PLUS Podcast

The Precipice Episode 2

PLUS Season 1 Episode 2

Introducing “The Precipice,” the podcast series dedicated to illuminating the horizon of management and professional liability. Featuring conversations with professional liability claims and underwriting executives, experts, ethicists, and leading lawyers involved in the prosecution and defense of management and professional liability claims, each episode offers a deep dive into what is in view, what’s around the corner, and what is looming on the horizon with regard to management and professional liability risks. From risks presented by rapidly emerging technological advancements shaping how we live our lives and interact with professionals, to evolving expectations of the roles and responsibility of management and liability professionals, to changing social mores and shifting legal landscapes, we will offer provocative discussions regarding what’s next, and offer listeners proactive strategies for managing these emerging risks, and defending the coming claims.

Episode 2 of The Precipice explores the rapidly evolving and expanding cyber liability risks we face, how these constantly evolving risks are impacting society at large, the mind-boggling costs of dealing with the impacts of cyber-crime, and how the volatile risk exposure presented is being addressed by the cyber insurance community. In the course of a thoughtful and illuminating discussion of where this is all heading with two leading national cyber liability experts, listeners will be provided with insights on the history and evolution of cyber coverage. They will also be provided with an insider’s view on how cyber underwriting and coverages are responding to the continuing evolution and ever-growing scale of the risks. And they will be offered guidance on what can be done to try to manage and mitigate the risk, along with a peek into the future regarding where we can anticipate things moving both with respect to the nature of the risk and the insurance options that will be available to address it, in the years ahead.

PLUS Staff: [00:00:00] Welcome to this PLUS podcast, the Precipice. Before we get started, we would like to remind everyone that the information and opinions expressed by our speakers today are their own, and do not necessarily represent the views of their employers, or of PLUS. The contents of these materials may not be relied upon as legal advice.

And with that, I'd like to introduce each of our speakers. We'll start with our host. Peter Biging is Partner at Goldberg Segalla, LLP. Peter is an accomplished trial and appellate attorney with more than 30 years of experience as a litigator in the state and federal courts of New York. His practice focuses on litigation involving directors and officers, financial institutions and defense of management and professional liability claims, including the defense of a variety of professionals against errors and omissions claims, labor and employment practices litigation, commercial litigation, municipal liability litigation, and professional liability coverage work.

His work as a litigator includes defending a variety of financial service professionals, including insurance agents and brokers, investment advisers, accountants, broker-dealers and their registered representatives. He also regularly represents lawyers, real estate and title agents, and a variety of miscellaneous professionals. Peter regularly handles complex, high-stakes commercial litigations and claims involving allegations of fraud or malfeasance, as well as litigations of non-solicitation/non-compete disputes. 

A partner in the firm's Manhattan offices, he heads up the Goldberg Segalla metro area Management and Professional Liability practice, and is Co-chair of the M&PL practice group nationally. Peter is widely recognized as an authority on D&O, management and professional liability, E&O, EPL, and professional liability coverage issues. 

He is regularly recognized as a New York metro area Super Lawyer in Professional Liability Defense, is AV rated by Martindale Hubbell as having the highest levels of skill and integrity, and has been [00:02:00] selected a Top 100 Bet the Company Litigator. 

Our first guest, Kelly Geary, is a Managing Principal with EPIC Insurance Brokers and Consultants based in the New York City area. She serves as the National Practice Leader for Professional, Executive & Cyber Solutions. Kelly also serves as the Divisional Leader for Lemme, a Division of EPIC.

Kelly has spent approximately 30 years in the insurance industry.  She began her career as an insurance defense and coverage attorney in the professional lines space in New York City. After private practice, Kelly held positions within the claims, underwriting, compliance and legal departments at various NYC based insurance carriers with a focus on professional, specialty and financial lines insurance products.  Kelly also served on the Executive Leadership Team for a Specialty Lines Division of a larger insurance carrier. While on the carrier side, Kelly acquired significant experience evaluating cyber and executive risks and developing insurance products to address those [00:03:00] risks.   

Kelly is actively involved in the evaluation, analysis, and negotiation of insurance products tailored to address operational, management and cyber risks and exposures to firms and companies of all sizes, across all industry segments. In addition, Kelly provides risk management counseling, policy and contract evaluation services and claim advocacy to professional service, consulting and financial firms as well as large public and private companies in varying industry verticals.    

She is licensed to practice law in the State of New York and is certified by the International Association of Privacy Professionals as a U.S. Information Privacy Professional (CIPP/US). Kelly also serves on the Executive Council and a Faculty Member of the Claims Litigation Management Alliance Claims College, School of Cyber. Students of the School of Cyber are claims professionals from major insurance carriers offering cyber insurance products. Kelly is involved in creating standards and best practices in the handling of cyber claims in connection with stand-alone cyber as well as cyber coverage contained within other insurance products.  Kelly is also a certified Cyber Claims Professional (CCP) and Advance Claims Professional (ACP).

And our final guest is Nick Spano, U.S. Product Leader, Turnkey Reinsurance of Beazley. With 18 years of experience in Professional Liability, Nick has participated in the development, execution, growth and maintenance of insurance products and programs nationwide in a variety of industries. As an industry leading global reinsurer, Beazley's Product Solutions division enables insurance providers across the globe to expand their product offerings to include specialty covers like Cyber Liability, EPLI, Environmental, and Workplace Violence.


Nick is a 2005 graduate from the University of Illinois at Urbana Champaign and is an active member of PLUS and the Professional Liability Defense Federation.

And with that, I'd like to turn it over to our host, Peter Biging.

Peter Biging: Hello again, and welcome to Episode 2 of the [00:05:00] Precipice, the podcast devoted to discussing what's coming next in terms of management and professional liability, cyber and D&O risks.

On today's episode, we're going to discuss the evolving cyber liability risks and the new threats presented, how cyber insurance has evolved and continues to evolve, how insurers are adapting to the changes, misconceptions about what is and isn't covered, and what is on the horizon, both in terms of the threat risks presented, the available coverages and their limitations, how underwriters are dealing with the evolving risks, and how they can be anticipated to modify their underwriting requirements and practices moving forward. How the changes in cyber risks and changes in cyber coverages are impacting other coverages, and the increasing risks to professionals presented by these developments and more.

My guests for today's episode are Kelly Geary and Nick Spano. I'm looking forward to this conversation very much. I want to get the [00:06:00] conversation started by offering some statistics. This is a crazy area of industry that you're involved in. I find it amazing that you're so up to date on what is a constantly evolving set of standards and issues and policy language.

I've enjoyed talking to you guys in the past about this, and I really am looking forward to this conversation for the Precipice. To get things started, let me start off with offering some statistics to try and set the stage. Some of these I found just mind boggling. According to Statista, the global cost of cyber crime is expected to surge in the next four years, rising from 9.22 trillion in 2024 to 13.82 trillion by 2028.

The amount of data in the world is expected to reach 175 zettabytes by next year. That's the number 175 followed by 21 zeros. This data includes everything [00:07:00] from information contained on document management systems, and email accounts to healthcare data, to all manner of data collected and stored regarding clients, business strategies, trade secrets, and business operations.

With the ever increasing power of computers to store, sift through, organize, and make sense of all this data, literally just about everything on this planet is run through some kind of computer operation. And with the accelerated move to either hybrid or entirely remote environments, just about everybody everywhere is connected to, or capable of connecting to business operations at any time of the day, seven days a week.

And when we aren't doing business, we're connected in our personal lives. The Skybox Security 2023 Vulnerability and Threat Trends Report reported a 25 percent year over year increase from 2021 to 2022 in the number of new vulnerabilities in the U.S. government's National [00:08:00] Vulnerability Database.

At an October 18, 2023 digital press briefing given by Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, she cited to FBI and IMF data, leading the government to believe that the annual cost of cybercrime is expected to soar from 8.4 trillion dollars in 2022 to more than 23 trillion dollars in 2027. According to research presented in the Javelin Strategy and Research 2024 Identity Fraud Study, American adults lost a total of 43 billion dollars to identity fraud in 2023.

According to the IBM Cost of Data Breach Report 2023, it takes an average of 277 days for security teams to identify and contain a data breach. The global average cost of a data breach in [00:09:00] 2023 was 4.45 million dollars, a 15 percent increase over three years.

In the U.S. the average cost is actually 5.09 million dollars. When remote work is a factor in causing a data breach, the average cost is 173,074 higher. In a USA Today article published on March 27, 2024, it was noted that according to Ipsos, almost one in three Americans fell victim to online financial fraud in 2023.

Looking specifically at ransomware, I note that according to Statista, globally, 72.7 percent of all organizations fell prey to a ransomware attack in 2023. According to Cybersecurity Ventures, ransomware costs are projected to reach around 265 billion dollars annually by 2031, up from just 20 billion, just 20 billion in 2021. [00:10:00] And lastly, I note that in a Forbes Advisor article published on February 28, 2024, it was noted that 2023 saw a 72 percent increase in data breaches since 2021; 94 percent of organizations have reported email security incidents. And in 2023, there were 343 million victims of cyber attacks.

All right. Now that I hopefully scared the bejesus out of everybody who's listening to this, let's start our conversation, shall we? First let me ask you both, what do these statistics tell you?

Kelly Geary: I can chime in first. I, to me, what this really says is that cybercrime is big business, right?

Cybercrime has evolved in the last ten years or so, certainly, maybe a little bit longer, into a highly mature and profitable business. And I think Peter, you pointed to this earlier, the more we rely on technology to [00:11:00] operate professionally and personally in our personal lives, professional lives, the more vulnerable we become.

And I think that, the financial motivation behind some of these particular scams, it's just so high and the ability to really track the criminals is just not there yet anyway. And I think as a result, we're going to see continuing numbers and statistics like you've just described, Peter.

Nick Spano: Yeah, absolutely, Kelly. And the size of these numbers, Peter, that you're mentioning, are astronomical. Was it zetta? At one point you threw out a prefix too, was it 21 zeros that was in there?

Peter Biging: Zettabytes, yeah, zettabytes.

Nick Spano: Yeah, my brain literally cannot comprehend the size that we're talking about there.

But that also leads us into, I think one of the fallacies of the issues that we face in the cyber market is that when we see things this large, it tends to be thought that some of the bigger risk and the bigger exposure are happening in large corporations, multi-network international type organizations [00:12:00] are the targets of all these cyber threats.

And I mean what Kelly just hit it on, it's impacting individuals on an everyday basis. There is no anonymity on the Internet. So the fact that you might be working with or representing a small, retail shop organization in a remote location here in the United States, you're on the same Internet that large international corporation is, and you've got the same amount of potential exposure to these threat actors.

They have found a way to not only just monetize the large, multimillion dollar ransomware extortion things that we've seen in trade publications and the news and all that kind of popping up on a regular basis, but they have also found a way to turn these into almost grassroots fundraising campaigns where they are able to attack and extract meaningful financial sums from organizations of all shapes and sizes. We're seeing it even heading into individual personal exposure. Individuals need to start thinking about how they themselves are protecting their [00:13:00] identity and not necessarily relying completely on someone else stepping in and doing that helpful work for them.

And what kind of impact that has not just on the commercial insurance side of things, but also, personal lines policies. Is this the kind of exposure that needs to start being directly addressed by something like a renter's policy or a homeowner's policy because there's no denying, it's one of the top exposures that everybody is going to face here in the future. 

Peter Biging: Yeah, it's funny, you tell me this, I get, I'm getting paranoid about everything, every email I get and I, and our firm is, trying to foster that, they're constantly sending us fake phishing emails to try and get us to be paranoid, but, you get some kind of a fraud alert and I'm like, I'm not going to respond to that.

I'm going to pull out my credit card and call the number on the back of my credit card. But then you hear about things like the fact that you mentioned Nick that the internet, you're not anonymous. You hear that now that there's AI that can recreate vocal [00:14:00] intonations, recreate people's voices from just a snippet of voice content they pull on the internet, and jeez, I'm all over the internet. We're all going to be on it now after this is done. And then they can find your faces. There's stuff that's going to be able to find your faces, even in crowds at concerts and things like that. And then you've got the AI creating deep fakes, it's just mind bogglingly scary to me, and you guys have to insure this, which is just it blows my mind.

So having said that, what do you guys see as the most significant cyber threats today and why? And then my second part of that is, how does your assessment compare to say three to five years ago? 

Kelly Geary: I think you hit on it there, Peter, before. I think that from my perspective, I'm very closely watching AI, generative AI, and the impact that will have on cybercrime.

I think that changes the threat landscape quite a bit. And, how [00:15:00] we can manage that risk as organizations, to Nick's point, regardless of how large of an organization you are, or as individuals, how do we manage, or generative AI powered attacks? Whether it's deep fake audio or video I think it's going to be a real challenge for us as individuals, us, corporations, but also from an insurance perspective. How do we define it?

How do we manage it? How do we price for the increase in risk? If there really is an increase in risk, which I believe there is, that's the challenge, I think. And I think with the five years ago, difference from five years ago, I would say that generative AI was not as much of a player five years ago.

And so I do think that is going to change the severity, sophistication and frequency, perhaps, of all sorts of different types of cyber criminal attacks. 

Nick Spano: Absolutely. One of the things that really drew me into, having cyber be a big part of my practice and focus here is the dynamic nature [00:16:00] of the industry across the board.

The world it feels is moving at a clip much faster and changing quicker than ever to it. And cyber insurance to react to that has to be equally as nimble, throughout the entirety of that process. When Kelly mentions, AI as being one of the great threats that we need to look at and protect against going forward, it's equally important to realize that we need to be open minded to the benefits that AI is going to be able to provide to the cyber industry across the board from better underwriting decisions from better preemptive risk management that can be afforded and provided to people. We want to make sure that we're not relying on saying this is the way things were done and we need to just replicate that and continue to carry it on. We need to make that promise almost as an industry of saying we don't know everything. We need to keep that level of curiosity to figure out this is a threat. How can we address it?

Is there a way to take almost the same vector that's causing this change and use it as a [00:17:00] mechanism for good? And it requires there to be a huge level of communication throughout the entirety of kind of the insurance cycle for cyber cover. I sit on the reinsurance side, so I get a great, high level portfolio based overview of where trends and that might be coming, but I don't get a lot of one on one time directly with your policy holders.

And hearing from them, not only about the threats that they're seeing in that, but how they've personally benefited from, proper advice from an expert like Kelly, or the benefits provided to them through claim services that we can make sure that we are constantly adapting that cover. And it's really just going to have to be focused on maintaining that level of communication.

The level of communication we had, you know, starting in 2019 and onwards, the past five years, I think has been critical for the cyber industry to properly respond to the mass amount of changes. I think we can all agree for a number of reasons, 2019 seems like it was maybe ten years ago, if not only [00:18:00] five, if not longer from it.

The whole threat landscape changed, Peter, to that point you mentioned. I don't think anyone ever imagined the level of flexibility, remoteness that we've introduced into kind of our everyday working. And again, there are tangible, wonderful benefits that add to it. We have to be honest that that flexibility did come with a cost.

It did come with an increased exposure to it. And, the way that we need to make sure that we're handling things in the future is, again, just keeping that open mind. Because the world's going to be very different five years from now. And I don't think anybody should have the comfort level of saying they know where it's heading towards.

And we just need to keep that open and honest. 

Kelly Geary: I do think it's very important that we embrace the new technology. 

Nick Spano: Absolutely. 

Kelly Geary: It can do a lot of good, right? And I think when I am dealing with clients directly, organizations, again, in varying different industry verticals, different sizes, that is the challenge, right?

The challenge is, we want to utilize this new emerging technology to increase [00:19:00] our efficiencies and productivities and, financially, profitability and things of that sort. But we're very nervous about what that means on the other side in terms of the risk. And I think that is definitively the challenge and your point about the products, the cyber products having to evolve at a much more rapid rate than other insurance products, perhaps because of that, right? It's chasing the risk, which becomes so challenging, I think, for the insurance industry in particular.

Peter Biging: Yeah. It's funny, when I talk to people about the insurance industry, I remember reading once where somebody described it as a legalized gambling, right?

But it's legalized gambling, which has a code, or at least had a code. You could look and you could see hundreds of years of data, actuarial data, that would give you trends and understandings of things. You're in a field that doesn't have that history and it's constantly evolving. It seems like it's particularly a [00:20:00] treacherous and difficult area of insurance to grasp hold of. 

Kelly Geary: It definitely is because as the trend solidifies, say, in year one, by year two, the threat landscape has evolved and changed. So you can't even rely on year one's data or trend, right? Because it has changed and moved. And then the policies have changed and moved.

So it is very difficult, I think, for claims professionals. Also if I draw back on my claims days, because there's no predictability with respect to how coverage will be interpreted because the policies are constantly changing the policy wording is changing pretty frequently as well.

Nick Spano: And I was just going to push back a little bit and I've heard it throughout my career as well of insurance being legalized gambling and all that to it. And, there is a lot more methodology and that to it and I think as an industry, are we in the risk business? Yes. Is the risk in everything that we do?

Absolutely. But we are still able even [00:21:00] with the threat landscape changing and the need to be nimble and respond to a change. There are still a lot of historical lessons from portfolio management from other product lines from the insurance industry as a whole that we can still properly deploy and help manage that future for cyber liability.

The idea of a cat exposure is nothing new when it comes to property insurance, for example. And so we are able to use similar modeling that we've done for 100 plus years when it comes to aggregate exposures and properly apply that to the cyber liability risks to ensure that there is some comfort, there is some stability in regards to where we feel in the aggregate, the industry in that stands and where it can grow to be. And, we've seen just in recently or the past couple of years, some meaningful kind of shifts and changes in the marketplace to again, more directly address kind of the catastrophic risk exposure and make [00:22:00] sure that we're properly applying that going forward.

Peter Biging: All right. So I mentioned a couple of newer risks, like we were talking about AI. I remember reading a I think it was a Lloyd's of London study about the risk assessment. This may have been actually last year. And they were talking about some of the things they're most concerned about. And two, I think caught my eye.

One was like embedded malware that has been lying silent. In my mind's eye, I view it as War of the Worlds, where they sent these probes down and there's these robots sitting onto the earth, just waiting to be activated, number one. And then number two, they talked about just the speed of computing. You've got these heavy encryption and then the concern is that they can just brute force their way through that with faster computing.

So what do you guys see as the greatest or most problematic emerging threats and are they the same thing or are they something different? 

Nick Spano: One of the things that I think is important for us to [00:23:00] keep promoting in this marketplace is that technology advancement is going to have positives and negatives to it. Every time it is that cat and mouse game of trying to use cyber security and technology advancements to protect businesses as that same technology is being used in advance to try and attack businesses.

So that's always going to exist, but what I want to make sure that we're still promoting, is there are very simple risk management tips and habits that organizations from large international corporations down to small mom and pop shops can implement into their organization that no matter how much the technology changes and updates are still very applicable to it.

And I am fearful that as we become more and more reliant on technology to handle these things for us and be more, yeah, creative in protecting us of it that we might lose sight of at the end of the day, Peter, what you mentioned earlier is still one of the most important things.

Be [00:24:00] curious, wonder, if you get something that seems unique or someone is engaging with you, and even if it seems slightly off kilter, that is something that should be thought of and questioned. And that's why it's just so important, minimally on an annual basis, if not quarterly. Frankly, probably even as this threat landscape grows on a monthly basis, organizations should be doing some sort of training with their employees saying, "Hey, this is the threat landscape that's out there.

These are simple things you can do about pointing into an email and how to check where the email address is originating from, they can spoof so that it looks like it's coming from an internal source. You hover your mouse over it and it shows you that it's actually been sent from a third party website to it."

So I want to make sure that we are still promoting the fact that there are very simple tools that all organizations can use to combat what can be a very high tech, complex kind of exposure and we can't lose sight of that. We have to continue to promote, ask [00:25:00] questions, be mindful and just, at the end of the day, don't automatically trust that everything is exactly as it appears. 

Kelly Geary: I think one of the things that I see in talking to organizations is I think the emerging technology as we talked about before is improving efficiencies for organizations, right? It's making them able to do things quicker, faster, more accurately, perhaps. But what that does, or has done, I think is really put a huge focus on customer service and being really focused on providing speedy sort of responses and things of that sort, regardless of what industry you're in. And I think that is at odds with what you've just described to some extent, Nick, is I do think organizations by and large, anyone certainly with a cyber insurance policy is doing some sort of training because they're required to essentially.

How frequent that training is, I don't know. But I think it's, at the end of the day it's hacking the human, right? It's getting to the [00:26:00] person who just wants to provide a response as quickly as possible. And they've been trained, but they're still going to try to be responsive to whether it's an internal person that's being spoofed or external client or vendor or something along those lines.

I think that's one of the biggest problems is the biggest vulnerability is the individual as a human making the mistake. 

Nick Spano: Yeah, at the end of the day, the fraud that companies are facing aren't really that different than the fraudulent attempts that were done 40, 50 years ago before the technology. It's again, threat actors using these advancements to do the same kind of spoofing and, this general fraudulent activities they were doing over telemarketing before that, or, through scam letters, even, through that. Criminals the more they change, the more that they happen to really just be staying the same, trying to exploit the same human aspects that have, effectively plagued businesses for hundreds of years.

Peter Biging: All right. So I don't know, you may have answered this already, but let me [00:27:00] ask it. Cause I, I remember we talked a little bit about the history as we're prepping for this. Nick, can you give me a little bit of a history on where things started in terms of how the insurance industry has dealt with the changing cyber risks and how they've dealt with the changing risks over time, and how you see insurers reacting to the new threat environment. 

Nick Spano: Yeah. One of the biggest curses I'd say that cyber liability has is frankly just the name in itself. It got called cyber liability because in the nineties, the question was raised as organizations started connecting computers net together over this newfangled internet.

What happens if my computer system causes damages to someone else's computer system? The question was raised, can we be sued for that action? And because it's America, of course you can be sued if you cause damage to somebody else. And, the first insuring agreements, which are still very much in the policies today, were traditional liability insuring agreements.

Something in [00:28:00] your ownership and control caused damage to somebody else and you got sued from it. And it was that very traditional general liability kind of exposure specific to those industries that we're adapting to cyber technology across the board now. The policy over the past 30 years from there has changed fairly radically.

We, as you mentioned, Peter, there's so much more data and information being collected and that really started to get turbocharged probably in the late 90s. And we saw a high level of government regulation, both at the federal down to the state to individual industry regulatory bodies saying you can collect this data and information and you can use it, but we're going to make sure that if you're taking in this personally identifiable information, you need to protect it. You're going to have a custodial duty to it. And that's really what started the next generation of the modern cyber liability policy. It's not just the liability question. What causes the damage to it?

But what happens if [00:29:00] my library of customer employee market data and information were to get hacked and it was no longer in that care custody control? And that's when the breach response insuring agreements really started to get added to it. And it took an insurance policy that was very reactive. I caused damage and I got sued, and it turned it into a much more proactive.

We are literally in the middle of a breach and the cyber liability policy needs to kick in and start providing services right away to it. And that's really where I think it became a necessary part of every organization's toolkit, because those services that come into play immediately are probably one of, if not the most meaningful aspect of a cyber liability insurance policy, and that continued to grow into the addition of additional first party insuring agreements. The most visible in this day and age are the cyber extortion ones but it's also, we've seen an increase in what Beazley calls [00:30:00] e-crime, other organizations call social engineering, or these financial crime insuring agreements that have become effectively table stakes in the vast majority of cyber policies in this day and age.

And it's that access to claim services that start on day zero. It's that once you report that insurance claim, you're going to start immediately getting access to specialty vendors, support services, claim services that are going to help your organization navigate through those rough waters and add to it.

And at the end of the day, that to me is the biggest peace of mind that cyber provides. It's not the indemnity that comes at the end to it. Although, trust me, it is very helpful for that reimbursement or that remuneration for that claim dollars. But it's that when your organization goes through one of these events and based upon the frequency stuff that we've already talked on, it's not a matter of if, it's when your company needs to go through or is going to be going through one of these events.

By having a cyber liability policy, you've got experts that are going to help walk you [00:31:00] through that entirety of the process and get your business back to doing what it wants to be doing, servicing its customers, generating revenue, moving things forward, not dealing with how to put the pieces all back together.

And that liability part, it's still in the name, but really the star of the show, in my opinion, is those immediate benefits and services that the policy brings to the policy holder. 

Kelly Geary: And I would agree with that. I think that from my perspective, that is how we talk to our clients about cyber insurance is the real value is in those sort of immediate breach response or crisis management type services that the markets will offer. Because it is a true crisis event, and I've seen a lot of very sophisticated, educated GCs and risk managers panic when there's a ransomware attack and not really know what to do.

And I think, unfortunately, people are becoming a little bit more familiar with what to do, but because as we get [00:32:00] more frequent attacks and organizations now have been through many of them have been through one or two or three or more than that, at this point. So there is real value in cyber insurance, I think, from that perspective, for sure.

Nick Spano: I assume a big part of what you're dealing with on a day to day basis is trying to get the organizations of all shapes and sizes, not only comfortable with, there is a meaningful difference between not having any cyber cover and have at least having some version of cyber coverage, helping address it, but also just the amount of cover that people need and the organizations need.

One of the things that we face as an industry is this isn't like property where there's an ISO policy form that every organization can point to and be like this is the market standard when it comes to cover. These policies from even the most meaningful players in the cyber liability market are quite nuanced and they are not standardized when it comes to vocabulary and language and that to it.

And, [00:33:00] Kelly, I know does a great job for her clients and explaining that nuance and, going through the importance level of definitions in the policy and ensuring that everybody in that chain understands really what the intent of the policy is, just because, both policy forms might have the word computer systems, it can mean something wildly different depending on whose policy form you're reading.

Kelly Geary: No, it definitively is very challenging from that perspective because the scope of coverage does vary very greatly based on the way that the carrier defines certain terms and it can be, to your point, Nick, very nuanced and technical in some ways that if you're not really immersed in the cyber world and understanding the different ways that a carrier might define computer network or computer system you would look at it quickly and think, "Oh, yeah, it, it covers it." Or, "it's the same."

And it's not an apples to apples of a comparison when you're talking about coverage that way. And I think the other thing I'll touch on that you brought up, which is a good point, is [00:34:00] the whole idea of benchmarking. We have a lot of a lot of clients that will ask us, how much cyber insurance should I buy?

What are my peer firms or my peer companies buying? And it's really I think, this is borrowed from other lines of insurance where you have benchmarking data and you can say, companies of this size are buying this much and limit. And it really is it. We can't do that for cyber.

Cyber insurance does not lend itself to benchmarking in the traditional sense. We approach it as risk modeling. So we go through an exercise where we look specifically, first of all, at your business interruption loss, because that's really what you've got to think about. If you're hit with a ransomware attack and your business is down for 10 days or 25 days, what is that going to mean for you financially?

Because business interruption or business income loss is one of the coverages that is provided traditionally by most carriers. So we look at that as the sort of base and then we look at [00:35:00] risk appetite and some other controls and things of that sort to try to help clients pick the right limit.

Peter Biging: Kelly, I had the good fortune to be able to utilize you as an expert in a case last year and involved, a broker being alleged to have failed to advise as to a particularly, a very wealthy individual about cyber coverages available and one of the defenses you can make is, "hey, that coverage just wouldn't have been available or there would have been a high self insured retention or there would have been sub-limited."

And it got me thinking, Nick was talking about table stakes, but I imagine just from that, maybe it's just limited to the personal lines, but I had the experience with you that we found that there were very limited options for certain types of coverages. Like personal lines, cyber-related, social engineering issues so I guess my question is you're always marketing for your [00:36:00] clients about a variety of coverages, do you see insurers reacting to certain aspects of this new threat environment in a way that's limiting or presents challenges in terms of providing the coverage that you're looking for your clients and as consumers, we would be looking for. 

Kelly Geary: Yeah, I think that, we see, and I think we touched on this before. We do see new endorsements pop up pretty frequently in the cyber space. The cyber markets are reactive to the risk, right? So when we saw the SolarWinds attack, for example, all of a sudden, you had SolarWinds questionnaires asking the potential insured what was their exposure to that particular systemic attack. And, right now one of the things that we're watching very closely is AI, or generative AI, and tweaks to policy language that address that as a risk.

We have seen a couple of markets that are changing definitions of security event [00:37:00] to include AI security event, or tweaking the language in such a way that it is more affirmatively addressing that particular risk within the policy. And sometimes that can be considered a clarification.

And in some instances, when I look at it from the standpoint of, if you're adding a definition that wasn't there before, it might be considered a narrowing of coverage, right? So you have to really evaluate that very carefully. And then also to your question, Peter, I think that certain markets are concerned about different industry classes of business and won't offer certain things depending on the industry vertical, whether it's a law firm or health care entity.

Those differences could impact what is offered, what coverage is standardly offered. 

Nick Spano: Yeah. And bringing up the industries, it reminds me of a threat that we really haven't touched on yet, but I think is going to be something over the next couple of years that everyone in the cyber food chain has [00:38:00] to be mindful of.

And that's the changes to potential regulatory exposure that organizations are going to face. Healthcare being an industry, it has very specific rules and regulations when it comes to the collection and protection of patient health information, which, since, Cyber has been, modernized to this point, is probably one of the biggest pieces of sensitive information that threat actors attempt to go after in that, but as new regulations in that get passed both federal state local levels in regards to, the use of AI and what can be done in that to it.

We also be mindful of the reinterpretations or new interpretations of old and existing statutes as it comes to what the data protection laws or the cyber liability exposure are. We've seen data issues be forced to run afoul of wiretapping statutes that were put on the books 40, 50 years ago.

It's, the regulatory picture is going to have to be one that we are keenly aware of going forward because [00:39:00] it can just take one incident or one bit of case law getting put onto the books that can have a pretty quick, widespread, kind of impact on the entirety of portfolios or the risks that individual insureds themselves are facing. So I think we just have to make sure that we are keeping our ear to the ground to what are potential litigations that might be coming. 

Peter Biging: So, you mentioned classes, insurers looking at particular classes, and I guess being mindful of that in terms of their underwriting.

Do you see underwriters giving any greater consideration to any other particular aspects of insured's handling of things that could lead to cyber risks?

Kelly Geary: I think that, generally, there's obviously the underwriting process as a general proposition. So there's a lot of questions that are being asked in the underwriting process, and I think, obviously, the network security controls and the data privacy, the attention to data privacy.

It [00:40:00] is all important when you're talking about potential risk and trying to have the underwriter evaluate that risk, I would say that what we try to tell our clients today is, what we want, what you want to do is put together a picture that demonstrates a true commitment to network security and data privacy.

And paint that picture and tell that story to the insurance carriers, that is going to best position you for the best possible terms and conditions in your cyber insurance placement.

Nick Spano: As the threat landscape changes. I think those industries that are going to be labeled as more sensitive than others is going to shift and change with it.

Going into the 2000s, manufacturing risks for cyber liability were towards the bottom. It was considered fairly low hazard. They were collecting, maybe some payment information from, customers and vendors and things of that nature. When the first party insuring agreements became more and [00:41:00] more of the driver of loss to it, we did see manufacturing portfolios really start becoming one of the more highly impacted classes of business towards it.

With everything that was going on with the supply chain crisis from a few years back, it was an industry that was under an immense amount of stress for a number of reasons and threat actors use that to their advantage, knowing that organizations that were already on tight deadlines and could not stomach a delay of any kind brought to it.

We're probably going to be more likely to want to make a ransom payment quickly and without much issue and questions than that to it. You know that industries that you know are going to be under scrutiny, that is something that's going to be you know a moving target as the threat actors kind of change not only who they're targeting, but what kind of targets and what kind of tools they're going to use to deploy on it?

Kelly Geary: I agree and right now I mean, I think professional service firms seem to be the big target and I think they've even eclipsed healthcare at this point. 

Peter Biging: Yeah, that actually leads to my thought. My thought [00:42:00] was professionals particularly because it's just anecdotal evidence, but from my own experience, I've run into claims involving insurance agents and brokers, involving financial registered advisors, investment advisors. A couple of examples from my personal experience include a case involving a registered investment advisor being sued for allegedly failing to do enough to prevent a client from withdrawing her funds from an investment account.

And paying them to scam artists who had convinced her that she had been connected with money laundering activities of the major drug cartel and needed to remove all the cash from her various accounts and move it into a U. S. treasury lockbox to avoid having it frozen for years. She literally withdrew well over a million dollars, turned it into cash and was sending wires of it, but also sending boxes of cash.

And the registered investment advisor was the subject of the lawsuit because supposedly he should have done more [00:43:00] to be aware of the fact that she could be the target of some kind of a crazy scam and should have done more to prevent her from removing her funds and then doing that. And then there was an insurance broker in a case that you and I were involved with, Kelly, where that there was alleged to have failed to provide appropriate advice and guidance with regard to the purchase of insurance against cyber related social engineering risks, and thus left them with insufficient insurance to cover losses incurred as a result of a hack into a wealthy customer's email accounts and the scamming of his assistant into paying almost 3 million dollars in fake invoices.

A third common cyber risk confronting professionals involves hacks into law firm accounts and then the issuance of false instructions for the wiring of funds. So that is a case that just came to me now, and I've talked to other claims professionals who say they get a couple of those a week. And, that leads me to, back to your comment about classifications and also about professional service providers in particular.

It's fair to say that this is something, this [00:44:00] is a class, professional service providers, that are going to be subject to greater scrutiny in terms of cyber risk coverage going forward? 

Kelly Geary: It has already. We've already seen some markets that are retreating a little bit from law firms in particular, where they are reintroducing co-insurance on the ransomware.

And we saw co-insurance introduced by the cyber markets back during the hard market between 2020 and 2022. And then it went away and, and there were full limits again and no co-insurance. And we very recently, maybe about 6 months ago, started to see some markets either shying away entirely from law firms, cyber for law firms, or adding co-insurance back in.

Nick Spano: And it's not going to matter if you're an Am Law 100 type firm that's obviously got offices across the country and Fortune 500 clientele within your roster. We've seen an uptick in claim frequency on individual solo attorneys as [00:45:00] well. Again, the thing that makes cyber such an important part to the risk landscape is again, it's going to hit all shapes and sizes.

There's no one who can sit there and go, who would worry about me? Why would anyone waste the time hacking my organization or trying to steal my data? I'm just a one or two person kind of operation. Again, there's binders upon binders of claim files directly at that kind of clientele to it.

And, law firms are no exception in that to it. It really is going to be, again, a requirement for firms of all shapes and sizes to be mindful of it and increase their own cyber hygiene to ensure that they're going to be able to maintain the eligibility that's always changing along with it as well.

Kelly Geary: And I'll add to that one of the nuances with law firms, not just law firms, I would say any kind of professional service firm. So you could talk about accounting firms or architects and engineers, even. It's the high profile nature of your clientele that also becomes an increased risk [00:46:00] factor, so if you are providing services to politicians or to celebrities, or musicians, you may be at higher risk because the cyber criminals can actually leverage that if they can get access to that kind of information may be worth more to you to pay.

Nick Spano: And that third party exposure, I think, is another great point that, organizations of all shapes and sizes need to be mindful of, as we get more interconnected within our industries, within our customers, within our vendors, as we share data and information, what's our liability of what is an organization going to be? 

Because we're sharing information with third party vendors, with our customers, with our clients, what kind of protections do we have in place when it comes to, business associate agreements and making sure that we're only working and partnering with people that are hitting our own internal standards when it comes to data and security?

And I think organizations, cyber insurers equally included need to be [00:47:00] mindful of what their exposure is when it comes to sharing of information, storing information of clients and just making sure that everybody's got the adequate level of cyber hygiene that you want to require for anyone you're doing business with.

Peter Biging: All right. I feel like I could talk with you guys for hours on this. This has been a really engaging and enlightening conversation for me. I really appreciate you guys coming on to talk about it. But I think this is a good place to wrap. I want to thank my wonderful guests, Kelly Geary of EPIC Insurance Brokers and Nick Spano of Beazley for, as I said, an extremely engaging and enlightening conversation about insuring against the present and coming cyber risks.

And I want to thank all who have taken the time to listen to this podcast. The goal of this podcast is to talk about what's coming around the corner in management and professional, cyber and D&O liability. Future podcasts will address issues specific to insurance agents and brokers, lawyers, accountants, financial service [00:48:00] professionals, directors and officers, and miscellaneous professionals.

Until your next episode, this is Peter Biging taking you to the Precipice. 

PLUS Staff: Thanks for listening to this PLUS podcast. If you have ideas for a future PLUS podcast, you can complete those by completing the Content Idea form on the PLUS website.