Rising Cybercrime Costs & How to Lower Your Insurance Bill!

Transcript of the conversation with Cyber Insurance Expert Karl Balian

Alyssa Butler
Hello, everyone. Welcome to our LinkedIn Live with Careful Security. Thank you for your patience. We have an expert in the insurance field with us today, since our subject is cyber insurance and cybersecurity. So thank you, Karl Balian, VP of Benbrook Insurance Group, for being here with us today. Hello, Karl. How are you?

Karl Balian
I’m doing well. Thank you so much. Happy to be here. Great.

Alyssa Butler
Thank you. And of course, we have another expert in their field, Sammy Basu the CEO of Careful Security. Hello, Sammy. Good afternoon.

Sammy Basu
Thank you. Thank you, Alyssa. Happy to. I’ve known Karl for a long time. He is an expert in the field of cyber insurance. So, let’s jump right in. Thank you. Yeah,

Alyssa Butler
I think let’s just go right in and talk about how our businesses deal with the increasing cost of cyber insurance.

Karl Balian
Absolutely. So, I’m going to share my screen and I’m going to share a few screens. But I’m going to go through some of the challenges that are in today’s environment as far as cyber insurance is concerned. So, I’m going to share here, your screen. I have multiple screens. So some of the trends that are happening right now in the cyber world. And if you guys have been listening to the news, or any of the fields that have been going on with some of the big, big, big hotels and resorts that have gotten hacked, for ransomware, a couple of things that have happened in the last 60 days, and I’ll share an email that I got because I’m part of the MGM group as well. I’m one of their clients. And so, one of the things that happened is that a cyber-attack happened on their network. And all of their data was taken hostage by two big resorts. One of them was the Caesars Resorts. The other one was MGM Resorts which controls about 80% of the gaming in the country. And in Las Vegas. One of them got up and running within two business days, which is Caesars, and they had to pay out a ransom that was over $35 million, which the insurance companies pay for. The other one decided to go the other direction and not pay the ransom, and was losing $12 million a day for close to three weeks, right? And tried to redo all their configurations and use their security systems to kind of reboot the system and get the hackers out. So that’s been in the forefront. And I’ve been getting a lot of calls and a lot of emails regarding Hey, am I secure? Am I covered? Do we want to do a review? It was something that we declined earlier when we first got all of our insurance up. And now we want to take a look at it. Right? So, we’re creatures of habit. And when we see things happen, we kind of ebb and flow with what’s going on in the marketplace. So, I’m going to go through a couple of the trends that are happening right now. So, there’s a huge attack right now on US companies. Right? 
Now, companies like the ones I’ve mentioned, are front and center, because there are a lot of hands in the cookie jar. They’re a big company, they’re multi-billion-dollar publicly traded companies, and so forth. But what does that mean for the smaller companies? So, we’ve seen studies that have shown us that cyber-attacks have gone up between 30 and 60%. Right? Demand for payments has gone up significantly. And there isn’t much policing going on. So if you think about 30/40 years ago, people were trying to steal money, it was the banks, right? So they would walk into the bank and say, give me all the money, and then they run out. But there was policing, and there were people that would kind of monitor, whether it was the FBI, the local police, the state police, whatever it was. Today with cyber-attacks, there is no policing, right? Most of the attacks were coming from overseas, a lot of them were coming from Russia and Ukraine. We saw a little bit of a dip last year. And I’ll go through some of those trends. And then now we’re seeing a big spike back into a lot of the cyber attacks and ransomware. So one of the things, and I’ll jump in here, is you can see here from 2018 till about the second quarter of this year, where the ransom payments have been going. This is based on the insurance companies themselves. You see this huge spike towards quarter two of 2023. And once we get into the fourth quarter, this is going to go up even higher because now they’re going to include those payments that were made to the resorts as well. So we’re seeing a lot of companies are saying, well, we’re not MGM. And we’re not Caesars, we’re not multi-trillion dollar companies, right? The average attack payment is under a million dollars. Right. And that’s most mid-small to mid-sized businesses towards emerging growth companies, right? Generally between 50,000,200 and 50 million in revenue. 
And the average payment is just under three-quarters of a million dollars, and one in three is getting paid. So that’s over 33%, as we saw on the previous slide, that they’re getting payments, then how are you insured? What are you looking at? How are you protected? Have you gone through and looked at your coverages? A lot of people think under their general liability or their commercial package that they have coverage, but they don’t. And if they do, it’s very minimal. And it’s nowhere near the $740,000 of coverage that they need to be. Generally, a lot of times the cyber attackers know exactly how much coverage you have because they’ve already hacked into your system. They haven’t come to you yet and taking control of your network. But they know exactly how much coverage you have. And that’s exactly how much they asked for. So if they see that you have $2 million in coverage for cyber ransomware, guess how much they’re asking for $10 million. If you have a million dollars of coverage, guess what they’re asking for, you’re asking for a million dollars, and they’re going to get it because you have no choice, and there’s no recourse. So how did they determine costs and so forth? So I want to jump down to this screen here. So basically, what we like to do is there’s a spectrum just like any other type of risk on insurance coverage, they look at the risk and where you’re geographically. For property. For example, if you’re in a high brush area, you’re going to pay significantly more to cover your property than if you’re down in an urban area where the risk of fires is very low. Right, it’s the same principle on insurance across the board for all types of coverage, they’re going to look at your industry. And they’re going to see where your revenues come from, and where the risks are. And based on that, they’re going to score you guys. Okay, I’m gonna write the security assessment, and then we work directly with your cybersecurity company. 
And we’ll ask for an application. Based on the answers that we get and the type of security that you have in place, the industry that you’re in, the type of risk that you are, and how much revenue you guys generate, will then determine a scoring for you guys, for each company. Based on that, the premiums and the coverages will be aligned. Right? So we’ll look at your company and we’ll say, you are an online sales store on Amazon, right easy example. 100% of everything you do is online, whether it’s the logistics, whether it’s direct to the customer, whether it’s ordering everybody’s order from Amazon, right, we all get online, we pick what we want, and so forth. How much data do they have? Right, Amazon? Do they have your name, address, credit card information, social security numbers, and so forth? So that would come at the very, very, very top end of the risk, versus a small clothing manufacturer that’s in an industrial area that has a smaller customer base, right, I’m giving extremes here, right? So and everybody in between. So based on that data, they’ll take it in, what we do is we work through all the carriers. And we’ll come back and there’s a big fluctuation, as far as premium is concerned based on carriers and their appetite based on your industry, your geographical location, and your risk factor. But all of that is things that we do on the back end, and then we’ll come back and see based on the recommendations, here’s the coverages with the with with the carriers. And these are the limits that you have. And then based on the demographics of your company and your total revenues. These are our recommendations, right? And we want to get that in place. And that will supersede and go above and beyond what you think you already have under a package policy that you’ve purchased. Thinking that you have this type of coverage. Another thing that we do is we work directly with your cyber security company. 
And what we’ll do is we’ll have packages through your cyber security company to offer coverage above and beyond what you have. Now that would be something that we would get on top of what you’ve already covered on your own. And that’s more for the MSPs, like yourselves careful to make sure that if anything, if there is a breach, or when there is a breach if it was due to the negligence of the cybersecurity company, they have additional coverage on top of what they’ve already done. So we’d like to have a little bit of redundancy. You know, it’s, I always say it’s not important until it becomes important, right?

And because I’m in this industry, and I do this, not only on the cyber side, but for all the coverages every single one of my clients, is mandated to take at least some level of the cyber suit, coverage, and insurance. Just another example, and I’m going to share some personal information here. Just jumping over here. So like I said, I’m a member of M Life, which is part of the MGM Resorts. And I did get an email directly from them. And I will share I think it’s this one, right? Yeah. So this was sent directly to me from MGM Resorts saying that there was an attack, that my data was compromised, that they have on me, and they have my credit card information, and they have my personal information. What they were willing to do for me was offer me free identity, identity protection, and credit monitoring services for one year. If I was interested in taking it reach out to their phone number and give them a call. So just an example of something that directly impacted me and my wife. So we did call, and they are going to be paying for a year of credit monitoring for us. There’s also a class action lawsuit against them above and beyond the ransom, which the cyber security and cyber insurance do cover as well. And they are going to have to go to excess. So that class action, once it’s settled, is going to go above and beyond what coverage they have. So most companies like this have what’s called excess coverage, which is what we know as an umbrella. So if the lawsuit goes above and beyond what the limits are, then the excess kicks in. And it may even go beyond that, depending on how long and how many people are in the class action. So a very good example of what we’re talking about, and it hit home to me. So, just wanted to share that. The other thing that I wanted to go over with you guys was I got to bring it up because I have it here. Just a little bit of data for you guys to give you some perspective here. And I’m just going to do this. Oops, not that screen. 
Sorry, I have multiple screens going. Here we go. This one is here. So a little bit of information from Green Light. Green Light is one of the largest aggregators for the industry, the IT industry, cybersecurity, and cyber insurance. Insurance companies rely a lot on their data to do a lot of their analytics and costs, tables, and ratings. From 2015 to 2021, the cost of cybercrime has gone from, the T stands for trillion, from $3 trillion to $6 trillion. The majority of the breaches are financial, over 71%. So these are the guys that walk into the bank with the mask and the gun and say give me all your money. Now they sit in the basement in some country and open their laptop and hack into the system. And we’re looking at almost three-quarters of all the financial monetary is through ransom, right? And people are like, well, this can happen to me. Cyber attacks happen every 39 seconds. What?

Sammy Basu
Every 39 seconds. Wow. Yeah.

Karl Balian
Now that’s worldwide, right? The last number is the most important one, right? The average AWS cost is almost $4 million. Wow. Right. Now, if you’re 50 100 200,000,200 50 million, half a billion dollar, even a billion dollar company, $4 million doesn’t seem like a lot. But if you’re a smaller 510 $15 million company, $4 million is a lot of money. Right? That can cripple you, that can bankrupt you, can put you out of business very, very, very quickly. I know a lot of what I’m saying sounds like a scare tactic. It is. But not, you know, it’s better to have it and not need it than need it and not have it, right. And that’s something that I always tell everybody is, you’re better off having it in place. And hopefully, you never, never, never have to use it. But in case you do, you don’t want it to be devastating to you. Because not only is it to you, but you have employees of the company that will be out of a job because you’re gonna go under, and then you may have long-term financial risk. The analogy I always use is we get car insurance, and we pay every month on our car insurance not to take our car and jam it into a wall and say insurance company pay me. We get it to hopefully never have to use it. But God forbid, if it does, then we know what we made whole again. And it’s the same principle across the board for all types of coverage, right? Cyber just happens to be one of the topics that we’re discussing today. Because now more and more, this has become the norm. And law enforcement is always reactive and not proactive. So they haven’t figured out a way to be able to catch these hackers, much less stop them from doing what they’re doing. This is way outside their box, this is way outside their scope. And I’m not just talking about local law enforcement, I’m talking about federal law enforcement, when you’re dealing with hackers in different parts of the world. There’s little to nothing that they can do about it.

Alyssa Butler
And one reason cyber insurance is so important is it’s not like earthquake insurance, where not all parts of America have earthquakes. But I can’t think of a single industry. You know, you even said three all that doesn’t connect to a Wi-Fi at some point. So this is a totally, ever-evolving field. And you know, you were talking about the scare tactics. So let’s go into something a little bit positive, which is to give the people the people give the people some tips and tricks to lower their cost of cyber insurance because it’s a necessity. But let’s make it a good necessity. Yeah.

Karl Balian
And that’s why when Sammy and I first started talking a while back about it, I, you know, especially when I first met him, I immediately ran over to him and said, you and I need to sit down and talk. Because you may think our worlds don’t cross, but our worlds cross tremendously. And one of the things where I utilize cybersecurity is protecting your company as much as you can. Are you going to get to 100%? No, that is a false type of sense of security, to tell anybody that we’re going to protect you 100%. If the resorts that I just spoke of, by the way, have more security in place than the federal government does, if they got hacked, there is nobody that’s not susceptible to getting attacked. But if we start putting the right things in place, and we and the insurance company see, okay, well, they do have cybersecurity, they do all these things to protect themselves, they do have more MFAs in place, they do limit their network access, they do have protection against phishing, and, you know, people trying to hack into their system or coming in from the outside, to them, the risk factor goes from here, down here, right, and then you can start seeing a significant reduction in the cost of the coverage. And that’s why we work hand in hand with you guys, with your clients and even my clients that I’ll recommend out to you guys as well, that I’ve sent over, that I’ll send over and say hey, listen, I understand the cost is significant because you don’t have these things in place, and the insurance companies will give you a rating and we’ll tell you why your premium is where it is, right. And they will allow you to say hey, if you can fix these things, and if you can secure more of this information, we’re willing to either take on more risk or reduce the cost of insuring you guys. 
It’s the same as I like to use car insurance a lot even though I don’t do any car insurance if you’re taking like driver safety courses or if you’re doing things to me We reduce your risk in that type of coverage, even in buildings that are like if you don’t have sprinklers in your building, we don’t want to take the risk of covering it. And if we do, it’s going to be significantly higher. So put sprinklers in your building, right? things to that nature, it’s the same thing if you’re doing things to help because you kind of are going into a partnership with the insurance company, but they’re taking on the majority of the risk, right, you may be paying a couple of $1,000 annually, to get millions of dollars of coverage. So they’re taking on all the risks. And they want to see that you guys that the companies are doing the right things. And I will recommend and say, Hey, listen, I understand this has gone up, and it’s going to keep going up. But if we put these things in place, right, then we can go back and say, Hey, here’s all the things they’ve done to correct some of those things that are out there, that can potentially be a loss. And then they’ll look at that and say, you know, what, we’re willing to take on some more of the risk, or we’re willing to reduce the premiums for the costs to kind of mitigate that kind of relationship between the two of us

Sammy Basu
Karl, like, you know, to take the analogy of health insurance, like some people get health insurance, some people don’t. And, you know, it’s becoming, you know, more required in some scenarios. So, just in cyber, is it an optional insurance right now? And do you think it’s going to become mandatory insurance?

Karl Balian
It is optional, right now, but like I said, with my clients, because they’re like, insurance is a nonrevenue generating expense, no matter how much money I throw at it, there’s no ROI on insurance, right? So if, if I’m, if I, I

Sammy Basu
mean, you don’t want you don’t want to claim that he doesn’t want to be in the situation, right? Like, oh, I have insurance on my deck,

Karl Balian
I always tell them to listen, take at least a minimal minimum coverage, right, let’s at least get you to half a million or a million dollars of coverage, it’ll maybe cost you 5000 or $8,000 a year. Now, I understand that’s a cost. But I don’t want to leave you guys open to risk on that. And they’re like, well, nothing has ever happened. We’ve been in business for X amount of years, and so forth, I will still push cyber coverage down their throat, I’ll even tell them to listen, and we can even lower that down if you’re willing to take on some of the risks, right? And we’ll do like a, how much retention you want to take are deductible, right? We’ll see maybe take a $50,000 deductible that 1000 will go to $4,000. So at least on a catastrophic loss, you’re only in it for maybe 25, or 50,000, versus the full million dollars, right? And you’re still now we’re cutting that costs in half. And then we’ll revisit this next year on your renewals. And then we’ll have this discussion one more time. All right, either, we’ll keep it we’ll increase it will make changes, and so forth. But it isn’t mandatory, right? And some people think that they have that coverage. They’re like, well, I bought this commercial package, it has liability in the property, and it covers cyber and terrorist attacks, and so forth. If you read the fine print on there, the chances of having maybe 40 or 50 exclusions on that policy with that coverage. They don’t read it because it’s on page 250 or 400 pages of the policy. Right. And it excludes a lot of stuff. So once again,

Speaker 1
just like I showed in the graph, the cost has gone up, do you think the premium payments have also gone down because well, are more stringent? So

Karl Balian
Most, if not all, insurance companies are for profit, right? And they taught this to me decades ago, when I got my license, that there’s a 60/40 rule with insurance companies. And I’ll jump to the insurance companies here, the companies and what they collect in premiums, the number of accounts they have, and so forth. A lot of these companies, you’ll know who they are. Zurich, and like Nationwide, and AIG and Chubb, and these are the bigger companies. They have what’s called the 60/40 rule: 60% of the premiums that they collect on all policies go out to pay claims. So 40% is where they make their profits and their administrative costs, right, whether it’s having claims people, adjusters, their internal operations, and so forth. So every year that they get their losses versus premiums collected, if they stay within that 60/40 rule, they’re fine. When that number starts moving, right, if that 60% now becomes 70, guess what happens to everybody’s premiums, they go up to get it back to that 60/40. The other way around is, if the loss is less than 60%, maybe 50, then you’ll see a big reduction in the price of the premium. Right. So, and that’s true across the board for all coverages. It’s not just for cyber, right? The last, since the pandemic ended in 2022 to 2023, we saw that graph, the claims have gone up. So that number, just doing behind the napkin math, is we’re going past that 60/40 rule, right? We’re cutting into that 60s, going to 65, 70%, don’t make those adjustments to bring it back to those numbers, and I’ll jump back to those. Right in 2018, it was down here, there were no losses. So they’re collecting premiums, and they’re paying very little, zero claims, rant on the ransom side, right, there’s like 30 lines of coverage on the cyber, this is just looking at one line of coverage. This means that come next year, everybody’s premiums are gonna go up. Wow. Right? Because they’re paying out these ransom payments. And then you see the median ransom is down here. 
And now the average has gone up here. And now when you factor in those, the two big losses they just paid, that number will probably get up about here. Wow. Yeah. If they’re not in the business to lose money, if they’re losing money, then guess what, they’re not an insurance company anymore, they’ll go do something else. So that, again, it’s a shared risk. And it’s spread out just like your homeowners, right, you don’t pay a million dollars of homeowners insurance, even though your house is worth a million dollars, with the spread out over hundreds of 1000s of millions of homes, right? And that’s why I only pay a couple of $1,000 to insure your home or your vehicle. But you are getting millions of dollars of coverage, right? So as long as they can keep those losses down. In this area, you can see what we call a soft market, right? All of a sudden, everybody’s fighting to get business and generate more revenue, and they’re willing to discount it to get you in. Once it becomes a hard market, like we’re trending towards, you’ll see the appetites for the carriers become less and less. For example, homeowners, they can’t increase their rates, because the state of California won’t allow them under the Department of Insurance. You see a lot of people getting a notice of cancellation or a notice of nonrenewal for their homeowner’s policy because the insurance companies can’t increase the rates to compensate for what they’ve been paying out in claims. So they said, yeah, we just don’t want to do business in California anymore. And you’ll see people like State Farm, Farmers, Allstate, Nationwide, Liberty, all leaving the state of California. And they’re like, we just don’t need the business because we’re losing money with you guys on it. And then now all of a sudden it becomes a very hard market to get coverage. So when we see things like this trending in this direction, we know the first quarter, the second quarter of 2024. 
What you were paying in cyber coverage last year is not going to be the same as what you’re paying this year. How

Sammy Basu
to draw a parallel and we are kind of, you know, this is a great discussion, and you have so much data to back up what you’re saying. Just as you know, we are thinking about partnering with cyber insurance and cybersecurity service providers in industries, traditional industries. Do you see that partnership has happened in the past?

Karl Balian
Yes, very much so. So for example, I’ll use, because this is an easy example that I can use, it’s in our face every day. CalFire puts out a rating for the entire state of California for brushfire areas, and they share that data with the insurance companies and they say hey, based on these geographic areas, right, this is the risk for fire. And now the insurance company, you know, ebbs and flows with that. So if you live in Malibu Canyon, right, for us in Southern California, the chances of getting coverage are zero right now, because the fire rating is out of control, whereas if you live in, let’s say, Burbank or Glendale or Pasadena, down in the urban areas, your fire rating is extremely low, right, and all, listen, it’s if they want, they’ll be willing to take that risk. The same will be with this type of coverage, is they’re going to rely very heavily on the cybersecurity companies. And they’re going to be partnering more and more, as you saw last week or two weeks ago, when they already have programs specifically for cybersecurity companies for their clients. So they’re already moving towards working with cybersecurity and placing coverage through them for their clients, versus going directly to the client. Traditionally, we go to the client, and say, hey, we need you to fill out this application. They look at that and go, I don’t know 90% of these questions, I have to send it to my IT people to answer these. So we’ve kind of not gone around them, but said, we’re going to streamline this process, we’re going to go directly to the IT companies, and we’re going to say, hey, give us the data on the companies you’re working with. And we’ll know exactly what level of security they have and what type of risk they have. And then we can base the premiums and the coverages on that. So, to answer your long answer is absolutely 100%. We are going through, and that was one of the conversations we had last week, right? 
And we did a presentation directly with the wholesalers. And the carriers may even have boilerplate lines of coverage for you guys, and saying, Hey, this would be even the minimum for your clients, and we trust you more than we trust the client. So we’re willing to underwrite these policies, just based on your recommendation with fixed dollars. While

Sammy Basu
so yes. Great, Karl, this is all recorded, and we will edit it out and put all the good parts in. So yeah.

Karl Balian
Yeah, and I do reviews for everybody. I will look at it. If and believe it or not. 90% of the reviews I do are through cybersecurity companies. And they say hey, here’s our client, here’s all the information. What do you think we’re going to where we’re going to be with costs on this? So we are working very closely with you guys more so now than we probably have in the last three to five years.

Sammy Basu
There you go. Well, I’ll

Karl Balian
see you next week.

Sammy Basu
Thank you.

Alyssa Butler
Thanks, guys, so much for all that information. Appreciate it.

Karl Balian
You got it. Thank you guys.

Sammy Basu
Stay safe, and secure.