Is Insurance Cyber Security’s Missing Piece?
Episode Summary
Adam is joined by Andrew Brett from Infosure Insurance to help Australian SMBs navigate cyber insurance and risk mitigation strategies. Learn more about the logic of combined effort to ensure your risks are managed effectively and your financial losses are covered.
Highlights
- Introduction
- Why do businesses need cyber insurance?
- What's the uptake of cyber insurance for SMBs in Australia currently?
- Where would you see the insurance part fitting into the incident response plan?
- Are you seeing a difference in risk profile between different sectors?
- What is the main obstacle or hurdle as to why these businesses aren't prioritising cyber insurance?
- What should businesses be looking out for in terms of cyber insurance policies?
- What does an insurer look out for [in terms of a company's cyber security posture]?
- What do you see the next year looking like? Trends? Predictions?
Transcript
Introduction
Adam Cliffe: Only 15% of Australian small and medium businesses currently have a cyber insurance policy. On today's episode of ADITS Unplugged, I was joined by Andrew Brett, the director of Infosure Insurance. We discussed the common misconceptions and traps to avoid, and key factors when reviewing policies. We also shared some real-life examples and whether and how businesses can bounce back from a cyber incident. I really hope you enjoy this episode as much as I did. Now let's dive into it.
[music]
Why do businesses need cyber insurance?
Adam Cliffe: Look, I'll just get into it straight away. Like, you know, why do businesses even need cyber insurance? And, you know, what's the uptake of cyber insurance for small and medium businesses in Australia currently?
Andrew Brett: So, the major reason a business should have cyber insurance is the same premise as any other type of insurance that they carry. So, if you look at a traditional property policy, you know, when you have something happen to your property, you need professionals to come in and rectify that or bring you back to where you were before.
And just sort of like everything, those professionals, they’re not free, but they also have specialised expertise where they do this every day. So, there are usually panellists, members of insurance companies, that this isn't a once-off event for them. It’s what they do every single day, and they come in, just like we all do in whatever profession we choose and this is just a normal day for them. It’s not a normal day for you, but it's a normal day for them.
So, the major thing I've been bringing up with companies as we move into this, more awareness around having a cyber incident plan. So, we're moving into the territory or the realm of business ownership in 2024 where people are saying, “Well, you're going to need to have a plan, what's called an incident response plan.”
So, you need to understand that, you might have a cyber incident and you actually need to know what you're going to do. As much as it's not a nice conversation, it's a lot easier to sort of give it the old “she’ll be right”, the Australian way. But I'm pushing back on those incident response plans, saying, “You need to have a separate column for what are these things going to cost.”
You know, if it’s a live incident, you might need a white hat hacker, which in layman's terms is just an ethical hacker who's hacking on your behalf, and that might be to defend against the live hack or, in some cases, to re-hack the hacker. If you get a really good one and start, you know, getting on the front foot, but if it's been a hit and run, they're already gone. They've done it. It becomes a digital crime scene. So, then we move into – well, you need a digital forensics analysis to go in and, actually, like a true physical detective, would go in and look at the crime scene and work out, “Right. This is what's happened. I'm going to make my report because you've had a crime.”
So again, that's the first two things I would suggest you're going to need, whether you have cyber insurance or not. So, let's take a minute. You’re going to need this anyway. I'm just saying to you that these guys could cost $400, $500 an hour. And they are true professionals, true specialists. They do quite fairly, like everyone in life that's studied and gotten a skill. They charge you for their time and they are in high demand.
You know, I know people don’t want to talk about it. But there's a lot of cyber incidents going on in Australia and they are not sitting on the couch waiting for a phone call. So, they're not going to drop their prices for you if you tell them, “I didn’t know this is expensive.” They have the skills. You need them, and so we start – if we use the insurance or the incident response plan and we attribute it to insurance, as in what insurance can pay for – you start calculating those costs and you very quickly or businesses very quickly, like most insurance, look at the cost versus the premium they're going to pay and go right, “Is this value for our business?”
What's the uptake of cyber insurance for SMBs in Australia currently?
Andrew Brett: Now, to answer the second half of that question, at the moment, SME businesses in Australia, less than 15% take out cyber insurance. So, you have an 85% gap of businesses that currently do not have any financial assistance. And that's what I put it down to. It's the financial assistance.
So, you can speak to anyone and get those services so you could go out. But the one thing that none of these services, and you, unless you've got it, can produce the capital or the financial assistance to pay for them, and that is any type of insurance, whether it's property, motor vehicle, that we’re all aware of. You’re trading a bit of premium for a promise – a promise to pay.
Where would you see the insurance part fitting into the incident response plan?
Adam Cliffe: Yes. You mentioned about the incident response plan, and, you know, having, like, more of a holistic sort of approach to this. So, where would you actually see the insurance part fitting into that incident response plan? Would that be, like, purely reactive? And is it to actually pay for the, sort of like, you know, deep forensic or, you know, incident response people, you know these high level specialists. Is that kind of where it's at, or is it is there any sort of like proactive element towards it as well?
Andrew Brett: So, again, this will come down to who you partner with, the insurer you partner with, and it will come down to paying, putting it bluntly, the insurance professional you choose to engage and how many specialists they know. So, there's some cyber insurance policies that it's literally just sort of transactional relationship. There's your piece of paper and we'll come to you if you need it from us, all the way up to the insurance partners at the other end, which, will they actively throughout the policy period, will assist you with the, you know, education content. They can do vulnerability scans, to advise you, “Okay, so we’ve picked up something in our ecosystem. We want to let you or your MSP know this is out there.” They actively, and it may sound kind of mature, but it's not because you really don't want to have a cyber incident, that even though they've given you that promise to pay for the incident, they're really actively trying to stop you from having one in the first place.
So, whilst they are never going to, they're never going to replace your MSP or your need for a cyber security team, depending on the size of the company, they are trying to sort of provide that additional layer of assistance, or they're getting more involved and essentially waiting for you to call them.
Are you seeing a difference in risk profile between different sectors?
Adam Cliffe: Yeah, okay. So, on that, are you seeing a difference in risk profile between different sectors, like, you know, say for example, medical versus your typical professional services, and how insurance treats that?
Andrew Brett: Yes. So, there's a few things to look at. I mean, some professionals in Australia or anywhere in the world really are more regulated than others. They have a lot more stringent parameters in how they can operate and what, you know, essentially what they do, how they conduct their business, what they touch, you know, what they choose to engage in.
So, you know, I'll be completely honest, the average Infosure client at the moment is probably a lawyer or an accountant. We have health and medical professionals. These businesses tend to understand more, and that's around, just, I guess they're more aware of the requirements or commitments to what they do as a business and they are probably more around.
When I go and talk to a business, we really need to do a blueprint of: (A) How much technology do you rely on every day? and (B) How big would taking away that technology be? So, you look at one incident, let’s say DDoS or, for those out there, it's, you know, a Distributed Denial of Service attack. And that's just me essentially flooding you, your track, flooding your computer system so much so that you, yourself can't get into it. So, I'm just, it's a very effective way for me to shut down, you know, say your whole staff, right? Your whole staff in one CRM. You know, they all use one software, piece of software. And then all of a sudden, they can't use it anymore. You really need to look at it and go, right, well, either you find them really quickly, pay them, and we have 60% of our business runs on, I guess you talked about tax services and you know, they use 60% of our business could be taken away tomorrow, and you might have someone on the other end of the line saying to you “Give me a million bucks or a bitcoin or through whatever I'm asking for.” You’re looking at that but that goes, you probably touched on it, goes into also with cyber insurances. You know, that's one of those instances that I talked about where you need a white hat hacker, you need an ethical hacker to come in and start going, “Right, you know, let's go. I'm now going to try and hack the hacker and stop this DDoS.” And that might be the portion of your client, it’s just to pay for that team, and you might have three ethical hackers. The other thing is you don’t know what you don’t know. You don't know what the actual hacks they’re going to require until someone has triaged it, assessed it, and go, “Right, this is what we’re going to need.”
Adam Cliffe: Yeah. So, like some type of mediation services or whatever. So, yeah, it could involve many, many people across many different teams. Yeah.
What is the main obstacle or hurdle as to why these businesses aren't prioritising cyber insurance?
Adam Cliffe: I wanted to go back just quickly, just around that 15% uptake in cyber insurance and like, that is that is a massive gap in the SMB market in terms of customers that don't have cyber insurance. To me, that's quite surprising. I thought it would be a lot higher than that. What are you seeing as the main sort of obstacle or hurdle as to why these businesses aren't either prioritising it or seeing it as a necessity?
Andrew Brett: Yeah, so first of all, I can validate you there. So, there was a recent parliamentary inquiry around cyber that actually quoted one conversation around cyber insurance and they were also shocked at the uptake. The person involved in that particular parliamentary inquiry used the number at 10% to 12%. So, I used 15%. I'll round it up, happy to do that, but there's a few answers to that, I believe. I mean the attitude in Australia, and I'll be completely blunt, around cybersecurity is also not that high. You know, you just take the Medicare details that come out and say they're spending $0.10 per customer on cybersecurity.
Adam Cliffe: And they didn't even have any insurance. So, you know, they cancelled their insurance. So that says it all, doesn't it?
Andrew Brett: Correct, and you're looking at, you know, someone put it this way and said, when you're spending 0.14% of the revenue, you take off a customer, just to protect their data that they have given you and paid for. That reveals the whole problem with cybersecurity, is that no one is investing, reinvesting to protect, and the saddest part is, okay, so let's say they spent 10 cents per customer. If they had a little thing, a tick box on your invoice of, you know, let's say it’s, I know what mine is. It’s in the hundreds of dollars, could be in thousands. You know, a little tick box that said, “Hey, for an extra dollar, we will up the whole cybersecurity thing you’re in 10 times.” Most of them do, but that's sad. Why should we pay more? Who would?
So that's, it's not, you know, I find them interesting, those ones, because, yeah, they're good for public exposure. But your average SME business goes, “Well, that's not me. No one's going to target me.” But the majority of cyber incidents in Australia are in SME businesses, which makes that sort of thing scary.
Now let's go back to why I don't think they're purchasing. That's another, I'm pretty passionate on this one because I'm not coming from the point of someone who owns a business, trying to just wave my little flag around and say that I think everyone else is doing it wrong. So, you come to me. I was in general insurance for eight years. Every single day, I did what I'm talking about. Now, I could do anything between five to seven different policies for a business. You know, you’re looking at traditional property, liability, management liability, professional indemnity, commercial motor, and you might do their personal homes, their personal cars. We talk about time. I only do cyber insurance now. That's all I do all day, right, and I still can't keep up with what I need to know. So, I look at what I did for eight years. I never touched cyber insurance for eight years. If I had a conversation with a client, it was very shallow, very, and again it’s going on a lot right now. It's very sort of like, “Oh, you know, there's this new thing called cyber insurance. What does it cover? It covers hacks. It pays ransoms.” That's about the depth of the conversation I've had.
Now, we've also got a situation where I'm dealing with five to seven other of their policies. So, whether I even get time to bring up cyber insurance because they're asking me to make midterm endorsements with a new car or a new building. We've made a change. So, I'm actually already extremely time poor, and you can look this up. Very rarely will a general insurance broker in Australia have a specialist cyber insurance broker in there within their brokerage or someone that is just focusing on cyber insurance. So, you sort of have a situation where everyone's doing the general stuff and it's sort of an onus on everyone. Well, if you want to go learn cyber, go learn.
So, the bit that I'm passionate on is, I genuinely don't think the 85% of people that don't have cyber insurance are making educated decisions or making, I guess, to not be so blunt, informed decisions. They're not getting the information, and they go, right, “Well, that has absolutely no value to my business, so I'm going to pass on that one.” I just don't think they understand what's available and you know it's, you know, I don't want to talk about sort of what shocked me, but in general insurance we might have 15%, 20% new business strike rate. I'm operating over 60%. It's around 67%. So, the data is telling me I'm three times more successful than I was when I was in general insurance and that is purely because most of my conversations are education. I don't come in and start tearing apart an existing policy. I don't come in and start looking for cracks in an original broker's program that's already in place. My biggest competitor, in fact, in the last year of owning Infosure, was non-purchase. My biggest competitor is that they just don't purchase anything and the educational piece I've been following is purely because I'll just explain to them the options. "This is what you get in the policy. This is the kind of exposure you're going to have.” These are the kind of, and I'll use the word “clarity”, because when you have a cyber insurance policy, you really have an incident response plan on retainer. So, we talk about having these services and I said before, they're not sitting on the couch waiting for you. If you don't have them on retainer or you haven't engaged them. If you're cold calling a lot of these services, you're going to struggle to get them because they're so busy, that you know if you get one that's, and also you know, I compare cyber insurance to a missing persons case. The first 24 hours is crucial. 
So, if you're spending the first hour or two just trying to find someone to help you, you're losing time, and so I talk about the importance of having to have it already there. If you don't, even if you don't have a cyber insurance policy, that's fine, it's your problem. You literally should be having all these services on retainer, or at least have a relationship with them already, because you're going to need them, and I think we've passed the point of head in the sand with whatever happened to us, and if we're not, that's another conversation. But you sort of, what I'm saying, and I'm an advocate for MSP cybersecurity relationships existing is, you already need to be having these conversations, regardless of whether you call me. You already should be planning for a cyber incident. It's just when you talk to me, I'm going to say, right, well, you're going to get these services on retainer because the insurance company uses them every day. So, they're already your priority. You're a priority of someone who doesn't have insurance, but then also, they're going to pick up the tab on you because that's part of the promise and as long as you get the right insurance policy, I will say that, you do have to get the right carrier, you are going to get, you know, the process is going to look like as soon as you call that number, which they run 24-7. They operate on a follow-the-sun approach, so they have offices so that you get someone fresh. You’re going to get someone at two in the morning, so they usually run one in Australia, one in Europe, one in America. So whatever time you call them, they've got someone fresh. It's 10 am there. They're fresh as they've had their morning coffee. They're ready to go, and then if it goes to their close off time, they can move you to the next country, which is not getting passed around. You're just getting they all know the notes. They're all very highly organised because of the area they work in.
You're getting passed through on a 24-7 basis. Now again, going back to my original point. I don't know how long it's going to take you to find those services and or get those services to help you, because you're not the first person who's calling.
Adam Cliffe: Yeah, exactly. You're absolutely scrambling.
Andrew Brett: To make an analogy of it, you're not scrambling in a beautiful air-conditioned office. You're scrambling in the ring with Mike Tyson. You're getting beat up because every phone's calling, the computers are flashing. Just remember, your employees too, they are going to go, “What the hell is going on? I don't have any access to my system. I have work.” Your clients are calling. “Hey, mate, I asked you for this three hours ago. You haven't sent it through to me. Also, I'm emailing you an email bouncing back saying I can't get through.” So, all these things are going on. And if you don't believe me, there's a guy who does simulated cyber incident attacks. He said, “Look, 5-10 years ago, everything I did was terrorism.” So, he does a simulation. He gets actors, because now majority of my work is cyber incidents and he goes, “The average CEO taps out in three hours.” And I say tap out, like they are going sweating, “I can't stand the stress anymore. It's too stressful.” They simulate everything, and so I guess, when you go back to that, why aren't people purchasing? I just don't think they understand. They're not being told what's going to happen.
Adam Cliffe: So, it's an education piece, really.
Andrew Brett: It's a complete education piece, Adam. I'm not going around saying, you know, freely state every cyber insurance policy. I don't even need to get to that point, because once I explain to you what the incident's going to look like, also explain to you that even if you don't purchase a cyber insurance policy, you need to go get these services anyway. You need to make sure, and if you don't, then you're going to have a very bad time.
I'm not going to use scare tactics of you going insolvent, because I think I don't need to. You may or you may not. There's no point in me inducing fear for that reason. I'm just explaining to people how you need to respond to these incidents and how it is going to be hard. And if you don't think it's hard, go call a lawyer right now or go find a digital forensics company and call them up and say, “Hey, if I needed to get you to come out or start working on my account within half an hour.” I mean, in cyber insurance you should usually be triaged in five minutes, so yeah, it's again, I'm not trying to create hysteria.
Adam Cliffe: Look, I have very similar thoughts and experiences to you. You know, what I'm seeing a lot is, you know, businesses are just blindly piggybacking off the existing insurance, you know, whether it's the general business and that, like, we're seeing the forms come through. It's the same insurer as what they've got their business, you know, PI, PL, all those types of stuff. So, I'm yet to see some, you know, apart from yourself and I and a couple others, I'm yet to see some very specialist cyber.
What should businesses be looking out for in terms of cyber insurance policies?
Adam Cliffe: But I did want to ask you, you know, on the topic of promises and policies and the right policy, what should they actually be looking out for in terms of the policy? Like, is there stuff in there that policies aren't covering?
Andrew Brett: So, I'll give you a very, very good example. I think this will just sum it up perfectly. Of the 15% that have a cyber insurance policy, I've had a few come across my desk and one of them, so what will happen is cyber insurance, first of all, is not like any other liability. Well, sorry, it's a bit like private professional indemnity, but if you look at a traditional public liability, it'll say 20 million dollars should any one event, and that means that if you have six claims in your policy period, you get $20 million each time.
Cyber insurance policies are set up as an aggregate, what's called an aggregate limit. So that means you get one bucket. Whatever limit you place, you have five incidents during the year, you get the same bucket. It also means the majority of the time, all your services come out of the same bucket. That's the big, sexy number. That's the big, beautiful number that every policy is going to go. That's your number. Then you've got a thing called sub-limits, which isn't that foreign to most insurance policies, but they're the ones in cyber that I don't think, given the premise of the insurance, and I'll use this analogy: No matter who you are in Australia, you know what a building is, you know what a car is, you know what the premise of legal liability is. How many people in Australia can talk in IT language? Because I can tell you that's about you know 5% to 10% max.
So, you're already dealing, you're already on the back foot, you're already dealing with a product that even if you like, Adam, you could go talk about something about property insurance, because you know the premise of a fire, you know the premise of, you know, property damage. It's pretty simple. But if I went to a standard business owner and someone said, “Okay, well, you know we're going to have to talk about, you know IT language.” Jeez, it's up there with public speaking.
Adam Cliffe: Well, they do that or they refer it back to, you know, organisations like us, you know, where they go, “Hey, MSP, please help. Like, what do we put for this?”
And I think where I'm seeing, you know, those policies and I definitely have seen the global, the overall figure, aggregate figure and then the sub-limits and for some of the sub-limits that I've seen, a lot of them are actually quite small for things like, you know, data breach and around that, sensitive and personally identifiable information, and there's a lot of grey area in the wording of these policies and, to be honest, you almost need to be a lawyer to decipher what is actually covered and what's not covered. It's very confusing.
Andrew Brett: Yeah, you're not far off there, because in insurance policy most people maybe don't respect that. It's a legal document. It's a contract. I say to people, “Once you have a claim, that's the contract you've got, that's the one you're in. It doesn't matter if it's unfair, that's the one you entered into.”
Now I'll give you two examples of what you just said about or what I can tell you, maybe the listeners, about what to look out for. I got one on my desk the other day. He had a three million dollar aggregate limit. Real beauty, it's great. Yeah, page three, social engineering fraud sub-limit: $25,000 with a $5,000 excess. Now, I guarantee you, and I didn't get this far because it was actually a broker that sent it to me and said what do you think of this? And I said “Well, I don't know if you've ever seen the biggest red flag in the world, but you've got one in your hand.” I said, “This is a client who, I guarantee, thinks they have $3 million for a cyber incident. They are going to get a very rude shock when they get told that not even $25,000, they have $20,000 for social engineering fraud.” I can also tell you because it wasn't his policy. So, he was attacking it, and I speak to some, general brokers want to speak to me, I don't have a problem. As long as they do it the right way, I'm happy to help. So, I said to him, “Mate, I can guarantee you that client has no idea they have 20 grand of social engineering fraud after excess.”
Adam Cliffe: Considering that's one of the biggest attack vectors, you know, out there. You know, the social engineering and stuff like that. So, the fact that, you know, out of that $3 million bucket, only $25,000 is…
Andrew Brett: And the scariest part was that was a brokerage-placed policy. So, that is not even a business that went direct to an insurer where the onus should be on the business owner. That was through a brokerage, that's through an insurance broker who's taken the money. Let's be honest, they've taken the money to place the policy, and they have a $3 million promise with a $20,000 limit. And that is probably the one example, let's leave that for a business to stew on, is that, just because you've got a policy doesn't mean you have coverage. You know, it's the same as, I guess in cyber security MSP land. Compliant does not mean covered or compliant does not mean…
Adam Cliffe: …does not equal security. That’s the same mantra I stand by as well.
Andrew Brett: It’s the same in my world. Just because you've got a policy, which only 15% do, it doesn't mean you have coverage, because that contract will dictate, as you said, of your $3 million, you only get $20,000 for social engineering fraud. And that's where the attitudes may be around the negativity of cyber insurance, because I think so many people in my world are transacting it and not advising on it. There's a lot of bad policies out there and a lot of the claims, you know, look, don't get me wrong. The game of insurance, and that's why I exist, is the insurance company wants to take as much premium as they can and pay out as little coverage as they can. That's the game.
Don't hate the player, don't hate the game. So, people employ me or any broker to play the game. They go, “Right, I'm trying to run my business. I sell grain and feed, I sell pool toys. You're the one that needs to help me out.” And I just don't think that's happening in cyber because there's not enough awareness from both sides, the broking side and the business side, around what is right, what is wrong. But that's a great example. Look at your sub-limits. Remember that your coverage limit at the top doesn't mean what sub-limit or coverage you're going to get for that specific cover. And also remember that whatever coverage you take is what you're going to have to deal with in a claim and for the rest of that year.
So, the second one I'll say, and this is a little bit more of a non-obvious one, is a lot of insurers have different coverages when it comes to what they will and won't cover. Probably the biggest one I've seen is a lot of coverages, they limit a cyber incident to happening in your system, so the business system or their cloud provider. Now, that excludes coverage if the cyber incident stemmed from your lawyer, so I hate to pick on them, but HWL, for example, there were a few people that had cyber incidents because they went through HWL systems and they went through all the way through to that business and, theoretically, that cyber incident, even though the company suffered from it, didn't stem from their system; that stemmed from their lawyer. Now, the coverage didn't cover it because it wasn't in their wording.
Adam Cliffe: Is it just narrowed to the lawyer or is it more of a supply chain?
Andrew Brett: No, no, no, yeah, the lawyer is just one example. It's basically saying anything outside of your system or your cloud provider – any other service, your accountant, your lawyer, anything like that – if they have a cyber incident and they get through the back door through to your business, some of the policy wordings will say, “Well, no, it's not.” What they'll say, “You need to go sue that person.”
Now I don't know about you, but most people I know know a lawyer. A lawyer will tell you, “Mate, that might take 6 to 12 months to get in front of a justice system or get to progress that.” So, until that happens, you're still going to have to defend your cyber incident. It's all good and well to say that, but what the other insurance companies are doing is saying, look, we'll take like, mate. So okay, for example, someone rearends you in a car accident. Even though you're not at fault, most of the time you pay your excess, and your insurance company will sort it out. But then, once that's done, they'll go recover from the other person and then they'll refund. You know, go off your claims history and you get your excess refunded. That's not to say that you're being helped out in that situation. Yeah, you pay the excess, but that's only because insurance can't guarantee they can recover off the other person. They might not have insurance, they might not be in a position to do that. So, they take the excess. But they’ll still say, “We'll give you the loan car. We'll fix your 50 grand car. We'll help you out.” At least you don't have to stress. But then we'll go sue them. The insurance company will sue them in our time after. That's the big one inside that I think a lot of people aren't seeing is that unless you have a coverage wording that will cover outside of the system or cloud, because the cloud's obvious, everyone's smartened up on that and you know cloud's going to be included. But you know sneaky, I guess, if it comes from your lawyer or accountant, if they come through the back door, it's not our incident. You've got to go sue them. That's your problem. You know lawyer up, it's not going to help the business. That could still, I don't want to be, again, I don't fearmonger but I had a really good analogy said to me. The difference between solvent and insolvent after a cyber incident could be the cyber insurance policy because it may crush you. 
You know, not all businesses have 100 grand, 200 grand, you know, even 50 grand cash reserves to put straight into a cyber incident. Some businesses are running lean, they're running lean you know.
Adam Cliffe: Yeah, and I think there's a stat from the SME ombudsman that I think 60% of businesses don't even recover after a cyber-attack. So, it'd be interesting to know, out of those 60% that don't come back, how many of them had cyber insurance, and I think it'd be a…
Andrew Brett: We know 15% of all SMEs are covered, so…
Adam Cliffe: Yeah, it'd be almost zero, I think.
Andrew Brett: Yeah, and there's other things to touch on. With cyber insurance, what I don't think people understand is that everyone in their property insurance has what's called “business interruption”. Most do, but they use it for tangible stuff. So, it's like, right, so you have fire, you have flood, you have property damage, right? You know, things like that. That is, and it used to be a bit ambiguous, but there was a case in America where an insurer got stung for hundreds of millions of dollars because they didn't wrap it up. All of those now have a cyber exclusion. It's basically saying anything to do with cyber, not this policy.
So, I think what I've sort of explained to businesses, you already understand the premise of business interruption. You've got it. You don't have cover for cyber. Now, let's do a little calculation work here. How much of your business revenues derive from your cyber activity? How much of your business needs? If I did a DDoS, the Distributed Denial of Service attack, and took down that CRM, if that's 60% of your revenues derived from that, however long I keep that thing denied, you don't have any money coming in. So, you might have three contracts worth $200,000 each. Well, you can't deliver them to the client. The client says, “I'm not paying for them, you haven't done anything.”
So now you're sitting there with someone's DDoS on your software system, and they're sitting there going, “Oh, $1 million on one, you know one, 55 Bitcoin.” So, you've got that. You don't have the money coming in from the contracts. And then you've also got 10 to 15 employees going, “Excuse me, my mortgage is due. I want my money. Excuse me. It's payday, hello!” And all of a sudden, you're like, “Oh, my God, I've got this trying situation. I need to pay someone a lot of money, the hacker. I need to pay my employees, but I also, I don't have any money coming in the door.”
And so, when you talk about cash reserves, how long do you have? Don't even think about if you can do it once. What about if this thing lasts two or three months? Yeah, can you withstand not having money coming in because you're not delivering a service to your clients and they're not going to pay you. Then you've got to pay your employees or else you've got a real problem. And then you've got this person who is like, “I've got time, I've got more, plenty of time,” you know, the hackers. “I've got plenty of time. I'm happy to keep your business down.”
Adam Cliffe: Yeah, the average dwell time too, you know, within a customer's environment, is astronomical, like they'll sit there and play the long game.
Andrew Brett: And this circles back to the educational piece. All you and I have done today, and I hope you have a lot of business owners that listen to this podcast, is we're just educating people. We're just letting them know what's, you know what's out there and what could happen to them, and I think that is priceless in what's happening currently. I think a lot of them haven't got a clue, not to their fault, just because they don't have the advice or they don't have someone speaking to them.
What does an insurer look out for [in terms of a company's cyber security posture]?
Adam Cliffe: Yeah, and I think the insurance game too, has been a very close field and, like there's actually one question, I really want to ask you about it and I suspect I'll know the answer, but I'm going to ask you anyway. And that's like, if you had two very similar businesses, you know that came to you wanting cyber insurance and, let's just say, one had done a lot of work on their cyber, like they'd partnered with a really good MSP or MSSP that aligned with a good framework, whether that be NIST, Essential Eight, SMB 1001, whatever it is, and they came to you and they said look, “As part of our cyber strategy, we understand that we need cyber insurance. You know, go out and get us some options.” And then on the flip side, say you have another company, similar industry. They've done nothing but they've come to you, you know, saying the same thing, but they've got no framework. They've got no strategy. They've done nothing. They're at a bare bones. Like, what does an insurer look out for? Like, do they take that into consideration?
Andrew Brett: A hundred percent. So, we're in a stage with insurance, not just cyber, at the moment, you speak to any insurance professional. We're in a hard market. So, insurance companies are not as, think about it like this, Adam: It's like a nightclub. The security comes at the moment acting like a bouncer. They're very, the club's almost full capacity, so they're very restrictive on who they let in. They've got great people in the club. They're spending money. They've got the turnover. They already know who's in there. So, we're in a market that, there's hard markets and there's soft markets. Soft markets are the insurers that are literally banging on your door going, “Come on, guys, come in please. No one in the club.” We're in a hard market. So, we're already in a situation where insurance brokers' jobs, no matter what insurance you place. We need to package that insurance risk up for a client and sell the heck out of it to the insurance company and say, “You really need this client. This is a really good client.”
So, going to your example, if they have a client that's done nothing, well I personally won't even work with them, and that is in the sense that if you're not, if you want, I'll push them back into, say, their MSP or their cybersecurity team, or I'll identify a few things I might, either you're not listening to your MSP, which is usually the case, to be perfectly honest, and that's why I'm an MSP partner and a cybersecurity advocate, because they are so important for it to help me, because I'm trying to package a really good risk, and I'll say, “You need to go back and you know what, that's where your money should be spent.” Or if they have, like I said, a decent risk, then we'll actually and this goes back to two things what one insurance provider you choose to submit them to, and also what broker they're working with. Now, it's like everything. If you can't understand what's good and bad, then again this goes back to how many people can understand IT language. How do you present it to the insurer? So, if I'm doing a business owner and they've got monitored CCTV and they've got monitored smoke, so monitored fire alarm is going back to a fully automated office that as soon as it triggers, they call the fire engine.
If I don't identify that or don't ask the question as an insurance broker and I tell the insurance company they just have a non-monitored fire alarm. I saw something on the roof that looked like it was a fire alarm. I haven't asked the question. I haven't identified that. It's monitored back to base, fully dialled. It's going to trigger the thing. The insurance company will give me a worse premium so they can only go off the information that the insurance broker has packaged up and given to them. They don't go and check themselves. So, I say the same thing.
There's actually three levels to your answers. One, if you've got nothing, I won't even work with you. I'm not being negative, I'm saying come back. It's almost like pushing back the MSP cyber security. I'll come back if you need, but this is the kind of stuff we need to do minimum, minimum, minimum standards. Now, if you want to look at what those are, small examples, MFA across where an MFA needs to be. A lot of the time, you know, if you have remote workers, remote access, you're dialling in, you're remote, your server, you don't have an MFA on that, you're not going to get past the first step. If you don't have an offline backup, so completely offline to your system, your network, you're probably also in a lot of trouble.
Then the middle part is the people are doing well and they might go to a general broker and the general broker, you know, gets the MSP to fill out the prop. But apart from that, the general broker's like I don't actually, there you go, hands it to the insurance company. I actually don't. That's kind of what I've got.
And then you've got the specialist who goes right, you know, they have this, they have this. They have SentinelOne and CrowdStrike, not WebRoot, and that’s not saying, I'm just saying WebRoot's $2 a seat, SentinelOne and CrowdStrike's $7. They have invested an extra $5 per seat for their environment. You know, they've got BitLocker. They've got the Duo Push MFA. You're now starting to really, you know, you're putting some bones in this.
Adam Cliffe: Putting some tangible things around it.
Andrew Brett: You're right, Mr Insurer, or Mrs Insurer. This is exactly what we want to do. Well then, now you're actually a broker. Now you're an adviser. Now you're knuckling down, whereas you know, yeah, that part, I think, is very, very rare in the Australian market. That's probably too high level, even. We're not even at that point, once we get to a 30% 40% uptake of cyber insurance, we can start talking about the actual quality of that. I think we're so far back here where most people don't even understand their options. Business owners don't understand their options in cyber insurance and actually, you know, if we want to talk, I can't tell you how much premium is going to be, but I'll give you an example. I wrote a finance company, pretty good practices, we bundled it up, they got a million dollars’ worth of coverage, and they paid, actually they got two million. Yeah, that's the other thing I stress to people, the difference between a million, two million won't be, won't be as much premium as you think it is yeah, so we actually, when we started at one, I said look, the extra two, I think it was like $600, $700 for an extra million. I said, look, even if you had a million and $10,000 claims, you're still $9,300 ahead. And that's the other thing. I'm not an audit taker, I will tell you. So, they got $2 million aggregate limit and I think they paid $4,000, that $4,500, $4,000. So, let's do the math, for them. I mean, what's that? Every 10 years they're paying $40,000 to $45,000. They've got $2 million promise. Now I will explain some sub-limits. So, we go back to the social engineering fraud. They got a $250,000 sublimit, but I will explain that. And that is not 20 grand, but it's also not 2 million. You will not get $2 million social engineering forward. It's just not the way it's going to work. But they get 250 grand. But I will ask them like.
Is there any situation where you think that would affect you? Now, sometimes, and I'm not a magician, I can't push an insurer to do something I won't do. So, we do have to play in the space we have. But 250 grand is market leading. That's not going to be, you know, I won't because I'll get held up to this, but I can put my life on it. That $3 million policy with $20,000 settlement didn't even know that there was a sub-limit. They just, “There's your $3 million. I'll take my commissions.” Real beauty. I'll have that conversation with them and say, look, this is market leading, so it is the best of the best. You're not going to get $2 million for social engineering fraud, not going to happen, that's just…
Adam Cliffe: But $250,000 is, you know, it's pretty respectable, especially from what I've seen in recent months. I've seen a lot less than that.
Andrew Brett: Yeah, and that's the whole point. Is that, even just that one supplement? If you look at the $4.5 grand premium, even just for that $250 grand, let's take it down even a step there. What's that? That's 60 years of premium if you had one full $250 grand claim.
So, when I talk about value, because that's the other, thing, you know I'm wary of time, but we're talking. It gets thrown around a lot. “Oh, cyber insurance is too expensive. There's no value in it.” No, there's no value in what you know of cyber insurance. What you know of what it does and the premium, guarantee you, I think there's no value in it either. But once you actually understand, and if you're partnering with the right insurer, once you, I know I'm biased, but insurance, man, it's such an unfair exchange. Even look at your traditional property insurance. Most people will do a $2 million building and they'll pay $3,000 premium. Look at that promise. That's a promise. And if you've got the right policy, it is a promise. That's a legal binding contract. You're going to pay about $2 million in a worst-case scenario and you've only got $3,000 off it.
But that goes back to the major problem with cyber insurance is when you have a 15% uptake. The premise of insurance is that everyone in Australia pays their premium and whoever needs it at that one time gets their payout. And that's how it works. We all put in a little so that someone in Australia who had a really bad day can get their payout, and the insurance company will hang around because they're getting, they reinvest premiums for interest rate. You know, they get money after investing all that money at the same time, super fund. They're investing it. They're making money off it, but they're also they've got so much pool of premium that they're willing to pay out your $1 million here, your $1 million there. As we know, the floods in Queensland and New South Wales, hailstorms, they paid $10 billion out there over the last decade. That's fine, but when you actually look at the issue of cyber insurance only having 15% premium pool, it means that insurers are more receptive to a claim because they're like, “We don't have as much premium, they're pulling premium out of other lines. Oh shit, we've got to use our property premium. We've got to use all this premium to pay out these claims.” So, unless Australian businesses support each other, I'll get, you know, it's cliche, but support each other. If you all buy the policy, you'll all get the chance to claim on it if you need it. At the moment, it’s becoming, it’s actually quite hard, so people who are the 15% doing it are probably more susceptible to swings, like higher premium increases one year, the insurer is pulling back cover because they have such a minimum scarcity of premium from the premium they get in, that they’re addressing in different vision to property liability management because they got so much premium in that pool.
So, it really, you know, biasedly, “Yeah, cool, I'm going to do more cyber insurance if you guys buy, if businesses buy more policies.” But it's like the whole ecosystem needs more premium. It really does, and that, in a way, is that Australian businesses need more education from us. People like Infosure and that's why I started Infosure because, like I said, this is my ninth year in insurance. I've learned more about cyber insurance in the last year than I did in the whole eight years before. I couldn't have educated a client on cyber insurance before at all. They would have, and you know what? To be honest with my workload, if they gave me a quick pushback and said, “Oh no, it's not for us.” I'd say, “It's fine, it's cool, it's fine.” Because I don't even know what, I don't have a passionate enough case and I think that's, I'm not having a dig at general brokers. I know I'm provocative on LinkedIn. For anyone listening, go check me out, Andrew Brett. You'll see the way I conduct myself. I’m not having a dig at general brokers. I'm addressing the problem that's out in Australia at the moment and if people don't want to accept that problem, then I'll keep pushing.
What do you see the next year looking like? Trends? Predictions?
Adam Cliffe: Yep. So okay, with all that said and done, just before we wrap up, you know, new financial year. What do you see the next year looking like? Trends? Predictions? The floor is yours.
Andrew Brett: So, I can already tell you the major one. There’s a lot more business tenders or new business tenders requiring a cyber insurance certificate. So traditionally, most businesses will understand that we have public liability when we do a contract with a new supplier. I’m seeing a lot more lines underneath public liability saying we also want a cyber insurance certificate. So, I wouldn’t be surprised if more companies over the next 12 months come to me or whoever they use, and again, that opens up a whole new can of worms with, as I said, about, what advice you're going to get. It's going to be taken out of their hands. They're going to need to get something in place before they can initiate a new contract.
Adam Cliffe: Are you saying that just like government specifically, or is that in a certain industry?
Andrew Brett: It's either, you're right. The person asking for the certificate is usually more mature. Yeah, but your average five business $2 million, $1 million, $500,000 turnover still might do a small section of government contract. They might provide some subcontracting services, but you'll also, I'm also seeing it at a higher and more mature ASX listed company. They might only derive $40,000 or $50,000 of their whole revenue from that one contract. But that contract says and it's still a valuable contract, it says you need to give us a cyber insurance certificate and, to be quite frank, it's a test. The way I see it is, if that company testing you and saying look, don't get me wrong, not everyone can get cyber insurance at the moment, as we said before, if you don't have minimum standards or you're not doing anything around your cyber security. Cyber insurance is not a band-aid for crap cyber security posture and I'm very passionate on that. It's not to be used in that way. So, it's a good way for a business to test and go right, “Well, if you couldn't get cyber insurance, gee, you're a real risk to us.”
And they're using it in that way. It's the same sort of thing as public liability. If you, if you don't pass the insurer's test then you don't pass ours.
The second one, not as big as that, is I do think the government is now aware of the problem around cyber insurance. That parliamentary inquiry came out and, basically, I've read it and it said, they were like, “Wow, what do you mean it's 12% uptake?” They were a bit like most things, no offence to the government, but they weren't over it, they just weren't. They weren't aware of how bad the problem was. And I think this was only about four or five months ago. They're now aware, they're very well aware that not many businesses are purchasing cyber insurance and they're so far, with their 2023 to 2030 cyber security goal, they're very aware of how much change is going to happen in the cyber security landscape, that they're realising how important cyber insurance is going to be to that because, like everything, you know, you might have a fancy incident response plan, but if you're not aware of how you're going to pay for it, then you've still got the same problem, you know.
Adam Cliffe: Yeah, exactly. All right, mate. Well, thank you so much for joining us today on ADITS Unplugged. Really appreciate your time and your insights. Thank you!
Andrew Brett: Perfect, thanks!