State of the Cyber Market

Paul Martin and Colin Rooke discuss the issue of cyber crime and ransomware as the 2021 assessments roll in.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin. And my guest today joining me as always, Colin Rooke, commercial risk reduction specialist at Butler Byers. Colin, we’re going to go back to a topic that, well, we haven’t touched for a while. But it was a pretty common theme for us in 2021. And that’s this issue of cyber crime. And it’s been pushed off the headlines a little bit by other events that have been going on, but it never really went away. And now here we are pretty much the end of Q1 of 2022. So we’re starting to get the assessments of what last year looked like. And we now got the numbers on this issue of ransomware and cyber crime, and all of that. And all of a sudden we’re talking about it again, because guess what, the numbers are in, and they’re really noteworthy. And what did we see last year, with companies being attacked electronically and digitally? And what’s the insurance industry’s perspective on this?

Colin Rooke:

Yeah so, good lead up. So now that 2021 is finalized, I can report that roughly a quarter of all Canadian businesses experienced some cyber attack last year. To make matters worse, and this will lead into the topic of this show. Of those businesses that experienced some ransom demand ransomware, 56% paid the ransom. And so I want to talk about why that’s happening, what’s going on. Dispel some of the myths about well, is this growing because more businesses are buying it. Talk about again, what’s causing these ransoms, and then what you can do about it. And lastly, how this is impacting the insurance markets. And how they are addressing this, and how their stance has changed very specific to ransomware or cyber extortion.

Paul Martin:

Well I guess insurance companies are at the end of the day, not in the business of paying out claims. They end up doing it as a course of business, but it’s not their mission, or their ambition is to go out and pay out claims. So when they start to see a category of claims going up, I would assume they respond. They look at it and say, hang on. What are we doing here? And probably starts with a process of making it harder to get. Secondly after that then raising deductibles, and eventually just taking it off the table. Am I even close to what the process looks like?

Colin Rooke:

Yeah, exactly. We’re getting very close to the taking it off the table. Cyber Liability Insurance is still fairly attainable. However, where underwriters and insurers are getting a lot stickier, is cyber extortion or ransomware. And so within the policy now, we are seeing decreased limits. So it’s now not uncommon that the max payable might be 25% of your overall limit liability, which was never the case before. Depending on any third party scan, or work done on your system. They might say you know what, there’s so many vulnerabilities here. We’re not going to offer it all together. So they have the ability to offer it, and they’re saying we won’t. And then there’s other insurers that are saying, we’re not going to get out of the space. But all we’re doing is paying for ransomware, so we’re not offering it. We want to be a player in cyber liability, but we’re not going to offer that coverage whatsoever.

And others are waiting around to see okay, if we are known for not offering ransomware, or sorry extortion coverage, will that impact the likelihood of our customers receiving ransomware? So the insurance company says, well if we are known for not offering it, and the hackers or criminals are able to determine who our policy holders are, are they going to leave them alone? And that is proving also not to be the case. It doesn’t matter if they think you have it or not. There’s really no deterrent. But from the industry perspective, it’s a ginormous loss leader.

Paul Martin:

That sounds ominous I think in the sense of, there’s been a lot of comfort drawn by business owners, and those who run companies. That been drawn from the fact that they could get this insurance, and that it was always this backstop. Now you’re saying that pardon upon insurance policy may well disappear, that it might not be available anymore. And that takes you to the position of okay, then what? What’s my next step after that? How do business managers, business owners protect themselves? What do you do with this thing?

Colin Rooke:

You have to put the work in. So the issue is 53% of all attacks on Canadian business, were caused by an individual working in that business. So you could look at that and say, 53% of all the activity was human error. And so the industry says we… And of course we talk about this all the time, but we have to get better. Our customers have to get better. We’ve got to start talking about this. We’ve got to start educating. We have to understand what a cyber threat is. We have to have an internal policy. We’ve got to work on incident response planning.

In my opinion I’ll say, it’s not that we’re going to get to the point where it’s not available. But they’re going to limit who gets it. And they’re going to reserve it for the businesses that understand. That are taking the recommendations from whether it’s their IT provider, or the insurance industry third party audits, or all of them. And they’re saying okay, if we wrote out a wish list of what we want all of our clients to have, those that get a 100% scorecard, we’re going to offer it any deviation from that. It’s going to be a no.

And to take it a step further, we end up talking about multifactor authentication all the time now. And cyber insurers are demanding it, even if you have absolutely no need. So you don’t have anyone logging in remotely as an example. There’s no access to the server, or the system through your phone. And they’re saying, we don’t care. You got to have it anyway. Even if that’s not the case, we just need you to have it.

Paul Martin:

It’s a funny thing about how sometimes the insurance industry is the leader in dragging people along. They are the ones at the pointing end of the stick, if I can put it that way. In terms of feeling the impact of the conduct of these cyber criminals. So they’re the ones that are most vehement about, here’s the steps you’ve got to take, and by the way if you don’t I can’t do business with you.

Colin Rooke:

Exactly. And I feel like I say this all the time, but some of the recommendations that we were reviewing two or three years ago, went from a recommendation, to best in class, to now a requirement. And then those recommendations are evolving. And at a high level when you talk about IT, if you don’t view your IT provider as a strategic partner in your business, and the IT space as a necessary investment. No different than locking doors on your office. If you don’t have that view that they are so important to how we operate, and what… I don’t want to say whatever they say will do, but again if you don’t have that level of confidence where they are that valued advisor, you’re going to find yourself in this group.

That’s going to have ransom, or paying the ransom, or not being able to get proper coverage. And again it’s not a matter of we’ll call in. What if I throw up a big deductible, they’re going to take it. No they’re not. It’s not a deductible issue. The payouts are growing in frequency and severity. And we are starting to see the insurance market take a stand on extortion coverage.

Paul Martin:

Right. This is an interesting topic, and right in your kitchen if you’re running a business. So I want to continue with this, but we got to take a little break. You’re listening to Risky Business Commercial Insurance with Butler Byers. I’m Paul Martin, back after this.

Welcome back to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin. And joining me Colin Rooke, commercial risk reduction specialist with Butler Byers. And just before the break, we were talking about the severity of claims, and the severity of demands being made by the cyber kidnappers if you want to call them that, the extortionists. That the frequency’s going up, the values are going up. Insurance companies are saying whoa, I don’t know if I want to play this anymore. All right. So what does the business owner do? That’s the question. You can acknowledge all of this stuff, but say all right then what? So if someone calls you up and says, help me with this, saying what’s first steps on this one?

Colin Rooke:

Yeah, good point. You’re right. I don’t want to just leave it all as doom and gloom, and then hand out the show. But at minimum, at absolute minimum, and this is not something new. It’s something that has evolved over time for us. But I’m sure we talked about our cyber risk scorecard five, six years ago. But if you just did that, it’s something that you can reach out to us. Request it, it’s self scoring. There’s no risk of well this is rigged, and whatever my answer’s going to be. It explains before you go in, what’s a yes, what’s a no, what’s an unsure. But so you can go through this risk assessment. It’s going to tell you, are you a target, do you have stuff that someone wants or not. But also the scorecard Excel… the scorecard itself, there’s 20 questions on there. But they’re all designed to spark conversation. Whether you have a yes or a no, these are all big ticket items.

And so you’re able to work through that, and really think are we exposed? Have we done this? Why aren’t we doing this? We’ve talked about this. That sort of thing. That would be the first step. Now I don’t want to suggest that if you fill out the scorecard, and it says your risk is low, you don’t need any protection. That needs to be determined later on. But it will certainly let you know, at a high level where you fit. From there we are also able to do system scans that by… They’re done by a third party, not by Butler Byers. That will say, okay we’ve done this first step. And now we can look for known vulnerabilities, and we can also rank any class of business where they fit within their peers. The likelihood of breach, the average cost across all different lines.

And spoiler alert, ransomware is always the highest by five to tenfold in these claims examples. But it lets you know where you fit, based on how your system’s set up today. Where you fit among your peers, where you fit among Canada. And also how this could impact you. And it’s a very detailed report. And then we can take it a step further. And it’s something that I believe every business should have, is a proper incident response plan. Regardless of coverage, what are you going to do when you find yourself locked out? When you find yourself with a ransom. If your answer is well, I’ll just call my IT department, you’re in big trouble.

Paul Martin:

Yeah. And we tend to talk about this in the context of, it’s simply an isolated event. It’s behind your closed doors, inside your business. And work your way through it. Now this has an impact on customers, it has an impact all the way down the chain. I think about a pretty well known one in Saskatchewan. I think it was Christmas day or something. The SLGA, the Liquor Board got hit. And I remember talking with some of their staff the morning after. Customers came in, they were actually handwriting the sale down on a piece of paper. That’s how debilitated it was. And so if you’re in business, sometimes it means you’re not in business the next day, because you’ve got too many problems to deal with.

Colin Rooke:

Yeah, absolutely. And just back to the coverage question. If extortion is excluded on your cyber polls, usually the perks that go with it are removed as well. Which would mean business interruption, so lost revenue as a result of that breach. So it’s something they could really think about. But great example. And I do not want to suggest that if you have a breach, you wouldn’t call your IT provider. Obviously they’re going to play an integral role in getting you back up to speed. But it’s all those other components.

What do we tell our customers? What do we tell our staff? Do we need help from a PR firm? How bad is this thing? In the event of ransomware, who’s going to help? Are we just going to pay it? Are we going to put in a claim? Are we going to hire a negotiator? Do we need a forensic analysis to help us out? And so it’s answering all those questions in advance, and really sorting out the true cost of a breach. And knowing whether or not, is it $10,000 a day in lost revenue? Could it be a 100,000 a day, 500,000? Understanding the full impact of downtime, and also the social consequences of that breach.

Paul Martin:

This is a little bit off the topic, but as we are having this conversation here today, there is currently a war in Eastern Europe. And one of the participants the Russians are famous for being active, extremely active in the cyber attack world. They look at the West now a country like Canada, which is sending supplies to the enemy. Does that ramp up that this is… We’re at war now. And this is one of the battlefields that will be played, is that this will… The Russians may not be doing well militarily, but they certainly are doing it well in this front. And will they just amp up their activity? And in fact business owners need to understand, if your nation is a Quasi participant in a war, you’re a target. And they’re elevating. They’re going to stop targeting companies in Africa, they’re coming after us. Are we actually liable to be more subject to these attacks going forward?

Colin Rooke:

Yeah, very good point, and I was hoping we had time to briefly discuss. But Putin has promised increased cyber activity. And the articles are all suggesting, where is it? I would argue that it’s coming, they’re planning it out. If it’s anticipated today, then we’re going to ramp up security and watch more closely. But you look at the economic sanctions that the world has imposed on Russia, well, he’s got to pay for this war somewhere. And cyber crime is big business. And he’s made outward threats saying, we’re going to ramp this up. I believe that we are going to see a significant increase in the frequency, and severity of cyber crime in the future.

Paul Martin:

Really this would serve as a warning to any business owners that are listening to this. Is that the war we’re not necessarily isolated from this, and that the war can be brought to our doorstep in a digital way. And whether you like it or not, you may well be a participant in this, and you’re certainly more of a target now. So if for no other reason than that, get ahold of Colin and his team at Butler Byers. They have this free scorecard. They’ll allow you to walk through, and you can self test yourself. And see whether or not you’re a high risk, or a low risk, or you need to do some work on it. Colin, we run out of time on this one, but we’re talking about pretty serious stuff here. So and encourage anyone to reach out to you, and you’d be quite pleased to entertain a call I’m sure.

Colin Rooke:

Thanks Paul.

Paul Martin:

You’ve been listening to Colin Rooke, commercial risk reduction specialist with Butler Byers. I’m Paul Martin. You’re listening to Risky Business. Thanks for joining us, talk to you next time.

Freedom Convoy

Paul Martin and Colin Rooke discuss business interruption insurance in light of the recent Freedom convoy.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business commercial insurance with Butler Byers. This is Paul Martin, your host and business commentator on CKOM, and joining me today, as always, Colin Rooke, commercial risk reduction specialist with Butler Byers. And Colin, I’m sure people who listen to this show on an ongoing basis, they’re probably about to say, “Oh, those two guys are going to talk cyber again.” Well, we’re going to trick them. We’re not talking cyber today.

We’re going to talk about something that no one has talked about for the last two years, that’s COVID. And you think, well, COVID is a health thing. It’s a political thing. It’s a public safety thing. But I guess it’s also an insurance thing, isn’t it? And this convoy thing brought something right back into focus for us and it was kind of interesting, because maybe a year ago, 18 months ago, we were talking about business interruption insurance, and when my business got shut down because of public health restrictions and stuff, insurance didn’t kick in. Now, if you were in Ottawa or you were down at Coutts, Alberta, or you were at a border crossing in Windsor or something, there’s a good chance, especially in Ottawa, that your business got closed down for a while. I mean, that has also raised its head hasn’t it? It has put that question of business interruption into the minds of the industry again.

Colin Rooke:

Yeah, it’s really funny. If you said, “What are the odds that in over a two-year span, there’d be two major nationwide stories that both would have business interruptions?” So insurance in the forefront, as major exclusions impacting those businesses, I don’t know if this has ever happened before or we’ll see it again, I just never thought that, yet again, a giant gap in business interruption wording, or at least we’d be in a position where you have clients that would expect to receive something that could be told sort of twice in an 18 to 24 month period. That although you feel that there should be coverage, unfortunately, in the wordings, there are exclusions that are very, very relevant to the situation.

Paul Martin:

Well, who would have guessed as a business owner, if you were in downtown Ottawa, for example, or near Parliament Hill and you think, “I kind of got choice location here because I’m right in the center of everything,” and that you end up with your business being closed by officialdom, basically police cornering off your area, you can’t get in or out, can’t open, there’s no customers can come in and there you are, you did nothing wrong and all of a sudden your business is closed and it’s by fiat from some authority.

Colin Rooke:

Yeah. And even further to that, and we saw this with COVID, what if you close for the safety of yourself and your employees and your customers? So, just like when the pandemic first started, even prior to any sort of information or forced closures, you had businesses saying, “We want to close our door for this because of fear of the unknown,” and then you take this freedom convoy and they’re parked out front and there’s a lot of people, there’s a lot of upset people, there’s concern as to, is this going to continue to escalate? And you say, “I’m going to close my doors and I can’t possibly operate.” Well, you could be in a position where, again, two times in a 24 month period, you would call your broker and say, “I want to put in a business interruption claim,” and unfortunately, there’s nothing for you.

Now, you skip ahead and you say, “Okay, I understood that I voluntarily closed, there’s no damage to my premises, I don’t really like the fact that there’s a pandemic exclusion, but, due to order of civil authority, I had to close. No different than COVID, I was told for the safety of my business, there’s too many protestors, I got to shut down.” Yet again, you’re finding yourself in a position where your policy, I’ll say, in most cases, will not pay because there’s no direct damage as a result. You weren’t forced to close because of damage nearby to your building surrounding area. It has to do with one, the pandemic, and two, the threat of, yes, there’s a concern for safety, but technically, if they didn’t break in, if they haven’t damaged your shop as a result, you’re probably not going to see anything for it. And so, it’s just this unique situation where yet again, you have business owners saying, “My policy should be kicking in to help me,” and yet again, we’re saying, “No, it probably won’t.”

Paul Martin:

So is there thing that business owners should be aware of, or can be doing, or how are brokers coming at this and how are we responding to these unforeseen and these unexpected kinds of developments?

Colin Rooke:

It’s a good question. And I think the point of this conversation is that it serves as a good wake-up call to the industry itself. The insurance carriers to say, “Okay, well, maybe we have to revisit some very old wordings,” and I think we’ll see that because the more exclusions we see, the more challenges, there’s going to be markets out there that will say, “Okay, as a competitive advantage, I’m going to amend my wording just enough.” And it’s timely, it’s topical with brokers, for one, and our customers to say, “Well, if you’re going to relax your position on this area of business interruption,” I’m guessing that we’re going to get a lot of brokers out there recommending our clients move to this market. And so I think these two scenarios, one, just the pandemic itself, and then now, the Freedom Convoy, I think it’s just a big eye opener that just because it’s always been worded that way, maybe now is the time to revisit and change accordingly.

Paul Martin:

There are a couple of other big picture trends going on here that I just wonder, Colin, if they’re coloring them too. I mean, I look at Saskatchewan and as a business commentator, I’m just looking at the number of people that are seasoned senior people in our business community who are retiring. Or we’re seeing lots and lots of organizations going through intergenerational transitions at the leadership level. And I’m guessing the insurance industry is no different. And then we have this other thing called the Great Resignation that’s floating around out there about how people are long-time career people are just rethinking their jobs and what they want to do with their lives and they’re just up-and-quitting, basically. Is the insurance industry feeling the same effects, and, if so, does that mean what we were talking about previously about wordings needing to be changed and all that, the old seasoned veterans and the really experienced people may not be around to have some input on that?

Colin Rooke:

Yeah. It’s a big problem in our industry. COVID fatigue is very, very real, but on top of that, we are in the sort of third year of the worst hard market that we’ve had in a very long time. And so, in addition to our customers’ premiums increasing with no rhyme or reason, I mean, there is a rhyme or reason, but it often doesn’t feel like there is. You’ve got overworked senior underwriters that were maybe thinking of calling it a career, however, they’ve got a great routine going. They like the work environment. They like their book of business. They like their clients. And now every single renewal is a fight. Every client is upset. Every broker wants to argue with you.

You’ve got pricing increases that really you can’t explain. You’ve got unhappy customers, unhappy brokers. It’s a lot of extra work. And now you’re displaced. You’re working from home. The insurance company you worked for maybe wasn’t set up for this or slow to adapt. And it’s just easier to say, “You know what, I was thinking of calling it a career anyway, I think I’m just going to do that.” And so without knowing the specific numbers, but due to the industry articles that we’re seeing and just working in the business and learning that this person has resigned, this person has retired, we’re seeing a lot of it. It is a big deal. And from our purposes, we’ve got all this, we’ve got young, new junior underwriters that are expected in a very short time to perform at a senior level. And again, they’re overworked too, but they’re also not seasoned enough, or haven’t been around long enough to make a lot of these calls, for example, around credits or discounting or even class of business. So I think we’re seeing an unfair share of that in this industry. And the result of that is it’s so important to have your story straight. In fact, now, more than ever, when you’re dealing with junior inexperienced staff.

Paul Martin:

Right, Colin, that’s a really important topic, and I want to pick it up, but we’ve got to take a little break. So we’re going to take a commercial break, be back after this, you’re listening to Risky Business Commercial Insurance with Butler Byers. Back in a minute.

Welcome back to Risky Business Commercial Insurance with Butler Byers. Paul Martin here, and joining me is Colin Rooke, commercial risk reduction specialist with Butler Byers. Colin, just before the break, we were talking about one of these, kind of, waves that seems to be going over society. The so-called Great Resignation that’s the sort of volatility of the labor market, and especially, seasoned people who are saying, “I’m rethinking my career in the wake of COVID and all of the disruptions that came with that,” and you made the comment that the insurance industry is getting more than its fair share of that, and put a little flag up that you’d better become your own best advocate in all of this, because the industry, you’re liable to be sitting across the table from someone who’s somewhat greener or more junior than the seasoned person you would’ve been sitting across the table from even a year ago.

Colin Rooke:

Yeah, absolutely. And if you don’t have the experience, a lot of your authority will be stripped or not available. And so you’re relying on reaching out to upper management, underwriting managers, and they’re overworked themselves. And so if it’s a proper risk managed account, and you’re working with Butler Byers Insurance on a risk management plan, or let’s say you have not been and you’re just using the traditional approach, if you’re dealing with someone that doesn’t know what they can or cannot do, or what credits could be there or aren’t there, or what kind of leeway they have, it’s our job to make sure, now more than ever, they are armed with the right story to tell.

It used to be, you could talk to the senior underwriter directly and say, “This is where they were, this is where they are now, and this is where they’re going, and this is how we’re going to get there.” And you would explain the risk and they would understand, and they would know, “Based on my book of 40 similar types of businesses in that same category, you’re right. You are ahead of the curve. And here’s what I’m going to do to get this account.” Now, if you’re forced to reach out to a less-experienced underwriter who has been working from home since day one, training has been challenging, it’s all been remote and they’re not sure what they can or can’t do, now you’re relying, there’s another hand in the pot. You’re relying on that underwriter now to sell that story to a senior underwriter or an underwriting manager.

And so the point being is it’s going to take more work than it ever has to convince that market that this is a risk worth fighting for, a risk that you want, because the person on the other end of the phone or the email in this case, doesn’t have the experience to know what’s what. And so any information that you can arm that individual with is going to help long-term. So I would say now it’s more important than ever to focus on the story that’s being told about your company, especially when dealing with less experienced staff in the insurance industry.

 

Paul Martin:

Basically, you’re saying you have to be much more proactive as a business owner in terms of becoming your own advocate effectively, and if you don’t do it, there’s no one in the industry who’s got the depth of experience to be able to sort you out from your peers. So, if you’re going to get the best rate and the best coverage, it’s up to you to tell the story that, “I am better and here’s why, than all my peers,” and that’s really what you’ve been advocating since we began this program is the step by step plan, build it up, tell the story, be able to differentiate yourself from your peers, and that’s how you will get better coverage, or maybe in these markets, coverage at all.

Colin Rooke:

Yeah, exactly. So if you’re talking with someone that’s experienced, you could say, “Okay, I’ve got a concrete building I want to insure in Eston, Saskatchewan.” And you could be talking to someone that’s had 40 years in the industry saying, “Something about the ground, or I don’t know where, in all my years I’ve never had a fire. Yeah, there’s a lot of wind, but for whatever reason, those buildings are built solid. I know them well, I’m going to take a chance on this building. I’ve been there before and I’m comfortable with it.” But now if you’re dealing with someone that’s junior and they say, “Not only have I never heard of Eston, Saskatchewan, I don’t have any familiarity with the region and certainly not any building or structures in that area.”

It’s our job to convince them that it’s a great risk because they’re not coming from a place of knowing. It’s one thing if they already have a pretty good idea, it’s another when they don’t really at all. And so the selling of the risk of the account is so much more important. And now, the example I just gave would even assume that maybe the underwriter is from Saskatchewan, but what if you’re dealing with a junior underwriter in Toronto that has never been to the prairies, let alone the specific location that you’re dealing with? And so the story, the risk management plan, what gets this client from good to great, is vital because you’re now going to rely, potentially, on that underwriter to upsell this to someone else that you may or may not even have an opportunity to speak with.

Paul Martin:

An interesting conundrum, but at the end of the day, it’s really about your broker. If you’re buying insurance, it has to be more than someone who just takes quotes for you.

Colin Rooke:

Yeah, I guess what I’m trying to say is that it’s really easy to put no effort into the pricing of an account. There’s computer programs that tell you what the rates should be, and if that’s all you’re looking for, then any underwriter can take your submission and tell you what the program says the price for the risk should be. So, if you are average at best and certainly below average, then don’t waste your time. Don’t put the work in and accept the pricing because that’s what it’s designed to do. But if you consider yourself best-in-class or certainly working to get there, and you say, “I put a lot of work in, we’re a great company. I feel that we’re deserving of credits and discounts,” then you have to pay particular attention to what’s being said about your company, and the insurance application is not going to do it for you.

Paul Martin:

Colin, we’ve run out of time, as always, we just seem to blast through these things, and I think the point we reinforce here is you and your team are available for people who are listening to this and think, “Yeah, I am above average and I want to advocate for myself and protect my own interests.” You’ll be more than willing to have a free consultation with them.

Colin Rooke:

Yeah, absolutely.

Paul Martin:

You’ve been listening to Colin Rooke, commercial risk reduction specialist with Butler Byers, commercial insurance. I’m Paul Martin. Thanks for joining us. This is Risky Business. Talk to you next time.