Those are the table stakes for today's coverage, as companies struggle to keep up with the constantly evolving landscape of attacks.
In some cases, it feels like it's no longer a matter of "if" but rather "when" your clients will have to deal with some form of a cyber-threat.
As a result, policies can no longer be issued without serious efforts to create protection.
Tim Foody, an RPS area senior vice president, talks about the best ways to prepare your client's business to be eligible for the type of cyber coverage it needs.
Joey Giangola: Mr. Tim Foody. How you doing today, sir?
Tim Foody: I'm doing good, Joey. How are you?
Joey Giangola: Tim, I'm doing fantastic, I think. I want to know this before we really get to anything too important. And that is, is there a conversation, an argument, possibly a discussion that you found yourself on the wrong side of history of at some point in your life and you just ultimately regret it now?
Tim Foody: Wow. That's a tough one. This is hopefully not a... Well, maybe it's controversial, but not going to get me in any real hot water. One of the things that I like about being in the office is that we have a lot of these debates where you can argue both sides pretty vehemently, debates like, is a hot dog a sandwich? Is chili considered soup? And if it is, what's your definition that makes cereal not a soup? I don't think I've been on the wrong side of those though. I think I usually can bring folks over to my camp, but it's funny, those are the hot topics that we get to enjoy in the office on break times.
Joey Giangola: I think the answers to all of those is no, but I could just have offended a lot of people. Personally, for me, Tim, there was a point in my life where I thought physical keyboards on phones needed to be a thing, and I'm embarrassed by it because that clearly did not need to be a thing.
Tim Foody: I was ready to die on that hill with my Blackberry Bold.
Joey Giangola: Yeah.
Tim Foody: It was, to this day, still my favorite phone. I didn't trust that everything could be a touchscreen, but you're right. I was definitely on the wrong side of that one too.
Joey Giangola: Yeah. It's just, you think about the foolishness and how we've grown and how we've educated ourselves since then. Well, so I think the thing that I wanted to talk about, and as it relates to insurance, and I guess this topic in general is, how many people do you think are currently on the wrong side of just where cyber threats and security and coverage are just as it relates to their business? Because I think we're sort of in a similar parallel where it's slowly coming, but I think there's still a lot of people that haven't quite really realized what's out there.
Tim Foody: Yeah. That's a good point. We're definitely heading in the right direction and the last year or two have accelerated that, but I don't think we're close. I would argue most folks are probably, if we flip a coin, we might be close, maybe half the popular out there sort of recognizes where they are and where they need to be. And our conversations every day are, we know this is what you had in the past and we know that nothing has really changed with your operation, but unfortunately the world at large in the environment in the market has changed dramatically. So we're having to adapt to that. But I would venture a guess, we're right around the halfway point now. A year ago, we were probably not even a quarter of the way there, but it's evolved pretty quickly.
Joey Giangola: Well, and I guess what has the urgency level been, getting maybe to the halfway point and what conversations are you hearing from agents in terms of the conversations that they want to have with their clients that maybe are starting to come up. What are the things that are starting this and how is it going for everybody?
Tim Foody: It's a really difficult transitional time right now. And every renewal is feeling some pain. And I think that's because what we're seeing in the insurance base is not only additional requirements to be able to get the insurance in the first place. And your insurance is becoming more expensive, but also you've got to spend more money to make yourself attractive to insurers. So it's a difficult kind of double whammy versus the previous 10 or 20 years in this market where we had to have insurance companies fighting for us, or fighting to make themselves attractive to us. Now it's kind of the other way around. So things around their head a little bit, but for the broker side, what's really become evident, and what wasn't there, I think, for a few years, is what emphasis there is on just being here as an educational resource, as much as anything else.
Joey Giangola: Going to that education piece. There is a lot of, like you said, sort of moving targets, as it relates to understanding cyber. A lot has changed in the last year in terms of just like what a company has to do to even be willing to sort of be looked at for coverage these days. I guess, what sits number one for you in terms of the things that it agents need to know when they're going in to have these conversations, when insureds are reaching out. Because it is something that I think people are at least talking about, it depends on how serious they are, but what is that thing that sits at top of you that everybody needs to know?
Tim Foody: Not to get overly technical with it, but from a controlled standpoint, we say, and we've been saying, for eight or 10 months now, it's MFA or the highway. If you don't have multifactor authentication on your systems, you probably aren't going to get insurance. And that's a tough message because two years ago, you were getting a pat on the back for having that control in place, now it's the bare minimum. That's the important thing I think for insureds to understand, for our retail partners, really, what I can preach best is just get in front of things early and often. We can help have the conversations with their insureds. We can help decide what might need to happen or what would be nice, but isn't absolutely necessary. But having those conversations a week before the renewal are a little tougher when versus having them three months before the renewal.
Joey Giangola: Do you have any sort of real life examples of conversations going through that MFA process? Because I think sometimes people maybe make it to be a bigger deal than maybe it necessarily is. Granted, I think once it's actually in place and there might be more issues with the people, like dealing with it on the day to day than it is, but the actual just implementation of it. Is it something that maybe people make into a bigger problem?
Tim Foody: Absolutely. I mean, with most email providers, it's the flip of a switch. If you don't have it and you're working with either third party IT, or you just have Gmail or Outlook, it's a very, very easy thing to implement. What we find is the delay in that is not the cost because it's really affordable, we're talking $3 to $4 per employee per month. If you buy everybody a cup of coffee every month, you can get your MFA. But the reality is, there is a little bit of a learning curve to it. So the IT folks look at it and say, we've got a hundred people that might pick up the phone and call us and ask what this is and how to do it. So we don't want to turn that on all at once. We'd like to do it in a phased effort. And again, that's fine if we're starting early enough in advance, but if we need it by tomorrow, we need it by tomorrow.
Joey Giangola: That's a good point. I guess I didn't really consider that. And the staged approach, I would imagine saves a lot of... Well, let's ask this question. How many people do you see actually have that preparation in place to where they're able to do that? Or is it a disproportionate amount of people turning it on at the last minute just to be able to get the coverage?
Tim Foody: It's a disproportionate amount of people turning it on to qualify for coverage. But again, that number's heading in the right direction. Most of these things, the education is out there. We're reaching a point now, we're 60 days out now from when the market started to really turn in a real way from a requirement standpoint in June of 2021. So I think that pain, hopefully knock wood, is going to get a little bit less so as we approach now what'll be the second renewal, where we're talking about things like MFA. There's going to be a next version of it. We know that, we just don't know exactly what it's going to be. It all comes back to early communication and education on our part.
Joey Giangola: I definitely want to get back to that next thing. Not that we can predict the future, but I think it's worth, at least talking about. But really quickly before we move too off of the MFA thing is, I guess, have you talked to agents who have had success getting in early with that conversation to where a business owner maybe has listened and they're like, Hey, listen, that sounds great, maybe we will get this staggered over the course of six months so by the time we really need it, we're not over overloading the systems, we're not overloading our people in terms of just their ability to, like you said, get that help that they need.
Tim Foody: A hundred percent. The brokers that I work with that I think really do the best job of it, is they treat it as a way to have a midyear touch point with their client. So they're reaching out either six months in advance of the renewal, four months in advance for the renewal and saying, Hey, let's complete the application now. It allows us to have a conversation about things we might want to change or things we need to change and we can evaluate the cost benefit of that.
What it does is two things. It doesn't put the insured under the gun as far as needing things to happen in a short period of time, because keep in mind the IT resources are finite and those folks are pretty overloaded now, too. But the other thing it does is. I think it really allows the retail broker to just continue fostering that relationship with their client, showing them that they're being proactive. Most people aren't touching base at the six month mark because they don't have to. I think that allows retail brokers to just give a little bit more stickiness with their clients, which is huge.
Joey Giangola: So I think a lot of that is that there could be some resentment to the agencies that have, we'll say, their stuff together to be able to have that six month conversation. It's like the person that's always exercising every day, or having the salad for lunch sort of thing. What stands out to you that separates that type of agency that you see, that is kind of consistently organized with their processes to have that six month procedure versus the ones that are not.
Tim Foody: Like everybody else, there's just not enough time in the day. And some people are, rightfully so. I can't argue with this, they're just trying to stay above water. They're just trying to do what's right in front of them. If you can set aside an hour or two hours to just look at your renewal book and set up calls and say at the six month mark, I'm putting this on my calendar and we're going to have a conversation. If you do that and have that sort of thoughtful, proactive effort, that's where I see a big difference being made because if you don't, we're all crazy busy. There's a lot of fires going on. We know that there's new business, there's renewal business, there's certificate requests, there's loss runs. There's a whole host of things that you can just drown under, unless you're really thoughtful about that proactive process.
Joey Giangola: Yeah. I want to get back act to the idea of what's sort of next and like I said, I don't want to make you predict the future, but I mean, if you want to take a shot, Tim, I'm certainly not going to stop you.
Tim Foody: Let me just grab my crystal ball.
Joey Giangola: Yeah. I mean, feel free. But I guess the question is, it does feel like MFA sort of came abruptly in terms of just how it was met with such ubiquity across the underwriting process. Do you anticipate things to be maybe rolling out a little bit slower? I think maybe now that people have their wits about them maybe, in the market. Does it feel like things have normalized to the point where they can install changes at a much maybe more manageable pace? I guess, tell me what you're seeing.
Tim Foody: The short answer there is, it depends. Because everyone has such a different control environment. From the insurance company perspective, there's really a sliding scale of the things that they need. We know MFA is a baseline, pretty much everyone has to have that, it's not really worth much more of a conversation. Beyond that, some of the additional controls that are really hot topics right now, things like endpoint detection and response, things like training your staff, pretty simple things, things that we can partner with retail agencies on, oftentimes for free to implement. Things like, how do we control our backups? All really important and the way the insurance companies look at it is sort of on a sliding scale. If you're in a certain industry or you're a certain size, those things become of a heightened importance. So that's a long way of saying it depends, but they're looking at really, really intensely, at email security, backup security.
And really what it all boils down to, is the underwriters want to see, do you care? Are you making an effort to make yourself have good cyber hygiene? If we think you're doing that, then we'll insure you. If we don't think you have a proactive approach to making sure that you're secure, we've got a hundred other submissions on our desk that are maybe willing to do that.
Joey Giangola: Yeah. There's kind of feels a little bit like somebody that's maybe in their seventies, eighties looking for a nice, well preferred underwritten life insurance policy at this point. It feels like it could get to that point. And do you find some businesses being, or, I mean, do you find agents talking to businesses that are maybe that stubborn, in that case, they're looking for something that essentially doesn't and exist anymore or will soon not exist?
Tim Foody: We see that. I don't know about every day, but very, very frequently, where the choice is just to not take the coverage at all, whether that's not to renew it or not to buy it in the first place, because as I referenced it, the investment to get yourself to a level of being insurable and then paying for the insurance on top of that, is just something that some folks refuse to accept. But I think the nature of where the market is now supports the fact that you need it. One of the things that's unique about cyber and the market relative to other coverages is the news does us a lot of favors, it's everywhere. People know that breaches as are going on. So we have to explain the why, and we have to explain the how to avoid it, but we're not just babbling about things that insureds don't understand, it's right there in front of them everywhere they go.
Joey Giangola: Yeah. And I think a lot of this, kind of what we're discussing, predicting the future and stuff dictates on the market and how fast, because it doesn't seem like any of it is slowing down. If anything, it seems like we haven't even come close to scratching the surface of what's possible in terms of cyber attacks. Again, this is pure speculation on my part. But how much of that, I mean, from what you've seen from watching, just how the threats have developed over the years. If you sort of had to give your, I guess, guidance statement to agents like, listen, like you said, we're a halfway point of acceptance or at least kind of that. Where are we at in terms of the maturity of the space and the threat levels and things like that?
Tim Foody: That's a good question. When we look at what we were doing 10 years ago, nobody was buying it. The security controls didn't matter. Even five years ago, if you wrote down your address and your revenue, you can get a quote. And what we saw from five years ago until about two years ago was just a race to the bottom. Everything was getting super inexpensive, there was tons of new competition in the market, and now we're on a really serious upswing. But things that we talked about a few years ago, for people that have been selling cyber, we talked a lot about notification costs and how expensive that was going to be and the obligations to make sure people were aware that their data was accessed or breached. That's not really as important anymore, now we're talking about ransomware.
One of the things that people are speculating is that the regulations are going to change and maybe ransom payments aren't going to be legal anymore. If that happens, that would obviously change the landscape pretty dramatically, but I'm pretty sure the criminals are just going to find another way to still get into our systems and figure out a way to cause some pain. That's their job and they're pretty good at it. So even as those regulations continue to change, I think we're maybe halfway through this evolution from both a claims trend standpoint, as well as just a security control standpoint, those things are going to continue to evolve too.
Joey Giangola: Now, if an agent is sort of in that conversation and maybe they decide to throw their hands up, the client's not biting, they have no interest in MFA or anything. Is there another coverage that you think maybe deserves, is a logical pivot, I guess, to at least have some sort of success within that conversation with their clients, to maybe provide a little bit more protection across the business.
Tim Foody: The only other thing outside of insurance for cyber, is just practicing other good ways of having cyber hygiene, so hiring a third party IT, making sure you have training enforced for your employees so they know what to look for if an email looks suspicious. Some kind of simple blocking and tackling, really. When we look at the overall toolkit of what makes you well protected from a cyber event, part of it certainly is insurance, but the other part of it is all those other things. If an insured doesn't want to get to a level of either qualifying or paying for a cyber policy, there's really not another product in insurance that's going to address that. If anything, all other insurance products are making efforts toward not paying cyber claims and ensuring that they don't get brought into cyber claims. So an absent of having an actual insurance product, it would really just be about having more of a proactive security effort internally within your own company.
Joey Giangola: All right, Tim, I got three more questions for you, sir. The first one is, what's one thing that you hope you never forget?
Tim Foody: I have so many things running through my mind right now.
Joey Giangola: You can just grab one.
Tim Foody: Well, I hope I don't forget the names of any people in my family or who they are, right off the bat. If I bring it to a work perspective, I hope I don't forget where we started in this whole cycle of the market, because I think it's really, really going to be relevant and important to understand where we're going and how we're going to get there.
Joey Giangola: Now on the other side of that, Tim, what is one thing you still have yet to learn?
Tim Foody: Oh, well, I don't know what I have yet to learn. You don't know what you don't know. Right? I think the important thing is, I've been doing this a long time and certainly long enough to know that there's a lot that I don't know. There's no new product or new company, insurance company or underwriting meeting that I won't join, just because I think we always have something to learn. And if you look at the people who are really successful in this business, who are much older than you and I, they're still willing to learn too and recognize, and that they don't know at all.
Joey Giangola: All right, Tim, last question to you, sir. If I were to hand you a magic wand of sorts to reshape, change, alter, speed up, really any part of insurance, what's that thing? Where is it going, and what's it doing?
Tim Foody: To speed up or change something in insurance. This is a little bit of a double edged sword, but I'm going to answer with technology because I think insurance can really, really benefit from technology. I think relative to some other industries, we might be a little bit behind the curve. Insurance, like a lot of things is heading in the direction of being commoditized. The other edge of that sword with technology is that, in some cases, it can serve to, we think, or we fear, replace brokers. When that happens, people like myself and my colleagues and the retail brokers that we work with, really, we just need to focus on how we can continue to add value in new and different ways.
Technology being a thing to be afraid of because it's going to replace us, I just really don't subscribe to that. First of all, if it's going to, it doesn't care about me anyway. So really, it's incumbent upon me to just make sure that I'm continuing to add value in new and different ways. And I think if the last two and three years in this market has shown us anything, it's that the value of having human involvement and expertise is more impactful than it's ever been.
Joey Giangola: Tim, this has been fantastic, sir. I'm going to leave it right there.
Tim Foody: Great. Thanks, Joey.