S3 EP 05 Insured or Exposed? The Truth About Cyber Insurance in 2025

Show Notes

Cyber insurance has evolved—have you kept up?

In this episode, we reconnect with Joseph Cook from The Arizona Group for an in-depth look at how cyber liability insurance has changed over the past two years. From rising claim costs to policy exclusions and shifting underwriting standards, we unpack what business leaders need to know to stay covered—and stay ahead.

We dive into:

• How cyber insurance conversations have shifted since 2023
• Why many businesses still misunderstand what’s actually covered
• The growing list of requirements and what insurers expect in 2025
• The fine print: exclusions, clauses, and claims timing
• How to align your cybersecurity posture with your policy terms

Whether you're renewing soon or reconsidering your entire strategy, this episode serves as your crash course in navigating today’s cyber insurance.

Podcast Video One Step Secure IT - YouTube
Learn about our services  https://www.onestepsecureit.com/

Host by: 
Scott Kreisberg - CEO & Founder of One Step

Produced by One Step Secure IT

----
LinkedIn:
https://www.linkedin.com/company/onestepsecureit/mycompany/

Facebook:
https://www.facebook.com/OneStepSecureIT

Twitter:
https://twitter.com/onestepsecureit

Chapters

• 0:56: How has the conversation around cyber liability insurance evolved over the past two years?
• 3:44: Have businesses become more proactive in integrating cybersecurity measures with their insurance policies, or are they still playing catch-up?
• 6:00: What are the biggest misconceptions businesses still have about cyber insurance in 2025?
• 8:58: Have the terms and conditions of cyber insurance policies shifted in response to the rising costs of cyber claims?
• 11:36: Have new coverage options or limitations emerged as a result of evolving cyber threats (e.g., ransomware, data breaches, supply chain attacks)?
• 15:40: What do businesses need to know about policy exclusions or clauses that have become more prevalent in the current insurance environment?
• 18:30: If something happens, does it matter how quickly you submit a claim?
• 19:45: When it comes to cyber insurance in 2025, what should businesses know about changes to coverage limits and exclusions?
• 21:54: Are businesses facing more requirements now when applying for cyber liability coverage?
• 23:21: Are there any coverage exclusions that might catch businesses off guard in 2025?
• 25:18: With cyber threats evolving, how often should businesses be reassessing their cyber insurance policies and cybersecurity posture?

Transcript

00:00:00 [Speaker 1]
Cyber liability insurance has changed a lot in the past two years.
00:00:03 [Speaker 1]
In this episode, we welcome back Joseph Cook, who's a cyber liability insurance expert from the Arizona group.
00:00:09 [Speaker 1]
So if you're looking for a straightforward update on the state of cyber insurance today, this episode breaks down how we got here and what businesses need to know moving forward.
00:00:21 [Speaker 1]
Joseph first joined us in season one, and since then, the cybersecurity insurance industry has evolved a lot.
00:00:30 [Speaker 1]
My job?

00:00:31 [Speaker 1]
It's gonna be to break it all down in a clear nonsense way so you know exactly what matters for you and your business.
00:00:38 [Speaker 1]
Now welcome back, Joseph.
00:00:39 [Speaker 1]
It's great to have you on the show, and I look forward to learning what has changed these past two years.

00:00:47 [Speaker 2]
Thanks, Scott.
00:00:48 [Speaker 2]
Appreciate being here.

00:00:49 [Speaker 1]
Yeah.
00:00:49 [Speaker 1]
I know.
00:00:50 [Speaker 1]
It's always great to see you.
00:00:51 [Speaker 1]
Yeah.
00:00:52 [Speaker 1]
Let's just dive right in.

00:00:53 [Speaker 1]
So, has the conversation around cyber liability insurance evolved over these past two years?

00:01:01 [Speaker 2]
So so, yes, it's changed quite a bit.
00:01:03 [Speaker 2]
You you've seen a lot of activity in terms of of reinsurance, dollars either giving more capacity to existing carriers or new carriers entering the space.
00:01:14 [Speaker 2]
So, overall, the cyber liability market has actually softened right now.
00:01:18 [Speaker 2]
And when I say soften, I mean, either there's been a reduction in in base rates or potentially on your renewal, you're actually seeing a reduction, on a year over year basis.
00:01:27 [Speaker 2]
So unlike most areas of insurance, that's that's good news.

00:01:31 [Speaker 2]
Right?
00:01:31 [Speaker 2]
Property remains hard.
00:01:33 [Speaker 2]
Auto remains hard.
00:01:34 [Speaker 2]
But cyber is soft right now.

00:01:37 [Speaker 1]
So we need to kind of explain what what do you mean by reinsurance?
00:01:41 [Speaker 1]
And and then is soft meaning downward pressure?
00:01:44 [Speaker 1]
Or Yeah.
00:01:46 [Speaker 1]
Yeah.
00:01:46 [Speaker 1]
So reinsurance,

00:01:48 [Speaker 2]
silly as it sounds, insurance carriers buy insurance on the insurance that they sell, and that's called reinsurance.
00:01:53 [Speaker 2]
So just like, you as a customer may buy an insurance policy and that policy has a set of terms and conditions, When insurance carriers buy reinsurance, they have what's called a reinsurance treaty, and that also has a set of terms and conditions.
00:02:06 [Speaker 2]
So as things have evolved in the cyber liability marketplace, there's been enough of a positive change that reinsurance carriers are either investing more dollars into, the existing carrier contracts they have or treaties that they have and or are onboarding or entertaining new contracts with new cyber liability insurance providers.
00:02:26 [Speaker 2]
Wow.
00:02:26 [Speaker 2]
So the this influx of of dollars from reinsurance carriers ultimately lessens liability at a direct basis to the insurance carrier, which means they're gonna get more aggressive.

00:02:37 [Speaker 2]
Right?
00:02:37 [Speaker 2]
So they're going to either, a, open up terms and conditions, b, they're gonna reduce pricing, c, they're going to offer their product to more classes or industries, or, d, any combination of the above.
00:02:51 [Speaker 2]
So when I say soft, I mean, there's more appetite for it, and pricing is is more advantageous.
00:02:56 [Speaker 2]
Right?

00:02:57 [Speaker 1]
That's incredible.
00:02:58 [Speaker 1]
That's incredible.
00:02:59 [Speaker 1]
Yeah.
00:03:00 [Speaker 1]
Because, I just had to renew my, my my auto home, you know, all these different policies.
00:03:06 [Speaker 1]
And I I think I'd be gracious to say they went up only 20%.

00:03:10 [Speaker 1]
I think they went up significantly more.
00:03:12 [Speaker 1]
I probably need you to quote those out.

00:03:14 [Speaker 2]
We we can talk about that offline, but, yes, that's a that's a different experience.
00:03:18 [Speaker 2]
Right?
00:03:18 [Speaker 2]
So many areas of insurance right now are what we would call hardening or or have remained hard, meaning there's less appetite for it and premiums are going up.
00:03:27 [Speaker 2]
Whereas cyber is one of the few areas, particular to commercial insurance, where it's actually soft.
00:03:32 [Speaker 2]
So there's more appetite and premiums are going down.

00:03:34 [Speaker 1]
Right.
00:03:35 [Speaker 1]
And, you know, as certain areas of the country have fires or something like that, that's going to probably decrease appetite.
00:03:42 [Speaker 1]
Right?
00:03:43 [Speaker 1]
So, you know, in your opinion, have have businesses become, more proactive in, integrating cybersecurity measures with their insurance policies, or are they still sort of playing, catch up?
00:03:56 [Speaker 1]
It it's a little

00:03:57 [Speaker 2]
bit of both.
00:03:57 [Speaker 2]
Right?
00:03:58 [Speaker 2]
I I certainly think that if you were to look at, you know, the overall hardening of environments, pre COVID, post COVID, they are better now than they were pre COVID.
00:04:07 [Speaker 2]
I think, you you would probably agree that as everybody went to work from home during COVID, that you you had a lot of exposure created where there was many small, medium, even large enterprises that were just not set up from a cybersecurity standpoint to manage that kind of work from home approach.
00:04:24 [Speaker 2]
Over the last five years, I think there's been a pretty good, effort by most entities to harden their their cybersecurity environment in some way.

00:04:32 [Speaker 2]
Right?
00:04:33 [Speaker 2]
And holistically, I think we're in a better place now than we were before.
00:04:37 [Speaker 2]
I I think the challenge, of course, is is the challenge that will always remain in your space, which is it's an ever evolving attack vector.
00:04:45 [Speaker 2]
It's an ever evolving marketplace of as a service for ransomware or fraud or whatever it may be.
00:04:51 [Speaker 2]
Right.

00:04:52 [Speaker 2]
So so how do you how do you keep up with that dynamic environment from from a cybersecurity perspective?
00:04:58 [Speaker 2]
Right?
00:04:59 [Speaker 2]
And that that's a couple of things in my opinion.
00:05:01 [Speaker 2]
One, you you know, the answers aren't permanent, so you have to learn how to ask good questions.
00:05:05 [Speaker 2]
Two, you have to have a real relationship with your cybersecurity provider.

00:05:09 [Speaker 2]
And if you don't have a cybersecurity provider, you you probably need one at this point.
00:05:13 [Speaker 2]
Right?
00:05:14 [Speaker 2]
There's an ongoing closed feedback loop where you need to constantly be reassessing and then readdress.

00:05:21 [Speaker 1]
It.
00:05:21 [Speaker 1]
Yeah.
00:05:22 [Speaker 1]
It's still it's still from from our perspective, from a general cybersecurity perspective, it's still mostly an uphill battle.
00:05:30 [Speaker 1]
Definitely, there is more, willingness for owners to have this conversation.
00:05:37 [Speaker 1]
But for the most part, most people think they're fine.

00:05:42 [Speaker 1]
So, I kinda have this analogy with health.
00:05:45 [Speaker 1]
You know?
00:05:45 [Speaker 1]
Like, I don't feel bad, so I must be healthy.
00:05:47 [Speaker 1]
Could be identified and and resolved, if if they were to, let's say, get an annual physical or something like that.
00:05:55 [Speaker 1]
But, but, yeah, definitely, their willingness to have the conversation has improved.

00:06:01 [Speaker 1]
But, you know, so what are, what would you say are some of the biggest misconceptions businesses still have about cyber liability insurance in 2025, if any?

00:06:12 [Speaker 2]
Yeah.
00:06:12 [Speaker 2]
I'm gonna I'm gonna tie back to the last question because I think there's a salient point there.
00:06:16 [Speaker 2]
You know, one of the biggest misconceptions that people still have is that outsource outsourcing products or services is outsourcing liability, and that's not necessarily specific to cybersecurity.
00:06:26 [Speaker 2]
It it's really a general operational business perspective.
00:06:29 [Speaker 2]
But I'm sure you've heard retorts of, well, it's in the cloud, so it's not my problem, or PayPal processes my my payment, so it's not my problem.

00:06:38 [Speaker 2]
You know, I'm sure if you look at the contract, PayPal is not agreeing to make you whole if there's a problem with a a payment that they process.
00:06:45 [Speaker 2]
If you look at the contract with Microsoft because you use Azure, Microsoft is not gonna make you whole if there's an issue with the cloud.
00:06:54 [Speaker 2]
Never mind, you you know, regulation as it relates to state laws or, you know, GDPR or whatever it may be.
00:07:00 [Speaker 2]
Right?
00:07:00 [Speaker 2]
So Right.

00:07:01 [Speaker 2]
I think there's a general misunderstanding that just because you outsource a product or service, you've outsourced the liability, and that's just fundamentally untrue.
00:07:08 [Speaker 2]
Right?
00:07:09 [Speaker 2]
100%.
00:07:10 [Speaker 2]
As it relates to cyber liability insurance specifically, I I think the biggest misconception is that all products are still created equal.
00:07:19 [Speaker 2]
So so let's just chase the bottom line premium, and that also is fundamentally untrue.

00:07:24 [Speaker 2]
There's a wide variance in product spectrum.
00:07:27 [Speaker 2]
There's a wide variance in what product may be relevant to your business size or business type.
00:07:32 [Speaker 2]
So so these folks that are just seeking out the the lowest premium they can possibly find may be exposed in ways they they don't understand.

00:07:42 [Speaker 1]
Yep.
00:07:42 [Speaker 1]
So true.
00:07:43 [Speaker 1]
Same in our industry.
00:07:44 [Speaker 1]
Exactly.
00:07:45 [Speaker 1]
It must must be a pretty universal thing, and, but, I think it's very critical here that, they they really do understand those terms and the and the conditions, not just the the price.

00:08:00 [Speaker 1]
When I tell you that that we recently, you know, had to do this for our personal insurance, I I was very cognizant.
00:08:11 [Speaker 1]
Like, you know, there one of the insurance companies was much cheaper on on on the on the auto, the same on home, but significantly cheaper on another component, maybe an umbrella policy or something like that.
00:08:24 [Speaker 1]
Mhmm.
00:08:25 [Speaker 1]
But then when we dove into each policy, you know, each respective policy and you see what those things are that they include or don't include, it makes all the difference in the world.
00:08:35 [Speaker 1]
So

00:08:37 [Speaker 2]
Yeah.
00:08:37 [Speaker 2]
Absolutely.
00:08:38 [Speaker 2]
You you know, I I think that there's no better time than now with the market being soft from a premium perspective to try to lock in good terms and conditions.
00:08:47 [Speaker 2]
Right?
00:08:47 [Speaker 2]
So so prices are good across the board with most carriers at this point.

00:08:51 [Speaker 2]
It's probably the best time you could take the opportunity to explore a better set of terms and conditions when everything's low at this point.

00:08:58 [Speaker 1]
So yeah.
00:08:59 [Speaker 1]
And that there's still music to my ears.
00:09:00 [Speaker 1]
So so with, the cyber policies actually having, a a a moment of of competition in this regard, are insurance companies experiencing, rising cost in this particular area or or what?
00:09:16 [Speaker 1]
Like, what what's driving that, competitive, openness to taking on these claims?
00:09:23 [Speaker 1]
Because last year or two years ago, certainly, when we spoke, it wasn't that way.

00:09:27 [Speaker 2]
Yeah.
00:09:27 [Speaker 2]
There there's a variety of things.
00:09:29 [Speaker 2]
Again, the the reinsurance reinvestment is is huge because that takes direct, you know, balance sheet risk off of the insurance carriers.
00:09:37 [Speaker 2]
But beyond that okay.
00:09:39 [Speaker 2]
The the, you know, the the true underwriting has entered the picture, which has allowed them to, you know, identify better risks from worse risks to give better pricing to better risks, to give, you know, more accurate or reflective pricing of the risk to worse risks.

00:09:55 [Speaker 2]
I mean, we

00:09:55 [Speaker 1]
Would it be like sorry.
00:09:56 [Speaker 1]
Like, maturity of those market?

00:09:59 [Speaker 2]
Yes.
00:10:00 [Speaker 2]
Yeah.
00:10:00 [Speaker 2]
The the market is maturing away from an artificial process, away from a a inelegant or lack of underwriting process to a real underwriting process.
00:10:09 [Speaker 2]
You've got a lot of activity as it relates to value added services that are coming into the picture.
00:10:16 [Speaker 2]
Right?

00:10:16 [Speaker 2]
So so much like, if you had an older insurance product, say, you know, general liability or employment practices, where carriers would have national or regional agreements with good companies to be response teams or even preclaim assistance teams as it relates to a potential claim scenario, you're seeing that develop in cyber as well.
00:10:37 [Speaker 2]
Right?
00:10:37 [Speaker 2]
So you've got contracted forensic IT firms regionally or nationally.
00:10:41 [Speaker 2]
You've got contracted, penetration test companies regionally or nationally.
00:10:45 [Speaker 2]
They're all now being inclusive on a fully subsidized or partially subsidized basis through your cyber liability insurance carrier, which is helping them harden their their client base, their book from a cybersecurity posture perspective, which, of course, decreases their risk.

00:11:00 [Speaker 2]
Right?
00:11:01 [Speaker 2]
The the biggest, you know, vector right now is is push payment fraud, funds transfer fraud, invoice manipulation, all your cybercrime type areas.
00:11:13 [Speaker 2]
80% of businesses experience that in some form or fashion in 2024 in The United States.

00:11:19 [Speaker 1]
Yep.
00:11:19 [Speaker 1]
Yep.
00:11:20 [Speaker 1]
Absolutely.
00:11:20 [Speaker 1]
Yep.
00:11:21 [Speaker 1]
That's the that one and, you know, any kind of fishing, which is probably in in the same category that you're talking.

00:11:27 [Speaker 2]
Correct.
00:11:27 [Speaker 2]
Yep.
00:11:28 [Speaker 2]
Social engineering is also in in in cybercrime.
00:11:31 [Speaker 2]
But there's there's good news on that front as well, which I'll save for a later question.

00:11:35 [Speaker 1]
Sounds good.
00:11:36 [Speaker 1]
So this one here is a little bit, you know, I I, you know, I was thinking about this question, last night, and, most people probably have had, experience with a claim, with with an insurance company regardless medical.
00:11:51 [Speaker 1]
Right?
00:11:51 [Speaker 1]
We all have medical and all that.
00:11:54 [Speaker 1]
Yeah.

00:11:54 [Speaker 1]
But when it comes to this type of insurance, if a claim is made, and I don't I might not word this the best way, but if a claim is made for, you know, a cyber issue, an event, what effort will the insurance companies typically, make to make sure that any policy requirements where you've checked off boxes, you've signed, you know, that you've, you know, met the this criteria.
00:12:25 [Speaker 1]
An event occurs and the insurance company is contacted.
00:12:29 [Speaker 1]
And, are they going to now, like, send somebody in, like you said, a forensic person as well as somebody that's gonna go, here's what they agreed to.
00:12:39 [Speaker 1]
Can you Sure.
00:12:40 [Speaker 1]
Make sure that these all really are in?

00:12:42 [Speaker 1]
Because if they're not, here's what we might do.

00:12:45 [Speaker 2]
Yeah.
00:12:46 [Speaker 2]
I'm a restate it just for the benefit of the listeners.
00:12:48 [Speaker 2]
Right?

00:12:49 [Speaker 1]
Okay.

00:12:49 [Speaker 2]
So so, essentially, you're saying, you know, I, as a customer, maybe filled out an application to apply for a cyber liability insurance policy.
00:12:57 [Speaker 2]
In that application, I said I had certain cybersecurity controls and x amount of records, and I spent so much on IT, so on and so forth.
00:13:04 [Speaker 2]
And I signed it, and then I bought a policy based on that application.
00:13:09 [Speaker 2]
In the event I have a claim, how does the carrier treat the information in the application against the management of my claim?
00:13:16 [Speaker 2]
Right?

00:13:17 [Speaker 1]
Yep.

00:13:17 [Speaker 2]
Okay.
00:13:18 [Speaker 2]
So, that that's not a secret.
00:13:22 [Speaker 2]
It's published within each policy.
00:13:24 [Speaker 2]
Right?
00:13:25 [Speaker 2]
And and what you're looking for is called the representations or warranties clause.

00:13:29 [Speaker 2]
Different carriers name it differently, but it's the same clause.
00:13:32 [Speaker 2]
So, essentially, within that portion of your policy, and this is always in every policy that's ever existed, cyber liability or otherwise, The insurance carrier states how they feel about the information they collected from you, how they applied that to underwriting, and what their position is at time of claim regarding that information.
00:13:52 [Speaker 2]
So this is what I'm talking about as it relates to not all policies are equal.
00:13:57 [Speaker 2]
There's a carrier in existence that has innocent nondisclosure as their representation or warranties clause.
00:14:03 [Speaker 2]
That's the most favorable to the customer that there can be.

00:14:06 [Speaker 2]
So innocent nondisclosure effectively reads as, unless we can prove that you were reckless and deliberate in your misrepresentation and knowing in that recklessness or deliberation that it would harm us, we cannot seek to deny your claim.
00:14:25 [Speaker 2]
That's pretty favorable to you.
00:14:27 [Speaker 2]
You they have to be able to show a causal link from your misrepresentation that that allowed them to or allowed them to determine that you knew they would be harmed by that misrepresentation.
00:14:39 [Speaker 2]
So in the absence of doing that, they cannot seek to deny your claim.
00:14:42 [Speaker 2]
That's very favorable to you.

00:14:44 [Speaker 2]
Right?
00:14:45 [Speaker 2]
Conversely, you could have a representation or warranty clause that reads something to the effect of, we took your application.
00:14:53 [Speaker 2]
We took any emails we received from you and or your agent.
00:14:56 [Speaker 2]
And if any of that information happens to be inaccurate, we can void your policy ab initio, so add inception, and return you your premium, and we have no duty to defend you or pay any claim on your

00:15:09 [Speaker 1]
behalf.
00:15:09 [Speaker 1]
So that's the other stream.

00:15:10 [Speaker 2]
Yes.
00:15:11 [Speaker 2]
So so very wide spectrum.
00:15:13 [Speaker 2]
Right?
00:15:13 [Speaker 2]
So when we talk about, you you know, how they're gonna manage that, it's not a secret.
00:15:17 [Speaker 2]
It's right there in your reps and warranties clause.

00:15:19 [Speaker 2]
And if you have an agent that does this for a living, they'll know what those reps and warranties clauses are by carriers, and they'll be keeping track of them.
00:15:26 [Speaker 2]
And they'll be driving you towards products that have better reps and warranties clauses because with the the risk being so dynamic, that that is a key component of your policy language.

00:15:36 [Speaker 1]
And and so from your experience, do you see insurance companies, making or do they just abide by what those conditions are?
00:15:51 [Speaker 1]
Is what you're seeing?
00:15:52 [Speaker 1]
Or even if you had one of the more, stricter ones, are they, like do they work with their their their clients, or do they just pretty much go you you said you had two FA.
00:16:05 [Speaker 1]
We don't see two FA, two factor authentication.
00:16:07 [Speaker 1]
Your policy is void.

00:16:08 [Speaker 1]
Here's your premium back.

00:16:10 [Speaker 2]
Yeah.
00:16:10 [Speaker 2]
So so, you know, first off, insurance is extremely regulated.
00:16:14 [Speaker 2]
Right?
00:16:14 [Speaker 2]
So so if they have policy language that they have to, that they built in, they they do have to abide by that.
00:16:20 [Speaker 2]
Okay.

00:16:21 [Speaker 2]
And there there certainly is, you know, the opportunity for some gray area.
00:16:25 [Speaker 2]
So so one of the challenges of insurance legal legalese is that it's often not affirmative.
00:16:31 [Speaker 2]
Right?
00:16:31 [Speaker 2]
That there there's some level of interpretation there.
00:16:36 [Speaker 2]
Most of the carriers that that you're gonna work with, particularly any carriers that we would represent, a rated carriers, are certainly going to try to be flexible.

00:16:44 [Speaker 2]
So if you represented that you had MFA and it turns out maybe you had MFA in some places, but on all the places that you thought you had it, they're gonna try to work with you on that.
00:16:57 [Speaker 2]
There's only been one case since cyber liability has been a hot button issue where it was taken to court on a lack of MFA, and and the carrier did receive the favorable ruling to decline the claim.
00:17:11 [Speaker 2]
But that's one case out of thousands and tens of thousands of claims.
00:17:15 [Speaker 2]
Right?
00:17:16 [Speaker 2]
So it's certainly not the the the precedence or what's to be expected.

00:17:20 [Speaker 2]
That was a pretty egregious case, on behalf of the the small manufacturing company in the Midwest They'd indicated that they had MFA fully deployed and and enabled, and they didn't have it anywhere, much less fully deployed and enabled.
00:17:33 [Speaker 2]
But, yes, they're they're very agreeable to working with you within the confines of the policy language that they're regulated by.

00:17:39 [Speaker 1]
So it's it's so it is vital.
00:17:41 [Speaker 1]
You you really do need to, know I think this section pretty is just as important as what your limits might be.
00:17:47 [Speaker 1]
But, it's more important.
00:17:50 [Speaker 1]
Right?
00:17:50 [Speaker 1]
So Okay.

00:17:51 [Speaker 2]
One of one of the things that we often talk to folks about is is, look, limits are important and you do wanna right size them.
00:17:59 [Speaker 2]
But if you can't access your limit, your limit doesn't matter.
00:18:02 [Speaker 2]
Right?
00:18:03 [Speaker 2]
So so if someone wanted to sell you a billion dollar limit on an insurance policy, they could, and they just exclude everything.
00:18:10 [Speaker 2]
So it looks shiny on a piece of paper, but you'll never get to that money versus if you had a million dollar limit, maybe that's a lower limit than than is right size for you.

00:18:20 [Speaker 2]
But if you can actually access it, a million dollars might get you somewhere or keep you operating.
00:18:25 [Speaker 2]
Right?

00:18:25 [Speaker 1]
Yep.
00:18:25 [Speaker 1]
So, yes, limit is important, but the ability to access limit is probably even more important.
00:18:32 [Speaker 1]
Yeah.
00:18:32 [Speaker 1]
And so have you seen you've obviously seen claims come through over the Mhmm.
00:18:38 [Speaker 1]
Real quick site question here is is for our audience, I think it would be, interesting for them is, if an event occurs in which you feel you're going to reach out to your insurance company, so let's say you're the person that sold it, they reach out to you.

00:18:56 [Speaker 1]
Do do the insurance companies, are they fast?

00:19:01 [Speaker 2]
Helping?
00:19:02 [Speaker 2]
Yes.
00:19:03 [Speaker 2]
And particularly in this arena be because of the dynamic nature of the risk, because of, you you know, how the the risk will unfold.
00:19:12 [Speaker 2]
Think of a ransomware event.
00:19:13 [Speaker 2]
Right?

00:19:14 [Speaker 2]
Timing is is so critical in being able to potentially evict and recover and being able to negotiate on the ransomware, or anything in between, you know, partial recovery with negotiation, all these different things.
00:19:29 [Speaker 2]
So timing is critical.
00:19:31 [Speaker 2]
So so, yes.
00:19:31 [Speaker 2]
Right?
00:19:32 [Speaker 2]
They have a vested interest in being timely because not only are they protecting you, but they're also protecting the claims dollars they may have to pay out on your behalf.

00:19:42 [Speaker 2]
So they're definitely timely.

00:19:44 [Speaker 1]
Okay.
00:19:44 [Speaker 1]
Cool.
00:19:44 [Speaker 1]
That's great.
00:19:46 [Speaker 1]
Alright.
00:19:46 [Speaker 1]
Well, let's let's move on.

00:19:47 [Speaker 1]
So, we've talked about, the the different changes, so far in in these type of policies.
00:19:53 [Speaker 1]
Are has there been any, changes to the limitations or options that they're involve, that they're offering today because of maybe the current threat landscape?

00:20:05 [Speaker 2]
Sure.
00:20:05 [Speaker 2]
Again, with the market softening, a lot of the changes are positive.
00:20:09 [Speaker 2]
Right?
00:20:09 [Speaker 2]
There are expansions on coverage, things of that nature.
00:20:12 [Speaker 2]
So, we we talked about, you know, social engineering.

00:20:15 [Speaker 2]
We talked about funds transfer fraud, invoice manipulation, all these types of things.
00:20:19 [Speaker 2]
Those fall into the bucket of cybercrime.
00:20:21 [Speaker 2]
Right.
00:20:21 [Speaker 2]
So on on a traditional policy, you'll see cybercrime limits be somewhere between a 100,000 and 250,000 in limit.
00:20:28 [Speaker 2]
And in some cases, depending on what your product is, you may be able to buy more than that on a primary basis, but in some cases, you may not.

00:20:35 [Speaker 2]
There's now a whole subsector of of the market that's that's produced itself for excess cybercrime.
00:20:41 [Speaker 2]
So let's say, you're an operational business and you move money.
00:20:46 [Speaker 2]
So maybe you're an accounting firm.
00:20:48 [Speaker 2]
Right?
00:20:49 [Speaker 2]
Maybe you're just a larger entity that has large bills to pay or or, you know, vendors you work with that you transact money frequently.

00:20:57 [Speaker 2]
You can now buy specific limit just over the cybercrime.
00:21:01 [Speaker 2]
So if you're okay with a million dollars first party and a million dollars third party, but you're not okay with 250,000 in cybercrime, you can go get $2.50 over $2.50.
00:21:10 [Speaker 2]
You can get 500 over $2.50.
00:21:13 [Speaker 2]
You can get $7.50 over $2.50 or more if you need it.
00:21:17 [Speaker 2]
So excess cybercrime is really interesting.

00:21:20 [Speaker 2]
There's a couple of products that have availed themselves that are that are true you know, essentially a true umbrella product.
00:21:26 [Speaker 2]
So difference in condition and difference in limit.
00:21:28 [Speaker 2]
So they sit over the top of a primary policy, and they make up any difference in condition, and they make up any difference in limit with with an with an own limit applied.
00:21:39 [Speaker 2]
So, yes, there are changes, but right now, with the aggressive nature of the marketplace, the changes are good.
00:21:44 [Speaker 2]
There's more affordable coverage.

00:21:46 [Speaker 2]
There's more flexibility in coverage.
00:21:48 [Speaker 2]
There's an excess marketplace that's availing itself.
00:21:51 [Speaker 2]
It's it's a good time.

00:21:52 [Speaker 1]
Awesome.
00:21:52 [Speaker 1]
That's great news.
00:21:53 [Speaker 1]
Yeah.
00:21:54 [Speaker 1]
So, so I know that I know we had to renew ours, a few months back.
00:22:01 [Speaker 1]
The the requirements, although you're talking about a more favorable environment, but the requirements grew year over year.

00:22:10 [Speaker 1]
So, so not sure how that correlates to this more aggressive market.
00:22:15 [Speaker 1]
But, is that what you're seeing, what we experienced that although maybe pricing is better or terms and are better maybe and all that, but the insurance companies aren't letting up on on what the the requirements are.

00:22:28 [Speaker 2]
Sure.
00:22:29 [Speaker 2]
So so part of the underwriting process is to try to more more accurately provide better rates to those with with a better cybersecurity posture.
00:22:37 [Speaker 2]
So they're gonna retain the more true underwriting process because that does allow them to price more aggressively where they where they should versus, you know, if there is a bad risk out there.
00:22:46 [Speaker 2]
And by bad risk, I mean, less of a cybersecurity posture.
00:22:49 [Speaker 2]
They wanna price that appropriately.

00:22:50 [Speaker 2]
Right?
00:22:52 [Speaker 2]
In your case, you know, being a cybersecurity provider, there is inherent risk to that.
00:22:56 [Speaker 2]
Right?
00:22:56 [Speaker 2]
So some of that is is class oriented, class of business oriented.
00:23:00 [Speaker 2]
So if you're, you know, a cybersecurity provider, if you're a a SaaS company in fintech or medtech, if if you're a legal firm or an accounting firm, you have a lot of sensitivity of information.

00:23:11 [Speaker 2]
So they're still going to have a lot of requirements because there is inherent risk to your business model as it relates to cyber liability.

00:23:18 [Speaker 1]
Got it.
00:23:19 [Speaker 1]
Makes sense.
00:23:19 [Speaker 1]
Absolutely makes sense.
00:23:20 [Speaker 1]
Okay.
00:23:21 [Speaker 1]
And so we talk about, policy terms and and and how, you know, there's these two spectrums and whatnot.

00:23:28 [Speaker 1]
Are there any other policy, let's say, exclusions or clauses that that our listeners should be more aware of?

00:23:35 [Speaker 2]
Yeah.
00:23:36 [Speaker 2]
So, obviously, representations and warranties clauses.
00:23:38 [Speaker 2]
I know we talked about it earlier, but I wanna bring it up again because that is absolutely critical to accessing your limit at time of claim and when you're your most vulnerable and most needy.
00:23:46 [Speaker 2]
Right?
00:23:46 [Speaker 2]
Beyond representation and warranty clauses, sublimits are something to pay attention to.

00:23:52 [Speaker 2]
If you have exposure to things like the California Privacy Act or GDPR, there can be exclusions or limitations related to those acts, so you certainly wanna be aware of those.
00:24:02 [Speaker 2]
Whether or not breach costs are considered inside or outside the limit is something to be aware of.
00:24:08 [Speaker 2]
Time deductibles on your business income as it relates to a cyber liability event.
00:24:12 [Speaker 2]
So if you have a ransomware event and you lose the ability to generate income, are you waiting eight hours, zero hours, twenty four hours, seventy two hours?
00:24:21 [Speaker 2]
When do you access that business income limit?

00:24:23 [Speaker 2]
And as you become a medium enterprise or a large enterprise and your daily income becomes significant, waiting three days before you can access that limit may not be something you wanna do.
00:24:33 [Speaker 2]
You might want a zero hour time deductible or an eight hour time deductible or something more reasonable.
00:24:37 [Speaker 2]
Right?
00:24:38 [Speaker 2]
So there's a lot of nuance to the policies, and and the nuance will change based on your business model.
00:24:43 [Speaker 2]
If you're a call center, you might be more concerned about bricking and the limit you have for bricking because your hardware right?

00:24:51 [Speaker 2]
If you're not hard little heavy, but you have a lot of third party vendors that are large enterprises, you might be much more concerned about things like reputational harm or privacy liability due to you owe to those third parties.
00:25:02 [Speaker 2]
So it will be context driven, but certainly a lot of nuance.
00:25:05 [Speaker 2]
Yes.

00:25:06 [Speaker 1]
Absolutely.
00:25:06 [Speaker 1]
That's great.
00:25:07 [Speaker 1]
Yeah.
00:25:09 [Speaker 1]
Wow.
00:25:09 [Speaker 1]
I didn't even know about some of that stuff.

00:25:11 [Speaker 1]
That's great.
00:25:12 [Speaker 1]
So I hope it's, helpful to our our listeners.
00:25:15 [Speaker 1]
So let's wrap it up here.
00:25:18 [Speaker 1]
You know, you mentioned earlier, that that, you know, my business, what we do for a living, cyber you know, cybersecurity is is ever evolving.
00:25:27 [Speaker 1]
The threat landscape is changing.

00:25:29 [Speaker 1]
The bad actors are always thinking up new schemes, which is, you know, you know, the the the the challenge that we're faced with because we have to educate and then continuously educate, our clients on what they're doing.
00:25:43 [Speaker 1]
But, when it comes to, you know, this type of insurance, is there any recommended, time frame that that somebody should, reassess what they've got?
00:25:54 [Speaker 1]
I mean, is it just on policy renewal, or is there anything else there?

00:25:59 [Speaker 2]
There's certainly be no less than policy renewal.
00:26:02 [Speaker 2]
Right?
00:26:03 [Speaker 2]
But but I would encourage people, develop a relationship with your insurance provider, with your broker or agent.
00:26:09 [Speaker 2]
And and in developing that relationship, make this a priority because this this is, you know, a number one risk for a lot of business models, and it's a top five or top three risk for any business model you can think of.
00:26:20 [Speaker 2]
So this does need to be a part of your conversation beyond just the renewal.

00:26:25 [Speaker 2]
And and things that should, you know, cause you to think about maybe I should talk to my agent or my broker are changes in operations, whether that be, you know, the clients you work with, the geography you work in, the types of contracts you're entering into, you know, any any of the above.
00:26:43 [Speaker 2]
Right?
00:26:44 [Speaker 2]
Any any change in business operations could be reflected within the insurance policy.
00:26:49 [Speaker 2]
So unless you are a a very static business and you've stayed static since the last time you talked about it, if you have changes that are either in consideration or have occurred, call your agent and make sure that the coverage is still reflective of the operations.

00:27:04 [Speaker 1]
Yeah.
00:27:04 [Speaker 1]
That's great advice.
00:27:05 [Speaker 1]
And, at any point, if a, a business, owner or manager executive feels that they're uncomfortable with their current provider in between renewals, is that an acceptable practice to still, you know, go ahead and do some research then?
00:27:26 [Speaker 1]
Oh, absolutely.

00:27:27 [Speaker 2]
Yeah.
00:27:27 [Speaker 2]
So so if your current solution is not working for you and you're in the middle of the term, don't wait.
00:27:31 [Speaker 2]
It's your business.
00:27:32 [Speaker 2]
Right?
00:27:33 [Speaker 2]
It's your balance sheet that's at risk.

00:27:35 [Speaker 2]
Don't wait.
00:27:36 [Speaker 2]
If you need to find a new relationship, find that new relationship.

00:27:39 [Speaker 1]
Yep.
00:27:39 [Speaker 1]
Absolutely.
00:27:40 [Speaker 1]
That's what I was hoping to hear.
00:27:42 [Speaker 1]
Joseph, two years, man.
00:27:43 [Speaker 1]
That's been great.

00:27:44 [Speaker 1]
What a change.
00:27:45 [Speaker 1]
So there's been drastic changes.
00:27:48 [Speaker 1]
Sounds like mostly for the better for the consumer, which is which is rare, but incredibly great news.
00:27:57 [Speaker 1]
Really wanna thank you for your time, today, and, let's have you back in, you know, another another year or two so you can tell us, what's changed then.
00:28:08 [Speaker 1]
And that's a wrap for today's episode.

00:28:10 [Speaker 1]
Cyber liability insurance is changing fast.
00:28:12 [Speaker 1]
And if there's one thing we've learned, it's that businesses can't afford to ignore it.
00:28:17 [Speaker 1]
Staying ahead of policy updates, security requirements, and potential exclusions can make all the difference in protecting your company.
00:28:25 [Speaker 1]
Connect with us on social media at one step secure IT, and we'd love to hear from you.
00:28:31 [Speaker 1]
Until next time, stay safe, stay informed, and we'll catch you the next time.