At the start of Day 2 of NERCOMP 2018, Envision Technology Advisors‘ Todd Knapp talks about Cybersecurity Liability and insurance with John Grise of Worldwide Facilities, LLC.

Todd Knapp: Good morning everybody! It is day 2 here at the NERCOMP Conference 2018 and this morning I ran a panel discussion and it was a ton of fun. We spent about 45 minutes talking about cyber security and risky obligations and cloud. A couple of weeks ago I happened to have my insurer, who is The Egis Group based out of Rhode Island with me, they were in my office. We were talking about the same thing and I thought “Wouldn’t it be awesome to have somebody who actually talks to the insurers directly be part of the panel and give us that kind of view. Look at it through that lens.” And so John Grise is here.  John is from Worldwide Facilities. John tell us what Worldwide Facilities does.

John Grise: Yes Todd, thanks for having me. It was a great time and a great discussion. Worldwide Facilities is a specialty lines wholesaler with 17 offices across the country and we work and distribute our products through strategic business partners like The Egis Group.

TK: Fantastic! So today we were talking about cyber liability and I was coming at it, of course, from the perception of an IT professional and also a business consultant, thinking about liability and risk. And one of the best things about the panel, I thought there was a lot of good debate about where risk really is. You mentioned something called risk aggregation. Explain to everybody what you were talking about there.

JG: So with the Internet of things and the aggregation risks into cloud environments, one of the things we look at in the insurance concept is “Where do all of our limits reside?” So, it’s very possible that we have certain accounts or certain carriers that will insure the Cloud provider and then they will insure thousands of people who utilize that Cloud provider. And when we talk about Data Risk, the regulatory environment is such that if you own the data, which you do as a member of that Cloud environment, you’re responsible. And potentially one breach at that Cloud environment level could ultimately impact not only their limits, but everybody else who’s on that Cloud. And we start looking at how many limits each one of those people have. And at the end of it, it could be something that’s quite possibly more than the ultimate amount of capacity that the insurance company has.

TK: You know what I really took away from it is that when we think, in the IT world, about Risk Mitigation, one of the things that we talk about all the time is “Hey, aren’t we safer at Amazon or at Microsoft because of the resources they have to protect our environment?” And what I took from the panel is that in your world you guys are kind of blind to that.  You guys don’t really see it that way. You look at risk is risk is risk. And it all comes down to what’s my data? How much of my data is vulnerable? And what am I doing overall to protect that? Yes?

JG: Yes. I mean we really have taken the underwriting process and tried to simplify it. So, it looks at the number of records, it looks at how it’s stored in some form of fashion. And it’s great that it’s in the Cloud environment because of the securities and protections that you might not otherwise have. But the risk for us is the same. There’s a presumption that you’re going to have minimum standards anyway. And, from an underwriting level, it almost doesn’t really matter whether you’re in the Cloud or in hosted services.

TK: I was talking to Roy Finkelman from The Egis Group. And Roy was asking me, we were talking about what Envision is doing, he was asking me about some of those things. And I then asked him, you know, do all insurers look for the same things when they’re deciding whether or not to underwrite a company like Envision or one of my clients? What are your thoughts on that?

JG: I think that if we can standardize it’s useful but at the end of the day the insurance marketplace for data security is so ultra competitive that there are so many markets out there, so much capacity. The upside to the number of transactions expected to be 25 billion in the next 5 to 10 years, from the current premium values of 2 billion. People really started to grade their underwriting process to try to grab market share. So, as much as we still like to say the risk mitigation is so important. It’s not necessarily a crucial underwriting component today.

TK: Wow!

JG: It’s not to say that it won’t be. But it’s really not a major consideration.

TK: So, it’s a land grab for 25 billion in market share

JG: Yeah. And honestly, we would expect to see, as the losses pile up, it will change and evolve, but right now, it’s new, it’s exciting and it’s a land grab.  

TK: So one of the things that was a big eye-opener for me in my conversation with Roy was when we were talking about if you’re an organization that stores, for example, credit card information and you had 5,000 credit card numbers on your system and you had a compromise, it’s possible that some insurers might look at each credit card number as its own unique incident. Is that true or false?

JG: No, that is definitely true. And even to the point where you could have one incident, like a breach of your system that would compromise credit cards and bring in PCI, which is a contractual obligation. It could have regulatory implications on the liability section. And then you certainly have breach response services, which are a proactive coverage, once you discover it, of forensics, notification, credit monitoring. And, in a lot of policies, will even have additional limits or additional retentions applied for each one of those triggers.

We really focus on best in quality, best practices and we’ve reviewed a variety of the forms. It’s not an exciting business as you can imagine. But, we review the forms to make sure that those are the things you don’t get caught in because there are no two policies written the same.

TK: I got news for you. Everybody thinks their business is not an exciting business, right? I go home and start talking to my wife about IT and she is awesome but I always wonder in her head if she’s like “This is the most boring thing in the world”.

So, thinking about those individual incidents that we were talking about earlier, what really hit home for me with that was the notion that, hey, if you have a $50,000 deductible per incident and you had insured that you looked at every card as its own incident you might potentially have 2,000 incidents with a $50,000 deductible. Is there any way to actually protect against all of that stuff? Or is it a ‘do the best you can with what you’ve got’?

JG: No.  I think there is a way. It’s so important in, obviously with technology and the purchasing of online products – It’s quick, it’s easy and it’s simple. But you don’t have the appreciation of the language.  So, when you engage an insurance professional like The Egis Group, you can really offer the consultation, right. And I think that’s what it is. Whether you buy the coverage or you don’t buy the coverage, making an informed business decision is one of the most important things.

TK: So, I kind of suspected that I knew what the answer would be but I thought it was important for everybody to hear this. This is why, I’m a guy who owns and runs a technology company, I don’t buy my policies online. I don’t do that for this exact reason, because I want to talk to guys like John who are gonna tell me things that I might not otherwise know. And it’s my local carrier, Roy over at The Egis Group that connected me. I still think there’s some things that you just, especially in risk mitigation and cyber liability, that you just can’t outsource to the Internet solely. You need good advice. Good guidance.

JG: I think more importantly to insurance, as much as we’re insuring new technology, it’s a very old business. And relationships are really fundamentally important in advocating on behalf of your client is something that you can’t really do through email, you have to pick up your phone and talk to people.

TK: Well, John. I can’t thank you enough for taking the time to talk to me today. If you guys want to learn more about this kind of stuff, talk to Roy. Talk to somebody like Roy. But if you wanna talk to Roy, you can find him at www.egisgroup.com. And if you want to of learn more about your organization, what’s the website for a consultant?

JG: Website is www.wwfi.com

TK: www. wwfi.com. Alright. Well, John, thanks again.

JG: Thank you. Take care.