Business Email Compromise (BEC) Scams

Home • (Page 2)

Paul Martin and Colin Rooke discuss the dangers of Business Email Compromise (BEC) scams.

RiskyBusiness · Butler Byers Risky Business – BEC Scams

Listen to the full podcast h er e, or read the transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, the business commentator, and joining me, our usual man across the desk in the studio is Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. And Colin, over the course of the last few years as we’ve done this program, we’ve spent an awful lot of time on cyber, cyber coverage, cyber threats, that whole word cyber. It’s in the news every day. We’re always hearing about scams and people being, whether that’s ransomware or their data is being held hostage or whatever. Even in the face of all of that and that conversation, there’s still a lot of people who don’t really truly understand what we talk about when we say cyber cybersecurity, cyber threats, it’s, it’s one of those words that’s in the lexicon, but you ask somebody to define it, it gets a little bit more challenging. And you see this in the world of business all the time as you’re trying to explain to people, this is a real threat to your enterprise. And they go nod their heads, but their eyes kind of glaze over at the same time, they have a hard time grasping. What are you seeing with this when you bang on a business owner’s door and you say, let’s talk cyber and the threats that are associated with it and the implications for your insurance coverage, what are you hearing back from them?

Colin Rooke:

Yeah, that’s a really good point. We were in meetings actually with a cyber liability insurer at the office here, and we talked about that you are now, there was a period where cyber was considered new and you think about the target attack and it hit mainstream news, and then cyber went quiet for a really long time, and now it’s on the forefront, you can listen to the news, they’re talking about data breaches. There was another very large and it had a breach, it’s on the news now and so it is top of mind you can’t ignore it. You can no longer pretend you didn’t know what it was or much about it. But despite all the information out there, there’s just still a giant misconception as to what is it? What does it entail, what are my risks? And as evidenced by when we beat the door down, as you said, we often find ourselves faced with trying to explain that when we’re talking about cyber, we’re not worried about your backups.

The idea that you say, oh, all of our data is stored off site, we’re fine. That’s not what this is. And then we don’t do a lot of credit card transactions or we don’t store any credit card information. And I just wanted to spill that myth, that is also not what we’re talking about. We’re not concerned with that at all, I mean, backups are assumed. In fact, if you didn’t have backups, there’s no cyber liability insure anyway, that’ll quote you. So the idea that I say my data, it is not we’re talking about, so we’ve developed this guide that really explains in layman’s terms, if you have a breach, what is actually going to happen to you? What is it going to look like? And for the most part, it’s Business Email Compromise, that’s where it starts, or BEC scams. And so we’ve got this guide that we’re happy to distribute to anyone that wants to learn more, but I think it really does a great job of just walking you through what happens, how are you targeted, why are you targeted? What are they after? How do they know they’re after it? And so we can send this out, you can read it. It’s something that you could distribute to the whole organization and just ask people to have a quick read. It’s not a detailed incident response plan. There’s nothing that anyone has to do, but it’s full of these kind of ahh-type moments in here of what we are talking about when you have a breach, why they do it and what the result is, ultimately.

Paul Martin:

I get a thought that comes to mind here when you’re doing it, and it’s kind of a throwback to the 50s of Desi Arnaz saying to Lucy, “You got a lot of ‘splainin to do here”. You must be very frustrated when you look at business people and all they hear is, you’re talking away and they hear “Wa wa wa”, and this cybersplaining that’s going on. I mean, it’s as much about education as it is about identifying the threats, isn’t it? It’s just trying to get people to get their head around understanding the breadth and the width of this challenge that we’re all facing.

Colin Rooke:

Yeah, a tough one, right? Because you think just to use Target, very, very old breach. I mean, let’s assume that Target would have a larger IT budget than, and so to be able to say, well…

Paul Martin:

This is Target, the department store in the US, I mean major big publicly-traded retailer known globally.

Colin Rooke:

Exactly. So is it honestly possible that a smaller enterprise as it all figured out, and giant Target just didn’t have backups? They didn’t malware protection, it is a targeted attack. In fact, I haven’t mentioned this in years, but I actually met and worked with the broker who handled the claim from the plumbing and heating company that caused the whole Target breach and all it was, was a very simple business email compromise. And so they thought they were dealing with Target and sent some things to Target they shouldn’t have. So they let the malware in passed it along, and that’s that.

When you talk about, again, Business Email Compromise scams, all this is a cyber criminal, impersonating what seems like a legitimate source, like a senior level employee supplier, vendor partner, ad rep, someone that you regularly do business with. So gone are the days where it’s the Saudi prince that’s going to send you millions or the misspelled or odd looking letters, they don’t do that, they put a lot of time and effort. And the average cost across North America of a successful BEC scam is $4.9 million, and so they put the work in. So how do they get there? How do you become a target? Well, it’s not mass email. It’s not because you’re on a dark web. They pick you out. They go to your company’s website, they look at your LinkedIn page, they look at key individuals. They want to know their social media profiles. What they do, they want to know the hierarchy within the organization.

I mean, they read every email post every company bulletin newsletter, and then they come up with a plan of attack. And to make matters worse, with the help of AU, they could do this in seconds, what used to take months. They can do in a few seconds all that intel, but it’s all very deliberate because they’re looking for key people in a vulnerable situation working on a known subject. So how does it start? Ton of research. Then when the research is done and they know as much as they can about the organization, they pick a target one person, they deliberately go after one person that they think they can influence and they’re very good at it. And all the eggs go into this basket and you are the focal point prior to launching the attack.

Paul Martin:

All right, we’ve got to take a little break here, but you made a comment or a statement that I want to really come back and pursue when we come back and you said “they” meaning the bad guys, put the work into it, and I guess we can learn from that, so we’ll talk about that. You’re listening to Risky Business Commercial Insurance with Butler Byers. We’re going to take a little break, back after this.

Welcome back to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, and joining me, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. And just before the break, you alluded to the fact that the cyber attacker, the criminal puts in the work they do, the research, they prepare to take you on, to come at you at a very pointed, deliberate process. And I guess the message in that for business owners is you too have to do the work to protect yourself to repel or rebuff these attacks. Is that a fair comment?

Colin Rooke:

Yeah, really good point. I mean, they’re going to spend a ton of time learning about your organization before they select an individual and they launch malware, malicious malware. And so by the time that person is selected, they’ve got a lot of, well, they have a big investment in this breach. And so back to why this guide was developed, this is part of the answer. This is part of the mitigation of a potential attack to at least understand what’s happening and why it is pretty common for executives to blame someone in the front office for it was probably this temp worker wasn’t paying attention and clicked something they shouldn’t. Nope, not true. They want the accounts of individuals that has access to funds, access to sensitive data, HR personnel that has payroll and employee data. They’re after the top. This is not an entry level position type scam.

Paul Martin:

It’s an interesting point is that you will talk to the business leader in an organization. They may have a couple of hundred employees. In all likelihood, the message you delivered to the owner or the CFO doesn’t probably leave that office, it’s not transmitted through the organization. But at the same time, as you say, it’s people with access to the funds that are the target. So it’s probably the leader who’s actually the most vulnerable in all of this, which is ironic, isn’t it?

Colin Rooke:

I can say with certainty that I don’t have a real stat here, but I’ll say most of the time the person that I am speaking to about the nature of the risk is also the one that calls me saying, “I made a mistake and I don’t know what to do”. But for those that are uneducated, they typically would say, “Well, it won’t be me. It’ll be someone under me”. But it doesn’t make any sense to target someone with no access. I mean, if you’re going to impersonate someone, if you’re going to trick someone into moving a large sum of money, it’s going to be CEO asking CFO. It’s, there’s going to be an urgency to it. And furthermore, and why we have this guide is you’ll say, well, years ago there was this fraudulent email that came through that was loosely looked like Paul Martin, a whole bunch of spelling mistakes, some verbiage in there that I knew it wasn’t Paul, I deleted it and I learned my lesson, nope. When they launched the malware, not only do they follow, so when they pick their target, launch the malware, they follow everything you do, and then they learn who you interact with most. And then they launch malware to follow those people. And by the time they’re ready to trick you, they know how you think, what you do when you do it. And they also know how the other end responds. Each and every time. They are experts, they know more about your patterns than you would know about your patterns. And then when these mistakes happen, it just seems like a regular course of business. You transfer a fund, you accept something from someone else. Oh, there’s a little hiccup. Please call the bank. You call the bank, you’re not talking to the bank. The bank sends another account number. You send it to that account number. Sometimes they go for a third. I still didn’t get it. I don’t know what’s going on here. Try this one. And then at some point someone says, Hey, stop. I’m a little worried about this money. And then you look into it, you never spoke to the bank. It never went where you thought, and either you have a breach, the fender has a breach, but you’ve been tricked. And I guess that’s what I want to dispel today, that in order to stop this from occurring, you need to understand who is targeted, why they’re targeted, and what types of tactics they use. A super interesting one that I guess really isn’t talked about. Well, actually two, data theft. So you’ll get an email from what looks like your own IT people saying, “We’ve got a breach on the go. Please change all your passwords and do it quickly”. And again, you’re not even speaking to your own IT. You think you are, you change all the passwords, you’re being monitored and they steal. Or another one, how many people would question an email from their attorney? And so the attorney impersonation email only comes to you in the event that you’re regularly working with an attorney. So you’ve got some litigation underway, you’ve been writing some big checks for some time now, and lo and behold, a big check around the time they would ask for the money or an attorney saying, we’re able to settle, my advice is to do the following. You call the attorney, the attorney answers, that’s AI, you send the settlement, is all fake. And so this guy, again, goes through all that so you can understand how the cyber criminal thinks at minimum. So then you can prepare yourself better when it happens to you.

Paul Martin:

So I mean, this sounds a little bit daunting, right? I mean, not a little bit, a whole bunch daunting for average. We got real lives to live and we’ve got real businesses to run and to spend the time trying to grasp this as one of likely a dozen threats we have to worry about. This is why you’ve come up with this guide. You just make it really easy for people to, you short circuit the system really by just making, here’s a quick thing is how long would it take me to do it? What would I get out of it?

Colin Rooke:

Yeah, you can read it in five to 10 minutes. It, it’s not designed to be exhaustive, but it’s pretty all encompassing. You would certainly get the gist and there’s help in there. It’s not all, “This is what it is, this is how they’re going to get you”. It does talk about what you can do. And Paul, you and I have joked about this and we’ve talked about it on shows, but if the attorney reaches out urgently with a settlement, “Write a check, write a check”, and if the attorney says, “Oh, that wouldn’t be possible to take a check. We got to have this thing firmed up in the next 17 minutes. Do a transfer”. You say, “Not a chance”, but they get you. They know your patterns, they know what you’re stressed out about, they know what’s on your mind. But yeah, so this guide walks you through what it is. It’s easy to circulate. You could put it right into your employee handbook, have people sign off on it once or twice a year. They got to read through and sign off, but you’ll at least leave knowing, okay, I’ve got the basics. I’ve had a crash course, a mini masterclass in what Business Email Compromise scams are, how it is how they’re going to get to you. And yet there’s still this myth out there that I know I’m not going to download a zip file, nothing good comes from zip files, no one uses them. That’s right, they don’t. But they do use Dropbox and it’s going to come from someone that regularly sends Dropbox files.

Paul Martin:

All right, well, a bit scary. But you know what? You can protect yourself. It is about, the bad guys are going to do the work, you might have to do a little work yourself. You’ve been listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. Today, we’re talking about Business Email Compromises and a guide that you can call him up or his office and his team and just ask for a copy, and he’d be pleased to supply it to you. I’m Paul Martin, this is Risky Business. Thanks for joining us, we’ll talk to you next time.

Artificial Intelligence – AI

Home • (Page 2)

Paul Martin and Colin Rooke discuss the latest in AI.

RiskyBusiness · Butler Byers Risky Business – AI

Listen to the full podcast here, or read the transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, the business commentator, and joining me as always, Colin Rooke, Commercial Risk Reduction Specialist with Butler Byers. Colin, as we get rolling into the end of the first quarter of 2024, I imagine we’re talking about that already and looking at Q2, I mean, you look at the headlines and you look at listen to newscast or whatever, and the story of the day, AI this, AI that, AI is going to solve all our problems, AI is the cause of all our problems. Artificial intelligence is really gaining a lot of attention, and I guess it is in the business world too. I’m wondering, we haven’t really talked a lot about this, but anytime there’s a major development in business, I guess it probably has some impact on commercial insurance. So thought maybe we better talk about that. And I’m guessing, but I’ll let you fill in the blanks. Are there implications with AI and commercial insurance?

Colin Rooke:

Yeah, AI, it’s a really good topic. Obviously people are at this point aware of AI. There’s a lot of talk in the news, really everyone is talking about AI and really mixed emotions around it. If you’re really into tech, this is something that’s quite cool. I spent a ton of time talking with my son. He uses AI all the time, and he’s usually the one pointing out to me what new app or new program is coming out and what it can do. And if you’re less sort of in the know or aware, it’s really easy to have a lot of AI related concerns. So what I want to do is just talk about ways that AI will impact or the workforce in 2024 and beyond. So I’ll start with some stats around it, ways that it’s going to change the workplace, but then I do want to talk about the risks to your company or how to prepare for this new reality with AI.

So it can do a lot of great things, but then there’s steps you need to take as well just to make sure you’re doing it the right way and you’re thinking, again, of the risks. And I’ll tie that into how is this going to impact commercial insurance program? Why would an underwriter care? And then if we’ve got some time, I just want to talk very quickly about a really neat to me way that hackers or cyber criminals are
getting your info that I honestly can’t believe I hadn’t thought of. Almost a little ashamed, but also I find it very interesting.

Paul Martin:

Well, now you’ve got our interest. So let’s first talk about AI though, and the implications for those in leadership positions in business. What considerations do you need to be thinking about here?

Colin Rooke:

Yeah, so the global AI market is expected to grow by about 35, 40% each and every year. And I know that’s just predictive, but really the point is that AI is here to stay and it’s going to continue to change how we look at work. And so some of the things that, key things that are really going to help the workplace is one enhanced decision-making capabilities. So for example, HR professionals are able to leverage AI, which in the field there’s a lot of burnout. HR professionals do a ton of work, a ton of stress, and frankly, they’re often working in areas outside of what they went to school for. So you’ll hear from HR professionals, I’m spending a lot more time training and working on implementation than I am policies and procedures and big picture stuff. Well, AI can really help with that. AI can help with workflows and building out performance objectives and evaluations and helping other managers in the company look for screening questions for new employees.

So one of the great ways that AI can help, another thing, and everyone that’s heard about AI is pretty aware of this, but increased productivity. So the stats show that depending on the role and depending on the type of company you’re in or you own or manage, up to 60, 70% more efficient. And just if you look at workflows, all the redundancies, there’s just a lot in there that you can automate. So that’s going to change the workforce or continue to change in 2024. The other thing that one of the ways it’s going to impact the workplace is a lot more focus on the legality and ethics around AI. So now that it’s not new, as new and exciting as it was anymore, there’s a lot of questions and concerns about policies and procedures, the access to data infringements on personal information. And so you’re going to hear a lot more about policy makers saying, okay, this is how you can use AI and this is how you can not use AI.

And there’s a lot of concerns around where they get their information and are they taking it from a source that frankly you are allowed to borrow. And then when it comes to hiring, overall, employers really need to think about skill-based hiring when it comes to AI. So if you’re dabbling with AI, you want to understand, okay, how can AI help us in these areas like productivity? You really need to hire people that are either familiar or have the ability to learn and adapt, work around and help implement AI for your company. So these are sort of four ways where it’s going to impact the workplace in 2024. And then I’m going to talk next more about, okay, how to prepare a workforce for the use of AI.

Paul Martin:

Well, these are big, all of those are big topics. I suppose the legal part is that’s likely long ways until we get that sorted out. But some of the things that you talked about in terms of just the interface between employer and employee, that hits us right today, and it hits every company regardless of size. And I’m guessing that’s where a lot of the attention is being focused these days.

Colin Rooke:

Yeah, absolutely. And so when you talk about the pros of AI, like productivity and then what the media is saying, one of the things that you need to be thinking about is how does that impact my current workforce? I mean, there’s a lot of worker unrest around AI and what it can do, and does it affect my job security? So when you talk about, again, productivity and automating routine tasks, if you’re not careful in explaining what tasks you mean to automate and how that will impact your current workforce, you risk low morale, increased turnover, and frankly, just great employees leaving, thinking their job may be threatened when there’s a chance that it’s not threatened at all. And so very, very important, you think about, okay, what do my people think about ai? And really consider if there’s not a broad understanding the impacts it could have.

Another issue, and I touched on the focus on legality and ethics and transparency around ways it’ll impact the workplace is regulatory concern. So if you’re using AI, and AI is operating as the 13th man in your company, you have to realize that anything AI produces you will help be held accountable for that content. And so again, are you infringing on any laws? Knowingly or not? Knowingly is something that
you really need to be aware of. Another big issue is increased cybersecurity risk. So again, you’re using a bot or any sort of AI-based technology. We have cyber criminals that are aware of this. And so what cyber criminals do is they’ll create dummy sites to data poison, so they know that people are looking for certain info. They create sites that would be very juicy to artificial intelligence, and therefore when accessed, they may be downloading well, either a virus itself or they can actually use different methods or tools to change ability, which then opens up the organization to, they call it stealth attacks as a result. So again, something to think about that you’ve got an automated program acting as your company. Well, how vulnerable is that program? The other thing, and again, it’s a little-

Paul Martin:

Just before you jump into that, Colin, we’ve got to take a little break and I don’t want you to lose that thought, but let’s come back and pick that up in just a moment. You’re listening to Colin Rooke, Commercial Risk Reduction Specialist with Butler Byers. This is Risky Business. We’ll be back after this break.

Welcome back to Risky Business Commercial Insurance with Butler Byers. I’m Paul Martin and Colin Rooke, Commercial Risk Reduction Specialist with Butler Byers is joining us today. Colin, just before the break, I kind of cut you off there. I’m sorry about that. But you’ve been raising some questions that I think employers and those in management positions and businesses really need to be getting their head around as with the arrival of AI. And it’s no longer just a novelty, it’s actually working its way into our day-to-day operations.

Colin Rooke:

Yeah, it is. And one of the points I want to end on is sort of the risks of the use of AI, and then I’ll talk about what you can do about it. And I think this is probably next to worker unrest. One of the most more important things to consider is distribution of harmful content. And so you have to realize that AI is still computer based. It is still learning and on what is asked of it or the way things are asked, it is going to deliver certain content. And so if mistakes are made in the prompts, whether intentional or not, you really need to watch the content that emerges as a result. And so if you’re not, there’s a lot of reliance on AI to do the work for me. And so you type into AI, a certain subject matter, you sort of paraphrase, it looks good, you maybe really don’t read the whole thing, but it looks like a great response.

And then later you realize there is offensive language or AI took a slightly political position that you didn’t realize it did, or may have taken a certain stance on a topic that you didn’t quite realize AI was taking. And then you also have to realize that the end user ultimately thinks you are the one that did this. And so it’s something to be very cognizant of, especially when you have individuals in the workplace using AI. They may be misrepresenting the organization they work for and not really being aware that they’ve done it. And so to prepare for this to mitigate risks, which is what we’re here for and what we specialize in, it’s just it’s very important to have comprehensive policies around the use of AI. I mean, that’s first and foremost, what am I allowed to do with it, if anything at all? So we can help with that, but it’s very important to have policies in place around AI.

Well, and then another point is I talked about worker unrest. Kind of the number two issue here is foster psychological safety. Let the people know AI is a tool, not a replacement. You don’t have to fear AI. And when we talk about automation, it’s typically redundant tasks that if you ask the individual, if they like to do those redundant tasks, they will typically say no. And so then you can appease a lot of these concerns by explaining, yeah, we’re going to automate a ton of what you do, but not to render you up to lead, to free up your time for bigger and better things. And I think when you look at what we’re planning here, it’s going to be the stuff you hate doing. And that’s another really big step in preparing for this future with AI.

Paul Martin:

Well, this gets us into the realm you just keep, every time we open a door here, it leads to two more corridors, and I think we could chase around on this forever. But before we run out of time today, you teased us a bit at the beginning of the program with something that is a cyber threat that is so obvious we forgot to even notice it. Maybe I’m going to get you to elaborate on that right now.

Colin Rooke:

So I spent a ton of time over the last 10 years learning everything I could about cyber, cyber risks. We do this program, I’ve had other vocational speeches, and I’m pretty good at predicting what could cause a breach and I missed this one. QR codes, you can’t trust them,that’s the new thing. So QR code sends for quick response. We’ve all seen them, those squares that have a ton of data embedded. Sometimes it can be an article, a website, a menu at a restaurant. Well, they’re taking QR codes and they’re either replacing it. So the QR code at the end of the table at the restaurant, that could lead you to a hacked website. It could look just like the menu, but it’s not. They’ll put posters up in airports, public places, they’ll create a fake event, scan this to learn more about it. There’s the virus right there. So what’s interesting though is these hackers, cyber criminals have learned that people trust them. People trust the QR code, they see a QR code, they’re not worried about scanning it. And so now the new thing is we’re going to modify those. We’re going to hack your device. We’re going to jack your URL. We’re going to send viruses. We’re going to Phish using that. But yep, I hadn’t thought of that. And it makes complete sense. Scan this to download the app for this program you want, well, it’s a virus.

Paul Martin :

They’re starting to put them on TV screens now. Commercials will actually feature a QR code and say, here, screen this or scan this while you’re watching a television program or something. And so they’re coming not just in fix like the poster that you see in the hallway, but it’s actually they’re bringing ’em right into your house.

Colin Rooke:

And for example, let’s say you’re streaming. You’re streaming your favorite Netflix show and you didn’t pay for ad free and then up pops a commercial with the QR code, and it’s a product you’re interested in. And suddenly that’s now it’s a virus.

Paul Martin:

Colin, you never cease to amaze me with the things that you remind us that we should be cognizant of and how even just the most innocent things in day-to-day business life, really, you need to look past the obvious and to understand what implications those have for my businesses. And I guess that’s the reason for this program, is we talk to business leaders, to owners, to those in management to say, we’ll help you through this. There are lots of things out there that you don’t have time to think about. That’s what we do. So reach out to Butler Byers and we’ll be pleased to walk you through. There’s step-by-step plans, and to just remind you of some of the most recent threats that are out there that you probably didn’t even expect. You’ve been listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. I’m Paul Martin, this is Risky Business. Thanks for joining us. We’ll talk to you next time.

Cyber Market Update Ransomware Returns

Home • (Page 2)

Paul Martin and Colin Rooke give an update on ransomware.

RiskyBusiness · Butler Byers Risky Business – Cyber Market Update Ransomeware Returns

Listen to the full podcast here, or read the transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Byers. This is business commentator Paul Martin, joining me as always, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. Colin, end of the year start of a new year. This is the time when we start to get data and we get analysis of trends and which way things are going when we get year end figures. I’m assuming they’re starting to trickle in now as we get a little bit into 2024. One that was prevalent a couple of years ago and we really didn’t talk about much last year was cyber and the ransomware and all of that sort of stuff. But I gather it’s making a bit of a comeback. Is that a fair description?

Colin Rooke:

It is, yes. Very fair. So 2023 was the largest as far as successful Stiver, ransomware payouts 2023 was the largest ever recorded after, yeah, it really did take a dip in 2022. You’ve got Russia in conflict with Ukraine, so when they’re focused on war, they’re less focused on while stealing your data or encrypting it or deep fakes social engineering. And so there was a dip. And then I’m assuming, and yeah, I’m sort of blaming Russia, but I’m assuming that the war is getting quite costly. It’s lasting longer than they thought it would. So they’ve really ramped up the efforts. And it is very interesting that ransomware is back. Now, the type of ransomware has changed, but for the last 18 months or so, I mean almost actually closer to two and a half years I’ve been saying it’s really gone away. We’re now in the era of AI and social engineering and deep fakes where they’ll spend months learning.

They’ll be in your system for months learning every keystroke so they can replicate you. Exactly. And then they strike. However, that’s proving to be a lot more costly. And so they say, let’s go back to old reliable, where we can go for the big game, the big fish, or at least the big dollars. It’s not necessarily only the big company, but just they’re saying themselves rather than death by a thousand cuts. We’ll just go back to large ransomware payouts. And so yeah, just big changes in the industry. So to give you some context, the grand total for successful reported ransomware payouts was exceeded in the fourth month of 2022, or sorry, 2023. So they beat the 2022 total four months into 2023. And then the average payout, or I guess successful payout has gone up four times that of 2022. And so it’s more often and it’s larger dollars. And then I guess what I find very shocking as well is when it came to ransomware across the industry, so all industries all reported 40% of extortion payments were successful 40% of the time. If they had something you needed, you paid the freight, which it is a pretty high success rate.

Paul Martin:

Those are staggering numbers. And to think that it had gone away, or at least we had the perception that it had gone away. In fact, all it was doing was evolving. And I guess any other business, the business of being a cyber pirate, you look at ways to get more efficient and lower your costs and increase your revenue. And they were able to start to figure it out that I don’t go for your whole envelope of data, I just start to get more selective and get the stuff that’s more sensitive.

Colin Rooke:

And it’s really important to understand that this is for profit. There’s colleges, there’s whole organizations that only exist for cyber crime, and these are not individuals playing pranks on companies in their basement. I mean, this is big business. And so they took a step back. And so the nature of ransomware as completely changed. So they are essentially moving away from data encryption. They’ve determined that on the cybersecurity side of things, that it’s proving to be more difficult to get in. They can do it, it just takes longer. So it might take a week to actually get ready to encrypt from the initial breach. And then it takes a lot of manpower to both encrypt the data and then actually when the ransom is paid, it takes a lot of manpower to get that up and running. So they’re saying, we don’t like that because that’s a lot of overhead.

And so the more successful they are, the more overhead they have. And maybe they don’t like paying employee benefits, I don’t know. So what they’ve turned to is back to sensitive or restricted data. And so rather than say we have just turned everything off, and if you want that back, you’ll pay the following. They said too much work. They’re looking for sensitive data, restricted data, data that you don’t want out. And all they do is say, this is what we have. If you don’t pay the following by X, we’re going to release it. And so the challenge with that is when you’re dealing with encryption, you’ve got some choices. You can say, I have backups. Yeah, we’ll be down for a week, but we prepped for this. We listen to call and show we’ve got an incident response plan, and we we’re pretty confident that we’ll be up and running right away and the impacts will be minimal. And the cyber crime experts know that. And so they say, okay, well yep, we’re going to go back to those tidbits that you will pay to not have released. Or if we do, there may be litigation against you for losing it. And that seems to be the new angle.

Paul Martin:

It is just getting more sophisticated, isn’t it? I mean, this is the whole point, and you made a comment earlier and I had like to explore that is that I gather to a degree, this is state sponsored stuff as well. Some of these, you talk about the war in Russia and Ukraine, that part of this is a mechanism for funding the military effort, isn’t it?

Colin Rooke:

Yeah, they say that.

Paul Martin:

I guess we don’t really know, but we can speculate on that.

Colin Rooke:

Yeah. Where if you look at where the crime is primarily centered, the activity and the investment in these publicly, or sorry, yeah, publicly funded schools, it certainly appears that there’s an investment made and its government involvement. Another interesting stat that it’s funny that I have to completely change my tune on from the last five or six years. So I used to say, and the data now reflects a totally different argument, that if you were a victim of ransomware, there was honour among seeds that said it all the time, that typically you aren’t hit again. And the other funny thing about this business is that there’s a lot of competition. So there’s some research that shows now that 80% of organizations that do pay are victims again. And also 29% of extortion victims. When that company does in fact pay, that data is still released. Nonetheless, I guess there’s less honour among CS and because of competition, there’s no real list that says this is off limits. We already got them once. They’ll come back because they know that someone else is going to anyway. So it’s particularly concerning.

Paul Martin:

Alright, we’ve got to take a little break, Colin, so just stand by. We’ll be back in a couple of minutes. You’re listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. This is Risky Business. I’m Paul Martin back after this.

Paul Martin:

Welcome back to Risky Business Commercial Insurance with Butler Byers, Paul Martin here. And joining me is Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. Colin, I guess what we’re seeing is this evolution that we’ve been talking about in the way the cyber criminals and ransomware is being played out now. So even if you’re kind of up to speed as a business owner, you really have to refresh yourself on this, doesn’t it? Because this game is changing and the way the pirates are coming at you is changing and evolving as well. You’re seeing any other trends here? Are we able to see in data what direction this thing is moving into?

Colin Rooke:

Yeah, another, I guess, shocking overall trend. Then I’ll give some sort of industry trends on the nature of the crime and where it’s going. But so what’s happening? So there’s a new, I guess, big game target, and these are third party vendors. And so rather than go after the mothership, they’ll go after a third party supplier. And often that is an IT provider. And so a cautionary note is that when choosing a third party vendor, someone to, if you’re outsourcing your it, you really want to make sure, I guess you are feeling they have a handle on your cybersecurity. You want to see a detailed plan, you want to be completely up to speed, you want know that they’re going, they’re lifelong learners because again, I guess in the effort to be efficient, they’re saying, well, rather than go after one company, we can go after a company that services hundreds, maybe thousands of companies, and then we can extract sensitive data from it and all of them at the same time. And so I’ve talked about cloud providers, how they’re just a business as well, and that your data could still be lost, but there seems to be a trend saying, well, we’ll go after a third party vendor that works with some of these large, and we’ll start there. And so really further to that, just where is this going?

How is this threat going to evolve from 2024 into 2025? Well, it’s about 101 billion projected by the start of 2025 spent on service providers specific to cybersecurity. There is 3.5 million open cybersecurity positions worldwide. So that’s a today’s stat, 3.5 million jobs. These are people saying, we need help with this and come work for us, whether it’s a third party or not. But that’s a lot of open positions. Premium growth is expected to increase by 21%. Now, that’s not all increases, but those choosing to take out cyber liability policies, depending on the industry, we actually, we are seeing rates stabilize some decrease depending on who they are. So it’s not all just rate increases, but premium growth overall. And they’re anticipating by the end of 2025 that the total cyber, the annual cost of cyber crime globally will be 10.5. Trillion’s a big number.

Paul Martin:

That’s a staggering number. It really is. And I mean, as someone who watches the evolution of the business community, I’m taken by just how much the IT and security industries are coming together and how they are changing. I think back three, four or five years ago, I might’ve known of one or two companies in the province, for example, or players that were kind of specialized in the cyber world, and now there’s way more of them and they’re far more sophisticated, but they’re also getting size. They’re getting the weight and scale and clout that they need to be able to take this on. So what this says to me is that the player on the negative side, the pirate, if I can use that term, they’re getting more sophisticated. They’re turning into heavyweights. And to compete with them, to actually protect yourself against them, you need to be a heavyweight on your side of the equation as well.

Colin Rooke:

And one of the best ways to actually get a handle on where you stack up is to purchase cyber liability insurance. And here’s why. Almost every single insurer now will do a third party scan or an audit, or they will monitor your system remotely included in the premium. And you think, well, there’s no free lunches. Why would they do that? Why would they monitor my system 24 7 and why would they invest? And there’s got to be a hidden fees. No, because if you are paying a premium, let’s say it’s $20,000 for 5 million in cyber liability coverage, rest assured they don’t want to pay that 5 million. So if they can invest and if they can look for abnormalities, if they can help you avoid an incident they’re going to. And so some of the best ways to get a handle of do I have a breach that I don’t know about is actually through the policy itself.

They’re very good at doing scans on the dark web to say, do I have customer data that’s leaked or email addresses or websites or web addresses linked to the business they don’t know about? And so they’re actually contrary to a lot of lines of coverage. They’re really putting in the effort, and it’s one of the best ways to actually monitor activity is to have a policy because the insurers are saying, this has to be profitable for us. I mean, we’ve got to offer the coverage, but we have to make money while we do it. And so it’s really a great way to mitigate risk.

Paul Martin:

All of this sounds quite daunting. And so if I’m a small business owner or a medium-sized business owner or someone in management is responsible for this, saying, what do I do with this? This just starts to get to where I feel like I want to crawl in a hole and pull a blanket over myself.

Colin Rooke:

Yeah, I can see there’d be an urge to just cut the internet cord and go back to handwritten checks. It is pretty scary stuff, but there’s a lot you can do, but really, if you’re putting in the work, you can do a very good job of mitigation. It’s those that are saying, we don’t matter. There’s nothing that we have that someone wants or that’s someone else’s problem. It’s big businesses problem. But I’m going to give one last shocking stat. So this is from the United States government, the National Security Agency, and so last year, 4,000 ransomware attacks per day in the us. And again, this is right from a government agency, publicly available information. I mean, that’s a scary thought. That is just in the United States, that’s not worldwide, and that’s growing.

Paul Martin:

Yeah, it really is. It’s growing. It’s scary. And if we leave people who are listening to this, if we leave them with one message is, yeah, you can deal with it, but you have to deal with it, right? You can’t ignore it. You have to actually just take it head on and people such as yourself and your organization, you can help walk them through this and explain it and give them some confidence that you can significantly improve what you’ve got right now. Just give us a call. Yeah, absolutely. You’ve been listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. I’m Paul Martin. This is Risky Business. Thanks for joining us. Talk to you next time.

What To Expect In 2024

Home • (Page 2)

Paul Martin and Colin Rooke discuss what to expect in the insurance industry for the new year.

RiskyBusiness · Butler Byers Risky Business – What To Expect In 2024

Listen to the full podcast here, or read the transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Byers. I’m Paul Martin, the host of this program, and joining me as always, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. And Colin, it’s that time of year. We’re entering a new calendar year, and it takes a few weeks into the new year when we start to get the numbers and the summary on what happened in 2023, are we starting to see those numbers trickle in and get a bit of a flavour for what was 2023 for the insurance industry and what’s that mean for all of us who are in business and need to buy the coverage?

Colin Rooke:

Yeah, we’ve talked quite a bit about how 2023 looked, and certainly, I mean, if you look at Canada large catastrophic losses, we’ve talked about it on the show that I believe 2023 was the second worst year on record. However, although that certainly does impact the insurance market from a global perspective, and this really does pertain to more to commercial insurance than it would residential. But on a global perspective, claims have been pretty low and returns are improving. And so as a result, we’re seeing in the industry more capacity released, so about 20% more capacity coming out of Lloyd’s of London or London itself. And then on the reinsurance side, so that’s the insurance of the insurers are buying more capacity there as well. So if you follow the show for the last three or four years, I have spent a lot of time explaining why the rates are so high and referencing reduced capacity, unwillingness to deploy capital.

They’re saying there’s no benefit to me, claims are out of hand and returns are low, and so we’re going to keep that money. And that capacity has been a term that every single broker, broker around the world I’m sure has been hearing and using frequently with their clients is capacity. I don’t have any capacity. I can’t find capacity. And as the risk gets more complex, as you look into specialty lines, excess liability layers or towers they call them, it just gets worse. I mean, trying to build a hundred million liability for a client was darn near impossible. And again, it’s capacity. It’s capacity. And so we’re looking at reinsurance renewals, and reinsurance renewals really are the telltale sign of what the prediction is for the upcoming year. And so it’s, again, insurers buying insurance on their book. And if the pricing is going through the roof, which it was in 2023, and in 2022, you’re going to see rates go through the roof.

Why? Because there’s not enough in-house capacity, meaning the insurance companies, they don’t have enough internal funds to back their book. They’re buying reinsurance, so insurance for large claims. And as that price goes up, so does your premium. And so on a global perspective, and certainly in North America, we are seeing reinsurance renewals are decreasing. But the interesting thing about this report is capacity has gone up, reinsurance capacity has gone up, and yes, reinsurance renewals have lessened, but not for everybody. In fact, not for most, but just overall it’s down. And so you think, well, why is that and why would some insurers bear better than others? And that’s really the lesson of today’s show. So there are savings on reinsurance, meaning there are savings out there for a lot of policy holders, certainly in the property space, not all lines of business, but certainly if you’re just looking at property insurance, there is room to move.

But the industry was very quick to reference that. Those that had a diversified book with proper risk management plans that are keeping track and working through claims and working on mitigation techniques, keeping loss ratios manageable, they are seeing premium relief. So you think about it, you’ve got insurance company putting in the work, steering their story, how they’re going to get better to the reinsurance market. The reinsurance market is now listening, and they’re saying, we can give you a renewal that’s less than what you’ve seen in years, in fact, lesser than your competition. Then on the flip side, they’re going to those that are saying claims are out of control. We don’t see those coming down. Proper risk management protocols are not in place, and the book is not diversified enough. Those insurers are getting, I don’t really have a better term than walloped, meaning they’re just sizeable 50, 60, 70% increases. So the industry itself is rewarding those putting in the work and punishing those that aren’t at the highest level, the reinsurance side.

Paul Martin:

It’s kind of music to the ears to hear that there is some premium relief in the year ahead. But as you’re very quick to point out, it’s not for everyone. And when I’m hearing this, what do I hear as a buyer? I hear lower, lower. I don’t hear all the caveats that are attached to it. So let’s focus on that for a second. And as a buyer, obviously I want to be in that getting the lower rates with the better coverage and all of that stuff. So what do I need to do to qualify or to get myself into that elite of the elite, if I can use that terminology?

Colin Rooke:

Yeah, it’s a good point. And what I’m not trying to suggest is you say on this show there are lower rates out there. I should immediately remarket and try to find the insurer that has lesser rates. It is not going to work in this case. What you need to take away from this is say, okay, so the insurance companies that understand proactive risk management that are telling proper stories themselves and have favoured or weathered the storm better than their competition, they have more flexibility, but they only have that flexibility because they’ve been placing insurance the right way. So those companies have room to move, but they’re not going to move for everyone. They are going to also in turn be looking for businesses that are looking to place insurance the right way, and that involves face-to-face delivery of the story. So we’ve talked about the art of storytelling at Butler Byers Insurance and why building relationships and really selling the risk matters so much, and how do you do that?

You explain where the business was, where they are now, where they’re going. We talk about new and emerging risks, and we talk about education and the approach our clients are taking to better prepare themselves. We talk about deductible management and their view on claims. We talk about educating the staff from employment practices perspective or cyber liability perspective. And so to answer your question, what can we do? Get your story straight, work on your relationship you have with the insurance market, and if you’re one of the lucky, there is a ton of room to deviate, probably more than you’ve seen years and years, but for the right story and the right plan.

Paul Martin:

Well, you’ve tweaked that age old adage that is the harder I work, the luckier I get because you used the word lucky and I want to explore that a bit, but we’ve got to take a bit of a break, so hold that thought. We’ll come back to that, Colin. You’re listening to Risky Business Commercial Insurance with Butler Byers, I’m Paul Martin. We’ll be back after this.

Welcome back to Risky Business Commercial Insurance with Butler Byers, Paul Martin here, and joining me, Colin Rook, the Commercial Risk Reduction Specialist at Butler Byers. Just before the break, Colin, we referenced that old adage about the harder I worked, the luckier I get, and I think you used the word lucky in saying that people who obviously are trying to be budget conscious or trying to figure out how do I get more for less? And you’re saying it’s not out there for everybody, but it is out there for some who are willing to do what it takes to get it. So let’s talk about that and doing what it takes to be in that small group of people that may see some benefit this year in terms of perhaps lower rates or better deductibles or better coverage. What do we need to do to get them there? And I guess I’m alluding to something we talk about fairly frequently in this program, which is your step-by-step programs.

Colin Rooke:

So if you’re saying, okay, well, how do I take advantage of room to move amongst insurance companies that haven’t been profitable for a while have seen their own costs increase, but now they have room. These are the ones that learned their lesson. They took drastic measures, and in fact, I would argue these are the companies that were the leaders in refusing to write certain lines of businesses. They’re the ones saying as a whole, this group is bad and we’re not going to renew. And they may say, okay, there are some diamonds in the rough out there. We are prepared to look at these high risk categories, but we need to know everything and we need to know everything because our reinsurance needs to know everything. The industry itself is telling the insurers that you have to leverage relationships that you have to tell your story. And so if we can’t pass that story along, if you can’t find someone that really understands the why behind the businesses that you are working with and it has the ability or a new approach to selling that risk, these credits aren’t going to be available to you.

There are certainly people out there that through no fault of their own will see less lessened increases, but again, if we’re really talking about going the other way, taking advantage of some relief and additional capacity markets that have said not a chance to your business for years that may look at it again, we need that proper proactive plan. You need to be working with someone that could sell your business in a way only the owner or the management team could. And that involves skipping the typical application, spending time with the broker, talking about everything, educating both yourselves and those around you in order to sell yourselves effectively to the insurance market.

Paul Martin:

It almost, I don’t think it’s humorous, but it really peaks your, it catches your ear when you say one of the primary tools is storytelling is you got to be able to tell your story, and a that means start with having something to talk about. So you’ve got to actually have some action or facts or something that you can then craft into a narrative that an insurance company can hang their hat on. But historically, I would say that is not the way most people have the impression of the way insurance industry works. It’s mostly about, it’s a financial play, not certainly not a storytelling play, but you’re saying no, this is about your ability to explain why you’re different.

Colin Rooke:

Yeah, I need to stress that working with the broker, there’s always an underwriter. I mean, for outside of small, simple commercial, you have a human being that is making a judgment call on your company, and they have their own book to manage. They have their own loss ratios to manage, and they are compensated based on the performance of their book, and they have room to move and they have room to expand, and they have larger premium quotas they need to hit. And the best way to do so, and to grow in a low risk fashion is to hunt for best in class. And it’s a term that every single marketing rep in the insurance industry uses best in class, best in class, but we know that they don’t stick to their guns. We know that they can’t only insure best in class, but what they can do is reserve the rate deviations, reserve the broadest coverage, reserve the deductible relief, and write down to their approach to claims.

They can do that for those that truly are best in class. But if there’s no vehicle to explain that, if you’re just relying on your broker to say, oh yeah, they’re good, no claims in the last five years, or I know them personally, it’s not good enough because every broker’s job is to place their client somewhere and the insurance market knows, but they all know when they truly uncover a real best in class example. The problem is getting that information out of them, and so you have a conversation around risk if you approach it the right way, put together a plan that is agreeable to both parties and you understand that your company’s being presented to the insurance market. That’s how you can open doors that have been closed for a while. That’s how you can get an underwriter excited about the prospect of adding your company to their book of business

Paul Martin:

In the beginning of 2024. There’s no better time than now to do that because there is on the edges and marginal amounts, some increased capacity available where there are wins to be had if you are one of those very select customers that can qualify for that win.

Colin Rooke:

And you actually made a really good point without, I don’t even think it was your intent, but February, March renewals are probably the best, especially in a good year, some of the best times to have your insurance renewal because it’s a new year, the underwriters haven’t used any capacity yet. It gets a lot more challenging October, November, December. Whereas you ask any broker, when are your busiest months? And they’re going to say, October, November, December. And so we can maybe say that for a different show, but there’s certainly a strategy around when you renew. And so for those listening saying, I’m up in March, I’m up mid-February, great timing for you because there’s more room, whether you look at moving markets or even staying within, but it’s a new year. The mistakes of the past have been wiped away, so to speak.

Paul Martin:

Sounds like another book for Malcolm Gladwell. But listen, we’ve got just a minute left. So put it to you this way. If you had to give advice to a business owner or someone managing a business, what would be your objective for 2024 on the insurance front? What should I be thinking of as my objective this year?

Colin Rooke:

I mean, if we’re thinking working on best in class, it’s really thinking about new and emerging risk and what you’ve done. So cyber liability, cyber crime is not new and emerging anymore, but do you have a plan? And if you have a plan, who knows that plan? And so with all things risk related, do you have a plan? And if there is a plan in place, are you sharing that plan? And so if you need help working on it, reach out to one of us at Butler Buyers and we’ll take care of that for you.

Paul Martin:

Colin, as always, very insightful and very interesting. Thank you for this. You’ve been listening to Colin Rooke, Commercial Risk Reduction Specialist with Butler Byers. I’m Paul Martin. Thanks for joining us for Risky Business. Talk to you next time.

Underwriter Shortage

Home • (Page 2)

Paul Martin and Colin Rooke discuss the underwriter shortage happening in Canada.

RiskyBusiness · Butler Byers Risky Business – Underwriter Shortage

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, the CKOM business commentator. Joining me today, Colin Rooke, commercial risk reduction specialist with Butler Byers. Colin, this is going to sound a bit like a common refrain, but we have baby boomers retiring and not as many people coming up behind them in every silo or work category, and as a consequence, we’re starting to see shortages particularly of experienced people, but people just plain simple headcount in many job categories and insurance is not immune to this. You’ve got lots of veterans who are calling it a career and we don’t have the requisite number of people to replace them. Is that a fair observation?

Colin Rooke:

Yeah, absolutely. There’s a lot of industries out there that are obviously struggling for people and insurance employs about 60,000 people across Canada. And just on the insurer side, actually, I’m not talking brokers or suppliers, and so certainly not immune. And we are inundated with articles about the shortage of claims handlers. And again, they’re not even in that 60,000, but there’s a lot of talk around commercial lines, underwriters, so very, very specific to commercial lines, underwriters. And not to take anything away from personal lines, but on the underwriting side. So not talking about your broker’s ability, but on the underwriting side, personal lines is easier to do and it’s easier because it’s more of a blanket approach. You can get quotes in a 5 to 10 questions answered and a lot of the information is already supplied. So commercial is particularly difficult. We’ve talked about our process, we’ve talked about our risk reduction workshops and our plans and the point of those plans.

So we can tell a story to the market. And the reason why we do that is because if you’re a commercial client that doesn’t fit into a very narrow box, a package, your account is going to be individually underwritten by an individual. And so that means a real human being is asking real questions. They’re putting in their own info into the system, their own take on the risk. They have questions they need answered, and the experience of the commercial underwriter is key because if they don’t know what questions to ask or if they don’t have experience in the industry, it’s not going to work out well for the client that we are submitting an application to. And so when you hear stats that eight, almost 9% of all commercial underwriting staff, or sorry, senior commercial underwriting staff intends to retire in the next three years and the mass exited over Covid at the senior level just saying, you know what?

It’s been a good career. We’re all working from home. I’m just going to call it a career. It is more important than ever that your submission, your story is told. The submission is top-notch. So we talk about top of stack submission, and that just means we present a client in a way that the underwriter wants to get to it first. And we do that simply because, and as evidenced by the fact that we are inundated with these articles, commercial lines, underwriters are out of time, they’re overworked, there
are new entrants into the industry, but you now have a 35, 40-year-old veteran trying to train someone who just joined no experience right out of school. They don’t have the time for the crap, they don’t have time for the subpar risks, I’ll say. And so you aren’t going to get what’s owed to you. There is no asking for a favour. These people are overworked. They were overworked throughout covid, and they’re overworked now. And your submission matters.

Paul Martin:

That’s a very valid point because it takes us to one of the underlying themes that we’ve had in this show over the past few years, which is when you are making an application to get commercial insurance coverage, it’s pretty straightforward when you’re in business, and this is who we’re talking to, business people here. So if you’re a business owner or a manager, listen up. You know how you prefer to deal with your favourite customers because they get what you’re doing. I mean, what you want to be is a better customer of the insurance company so that they will treat you better, give you better rates, give you better terms, whatever, answer your questions. And that the underwriter who you’re talking about, maybe we should just be clear about what that role is, but that’s the actual adjudicator who will field your application from your broker and make a decision about yes or no on coverage. And then if yes, here are the terms. Is that correct?

Colin Rooke:

Absolutely. So they are the final say as to whether or not you get terms and insurance companies do not have to quote you. It is totally up to the underwriter.

Paul Martin:

So we’re back to that point of how do you become a better customer of your supplier of the insurance company? And we’ve argued on this program, and you most articulately of anyone I’ve ever heard, say, if you want good insurance coverage, give them a good story and give them the information. So make it easy for them to make a decision in your favour. And you’re saying right now they don’t have time to get a cup of coffee, never mind train the next generation. So they’re grumpy, they’re overworked, they’re probably not. They’re looking for the easy files. And how do we, what’s Butler Byer’s slogan “Insurance made easy”. Well, how do we make this easy? That’s your point here, I think.

Colin Rooke:

Yeah, it’s a really good point. The easy file. And you have to say, okay, what is an easy file? So you’ve got one individual with 350 submissions all for the upcoming months sitting beside the desk, and they do have to siphon through, sift through and determine what are they going to work on? Well, how do we make your submission glow? And it’s the approach of we narrow down the markets to a very select view. We make personal phone calls to the market to say, we have this fantastic risk that we’re going to send your way. You have a few minutes to hear the backstory. And then we determine then and there if they want the risk. So already they’re looking for it. If they say I do, that means there is a ton of submissions that aren’t going to get a look.

And so we already have a leg up by having that conversation. Then we say, we are going to make your life easy. We’ve done a detailed assessment on the client and most of the questions you are going to have for us about where the client was, where they are now, where they’re going, all the factors that are going help you to determine whether or not you want this risk. It’s already been answered, it’s already been presented, we already know you’re interested. That’s how your submission stands out. And
unfortunately the rest remain. So if you’ve ever been through a traditional remarketing exercise and the broker says, we went to all your markets, but we only received three quotes, well, that broker could have 30, 40, 50, 60 contracts and it just means all the rest did not ever get to it because they never saw any incentive to do that.

Paul Martin:

You didn’t make it easy for them. Their files were the pile in their desk was too big. And they looked at it and said, that’s not an easy one. Too much work. I got too many others to do here. And so when you go back to market and you’re hoping to effectively remarket, and I’ll see if I can find a better rate from a different company, that’s getting harder to do when there’s fewer people that will actually have the capacity to take a look at your file or your application.

Colin Rooke:

And that’s a really good point as well. So you’ve got new applications or you’ve got even a remarket and without additional info, the underwriters, they’ve all been burned thousands of times, thousands and thousands of times where they quote, and there’s no fish on the line, no new business. And frankly, our industry is really bad for never getting back to underwriters ever. So they send out a quote and you just go silent. And the underwriter knows, I guess I didn’t get it. And so you have overworked mid-market commercial underwriters that are saying, I’m already skeptical. Because often the quoting itself is an exercise to price check the existing market. And so again, you’re in this position where they may not put the effort in if you have the appropriate submission, if you have the appropriate story and the appropriate approach, you can explain why are we looking to move it, what went well, what didn’t go well, and why we think the new market is a better fit. And again, we’re adding excitement to the possibility of this prospect moving to that insurer, but the old way cannot work moving forward. There is such a talent gap in the middle. And again, certainly for mid-market. So larger enterprises, more than 50 employees, that type of thing, you might have operations in different provinces or one company that’s involved in different lines of business, US sales, international sales, that takes expertise. And so again, for those remaining in the industry that know what they’re doing, you have to make it easy for them.

Paul Martin:

Alright, Colin, we’ve got to take a break and I want to pick this up for just a minute or two after because you’ve left me with a couple more questions. You’re listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers, this is Risky Business. We’ll be back after this break.

Welcome back to Risky Business Commercial Insurance. Paul Martin here, your host. And joining me is Colin Rooke, the Commercial Risk Reduction specialist with Butler Byers. And just before we get off this topic, Colin, just a couple of thoughts that came from before the break that you left me with. I mean, we’re really in a situation where you’ve got a much tighter supply growing demand and you have to figure out how do I make myself look appealing enough that an underwriter who probably feels a little bit used anyway because you’re just price checking, how do I move to the top of the parade? One of the things you talk about is your step-by-step risk reduction plans and that this is a tool that’s for free to any business owner that contacts you, that you will give them the guide on how to actually fill out the forms and make themselves look more presentable.

Colin Rooke:

Absolutely. And like I said, if you want the credits or discounts or to open up doors that previously weren’t open, you have to do more. You have to show the market what you are doing to become a better customer of the insurance market. Why are you a good risk? The forms, the submissions, the typical submission that the insurance companies generate themselves, so they generate the form and yet the form doesn’t work for them. But there’s no changes to the forms and they all do it. There’s not any one company, and it’s not the broker’s fault. I mean, they’re passing on the forms that were sent to them, but they don’t work. There’s not enough there. And when you’re overworked, you don’t have time to call the broker back and say, “Hey, Paul, the broker, I’m interested in this risk you’ve presented. But as you know, the forums don’t tell any of the story. Do you have time to go through with me?” They don’t have time to do that. They may want to. So you have to present it to them. It has to go to them or they’re not going to reach out.

Paul Martin:

Well, I guess it’s in the hands of the insurance buyer to be your own best friend here. I mean, do the work you can improve your chances, you’ll get a better outcome. And I suppose also, you’re listening to this and you’ve got kids that are graduating from high school and wondering about career options. Here’s a place where there’s shorter people.

Colin Rooke:

Yeah, absolutely. They will train. It’s a great industry, especially if you love to travel. I mean, you could work anywhere in the world depending on the insurer and obviously I love it. But yeah, you’re right. Great point. If you’re listening to this or if you’re a parent with children, have a look. In fact, reach out to me. I can help connect you with insurers if anyone’s interested in a career in underwriting.

Paul Martin:

Yeah, my guess is high school guidance counsellors have probably not got this one on their list, so you have to get it from us here. Yeah, I agree. Anyway, listen, we’ve got four or five minutes left before we have to, we run out of time. And another topic I wanted to talk about, I think there was a report that came out the other day that sort of lists stolen vehicles and you’ve got that ranking, sort of one of the most vehicles most likely to be stolen. And yeah, it’s not really necessarily a commercial topic, but it’s an important one nonetheless.

Colin Rooke:

So every year around this time that we get a summary of all the claims from the previous year. And if you’re wondering, okay, why am I discussing 2022 at the tail end of 2023? It’s because it can take that long to pay out the claims. So then they don’t have accurate data until the year is almost over. But it is funny. So I really like these stats, but if you drive and it gets very specific, so it’s not just a global, the Honda CRV, it gets right down to the year. But if you drive a 2022 Honda CRV, hopefully you’re parking in the garage because it’s the number one most stolen vehicle in Canada and there’s 5,620 of them, and that’s 1.2% of all CRVs of that year on the road were stolen. And so again, I don’t really have any great advice on what you can do, but I make sure you’re watching for those. But another really interesting statistic is, and they’re number eight on the list. So the way they’re ranked is overall amount, but I like the percentages. So if you have a 2020 Range Rover a Land Rover Range Rover 2020, 4% were stolen last year.

That a crazy, that’s a lot. That’s a lot. You’re standing around with a group of your Land Rover friends and you’re at some cars and coffee Land Rover Edition. Well, a lot of those are going to go missing in the year. And like I said, these stats are just kind of fun. A lot of Toyotas, a lot of Hondas. And another thing to note is each and every one of these vehicles can typically be stolen in under 15 seconds. I don’t know how they do it, but it takes about 15 seconds. So with these stats, with the most stolen cars, we also get. the least stolen cars. And really interesting, almost all of the least stolen cars are EVs, which I just find really interesting. Now, you could say, well, maybe there’s less on the road, but that can’t be it they, they’re clearly also hard to steal.

For example, the Chevrolet Volt was one of the least stolen vehicles in Canada, in fact, yeah, it was the least stolen vehicle in all of Canada. But Hyundai Ionic seven thefts, and that’s number nine. I think the Bolt had one in total. And so kind of neat that if you are driving an EV, I don’t know if that means you’re parking in the garage because you’re charging at home or the tech just, maybe there’s a mobilizer. The tech’s pretty good, but looks like you don’t want your car to go missing EV if you do drive a Jeep Wrangler, a Chevy Silverado, a Range Rover, Honda Civic, and certainly the CRV.

Paul Martin:

Well, I’m guessing that what do thieves do with these vehicles? They don’t just use ’em for a joy ride. They chop ’em and sell ’em to somebody who’s going to move them to Nigeria or flip ’em for parts or something. So there’s no market for parts for electric cars yet because there isn’t enough of them on the road. My guess is if you’ve got an EV, you’re probably going to see that increase as time goes by when there’s an end user form at the other end.

Colin Rooke:

Good point. There’s less parts less to take out. Huge batteries, difficult to ship, way too heavy. So we have a really good point.

Paul Martin:

Well, Colin, I’m always intrigued by this stuff, and for a car guy, you probably enjoy these stats. They probably are something you look forward to, but I want to thank you for that and for the insights on where we are in terms of just HR and human resource support in the commercial insurance industry. It’s something that probably most of us don’t think about. You’ve been listening to Colin Rooke, Commercial Risk Reduction Specialist with Butler Byers. I’m Paul Martin, this is Risky Business. Thanks for joining us and we’ll talk to you next time.