Cyberattacks and Cybersecurity


Paul Martin and Colin Rooke discuss cyberattacks, cybersecurity, global cyber liability policies and the myths surrounding cyber insurers and cyber claims.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business, Commercial Insurance with Butler Byers. Paul Martin here, the CKOM business commentator. And as always, joining me is Colin Rooke, the commercial risk reduction expert at Butler Byers Insurance. So Colin, it just seems to never go away, this notion of cyber and cyberattacks and cybersecurity. We’ve had a couple of high-profile ones in the neighborhood here. And people are … it’s just not going away.

Paul Martin:

And I’m sure that business owners feel like, holy smokes. This is one of those things. I’m just a victim on this stuff, right? I don’t know where to go. I buy insurance, but trying to figure out how to protect myself … the IT language becomes something I don’t really understand. And you watch the movies and you see these guys able to, like in three seconds, hack into the most significant defense systems in the world or whatever.

Paul Martin:

And what are you seeing on all of this? I mean, you have to live this thing every day when you’re answering questions from your clients and prospects. What is the conversation about cyber these days?

Colin Rooke:

Yeah. So it certainly has turned into rising frequency and severity. I mean, we’re seeing a lot more, and I know I seem to always see that. But as the months go by, it really is through that looking back, gee, there’s a lot more than a few months ago and a lot more than a few months before that. And so it’s really starting to be talked about more among the businesses themselves. So it’s not the brokers, it’s not just the media, but I think it’s at the point now where everyone knows someone that’s had an incident, whether it’s major or minor. When you bring it up, this idea of data loss, like I said, it’s an ongoing concern.

The other conversation that … and it’s sort of been in the media. Is around, well, if I purchase the coverage, am I more likely to have a claim? Are we at the point now where these cyber criminals, are they just targeting me because I bought something? And I guess it’s important to discuss that. I mean, it certainly is, and the research confirms it, but it really is a myth. And yet, we’ve got several high profile hackers that have suggested, hey, this is really going well for us. The more policies with higher limits, the better off we are. So keep it up.

And I think that’s certainly being talked about, and it’s a question that we’re getting asked around cyber. As soon as I buy this thing, am I a hot target for the breach?

Paul Martin:

That has got to be ironic, isn’t it? I mean, here are hackers, criminals, basically, who have found a very profitable niche. And back to my earlier point, I think probably business owners are feeling quite disarmed in all of this. I just feel like, I don’t know how to go about protecting myself on this thing. And you always talk about step-by-step plans to protect myself so that I don’t end up in a claim. And I just thought, this one just feels different, doesn’t it?

Colin Rooke:

Yeah, it does. And on some levels, there is validity to that claim. Now, if someone enters your system, for example, and they are planning a ransom and they are able to discover insurance documents that would say, certain company has a policy in place and limits of $25 million. There is some validity to, okay, if they can confirm that there is coverage, yeah, they’re more likely to ask for a higher limit. I mean, that makes sense.

However, the real issue, and I guess the real concern … and there’s a couple here. Is if they have to enter the system prior and then sift through the files in order to determine you have the coverage, they’re already in your system. And the easiest way for that to happen is weaker controls. So possibly, the IT isn’t up to par, the internal education is not where it needs to be. You don’t have a cybersecurity plan in place, and you’re certainly not best in class, far from it, on the preparation side. And so you think, okay, well, they’re going to ask for a higher limit now that they’ve seen I have a policy. But you have to say to yourself, well, how did we get to this point?

Colin Rooke:

The other important point to make is that uptake of cyber liability policies is still globally, quite low, at around 15%. And so if you say, okay, well, they’re only targeting those people that are buying the coverage, it’s not really accurate. Because chances are, if they’re inside of a system and they’re planning a ransom, or any number of viruses, whether it’s social engineering or like a phishing scam, again, chances are, I mean, statistically, the coverage isn’t in place and yet it’s still happening to these people.

So just because an incident makes headlines doesn’t mean, one, they were targeted because they have a policy in place. And two, it does not in any way suggest they even had a policy in place. So it’s a couple of big myths that … if you’re thinking, maybe I shouldn’t buy this, because if I do, it’s going to happen to me. Again, statistically, they’re after people that probably don’t have the coverage. And again, if they’ve learned that you do, it’s really too late at that point.

Paul Martin:

It strikes me as the same sort of logic that I hear from people who say, I’m not going to get a will, because as soon as I write a will, I’ll die. It just seems like there is no sequence here, if you buy a policy, you will be attacked. You’re just saying that this is on the increase. More and more companies are being attacked and only one in six are carrying insurance. So think through that one.

Colin Rooke:

Yeah. I mean, it’s a really good point. And quite frankly, similar to the will example, you’re going to die anyway. And from my chair, being in the insurance space and spending a lot of my time on cyber crime, it’s going to happen to you, just like death.

Paul Martin:

It’s an inevitable.

Colin Rooke:

Yeah. And so another really weird … I’ll say myth. And again, another conversation that’s happening, is that cyber insurers, they want their customers … There’s a myth that cyber insurers want these huge landmark claims because more businesses will purchase policies if … again, we’re talking payouts in the millions or millions of files leaked. And so the more it’s talked about the better for the insurance companies. Which, again, it’s happening all the time, but you … So again, one, it’s completely a myth. I mean, there’s no cyber insurance market that wants to see claims rise. And really, it’s because they’re paying those claims. 

Colin Rooke:

And if you look at an organization, for example, that had a $10 million ransom. Let’s call it a Canadian organization, and there’s a $10 million ransom, and there was appropriate coverage in place, and policy limits were exhausted. I mean, that could very well exceed, by five times, the total premiums collected in Canada for that insurance company. And so when you say, well, they want this to happen, this is a good thing. It allows them to sell more policies. Well, even if they sold five times the policies and collected five times the premiums to equal that, the loss ratio is still out of whack. They still have expenses. They’ve got to pay commission. 

And so again, we hear that a lot and it’s just so far from true. It’s to the insurance company’s advantage that, yeah, other people have claims. But they work with you, as do the brokers, to mitigate claims as much as possible, or eliminate it altogether. And that’s how everyone wins in this scenario. Not these landmark claims being paid.

Paul Martin:

Colin, we’ve got to take a break. And I do want to pick this up when we come back, because it’s a fascinating concept. It really is, and we’ve only dabbled on the side of how the insurers are going to position themselves and react to this.

You’re listening to Colin Rooke, the commercial risk reduction specialist with Butler Byers. This is Risky Business. Back after this.

Paul Martin:

Welcome back to Risky Business, Commercial Insurance with Butler Byers. Paul Martin, your host. And joining me is Colin Rooke, the commercial risk reduction specialist at Butler Byers.

Colin, before the break, you were talking about some of the myths, I guess, that are beginning to emerge around the notion of cyber claims, cyber hacking, cyber ransoms, these kinds of things. It just strikes me as really quite interesting, the notion that we could come to the conclusion that perhaps the world has now reached a point where hackers are doing nothing more than harvesting insurance payouts. It strikes me as it’s got to be deeper than that.

Colin Rooke:

Yeah. I mean, it is. And to pick up the topic from before, I was reading an article written by one of the largest global cyber insurers. And it’s really simple, they’re not out fishing for those that have policies. They’re not out trying to determine who has appropriate limits or what areas have appropriate limits. I mean, certainly the larger the organization, you could say the more likely they are to have purchased. Or just have the ability to pay or would pay, to release the data, to avoid fines, penalties, infringements on the digital privacy act, that sort of thing.

But when it boils down to it … and this is really a quote. “Whether businesses want to believe it or not, the ones with weak security controls provide criminals with the paths of least resistance to their systems.” And it boils right down to that. Are you putting in the effort? Are you educating your staff? Are you aware of what cyber crime is? Have you talked to your IT? Are you aware … are you standard in IT security? Are you strong? Are you best in class? And you know, the difference between-

Paul Martin:

That just seems so logical, Colin. It really does. I mean, if I’m a hacker, I’m going to try and hack the ones that are the easiest to get into, right?

Colin Rooke:

Right. And like I said, it’s as simple as that. If you’re not putting the effort in, you’re the target. Policy or not. Ability to pay or not. And the effort does really pay off in this. I mean, there’s a lot of lazy people out there, and there’s a lot of people that go after low-hanging fruit. And if you have organization B with weak controls … sorry. Organization A. And organization B with fantastic controls, you say, well, I’m going to go after the one I’m most likely to be able to disrupt. And that is 100% the case.

Paul Martin:

Well, the moral of the story here is be careful what you listen to, because there are myths out there. But in reality, the basics still hold. Pay attention to what you’re doing, and actually put some focus on trying to protect yourself a little bit. Onus is on you as the business owner.

Colin Rooke:

Yeah, absolutely. Again, back to the myths and misconceptions, I want to make sure that people understand. And certainly if you’re saying to yourself, well, I’m not going to buy it because I’m going to be a target. You have to challenge that way of thinking. Again, similar to your will comment, you will die someday. And if you’ve got weak controls, this will happen to you. And to say that they’re being that specific to targeting those with a policy, I cannot stress enough, the only way they would know that is if they’re already in your system, and they got in due to weak controls.

So the argument against, makes absolutely no sense. And it’s not a matter of if, it’s when. And to take it a step further, there’s the breaches that you know about, and the breaches that you don’t.

Paul Martin:

All right. Well, listen, we’ve covered a lot of ground on this. And before we close the show out today, I did want to just touch on one other topic. So if you don’t mind, perhaps we can take a switch, as we’re starting to hear that maybe the end of this pandemic thing is in sight now.

You have any thoughts, Colin? Or what’s the industry saying, particularly in the US, where they appear to be ahead of us? What are they saying about what the post-pandemic world is going to look like? And we talked in the past about hard markets, we’ve talked about all sorts of challenges, has the end of the pandemic changed any of that conversation?

Colin Rooke:

Yeah. I mean, that’s a really good point. Unfortunately, I don’t have great news. If you’re in the small to medium business category, there were a lot of concessions made because of COVID. Meaning, rate increases needed to occur, and a lot, or even most were deferred due to the strain on the economy, again, due to COVID. And so coming out of the pandemic, whether it’s three months from now, nine months from now, where things are, quote-unquote, back to normal, unfortunately rate increases are probably likely to continue.

The bulk of the industry is not profitable. And again, certainly on that small to medium-sized business, there were a lot of concessions made. In Canada alone, for example, Intact, which would be Canada’s largest insurer, there was over $50 million worth of relief given to Canadian business. So rather than collect more, they actually decreased premiums or amended auto insurance rates to save their customers money. However, it’s still the same poor performing class. They’ve just deferred what they’re going to need to collect later on.

Colin Rooke:

So right from Intact, they said, once we’re out of the hot water, rate increases are going to continue. We still have to get to profitable, even though there was some relief from us. And again, depending on the industry, again, it’s not great news. But if in your category, the insurance markets … and not just in Intact, but all of them. If they weren’t profitable, but they were easier on the class, again, due to the timing, those increases are likely to continue.

Paul Martin:

Well, that’s quite an interesting. We’ve got about a minute left. I just wanted to touch on that, because people like you and I have been talking about big rate increases for small business and if, what you’re just saying now, is the insurance companies were throttling back on that.

Small business guys would say, well, I heard those guys on the radio and they said rate increases were coming, but I didn’t see it. So maybe they just don’t know what they’re talking about. You’re saying, that’s false comfort, that the rate increases are coming?

Colin Rooke:

Yeah, absolutely. I mean, there is certainly a joined effort to look at those industries that are hit hardest, whether they were closed entirely, severely reduced hours, capacity, that sort of thing. And they said, the larger organizations can handle it now or are more likely to. However, the smaller enterprise probably could not.

Again, Intact is not a sponsor of the show, however, they did a fantastic job with premium relief, or holding rates. Automatic renewals at no increase at all. I mean, they really did a great job. If you were a small or non-profit, they just issued relief checks without being asked. But again, doesn’t mean the claims went away. They just said, we’re going to do our part to help. And there’s other great insurance companies doing the same. And unfortunately, as we come out of this, you’re likely to get what was coming that was put on hold due to COVID.

Paul Martin:

Colin, we’ve run out of time. As always, very insightful stuff, so thank you. I want to thank you for that. You’ve been listening to Colin Rooke, commercial risk reduction specialist with Butler Byers. This is Risky Business. Thanks for joining us. Talk to you next time.