Cybersecurity Insurance - Too many questions and not enough answers!

Blake B. (00:00)

Check the boxes, do the things cybersecurity insurance forms. Let's talk about them. Welcome back to Brain Bites. I'm Blake Boyd. And joining me, as always, is James Green. James, how are we doing today?

James G. (00:18)

Doing well as always as well.

Blake B. (00:21)

Always as always.

James G. (00:22)

Always as well.

Blake B. (00:23)

Always as well.

James G. (00:23)

Always as well.

Blake B. (00:24)

Great to have you back here again on another episode of Brain Bites. Today we're talking about something that I guess, again, not a lot of people outside of business owners have to deal with, but James and I and my team have to hear it. Becca have to deal with it quite a bit. So today we're talking about cybersecurity insurance, more specifically, cybersecurity liability insurance and the forms that come with them prior to signing a policy document. Right. So one of the things that the client success Department here at Becca does is assist our clients with filling out these forms that come in for cybersecurity liability insurance. And it's basically just a questionnaire from your insurer looking to see what safeguards or what practices you're taking to protect yourself from some sort of cybersecurity event.

James G. (01:14)

Right.

Blake B. (01:15)

And in the past, they were, I guess, loose questionnaires, just kind of they tell us what you're doing.

James G. (01:24)

You have passwords, right? You're good on passwords? All right, cool.

Blake B. (01:28)

I guess what we were seeing is they didn't really make a huge impact on the policy decision from the insurer. It was more just sort of like the exact same stuff they ask you with life insurance or with health insurance. Right. If you want a life insurance policy, you have to do the interview or they're like, hey, do you skydive and juggle machetes?

James G. (01:50)

Do you smoke? How often do you drink? All the different variables in your daily life that could affect your life insurance policy.

Blake B. (01:58)

Right. Because they're trying to determine if you're going to be a high risk, where they're going to have to pay out this life insurance policy more if they're going to have to pay it out sooner than they would expect or if it's a term policy ever at all. Right. So they're trying to gauge whether your business is a high or low risk when it comes to cybersecurity and this kind of thing with auto insurance, you don't necessarily have to do because your driving record speaks for itself. Right. The underwriting of auto insurance, it takes into account a lot of statistics on the particular car you drive, which is why it's more expensive to ensure sports cars versus not sports cars because statistically people drive them faster and get them more crashes. Right. But then your driving record also States whether you get a lot of speeding tickets. If you're in a lot of accidents, there's not necessarily a driving record for companies. Now, it would be great if we could build some sort of, like, crypto record, whether your company gets cryptoed a lot or not. But today doesn't exist. James and I called a patent on that.

Blake B. (02:58)

No one else go invent that yet. So these forms, like I said before, a couple of years ago, they were just kind of loose generalizations of tell us what you do about cybersecurity defense right now. I'd say in the last eight months.

James G. (03:14)

These forms that we're getting are incredibly specific and they range the gamut from file format. Some are still PDF with a few checkboxes, some are Word documents, some are Excel files that you have to fill out.

Blake B. (03:26)

Yeah, that can be very frustrating, but they are incredibly specific when it comes to the questions that they're asking you. We not only get do you have multi factor authentication enabled? Some of these insurers actually have full addendums to the original form for MFA. We have a whole second form and we have to ask questions on and fill out about what MFA policies do you have? Do you have MFA on all external access, on all privileged accounts? Do you have it on nonprivileged accounts?

James G. (03:54)

Internal, external.

Blake B. (03:55)

So many specific questions and we're answering them. And as the providers, as the service providers at Becca, we have to answer them.

James G. (04:06)

Obviously truthfully real quick to that point. Never lie on a cyber security insurance form. Right. I mean, it's period.

Blake B. (04:14)

I would call it worse than lying on a resume. Right. You lie on a resume and you might get a job you're not qualified for and you could fake it till you make it right. You lie on your cyber security liability insurance forms. They write you a policy under the guys, under the assumption that you have these safeguards in place and then you have a cyber security event, you're not going to get insurance to help you at all. Because when they come in to do their forensic analysis and they see that you are compromised because you didn't have MFA on external access and you said you did.

James G. (04:43)

I pay the policy.

Blake B. (04:44)

They're not paying anything for you there.

James G. (04:46)

And I feel like they're starting to understand that a lot of times business owners are thinking about this for the very first time when looking at these forms. So it's not just black and white, not just yes and no. There's the yes, there's the no. And there are some of the forms. No, but these are the steps we're taking or yes, we're thinking about it. Yes, it's going to be implemented, things like that.

Blake B. (05:08)

Yeah, we've seen a couple that have an in progress box that you can check, and then they obviously want some clarification on that. When do you think it'll be done? When you know what all that is. But we've actually started to see insurers deny policies because they didn't like the answers they got. We're starting to see in the industry, in the It industry that insurance agencies are starting to drive the behaviors of companies when it comes to cybersecurity. And thankfully, they do tend to be in line with what Becca and other It service providers out there see as best practices. But it's been very helpful for us because now we're able to start going to our clients and saying, hey, based on the information we saw at these other clients, insurance providers are starting to deny claims or deny policies based on this information. Maybe we need to start focusing on this and we're able to help our clients be ahead of that form when they get it. But it's interesting to see that insurance agencies are starting to deny policies or not even write the policy in the first place based on your answers to these questions.

James G. (06:14)

Yeah. And I think obviously a lot of these forms are getting a little bit beefier, a little more questions based on what has publicly been made public as far as cyber security incidents. If you watch the news, you hear more and more high profile companies that are getting cryptoed or infiltrated somehow. And so it's becoming more of a hot button item. And therefore, insurance companies are saying, oh, we really need to make sure that we're taking proper steps here.

Blake B. (06:47)

Right? Again, the stuff they're asking for isn't super hard stuff to do necessarily. Now, some of it is definitely user impacting and is inconvenient at times and just changes workflows a bit. But what they're asking for is pretty generalized. It best practice, right? Mfa, multi factor authentication on pretty much everything.

James G. (07:14)

Security awareness training, what's your backup look like, what's your continuity plan look like, what's your disaster recovery look like?

Blake B. (07:21)

Password policies, all that kind of stuff.

James G. (07:23)

Yeah. Honestly, these are all foundational items that should be a part of a business, right?

Blake B. (07:30)

Honestly, you go through the brain bites backlog. I think we've done an episode on pretty much everything that a cybersecurity liability insurance due diligence form asks. But again, like I said, it's interesting to see that insurance is starting to drive behavior of companies. And I think this goes into the broader conversation that's happening in the It industry right now. That regulation is definitely coming to it soon. We joke all the time that the person who cuts your hair has to have more state regulation completed than any of our engineers or techs that hold the keys to all of your data. Right. We have the ability to remote into customer servers, and some of our clients are publicly traded firms. We have the ability to remote into their servers and don't technically require any sort of state regulation or state certificate or anything like that. Yet you go to great clips, and the person who's cutting your hair is legally required to have their license displayed, their Cosmetology license displayed before they're allowed to cut your hair, which is just comical in this sense. There's obviously reasons behind that. And it is a much newer industry than Cosmetology.

Blake B. (08:46)

But the fact that insurance, which is a government regulated industry, heavily government regulated industry, is starting to drive behaviors in a non regulated industry. It's starting to show the fact that regulation coming to it is very close to happening.

James G. (09:04)

It's just a matter of time at this point and honestly.

Blake B. (09:07)

It'S probably not a bad thing.

James G. (09:08)

No, not at all.

Blake B. (09:09)

The fact that companies are able to control into your it and have access to it without any sort of formal process. I mean, obviously we have onboarding and processes here to background check employees and we do everything possible to make sure that we're not putting anybody at risk, but having that extra level of oversight is probably not a bad thing. Thank you again for tuning in to this episode of Brain Bites. We hope you learned a little bit and if you do happen to find yourself staring down a cybersecurity liability insurance horribly formatted excel document at any point, we hope that you can refer back to this kind of understand why they're asking for it and then maybe scroll back through the backlog and get some answers as to specifically what some of that stuff is. Thanks.

James G. (09:54)

See you next time.