Video is a webinar with several speakers discussing what to think about when considering obtaining cybersecurity insurance.
00:01:04.000 --> 00:01:10.000
Good morning, and thank you for joining us today for our latest edition of our Pair Up webinars. Today's
00:01:10.000 --> 00:01:19.000
webinar is focusing on cybersecurity insurance, and we have a great group of presenters, um, waiting for you.
00:01:19.000 --> 00:01:28.000
Um, today's webinar, for any board members who are in attendance, you will automatically earn your three educational credits. You will see that in your Prosper account in approximately one week.
00:01:28.000 --> 00:01:41.000
We are going to record this webinar, so anyone who was not able to attend today can… will be able to catch it on our website in a couple of weeks, and you'll be able to get credit that way by submitting a training affidavit in part.
00:01:41.000 --> 00:01:50.000
And Prosper. We will take questions as they come in, and we will try to handle as many questions as possible within the time allotted.
00:01:50.000 --> 00:01:59.000
Please submit your questions typed into the Q&A. And I will read them off as they come in. And again, as time allows.
00:01:59.000 --> 00:02:11.000
The presentations, I will drop into the chat, and you'll be able to download that momentarily, but I will also post that to the website as well, and I want to thank the presenters for allowing us to share that with you.
00:02:11.000 --> 00:02:16.000
Um, and with that, I will hand it over to Ken for an introduction of our speakers.
00:02:16.000 --> 00:02:18.000
Thank you very much.
00:02:18.000 --> 00:02:25.000
Good morning. Thank you, Natasha. I'm Ken Hill, I'm the Deputy Executive Director at PERAC.
00:02:25.000 --> 00:02:30.000
Thank you for attending this morning, and thank you for joining us in this cybersecurity webinar.
00:02:30.000 --> 00:02:37.000
We have several guest speakers today, all with relevant and, you know, relevant knowledge and experience with cybersecurity.
00:02:37.000 --> 00:02:41.000
The risks associated with, and how to minimize against those risks.
00:02:41.000 --> 00:02:48.000
Um, these speakers are industry professionals, they provide insurance coverage to retirement boards and municipalities.
00:02:48.000 --> 00:02:52.000
Um, the presentations that they're going to give are educational in nature.
00:02:52.000 --> 00:02:58.000
And we thank all the presenters for volunteering their time and services.
00:02:58.000 --> 00:03:08.000
Um, with that, let me introduce the speakers. Um, Matt Donovan will be speaking. He is the Executive Vice President at Amwins.
00:03:08.000 --> 00:03:14.000
Dave DeLugesh. The Managing Principal of Collaborative Insurance Solutions.
00:03:14.000 --> 00:03:23.000
Jeffrey Lydon, the principal owner of Leiden & Murphy Insurance. Todd Aheneishian… sorry, Todd.
00:03:23.000 --> 00:03:31.000
The Senior Account Executive for Cabot Risk Strategies, and Tom DiPaolo, the Vice President of Operations for Cabot Risk Strategies.
00:03:31.000 --> 00:03:37.000
Um, now, before I kick it to these gentlemen, I'd just like to say how timely this presentation is.
00:03:37.000 --> 00:03:45.000
Um, October is Cybersecurity Awareness Month. Um, that's per the Cybersecurity and Infrastructure Security Agency.
00:03:45.000 --> 00:03:58.000
Which bills itself as America's Cyber Defense Agency. I did not know that such an agency existed, but I'm certainly glad it does. However, yesterday, I went on their website, and there's a banner at the top that says, "Notice:
00:03:58.000 --> 00:04:06.000
Due to the lapse in federal funding, this website will not be actively managed." So, maybe it's bad timing that this is Cybersecurity Month.
00:04:06.000 --> 00:04:18.000
Um, and before we get to the speakers, just a few PERAC housekeeping items. Thank you all who attended, and especially those who presented and organized, uh, PERAC's recent Emerging Issues Forum.
00:04:18.000 --> 00:04:25.000
Uh, we had tremendous speakers. Incredible venue, and thank you again to all who participated.
00:04:25.000 --> 00:04:32.000
Most of the slides from that… the presentations given that day are available upon request to PERAC, so please contact Natasha.
00:04:32.000 --> 00:04:44.000
Also, we have an upcoming commission meeting on October 8th, next week. The agenda includes the voting on the new fraud prevention posters. This is a bi-annual thing.
00:04:44.000 --> 00:04:49.000
The winning poster will be distributed to the boards in the municipalities later this month.
00:04:49.000 --> 00:04:57.000
So be on the lookout for that. Um, PERAC has completed its annual report, and we recently issued that. It is available on our website.
00:04:57.000 --> 00:05:06.000
Um, most recently, we issued Memorandum number 26 of 2025. Uh, this contains our quarter four education schedule.
00:05:06.000 --> 00:05:11.000
Some highlights of that are that PERAC will be conducting a new administrator training.
00:05:11.000 --> 00:05:21.000
Uh, to be held in Danvers, Mass on November 5th. Um, another session of the Administrator's Training will be held in Norwood in March of 2026.
00:05:21.000 --> 00:05:35.000
Um, and lastly, Section 91A, Annual Statement of Earned Income for Disability Retirees. A reminder that for those who filed an IRS extension, the October 15 deadline is fast approaching.
00:05:35.000 --> 00:05:50.000
And PERAC just issued reminder letters to those affected. Um, so, um, without further ado, I would like to present Matt Donovan, Dave DeLugesch, and Jeffrey Leiden, and I thank them for the presentation they're about to give.
00:05:50.000 --> 00:05:51.000
Thank you, Ken.
00:05:51.000 --> 00:05:52.000
Thank you.
00:05:52.000 --> 00:06:05.000
Thanks, Ken. So I'm gonna jump in here. Matt Donovan here from Amwins. We're gonna run through some slides. While we run through, I am unfortunately dependent on hotel Wi-Fi at the moment, so I might turn off my camera to make sure nothing's, uh…
00:06:05.000 --> 00:06:14.000
Dragging on here as we go through. Uh, but thought I would kind of run through general cyber exposures, a couple of the buckets to think about when you think about what cyber is, what it could affect.
00:06:14.000 --> 00:06:20.000
Um, kind of generally how the cyber insurance policy is structured, and how it can help navigate some of those incidents.
00:06:20.000 --> 00:06:35.000
Um, and I really wanted to spend some time kind of getting in the weeds on social engineering, funds transfer fraud, and invoice manipulation fraud, uh, given the kind of vertical that you guys are in. I think that's of top importance. So, there's a lot of different shades across the industry.
00:06:35.000 --> 00:06:46.000
Pertaining to those coverages, so… Uh, without further ado, thanks for advancing. You can advance one more here for the data risk section.
00:06:46.000 --> 00:07:00.000
So, think about cyber in a couple different buckets. You really have data risk, and we'll move on to operational risk here in a second. Um, I think data risk is relatively understood these days compared to yesteryear, but you kind of have these big buckets of
00:07:00.000 --> 00:07:12.000
types of data that can govern the type of response needed, um, the regulatory issues that might kind of ensue following an exposure to this type of information.
00:07:12.000 --> 00:07:22.000
But generally speaking, PII is kind of the catch-all term. That's going to be personally identifiable information, and then everything else can kind of fall underneath that. So, within PII, you'll have
00:07:22.000 --> 00:07:31.000
PHI, protected health information, PCI, which can be payment card information, which introduces different exposures with the payment card industry, and
00:07:31.000 --> 00:07:38.000
compliance needs for, really, a non-governmental body there. Um, and then confidential corporate information, things that are not necessarily
00:07:38.000 --> 00:07:54.000
personally identifiable in nature, but they're sensitive, whether it has to do with your own information, a third-party company's information, but these things are increasingly being utilized in cyber extortion events, so I'll kind of touch on that a little bit.
00:07:54.000 --> 00:08:03.000
Um, and next, if you go into the operational risk side, um, you've got data loss and extortion, um, you know, while you're down, uh, can cause
00:08:03.000 --> 00:08:12.000
pretty big hiccups. Um, we're seeing both… you know, the original cyber extortion threats were really threats to, you know, they were really encryption.
00:08:12.000 --> 00:08:18.000
We're also now seeing tremendous amounts of data exfiltration prior to encryption.
00:08:18.000 --> 00:08:25.000
So that you've got a threat to publish sensitive information beyond just, hey, we restore from our backup, so we don't need to pay the threat actor.
00:08:25.000 --> 00:08:36.000
Um, so some kind of new, new, uh, shades of the extortion kind of coming through there. Um, and data loss and restoration. There are different shades of coverage there, whether it's gonna, uh,
00:08:36.000 --> 00:08:46.000
you know, pay to recreate databases, or if you require, you know, existing copies or digital copies to kind of restore from. So there's various shades of that coverage within the industry as well.
00:08:46.000 --> 00:08:50.000
Um, we'll touch on social engineering and invoice manipulation fraud coverage.
00:08:50.000 --> 00:09:01.000
Um, this has to do with, you know, one, you kind of have funds transfer fraud, we'll touch on, which is a threat actor posing as you and moving your funds from a financial institution.
00:09:01.000 --> 00:09:14.000
And then you really get into social engineering, where that's the voluntary parting of title, so no one held a gun to your head, you were just kind of deceived into sending funds to a fraudster, thinking that you were sending the funds somewhere else.
00:09:14.000 --> 00:09:26.000
Um, and then invoice manipulation fraud, which is basically social engineering turned on its head, uh, kind of inverse social engineering, and that's where your business email generally, your email system, is utilized
00:09:26.000 --> 00:09:41.000
to issue a fraudulent instruction or invoice to a vendor, a client, some third party to pay you, but it turns out they're paying the fraudster that was in your system and issuing fraudulent instructions to that unsuspecting third party.
00:09:41.000 --> 00:09:46.000
Um, and then while really kind of a lot of this is driven by cyber extortion these days.
00:09:46.000 --> 00:09:55.000
But we've got different shades of business interruption, and then dependent business interruption pertaining to systems, hosted software, networks
00:09:55.000 --> 00:10:01.000
that you are reliant on in order to operate. Um, so kind of the extended network concept there.
00:10:01.000 --> 00:10:08.000
Go to the next slide. I mean, this is just the title, so you can advance.
00:10:08.000 --> 00:10:16.000
So, the… these, uh, coverages are kind of broken up. The cyber insurance policy fits together like a puzzle.
00:10:16.000 --> 00:10:25.000
Um, not every incident will trigger every insuring agreement. However, generally speaking, an incident will trigger multiple insuring agreements.
00:10:25.000 --> 00:10:33.000
Um, out of the gate, when you have an actual or suspected incident, you generally trigger what's dubbed the breach cost module of the policy.
00:10:33.000 --> 00:10:43.000
And that's gonna tap in forensics, um, it's gonna cover breach notification costs, if you have to offer identity or protection services for any plan participants.
00:10:43.000 --> 00:10:58.000
Um, and then crisis management and public relations services. These are all what's considered a first-party expense, so nobody is suing you, these are just the costs for you to start addressing what happened, identifying the size and scope.
00:10:58.000 --> 00:11:04.000
And then notification obligations, credit monitoring obligations, if you've lost social security numbers, things of that nature.
00:11:04.000 --> 00:11:08.000
Um, so all first-party expenditures. When you move on to the next here.
00:11:08.000 --> 00:11:17.000
Um, if you have a… a… liability incident, where you, generally speaking, if you lose, uh, any sort of, uh,
00:11:17.000 --> 00:11:32.000
volume of info. The plaintiff's bar seems ready to go. We have to send… I went to a conference one time, and they said we send out these nice notification letters, which are all required to send, but it helps them figure out, you know, who to identify in a class or a class action.
00:11:32.000 --> 00:11:44.000
Um, so privacy and network security is going to be coverage for true liability, whether it's from a class, whether it's from an individual who's lost information, a third-party corporation.
00:11:44.000 --> 00:11:47.000
Um, kind of baked in here, you get regulatory coverage as well.
00:11:47.000 --> 00:12:02.000
Um, important to note, whether it's in the breach costs, uh, breach response, or the defense of an actual liability action, the carriers, if you purchase a dedicated cyber policy, they provide all the vendors and all of the law firms that you will work with.
00:12:02.000 --> 00:12:08.000
You have to stay on their panel. We can try to get things endorsed on ahead of time in certain cases.
00:12:08.000 --> 00:12:13.000
But most of the time when we do that, we find that the carrier panel rates are maybe half
00:12:13.000 --> 00:12:24.000
of what you start finding in the open market if you were to retain an attorney to handle some of the same services, so… Sometimes if we get, you know, special approval for an attorney you want to use,
00:12:24.000 --> 00:12:40.000
The carrier will say, alright, well, we'll pay up to, you know, this partner paralegal associate rate, and any delta beyond there, you're going to have to come out of pocket and fund yourself, so… would highly recommend utilizing the carrier firms. The panel, whether it's the breach response, forensics negotiator.
00:12:40.000 --> 00:12:58.000
Ransom negotiations, the defense of these claims, the vendors that the carriers utilize, they've got pretty good rates, one, but they have those because they deal with such volume with these insurance carriers, so… Very good to put it in their hands, and the carriers also want to handle it from the onset.
00:12:58.000 --> 00:13:06.000
So, you know, we have a couple horror stories where someone taps in their brother-in-law's forensics firm, or they don't think something's gonna turn into an issue, so they don't report it.
00:13:06.000 --> 00:13:15.000
Um, fast forward, then they get a late reporting denial because the carrier wants to make sure that they are addressing all of their legal, regulatory obligations.
00:13:15.000 --> 00:13:21.000
From the onset, if you have an actual or suspected incident. Um, so important to utilize these policies quickly.
00:13:21.000 --> 00:13:35.000
Um, going to the next piece. So, cyber business interruption, that's going to cover a financial loss, uh, due to… your business being brought down, it's kind of broken up. You can actually open up a few of these boxes here. I think we've got a total of 6 on the screen.
00:13:35.000 --> 00:13:44.000
Um, the cyber business interruption, I'll go on to kind of a different shade of this coverage, but the original shade of cyber business interruption was for your network.
00:13:44.000 --> 00:13:59.000
And was for a malicious act. So someone's really bringing you down. Um, this coverage is to pay for net losses, uh, during… and extra expenses experienced during that…
00:13:59.000 --> 00:14:08.000
Data restoration is going to cover the cost to recreate or repair damaged or destroyed data. It's not gonna, uh, pay for the cost of research and development, anything like that.
00:14:08.000 --> 00:14:14.000
Um, but we do see tremendous amounts of man hours required to restore databases at times following some of these events.
00:14:14.000 --> 00:14:19.000
Um, cyber extortion is going to cover the, uh, cost to make payments.
00:14:19.000 --> 00:14:30.000
Um, based on, really, network-based ransom demand. So that can be… we've encrypted your system, and in order to re-access it, we'll give you the decryption keys in response to you paying
00:14:19.000 --> 00:14:30.000
X amount generally in Bitcoin. Um, and we also now are seeing the threat to publish. So, you know, an insured may realize that they're being ransomed
00:14:41.000 --> 00:14:51.000
upon the locking up of their system, but then if they go to restore, oftentimes in that communication, the threat actor will say, hey, you know, you can restore if you'd like, but we're gonna publish all this stuff that we've exfiltrated.
00:14:51.000 --> 00:14:57.000
Um, so it's just kind of a new layer of, uh, trying to figure out the best way to respond on a lot of this stuff.
00:14:57.000 --> 00:15:06.000
Um, and then these policies get bundled with multimedia liability. It's really kind of general media, claims made, not occurrence-based, and that's going to cover
00:15:06.000 --> 00:15:14.000
copyright, trademark, trade dress, things of that nature, generally on your website, uh, marketing communications, advertising, things like that.
00:15:14.000 --> 00:15:30.000
Next slide. And you can expand these. Yeah, so then as, uh, as the years have kind of moved on, a lot of these coverages needed to be expanded. So those first coverages were kind of the core of the original cyber policies.
00:15:30.000 --> 00:15:35.000
And these have been expanded in a number of different ways. So, first and foremost, system failure came through, where
00:15:35.000 --> 00:15:45.000
people started saying, okay, well, what if it's not a malicious act and my network does go down? A good example of that would be what just happened recently with CrowdStrike.
00:15:45.000 --> 00:15:53.000
Um, a lot of folks had on-prem, uh, CrowdStrike instances that an update went awry, and it brought down,
00:15:53.000 --> 00:15:59.000
uh, their systems. It was not malicious in nature, um, it was just an update gone bad.
00:15:59.000 --> 00:16:10.000
Um, that would generally be a system failure, uh, coverage triggered, and it's important to note that regular business interruption, system failure, and the next two, the dependent versions of the coverages that we're going to talk through,
00:16:10.000 --> 00:16:18.000
they're generally subject to a waiting period rather than a dollar value retention, so they'll say, hey, the first 8 to 10 hours, sometimes 12,
00:16:18.000 --> 00:16:28.000
that you're down, that basically serves as your deductible. And then we'll start paying net income and extra expense losses going forward, uh, after that waiting period has expired.
00:16:28.000 --> 00:16:36.000
Um, so system failure brought in the non-malicious, you know, update gone bad type of coverage.
00:16:36.000 --> 00:16:40.000
But then, uh, you know, continue to fast-forward, and tremendous amounts of businesses basically.
00:16:40.000 --> 00:16:53.000
Everyone at this point is dependent on some sort of a cloud-based offering, whether that's hosted software, your actual system hosts themselves being placed in a cloud environment versus on-premises servers.
00:16:53.000 --> 00:16:59.000
Um, so everyone kind of said, well, these business interruption coverages are great, but what about when it's not
00:16:59.000 --> 00:17:06.000
my network, per se, it's my dependencies that suffer a ransom demand, some sort of other outage?
00:17:06.000 --> 00:17:10.000
How do we address those for my net income and extra expense losses?
00:17:10.000 --> 00:17:17.000
So then came dependent, sometimes you'll see it referred.
00:17:17.000 --> 00:17:25.000
System failure and business interruption. So, persistent failure, malicious for business interruption, but these are really covering your dependent networks that you're dependent on.
00:17:25.000 --> 00:17:34.000
Um, for the vertical that we're discussing here, I don't think this is pertinent per se, but just food for thought. There are certain insurance carriers now that have even further expanded these dependent coverages
00:17:34.000 --> 00:17:51.000
beyond IT providers. So, if you were a furniture manufacturer, reliant on the sawmill to bring lumber in the door, but the sawmill had a ransomware event and it ground to a halt, you can't get physical goods in the door to turn it around, we can actually cover that from a cyber perspective as well.
00:17:51.000 --> 00:18:00.000
Um, and then folks kept saying, okay, this is great, we got all of our network stuff covered, but what about our money? So, how about theft of funds?
00:18:00.000 --> 00:18:13.000
A lot of these coverages are duplicative within the crime marketplace. I would say the cyber marketplace has evolved much more quickly. We've got crime policies that are still referencing teletypes, which is just a little outdated by a couple decades.
00:18:13.000 --> 00:18:21.000
Um, and we've got cyber coverages that have really evolved to cover some of these newer scams. So.
00:18:21.000 --> 00:18:26.000
Social engineering is going to be, like I said at the top, it's going to be your voluntary parting of title. You were deceived into sending funds.
00:18:26.000 --> 00:18:33.000
Generally speaking, cyber policies come with a $250,000 sublimit for this, and we'll talk through some of the shades of the coverage.
00:18:33.000 --> 00:18:43.000
Client account or invoice manipulation coverage, again, is that scam turned on its head, so that's where your likeness through your email system is used to deceive a third party into sending funds.
00:18:43.000 --> 00:18:54.000
Um, and then you have to make sure that these insuring agreements are expanded to cover funds that don't belong to you. A lot of the insuring agreements in the marketplace cover your funds, money, securities,
00:18:54.000 --> 00:19:00.000
not those of others or funds held in escrow. So, very important, especially for you guys, to make sure that all
00:19:00.000 --> 00:19:06.000
parties' funds that fall victim to these types of scams are covered when in possession of the insured or in the insured's care, custody, or control.
00:19:06.000 --> 00:19:16.000
Um, we've also got some other stuff that you rarely see triggered, but utility fraud, that's when people hack in and utilize your cloud instance for cryptocurrency mining, or your telephone system for long calls.
00:19:16.000 --> 00:19:23.000
Um, and then we've got some kind of non-breach data laws that are all burgeoning, so for the misuse of data in California.
00:19:23.000 --> 00:19:35.000
Um, there's various different acts that are kind of brewing right now, um, that's not just triggered by a breach, but rather, were you allowed to actually obtain this information in the first place?
00:19:35.000 --> 00:19:43.000
Should you be purging this information? So, just something to keep an eye on, um, as kind of legal, uh, barriers start to expand.
00:19:43.000 --> 00:19:56.000
Next slide. So, cost to risk, we'll run through these ones quickly. These are just some incidents that we see. This was from earlier in the year, so you can kind of ignore the 2025 numbers, but I wanted to put this out here.
00:19:56.000 --> 00:20:01.000
This is data from Mullen Coughlin, who serves as the breach coach for the vast majority of the good cyber carriers.
00:20:01.000 --> 00:20:13.000
Um, in 2024, if you look at that data, the average ransom paid was almost $1.9 million, or, I'm sorry, demand was $1.9 million. The average paid was $520,000.
00:20:13.000 --> 00:20:19.000
Better than almost half of the prior year in 2023, where the average paid was $937.
00:20:19.000 --> 00:20:26.000
So, I only put this out there just to say we can get limits chewed through quite quickly if we have a stout ransom demand.
00:20:26.000 --> 00:20:32.000
So, as you're choosing some of the policy limits, it's kind of good to think about a bucket that could vanish
00:20:32.000 --> 00:20:43.000
pretty quickly in some of these ransom incidents. Go to the next slide.
00:20:43.000 --> 00:20:51.000
Okay, and this is, uh, resulting from business email compromise, so it's still one of the most frequent types of incidents that we see.
00:20:51.000 --> 00:21:01.000
They generally result in fraudulent wire transactions. So you can see the amount fraudulently wired and the medians that are thrown there. I mean, we're getting into pretty decent six-figure numbers.
00:21:01.000 --> 00:21:07.000
Um, a lot of the wire transfer fraud, it really emanates from the compromise of business email systems.
00:21:07.000 --> 00:21:12.000
It's why there's a really enhanced focus on getting multi-factor authentication on these systems.
00:21:12.000 --> 00:21:21.000
Next slide. I'll touch these fraud coverages, because there's a lot of these different variances throughout the business. So.
00:21:21.000 --> 00:21:30.000
Social engineering, voluntary parting. The middle one, uh, invoice fraud, the insured's computer systems utilized to deceive a vendor or client into paying an invoice.
00:21:30.000 --> 00:21:35.000
Um, and then funds transfer fraud, True Blue Funds Transfer Fraud is really the threat actor posing as you.
00:21:35.000 --> 00:21:42.000
And issuing a fraudulent transfer instruction to a financial institution. Go to the next slide.
00:21:42.000 --> 00:21:46.000
Employee theft would be covered on your true crime policy, not on this side.
00:21:46.000 --> 00:21:55.000
Um, and then we can expand this as well. You have to make sure, uh, really how the insuring agreements are crafted, or how the exclusions, uh, are kind of added at the end,
00:21:55.000 --> 00:22:01.000
um, to make sure that you've got customer funds, physical property, not just funds, money, securities.
00:22:01.000 --> 00:22:12.000
And then, oftentimes, we see coverages now expanding into the control group, which is really the C-suite, or employee funds, if they are also stolen as a result of an attack on the business.
00:22:12.000 --> 00:22:24.000
Next slide. Here are a number of exclusions, and this is what I really wanted to call attention to in this presentation, because these policies are so, so different. So, uh, the first one here is a common one from Chubb's base language.
00:22:24.000 --> 00:22:36.000
So, pertaining to the social engineering, they say no coverage will be available for a loss in excess of $50,000 unless the transfer, payment, or delivery of money or securities, note that there's no property coverage there,
00:22:36.000 --> 00:22:43.000
is made by a control group member, which is really your C-suite, an employee, agent, independent contractor, other representative.
00:22:43.000 --> 00:22:49.000
Authorization from a control… so, basically, if you have an employee, they need to get dual sign-off
00:22:49.000 --> 00:22:53.000
for any transfer made over $50,000, or Chubb will deny the claim.
00:22:53.000 --> 00:23:00.000
And this is buried, you know, I kind of joke around on page 72 in Braille is usually where these exclusions lie.
00:23:00.000 --> 00:23:18.000
Um, so important to really comb through with a fine-tooth comb here. Uh, the next one here, uh, computer fraud cost means the amount fraudulently obtained from the insured. Computer fraud costs include the direct financial loss only. Computer fraud costs do not include any portion of such amount that can reasonably be expected to be reimbursed by a third party.
00:23:18.000 --> 00:23:35.000
Um, I believe that one is from HSB. Um, so one direct financial loss, not covering any customer funds, any employee funds, anything like that, right? And then they leave kind of a caveat out there if they think you should be able to get your money back, they may not want to cut the check.
00:23:35.000 --> 00:23:52.000
Uh, the next one here, fraudulent instruction, means the transfer or payment of money or securities by an insured as a result of fraudulent written, electronic, telegraphic, cable, teletype, or telephone instructions provided by a third party that is intended to mislead an insured through the misrepresentation of a material fact
00:23:52.000 --> 00:23:59.000
which is relied upon in good faith by the insured. So, a lot of words there, but again, fun… money or securities.
00:23:59.000 --> 00:24:06.000
And then you have to, in certain policies, look how those are defined to make sure it doesn't restrict it to just the insured's money or securities.
00:24:06.000 --> 00:24:12.000
But also no physical property. If you're shipping any equipment, anything like that, to other locations.
00:24:12.000 --> 00:24:27.000
Uh, next one here, fraudulent instruction will not include loss arising out of fraudulent instructions received by the insured, which are not first authenticated via a method other than the original means of the request to verify the authenticity or validity of the request.
00:24:27.000 --> 00:24:34.000
This is your callback provision. So, if you did not call a known number for this particular insurance policy
00:24:34.000 --> 00:24:40.000
prior to sending that, uh, that transfer, they'll deny the claim. So these are all things we're looking for when we place policies,
00:24:40.000 --> 00:24:50.000
to knock out via mandatory endorsements or specialized coverage enhancements, to tweak these base form restrictions that we find pretty untenable.
00:24:50.000 --> 00:25:05.000
Um, the next one here, this is a funky one that comes from Tokio Marine HCC. So, they deny any claim based upon, arising from, or in any way involving the giving or surrendering of money, securities, or other property. They included other property, that's nice.
00:25:05.000 --> 00:25:11.000
In exchange for or purchase of goods or services that are not yet delivered,
00:25:11.000 --> 00:25:28.000
whether fraudulent or not. So, if you've not… perform, I guess, maybe a cash-on-delivery, 1990s, uh, type of situation, where you're… you're only paying at the time of delivery, but generally speaking, services or products have not been delivered yet when money is being exchanged.
00:25:28.000 --> 00:25:36.000
And we see TMHCC trying to dig in on this exclusion to say, hey, you know, you hadn't delivered the services yet.
00:25:36.000 --> 00:25:41.000
They don't really seem to understand that someone's left holding the bag, and that person's gonna be looking to our insured.
00:25:41.000 --> 00:25:46.000
Um, but this is one that, you know, through Amwins, we have changed through an amendatory endorsement.
00:25:46.000 --> 00:25:51.000
But it's just lurking in their base wording for any off-the-rack policy from TMHCC.
00:25:51.000 --> 00:25:57.000
Um, and then you can look, too, in the definition section. So, computer rocks, you know, computer crimes, and this policy I was reviewing.
00:25:57.000 --> 00:26:07.000
Um, sometimes they'll use invoice manipulation as a different defined term. It means the intentional, fraudulent, or unauthorized input, destruction, or modification of electronic data into computer systems,
00:26:07.000 --> 00:26:13.000
um, by an entity which is not an insured organization or a person who is not an insured person.
00:26:13.000 --> 00:26:27.000
Um, so again, these things can be defined in various exchange definitions throughout the policy. You can't just do a search for invoice manipulation. Unfortunately, the verbiage used varies pretty greatly from policy to policy.
00:26:27.000 --> 00:26:43.000
Uh, go next. And then again, invoice cost means the direct net costs incurred by the insured organization to provide the transfer of goods, products, or services to a third party. This one comes from At-Bay, I think Crum & Forster also still has this.
00:26:43.000 --> 00:27:03.000
Where they basically say, social engineering will cover on a gross basis, but the reverse social engineering, or invoice fraud, we want to strip out any kind of profit margin, and we only want to reimburse net amounts that were lost. So something that we're absolutely working to remove from those policy wordings as well.
00:27:03.000 --> 00:27:15.000
Next slide. Okay? So, important to note, too, that a lot of these coverages are duplicative in the crime, and it's something that you have to take into account.
00:27:15.000 --> 00:27:32.000
Both policies will have what are called mutually repugnant exclusions. So they'll both have some shade of… this policy will be excess over and will not contribute with any other valid and collectible insurance, providing any other coverage afforded under this policy, unless.
00:27:32.000 --> 00:27:36.000
Such other insurance is specifically written as excess over this policy.
00:27:36.000 --> 00:27:42.000
So, for this reason, we really try to offer our insureds standalone excess social engineering.
00:27:42.000 --> 00:27:48.000
Because then we can get one self-insured retention or deductible on the cyber policy to apply.
00:27:48.000 --> 00:27:55.000
And then it automatically flows straight through the excess social engineering limits. So, if you have a cyber policy and a crime policy.
00:27:55.000 --> 00:28:02.000
You'll have both carriers pointing fingers at one another. They both are not allowed to deny the claim, but you really get into some tough.
00:28:02.000 --> 00:28:17.000
Okay, what's the deductible on one side? What's the deductible on the other side? How much limit is on the crime versus on the cyber? We should proportionally prorate that, subject to the retentions applying. It really just gets messy in adjusting the claim.
00:28:17.000 --> 00:28:25.000
So as best you can, you want to try to get the social engineering and any crime or other additional limits pertained.
00:28:25.000 --> 00:28:33.000
To… pertaining to the social engineering, to kind of stack nicely without having these mutually repugnant exclusions apply.
00:28:33.000 --> 00:28:39.000
Next slide. And I just kind of point out here, you can hit, uh…
00:28:39.000 --> 00:28:45.000
The next one more time, yeah. So in the blue part, just kind of be aware with your third-party providers that you're working with.
00:28:45.000 --> 00:28:53.000
Really, every cloud provider worth their salt has some sort of limitation of liabilities like this, so if you are reliant on hosted software.
00:28:53.000 --> 00:29:09.000
Um, hosted cloud platforms. They basically all don't warrant that their services will be error-free and completely secure in some way, shape, or form. And then in a limitation of liability, they'll say liability, whether in contract, tort, strict liability or otherwise, will not exceed the total amount you actually paid for us through the cloud services.
00:29:09.000 --> 00:29:14.000
So generally speaking, if you have data parked in a cloud or in a third-party host environment.
00:29:14.000 --> 00:29:22.000
Best-case scenario, they might offer you service credits for future services if they suffer a breach or some kind of downtime.
00:29:22.000 --> 00:29:31.000
And those credits will be limited to the amount that you've paid them for services, so… Um, that's where the insurance policy kicks in to, uh…
00:29:31.000 --> 00:29:39.000
To make sure that you don't get dented too bad on a situation like this, but it's just important to note that it's basically impossible to outsource this stuff.
00:29:39.000 --> 00:29:48.000
To cloud providers or third-party hosts. There's a big misnomer out there saying, hey, you know, I'm in AWS or Google Cloud or whatever, you know, I'm good.
00:29:48.000 --> 00:29:52.000
Um, the contract terms are really not on the insured side.
00:29:52.000 --> 00:29:59.000
There's just a couple more things to touch on. I don't have to get into this slide here. It's available for everyone to look at.
00:29:59.000 --> 00:30:06.000
Um, it's just kind of noting that there are a number of stakeholders that may or may not be tapped in.
00:30:06.000 --> 00:30:12.000
Um, based on the type of event that happens, and if you go to the next slide, it's kind of a flavor of.
00:30:12.000 --> 00:30:20.000
The roadmap of how that goes down. So, from the time of detection, you generally mobilize your incident response team.
00:30:20.000 --> 00:30:27.000
Um, you'll get engagement of the breach coach. All of these policies, if you buy a standalone cyber policy, they come with a breach coach.
00:30:27.000 --> 00:30:36.000
Man, 24-7, Mullen Coughlin had the data at the beginning of the presentation here that they're kind of the preeminent firm. Lewis Brisbois is another one that's out there a lot.
00:30:36.000 --> 00:30:52.000
Um, you get a veil of attorney-client privilege if you have to air out some dirty laundry. You had a rogue employee event, you, uh… Didn't update something that you should have, and they'll kind of be empowered by the carrier to run point between the claims group and you, um, to get the appropriate vendors tapped in.
00:30:52.000 --> 00:31:01.000
Um, you'll generally engage law enforcement, financial institutions. You might have a specialized forensics investigation firm, or a PFI if it's credit card incidents.
00:31:01.000 --> 00:31:17.000
It's a specialized forensics firm. You gotta develop your communication strategy, you gotta negotiate negotiation of a ransom payment firm, perhaps, if someone needs to make that payment for you, clear what's called OFAC, Office of Foreign Assets Control, to make sure that we're not making a payment to a.
00:31:17.000 --> 00:31:25.000
A sanctioned country, which would be funding terrorism. Um, you might have, you know, restoration, uh, from backups or keys.
00:31:25.000 --> 00:31:34.000
PR firm, uh, engagement of mail and call center to provide credit monitoring for plan participants, uh, notify folks of a data breach.
00:31:34.000 --> 00:31:42.000
Data mining, regulatory interaction, disclosures as required by law, contract, or just by courtesy for PR reasons, really.
00:31:42.000 --> 00:31:50.000
And then finally, litigation and claims, if you finally get sued or people come after you, so… The prior slide showed kind of all the stakeholders.
00:31:50.000 --> 00:32:01.000
The carrier really holds all of these folks on retainer for you. So, I always say that the cyber policy is a lot more than just a checkbook. It's very much.
00:32:01.000 --> 00:32:16.000
Uh, the roadmap to respond to these types of incidents. With panel vendors and carriers at your beck and call, rather than trying to get out the phone book at the time of incident.
00:32:16.000 --> 00:32:21.000
So I think that's, uh, the end of my slides, I believe, here.
00:32:21.000 --> 00:32:25.000
I don't know if there were any questions that are popping up.
00:32:25.000 --> 00:32:30.000
No, we've got a quiet group this morning.
00:32:30.000 --> 00:32:37.000
Fair enough.
00:32:37.000 --> 00:32:58.000
Okay, I will, uh, transition to the next presentation, if you can bear with me for one second.
00:32:58.000 --> 00:33:01.000
Jeff and David, I don't know if you wanted to add?
00:33:01.000 --> 00:33:04.000
To the, uh, presentation.
00:33:04.000 --> 00:33:15.000
No, I think, Matt, uh, Matt summed it up very well, but I would just say, if anyone has any questions and wants to just discuss offline, don't be afraid to reach out to Jeff or I directly.
00:33:15.000 --> 00:33:16.000
Okay, great.
00:33:16.000 --> 00:33:21.000
Same thing, Matt, I think, did a fantastic job. I think the key point Matt pointed out.
00:33:21.000 --> 00:33:34.000
Is, um, not every policy is the same. You need to make sure you're getting the correct policy for the risk, and um… with the retirement system, so that I think they need to make sure that, you know.
00:33:34.000 --> 00:33:39.000
Policies that they have in place have the correct endorsements and don't have some of the coverage restrictions.
00:33:39.000 --> 00:33:43.000
That Matt talked about.
00:33:43.000 --> 00:33:51.000
Okay, great, thank you so much. So I'm going to transition now and share my screen with the, um… second presentation, I'll turn it over.
00:33:51.000 --> 00:33:57.000
To Tom and Todd.
00:33:57.000 --> 00:34:03.000
Okay, thank you, Natasha. Good morning, everybody. It is a pleasure to be here and present to you folks.
00:34:03.000 --> 00:34:09.000
Um, that was a fantastic presentation by the first team with Matt.
00:34:09.000 --> 00:34:17.000
Um, and there was a lot of very good information in there, which I hope there's quite a bit of takeaways for the whole audience today.
00:34:17.000 --> 00:34:23.000
Um, I think what Todd and I will do, um, because we are all in the same space as we will go through our.
00:34:23.000 --> 00:34:29.000
Presentation today, there is some overlap and redundancy, so rather than go really deep in.
00:34:29.000 --> 00:34:35.000
And, uh, reiterate a lot of the great information that Matt had provided for you.
00:34:35.000 --> 00:34:41.000
We will take an approach and concentrate on some other areas which all circle around the exposure to cyber.
00:34:41.000 --> 00:34:51.000
So, I guess to lead off the conversation, the one important takeaway I would recommend that everybody walks away understanding is that cyber is much more complex than what it.
00:34:51.000 --> 00:35:01.000
That, what, little five-letter word is, right? And the way we approach cyber, it's like a three-prong approach to making sure you are properly protected.
00:35:01.000 --> 00:35:12.000
As far as cyber event. So, there are 3 things that you should be, uh, actively and knowingly involved with to provide that protection to you. First, obviously, Matt did a great job.
00:35:12.000 --> 00:35:22.000
Uh, discussing the insurance, and that is… Number one protection when you are experiencing, obviously, any kind of a cyber breach, and that's going to be.
00:35:22.000 --> 00:35:28.000
You are thinking that that helps make you whole and get you back to the position you were in before the claim happened.
00:35:28.000 --> 00:35:37.000
Um, physical protections are what we consider more tactical approach. Are the things that I'm sure you're all aware of, firewalls, um…
00:35:37.000 --> 00:35:43.000
Endpoint detection and response, uh, MFA, you always hear these buzzwords and these buzz terms.
00:35:43.000 --> 00:35:51.000
As Todd and I talked to you today. We find some of these are probably taken a little bit too lightly, and maybe not engaged.
00:35:51.000 --> 00:35:56.000
But that is another layer of protection to keep your system and your company safe.
00:35:56.000 --> 00:36:01.000
And then lastly, which is probably one of the most, uh.
00:36:01.000 --> 00:36:21.000
Underrated portion to protections against cyber is training. And this first slide that we have really speaks to, um, and will segue into the whole training piece. So, um, it's really important to understand that you can have the strongest firewalls, all the mechanisms in place to protect your system.
00:36:21.000 --> 00:36:27.000
But we are humans, and the human error is a huge contributor to any cyber exposure.
00:36:27.000 --> 00:36:33.000
So just some data over the last year that we came, you know, thought we would bring to your attention, which were causes of breaches.
00:36:33.000 --> 00:36:39.000
Just in the last year, hacking, which includes skimming, phishing, malware, ransomware type of claims.
00:36:39.000 --> 00:36:51.000
They resulted in 59.5% of all claims. Employee negligence was another 10%. Accident exposure, and so forth and so on. It shows you the breakdown.
00:36:51.000 --> 00:37:01.000
But most of claims come through some form of a phishing, hacking, exposure, which really relates back to it's almost one together with the employee negligence.
00:37:01.000 --> 00:37:09.000
It has to do with some, uh, human error. So, having said that, um, we should really talk about.
00:37:09.000 --> 00:37:20.000
What… with the trainings that… that are available. Now, as we go out and obviously contribute to it, we deal with a lot of, uh, the municipal members.
00:37:20.000 --> 00:37:29.000
Um, we're trying to get this out in front of them. There are a lot of resources that are available to folks now, um, through the math forever, uh, grant.
00:37:29.000 --> 00:37:35.000
And certain programs that will provide those resources to you. Um, without any.
00:37:35.000 --> 00:37:44.000
I'm just gonna give it as an example. This is not a promotion or a plug for any particular company, but I know for the math cyber, um, grant, um.
00:37:44.000 --> 00:37:51.000
If you are participating in that, there is a… there's access to KnowBe4, which is one of the very great vendors that are out there.
00:37:51.000 --> 00:37:57.000
Which provide regular training on a monthly basis to all your employees.
00:37:57.000 --> 00:38:06.000
Um, and that, to me, it is probably. One of, um, one of the most important things that you can do. You know, I'll…
00:38:06.000 --> 00:38:14.000
Really impress upon everybody that cyber training is not a one-and-done type of event. It's not, oh, we have our annual training, it's done once a year.
00:38:14.000 --> 00:38:22.000
Um, there are many different vendors that provide different levels of training, but it's something that should be repeated. It's like learning a language.
00:38:22.000 --> 00:38:31.000
You know, as we, you know, go through life every day, we're all multitasking, we're all short-staffed, we're handling many, many jobs and many things across our desk.
00:38:31.000 --> 00:38:41.000
We don't always take heed to the things… the signs or some of the, um… things that we can catch, which would prevent these claims. These…
00:38:41.000 --> 00:38:53.000
Small trainings on a regular basis. Really drive home to all your average employees every day what they should be looking at, how to read an email, how to look at who the email sender is.
00:38:53.000 --> 00:38:58.000
What a link, you know, the signs or the warnings that.
00:38:58.000 --> 00:39:08.000
The tone of an email, um… would be, you know, issues that would obviously, um, create a cyber… a cyber event.
00:39:08.000 --> 00:39:11.000
Alright, so we can go on to the next, uh, slide.
00:39:11.000 --> 00:39:21.000
Which would be, uh, types of breaches. Todd, you want to kind of talk about this a little bit? Yeah, so just the different types of breaches that affect folks, and we went over some of them previously.
00:39:21.000 --> 00:39:26.000
Um, but, you know, it would include employee… the fishing, the, uh.
00:39:26.000 --> 00:39:38.000
The ransomware, or the extortion attempts. The lost or stolen devices, that's another one you lose your cell phone or your laptop, and then now that's… you gotta report that to the carrier, and it's gonna be a response.
00:39:38.000 --> 00:39:57.000
Um, and I think we've already hit them both. We have. So, you know, that's… that's… Um, a good point to bring up, you know, it's interesting, people think of cyber, and they just think of a hacking, you know, exposure. Someone, you know, broke into your system and stole data.
00:39:57.000 --> 00:40:09.000
The… the actors today that are actually masterminding all these. These, uh, ways of coming and getting into your systems or whatever, it's taken a very broad.
00:40:09.000 --> 00:40:24.000
Now, approach. It's not just an email. It can be done through social media, online shopping, even through snail mail now, you can get letters in the mail which will prompt you to do something, which will lead eventually to.
00:40:24.000 --> 00:40:37.000
You know, an online cyber attack. The 15 scams that are going on, they're getting so complicated and so sophisticated, they're starting to name them. You know, in the last year, one of the most common ones that we was.
00:40:37.000 --> 00:40:47.000
Seeing that we're coming across our desk was this grandfather scheme where, um, the bad actors were pretending to be a family member, or a member that.
00:40:47.000 --> 00:40:54.000
Was trying to help someone, and this whole. Scenario in, in, um…
00:40:54.000 --> 00:41:01.000
And rolls and evolves into. Making an employee or a person respond to whatever the.
00:41:01.000 --> 00:41:20.000
The, uh, the situations that they're creating. And again, it ends up in a ransom attack or some kind of breach of your information. Even text messages. You know, you'll get a text message from the CEO or executive director saying, I need you to send me some gift cards, or this person's retirement party.
00:41:20.000 --> 00:41:30.000
We're gonna get together, but can you… I won't have time, can you please go pick up a gift card, or send… send some money here, um, so they're very… they're always changing, they're always evolving.
00:41:30.000 --> 00:41:34.000
Just when you kind of figure out one scam, they're on to the next one.
00:41:34.000 --> 00:41:46.000
So it is really staying on your feet on that. And that's to Tom's point about the cyber training is very helpful. When you partner with a group like KnowBe4, or… and there's other groups out there, too, it doesn't have to be KnowBe4.
00:41:46.000 --> 00:41:55.000
Um, they're gonna train your employees just to be mindful of those red flags, those little triggers that are… that say, hey, wait a second.
00:41:55.000 --> 00:41:59.000
You know, let me slow down for a minute. And that… and a lot of the employee error.
00:41:59.000 --> 00:42:05.000
You know, no one's doing it intentionally, it's that, you know, everyone gets so many emails, they're so busy.
00:42:05.000 --> 00:42:11.000
Um, they're overstressed, and so you get these emails that are high pressure, they look legitimate.
00:42:11.000 --> 00:42:17.000
You know, you're going about your day, and you can have all, like Tom said, you can have the best, you know, multi-factor authentication.
00:42:17.000 --> 00:42:24.000
You can have the endpoint detection and response, a great firewall, but all it takes is that one click. You know, someone moving a little too quickly.
00:42:24.000 --> 00:42:33.000
Not keyed into those red flags. And then making the error of… Um, you know, opening up the company to a separate, you know, attack.
00:42:33.000 --> 00:42:34.000
So, Tom and Todd, I have… I do have a couple of questions that came in.
00:42:34.000 --> 00:42:38.000
Thank you. Sure.
00:42:38.000 --> 00:42:46.000
If Retirement Board staff members participate in cybersecurity training, our staff does the KnowBe4 training.
00:42:46.000 --> 00:42:51.000
Are there discounts offered on the yearly premium?
00:42:51.000 --> 00:42:57.000
That would probably depend on where the… who the insurance carrier is. Um, I know in…
00:42:57.000 --> 00:43:05.000
In the product that we provide, uh, because we take a loss control risk management approach to the insurance, so there are credits that are.
00:43:05.000 --> 00:43:11.000
Provided when, um. When there is, uh, proper.
00:43:11.000 --> 00:43:28.000
Cyber prevention, um, in play, including, and I know, um. Matt definitely touched upon this in his presentation, and it goes without saying, he did a great job really detailing what a response plan is.
00:43:28.000 --> 00:43:35.000
But the most important takeaway about what he explains is that you do have a response plan.
00:43:35.000 --> 00:43:44.000
Um, as Todd and I were listening, we were listening to the presentation, saying, you know, we… We bring this up to our members all the time, that you really do not.
00:43:44.000 --> 00:44:00.000
I will just start with this. I'm hoping that many of you out there listening have not experienced a cyber loss. Maybe some of you have, so this will really ring home, but, you know, the way they refer to cyber today, it's not a matter of if, it's just really a matter of when.
00:44:00.000 --> 00:44:08.000
Because these… these cyber schemes are getting so, so sophisticated, uh, with all the training in the world, best.
00:44:08.000 --> 00:44:18.000
MFA, EDR solutions and insurance, um, they still sometimes get through, and they are getting so sophisticated that you want to make sure you have all these things in play.
00:44:18.000 --> 00:44:25.000
We really make sure that you don't want to go this alone. You want to have the insurance in place for you, because all the things that.
00:44:25.000 --> 00:44:33.000
Happened during that response timeline are very trying… they're very complicated, not something you'd ever want to go alone.
00:44:33.000 --> 00:44:49.000
So, having the response plan in place is very, very important, along with the training. And yes, most carriers would provide some kind of a credit. And, you know, a lot of the training and, you know, a lot of carriers now, you're going to have to fill out an application. They're fairly extensive, to be honest.
00:44:49.000 --> 00:44:57.000
I would not recommend any… unless you are the IT department for your retirement board, but if you use a third party, you're going to want their assistance.
00:44:57.000 --> 00:45:02.000
Or your IT department, if you have one, to complete those applications. But the applications.
00:45:02.000 --> 00:45:07.000
Are going to ask those type of questions. So, if you don't have multi-factor authentication.
00:45:07.000 --> 00:45:14.000
Chances are, they won't even offer you a quote. Um, if you don't have endpoint detection and response, chances are you can't even get a policy.
00:45:14.000 --> 00:45:21.000
But some of the triggers, or the questions they'll ask on the application are, what type of training do the employees do? Do you have a program that you use.
00:45:21.000 --> 00:45:26.000
To give education to the employees. And then that's where the underwriting credits, so to speak.
00:45:26.000 --> 00:45:34.000
Would come from, is that you have a… you have a lesser loss profile, so they're gonna give… price you according to that.
00:45:34.000 --> 00:45:42.000
Right? And so I think that's more of where you get the credits. Um, but… The credits, even if they gave you a 10% credit, most of these premiums are not.
00:45:42.000 --> 00:45:50.000
You wouldn't be doing… like, you would want to do these trainings regardless of whether you had the credit or not, and the credits are going to be relatively small.
00:45:50.000 --> 00:46:07.000
If they are available for most of these carriers. And I will… exactly what Todd just said. Absolutely, you want to mitigate, obviously, you know, your costs, your operating budget, and credits are very much welcome, and they should be provided and rewarded for taking those efforts and.
00:46:07.000 --> 00:46:12.000
Protecting yourself. But regardless. Again, as I said earlier, it, you know.
00:46:12.000 --> 00:46:20.000
If you've never experienced a cyber, um. Experience, you don't want to, so I would put all these things into play.
00:46:20.000 --> 00:46:25.000
Regardless of what you are going to be credited on your policy.
00:46:25.000 --> 00:46:34.000
What's that saying, an ounce of prevention is worth more than a pound of cure, it would… to mitigate any exposure to a cybercrime.
00:46:34.000 --> 00:46:36.000
Would be well worth it.
00:46:36.000 --> 00:46:47.000
Okay, and speaking of prevention, this one's a little unrelated, or could be unrelated, but someone asked, um, should, uh… Should we have RFID cards?
00:46:47.000 --> 00:46:48.000
Are those helpful?
00:46:48.000 --> 00:46:58.000
We… so… yeah, those are great, um, alter… so, not an alternative, but they're another mechanism to do multi-factor authentication. So, as they call it, 2FA, a two-factor authentication, but yes.
00:46:58.000 --> 00:47:06.000
An RFID card, um… can be helpful as a way to do that second authentication to prove that it's you.
00:47:06.000 --> 00:47:13.000
Yeah, you know, the only… The only, um, negative there is that if it were to be stolen, then that person has the same key.
00:47:13.000 --> 00:47:21.000
To potentially breach into the system, but yes, a lot of… a lot of the MIIA members do use those. They have little key fobs.
00:47:21.000 --> 00:47:29.000
And those are great ways to do the multi-factor. But to expand on what Todd's saying, back to one of the previous points he made.
00:47:29.000 --> 00:47:37.000
Um, insurance carriers definitely want to see that there are, uh, safety, uh, loss control precautions in place.
00:47:37.000 --> 00:47:44.000
Mfa, your multi-factor authentication, is something that is extremely important and would have a severe impact on.
00:47:44.000 --> 00:47:47.000
Whether you could even be quoted, or what that quote would look like.
00:47:47.000 --> 00:48:00.000
Um, when you're dealing in the municipal space, I know there are challenges and hurdles to get around with MFA, uh, especially when you're trying to do the multi-factor authentication off of a, you know, code that comes up on your cell phone.
00:48:00.000 --> 00:48:09.000
And the whole use of cell phones, but to Todd's point, in using those cards, fobs, whatever, there's many different ways that you can implement.
00:48:09.000 --> 00:48:14.000
Um, MFA to get around those challenges, so don't let those challenges ever.
00:48:14.000 --> 00:48:22.000
Be the preventative cause why you did not institute MFA.
00:48:22.000 --> 00:48:23.000
And how do you determine the level of insurance you should get?
00:48:23.000 --> 00:48:28.000
That's very important.
00:48:28.000 --> 00:48:36.000
That's a $64,000 question. But what I would… what I would tell you is, you know, you kind of look to what the industry is providing. It has come a long way.
00:48:36.000 --> 00:48:43.000
Um, you know, back in the day, the differences between carriers were very extreme. There has… there has kind of been a standardized.
00:48:43.000 --> 00:48:57.000
Um, coverage form that's kind of come about, and I think that's… you know, Matt's presentation highlighted that, for the most part, most policies you're going to have, that you do want to… to Jeff's point, you do want to be mindful of the exclusions and maybe the endorsements you can add.
00:48:57.000 --> 00:49:02.000
To pick up some, um, maybe gray areas, or shore up some of the gray areas.
00:49:02.000 --> 00:49:12.000
But as a general rule, most folks… we quote everyone at a million, just… right out of the gate, we're gonna definitely quote a million across the board. There are some sublimits, and sometimes.
00:49:12.000 --> 00:49:18.000
You know, Matt mentioned that as well. Most cyber extortion or ransomware and cyber crime tends to be capped.
00:49:18.000 --> 00:49:27.000
Maybe $250, $500. But if you're maybe a smaller retirement board, you could consider a half a million, um, potentially, but…
00:49:27.000 --> 00:49:34.000
For any quote we would ever do, and I'm sure Jeff would be in the same… in the same arena, you're gonna… we typically would start at a million.
00:49:34.000 --> 00:49:43.000
But if you're a much larger retirement board, we'd look at your exposures, you know, how much assets you're protecting and the revenue, and we would maybe.
00:49:43.000 --> 00:49:49.000
Suggest higher limits, but typically you would just quote options and then see how it comes from a pricing standpoint.
00:49:49.000 --> 00:49:54.000
And that might dictate, you know, where you land as well.
00:49:54.000 --> 00:50:02.000
But that's also a question too, Natasha, that I would just say that, um, no matter what line of coverage you're trying… you're quoting.
00:50:02.000 --> 00:50:07.000
Um, you… every… every entity is different. Their financial thresholds are different.
00:50:07.000 --> 00:50:14.000
So, those kind of… limits should be customized to what your… what your needs are. Any good agent will give you probably as charged.
00:50:14.000 --> 00:50:22.000
Trying to point out that we would provide. What a recommendation from at least the minimum coverage, you shouldn't go below this threshold.
00:50:22.000 --> 00:50:33.000
But ultimately, what limits you would need would really need to be customized and suited to your entity and financial threshold. And another thing that goes in line with that.
00:50:33.000 --> 00:50:43.000
Is, um, is deductibles, right? You may say, you know what, we want a million dollar policy, but at this deductible, a $2,500 deductible, we can't really afford it, but when it gets to $10,000.
00:50:43.000 --> 00:50:51.000
We can afford that. It makes it more palatable. So there's multiple ways to play that, um, those options to come up with a customized solution.
00:50:51.000 --> 00:50:52.000
Okay, I have a couple more questions, and then we can… move on. Yeah.
00:50:52.000 --> 00:50:57.000
Yeah. The questions are great. The questions are great. Please, you know, this is… this meeting's for you guys, so please, uh, send as many questions as you have.
00:50:57.000 --> 00:51:01.000
So, the…
00:51:01.000 --> 00:51:03.000
We'll try to get through them.
00:51:03.000 --> 00:51:11.000
Yes, so does the municipality insurance cover any of this if we use their IT department? And then the second question I have is related.
00:51:11.000 --> 00:51:19.000
Um… do we need a separate policy from the town if they have their own cyber insurance policy?
00:51:19.000 --> 00:51:21.000
So it's kind of the same question.
00:51:21.000 --> 00:51:27.000
Great, it's a great question. Yeah, that's a common question that we're seeing, too. So, um…
00:51:27.000 --> 00:51:38.000
Yeah, and then also, I just wanted to, um, jump in for, uh, Jeff and Dave and Matt, if you're still on, you can feel free to jump in to answer any of these as well.
00:51:38.000 --> 00:51:40.000
Sorry, go ahead.
00:51:40.000 --> 00:51:50.000
Okay, so we got regarding if the municipal. Coverage blankets over to, I guess, the Retirement Board. Um…
00:51:50.000 --> 00:51:56.000
That's a common question that's being asked. So, um, it's understood, and correct me if I'm wrong.
00:51:56.000 --> 00:52:01.000
Retirement boards are a complete and separate entity from the actual municipality.
00:52:01.000 --> 00:52:12.000
So, if you have a town. That you're not a… you're not a… county or district retirement board, the other retirement board, just for a specific town.
00:52:12.000 --> 00:52:19.000
And even though you are in that town hall. Um, and you may be using their network.
00:52:19.000 --> 00:52:25.000
Um, we would have to look at that, but you would need your own separate policy.
00:52:25.000 --> 00:52:32.000
Yeah, I agree with what Tom's saying. Unless you have it in writing, you know, verbal is great, but.
00:52:32.000 --> 00:52:37.000
Doesn't hold much water, unless you have an, you know, a certificate of insurance.
00:52:37.000 --> 00:52:47.000
A policy naming you as an additional named insured. You know, unless you have one of those in hand, I can't say for sure you'd be covered by the municipality's policy.
00:52:47.000 --> 00:52:53.000
Yeah, yeah, so… so we do, you know, with… within Maya, which, you know, Tom and I.
00:52:53.000 --> 00:53:04.000
Or… Cabot is a third-party administrator for the MIIA program, so under that, we insure about 380 municipal-based entities, including… for a lot of them, the cyber insurance.
00:53:04.000 --> 00:53:12.000
Um, to Jeff's point. That you are a legal separate entity, separate legal entity.
00:53:12.000 --> 00:53:16.000
And so the policy, unless it was endorsed to add the retirement board, which we will not do.
00:53:16.000 --> 00:53:20.000
So we will not add retirement boards as additional insured to the cyber policies.
00:53:20.000 --> 00:53:25.000
There may be a few gray areas where, because you're on their system.
00:53:25.000 --> 00:53:33.000
Their policy may respond to help out a little bit here and there, but I would not want to rely on that if you had a data breach. And certainly.
00:53:33.000 --> 00:53:53.000
We would not respond, or the MIIA program would not respond to any lawsuits that only named or were just naming the Retirement Board. So I do… we do… it is our… strong recommendation that every retirement board has their own separate cyber policy.
00:53:53.000 --> 00:53:57.000
Great, thank you.
00:53:57.000 --> 00:54:02.000
Are there any other questions, Tasha?
00:54:02.000 --> 00:54:04.000
That's it for now, but I'll keep jumping in if any more come in.
00:54:04.000 --> 00:54:13.000
I… yeah? Alright. So, this brings us… so we're going to continue through our slides. I don't know… Todd, we can talk about this, uh, again.
00:54:13.000 --> 00:54:24.000
Uh, Davidson does a great job outlining and walking you through these coverages. I don't know if we need to spend any more time on anything in particular. As Todd said.
00:54:24.000 --> 00:54:32.000
The Iran wants us to… every carrier's policy, um, but generally, there are similar coverages that are provided.
00:54:32.000 --> 00:54:38.000
From, you know, we talked earlier through Dave's presentation, multimedia liability, the security, privacy liability.
00:54:38.000 --> 00:54:51.000
Um, PCI, you know. They are all the same. Limits would be different, there are nuances how maybe crime and ransomware is an approach. I know our policy has.
00:54:51.000 --> 00:54:57.000
One particular set of conditions when it comes to ransom coverage, but again.
00:54:57.000 --> 00:55:02.000
All very important coverages that I guess the biggest takeaway in discussing coverage is that.
00:55:02.000 --> 00:55:08.000
You would not want to go through a cyber loss alone without a carrier stepping in.
00:55:08.000 --> 00:55:14.000
When you do experience a cyber event. There was a deluge of folks that.
00:55:14.000 --> 00:55:31.000
Open and automatically start, uh, getting involved and responding and. Counseling and providing you all the resources you need in order to start the event and obviously move forward and to recover from that event.
00:55:31.000 --> 00:55:45.000
Even IT directors, you know, have experience with IT, but to actually respond to a cyber claim is a… different whole, uh, set of playing rules and games that you just would not want to do. So, um, I…
00:55:45.000 --> 00:55:52.000
I would imagine, I don't want to make any assumptions, because we know what that does, but I would imagine, um.
00:55:52.000 --> 00:56:00.000
All the participants today do have a cyber policy, so I guess we should try to outline just some takeaways for today, if you needed.
00:56:00.000 --> 00:56:07.000
A to-do list on what you need to go back to your offices and figure out what next steps would be.
00:56:07.000 --> 00:56:12.000
Um, would be the three areas that we talked about. So, certainly, cyber coverage.
00:56:12.000 --> 00:56:17.000
I know we just talked about if you are on the same network as a municipality, do you have that coverage?
00:56:17.000 --> 00:56:25.000
Um, we are telling you. Collectively, basically, you would need your own policy, but I would definitely go back.
00:56:25.000 --> 00:56:39.000
Through the municipality that you're working with, get the policy. Have a review done to make sure that if there is coverage, it is in writing. I wouldn't… and that it's been interpreted by whoever the insurance professional is. I wouldn't just make.
00:56:39.000 --> 00:56:44.000
Those interpretations yourself, so… definitely make sure you've got a cyber policy.
00:56:44.000 --> 00:56:49.000
You know, locked and loaded, that is, um, that is enforced.
00:56:49.000 --> 00:56:56.000
Um, check with your IT director. A lot of this stuff, they already handle without you even knowing, because.
00:56:56.000 --> 00:57:02.000
I wouldn't even… I've learned more about IT than I ever thought I would know, uh, just dealing with this line of coverage.
00:57:02.000 --> 00:57:08.000
But when it comes to endpoint detection and response, and you all may not even be familiar with what that is.
00:57:08.000 --> 00:57:15.000
Your IT directors have probably already have that in play, because they're doing what they are paid to do to protect your network.
00:57:15.000 --> 00:57:22.000
And that's already in place. EDR is something that is a requirement for our coverage, so…
00:57:22.000 --> 00:57:28.000
Go, you know, you should have routine meetings. That's the other thing I will add, as we talk to a lot of our members.
00:57:28.000 --> 00:57:37.000
It shouldn't be an island unto itself. Your IT folks should be a regular conversation and meeting with you, so that you are always aware.
00:57:37.000 --> 00:57:48.000
Of what's happened with your systems and your network. But definitely make sure you've got all the checks and balances in place, such as EDR, MFA.
00:57:48.000 --> 00:57:52.000
Um, I know that was a lift, especially in the municipal space.
00:57:52.000 --> 00:57:59.000
Um, some municipalities did a better job and a quicker job at getting that implemented than others.
00:57:59.000 --> 00:58:03.000
You know where you are on that spectrum. If you don't have MFA.
00:58:03.000 --> 00:58:15.000
Fully implemented, every employee, then that's certainly another. Check on your to-do list, I would make sure that that is, uh.
00:58:15.000 --> 00:58:20.000
Underway if it's not fully implemented. And then lastly, the training.
00:58:20.000 --> 00:58:25.000
Cannot express enough how important it is to have regularly scheduled training.
00:58:25.000 --> 00:58:36.000
On a monthly basis, there's a plethora of topics that. You know, again, I'm just using KnowBe4, because we have experience with them. Um, they handle.
00:58:36.000 --> 00:58:47.000
All… all areas and aspects of cyber training, um, and… different exposures to the cyber event. So, definitely make sure that is, uh, happening.
00:58:47.000 --> 00:58:57.000
Folks are checking it. I will tell you this, we… we have training here. If you don't do your training, you lose access to the system, but you're so expected to do your job, right?
00:58:57.000 --> 00:59:03.000
So that's how important this is. That we take this serious, that, you know, that everyone is trained.
00:59:03.000 --> 00:59:07.000
And to know how to be at the ready and respond when there is.
00:59:07.000 --> 00:59:12.000
Some kind of a phishing scheme, or whatever it might be, uh, that's, that's, um.
00:59:12.000 --> 00:59:24.000
Being presented to an employee. Um, so that's… that's very key. So those are my two things. Yeah, and the only thing I would… I would add two things. One is just, you know, one thing I don't know if we touched on it.
00:59:24.000 --> 00:59:30.000
Um, with just the impact of artificial intelligence, so just to have that on your, on your, um.
00:59:30.000 --> 00:59:38.000
You know, on the horizon, I think that's gonna only increase ways for people to kind of find new ways to have breaches.
00:59:38.000 --> 00:59:47.000
Um, and find new ways to slip in. And the other thing, um, if… do you mind going to the first page, or actually, you can go to the last page of the presentation.
00:59:47.000 --> 00:59:57.000
Might be better. And there's a big QR code.
00:59:57.000 --> 01:00:02.000
There you go. All right, so this… this is a link to, um… it actually has our slide deck up.
01:00:02.000 --> 01:00:05.000
So that has… it's a… it's a link to our slide.
01:00:05.000 --> 01:00:11.000
Um, but it also has sample incident, and it's actually a slide we did for Maya.
01:00:11.000 --> 01:00:18.000
Base group, so it might have some of my things in there, but it's similar, very similar to what we did here today. But it also includes a glossary of, kind of.
01:00:18.000 --> 01:00:24.000
Important terms around cyber insurance, and then it also has an incident response checklist.
01:00:24.000 --> 01:00:40.000
In a sample incident response plan. And so… and you can… you don't have to use those ones, those are just examples. You could Google, you know, in… cyber incident response plan or cyber incident response checklist, and you'll find similar ones.
01:00:40.000 --> 01:00:46.000
But that's also a really nice piece to have, because once it happens, you don't want to be figuring out what your next moves are.
01:00:46.000 --> 01:00:56.000
In the middle of an event. So I do think, you know, you don't have to have that thing all filled out and perfectly done, but if you just get a head start, or you fill in the main pieces.
01:00:56.000 --> 01:01:06.000
That way, if something happens, you know, okay, this happened, this is my next move. And then these… this is the timeline of events that I can expect, and the people and the resources I need to bring in.
01:01:06.000 --> 01:01:22.000
To respond to this effectively. Because you do want to be, you know, timely with these. This isn't like… you know, our car got damaged, and, you know, they can come next week to look at it, nothing's gonna change. Um, you gotta be fast moving when these events occur to limit any future, uh, detailed, you know, uh.
01:01:22.000 --> 01:01:29.000
Future damages, um, as well. So the sooner you can… you can shut it down and stop the infiltration.
01:01:29.000 --> 01:01:34.000
You might be limiting greatly the actual claim you have, so please make use of those resources.
01:01:34.000 --> 01:01:44.000
With your IT team, too.
01:01:44.000 --> 01:01:54.000
Any other questions that maybe came up, or…
01:01:54.000 --> 01:02:09.000
There was one that came in earlier, let me get… go back through the chat. Um, so you did touch on the coverage other… coverages, or the different types. Are there ones that are most important for retirement boards?
01:02:09.000 --> 01:02:16.000
There's probably a long list on the policy. I mean, I'm sure everybody would agree.
01:02:16.000 --> 01:02:21.000
You know, the ransomware is obviously a large component, the funds transfer.
01:02:21.000 --> 01:02:30.000
Regulatory, I mean, Massachusetts requires that you pay for 18 months of credit monitoring for every party's information that was exposed.
01:02:30.000 --> 01:02:36.000
I mean, that could run $10 to $40 a month for each one of those parties. That's a staggering figure.
01:02:36.000 --> 01:02:47.000
Um, you know, the privacy liability, AT&T just settled a class action suit for their breach. That was $177 million settlement.
01:02:47.000 --> 01:02:57.000
I'm sure Tom… you know. Tom and Dave could add more to this, and Todd…
01:02:57.000 --> 01:03:06.000
Yeah, you know, when this coverage first started coming out, you used to be able to… and you still can buy it a la carte. So, right, we went through all, you know, match.
01:03:06.000 --> 01:03:17.000
Showed all the different coverage forms that are available, and theoretically, you could get them a la carte, but it typically just doesn't make sense. You know, the amount of money you're saving to pull out.
01:03:17.000 --> 01:03:24.000
You know, maybe brand protection. You know, you save $50 on $2,000 or $3,000 of premium.
01:03:24.000 --> 01:03:30.000
I don't… I don't think it's worth it. I think nowadays it's become a relatively standardized offering from carriers.
01:03:30.000 --> 01:03:34.000
Um, again, there are some differences. You do want to pay attention to those.
01:03:34.000 --> 01:03:37.000
But for all intents and purposes, you're going to want to take.
01:03:37.000 --> 01:03:47.000
The offering that the carrier prevents, or presents, um. Probably all of it, not just, you know, pieces of it, yeah. So I don't think it would make sense to…
01:03:47.000 --> 01:03:50.000
Cherry-pick your coverages. I would… I would go with what they offer, and then.
01:03:50.000 --> 01:03:56.000
You know, either you have a half a million, a million, or, you know, two million, or whatever you… whatever you might need.
01:03:56.000 --> 01:04:05.000
But, you know, on that note, I would recommend that we don't… We don't know exactly what coverages you all have, but depending on how your other coverages line up.
01:04:05.000 --> 01:04:10.000
Some carriers will provide some cyber coverage under your package policies and whatnot.
01:04:10.000 --> 01:04:17.000
We really would recommend that you have a. Full, comprehensive cyber policy.
01:04:17.000 --> 01:04:24.000
To Jeff's point, a lot of the coverage that he outlined, they… they are usually baked in as.
01:04:24.000 --> 01:04:32.000
I know on our demonstration, like, we let them A through J, a lot of those standard coverages will come in. Your limits, you probably have.
01:04:32.000 --> 01:04:51.000
Some flexibility on what you would. You would choose the limits, but, um, I wouldn't just rely on a throw-in that's on the package. I would make sure you have a comprehensive plan policy. That's a great point. We've talked to so many folks before where they're like, oh, we have cyber, and then they send us a copy of it, and it's just an endorsement on their general liability policy for.
01:04:51.000 --> 01:04:52.000
Yeah.
01:04:52.000 --> 01:05:01.000
5 or 50,000 of data breach. That's not… it's… that's not worth anything. That's just enough to let you know how in trouble you're gonna be.
01:05:01.000 --> 01:05:02.000
That's not to get you in trouble. Well, right.
01:05:02.000 --> 01:05:07.000
Agreed. That 50,000 endorsement's not going to get you much, uh.
01:05:07.000 --> 01:05:08.000
Right. Right. Right.
01:05:08.000 --> 01:05:15.000
You know.
01:05:15.000 --> 01:05:24.000
So, understanding there are many variables. What's the ballpark range for premium costs?
01:05:24.000 --> 01:05:25.000
That's a dollar question.
01:05:25.000 --> 01:05:33.000
Yikes. Um… That's a tough question. It's gonna, you know, some of the determining factors, you know, are gonna be…
01:05:33.000 --> 01:05:38.000
The size of the board, obviously, funds under management, number of employees.
01:05:38.000 --> 01:05:45.000
I mean, you could look at a policy on the low end from, you know, $3,000 to $4,000 to, you know.
01:05:45.000 --> 01:05:48.000
Onward and upward, depending on the size of the board.
01:05:48.000 --> 01:05:52.000
Yeah, and then, obviously, what controls are in place, what limits you're buying, so there's just… it's a tough question, Bill. I think there's too many variables to kind of give you.
01:05:52.000 --> 01:05:57.000
Right.
01:05:57.000 --> 01:05:59.000
And answer responsibly.
01:05:59.000 --> 01:06:13.000
Right. But I will tell you, to expand on that, and not to sound like a broken record, you know, there should be budgetary line items for… for this. I mean, I'm sure the insurance piece would be rolled out under your insurance budget.
01:06:13.000 --> 01:06:27.000
But there are costs to being, you know. Very diligent and protective with cyber, so all the things that we had named, you know, MFA, EDR, those don't come for free. They're all costs associated with putting those.
01:06:27.000 --> 01:06:48.000
Preventive, um, things in place, including insurance. So, you know, if you have… your IT person would be a good person to start with. I don't know how detailed any of you get involved with budgeting thought IT and cyber, but if not, that may be a new exercise for you, um, and this should be all part of it.
01:06:48.000 --> 01:06:56.000
Always try to mitigate, you know, bottom line dollar, but there's just certain things. I'm not saying you should just throw any money at a cyber policy.
01:06:56.000 --> 01:07:02.000
But you're not… you almost get what you're paying for. I don't know, Jeff, you and Dave may want to kind of chime in and agree, um, and this is… Yeah.
01:07:02.000 --> 01:07:03.000
Yeah.
01:07:03.000 --> 01:07:09.000
I know, you hit that… hit the nail on the head, right? I mean, you can get a cheap, cheap policy, and then when you have a loss, you have no coverage, right? So it's… you get what you pay for, and I think.
01:07:09.000 --> 01:07:12.000
Right.
01:07:12.000 --> 01:07:21.000
You had a great point. You're investing in the policy, right? So if you have the procedures and policies in place, so you're spending money from an IT perspective.
01:07:21.000 --> 01:07:27.000
It will correlate to, you know, a reduction or a better premium, you know, for subsequent years. So.
01:07:27.000 --> 01:07:32.000
It's kind of a total cost, right? You have your IT cost, then you have your policy cost.
01:07:32.000 --> 01:07:42.000
But it's a… really like a co-investment. So you make that investment in your IT, it's going to help you on the premium side.
01:07:42.000 --> 01:07:45.000
And one thing I thought, Tom, you guys had a great point about.
01:07:45.000 --> 01:07:53.000
Training and, you know, I think one thing people are afraid of is asking, you know, if they get an email from somebody, they don't want to seem stupid and call them.
01:07:53.000 --> 01:07:59.000
I would say don't be afraid. I mean, I… my wife works with me. If she sends me an email asking for money, I don't trust it.
01:07:59.000 --> 01:08:07.000
You know, I would go into the office, I'll verify it, I'll do all the things I would do with anyone, so… I would say don't be afraid to make that extra call.
01:08:07.000 --> 01:08:09.000
Just to make sure that it's not fraudulent. There's just, you know, these… the… they're getting so sophisticated, and it looks so normal.
01:08:09.000 --> 01:08:10.000
Yeah.
01:08:10.000 --> 01:08:14.000
Right.
01:08:14.000 --> 01:08:23.000
That, you know, make that extra call. Just don't take anything, like, you know, at par, right? Assume everything's a scam until you… until it's not.
01:08:23.000 --> 01:08:24.000
Well, and that was… Yeah.
01:08:24.000 --> 01:08:26.000
And don't… and don't use the phone number in the email. Use the call from another source that you have, yeah. Yeah.
01:08:26.000 --> 01:08:29.000
Yes. Yes, yes. Yeah, I know it sounds funny, and it sounds… it sounds basic, but I think…
01:08:29.000 --> 01:08:32.000
Okay.
01:08:32.000 --> 01:08:38.000
You know, a lot of people, because we're rushing, we're so busy in our lives, right? We're so stressed out that we just… we act.
01:08:38.000 --> 01:08:41.000
And we don't take our time to really, you know, vet these things out.
01:08:41.000 --> 01:08:42.000
Right, right.
01:08:42.000 --> 01:08:53.000
Yeah. And you made a good point earlier, too, with the AI component. I mean, that's… that's where this is going to even get further scary, is as far as their ability to reproduce voices and calls, even.
01:08:53.000 --> 01:09:01.000
And, you know, there… there has been a couple incidents with boards this summer, you know, where people are poking and prodding and trying small.
01:09:01.000 --> 01:09:06.000
Anything from a big to a small incident. So, um, and I think that's occurring.
01:09:06.000 --> 01:09:15.000
And every business… every business is probably being poked and prodded for vulnerabilities, but, um, you know, it's happening across all spectrums.
01:09:15.000 --> 01:09:16.000
And, you know, one other thing… oh, sorry, Tom, go ahead.
01:09:16.000 --> 01:09:21.000
Yeah, that… Right, no, just to just extend that, I know, you know.
01:09:21.000 --> 01:09:37.000
We're seeing different industries. I don't know if you saw recently, Hollywood is up in arms right now. If you folks are any of this, that… Um, they're up and downs because they're talking about AI, using AI, rather than actually actors in certain movies for cameos and whatnot.
01:09:37.000 --> 01:09:48.000
That's how sophisticated. This simulation has become where they can just take a small sample of your voice, a piece of your voicemail, that's why I said earlier.
01:09:48.000 --> 01:10:14.000
In that presentation that, you know, it's not just you got hacked through an email. They will… You know, when you get texts that these weird texts that come in that just, hey, this is Joe, how you doing? You're like, where'd this come from? They're prompting you for a response for a reason. They're trying to get to know you. The same thing, you may, you know, be left a voicemail, or asked to leave a voicemail. In fact, they want your voice so they can take a clip of that voice.
01:10:14.000 --> 01:10:25.000
And actually duplicate it and create this whole scheme. So, AI, we had just scratching the surface of where that is actually going to go.
01:10:25.000 --> 01:10:31.000
Which, again, I will sound like a broken record, especially the point that Bill just brought up about, you know.
01:10:31.000 --> 01:10:39.000
Make that phone call, that's why trainings are so important. The ongoing training will.
01:10:39.000 --> 01:10:50.000
Walk you through this regularly, and they will keep you apprised of every kind of step that this is evolving, um, because we have not seen… there's no endpoint where this is gonna go.
01:10:50.000 --> 01:10:58.000
Um, it's… Unfortunately, you wish these bad actors took all that energy and put it into good.
01:10:58.000 --> 01:11:05.000
Things, but… they've decided to go in this direction, so we just need to be vigilant.
01:11:05.000 --> 01:11:06.000
Every day.
01:11:06.000 --> 01:11:12.000
No. No, they're making money, and they're gonna keep on doing it until… maybe something occurs that's going to determine, but I don't know when that's gonna happen.
01:11:12.000 --> 01:11:14.000
Exactly.
01:11:14.000 --> 01:11:28.000
Yeah, and um, to your point, when we met earlier, I think it was Tom who brought up the point that these are not just some random folks sitting in someone's basement. These are sophisticated individuals with advanced degrees who know how to.
01:11:28.000 --> 01:11:30.000
Mimic the system.
01:11:30.000 --> 01:11:37.000
Yeah, and they're generally foreign parties, and that's, you know, going back to something Tom said and Matt said.
01:11:37.000 --> 01:11:46.000
I think, you know, having that incident response team that's gonna step in and really do the heavy lifting for you, I mean, obviously, if there's a breach.
01:11:46.000 --> 01:11:52.000
There's gonna be a process. But to have that incident response team that's going to deal with these other parties.
01:11:52.000 --> 01:12:00.000
They have the legal expertise that's gonna come in, you know, the IT teams that are going to help with everything. It's key.
01:12:00.000 --> 01:12:03.000
Yeah, and I think to echo both of those statements, when.
01:12:03.000 --> 01:12:10.000
Something may happen that, you know, could be an issue, right? I think make sure that everyone who works at your organizations.
01:12:10.000 --> 01:12:15.000
Tell you about it, right? So if they click on a link and they, you know, they're not sure if it's a.
01:12:15.000 --> 01:12:23.000
A scam or not, just report it. You know, let the teams that know what they're doing look into it, so that way, if there is something that happened, they can get ahead of it.
01:12:23.000 --> 01:12:33.000
And, you know, make a, uh… you know, make it a distraction, not a disaster, right? So if somebody hits something, have them not be afraid of repercussions.
01:12:33.000 --> 01:12:36.000
Go report it, and tackle that issue right away.
01:12:36.000 --> 01:12:42.000
I did get one question that just came in. Uh, 4K seems low for a quote.
01:12:42.000 --> 01:12:55.000
Do you currently insure Massachusetts retirement systems, and can you give anonymously an example of a board size in asset value and the cost of their policy?
01:12:55.000 --> 01:13:00.000
We do… we do insure a number of retirement systems now.
01:13:00.000 --> 01:13:08.000
And we do have some boards at that price point.
01:13:08.000 --> 01:13:14.000
The ones we insure through the Maya program. Um, Maya… Maya covers the cost.
01:13:14.000 --> 01:13:20.000
For all members currently, so there is no premium. We've basically purchased one large policy for all members.
01:13:20.000 --> 01:13:29.000
And so there's no individual cost just yet, but we could… we could look into that and maybe get back to you with a few of the ones that are outside of that program.
01:13:29.000 --> 01:13:36.000
Yeah. If you go into the standard market, though, 4000 is probably on the very low side. I would say. Would you agree, Jeff?
01:13:36.000 --> 01:13:37.000
Yes. Yeah.
01:13:37.000 --> 01:13:43.000
Yeah, then it goes to your limit, right? That would probably be… we tend to try to start with a $2 million limit, just because the difference in premium between 1 and 2 million is pretty nominal.
01:13:43.000 --> 01:13:46.000
Yeah.
01:13:46.000 --> 01:13:54.000
So it just feels like that's a… you know, to offer $1 million, it just seems too low, so we'll start with 2, and then kind of go up from there, depending on the size.
01:13:54.000 --> 01:14:03.000
Okay, this next question, my impression is that municipalities do not have cyber insurance. Is that your understanding?
01:14:03.000 --> 01:14:21.000
Well, if you're in the Maya program for all lines of coverage, we have it for every single member. And actually, that's a great point. So, we started our cyber program started in 2018 in Maya, and the reason why we started it was because we could not convince members to buy a policy on their own.
01:14:21.000 --> 01:14:25.000
And we kept seeing claims happening throughout the country, and we were saying.
01:14:25.000 --> 01:14:33.000
We're gonna get hit, and it's gonna make us look bad because we can't convince them to buy it, so we just went out and bought it for every single member.
01:14:33.000 --> 01:14:42.000
Uh, we partnered with an insurance carrier. Um, for that, one of the… one of the leading insurance… there's a lot of leading insurance carriers, but we partnered with one that we found.
01:14:42.000 --> 01:14:49.000
To be a good fit, and so we forced it on every member, and now that we've had it, we just… There's no… it's not going away.
01:14:49.000 --> 01:15:00.000
Um, so every, every Maya member at least has cyber insurance. That's over 380 in this country. Let me just interject. That's a very interesting question, but to what Todd is saying.
01:15:00.000 --> 01:15:09.000
Um, there's nobody… on this green planet that has a computer that is immune to a cyber attack. Remember I told you earlier on.
01:15:09.000 --> 01:15:16.000
They really say now, it's not a matter of if. It's just a matter of when. So, um…
01:15:16.000 --> 01:15:26.000
Again, cyber, it's not a tangible thing, like a fire or frozen pipes, where you know how to put certain basic things in place to prevent them.
01:15:26.000 --> 01:15:40.000
Cyber is still, for a lot of folks, in its infancy stage. It's been around for a long time. You know, folks like Jeff and Dave, myself and Todd, we've been dealing for a lot longer than maybe you folks are, but it's really starting to come to the forefront now.
01:15:40.000 --> 01:15:52.000
Because it's at a magnitude that it is, um. But no one, absolutely no one, is immune to cyber exposure. Towns, honestly, municipalities.
01:15:52.000 --> 01:16:11.000
Are extremely vulnerable. They're one of the most vulnerable parties that, um, these cyber… bad actors like to go after, so, um… Again, to Todd's point, it was a lift trying to get municipalities to understand the cyber risk and the needs for cyber coverage, and even the training.
01:16:11.000 --> 01:16:16.000
The coverage is one thing, getting folks to get… to buy into the training was another whole layer.
01:16:16.000 --> 01:16:24.000
Um, but yeah, no. Everybody needs cyber policy, unless you're still doing things by…
01:16:24.000 --> 01:16:28.000
Mail, and even then, I shouldn't say that, everybody needs cyber coverage.
01:16:28.000 --> 01:16:33.000
And I think part of the, uh, when the coverage first came out, it was very expensive.
01:16:33.000 --> 01:16:34.000
Yes.
01:16:34.000 --> 01:16:40.000
Right? And so people didn't want to buy it, and then with more and more carriers got into the market, right, just supply and demand, pricing has come down.
01:16:40.000 --> 01:16:45.000
So now, I think people who haven't maybe looked at it in 2, 3, 4 years.
01:16:45.000 --> 01:16:51.000
They'll be surprised the premium today versus, you know. 2020, or 2021.
01:16:51.000 --> 01:16:52.000
Yeah, there…
01:16:52.000 --> 01:16:57.000
So I think that's… I think that's been a hindrance for people, because they think it's a cost-prohibitive coverage.
01:16:57.000 --> 01:17:00.000
And now they'll find that it's not the case.
01:17:00.000 --> 01:17:01.000
Yeah. Now, there's a lot more carriers in the space, so obviously with that, you know, costs have become.
01:17:01.000 --> 01:17:05.000
Right.
01:17:05.000 --> 01:17:11.000
More palatable, so to speak. I mean, depending on the size of the board, obviously.
01:17:11.000 --> 01:17:16.000
Whatever the number the premium is, obviously, you know, can vary depending on.
01:17:16.000 --> 01:17:21.000
Who you are, but, um… And as Tom said.
01:17:21.000 --> 01:17:32.000
And then there's boards out there doing all the right things, but at the end of this… at the end of the day, you still have a vulnerability, and having a policy in place in case.
01:17:32.000 --> 01:17:39.000
Something does happen, uh, not enough good things can be said about what's gonna… what's gonna happen.
01:17:39.000 --> 01:17:53.000
The incident response team, the coverage. Um, the premiums, you know, they're gonna cover such a large chunk of a possible loss for you, um, that the price point for the premium is going to seem small.
01:17:53.000 --> 01:17:59.000
Absolutely. When you have a loss, you're gonna realize you made a great investment in buying the policy.
01:17:59.000 --> 01:18:04.000
Oh, yeah. You would have paid triple what we… what the charge would be if you had a loss, with no problems.
01:18:04.000 --> 01:18:12.000
Yeah, I mean, just a quick, quick funny story on Cyber. I had a client who… they had their, you know, in-house operations person who was adamant.
01:18:12.000 --> 01:18:19.000
They didn't need the coverage. Fought me, fought me, fought me, basically said I was just trying to make money. It was a $4,000 policy.
01:18:19.000 --> 01:18:21.000
Right? So we're not making a lot of money on these.
01:18:21.000 --> 01:18:26.000
Within the first year, we paid $485,000 in claims. Right? So this is just an example, and this is somebody who never had a policy, who did not think he would need one.
01:18:26.000 --> 01:18:27.000
Oh, yeah.
01:18:27.000 --> 01:18:31.000
Wow.
01:18:31.000 --> 01:18:36.000
So it's just, again, you know, now he's as loyal as they come, right? So it's just one of these situations where.
01:18:36.000 --> 01:18:46.000
You have to trust the reason that they have the coverage is because there's going to be a loss.
01:18:46.000 --> 01:18:47.000
Yes. Yes. Yeah.
01:18:47.000 --> 01:18:55.000
Yeah, cyber falls into that category. It's either go big or go home, right? There's no little… I'm her claim, so… You know, I saw a question come up while we were talking, and it said, why are municipalities.
01:18:55.000 --> 01:19:09.000
Or municipal-based entities more, um… more vulnerable than maybe the commercial marketplace. And part of that is lack of resources, and maybe not the same type of resources that for-profit areas and commercial industries can attract.
01:19:09.000 --> 01:19:17.000
But even then, I mean, you know, when Dave hears that, we've all heard that from potential clients or folks we're talking with.
01:19:17.000 --> 01:19:22.000
And it's like, Target just got hit. You're telling me your IT is better than Target?
01:19:22.000 --> 01:19:34.000
Place, you know, Sony just got hacked. You're saying that… now, I know the same actors probably are… that are going after Sony probably aren't going after you, but you are… you were prime targets because they know your vulnerabilities.
01:19:34.000 --> 01:19:39.000
Um, and you're removing more vulnerable than the standard, you know, market would be.
01:19:39.000 --> 01:19:44.000
And yeah, in municipalities, I mean, just, you have to step back and look at the whole.
01:19:44.000 --> 01:19:51.000
Just the entity itself, right? So you're dealing… usually within a municipality, you're dealing with a school system.
01:19:51.000 --> 01:19:59.000
Public records and town hall, police. Where there's a lot of, you know, where there's all this private information, um.
01:19:59.000 --> 01:20:15.000
There's a lot of, as we say, low-hanging fruit when it comes to municipalities, which would attract these bad actors, so… They're not… well, to Todd's point, you know, sometimes, you know, budgetary restraints and resources are limited.
01:20:15.000 --> 01:20:25.000
On a town, on a municipality level, rather than in, you know, a private sector, but it's not even just so much that, it's just there's… there's a lot of information.
01:20:25.000 --> 01:20:36.000
That makes you attractive to these bad actors. I think there was an event in Texas a few years back where something like 19, or maybe even more municipalities all got hit within the same.
01:20:36.000 --> 01:20:44.000
One to maybe three-day period. And they all had it because they were all using probably very similar systems, so once they got in one, they just, boom, boom, boom, right down the line.
01:20:44.000 --> 01:20:50.000
Yep.
01:20:50.000 --> 01:20:57.000
Well, that looks like it was the… Last of our questions, um, any final points, gentlemen?
01:20:57.000 --> 01:21:08.000
Just buy a cyber policy. I think it's, you know, it's one of these things where, again, it's not a, you know, as Tom said multiple times, it's not a matter of when, it's a matter of, you know, not a matter of if, it's a matter of when.
01:21:08.000 --> 01:21:12.000
And I think that's, you know, the way to looking at it.
01:21:12.000 --> 01:21:15.000
You have to protect yourself in the event of a loss, and.
01:21:15.000 --> 01:21:20.000
Rely, when you do have a policy, you know, rely on the carrier to provide the resources that you're paying for.
01:21:20.000 --> 01:21:29.000
You know, you have a partner. It's not, you know, you're not on an island trying to figure the claim out. You know, rely on the partner.
01:21:29.000 --> 01:21:34.000
Yeah, Natasha, I just want to say thank you. You know what, I guess I'm kind of an insurance geek.
01:21:34.000 --> 01:21:42.000
I know this isn't the most sexy topic, so I think… I think I can speak for all of us collectively as the insurance professionals.
01:21:42.000 --> 01:21:48.000
If everybody walked away with maybe one thing from this today, this webinar, we've done some good.
01:21:48.000 --> 01:21:59.000
Uh, because this is a really difficult subject matter to get people to get the… had an arms wrapped around, so we thank you for that opportunity.
01:21:59.000 --> 01:22:00.000
I want to thank all of you. Oh, Jeff, sorry, go ahead.
01:22:00.000 --> 01:22:01.000
Black dots do that.
01:22:01.000 --> 01:22:06.000
Yeah. No, I was just gonna say the same, and as we heard earlier, the coverage and the pricing.
01:22:06.000 --> 01:22:14.000
Has gotten better than where we were. Years ago. And so, it's a… it's a better product, and I think.
01:22:14.000 --> 01:22:23.000
Speaking for Tom. Todd and Dave, it's a product that I think we feel very good about presenting to people now.
01:22:23.000 --> 01:22:27.000
Um, and so… and thank you, thank you for all for being here and listening.
01:22:27.000 --> 01:22:29.000
Thank you, everyone.
01:22:29.000 --> 01:22:34.000
All right, great. Well, again, yes, thank you everyone for attending and listening to.
01:22:34.000 --> 01:22:43.000
All of this great information. I am going to… this webinar, as I mentioned before, was recorded, so it will be available, um.
01:22:43.000 --> 01:22:48.000
To rewatch on our website, anyone who wasn't able to attend can get… still get credit for it.
01:22:48.000 --> 01:23:03.000
Um, there will be a survey that will pop up on your screen when I close the webinar. Please submit your feedback. We always read your feedback and listen to you. We're always trying to improve these webinars and provide you.
01:23:03.000 --> 01:23:09.000
With the information that you want, so just let us know what you, uh, would like to hear next from us.
01:23:09.000 --> 01:23:12.000
Ken, I don't know if you wanted any last words.
01:23:12.000 --> 01:23:17.000
My last words are just to thank our speakers. We appreciate it very much.
01:23:17.000 --> 01:23:18.000
Thanks for having us. Appreciate it.
01:23:18.000 --> 01:23:22.000
Yes. Thank you. Okay.