AI Wisdom Ep. 16: Managing Cyber Risk with a Remote Work Force

Digital Transformation, Insurance Industry News & Views - August 26 2020

On this episode of the “AI Wisdom – Talking Innovation in Insurance” podcast, host Ron Glozman speaks with Garrett Droege, Executive Director and CEO, TechAssure, about the importance of cyber insurance and how it plays an essential part in protecting a company’s remote work force, valuable data assets and infrastructure. Click the play button to listen or read the full transcript below.

Full Transcript

Ron Glozman: Hello, and welcome to “AI Wisdom – Talking Innovation in Insurance.” On this podcast, we talk to business and insurtech leaders about how artificial intelligence is transforming the way we buy and sell insurance. I'm your host Ron Glozman, Founder and CEO of Chisel AI, and a strong believer in the power of AI to help people work smart and enrich their lives. So, let's get into it.

Cyberattacks are no longer something that happens somewhere else or to someone else. New methods of cyberattacks continue to evolve. Cybercriminals are always lying in wait, honing their skills, and spinning their web of deceit for the next attack, whether it’s a ransomware attack, a data breach, a phishing email, or a malicious attack. Even with the best protection efforts in place, organizations can still be at risk and fall prey to these cyber menaces. I’m very pleased to have with us Garrett Droege, Executive Director and CEO, TechAssure, join me today as we discuss the importance of cyber insurance and how it plays an essential part in protecting a company’s remote workforce, which, as we all know, today is probably how most of us are working, and how to protect the valuable data assets and their infrastructure. Garrett, welcome. So pleased to have you here. Before we jump in, can you please introduce yourself?

Garrett: Sure. Thanks, Ron. My name is Garrett Droege. I am the Executive Director and CEO of TechAssure. TechAssure is a global network of insurance brokers that specialize in what we call tech risk. Obviously cyber is a major tech risk. We were founded in 2000 by some specialist brokers that wanted to have a regular dialogue with their peers and trading partners. Today we are a network of about 30 brokerages that all specialize in technology, life sciences, cyber risk, anything in the innovation ecosystem. We have members all over North and South America, as well as Europe, Southeast Asia, Australia. Prior to me leading TechAssure, I was a retail broker. I spent my entire retail career focused on tech and cyber risk.

Ron: That’s why we’re so happy to have you here today. So, let’s jump right into it. I think, you know, and maybe you have the statistics, cybercrime is increasing. I don’t think I’m wrong to say that in any means. And criminals are getting smarter and smarter. And we’re seeing more malicious scams come out over time. And, you know, I’ve heard this said before, as an engineer, like no matter how well you build a security system, if somebody wants to get into it, they’ll get into it. And we’ve seen that even companies like the Pentagon, which, you know, you would imagine as some of the most secure companies in the world, "company/government organization," still get hacked, and have data breaches, and leaks. And we’ve seen these attacks cost roughly $2,300 per victim in 2019, based on some statistics up about 10% or $200, over 4 years. What is your experience? And why is it so important for businesses of all sizes to protect themselves from cyber risks?

Garrett: Yeah, you know, I actually think those numbers may be low. Ransomware claims are already up 100% in Q1 of 2020, which is crazy. According to Coveware, the average paid ransomware in Q1 of this year was over $110,000.00, which, you know, you think back a few years ago, and we were seeing claims in the tens of thousands. You see seven-figure ransomware events all the time now, which was just not something that we used to see. You mentioned governments and there’s a great example with Baltimore. You know, they famously had a ransomware event, and the demand was $80,000 USD. And they chose to be heroes and not pay it. They also did not have cyber insurance, which would have very likely covered that claim. To date, I haven’t seen the latest figures, but late in 2019, they were over $18 million in remediation cost in restoring their systems. So, you know, not a good day in Maryland for them. Wrong choice. They have since purchased $20 million in cyber insurance. I know this because they issued a press release about it. So, I fully expect their next ransomware demand to be $20 million. I don’t know why they would ever advertise what they went out and bought because that’s just putting a big target on your back.

Ron: I was going to say I’m fairly certain at least, you know, based on a policy that we may or may not hold, we may or may not disclose the amount of that policy. So, I feel like they may actually be in breach there. But please go on.

Garrett: Yeah, I questioned the entire strategy from start to finish. You know, it’s not just large municipalities or big box stores. That’s a real problem. That’s what gets picked up in the news, you know, Target, Home Depot because it gives smaller companies a false sense of security, and they start to think that’s who’s getting targeted. And in actuality, 80% of cyber claims are for small to mid-sized businesses. Ransomware and social engineering claims account for the vast majority of those claims, especially in the last few years. So, yeah, it’s a matter of time.

Ron: And is that a percentage based on dollar value or simply number of claims?

Garrett: Well, it’s both. Yeah, you can look at the data for amounts paid as well as total number of claims. Larger companies, you know, not surprisingly, tend to face larger cyber events, but they’re also better equipped to manage them. So, the claims tend to be better controlled, the larger the company is, versus small companies, midsize companies. You know, a lot of them don’t even have in house IT departments. They don’t have strong cybersecurity policies in the first place. A lot of them don’t have cyber insurance. So, they get hit with a breach and they don’t even have the first idea what to do. That’s what causes the claims to spiral out of control and it causes them to make bad decisions, like, we’re not going to pay you this claim when it’s $80,000 versus $18 million. You know, I think you should have paid the claim.

Ron: That’s right. Hindsight, $18,080,000.

Garrett: Exactly.

Ron: So, when you think about excellence, when it comes to cyber risk management, what does that mean?

Garrett: It’s actually a hard thing to define because, as you said earlier, what’s excellent today is out of date tomorrow. You can have the latest and greatest technology, defense systems, and loopholes discovered, and it’s always discovered, and you’re hacked.

I’d say excellence in cyber risk management is a commitment to ongoing proactive measures that evolve rapidly. So, committing the time and resources to understand your industry’s risks, working with smart cybersecurity partners that are continuously monitoring the threat environment and tweaking, making changes along the way.

You know, being open-minded and not arrogant is pretty important. And a lot of companies have this false sense of security due to arrogance and ignorance.

Ron: I love that. And on the flip side, I’ve heard the saying, you know, do the crime, do the time. And that relates well to what you’re saying, which is, you know, you’ve got to stay up to the times. You’ve got to make sure that your systems are following best procedures. And, you know, I can name a few of them off the top of my head, but to your credit, that change is very rapid. And the best companies are the ones that change ideally, you know, on day zero. There’s zero-day exploit attacks and the best companies are the ones that patch those right away.

Garrett: One hundred percent.

Ron: So, let’s talk a little bit about the importance of and volumes of personal and corporate data that insurance companies specifically are collecting on a daily basis just due to the line of work that they do. How can brokers work with their clients to ensure that they have the appropriate safeguards in place to protect those valuable data assets?

Garrett: This isn’t going to be a popular answer, I don’t think. But I think most brokers are actually pretty bad at protecting their client data. You have too many people with their hands in the cookie jar in a brokerage. You know, some of the critical measures you can take to protect data, like segmentation and restricted access don’t exist in most brokerages because you’ve got producers, account managers, the finance department, you know, all needing access to client data. And, you know, a lot of times they don’t even know where that data resides. They assume it’s protected in the cloud, which, you know, is a problem for a lot of businesses. You get sold on a tech platform that, you know, this sales guy spits a bunch of tech jargon at you that makes you feel like it’s safe, it’s monitored, and everything’s protected because it’s up in the cloud. And, you know, the tech company knows you’re the liable party, not them. So, it’s on you to protect that data.

Unfortunately, a lot of agencies and brokerages just rely on their agency management systems and a firewall. And that’s a time bomb. It’s just a really bad approach, especially when you consider that financial services is actually one of the most targeted sectors for cybercrime.

So, fortifying your IT systems and protecting client data is essential for brokerages. It’s not easy. You have to work with a partner who understands that space and how to do that, but it’s not done well, I’ll say on average.

Ron: So, you know, it’s a little surprising to me as you were talking there because at least as an outside party because I work with the company, sorry, as a vendor but I’ve never actually been as you have been like a retail broker myself. But aren’t there, like, compliance and measures in place? Guidewire and Salesforce both come with compliance tracking and you can set access levels so that, yes, account managers need access. But, if it’s not an account that you manage, you shouldn’t have access to that set of accounts. All of that, like, technology exists to enforce it. So is it like they’re not purchasing the technology, which is one thing, they’re purchasing the technology but not correctly implementing it, which is partially what you were talking about with the sales example in the cloud implementation, or is it the third bucket, which is, like, they are doing it, but it’s still not enough?

Garrett: Yeah, I think they are not optimizing the systems that they have because to your point, yeah, the technology is available. It’s just it requires proper configuration and brokers are not... they’re very tech reluctant. I’ll probably talk about that in a little bit.

But it’s not something that they really understand very well in terms of setting up a lot of these procedures to properly limit exposure to data. A lot of times you have people working other people’s desks. There are legitimate reasons why you can’t set some security protocols that would, you know, only allow you to touch certain accounts. A lot of times, you have multiple people that get pulled in for one reason or another. There’s a claim. There’s a billing issue. I just think it’s the combination of not really optimizing their systems and not really understanding. Yeah, there are absolutely regulations and things that brokers have to comply with and certainly, things like HIPAA, HITECH, those are legitimate regulations to comply with. But I’ve worked in a retail broker and I currently work with a lot of broker partners. It’s just not an easy thing to do. I will say the larger the brokerage, the focus tends to be a little bit more...I guess they’re a little bit more committed to actually doing that. Smaller brokers just don’t have the bandwidth.

Ron: That’s a good way to look at it. It takes a lot to get some of these systems in place and it’s not a small task for anyone. So considering everything that’s happening right now – COVID-19 and the macroeconomic impacts and everybody working from home – companies are finding themselves in a unique position of needing to protect a primarily remote workforce, as well as their infrastructure from random and planned attacks. What safeguards can they actually be putting in place to combat these things?

Garrett: Yeah, it’s a huge problem right now. The FBI recently said that cybercrime quadrupled in April, which is clearly because of the work from home mandate that most companies had during April. And cybercriminals know that everyone’s working from home. And a lot of times using unencrypted devices that many times are out of date, easily hackable devices. And I think the smartest companies are providing constant training to their employees, what to look for in phishing emails, how to do system tests on their home networks, ensuring their home Wi-Fi is secure, their devices are all up to date, security patches run. Any device that’s hitting a company’s internal system needs to be scanned and checked to see if it’s been compromised. And, you know, here’s the opposite of what I was just describing. I think it’s pretty easy to do if you just have a few employees, but when you have thousands of employees all working from different environments, it’s really tough.

Things like remote desktop protocol, which is one of the top ways that criminals get into a company’s network and it’s also one of the ways that employees get on to their company network, that’s just a problem. 

So yeah, you really have to be proactive. The best companies that I know have partnered with cybersecurity companies that are doing this as a third-party service. So, they are requiring employees to check in sometimes on a weekly basis with this third-party and get re-verified because, you know, kids are grabbing iPads and downloading something from the App Store and suddenly, the iPad that dad uses to get into the office is compromised. So yes, you’ve got to stay diligent. You’ve got to constantly look for changes in the device, in the network.

Ron: That’s so true. When you know, little kids come on, I’ve read about this, especially with... In this particular instance, it was the Apple App Store and a game where a child got ahold of the parent’s iPad or whatever you may have and installed the game or the game was already pre-installed, and they played it, and they didn’t realize when they were buying those things that they were spending real money, and the bill was in the thousands of dollars. But, you know, that’s an example of, in some sense, something less malicious, sort of financially very costly, versus imagine a much worse case scenario, somebody doing that but also giving access to your phone and all the private sensitive information that’s on there to a malicious party. So, on the flip side, when you’re a purchaser of a cyber insurance policy, what are some of the top considerations you should be taking into mind?

Garrett: The thing to remember is that you’re not buying a personal auto policy. You know, where, again, some people will be angry that I’m framing it this way. But basically, insurance company A and insurance company B’s personal auto policy are essentially the same thing. They have the same language; they have the same insuring agreements. They’re very similar. They’re based off a standardized language that most companies use. With cyber insurance, each policy you get is completely unique.

There are literally hundreds of cyber insurance policies out in the marketplace, and none of them are the same. So, the terminology is different, the insuring agreements are different. Sometimes the claims triggers are different. So, unless you know what you’re doing, it’s the Wild West.

So, I think working with a broker that specializes in cyber is probably step one. You can’t work with someone who took a two-hour continuing education class on cyber and feels pretty good about their abilities. You need to work with a professional. So that’s one.

Two, get the right policy for your cyber risk profile. So, you know, credit card processing, for example, if that’s your major risk, if you’re a retailer, you need a policy with the most robust PCI insuring agreement available. It needs to be built specifically for you. Finally, I’d look at all of the preventative tools offered by the policy. Cyber is kind of cool this way. Instead of just getting a big boring stack of paper that you’re probably not going to read, you get that same stack of paper along with a set of pre- and post-breach services. So, you get specific law firms, access to draft, strong vendor contracts, pre-selected post-breach roadmaps. You know, some even offer actual cybersecurity tech platforms. So, things that sit on your network and bounce malicious IP addresses. So being very proactive. And, you know, the insurance company is giving you free protection services, which obviously helps you. It also helps them avoid cyber claims in the first place. So, it’s pretty neat that it comes with a set of tools and resources that actually help you prevent a claim from occurring in the first place.

Ron: So well put. Now many people might be wondering, what is silent cyber? It seems to be a very common word today.

Garrett: Shh, Ron, we don’t talk about silent cyber.

Ron: Shh, it’s the first rule of silent cyber, we don’t talk about silent cyber.

Garrett: Right. That’s a silent cyber dad joke. The problem is what it is. And basically, what it means is you have a non-cyber insurance policy, like a property policy that gets triggered by a cyber event. If hackers somehow get into internal control systems and cause actual physical damage to property, that’s something that the property insurance company likely never foresaw, never contemplated in their underwriting models. And, you know, cyber insurers don’t want to cover property any more than property insurers want to cover cyber. So, it can get really messy. And, you know, there are examples of silent cyber in all different types of commercial insurance policies, not just property, you know, general liability, D&O, crime, virtually every commercial policy has some element that there’s some concern about silent cyber. It’s the murkiness that makes insurers uncomfortable. They like black and white spelled out, so they know what to expect. In this case, it’s not explicitly covered, but it’s not explicitly excluded either. So, it’s a gray area. Some people you’ll hear it referred to as non-affirmative cyber. And I think that’s a little bit better. It’s a little bit clearer what you’re talking about.

But now what you’re seeing is a lot of insurers are revising coverage to specifically exclude cyber from your policies. So, you do need to check, you know, especially if that’s part of your cyber risk profile. So, manufacturers, for example, they have a high exposure to silent cyber risk in potentially property, general liability, and pollution. There’s a lot there. So you really need as an organization to go through your cyber risk profile and figure out which policy is going to respond in the event a system, you know, gets penetrated, if it’s from a cyber event, and who’s going to pick up and run with the claim? You need to know that before it happens because, you know, in the middle is a bad time to learn that both companies are going to point the finger at each other and deny the claim. And you’re left with potentially millions of dollars of uncovered claims.

Ron: That would be so scary. I don’t think anybody wants to get in that position.

Garrett: No. Bad day for sure.

Ron: So as the landscape continues to evolve over time, how can brokers better address the risks that affect them personally and their customers?

Garrett: I would say stay educated. You know, cyber insurance changes faster than any other product line in the industry. And being pretty good today is just not going to be good enough for tomorrow. So, stay educated or stay out of the way. Just don’t do it if you’re not committed to staying ahead of the curve. You know, it’s like insuring condominiums and HOAs. When I first got into the industry, I was told, “Avoid that at all costs, unless you’re going to really master it. And you either do it really well or you let the professionals do it.” There’s no dabbling. So, you know, if you’re going to do cyber, you have to read every single day about claims, about coverage, about the marketplace in general. I think there’s a resource called The Betterley Report and they produce an annual report on cyber, the market, the coverages. And I think it’s a great resource. You have to pay for the report, but they do an excellent job providing a complete market overview, detailed coverage comparisons. So, I think that’s a good way to stay educated.

I think also brokers need to go outside their typical go-to insurance carriers. Most brokers have two or three carriers that if it fits their box for underwriting, that’s who’s going to get the business because it’s just the ease of doing business with a handful of partners and trying to build up volume. But with cyber, you really need to understand the entire market because like I said, different companies are going to be better suited with different cyber insurers. So, you know, looking at London based markets that might offer you different coverage options that might be more suitable than domestic P&C carriers, or vice versa. So, you need to explore the entire market. Don’t just simply pick one market and place all of your cyber business there. Different markets for different clients.

Ron: Different markets for different clients. So, we’re going to take a quick 20-second break to tell you where you can find more information and insights about insurance innovation. We’ll be right back.

[If you liked this episode of AI Wisdom, subscribe to our blog, Writing the Future: AI in Commercial Insurance at www.chisel.ai/blog for feature articles, interviews, opinions, and more.]

We’re back with our featured guest, Garrett Droege. Let’s jump right into the next question. What trends do you think are going to have the biggest impact on the industry in the next little bit?

Garrett: Well, you know, we’re back to COVID again because I think COVID-19 is projected to have a dramatic effect on the insurance market. But, you know, we’re not going to know for some time to what degree. Rates were already up almost 15% in Q1 of this year. So, the rate increases people are seeing are not likely due to COVID yet. That’s been due to a trend over the past few years, the professional liability market, the D&O market. Rates are sky high, just due to litigation and a lot of factors there. Property rates are also rising very, very quickly. I’ve seen 100% increases multiple times this year, which, you know, obviously not ideal if you’re a property owner or a broker who has to deliver, you know, a policy that does exactly the same thing it did last year, but this year cost twice as much. And we’ll see whether COVID business interruption claims are covered, to what degree. That’s the thing to watch.

You know, I think if insurers were forced to pay all the business interruption claims from COVID, they all would go bankrupt. I mean, the industry would completely collapse.

So, it’s not really possible. But there’s likely some that are going to be on the hook for something. I think cyber rates are also something to watch. For a long time, cyber insurance has been just dirt cheap, comparatively speaking to other lines. It’s really been a deal. But with ransomware claims now getting into the millions, suddenly cyber insurers are starting to be more selective in underwriting. They’re not offering the capacity they used to even a couple of years ago. So, businesses should really start outlining their cybersecurity measures and highlighting their proactive risk management now. So, when they’re up for renewal, they have a solid renewal submission that they can give to a carrier to say, “Look, we understand the landscape’s changed, we’re doing everything we can to be a good insured, you know, be kind.”

Ron: I love that. We just had Dr. Robert Hartwig on the show a couple of weeks ago, who’s a very well-known economist, and he was sharing with us some of the staggering numbers.

You hit the nail on the head, the industry would be bankrupt if it was liable to pay all of these things because contractually, they never budgeted it into the cost of the premium. And so, if the court were to rule that the wording is not to be upheld as written, it would be catastrophic, at least for the industry.

So, let’s talk a little bit about AI because we believe AI is a game-changer for the insurance industry because it really enables companies to embrace automation. And at times like this when a lot of companies are realizing that processes where they have to file paperwork into a filing cabinet are no longer being able to be accomplished, you know, automation is the way forward. So, in your opinion, where do you feel like AI has the most or could have the most impact in the value chain?

Garrett: I think AI has the potential to be the biggest disruptor in the insurance industry. I think so many repetitive tasks, like, you know, policy checking, certificates of insurance management can just be easily done with AI. And as it gets smarter, AI can even be used to predict underwriting outcomes by forecasting losses based on hundreds of years of claims data and market trends in a way that no human could ever do that in real-time. So, you know, I also think claims is an interesting area for AI. Knowing how to manage claims most expeditiously will reduce cost overall, and lead to more favorable outcomes. And humans just slow the process down tremendously. We need time to gather the facts, interpret the data, consult with the team. I think AI could do a lot of that work in seconds. I think what Chisel is doing is really interesting.

The hypothesis that human error results in coverage mistakes is absolutely correct. AI can be taught the rules of policy checking and it’s not going to make those same mistakes.

So, I will say I’m not an advocate for AI to replace the entire industry or disrupt, you know, people’s livelihoods in that way. I think this is a people industry, no question. But I think people can and should use the best tools available. And I think AI and blockchain are right up there with what we can do. And yeah, I think it’s pretty cool.

Ron: Agreed. I don’t think people should be worried about it taking away their jobs. They should think about it as working hand-in-hand and figuring out the inefficiencies so that people can get some time back to work on the things that really matter.

Garrett: Absolutely.

Ron: So, as we wrap up, what is one piece of wisdom that you would give to the listeners? And the context for this question is this doesn’t necessarily have to be business-related. It doesn’t have to be insurance related. You know, anything that’s top of mind that you’ve been thinking about that you’d like to share, we’d love to hear it.

Garrett: Well, you know, I’m not sure I’m the Elon Musk of the insurance world. But I’ll say this, I think it’s a really exciting time for the innovators. I think COVID made us all look at the systems in place, all of them in every industry and in society, in general, and realize, you know, how broken many of those were. And I think the innovators out there are going to find ways to strengthen those weaknesses and build a better future.

I don’t think we’re going back to how things were. I think we’re going to come out of this with a better understanding of what’s important and how to do things more efficiently.

I think we’ll all be better at Zoom meetings for sure. And that’s a plus. I think it’s given time to the innovators to go and build and tinker. You know, pre-COVID, we were all so busy. I was traveling every other week, at least. And I didn’t have time to build anything. But since March, I’ve built a new website, I’ve built a mobile app, I’ve built a tech insurance benchmarking database. I mean, these projects would have dragged out all year, but we got it done in two months. So, I’m confident there’s some very smart people working away in their garages on something better right now. So, I’m optimistic. I mean, I think the next few months may be rough, but I think we’re going to come out of it stronger, smarter, and more aware of the world that we wanna live in than ever before. Certainly, more so than any point in my lifetime. So yeah, let’s end it there on a super positive note.

Ron: Love it. So, on that note, Garrett, if people wanna find out more about you, TechAssure, stay up to date, where can they find you?

Garrett: The best place would be the website – www.techassure.org. And you can find our members there, and find out about our organization, and the mission, and everything. So, Ron, thanks for having me on.

Ron: My pleasure. And as always, you can find out more about Chisel on our website, www.chisel.ai, find us @ChiselAI on LinkedIn, on Facebook, and of course, wherever you might be listening to this. Thank you and hope everybody stays safe.

That’s a wrap for this episode of “AI Wisdom” hosted by Chisel AI and me, Ron Glozman. Thanks for listening.

If you like our podcast and want to hear more, check us out at www.chisel.ai or tune in and subscribe wherever you get your podcasts: SoundCloud, Spotify, iTunes, Google Podcast, or Stitcher.

Join us next time for more expert insights and straight talk on how AI and insurtech innovations are transforming the insurance value chain. See you on the next episode!
