
A Deep Dive into Cyber Insurance


Join David Mitchell and Tim Stephinson as they dive into the world of Cyber Insurance, uncovering the vital role it plays in any cybersecurity strategy, along with insider tips on getting the best policy for your needs.


Executive Briefing Webinar

In this insightful discussion, David Mitchell, CEO of Grassroots IT, speaks with Tim Stephinson from Sherpa Tech Insurance about demystifying cyber insurance for tech companies. They unpack the components of insurance contracts, coverage inclusions and exclusions, the claims process, and tips for selecting the right policy.  

Tim emphasizes being an insurance advocate for clients, while David notes the need for detailed preparation before an incident occurs. They agree transparent communication is critical for successful claims. 

In this webinar:

  • The staggering growth of the cybercrime economy and common breach statistics.
  • The importance of accurate insurance proposals and understanding policy wording.
  • Key coverages like incident response, business interruption, and third-party costs.
  • Exclusions to watch out for like ransomware and jurisdiction limits.
  • The benefit of insurers providing specialist assistance during breaches.
  • Tips for developing an incident response plan and working with your broker.

Additional Resources

The following additional resources are mentioned or referenced in the webinar.

David Mitchell
CEO - Grassroots IT
About David Mitchell

With an MBA, various areas of qualification including Project Management, and extensive experience consulting in a wide range of industries, David is well placed to be the Chief Executive Officer of Grassroots IT. When he’s not running around after his four children, David likes to go trail running in his downtime and recently successfully completed a 50 kilometre running challenge. If he were to choose his own superpower, David would love to have super strength.

Tim Stephinson
COO - SherpaTech
About Tim Stephinson

Tim has a track record of growing and scaling businesses with an emphasis on leveraging and implementing technology. Prior to SherpaTech, Tim worked as Chief Technology Officer and Chief Operations Officer for a multinational entertainment company that delivers unique world-class shows. In addition, Tim drove a family business scale-up leading to trade sale, harnessing the best technology to drive efficiency and reduce risk. Tim’s focus is on the expansion of SherpaTech Insurance, the specialist insurance provider for tech and IT. With the growing threat of cyber and professional risks, Tim leverages his knowledge of systems, processes and procedures to assist our clients in mitigating risk.


David Mitchell [00:00:02]:
Well, welcome to everyone this morning to our executive briefing on cyber insurance. Today is going to be an informal conversation with Tim, who I’d like to introduce now. Hi, everybody, Tim, I’ll just throw up to you to introduce yourself, actually.

Tim Stephenson [00:00:24]:
Thanks very much for having us here today, David. So my name is Tim Stephinson. I work at Sherpa Tech Insurance. So we’re an insurance specialist, predominantly for tech and IT, but we also help other customers with specific cyber insurance programs. My background is I’ve worked across a number of technology and construction organizations. I worked in the construction industry for about ten years initially, and it really gave me a good grasp for how to manage risk, and I have a love for technology, and that’s sort of taken me in the direction of the wonderful world of insurance as well. So here I am now and get to consult and talk to a number of businesses about how they can manage risk better with technology. And one of those mitigations is insurance. Definitely not the only one. So thanks, David, back to you.

David Mitchell [00:01:13]:
And for those who don’t know me, I’m David Mitchell, CEO of Grassroots IT. I have a business background and my special interest is helping business to leverage technology to deliver meaningful results. So, Tim, I see that there’s an obligatory notice that we’ve got to give here. Would you like to take this one?

Tim Stephenson [00:01:35]:
Absolutely. The insurance disclaimers or the public and products. I always joke about this one, saying past performance may not guarantee future performance, but it’s not that disclosure, it’s a general advice for insurance disclosure. So any advice we’re giving here today is just general in nature, and we really encourage everyone to talk to their brokers about anything that we raise today. A lot of what we’re trying to do is help demystify insurance, and insurance brokers are the best people to talk to about those policies and.

David Mitchell [00:02:08]:
Yeah, great.

David Mitchell [00:02:12]:
So I first met Tim earlier this year when grassroots started to unpack our own cyber insurance journey. We do have cyber insurance, but when I spoke to Tim, he was providing some insights to me that no other broker nor insurance provider was talking about. So I thought it’d be a good opportunity to share some of these insights with our clients and fellow business managers today. So, Tim, can we start there again? This is pretty informal.

David Mitchell [00:02:40]:
You’re going to give us a little bit of background on what insurance is. Sorry, what the environment of the insurance is. What is insurance? And then we’re just going to start throwing some questions around.

Tim Stephenson [00:02:49]:
Yeah. Before we talk cyber insurance. The cyber environment is something that has changed dramatically over the last 15 years. When we talk to MSPs, they used to be more IT consultants, and now the managed service providers are wrapping together so many more products, and that’s where we help them with a lot of advice around how they can better risk mitigate their programs. But the cyber damages market is now the third largest revenue base behind China and the US. So the statistics out there for so many different aspects of this, but these were some ones that came from a presentation we did with another vendor recently, BeyondTrust, that does privileged access management. And it was just staggering, the growth that you can see in the size of this. I mean, from 300 million in damages in 2015 to a projected 265 billion in 2030. So there’s a lot that businesses have to do in this area, and it used to be risk mitigation for an outlier. Now it’s very much business as usual. And how do we approach that as we go through these different.

David Mitchell [00:04:07]:
Yeah, and I understand that the cybercrime economy is larger now than the combined economies of Japan and Germany, which is staggering. It’s huge.

David Mitchell [00:04:21]:
Okay, so what about the breaches? What are our latest statistics?

Tim Stephenson [00:04:25]:
So this, again, was from BeyondTrust as well. But the one that really jumped out to me in this slide when we did this presentation was that your average time to detect a breach is 277 days. So we’re almost approaching a year there in some instances before breaches are even unpacked or discovered. And so the unknown factor here is one of the biggest risk areas that we see. And so making sure that you have the right, we always talk technology stacks, and every company has a different provider for a different solution. But when we’re looking at this, we actually focus in before we even talk insurance on the people, process and technology. And that’s what can help protect in these areas. And there are a few other little takeaway stats there as well. So I started to, I suppose, get into the people, process and technology, but this is an area that we help customers with as well. And I mean, David, it’s your bread and butter, I suppose, technology and process. You’re managing a lot of that for many of your clients.

David Mitchell [00:05:28]:
In the past, it has been more about the technology, but certainly the people in the process are much more important now. Policies, we certainly work with our clients, with our people and their people. So it’s the combination of people that are the important things there.

Tim Stephenson [00:05:46]:
So we talk about those three as really, they’re all great catch words, and everyone throws them around a lot, but we see that as being extremely important to get that right even before you look at insurance, because you’ve got to make sure you’ve got the right foundation to insure against. And insurance is so much better when it’s a known quantity for what you’re trying to actually cover. Many people, I think, sometimes just buy what we call a CoC, and they’re ticking a box to get compliance with insurance for contractual reasons. But more and more, we see when people need to call on their insurance program, we want to make sure that all the off ramps for underwriters are reduced and so that, you know, you can rely on the policy that you actually.

David Mitchell [00:06:32]:
What do you mean by off ramps there?

Tim Stephenson [00:06:34]:
So we’ll get to this a little bit later. But the insurance contract is made up of, say, three elements, and if there’s something that’s left off there, you may not actually have insurance cover for that. So what we like to do is test that. But basically, on this slide, the point we’re trying to make is if you hold insurance, or if you don’t hold insurance, what do you do? And I suppose if you don’t hold insurance, you have to rely on your bank balance or you have to rely on cash to actually mitigate what breaks through the people process and technology. And in many instances, businesses self insure in this area, they might say, we accept we don’t hold insurance and we’re going to cover it via other means. But we try to do that with an eyes wide open approach and not approaching this, where you don’t know what you’re not covered for in that sense.

David Mitchell [00:07:29]:
And I might be a little bit out of sequence here, but in terms of insurance, what is the benefit of insurance? Is it just financial?

David Mitchell [00:07:42]:
Therefore, if you’re self insuring, what are you missing out on from the insurance?

Tim Stephenson [00:07:46]:
Yeah, exactly. We actually help people with a data breach checklist where we try to sort of highlight for businesses what is the procedure of events, what is the sequence of events that you’ll go through in the event of a data breach. And many customers haven’t considered their insurer in this process. And the insurer, in most cases, for cyber, offers 24 hour help desks, expert support and many other areas there. I always think about it like trying to access the knee specialist. If you don’t hold private health insurance, you can find other people to deliver it, but if you want the specialist, you can get them at a time for a fee by holding insurance in that place as well. So we see that as a big benefit.

David Mitchell [00:08:32]:
Okay, so I’ll put a pin in that for a bit, but I will come back to who they are acting for when they are providing that service. Are they acting for themselves? Are they acting for the insured?

Tim Stephenson [00:08:45]:
Yeah, we’ll come back to that one. It’s a good one. So this is something I was sort of just touching on previously. What makes up an insurance contract? And this is really important because the proposal, the first leg of the insurance contract, is the forms that you complete to send to your broker that go into the underwriter. And these are painful, no one likes them, but they’re your opportunity as a business to insert into that proposal many factors that the insurance is then based on. Insurance is a contract of mutual honesty. An insurer is guaranteeing to pay in the event that the risk they’re covering matches the conditions you’ve put down. And this only gets tested at a claim usually. And so what we like to do is really expose this area and challenge the proposal, because quite often, especially in a larger business, different areas of the proposal can be pulled from different parts of the business, and the CFO will go out to the head of IT and compliance and different areas and then bring it all together. But it’s also your chance to look at your business and ask, can we improve any of the situations here? So for example, they might ask if you do XDR or antivirus, but you might do, I don’t know, Grassroots uses the Sophos products, so MDR is their top tier product. The underwriter may not ask for that, but you can tell them about that. And that actually improves your operational maturity as a business in their eyes. And you might get better premiums or if you have a challenging risk, you then might be of appetite for the underwriter. So it’s a real chance to, we try to say, disclose everything. And if you have then the right underwriter, you’ll then find the right product that covers all of your risk or limits the amount of exclusions or areas that it doesn’t cover. It’s the area you can do the most to actually help your insurance program. The next area is the schedule. So this is the information that comes back from the underwriter that confirms everything you’ve told them in the proposal and also then puts the terms and conditions on that insurance. So in this area you can have, and I’ll talk about this a little bit later as well, but endorsements, exclusions and other customizations for your own insurance program. So sometimes the insurers, and we’re seeing this a lot now, will put a ransomware, either exclusion in there or a coinsurance. So they’re basically trying to limit their exposure to particular circumstances so they can provide you cover. And if you’re expecting to rely on your insurance to do a particular outcome, you then really need to understand what’s in the schedule and what the insurer may have excluded from your cover.

David Mitchell [00:11:33]:
And how obvious would that be in the paperwork for those non lawyers of us? How hard is that going to be to find?

Tim Stephenson [00:11:44]:
It’s pretty easy to find, but you’ve actually got to read it to find it. And look, a good broker should call out any endorsements or any exclusions to you, but it’s a good question to ask your broker, does this policy have any exclusions? It’s a really simple one. And then if it’s a standard policy, it follows all the terms of the normal wording. That is the third part, and we see the wording very much as the rules for the game. So to simplify it, you have those three pillars that all wrap together and collectively make up your insurance contract. And so with those three documents, if you need to then test or challenge your insurance program in a court of law, it relies on those three pillars.

David Mitchell [00:12:31]:
Okay, so we’ll get to professional indemnity a little bit later, but your professional indemnity, if we’re relying on you for advice here and you miss something.

Tim Stephenson [00:12:43]:
Yes, we are, and we’re licensed insurance brokers and we’re licensed to do that. We operate under an AFSL financial services license and our compliance is very heavy in that space. But what we do is help our clients understand why different elements are important here. But ultimately it’s up to the client. The accountability is on the client to complete these documents to the accuracy of their businesses. But what we find is sometimes people don’t understand the importance of clearly articulating business activities, because the business activities section on a proposal can be sometimes quite vague. And if you’re doing something that doesn’t quite fit in the box, it’s good to expose that to the underwriters, because then they can accurately price the risk and you can feel confident that it’s actually covered.

David Mitchell [00:13:40]:
So I suppose the worst case scenario would be that you have been paying insurance premiums for quite some time and then not be covered for the whole time, and you’ve lost out on both ends of the equation.

Tim Stephenson [00:13:51]:
Yeah, we very much encourage people to challenge these processes and we find the best time to do that is not at renewal, because if you’re trying to tweak an insurance program with 30 days to go and insurance premiums are due. But we like to review this with a number of our clients at six monthly intervals. We’re seeing changing conditions for underwriters at the moment, we’re not lawyers, but with contracts that our clients engage under, insurers are very conscious of things like unfair contract terms and areas that can leave them exposed. So they’re quite often requesting MSA contracts that come from clients like yourselves, so that they can better ensure that they’re covered and you’re covered from a legal perspective.

David Mitchell [00:14:43]:
So what you’re talking about there is the contracts between the insurance client and their clients or their customers.

Tim Stephenson [00:14:51]:
Yeah, correct.

David Mitchell [00:14:52]:
So, for example, if a client has an engineering firm, the cyber insurer would be interested in the contract between the engineering firm and their end clients.

Tim Stephenson [00:15:03]:
Yeah, depending on the areas of cover that the cyber or the professional indemnity policy is covering. And we see in a lot of cases, cyber and professional indemnity get grouped together, so they’ll operate under one proposal, one schedule, and one wording. And the good thing about that is then you limit the finger pointing in the event that you have two insurance providers sitting, one on professional indemnity and one on cyber, and they tend to point the finger at each other. Again, that’s trying to limit the chance of something being more challenging if you need to make a claim.

David Mitchell [00:15:41]:
Yeah. Okay.

David Mitchell [00:15:42]:
Something I don’t think we’ll cover down the track. So I’ll cover it now. Why would I go to a broker as opposed to directly to an insurance company?

Tim Stephenson [00:15:52]:
So the advantage with a broker is the nuances of the market. Insurance is actually still very, I was going to say very outdated, but it’s not a very technology first world. So insurance is still a lot of personal relationships between brokers and underwriters, and also knowing where to go to find particular homes for risks. We still go to London on many larger programs and get cover directly out of Lloyd’s. And there’s a number of players in the local insurance markets that, depending on their risk appetite, for example, in the tech space Chubb, are now pulling back cover a little bit for tech and IT companies. They’re limiting the levels they’re going to, and they’re also restricting some of the business activities. Some other providers have now basically excluded tech and IT companies. And so that’s always a bit of a moving feast. So a good broker who specializes in a particular area will usually know where to go to find homes for things.

David Mitchell [00:17:01]:
Okay, that’s a good point.

David Mitchell [00:17:02]:
And something that you have mentioned in the past that I’ll quickly bring up is that the loss ratio last year for insurance companies was 120%.

Tim Stephenson [00:17:16]:
So that was for cyber insurance particularly. So for every dollar in premium they take, they were paying out a dollar 20 in premium. So the way that they try to mitigate that is they reduce the cover by inserting exclusions or denying to take on policies in those areas that are higher risk. So that’s where we try to advocate that customers really want to package themselves up and make them look attractive to insurers by things like ISO 27001 for data security, showing good management controls and processes sharing. If you do have a robust data management environment, sharing that with the underwriters, even if they don’t ask the question you think addresses it, share with them or share with your broker how you’re addressing those concerns proactively.

David Mitchell [00:18:07]:
So you have a checklist or some form of guide there as to what to put together for.

Tim Stephenson [00:18:17]:
It does depend. It’s a bit case by case. We’ll approach something slightly differently for a software vendor to an MSP or a hardware supplier in that sense. But it’s a case of, I think, developing a good relationship with your broker so they understand your business, and then they can also articulate that to the underwriting community as to why they should want your risk.

David Mitchell [00:18:43]:
And there are different insurances.

Tim Stephenson [00:18:47]:
Absolutely. There’s a lot of different insurances. I mean, you can pretty much insure for anything. Yes. And it’s an amazing place. And I mean, you can even cover for a hole in one on a golf day if you like. But when it comes to business insurance, there’s a couple of main categories. So professional indemnity, this is the big one. For professional services, doctors, lawyers, it’s the cover for bad advice that can lead to financial loss or perceived bad advice. And the biggest exposure we see for a lot of companies now in professional indemnity is actually being drawn into a claim. So because you’re giving advice in a particular area and a company may suffer financial loss in that area, you may not have caused it, but the other insurance providers, when there is a claim, will try to scoop up as many people as possible to spread the loss. So we see a lot of people getting drawn into claims. Cyber insurance used to be part of professional indemnity. It’s an interesting fact about professional indemnity versus cyber insurance. Professional indemnity has been around for over 100 years. Cyber insurance has been around for about 15. And so the legal wordings that both these products are built on are very different from different providers. So professional indemnity is all consistent? Well, majority is very consistent. Cyber insurance, we see huge variations from different underwriters, and they tweak their wordings depending on where they’re suffering losses. So some providers have very robust covers, some providers exclude areas. We’ll see. And cyber insurance, one thing to really hone in on here is it’s first party cover, predominantly, so it’s protection for the holder. So your engineering example previously, the engineering firm needs to hold their own cyber insurance to protect their own cyber environment, and that their clients, they should encourage to hold cyber insurance as well to protect them in the case of a claim. Cyber insurance also includes third party defense costs, which is then the defense protection for if somebody tried to blame you for infecting them with a breach or a claim in that area.

David Mitchell [00:21:11]:
Because there’s a lot of cooperation going on in the world with intercompany teams now delivering projects.

David Mitchell [00:21:20]:
How would you unwind that in an example of a breach?

Tim Stephenson [00:21:24]:
So the Privacy Act is something that we lean on a lot to try and understand or unpack this. And what we try to do is say to our clients, if you have a particular scenario that you’re concerned about, let’s document that and take it to the underwriter when we’re trying to get a policy and ask them questions about how would this policy respond in this instance. So you start to get a feel for who’s accountable for the data. Personally identifiable information is one of the biggest costs in these policies. So if you hold PII, a name, first name, last name, email address, and that gets breached, there’s a cost that you have to notify all those people who’ve had their data taken. The changes to the Privacy Act are coming very shortly, and that will see. Currently, the cap on that is, I think, businesses turning over under $3 million are exempt. We believe that’s going to be removed. And then you need to consider how will you actually manage that piece in the event that you are breached. And Australia with those changes, is just catching up to GDPR and others at the moment.

David Mitchell [00:22:33]:
Okay, very good.

David Mitchell [00:22:34]:
Well, there are a few questions around that, but I think we’ll get through a bit more information first, and then we’ll go through the questions.

Tim Stephenson [00:22:41]:
Yeah, no, that’s all good. I think we’ll have a little bit of time there. So this is just a screenshot of a cyber proposal from one of the providers we deal with a lot, called Emergence. They’re an excellent local cyber insurer, they do cyber only, so they’re very focused on the cyber cover.

David Mitchell [00:23:03]:
But first, part of your three components of insurance, is that correct?

Tim Stephenson [00:23:08]:
Yeah. So they ask a number of questions here, but they also give you opportunities to expand further, and they don’t know what you don’t tell them. And the reason I put this extract here is it’s actually for your estimated revenue is over 75 million. So you’re dealing with quite a sophisticated company there. However, if you’re a mid tier business but you still have a lot of those controls or measures in place, it’s in your best interest to tell the underwriter that you actually do have that operational maturity. And then they’ll say, oh, actually, maybe we can offer you cover for an industry that might have been challenging or a set of data that might have been higher risk. So we had this with a particular company that holds a lot of personal health records. So health records are a lot more costly because you have to hold them for a longer period of time for compliance. And so when you come to insure for that, it’s a higher premium. So in this case, with this customer, we answered the full question set all the way up to the 75 million sort of level of understanding, and that allowed the underwriter to offer us terms for a business that maybe didn’t have the turnover to justify the limit they needed. But the contract they needed was requesting that limit. So we were able to explain away and show maturity within the business to achieve that.

David Mitchell [00:24:38]:
And how long does this process take? If you need to organize insurance like this, what sort of time frame should you leave?

Tim Stephenson [00:24:47]:
The more the better. In most cases, what happens typically is there’s usually a reason that drives it. It’s a contractual requirement, or it’s a step change within the business where you might be going through some other compliance areas, and then it becomes a consideration of why you need it. But we can usually find a home for a policy within about a week. But again, we rely on the information that our clients give us, and it needs to be accurate, because if you provide information that says you have a certain risk mitigator in place, and then you have a claim and that doesn’t exist, that provides an off ramp for the insurer to say, this wasn’t what we provided you cover on.

David Mitchell [00:25:32]:
And have you seen examples where the insurance company just disallows? I’m not sure what the right term is.

Tim Stephenson [00:25:42]:
Yeah, definitely. We talk about the policy not responding. So we’ve seen this with some tech companies where a couple of years ago, many of these underwriters asked one or two questions in regards to do you do cloud? It’s such a generalization, but now there’s so many specialities from providing products in the cloud, SaaS services, hosting all these other areas. And this particular customer said they did cloud. But then the underwriter asked subsequent questions about cloud, which weren’t answered. And then when there was a claim, they said, well, it was in these areas that you indicated you didn’t operate. So if you do make substantial changes within your business over the year, you can actually call up your broker and say, hey, we’d like to endorse our policy, which means to include new information and then adjust that. Sometimes there’s a charge for that, sometimes there’s not. But it’s always good to have the conversation with the underwriter, and we like to do that with clients even well before they make those changes within their business, is talk about insurance or talk about the impact. Even in mergers and acquisitions, you might be bringing on a business that has different activities to yours. And it’s not until you roll them together that you realize you might have an increased premium you need to allow for. But a good broker will be able to give you indications on that before you get to that point.

David Mitchell [00:27:06]:
And if your business is going into expanding into newer areas or a different specialty, it may change the risk profile as well.

Tim Stephenson [00:27:14]:
Yeah, and so again, they can’t insure for what they don’t know. So you’ve really got to tell them.

David Mitchell [00:27:23]:
Okay, so this was a question that I was going to ask. What does it cover?

Tim Stephenson [00:27:28]:
Yeah, so the areas of cover. Policies have different inclusions and exclusions. So we’re just looking at one of the Emergence policies here today. So the first party cover is broken up into a few sections, so you can adjust these on the policy when you’re actually looking at it. So the first is the cyber event costs. So this is all about containing and stopping the breach or the losses. So there’s IT forensics, virus extraction, customer notification costs. So that’s all about the personal identifiable information. PR also, negotiations with regulators and other parts can come into that as well. Although that sits in losses to others. But losses to your business is your business interruption and impact costs. So most businesses on their bizpac policy, which is their building or office insurance, will hold a small amount or a degree of business interruption insurance, so that if they can’t continue their business, there’s a little bit of cover there. We see that one of the biggest areas of business interruption is from lack of tech or tech infrastructure being locked up. I know in my day to day, when my laptop stops working, I become very unproductive. So it’s just one of those risk mitigators where you consider which policy would it sit best in?

David Mitchell [00:29:04]:
So again, we might address this a little later, but wallet comes to mind. What does it look like for the insurance for you getting money from the insurance company for these sorts of things, timing wise, and also percentage of a loss. Is it a percentage of a loss or is it like a car insurance.

Tim Stephenson [00:29:22]:
Where there’s an excess, it depends what.

Tim Stephenson [00:29:24]:
You’Re actually covered for, and there’s a number of sections there. But one thing that’s changing with cyber insurance now is instead of the insurers handing it off to third parties to manage, which is legal firms and forensic teams, a lot of them are managing them internally, and this is all about limiting the losses to themselves. So they want to get this claim and deal with it as quickly as possible for the least amount of money.

Tim Stephenson [00:29:48]:
So the best way to do that.

Tim Stephenson [00:29:49]:
Is to step in early. And that’s why with, like, Emergence, we see them having a 24/7 help desk access line. We’ve had a couple of claims that have gone through Emergence, and they’ll have a team of ten people on a Friday afternoon on a call getting access to a system to try and first of all, contain the breach, understand it, and then mitigate the losses. So the payment side, everything is a case-by-case basis. It depends on what the breach is and what the coverage is. And a lot of these costs are legal. Insurance gets very legal very fast. And that’s why we come back to those three pillars of the contract there, to sort of start with that understanding that if you appreciate how legal that proposal ends up being, it has its biggest effect when you come to a claim, because that’s what everything is built on.

David Mitchell [00:30:46]:
I’m hearing a lot of this information needs to be in the disaster recovery plan. Absolutely. So you’re not thinking about it at the time; you’ve pre-thought your contacts for insurances, contacts for your IT. So insurance and IT can come together. Okay, good to know.

Tim Stephenson [00:31:04]:
Well, with everyone on the call, I’m more than happy, David, if you just.

Tim Stephenson [00:31:07]:
Share our data breach checklist with them.

Tim Stephenson [00:31:11]:
It’s tailored for tech businesses, but it’ll give everyone the sort of high level takeaways of things to consider in that process.

David Mitchell [00:31:21]:
Anything else on this page that you wanted to?

Tim Stephenson [00:31:24]:
No, but I suppose one big thing to consider with cyber insurance is all cyber insurance from different providers is very different. So if we have three quotes from three providers, they can vary in price by 100, 200%, even in some cases. So it does pay to seek multiple quotes and also understand what are the inclusions and exclusions of those quotes. Some cyber policies will not include the losses to others section. Most criminal and financial loss sections are sublimited. So social engineering and theft is a really easy one, which is, say, business email compromise. So someone tricks your accounts department to pay away a sum of money to a third party, they’ll sublimit that to 50 or 100 grand, because usually you’ll pick that up in your processes before you lose the million dollar limit. So it’s quite an expensive cover. So they limit that down. But in some policies, it may not even be included at all. So it’s just, again, un.

David Mitchell [00:32:36]:
That’s a big checklist to go through that’s quite detailed, because I would assume all of this would be covered in our policy.

David Mitchell [00:32:45]:
But it may not be.

Tim Stephenson [00:32:46]:
It may not be, and I think that’s an important one to everybody. When they ask for somebody’s insurances, they ask for a CoC or a certificate of currency, and all that is, is proof of insurance at a particular point in time that that insurance is current. It actually doesn’t tell you what the.

Tim Stephenson [00:33:02]:
Levels of coverage are.

David Mitchell [00:33:05]:
Okay, there’s one question as we go. You mentioned the forensic teams. Rowan’s asked whether they have to be managed by the insurer or can they be managed by the client. I think there’s a little bit of a control tug of war here.

Tim Stephenson [00:33:24]:
So in the examples that we’ve been part of, the forensic teams, I suppose the insurers actually work for you. They’re first party cover, so you’re their client. They’re wanting to help you.

Tim Stephenson [00:33:39]:
That’s what you’ve paid for the service for.

Tim Stephenson [00:33:41]:
Their forensic teams are actually, if there’s anything that subsequently follows from, I don’t.

Tim Stephenson [00:33:49]:
Know, recovery of costs or other areas.

Tim Stephenson [00:33:52]:
They’re there to do that on your behalf. So we encourage, I think, the use of the insurers’ services that you’re paying for, because it gives you an entire program that is managed for you that you paid for.

David Mitchell [00:34:10]:
So that’s probably a good point that it’s not just technical forensics we’re talking about here. We are talking about compliance with regulators, reports to regulators, and things like that. So if we’re not insured, we would have to be paying, usually lawyers or someone to do that on our behalf.

Tim Stephenson [00:34:32]:
And that’s where the fines and penalties and the regulatory investigations. And so this is in the losses to others section, the notifiable data breach side. Depending on your business or the framework that you need to align to, depending on which government category that you fall into in that level, there can be some pretty significant penalties. And with the recent public breaches by some larger organizations, we feel that the changes to the Privacy Act will really shine a light on the fines and penalties on the regulatory side. So those government agencies that haven’t really.

Tim Stephenson [00:35:09]:
Pursued some of these areas previously, we.

Tim Stephenson [00:35:12]:
Think over the next couple of years we’ll see a significant change there. So the forensics teams supplied by the insurers are really a contributor to the overall program, but they obviously work in conjunction with your people as well. You’ll have to grant access, you’ll have to give them, and ultimately you can decline services from the insurer. You don’t have to give them everything. But we would see that.

David Mitchell [00:35:43]:
You wouldn’t see that an insurer would lock you out of your systems, for example.

Tim Stephenson [00:35:47]:
No, not at all. Their intention is to get you back up and running as quickly as possible.

David Mitchell [00:35:53]:
They wouldn’t do like a vehicle and say it’s a write off, it’s now ours. No, they’re there more to help you.

Tim Stephenson [00:35:59]:
Absolutely. Yeah. Okay.

David Mitchell [00:36:02]:
Very good.

Tim Stephenson [00:36:06]:
We’ve sort of touched on this, I suppose, but yeah, these were just the four kind of areas that for everybody when they consider professional indemnity and cyber insurance, and we see you need to consider them together, is look for your exclusions, look for your endorsements. And the biggest one of those we’re seeing is the ransomware. So I suppose we would then ask a question of a policy or a client. Sorry, we’d ask a question of a client to say you’ve now got a policy that has a ransomware exclusion in it. In the event that you get ransomware, how do you return to your people, process and technology to better mitigate that risk? So that might be increasing the maturity of the backup system you’re using. It might be using something like privileged access management to reduce the chance of somebody actually being within your system. Unknown. There’s a number of technology solutions that are purpose built to get you up and running in the event that you get ransomware. So if your insurance policy doesn’t cover it, return to the people, process and technology and have a stronger solution. There is kind of what we advocate for.

David Mitchell [00:37:18]:
How much detail does the insurance company go into the technology that we use? I have heard that especially in the US, they are starting to move towards.

Tim Stephenson [00:37:30]:
Being very particular, prescriptive almost around the. Yeah, so we’ve definitely seen that in the US. The Australian market hasn’t particularly gone in that direction yet, but we’re seeing the insurers have a much deeper understanding of the technology stack. What we do see is when they suffer losses from a particular supplier, they would then exclude that supplier from future risks. The SolarWinds one is a good example of that from a number of years ago. And we see a couple of underwriters in their wordings say, if you’re using SolarWinds, we can’t provide you cover, but that only comes when they suffer losses. You might have another underwriter who has had no exposure to that example, and then they don’t mind.

Tim Stephenson [00:38:22]:
You could use those products all day.

Tim Stephenson [00:38:23]:
And that’s where the broker comes down to knowing that market and sort of where to place the right risk there as well. Another one just on the ransomware is the act of war exclusion. So you and I were speaking about that a bit earlier, but the act of war exclusion comes into play in the event of a ransomware attack, and this is being challenged by a large company in the US at the moment, where it appears to be a state-based attack, and therefore it would be excluded from the policy.

David Mitchell [00:38:59]:
So obviously it’s open for discussion in the courts. But what you’re saying then, there’s a lot of state-based allegations.

David Mitchell [00:39:12]:
How confident can we be that insurance.

Tim Stephenson [00:39:14]:
Is just going to not pay out, potentially. And that’s where, I suppose, if you’re in a business where you feel you might have exposure to either an industry or a geographic region that could be susceptible to that. Well, then you want to look at your insurance policy through that lens to say, well, maybe this area, it won’t respond in that sense. So what other steps can we take to mitigate that risk?

David Mitchell [00:39:43]:
Okay, yeah, that’s a huge minefield to unpack that act of think.

Tim Stephenson [00:39:49]:
But again, look, regular, I was going to say locally based businesses in Australia that do general services, I don’t think that’s an area that they need to be concerned with, but it’s just something that highlights you want to consider what your policy excludes?

David Mitchell [00:40:06]:
Well, I was thinking more about if I’m using a SaaS product software as a service product that is based in Israel, for example, that if something happens to that due to a conflict, and I incur a loss because of that service stops, that’s an act of war.

Tim Stephenson [00:40:24]:
And therefore I can’t claim? Could be, but that’s probably more of a supply chain issue. So one thing to look at as well with a lot of the vendor products is they need to follow the chain of supply. So as an MSP, you will have engaged with your engineering company, your contract for delivery. But if your supplier fails to deliver to you, the engineering company’s recourse is back through you to them, because it follows the line of contract. And that’s where, I suppose, professional indemnity.

Tim Stephenson [00:41:02]:
Is possibly the right cover there, because.

Tim Stephenson [00:41:04]:
If you couldn’t deliver the service to your customer and they made a claim against you, professional indemnity is the cover that would protect you in most cases. That’s where it gets a little bit gray, though, when it goes into a vendor stack. And that’s why cyber insurance is needed alongside professional indemnity, because if it falls between the cracks of one, the other should pick it up, and that’s where both insurers are in. Both covers are important there.

David Mitchell [00:41:31]:
Okay, so we’re just talking about global questions. Is cyber insurance cover global? So if we’re an Australian company, for example.

Tim Stephenson [00:41:42]:
Yeah, depending on the policy. So there’s two lines on a policy, territory and jurisdiction. And so they talk to the areas of cover for the policy and

Tim Stephenson [00:41:58]:
Legal jurisdiction that the policy is written in, so that if it’s challenged in a court, it would be in that jurisdiction. The interesting thing is, obviously, we all know the US is very litigious, and so any policy that covers costs in the US is definitely more expensive than most policies we see here are Australia and New Zealand coverage areas.

David Mitchell [00:42:23]:
So if we have clients in the US, we’ve got to be well aware that that needs to be a different.

Tim Stephenson [00:42:31]:
So, you know, US exposure is something that should be unpacked in the proposal stage as to where your revenue is coming from.

David Mitchell [00:42:40]:
So we definitely are aware of clients who would operate in Southeast Asia, Papua New Guinea, north of us. So what I’m hearing is don’t treat this just like an Australian business. We need to make sure that the insurance company is aware of where the business is being conducted.

David Mitchell [00:43:00]:
Yeah, absolutely.

Tim Stephenson [00:43:01]:
And we’re also seeing that with some.

Tim Stephenson [00:43:03]:
Of the data requirements for where even.

Tim Stephenson [00:43:06]:
Contractually, now, this is a little bit outside of the insurance space, but contractually.

Tim Stephenson [00:43:10]:
Where people are acquiring their data is.

Tim Stephenson [00:43:12]:
Held for many government contracts, they’re insisting.

Tim Stephenson [00:43:14]:
On local data centers and those sort of areas.

Tim Stephenson [00:43:18]:
So those considerations also need to be shared.

David Mitchell [00:43:23]:
We definitely have those. Definitely have those. Okay, very good.

Tim Stephenson [00:43:29]:
We’ve covered some pretty good ground here.

David Mitchell [00:43:31]:
We have indeed. It’s gone quick. I’m going to throw it open to the floor now just to see if we haven’t covered any questions. But whilst people have a chance to think, can I ask a couple more that I have? Definition of a cyber event or a data breach? What is that?

Tim Stephenson [00:43:49]:
Okay, so that’s a great question. Any questions like that, you need to refer to the policy wording. So the policy wording are the rules for any individual policy.

Tim Stephenson [00:44:00]:
So when you’re asked, that’s number two.

David Mitchell [00:44:03]:
In the three pillars of what makes up a contract?

Tim Stephenson [00:44:06]:
Yes, number three.

Tim Stephenson [00:44:09]:
The policy wording is number three. So every insurer will define those terms in the policy wording. So, for example, when I get asked that question by a customer, hang on.

Tim Stephenson [00:44:18]:
What am I covered here for?

Tim Stephenson [00:44:19]:
What is a cyber incident? I literally go to the policy wording, I take a screen grab of that and I say, in this particular policy, this is what the wording defines that as. And that’s where I come back to the different nuances between different cyber products, because they all describe those events slightly differently in some cases. But, yeah, it’s a bit of a minefield when you start to go into the nuances of those areas. But we like to then look at those individual situations and unpack those.

David Mitchell [00:44:52]:
Something we definitely need to know. Okay, I have a couple more here. You’ve already answered a few of those. Are there limitations of the choice of legal, PR or cybersecurity firms during a breach response? I think we.

Tim Stephenson [00:45:07]:
Yeah, we do see that.

Tim Stephenson [00:45:10]:
And if that’s something that is important to you, you can ask that of the insurer at the time. There’s a couple of insurers that we use that provide the panel of the people who respond in a breach. So it’s a little bit of a selling point for them to say in a breach. Here are the brands that we use to actually mitigate your know, if, again, these are things that it’s worth asking.

Tim Stephenson [00:45:36]:
Your broker for, your specific areas of.

Tim Stephenson [00:45:38]:
Cover and understanding that even just who to call in that breach for your cyber insurance provider. One of the insurers, CFC, use technology very heavily and they have an app that you can actually notify your breach on. Many of them as well will give you a period of time that you can call their support services before you’re actually declaring a breach, because they don’t.

Tim Stephenson [00:46:02]:
Want to put barriers up to you.

Tim Stephenson [00:46:04]:
Actually trying to get access to the experts in those crucial hours when you think there might be a breach.

David Mitchell [00:46:12]:
So that’s an interesting question, because my next one was, can you walk us through the claims process in the event of a cyber incident, what happens? Like, do I think I have one? I mean, we obviously call your MSP or grassroots, whoever that might be, to confirm or deny or give some advice. But what’s the critical time frame?

Tim Stephenson [00:46:35]:
Yeah, so there’s a couple of, actually, I’ll just make a note of that, that you can share as well. There’s a really good document from Emergence about their process. In a breach, when you call what happens, who gets on it. And so those kind of areas, again, it’s different for each underwriter. And I think that’s a really big takeaway here, is insurance is not consistent across the different providers. Some will require you ring their hotlines, some have specific technology that help you in those areas. But it’s a good thing to have in your data.

Tim Stephenson [00:47:11]:
In your incident response plan is whichever insurer you hold and the services they’re offering in that point.

David Mitchell [00:47:20]:
Okay. And response time after an incident is reported, you’re working very closely, very quickly with your insurance company, aren’t you?

Tim Stephenson [00:47:31]:
Yeah, definitely. And they want to step in as quickly as possible because they know that that’s how they can help mitigate your losses.

David Mitchell [00:47:42]:
What sort of insurance pays cash to the business for losses that the insurance company can’t provide services to cover? And how long does it take to get the cash?

Tim Stephenson [00:47:52]:
So that’s business interruption insurance. And look, it depends on a number of factors. With business interruption, you need to, in most cases, record and show the financial loss.

Tim Stephenson [00:48:06]:
So it’s not like you go, I’ve.

Tim Stephenson [00:48:08]:
Suffered a claim, do I get 100 grand? So it’s proportionate to the losses that you suffer in that business. So if cash is a consideration in the event of a breach, you also might want to look at other funding considerations to be able to get through those times as well. Again, unpacking it within the individual policy as well.

David Mitchell [00:48:34]:
Great. Ben’s asked a question.

David Mitchell [00:48:39]:
Who should the very first call be to? Insurer MSP lawyer.

Tim Stephenson [00:48:47]:

Tim Stephenson [00:48:48]:
So containing the breach is always the first step, but the insurers like to be one of the airline. I like that.

Tim Stephenson [00:49:00]:
Insurers like to be first because they need the forensics to protect so many other things. We’ve heard of MSPs jumping in in certain cases and doing what they think is best practice and removing the evidence to allow the insurer to go either after a third party or actually validate the losses. Again, the insurance policy provides a number of services in that area, and understanding that incident response service, again, helps you inform your data breach plan. As well, as a business, you might need to verify that the breach is real. That’s a very fundamental first step.

David Mitchell [00:49:49]:
And that’s not your insurance company, that’s your technology provider generally, yeah. And I think it would depend on your relationship with the technology advisor too. If it’s an ad hoc and you call somebody in the event you flick through the yellow pages and have a look at for a name at the time, that’s probably too late. But if you’ve got a good relationship, it’s probably a conversation, then a call to the insurance company.

Tim Stephenson [00:50:14]:
Yeah, but this is a plan that you need to come up with between the technology provider and the company who holds that first party insurance. Again, it comes back, you know, if it was the engineering firm that holds that first party cover, the response plan is theirs. The MSP should be a contributor to that plan. They might verify that the breach is real and then away notify the insurer or the client notified. Yeah, the MSP is a person to open the doors, but you also want to contractually make sure it’s very clear with your customer whose responsibility is what in the event of a breach. And in many cases we see it as the first party’s responsibility because it’s their data.

David Mitchell [00:51:05]:
Okay, we’re starting to get closer to time. Do you have a war story you could share with us without disclosing names of a good or bad scenario through an insurance company? Something that’s worked well and maybe something that hasn’t, just so we understand the lay of the land here.

Tim Stephenson [00:51:24]:
So we have a number, but the biggest takeaway is the mutual honesty for us. So we are an advocate for our clients. So we provide insurance for many businesses. And brokers, I think in general should be advocates for their clients. And so in the event of a claim, your broker should be across that claim as well and be able to help you in that process and be.

Tim Stephenson [00:51:56]:
Across that as well.

Tim Stephenson [00:51:57]:
We do a lot of claims management, so the problems come from when things don’t match what the expectations are that have been set. And so it’s important to check those documents. It’s important to cover off those areas. War stories are hard, I suppose, but it’s when people actually lose real money and real stress as well. And there ends up being a lot of finger pointing. And so good documentation is one of the biggest things we find that helps in those situations to have clear, concise communication and good customer records as well.

David Mitchell [00:52:37]:
I’m hearing the takeaways being: start early in the process, research, choose a broker or your method of getting the insurance, work through it in detail, prepare your defenses to work before insurance is needed, and have a good plan. And definitely prepare the plan.

Tim Stephenson [00:53:03]:
And also have people within your organization.

Tim Stephenson [00:53:06]:
Empowered and aware of what those plans are.

Tim Stephenson [00:53:10]:
So if it’s a Friday afternoon and something happens, the training’s in place, that they know who to call and who to respond. Yeah, a plan helps. That’s been fantastic, David. I’ve really enjoyed unpacking all those little bits and bobs, so me too. I’ll definitely share with you a couple of our checklists and a little bit more information. I’m on LinkedIn as well, so if anybody would like to either email me directly or reach out myself, my colleague Andrew and others are always happy to help. And yeah, that’s been good.

David Mitchell [00:53:47]:
Terrific. And same with me.

David Mitchell [00:53:49]:
Anyone can give me a call, send me an email, click on LinkedIn, and we’ll certainly be sending all of this information out to all our participants today.

David Mitchell [00:53:59]:
Thank you all. We’ll see you next time.

Tim Stephenson [00:54:02]:
Thanks. Bye.
