Coronavirus, COVID-19 Cyber Risks and Insurance

Apr 10, 2020, 31 min

Episode description

Subscribe to Tools & Intel
CRC Group Online

Featuring:
Amanda Harvey, Partner with the Law Firm of Mullen Coughlin
Sebastian Swain, Broker with LA Execpro

As COVID-19 continues to spread across the U.S., organizations and businesses are taking seriously their responsibility to facilitate social distancing as we attempt to slow the spread of the virus. While there are many benefits to working remotely in the current situation, remote work can place greater strain on IT systems and increase cyber risks. Both employers and employees need to take action to protect themselves and business continuity. Remote work isn’t a new concept and is considered the norm within many organizations. However, some businesses have never needed or utilized large-scale work-at-home plans prior to the current pandemic, and may not be aware of their cyber vulnerabilities.

Visit REDYIndex.com for critical pricing analysis and a snapshot of the marketplace.

Do you want to take your career to the next level? Join #TeamCRC to get access to best-in-class tools, data, exclusive programs, and more! Send your resume to resumes@crcgroup.com today!

Transcript

Speaker 2

This is the Placing You First podcast. I'm Dan Wentz, and this podcast features news and insights from CRC's vast knowledge base of 2000 plus associates who write in excess of $8 billion in premium annually, and we're giving you insider access to what's happening in our company and the types of insurance we place. On this edition of the podcast.

Speaker 3

People at home, people working from home, people distracted because schools are out, they have kids or animals. It creates a situation where a, an organization could become more vulnerable.

Speaker 2

This is the placing you first podcast. You are now by Amanda Harvey who is [inaudible]

Speaker 4

partner at the law firm of Mullen Coughlin and she focuses her practice on providing organizations of all sizes and from every industry sector in first-party breach response and third party privacy defense legal services. You have been a great resource for us here at CRC Group, so we thank you for that Amanda, and welcome to the podcast. How are you doing today? Well, happy to be here.

And we've also got a specialist from CRC Group, Sebastian Swain, who's a director with CRC's Execpro practice group responsible for placing and managing management liability insurance including cyber. What's up Sebastian? How are you? Well, Dan, doing well, living the quarantine dream.

You know, while a lot of us think that working from home is great because we get to spend more time with our families and our pets and we have a little more freedom without that commute into the office every single day. There really is a host of issues that comes with it from a cyber perspective. And that's why we've got Amanda and Sebastian here. What does this mean for employers and employees? Let's start with Amanda.

Well, what do you think the risks are here and what can we expect from a working from home standpoint as far as employers and employees go?

Speaker 1

A couple of things. First and foremost is that, uh, employees have a duty. Okay. That's, that's the first thing I want to make sure that everybody knows: employees, not just the employers. Everybody has a duty to make sure that the environment is secure. So with this new environment that we have is working from home, we have what I like to consider just three different things going on here. One is an increase in dependence on the, uh, digital infrastructure.

Okay. Two is that you have also an environment where cyber crime exploits fear and uncertainty, and three, more time online equals more time for risk. Okay? So when you have those three things going on and you have people at home, people working from home, people distracted because schools are out, they have kids or animals. It creates a situation where a, an organization can become more vulnerable and the employees have an obligation to understand that as well.

And the employers should be communicating that so that we can make sure that the environment is secure and you're still protecting client information.

Speaker 4

Okay. Let's talk a little bit

Speaker 1

about these specific cyber risks that exist. So what are some of the things that employees and employers could be experiencing during this time when everybody's working from home? It's, some of the things that we can be experiencing is that we've seen an increase in phishing emails. It's up 350% just last month. Okay. So people are working from home and they're going to start seeing an increase in emails that are phishing emails.

All right, so that's one thing that we can actually see that we're starting to see that we need to prepare for. Another thing that we need to prepare for is the distraction element. So people are more likely to click on items without checking whether or not they are actually proper and moving forward with that. So we have people working from home, we have a distraction, and we have the cyber criminals who are taking advantage and exploiting that kind of situation.

Speaker 4

Yeah. It seems like every time we have a situation or a vulnerability, there is someone there to take advantage of it for sure. Especially right now. And if they're not, if you don't think they're out there hunting for ways to get you to click a link or to steal your private information or somehow harm your business to their benefit, I think you would be mistaken. They certainly are doing that. Sebastian, do you feel like this is important?

Are there solutions for this from an insurance side to help businesses who are now finding themselves with more people working from home?

Speaker 5

Yeah, I would say, uh, you know, fortunately, in an unfortunate situation, cyber coverage is broader than it ever has been before. Um, and you know, most companies haven't been prepared for this type of fully remote workforce. So whether that meant they had enough laptops that were already, uh, had the right types of software loaded and security programs loaded, um, in order to distribute that to those employees.

So when you're lacking that kind of infrastructure, now you're going to have employees that are using personal devices to connect to company systems. Um, and it's really hard to deploy the type of, you know, robust security software that you would need. Um, when, you know, employees can't bring those devices to an internal IT team to get them to make sure that, you know, it's uploaded properly and that they're compatible, that type of thing.

And you know, beyond that, you know, companies weren't really prepared for this in terms of their own policies and procedures. So most never really contemplated this type of risk. So the employees were never really given maybe appropriate training on it either. And you know, cyber risk really comes down to employees. They are truly the weakest link.

You could have the best security software out there and get a robust policies and procedures, but ultimately it comes down to employees and all it takes is one employee, um, to click on something. And as Amanda was saying, you know, 350% in social engineering sort of type attacks, you know, 79% of all successful data breaches started with that type of social engineering. So at the math of risk, um, and it really comes down to employees, you know, having that security mindset.

So I think it's easier when they had that in the office setting. I think when you are at home, you know, further to what Amanda was saying, I've got all these distractions. It's hard to have that security mindset at home, but it's more important now than ever.

Speaker 4

So what steps can, can insurance agents be telling, you know, communicating to their insureds as far as, is there anything they can be doing outside of insurance to help them better mitigate the risk?

Speaker 5

Yeah, absolutely. Um, you know, first thing they can do is review their policies and procedures. Um, you know, another thing they can do is enable multifactor authentication, which is, you know, you have a text that goes through and that sort of confirms your login credentials, that type of thing. Um, you know, connecting through a VPN as opposed to an RDP is more secure. Um, you know, having some updated out-of-band authentication requirement for wire transfers.

You know, you have somebody's cell phone saved, whoever is doing that in accounts payable, um, that, all that is going to be really important now.

Speaker 4

Amanda, do you have anything to add as far as solutions or what insurance agents should be talking about or communicating about right now? The types of risks out there? I think we covered phishing and personal devices, network system failure. Is online selling something that we should be concerned about?

Speaker 1

Yeah, we should be concerned about online selling. We should be concerned about ransomware. There's all sorts of things that we should be concerned about and vigilant on the way that we're looking at things. I think that Sebastian's right, the first thing that we need to do is start with training.

Okay. And unfortunately in the, the world that we live in right now, we didn't have time to, I shouldn't say we, a lot of companies didn't have time to properly train their employees for what to look out for and what to do. It's not too late. Okay. So that's, that's one thing is to say, let's go ahead and start training the employees. Let's start training them and explaining to them about online purchasing, about how, um, the fear that's coming from this kind of, uh, the coronavirus. Okay.

Uh, when you start seeing emails that says stuff like, uh, click here for your invoice or click here in order to purchase, uh, masks, that's a big one that we're seeing right now. Okay. You can get all the medical supplies that you need in order to keep yourself safe from the coronavirus. Click here. A lot of times those are actually just, they're not appropriate.

So that's absolutely something that we're seeing with the online purchasing is that again, it's going to the fear of the, the person that's clicking. And the first thing that we can do is start with the training as Sebastian's saying.

Speaker 4

And Amanda, have you heard anything about, you know, just like we're using right now, a video conferencing service, is there any of those out there? Are there any concerns around meetings, those kinds of systems?

Speaker 1

Absolutely. That's a, that's another thing I think that a lot of people are now starting to hear about the, uh, the Zoom bombing. That's a, that happens to be where, uh, someone can actually, a third party threat actor can interject themselves into a Zoom meeting. And, uh, sometimes you actually know that they exist because they are yelling out profanity, making themselves known.

But other times you may actually not know that they exist and they are just looking at lurking in the background to steal client information. So that's, that's something to think about. Um, Zoom had actually said that they, uh, had end-to-end, uh, encryption and they didn't.

Speaker 4

Yeah. Wow. I mean, you shouldn't be saying that if you don't have it. Right. I mean that should be an assumption. I would think

Speaker 1

so. So that's, that's something to think about. I mean, as we are interacting in our daily environment and we're talking about corporations, we're talking about schools, we're talking about all sorts of different environments that are using this kind of platform, like what we're doing right now, which is a secure environment. But that's something to think about, especially if you're going to be talking about anything that's confidential, proprietary, privileged information.

Um, if you're going to be providing any type of financial information, social security numbers, anything like that, make sure that you're doing it in a way that is truly secure. Uh, and not just emailing anything out. Um, just make sure it's, it's actually being protected.

Speaker 4

Yeah. At first, look, it doesn't seem like video conferencing would be that big of a concern, but when you consider the telemedicine stuff that's going on right now, when you consider proprietary information for a business, how would you feel if your competitor or someone who was meaning to do harm to your business was listening in on a conversation that's kind of scary?

Sebastian, does insurance address these types of risks with the video conferencing and you know, losing information or getting your information stolen?

Speaker 5

Yeah, absolutely. So, I mean, the, the origin of cyber policies was to address, you know, a data breach of personal information. They've, they've evolved beyond that now to incorporate insuring agreements that are addressing business interruption. Now that's your own systems that are going down. So, you know, with all of these companies moving towards remote workforces, the network traffic, um, is actually causing systems to crash. Whether that be email, you know, payment systems, et cetera.

So, you know, that's the big exposure now is their infrastructure wasn't set up to sort of handle that traffic. Uh, further to that, if they are dependent upon others, sort of say cloud providers, to, um, you know, continue business as usual and those cloud providers, you know, I think of you guys, it's scenic though, you know, WebEx and Zoom itself, um, had been having really big issues right now with so many people moving towards these conferencing platforms.

So you know, if that causes an interruption to your, your business because your employees can't do their jobs, then you know you have a loss that we call dependent business interruption or contingent business interruption. And that is also something that cyber policies are addressing. You know, further to that, you have all these crime coverages now.

So you know, whether it's social engineering that's a result of funds transfer fraud, which is when a hacker tricks a bank into issuing a wire transfer, or fraudulent instruction, which is when an employee is actually tricked themselves, which I think is going to be the real risk.

Now, you know, to what Amanda was saying earlier and with a lack of out-of-band authentication, you know, I think we're going to see a lot more wire transfer fraud that's falling into that fraudulent instruction bucket. But that is something that you should be getting on your cyber insurance policy.

Usually that is a sublimited coverage, whether it be a hundred thousand, 250,000, you know, we have some markets that we'd get higher sublimits as well, you know, pending some underwriting information. But I think that's going to be huge. And, I mean, obviously ransomware, which has been seeing, you know, triple digit increases year over year for the last few years just because it's so easy for hackers to use. There's ransomware as a service.

You know, there's, this is an industry now, the cyber criminals and you know, we've seen in the news that they said that they weren't going to attack, you know, healthcare organizations that were going to give them a break. Well that clearly hasn't been the case because they have, there just been some recent ones reported where healthcare organizations were taken down. And if you think about it, those are going to be the most vulnerable ones because they have to be up and running.

Especially now more than ever. So they're going to pay those extortion demands or they better hope that they had a robust cyber policy in place where you have all these vendors that are part of these panels with these insurance companies they can respond to immediately.

You know, you have a law firm like Mullen Coughlin, um, where they can get in and tell you immediately like this is, these are the steps you need to start taking to protect yourself and protect your employees and your customers, your patients that probation as well as know the storage for backups, that type of thing. So you know, for a lot of small, medium sized businesses that maybe don't have IT departments, I think it's more important now than ever for them to get a cyber policy in place.

Just for the response,

Speaker 1

and if I can just talk a little bit about that as well, is that it's expensive to actually respond to a cyber incident. Okay. We're not just talking about paying a ransomware. If that's something that you intend to do or need to do. Um, but you're also talking about the forensic investigation. Then you're also talking about having to provide notice to the individuals if there was a compromise of PII and/or PHI. And then also figuring out do you need to notify any regulators because of that.

So there's a lot that goes into the, uh, the breach response, incident response with it. That forensic investigation could be thousands and thousands of dollars. Uh, and there's some events without again, talking about how much of ransomware is where you're paying six figures just to do the forensic investigation, possibly data mining, all sorts of other things that come into it.

And one of the other things that we're seeing is not just if you have viable backups, not having to pay the ransomware or the ransom, we're also seeing a different kind of ransom as well with, uh, with Maze, stuff like that. And I don't know if you've heard about that Sebastian, but it's where the threat actor is actually exfiltrating the information and posting it on social media. Okay. So it's not just holding it for, uh, for ransom and that you can get it back.

It doesn't matter at that point. Also, if you have all of the, uh, the viable backups, if you don't want your patient information, client information, anything out there on social media, then you're also being forced to pay in order to keep that information secure and sound. So it's, it's a whole different world that we're living in with the ransomwares when we're talking about that as well.

Speaker 5

And right now especially you're talking about a time where employers aren't making as much money, so you're going to have just revenue loss and potential layoffs. I mean, you know, can, can you be a going concern if one of these, these types of events happens to your company? I don't know. But I would say that a cyber policy due to a lot of market competition over the last few years has driven these policy rates below where they should be.

You know, it's, it's a relatively cheap hedge to protect yourself.

Speaker 4

Yeah. And more to that. What would, let's have Amanda respond to this and then maybe Sebastian, you can too. What would you say to insureds or agents who, despite all this information, despite the news stories about these different data breaches, still don't think this is a priority for them?

Speaker 1

I would say just pick up a newspaper and I may be dating myself by saying newspaper, but I just go on the news, take a look and see what's going on. Uh, if you believe that your employee with 100% certainty won't make a mistake, and that's all it is, it just takes a mistake. Okay. If you think that, that can never happen. Uh, it, and it just a can, it can happen to just about anybody. And we're starting to see, um, cyber attacks with the, uh, Health and Human Services.

We're seeing cyber attacks with cities. We're seeing cyber attacks with just about any type of organization. So nobody is immune from it. Uh, the, uh, especially if we're going to keep it to, right now with the current virus, what I'm seeing a lot is we keep on being told to practice good hygiene, right? Wash our hands, not put our hands on our face. There is something actually about practicing good cyber hygiene. Okay. And that's what we need to do is practice good cyber hygiene.

And that's where Sebastian comes in also is that it's a, it's something that everybody has to think about whether it's purchasing a policy, whether it's the best practices, whether it's training the employees, what can we do to practice good cyber hygiene. And that's what I would say is that don't we want to practice good hygiene?

Speaker 4

Yeah. And Sebastian, from an insurance standpoint, a part of that solution and practicing good hygiene is really having a backup, uh, and insurance policies so that when things do go wrong and they probably will at some point if you're a large enough business. Um, and um, I'm sure this applies to small business too. Don't you need to have that insurance policy there to, to cover the response and all that?

Speaker 5

Absolutely. And, but it's not just, uh, that, um, a lot of these top cyber markets now have a lot of pre-breach services. So they have a lot of training. They have sample policies and procedures, you know, they have, you know, the ability to report something even if they don't think something's happened. So they're offering a lot of services because it's obviously in the carrier's interest to not actually end up having to pay out on the claim to make their insurance better insurance.

So there's a lot of services that are being offered as a value add to the insurance policy as well, which is a massive benefit. And frankly there, there has been a relatively low uptake on those. So it's not enough to just have the cyber policy in place to what Amanda was saying. You really need to practice good cyber hygiene because, you know, ultimately you don't want to deal with it. I mean, the cyber policy is there if it does happen, but it's better if it doesn't happen at all.

Speaker 4

Right. And so when, when an insurance agent comes to a CRC broker like yourself, Sebastian, what kind of value do you guys add to it and where can you really make yourself valuable in the placing the risk, uh, part of the process and submitting it?

Speaker 5

A lot of it comes down to education. Cyber has gotten a bad reputation in the past because a lot of insureds thought they had cyber coverage, but really it was just a small sublimit on say a property policy or some other type of policy where you know, there was maybe a little bit of third party liability coverage, but there was no breach response coverage. And so all of a sudden you, you know, uh, an attack happens and you think you're covered but you're not.

So a lot of it comes down to educating agents on, you know, what the benefits are of a standalone robust cyber insurance policy. And then it comes down to looking at that individual insured on a case by case basis to see what their bigger exposures are and to show them how the policy is going to respond to those exposures. Um, for many small businesses, they don't have a lot of personal information.

They might have personal information on their employees, which I would argue is sometimes much more important than their customers', uh, information. Um, because then you could end up with a presenteeism issue. And if you know, all of your employees have a fraudulent tax returns filed on their back. So even if they don't carry a customer's information, you know, they have employee information, that's important.

But for a lot of them, if they get hit by ransomware, you know, and their business shuts down and they have appropriate backups, they can, they, you know, make money and survive another month. I think anything, uh, we've learned from this pandemic is that a lot of companies need cash flow and if they don't have that revenue coming in, they can't survive more than 30 days. So yeah, I think it's very important that the true risks for each insured are conveyed.

Um, in terms of what the policy is actually providing for them. It's not always about responding to a breach of customer data. You know, it's about providing that extortion demand coverage, business interruption coverage, social engineering coverage I think is huge. So I think that to me is the most important thing around educating agents and insureds about what their real risk is.

Speaker 4

So really you can, you can tell them and you know, ask the right questions to get to a place where you go, maybe you should have this type of insurance, you know, you're at risk for this. That, that makes a lot of sense to me. Are the, is there anything specific that insureds should be considering as they prepare their cyber submissions?

Speaker 5

Um, you know, most of the applications have very similar questions. Um, fortunately at this point a lot of carriers have a lot of data on the risks, sort of an aggregated, uh, point of view. They know from an industry by industry perspective what the risks are with each. And so that's kind of how a lot of them are actually charging for these policies or, you know, addressing certain other fringe coverages. Like are they providing contingent bodily injury, property damage.

It say it's a health care organization. Are they providing Pickler high tech betterment coverage of, it's a healthcare organization. You know, if it's manufacturing, are they, you know, fully excluding coverage if there's an attack on their SCADA systems, their industrial control software, which might interrupt actual manufacturing.

So I think it's important to have a broker who understands, you know, where the bodies are buried in different policy forms and can address those for that specific insured.

Speaker 4

Absolutely. And Amanda, where along the process does Mullen Coughlin come in, the law firm of Mullen Coughlin? Where, where, where do you meet with clients in the whole process of cybersecurity and cyber breaches and all this?

Speaker 1

Typically, I'm hoping that we are one of the first phone calls made with any type of cyber security incident, whether it be ransomware or email interruption. Anything. Okay? Because what we're able to do, uh, the attorneys at Mullen Coughlin, this is all we do. It's a cyber boutique. This is it. This is what we do. Okay? What I explained to any insured, any client that calls us, is that we offer two things. Okay? The first thing is let's get your environment back up and running. Okay?

Let's make sure that your environment is secure. Let's make sure you haven't lost any data and make sure we get you back up and running. When you're talking about loss of business, make sure that your website is functioning. Again, you're getting phone calls, your emails not down, that you're able to actually continue to conduct business. Okay? We do all of that.

While we're doing all of that, we're also going to be doing the forensic investigation to determine, okay, was there any type of compromise of PII or PHI if it's a covered entity. Okay. PII, personally identifiable information, PHI being health information. And that is, and then once we figure that out, okay, if there has been a compromise, then we need to start thinking about do we have regulatory obligations? Do you have notification obligations?

Uh, Sebastian had commented on how important it is to get a company, make sure that they have the policies and procedures in place. Well, if you end up having a breach and that you have to report and you have to report it to an AG's office, depending on what state is involved, or to the OCR (Office of Civil Rights) if you're a covered entity, if they open an investigation, they're going to want to see your policies and procedures.

All right, so the things that you had prior to this incident, they're going to want to see what have you done to secure people's information, what have you done to make sure that everything's being private? And if you don't have that in place, you better get it in place.

And we will help with all of that from the very start of the incident with making sure the environment's sound to the very end, making sure that you are complying with all the various states', uh, regulatory obligations, legal obligations.

Speaker 5

I think I would like to add to that as well is that, you know, that's an important consideration for brokers when reviewing, you know, quotes from different carriers is there are markets that will exclude claims if a company is not, you know, abiding by their own privacy policy.

So, you know, if those policies haven't been updated, um, for this type of remote workforce, you know, a lot could end up having claims precluded just because their employees were not following their own policies and procedures.

Speaker 4

It's a very good point, Sebastian. That's great. Well, thank you guys very much for today. Before we wrap this up, is there anything we missed that you think we should have talked about or we should've brought up specifically about insurance, coronavirus, everything is going on right now with cyber?

Speaker 5

Um, the only other thing I would add, and again this goes further to what Amanda was saying, is that, you know, now more than ever it is important to report, you know, make that call. If you think something has happened, you're not sure, did you kind of breach your mouth.

You know, cyber is different from a lot of other types of insurance policies where, you know, historically speaking, insureds might be wary of reporting something for fear of premium increase and it's just not really something that we see that much in the cyber space. And ultimately it's just far better for you to get ahead of something and report the incident no matter what. So you're not going to get penalized for it.

You know, a carrier is going to save a lot more money if they can get ahead of a breach at the very beginning stages as opposed to something that's lingered on months. And then you know, the extent of the damage is much worse and then then you have third party liability that's coming into play. You know, they can reduce their risks and more costs if they're able to address it in the very early stages of the breach.

Speaker 1

And I'll follow up on that. Okay. Is that if I get brought in, if any of the attorneys get brought in and we weren't brought in at the very beginning and it has already come in and wiped the systems and tried to do everything they can to get that company back up and running, we are steps behind. Okay. Because that means that there's been a destruction of evidence.

I can't do the forensic investigation in order to rebut a presumption that there was PHI that had been compromised due to the ransomware. So that's, that's incredibly important. We need to be one of the first calls too. That's one of the first things that should be done is to go ahead, report it, get attorneys lined up so that you can get the forensics involved so they don't lose any of the evidence, any of the data.

And that we can actually go forward with the investigation and make sure that you're compliant with the regulations.

Speaker 4

Okay. Well great. Thank you very much Amanda. Appreciate your time today. That's Amanda Harvey, partner, law firm of Mullen Coughlin, and what's your website? Where can we find more information about you guys?

Speaker 1

Sure. You should check out www.mullen.law.

Speaker 4

Okay, great. On the worldwide web, and of course, Sebastian Swain. Where do people find you? See you're on the CRC Group website, right? They can do a search for you Subash ship.

Speaker 5

Absolutely.

Speaker 4

Absolutely, and we've got a nationwide network of brokers out there, so maybe if you're not around that area you want to work with somebody closer to home. You can definitely look up all of our brokers by region, by area at crcgroup.com and I should mention too, we also have a dedicated resource page, CRC group.com/ [inaudible] 19 for all the information about COVID-19 the that we're seeing all the different industry sectors we're seeing in all the different risks that are out there.

We've got a lot of white papers and resources up there and all the podcasts like this one as well. I thank you guys very much for joining us today. Until next time, have a have a great week.

Speaker 1

Thanks you too.

Speaker 5

Well, Dan, appreciate it.

Speaker 2

So, Placing You First podcast. As the situation with the coronavirus develops, impacting normal daily life, insureds across the country are in a state of uncertainty. CRC Group is committed to doing whatever we can to help you and your clients. At crcgroup.com we have a webpage specifically devoted to COVID-19 coronavirus.

It has all of our tools, Intel podcasts and industry leading white papers on the virus. Visit it today by clicking the link on our homepage or visiting CRC group.com/covid 19 and also keep up with us on LinkedIn. Do a company search for CRC Insurance Services and follow us there. We have a YouTube channel, look CRC Group, and also for the podcast. Make sure you hit that subscribe button so you never miss a new podcast entry. We appreciate you listening to the Placing You First. This

Speaker 6

podcast. We'll talk to you next time.

Transcript source: Provided by creator in RSS feed: download file