In today’s post, I want to introduce Dan Burke, who recently joined Woodruff Sawyer as Vice President and Cyber Specialist, and share with you some of his important insights on cyber risk, the insurance market and where it’s headed.
In this new role, Dan will focus on expanding our cyber liability services for clients, including developing new vendor relationships, loss control tools and benchmarking resources.
Lauri: Tell us a little about your background.
Dan: Prior to joining Woodruff Sawyer, I spent 12 years on the underwriting side of the business, most recently running cyber and technology E&O products in the US for the past three years at Hiscox, one of the leading cyber insurance carriers in the market.
There, I was responsible for all product development, strategy, vendor relationships and, ultimately, production and profitability of the cyber line of business.
Prior to that, I was with ACE, which is now Chubb, both in their Chicago and San Francisco offices, working on all types of errors and omissions and cyber liability insurance.
Lauri: In your time running the Hiscox cyber product in the US, how did you see the market evolve?
Dan: Cyber insurance originally started as what amounted to data breach insurance, and that’s how it was sold in the beginning of the cyber insurance market.
Companies that had personally identifiable information had a responsibility to not only protect that data, but also notify consumers if their data was lost. This was a result of state laws that require notification, which were put into place starting with California—now all 50 states have them.
Cyber insurance policies would respond to these state law requirements and were sold to organizations that had a significant personal data exposure.
Increasingly over the past few years, companies weren’t identifying with that exposure anymore. They didn’t have a lot of personal data, and didn’t see the need to actually transfer their cyber risk through insurance.
But cyber risk started changing and became more about companies’ dependence on technology. As cyber risk evolved, so did the insurance market. Coverage for business interruption and data restoration services became available through the cyber insurance marketplace, and really started driving a lot of purchasing decisions.
For example, most cyber policies now include business interruption coverage to reduce the impact on a company’s profits and expenses as a result of a cyber event like a system outage or security breach.
There are other factors that make cyber risk more of an operational risk for companies. Many companies today are migrating to the cloud and becoming dependent on cloud service providers to operate their business.
But what recourse is available contractually in a situation where the cloud provider goes down? Often, it is minimal or non-existent; however, now you can actually recover insurance payouts as a result of the impact on your business from those cloud service providers going down.
So cyber coverage has really broadened from a coverage perspective over the last few years. And I expect that it will continue to evolve to cover things like physical property damage and bodily injury as a result of cyber events.
Lauri: How pervasive is cyber risk throughout organizations today?
Dan: Cyber risk is extremely pervasive—and growing. Cyber risk is now an operational risk. Any organization that depends on technology to operate has a cyber exposure. That dependence on technology is driving a lot of organizations to consider cyber insurance these days.
All insurers today are concerned with “silent cyber”—how a cyber event might affect lines of coverage other than cyber insurance. Organizations should be thinking about cyber in a very similar way.
If you have a cyber event, whether it be a system outage or a security event that leads to something bad happening, what’s the big-picture view of how your business is impacted? Are you able to keep operating? How will your customers be impacted? Could there be physical damage to your facilities or bodily injury or property damage impacting others?
All of these scenarios could lead to claims under your E&O, property or liability insurance policies. Will coverage apply if damages arise out of a cyber event?
Or, think about cyber risk in the context of a mergers and acquisitions scenario. When you acquire a company, you also acquire their cyber liability as well. Part of the M&A due diligence process should be a security audit of the company’s network to see what’s been happening, how secure they’ve been and how secure they will be during the transition time.
We’ve seen a high frequency of cyber claims that are discovered after an acquisition closes.
So there’s a very pervasive cyber risk that I don’t think is quite appreciated by every organization today. I really look forward to helping educate our clients and others on this.
Lauri: What about errors and omissions risk, and how that ties into cyber?
Dan: The way that I encourage clients to think about errors & omissions exposure is through the aggregation of the risk that they face.
When I think about the typical E&O policy, I think about a contract with an individual customer that’s gone wrong, for example. Typically, contractual remedies or insurance limits are sufficient to mitigate the risk from an issue with a single client.
But when I think about E&O from the cyber perspective, if there’s a cyber event that prevents your company from providing services, now you don’t just have a single claim; you potentially have claims from all of your customers.
What would happen if all your clients alleged E&O claims at the same time due to a cyber incident? Would you have enough insurance limits to handle that type of event?
So, the aggregation of that E&O exposure can be massive. Errors and omissions insurance and cyber insurance are very much linked when you think about the exposure that a cyber event can create on your E&O policies. That is how carriers are thinking about it, and companies should be as well.
Lauri: What should organizations be most concerned about right now?
Dan: There’s a lot happening in the cyber space that certainly is eye opening for a lot of organizations. Most notably GDPR [General Data Protection Regulation], just implemented in May in the EU, which has a number of very strict controls that need to be in place, and gives consumers a lot of control over their data.
For companies, that impacts how they’re collecting data, what they’re doing with that data, how they’re notifying customers of what they’re doing with that data and also how they’re going to dispose of that data when they no longer need it.
The concept of a consumer’s “right to be forgotten” is very complex and it changes the way companies need to operate.
I expect that regulatory scrutiny is just going to keep increasing. We’ve seen calls for more regulation with the recent Facebook data scandal. We see it with recent legislation in California, and at a federal level in the US that adopts a lot of the similar principles that are included within GDPR.
We see it with a Colorado law, which was passed in June and goes into effect September 1, that requires appropriate disposal of consumer data once it’s no longer needed.
Companies should be aware that regulatory scrutiny is only going to keep increasing as the public starts to realize how much data is collected on them, what is done with it and the lack of transparency in that whole process.
Lauri: Putting your underwriter hat back on for a second, what do you think clients most need to understand about their cyber policy?
Dan: Cyber insurance carriers have spent a lot of time over the past few years really innovating on a few different fronts. One is around coverage. So it would be important to know the most recent coverage enhancements that are available around dependent business interruption, dependent system failure and property damage.
Further, carriers have innovated on cyber crime coverage, and the social engineering attacks targeting the humans within the organization.
There’s a lot of value being provided in coverage today, but there’s also a lot of value in the services that carriers can provide. This comes in two different forms: One is around pre-breach and the other is incident response.
Carriers can help organizations become more secure before they have a cyber event. Oftentimes, the uptake on these services is very low because clients aren’t aware that they’re available or how they can implement them in their own organization.
The other service of note is incident response, and taking advantage of the vendors that carriers have lined up to offer a turnkey solution to companies that have experienced a cyber event.
The fact of the matter is most companies will experience a cyber event at some point. Being ready to respond when that happens really makes a big difference, not only in the costs incurred to respond and recover, but also to the reputational impact that it has on your organization.
So, preparing for that event, and taking advantage of a cyber insurance policy and the services carriers offer is a huge opportunity.
Lauri: Why Woodruff Sawyer?
Dan: The team is absolutely fantastic, and this always stood out to me from working with them on the underwriting side. They’re very clearly experts in the specialized field that is cyber insurance.
I’ve also seen an executive-level commitment to cyber from Woodruff Sawyer that is unparalleled. That commitment is what really attracted me to joining the team here.
Woodruff Sawyer is always open to new ideas and is committed to finding unique and creative solutions that can help their clients, both through value-add services and risk transfer (insurance).
And I’m excited to be joining them and continuing to innovate in the cyber insurance space. I’m looking forward to creating some great partnerships and finding cyber solutions for the variety of clients Woodruff Sawyer already services.