Welcome to this episode of our podcast, where we will be diving into the world of cyber insurance.
Mat discusses what cyber insurance is, how it works, and the pros and cons of having it. We will also cover the key factors you should consider when completing your questionnaire, to ensure that you don't get claims rejected.
Our guest for this episode, Brendan Goddard of Macey Insurance Brokers, is an expert in the field of cyber insurance and provides insights and advice on how to navigate this complex and rapidly evolving area.
Join Mat and Brendan as they explore the world of cyber insurance and learn how to protect yourself and your business from the growing threat of cyberattacks.
Brendan, let's dive straight in. Tell us, what is cyber insurance?
Thank you, Mat. I guess in broad terms, it's insurance protection against anything that happens to do with your internet connection or anything that goes on in the world wide web. So to break it down a little bit, there are generally three components to the insurance policy. One is what we call the first-party coverage, which is covering your own business for its own financial losses. That could be from damaged hardware because of the hack, it could be from fines or penalties for breaching data legislation, it could be any sort of ransomware payments, those types of things that the business itself will incur, and the insurance policy will cover you for those losses.
Then there's the third-party liability aspect. So that's for third-party losses. That's where, if someone suffers a loss because of your unintentional breach of data, or your system gets hacked and then they use your data against you to maybe try to extort money out of another person or one of your customers through the use of their data, then they can sue you for that, and the policy covers those third-party liability claims.

And then the third component is the loss of income that your business might incur as part of an interruption to your business, for when your system is down and you're unable to trade. Those losses to your revenue are also insured under the policy.
That sounds pretty comprehensive, actually. But is that not just part of normal business insurance now?

Well, that's the misconception. A lot of the general property insurance policies now have various exclusions in their policy wordings that don't cover cyber-related losses. So that's why the cyber liability policy was developed. Basically, it provides coverage around a very unique area of a business's exposure to risk, which is that cyber element. There are so many moving parts to that piece that it doesn't seamlessly fit under a business insurance policy, or an ISR property-type policy, or a traditional business interruption insurance policy. They don't cover those losses related to your own IT infrastructure, or the holding of customers' data, and those types of exposures that the business might have.

Yeah, sure. Now,
for any business owners or managers who are watching this or listening to this, there could be a sort of rolling of the eyes: it's just another insurance premium. I mean, you've laid out what it covers. Is there anyone in particular who should consider this, or is it relevant to every business?

Look, what I've always advised is, if you've got the little blue data cable plugged into the Internet, and you've got devices hooked up to that, then you're susceptible to some sort of cyber loss. Basically, once you are connected to the Internet, there is some element that you could get hacked, and there could be some financial losses resulting from that hack. But as businesses get more comprehensive, or larger, they might have a large database of client information, or they might store confidential information on hard disks, or they've got a lot of financial transactions running through internet-based websites or payment portals. Even just the use of online banking and paying your own bills puts you at risk of some sort of cybercrime situation. So ultimately, in today's age, pretty much every business has an exposure, and it's really up to the business owner to assess whether the exposure is great enough for them to want insurance coverage or insurance protection.

Yeah, absolutely. Look, we regularly, each week, get asked by different clients, and actually even non-clients, to help them complete their business insurance questionnaire. In particular, they're coming to us to help them answer the cybersecurity component of that questionnaire, which in our experience has been getting longer and more complex. And it's no surprise to us that some clients don't really understand some of the questions, because we also sometimes read the questions and go, wow, okay, that's really quite specific. It seems that the insurance companies are becoming more alert to, and educated around, and therefore more specific about, the type of requirements that they have of business owners if they are indeed to provide even just the most basic insurance, not specifically cyber insurance per se.
What's your experience with that? I mean, those are our observations. I guess a better question, perhaps, is: what advice would you give to business owners who are completing those questionnaires, in terms of accuracy and completeness?

Yeah, well, I guess, to go back to the start of the question, the reason they're becoming more detailed is basically that the insurers are seeing far more claims coming through. Cyber insurance is relatively young. I mean, it has been around for some time, probably almost 10 years, but it's beginning to get more traction as more businesses see that there is an exposure. With that traction, more policyholders means there are more claims coming through for the insurers.

What's interesting is it's not always the fact that there are more incidents happening, but more the fact that these businesses now have insurance. So those incidents are covered by insurance, and insurance companies are paying the bill, instead of the business owners absorbing those costs, as they did historically. So with that, the insurers are getting more data, they're getting more information from those losses, and they are then able to work out: okay, what additional information do we need now? How do we understand that exposure a bit more in order to underwrite the risk properly? Which means, how do we calculate the correct premium, and what sort of coverage do we provide to each business based on their own exposures? So then that brings us back to the proposal form, which you've seen coming to you, because that's essentially what we advise as the insurance broker. We say to the business owner: there are some very technical questions in this form, and a lot of them you're probably not going to know the answers to, so we recommend you send them to your IT consultants, who are the ones looking after your firewall protection, your VPN access, the way your backup server is managed, any sort of dual-factor authentication systems you might have in place, those technical questions that a lot of business owners don't understand. So we say, look, don't guess them, because guessing the answers is more detrimental to your business than probably not even having the cover at all. So it's always important that we get the accurate information, so that we can then do our job as a broker and negotiate in the marketplace the appropriate insurance coverage that meets the needs of that particular business, based on what protection they've already got.

During that process, as well, we then look at providing advice and liaising with their IT people around maybe increasing their security measures. And it's a really good starting point to talk about how their business is actually managing its own exposures before they take out the insurance policy in the first place.
Did I answer your question?

Absolutely, yeah, you did. Thank you. I mean, basically, don't wing it. Don't just tick the box, ask the question. For sure. And in the same way, if you're not sure about your current insurance coverage, you ask the question; there's no point living in a state of hope and then, in the event you have to make a claim, finding out that actually you're not covered for that specific thing. You've talked before about there being exclusions placed on policies. What kind of exclusions?

Yeah. So I guess probably a common one is that if you don't have dual-factor authentication, then there are possible limitations in the cover in relation to where third parties can gain access to your system and, you know, hide around in your business and check emails and those sorts of things. So they will put limitations on the cover around that. Or, particularly with banking requirements, if you don't have dual authorisation on banking transactions, they will exclude coverage for financial losses through internet banking transactions.

So that's why, if you answer yes on the form, they'll provide you with the cover. But then when you have a claim and you weren't doing it, they will say, well, you didn't disclose that, or you disclosed incorrectly that you were doing it. It's called non-disclosure, and the insurer has got a right to decline the claim, even though you had the cover in the policy, because you've misled the insurer at the time you took out the policy, and so they're entitled to decline on that basis. It's not dissimilar to a driver not disclosing their driving history when they take out motor vehicle insurance. If they've got a bad history, the insurer is entitled to decline a claim because they were told it was a clean history, when in fact it was not clean at all.

Yeah, right. And it's safe to assume that the insurer, as they would with a driver's history, in the event of a cyber-related claim, will check that the information provided was accurate, that the protections you said were in place were in place?

Sure, most certainly, and particularly as the losses get larger. So if you're talking about a $50,000 claim, then the insurer is going to check all the relevant information around what you disclosed at the time, and then make a decision on that basis as to whether they'll pay the claim. So yeah, it's extremely important that the correct information is put down on the form.

Yeah, absolutely. And you mentioned before that one of the areas of cover with cyber insurance related policies relates to fines and penalties, for example.
But one of the areas I think is not well understood is the legal responsibilities for different types of organisations. As you know, we focus quite heavily with Cyber Heroes on professional service providers. By default, they are handling sensitive, personally identifiable information, and often are operating above the threshold of 3 million Australian dollars turnover, and therefore have stricter requirements around how they handle the protection of that sensitive information. But do you have any general advice for how business owners or managers can better educate themselves? Because I'm guessing that an insurance company or an insurance policy will only support a fine or penalty if it can be shown that you've been compliant, you've taken all the steps, you're compliant with the law and so on. So therefore, it's really important to ensure that you are compliant, correct?

Yeah, that's right. When they're paying fines and penalties, it has to be an unintentional breach of the legislation that they're fining you under. So yes, ensuring that you're up to date with the relevant legislation around data breaches, and ensuring your compliance, is extremely important, not just for your own business but for insurance policy protection as well, at the end of the day. So those people that are holding personally identifiable information do need to make sure that they get their heads around what their obligations are.

And I think you guys at Basecamp have done some good blogs on that particular topic. So I'd probably recommend they reach out to the Basecamp website and have a look at the historical blogs and have a read up on it, because there's some nice information on that.

Yeah, thank you. And we'll certainly put the links to those in the show notes below, wherever you're watching or listening to this.
When it comes to ransomware, a ransomware attack, let's say, because certainly phishing attacks are, at the time of recording, one of the most common forms of attack for gaining access to a company's network, and from there the most prolific actual attack, let's say, is a ransomware attack. With regular business insurance, just to clarify, ransomware-type attacks are not generally covered under normal business insurance?

Yeah, that's correct. So once again, there are a couple of policies where you may think there might be some cover, under what we call fidelity cover, which is around misappropriation of funds, generally internally, with regards to staff theft of money through fraudulent means, those types of things. But when it comes to a cyber hack, where the cyber criminals have got in and they've stolen the money, then the general policies don't cover that. So it's not covered under your ordinary theft or theft of money cover, and it's not covered under any sort of business interruption insurance. And that's why, once again, the cyber insurance policy sits there to cover those types of losses, from the ransomware-type attacks, where they essentially lock up your system and ask for a payout before they release your data. There's also where they gain access to your system and sit within your network and then change the bank account details on your invoices, so that you send your invoices to customers and they're paying the actual payment into the wrong bank account, into the criminal's bank account. So that's another very common type of claim that we see around smaller businesses, because they do affect smaller entities, where there are generally smaller amounts of maybe $20,000 or $30,000. But if you do that three or four times, it can add up to quite a bit.

Absolutely. I mean, sometimes there's a risk that small business owners fall into the trap of thinking, when they hear about cyber attacks like Optus, like Medibank, and all the big ones in the news, that it's something that affects other people. The reality is a huge percentage of day-to-day cyber attacks and cyber crimes are actually targeting small to medium-sized businesses, which is kind of logical when you think about it, because they typically don't have the huge amount of resources that the corporations have to throw at cybersecurity and digital security. They typically don't have the team, they don't have the budget for the team, and therefore are more likely a target. Actually, they're a softer target for the cyber criminals. And as you say, it doesn't have to be a multimillion-dollar attack, it can be $5,000, $10,000, $15,000, $20,000, $50,000, done multiple times. It's very lucrative for cyber criminals. And for a lot of small businesses, those kinds of attacks can hurt, and for some can actually be the end. Not to use fear as a tactic here, it's just a discussion at the end of the day. But you and I know locally there have been examples of $50,000 or $100,000 cyber crimes that have occurred, and for some businesses they can't stomach that; they couldn't suffer that and survive.

That's right.
Go ahead, please. One of the things, and I wonder if it's a misnomer or not, but one of the things that we hear quite often, from a liability perspective and from a protection-of-data perspective as well, is: if they're doing online financial transactions using a service like Stripe, for example, which is one of the most prolific, or using a CRM like MailChimp, where all of the data is actually contained within those platforms, then it's not my responsibility. But the customer in question has provided that information to the business owner, who is then choosing to use the platform. Is it as simple, if you outsource your merchant facilities and your email capabilities, as to say that you're also outsourcing your liability and responsibility?

No, it's not as simple as that. In some cases, it would depend on the SLA agreement that you've got with the host. And this goes through to backup of data as well. So if you're backing up your system on a cloud-hosted platform, I guess firstly ensuring that they do have some type of protection, as well as some sort of guarantee that they'll cover any costs imposed if they were to have a data breach, if the hosts were to be implicated in some sort of hack or data breach. But that doesn't absolve you from your liability, as the customer is still your customer, not the host's customer. So there is still a contractual obligation between you and your customer to ensure that any data you take from them, you are responsibly caring for and keeping secure, whether that's within your own infrastructure or with hosted third parties. So in the first instance, those customers are going to come to you. Alternatively, those third parties that may not be your customer but have had some sort of financial loss because of the way you've handled the data are going to come to you as well. So it's important that, even though you may still be able to recover some costs from the hosts or from the third-party payment platforms, that doesn't mean it's not going to cost you an arm and a leg to try and work through the process. You'll probably need your own legal counsel to work through those things. You will possibly need your own public relations assistance, because the smearing is going to be over your brand name. So there are a lot of components of the policy that are still going to protect you, even though it's not necessarily the case that you're going to cop the bill for the total cost of maybe recovering the data, or any other legal obligations that you might have in the process.

Yeah, absolutely. Not to mention the reputational damage.

Yeah, the reputational damage is covered under the policy with the coverage for public relations expenses. And there's coverage there for a whole raft of different things that assist your business in the event of an incident occurring: access to forensic accountants, forensic IT professionals who can dig into IT systems to try and uncover data. So there are always third-party components to the policy, the IT specialists and professionals or PR specialists, that assist you and your business in the event that you are in a situation where it's going to impact your business through some sort of data breach or hack or whatever it may be.

And that really matters. I mean, statistically, history has shown that around 30% of customers will leave, they become non-customers, because of the loss of trust. And even if you're pointing and saying, well, it wasn't us, it was Stripe, it was MailChimp, just pick your examples that people know, that's not going to wash. And 30%, which is an incredible statistic, isn't it? So imagine, let's call it a third, a third of your customers just leave. I'm not comfortable here anymore, I'll go somewhere else.
And I guess that leads to another point, the fact that a lot of businesses have a disaster recovery plan for a physical catastrophe, a fire or some sort of damage which renders the business inoperable. But a lot of the time they're not factoring their IT components or a cyber threat into that. So I think it's important for businesses to look at the whole cyber threat as just as important a possible disruption to your business, and to have a plan in place: how would you react if your whole system was down, you had a brand-smearing campaign due to a loss of data, those sorts of exposures that your business will have now with these cyber risks? Businesses should be looking at how they respond in the event, because you can have insurance, but you still need to have a plan in place in the event that it occurs, so that you can ensure that that 30% doesn't come to your business, so that you can try and retain as many clients as you can through some sort of strategy that makes sure the customers don't get too offended.

Yeah, absolutely. We certainly have free resources available about how to create your cyber incident response plan, which includes exactly that: disaster recovery, as well as business continuity, which are subtly different things. We'll certainly put the link to that in the show notes. Conscious of time, Brendan,
I mean, the bottom line is, what would you suggest is the best form of protection against cybercrime? You're obviously in the business of providing appropriate insurance policies for your clients, but an insurance policy doesn't provide protection from actually being subjected to attack, does it?

No. And I guess my main advice, whether it's cyber or any insurance, is that prevention is better than insurance. So you can have insurance, but going through an insurance claim is very stressful, it's difficult, it's emotionally taxing. It can break up families if it doesn't go well, certainly, you know, if you have large property losses, those sorts of things. There's a lot of pain and stress that people can feel when they go through a large-loss scenario. So, like with property insurance, where we talk about having sprinklers and fire extinguishers and fire alarms, smoke alarms, all these sorts of things that are preventative measures to ensure that we can try and stop the loss from happening in the first place, it's no different with cyber insurance. I think it's important that businesses really take this seriously in relation to how they manage the protection against these threats, and how they can put in place within their business procedures and systems to help minimise the possibility of something like a cyber hack or some type of cyber crime happening within their business. So as I said at the start, if you're connected to the internet, you should be thinking about preventative measures around how to keep your data safe, how to conserve cash, how to ensure that you've got backups and correct systems in place to ensure that you can survive in the event of an attack, or stop it from happening in the first place. So I think prevention is always the best form, and then the insurance at the back end is, if they do get through and you do suffer financial loss, then you've got the protection at the back end to pay the bills after the unfortunate event has occurred. But that's really what the insurance is there for: to pay for the damage after the event, not to try and prevent it from happening in the first place.

Absolutely, thank you. And I guess we're living in interesting times, aren't we, inasmuch as
at the time of recording this, we've all had the first taste of the democratisation of artificial intelligence in the form of ChatGPT, which seems to be the main platform that's gaining headlines at the moment. And there's no doubt that AI, whilst it can be used for good, and predominantly is used for good, that being its intended use, of course, unfortunately is also accessible to the cyber criminals, who can use it for bad. And that's going to have an impact, you know, as you say, if you're connected to the internet. And that's very real. We talked about phishing attacks; historically, the advice was, well, look for the bad English, look for the spelling mistakes, and so on. Grammarly was already a step in that direction, which is ultimately AI-powered, but I mean, GPT just takes it to a whole new level. So we are revamping, we're updating our training for sure, we're updating our messaging, and talking about how the context of communications that you receive is going to become more and more important: were you expecting to receive that email or message from that person, is it indeed that person, and so on. And as you know, we're not leading with the fear-based approach at all. But we also can't hide from the reality that AI, for as amazing as it is, and it is amazing, will ultimately have an impact on the exponential growth of cyberattacks, as well as the sophistication and the smartness of those attacks, so that detection will become harder and harder.

Yes, it's forever evolving. And so it's becoming one of the primary exposures of not just businesses but even your own household. So I think the old days of being worried about locking the front door in case you got your computer stolen have changed.

So, I mean, being aware of it at the end of the day. As you know, we're not in the business of selling insurance policies, and that's not the purpose of this podcast. But what we are trying to do is raise awareness around these topics, so that business owners and managers can make more informed decisions, and try to erode away this belief from some who just assume that their business insurance covers them for this and it'll be fine, or they tick the box, they're not really sure, but they tick the box to say, yes, we do that, in their business insurance forms. We just want to avoid that. Ultimately, what we're doing is helping people prevent becoming victims of cyber crime. But in the event that someone does become a victim of cybercrime, they've made an informed decision around whether they want to be insured for that. And if they do want to be insured for that, to ensure that they are completing those questionnaires accurately, to avoid the rejection of a claim at the end of the day.

With that said, Brendan, thank you so much for your time today. For sure, we'll be putting all of your various links into the show notes, so people can reach out to you directly, which we would encourage them to do, and we look forward to chatting with you next time.