and Beyond Podcast to share your perspective on this important topic.
Mark Westcott:
No problem. It was my pleasure. Thanks for having me.
Cole French:
Thank you for joining us on the Cyber Compliance and Beyond Podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss or you just have some feedback for us? Let us know on LinkedIn and Twitter at KratosDefense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode and until then keep building security into the fabric of what you do.