Incidence Planning and MFA


Paul Martin and Colin Rooke dive into cybersecurity and incident planning once again, discussing the right insurance plan to protect your business from cybercrime.

Listen to the full episode here, or read the full transcript below.

Paul Martin:

Welcome to Risky Business, Commercial Insurance with Butler Byers. This is Paul Martin, the host, and also the business commentator on CKOM. You hear me every day on the airwaves here, and joining me today as always, our expert, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers.

Colin, we’re going to talk about a topic that, well, we’ve talked about a lot, but you know, we do it because it’s always changing. It’s always updating. And we’ve got more information on the world of cyber, cybersecurity, cyberattacks, and how business needs to be taking a look at this. This has been one of those things that’s always been a presence. I guess we’ve always thought about it, we’ve talked about it, but clearly it’s getting to be much, much more important in terms of how you run your business, how you treat your customers, all that stuff. Data is now king, and protecting that data becomes ultimately important. So we’re going to talk about cyber today, and are there some things that are new on this front that we need to talk about? And that’s why we’re bringing up the subject today.

Colin Rooke:

Yeah. We have talked a lot of cyber, and really the purpose of this show is to educate businesses on what’s new and emerging, how it’s going to impact them, what preventative steps can be taken to mitigate the risk, and transfer the risk, avoid the risk altogether. And so, when you look at how rapidly cybercrime is changing, it’s pertinent to discuss, okay, well, how has the risk changed? How has the insurance market adjusted due to the increased risk? And then, what do businesses need to know so they can get ahead of what’s coming, what the requirements are, and certainly how to mitigate, as best as possible, any future losses.

By the end of 2022, about 65% of the global GDP will be digitized. It just shows that the more we push to a digital world, digital platforms, the more incentive there is for criminals to capitalize on that. And so, a big trend in cyber crime is now small business. I’ve touched on this before, but three to five years ago, you say, “Well, this is a large organization. If we put a lot of work in, we can go for the big fish, the whale, and we can extract as much data, or maybe there’s a ransomware incident, we can get as much money out as possible.”

Now the focus really seems to be on the masses. It’s small business that’s being attacked. Overall claims severity has risen by 56%. We’re seeing a 40% increase in ransomware for small business, a 54% increase in funds transfer fraud, and so it’s now the low-hanging fruit. It’s more profitable to cover the masses rather than the select few, and so that’s why I think this discussion is so important. And we’ve got new requirements in the market, and then we’ve got a tool that you can use that really, anyone can implement very quickly to satisfy some of those requirements.


Paul Martin:

I wanted to talk about that. You always had tools available. I mean, we’ve always told people on this program, give Colin a call. He’ll give you a step-by-step kind of program to help put some best practices in place. But you’ve now got one that is really related to, suppose you’ve had an incident, now what? This is kind of an easy-to-use guide, a step-by-step plan on that one.

Colin Rooke:

Yeah. We’ve talked about the value in having an incident response plan in the past, and it was really good to have, or call it a wish list item. And for those larger clients, we would really push to get that in place, and we would use that to negotiate with the insurance markets and overall just mitigate the level of risk. And with the increase in frequency and severity towards small business, and these are organizations under 25 million in revenue as a classification, our older plan, or our other plans, call it, are pretty involved; this one is, call it, a small business incident response plan that really anyone can use and can implement quite quickly.

What I like about it is, a lot of the hard work is done for you. All the wording around how to recognize a security incident, it’s done. You don’t have to figure it out yourselves. And for every organization, you have to have key roles. You have to have, well, who do I contact if this happens? Who’s our IT person? Who’s our information security officer? And we’ve got a great template for that. But then where businesses get hung up, the smaller enterprise, and again, under 25 million, is building out the job description, the roles, and we have that done. I mean, you can nip and tuck, you can change, really, you can do whatever you want, but we’ve taken out all the legwork. And really, I don’t want to say it’s plug and play, but you could do that, and after that, you just have to review quarterly. We can say with confidence, “This is in place. They’re following it. It’s being reviewed, and they know what to do in the event of an incident.”

Paul Martin:

And when you say, “We can, with confidence, say this,” you mean that when you’re going to talk to the insurance company about the possibility of putting a plan or a policy in place for that client, right?

Colin Rooke:

Yeah, absolutely. We spend a lot of time working with underwriters and their cybersecurity departments to say, “Okay, well, what constitutes a plan? What do you need to see? How often does it need to be reviewed? How complex does it have to be?” And so, we know this plan works. We know that it’s, from their perspective, well written. It checks all the boxes. And as long as we’re saying, “Okay, this is implemented and it’s being reviewed,” that we can say, “They’ve got a full and complete incident response plan in place designed for small business.” We do have the more involved, larger as well, but this works.

And then when we’re asked, when looking for cyber liability coverage, “Is this in place?” we can say “Yes,” or get to the point where we’re at the point now, where they’ll say, “Are you planning on using your plan?” And we can say, “Okay, it’s not done, but we guarantee by X time, it will be done.” And it’s working very well for us, and it’s not a lot of work for the end user because we’ve done all the complex portions.

Paul Martin:

Colin, I’m assuming the insurance companies are probably getting tired of these kinds of claims. And so, when you come forward representing your client as the broker, and you say, “We have this in place and it’s being reviewed quarterly,” and there’s the pre-event planning and then the post-event steps that you take, how does the insurance industry respond to that? I mean, you come forward and you say, “Here’s the case we’re making on behalf of the client.” How do they react?

Colin Rooke:

Really good point, and so due to the global increase in frequency and severity of claims, we’ve got underwriters looking for any reason not to offer the coverage. They’re looking for no, and lack of incident response plan is a big box. You don’t have it, we’re not going to look at it. And so when we say, “Look, we know what you’re thinking, and we know what you’re going to ask in advance, and we have either done that, or we’re working on it,” it provides incentive to say, “Okay, this is a good risk, and so we want to work with them. We want to even offer coverage.”

You know, it’s no longer sort of a fight to say, “Well, who’s going to offer similar coverage for the least amount of premium?” It’s reasons to offer it at all. Right now, one of the largest global cyber insurers is not taking any new business from anyone anywhere due to losses. And so, if we can go to those remaining markets and say, again, “I know what you’re thinking, it’s bad, but this client is already working on it,” you’re going to get the coverage.

Paul Martin:

All right, Colin, we’ve got to take a little break. I’m finding this really quite intriguing, so I want to pick it up after we come back. You’re listening to Risky Business, Commercial Insurance with Butler Byers. Back after this.

Welcome back to Risky Business, Commercial Insurance with Butler Byers. Paul Martin here, and joining me, Colin Rooke, Commercial Risk Reduction Specialist with Butler Byers. Colin, before the break we were talking about some of this new small business incident response plan that you’ve got that kind of is a post-fact thing. You’ve already been attacked, and here’s how you cope with it. What is changing on the front in the preventative side, if I could do that? I mean, insurance companies, they spend, as you said, lots of money on this thing in paying out claims. They’re probably upping the bar too, in order for you to get in. What are some of the things that business owners need to know about?

Colin Rooke:

Yeah, great question. In addition to having some sort of incident response plan, I mean, we’re hearing all the time about multi-factor or two-factor authentication. Again, this used to be a sort of a wish list type item, or sometimes the markets would say, “We would like to see this happen by X amount or X day.” Now it’s a hard no for organizations of any size, other than the very small. If it’s not in place, they’re not offering terms. And if they’re offering terms, you’re paying a sizeable premium if this is not in place. And so, it’s really important that we discuss what multi-factor authentication is and why you would do that. But again, if you’re looking at cyber, if you fall into a category where there’s an exposure, which I would say, every business has one, if this isn’t done in advance, it’s just not a possibility for you.

Paul Martin:

That’s a fairly recent development, isn’t it? I mean, would we categorize that as being part of news? Here’s something new you need to be aware of as a business owner, looking to buy some insurance?

Colin Rooke:

Yeah. It started in 2021 and it was really, for the most part, around 2021. And it was all, if you were in a high risk category, they’d say, “We need you to have multi-factor.” And from there, it has expanded to, it could be a hot dog stand, and they want you to have multi-factor.

And it’s really quite simple. When it comes to password and password protection, you’ve got your username and password to get into your email, to get into your server, to get into anything. And all this does, all multi-factor does, is add one more factor, one more step, when trying to log in. In most cases, it would be a text message with a randomly generated code that you would plug in, or when trying to log in, to just show, okay, one more step that this is probably the individual trying to log in. It’s very, very simple to crack usernames and passwords. It’s a very, very simple loop that almost any hacker can develop, and therefore, this is just one more step to thwart, certainly, phishing scams, ransomware, malicious code, a lot of these sort of hot button incidents.

Paul Martin:

What kind of response are you getting from business owners now when you go and talk to them and you say, “Listen, this is now part of the requirement plan. If we can’t check this box, in all likelihood, we’re going to get declined or it won’t be very appealing, the insurance company’s response,” are they surprised to see this? I mean, these developments … Are people sort of, “Holy, I really didn’t realize this was really serious stuff, I guess.”

Colin Rooke:

Yeah. I think you get a lot of eye rolling. It sounds onerous to implement. It’s just one more thing we have to do. It’s tedious. Yeah, it’s going to take time. It’s going to be costly. And the funny thing about multi-factor, I mean, when logging in, we’re talking another three-second step, depending on which form. It could be facial recognition software, where you log in, you quickly look at your phone and you’re in, or you quickly type in a password.

But to dispel a myth out there, most multi-factor is completely free. We’re not talking about, go get a quote and add it to the budget. It is totally free. I mean, Google has free multi-factor, and anyone using Microsoft products, depending, I’ll say, on how current your software is, again, free. And so, a little bit of time to implement some … But otherwise, very, very useful, very, very beneficial, regardless of whether or not you carry the coverage. Nobody wants to go through ransomware. I can personally guarantee, nobody wants to go through ransomware, and so one little step that after two or three days becomes second nature, and that’s it, you’re done. It’s taken care of.


Paul Martin:

Reminiscent of that debate we had some years back about buckling your seatbelt. Now, nobody even thinks about it, right?

Colin Rooke:

Exactly.

Paul Martin:

We’ve got a couple of minutes left before we run out of time, but what we’re talking about here is insurance companies are starting to say, “Hey, I’ve got to up the standard for my client’s performance.” What’s causing that? I mean, you alluded to payouts are big. I mean, do you have some stats on that? I mean, why are insurance companies doing this stuff?

Colin Rooke:

We’ve talked about the hard markets and weather-related events and claims being paid from ’18 and ’19 sort of hitting the books in ’21 and ’22. But when it comes to cyber itself, it’s just not a profitable line of business. And there’s no end in sight. We’re in a scenario where insurers cannot collect enough premium at this point, and so anything they can do to get what they would deem bad risks off the books, they’re going to do that.

To talk about, sort of quickly, what’s going to come next, it’s going to be encryption. So, I’m going to say it now that large organizations, again, it went from a wish list to a must-have, medium and small, give it a year. And we’re going to be recording this show, and I’m going to be talking all about encryption and the fact that it’s also now mandatory.

Paul Martin:

The numbers, though, on the claims have been going up, haven’t they? I mean, it’s no longer just anecdotal. We’ve actually got stats on this stuff.

Colin Rooke:

Yeah. It is. Like I said, claims severity rising 56% for small business, so how often incidents are occurring, it’s increasing, but then the cost of those incidents is skyrocketing as well. And I’ve said this before, but I do want to say again, there’s an attitude out there that, I buy cyber liability insurance, so then therefore I’m a target. But there’s no relationship to whether or not you purchased it or not when it comes to incidents. It’s just whether or not you’re able to transfer some of your losses to an insurance company, or you’re self-insuring that in-house. I mean, that’s really the only differentiator.

Paul Martin:

Colin, as always, very insightful. I want to thank you for this. You’ve been listening to Colin Rooke, Commercial Risk Reduction Specialist with Butler Byers, and feel free to call him anytime. If you have any questions, he’d be more than pleased. Colin or any member of his team would be pleased to have a conversation with you. Thanks for joining us. I’m Paul Martin. Talk to you next time.